1 Copyright (c) 1994-1996, 1998-2005, 2007-2011
2 Todd C. Miller <Todd.Miller@courtesan.com>
4 Permission to use, copy, modify, and distribute this software for any
5 purpose with or without fee is hereby granted, provided that the above
6 copyright notice and this permission notice appear in all copies.
8 THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
17 Sponsored in part by the Defense Advanced Research Projects
18 Agency (DARPA) and Air Force Research Laboratory, Air Force
19 Materiel Command, USAF, under agreement number F39502-99-1-0512.
25 sudoers - default sudo security policy module
29 The I<sudoers> policy module determines a user's B<sudo> privileges.
30 It is the default B<sudo> policy plugin. The policy is driven by
31 the F<@sysconfdir@/sudoers> file or, optionally in LDAP. The policy
32 format is described in detail in the L<"SUDOERS FILE FORMAT">
33 section. For information on storing I<sudoers> policy information
34 in LDAP, please see L<sudoers.ldap(5)>.
36 =head2 Authentication and Logging
38 The I<sudoers> security policy requires that most users authenticate
39 themselves before they can use B<sudo>. A password is not required
40 if the invoking user is root, if the target user is the same as the
41 invoking user, or if the policy has disabled authentication for the
42 user or command. Unlike L<su(1)>, when I<sudoers> requires
43 authentication, it validates the invoking user's credentials, not
44 the target user's (or root's) credentials. This can be changed via
45 the I<rootpw>, I<targetpw> and I<runaspw> flags, described later.
47 If a user who is not listed in the policy tries to run a command
48 via B<sudo>, mail is sent to the proper authorities. The address
49 used for such mail is configurable via the I<mailto> Defaults entry
50 (described later) and defaults to C<@mailto@>.
52 Note that mail will not be sent if an unauthorized user tries to
53 run B<sudo> with the B<-l> or B<-v> option. This allows users to
54 determine for themselves whether or not they are allowed to use
57 If B<sudo> is run by root and the C<SUDO_USER> environment variable
58 is set, the I<sudoers> policy will use this value to determine who
59 the actual user is. This can be used by a user to log commands
60 through sudo even when a root shell has been invoked. It also
61 allows the B<-e> option to remain useful even when invoked via a
62 sudo-run script or program. Note, however, that the I<sudoers>
63 lookup is still done for root, not the user specified by C<SUDO_USER>.
65 I<sudoers> uses time stamp files for credential caching. Once a
66 user has been authenticated, a time stamp is updated and the user
67 may then use sudo without a password for a short period of time
68 (C<@timeout@> minutes unless overridden by the I<timeout> option.
69 By default, I<sudoers> uses a tty-based time stamp which means that
70 there is a separate time stamp for each of a user's login sessions.
71 The I<tty_tickets> option can be disabled to force the use of a
72 single time stamp for all of a user's sessions.
74 I<sudoers> can log both successful and unsuccessful attempts (as well
75 as errors) to syslog(3), a log file, or both. By default, I<sudoers>
76 will log via syslog(3) but this is changeable via the I<syslog>
77 and I<logfile> Defaults settings.
79 I<sudoers> also supports logging a command's input and output
80 streams. I/O logging is not on by default but can be enabled using
81 the I<log_input> and I<log_output> Defaults flags as well as the
82 C<LOG_INPUT> and C<LOG_OUTPUT> command tags.
84 =head2 Command Environment
86 Since environment variables can influence program behavior, I<sudoers>
87 provides a means to restrict which variables from the user's
88 environment are inherited by the command to be run. There are two
89 distinct ways I<sudoers> can deal with environment variables.
91 By default, the I<env_reset> option is enabled. This causes commands
92 to be executed with a minimal environment containing C<TERM>,
93 C<PATH>, C<HOME>, C<MAIL>, C<SHELL>, C<LOGNAME>, C<USER> and C<USERNAME> in
94 addition to variables from the invoking process permitted by the
95 I<env_check> and I<env_keep> options. This is effectively a whitelist
96 for environment variables.
98 If, however, the I<env_reset> option is disabled, any variables not
99 explicitly denied by the I<env_check> and I<env_delete> options are
100 inherited from the invoking process. In this case, I<env_check>
101 and I<env_delete> behave like a blacklist. Since it is not possible
102 to blacklist all potentially dangerous environment variables, use
103 of the default I<env_reset> behavior is encouraged.
105 In all cases, environment variables with a value beginning with
106 C<()> are removed as they could be interpreted as B<bash> functions.
107 The list of environment variables that B<sudo> allows or denies is
108 contained in the output of C<sudo -V> when run as root.
110 Note that the dynamic linker on most operating systems will remove
111 variables that can control dynamic linking from the environment of
112 setuid executables, including B<sudo>. Depending on the operating
113 system this may include C<_RLD*>, C<DYLD_*>, C<LD_*>, C<LDR_*>,
114 C<LIBPATH>, C<SHLIB_PATH>, and others. These type of variables are
115 removed from the environment before B<sudo> even begins execution
116 and, as such, it is not possible for B<sudo> to preserve them.
118 As a special case, if B<sudo>'s B<-i> option (initial login) is
119 specified, I<sudoers> will initialize the environment regardless
120 of the value of I<env_reset>. The I<DISPLAY>, I<PATH> and I<TERM>
121 variables remain unchanged; I<HOME>, I<MAIL>, I<SHELL>, I<USER>,
122 and I<LOGNAME> are set based on the target user. On Linux and AIX
123 systems the contents of F</etc/environment> are also included. All
124 other environment variables are removed.
126 =head1 SUDOERS FILE FORMAT
128 The I<sudoers> file is composed of two types of entries: aliases
129 (basically variables) and user specifications (which specify who
132 When multiple entries match for a user, they are applied in order.
133 Where there are multiple matches, the last match is used (which is
134 not necessarily the most specific match).
136 The I<sudoers> grammar will be described below in Extended Backus-Naur
137 Form (EBNF). Don't despair if you don't know what EBNF is; it is
138 fairly simple, and the definitions below are annotated.
140 =head2 Quick guide to EBNF
142 EBNF is a concise and exact way of describing the grammar of a language.
143 Each EBNF definition is made up of I<production rules>. E.g.,
145 symbol ::= definition | alternate1 | alternate2 ...
147 Each I<production rule> references others and thus makes up a
148 grammar for the language. EBNF also contains the following
149 operators, which many readers will recognize from regular
150 expressions. Do not, however, confuse them with "wildcard"
151 characters, which have different meanings.
157 Means that the preceding symbol (or group of symbols) is optional.
158 That is, it may appear once or not at all.
162 Means that the preceding symbol (or group of symbols) may appear
167 Means that the preceding symbol (or group of symbols) may appear
172 Parentheses may be used to group symbols together. For clarity,
173 we will use single quotes ('') to designate what is a verbatim character
174 string (as opposed to a symbol name).
178 There are four kinds of aliases: C<User_Alias>, C<Runas_Alias>,
179 C<Host_Alias> and C<Cmnd_Alias>.
181 Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
182 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
183 'Host_Alias' Host_Alias (':' Host_Alias)* |
184 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
186 User_Alias ::= NAME '=' User_List
188 Runas_Alias ::= NAME '=' Runas_List
190 Host_Alias ::= NAME '=' Host_List
192 Cmnd_Alias ::= NAME '=' Cmnd_List
194 NAME ::= [A-Z]([A-Z][0-9]_)*
196 Each I<alias> definition is of the form
198 Alias_Type NAME = item1, item2, ...
200 where I<Alias_Type> is one of C<User_Alias>, C<Runas_Alias>, C<Host_Alias>,
201 or C<Cmnd_Alias>. A C<NAME> is a string of uppercase letters, numbers,
202 and underscore characters ('_'). A C<NAME> B<must> start with an
203 uppercase letter. It is possible to put several alias definitions
204 of the same type on a single line, joined by a colon (':'). E.g.,
206 Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
208 The definitions of what constitutes a valid I<alias> member follow.
213 User ::= '!'* user name |
218 '!'* %:nonunix_group |
219 '!'* %:#nonunix_gid |
222 A C<User_List> is made up of one or more user names, user ids
223 (prefixed with '#'), system group names and ids (prefixed with '%'
224 and '%#' respectively), netgroups (prefixed with '+'), non-Unix
225 group names and IDs (prefixed with '%:' and '%:#' respectively) and
226 C<User_Alias>es. Each list item may be prefixed with zero or more
227 '!' operators. An odd number of '!' operators negate the value of
228 the item; an even number just cancel each other out.
230 A C<user name>, C<uid>, C<group>, C<gid>, C<netgroup>, C<nonunix_group>
231 or C<nonunix_gid> may be enclosed in double quotes to avoid the
232 need for escaping special characters. Alternately, special characters
233 may be specified in escaped hex mode, e.g. \x20 for space. When
234 using double quotes, any prefix characters must be included inside
237 The actual C<nonunix_group> and C<nonunix_gid> syntax depends on
238 the underlying group provider plugin (see the I<group_plugin>
239 description below). For instance, the QAS AD plugin supports the
246 Group in the same domain: "Group Name"
250 Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"
254 Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"
258 Note that quotes around group names are optional. Unquoted strings
259 must use a backslash (\) to escape spaces and special characters.
260 See L<"Other special characters and reserved words"> for a list of
261 characters that need to be escaped.
263 Runas_List ::= Runas_Member |
264 Runas_Member ',' Runas_List
266 Runas_Member ::= '!'* user name |
270 '!'* %:nonunix_group |
271 '!'* %:#nonunix_gid |
275 A C<Runas_List> is similar to a C<User_List> except that instead
276 of C<User_Alias>es it can contain C<Runas_Alias>es. Note that
277 user names and groups are matched as strings. In other words, two
278 users (groups) with the same uid (gid) are considered to be distinct.
279 If you wish to match all user names with the same uid (e.g.E<nbsp>root
280 and toor), you can use a uid instead (#0 in the example given).
285 Host ::= '!'* host name |
287 '!'* network(/netmask)? |
291 A C<Host_List> is made up of one or more host names, IP addresses,
292 network numbers, netgroups (prefixed with '+') and other aliases.
293 Again, the value of an item may be negated with the '!' operator.
294 If you do not specify a netmask along with the network number,
295 B<sudo> will query each of the local host's network interfaces and,
296 if the network number corresponds to one of the hosts's network
297 interfaces, the corresponding netmask will be used. The netmask
298 may be specified either in standard IP address notation
299 (e.g.E<nbsp>255.255.255.0 or ffff:ffff:ffff:ffff::),
300 or CIDR notation (number of bits, e.g.E<nbsp>24 or 64). A host name may
301 include shell-style wildcards (see the L<Wildcards> section below),
302 but unless the C<host name> command on your machine returns the fully
303 qualified host name, you'll need to use the I<fqdn> option for
304 wildcards to be useful. Note B<sudo> only inspects actual network
305 interfaces; this means that IP address 127.0.0.1 (localhost) will
306 never match. Also, the host name "localhost" will only match if
307 that is the actual host name, which is usually only the case for
308 non-networked systems.
313 commandname ::= file name |
317 Cmnd ::= '!'* commandname |
322 A C<Cmnd_List> is a list of one or more commandnames, directories, and other
323 aliases. A commandname is a fully qualified file name which may include
324 shell-style wildcards (see the L<Wildcards> section below). A simple
325 file name allows the user to run the command with any arguments he/she
326 wishes. However, you may also specify command line arguments (including
327 wildcards). Alternately, you can specify C<""> to indicate that the command
328 may only be run B<without> command line arguments. A directory is a
329 fully qualified path name ending in a '/'. When you specify a directory
330 in a C<Cmnd_List>, the user will be able to run any file within that directory
331 (but not in any subdirectories therein).
333 If a C<Cmnd> has associated command line arguments, then the arguments
334 in the C<Cmnd> must match exactly those given by the user on the command line
335 (or match the wildcards if there are any). Note that the following
336 characters must be escaped with a '\' if they are used in command
337 arguments: ',', ':', '=', '\'. The special command C<"sudoedit">
338 is used to permit a user to run B<sudo> with the B<-e> option (or
339 as B<sudoedit>). It may take command line arguments just as
340 a normal command does.
344 Certain configuration options may be changed from their default
345 values at runtime via one or more C<Default_Entry> lines. These
346 may affect all users on any host, all users on a specific host, a
347 specific user, a specific command, or commands being run as a specific user.
348 Note that per-command entries may not include command line arguments.
349 If you need to specify arguments, define a C<Cmnd_Alias> and reference
352 Default_Type ::= 'Defaults' |
353 'Defaults' '@' Host_List |
354 'Defaults' ':' User_List |
355 'Defaults' '!' Cmnd_List |
356 'Defaults' '>' Runas_List
358 Default_Entry ::= Default_Type Parameter_List
360 Parameter_List ::= Parameter |
361 Parameter ',' Parameter_List
363 Parameter ::= Parameter '=' Value |
364 Parameter '+=' Value |
365 Parameter '-=' Value |
368 Parameters may be B<flags>, B<integer> values, B<strings>, or B<lists>.
369 Flags are implicitly boolean and can be turned off via the '!'
370 operator. Some integer, string and list parameters may also be
371 used in a boolean context to disable them. Values may be enclosed
372 in double quotes (C<">) when they contain multiple words. Special
373 characters may be escaped with a backslash (C<\>).
375 Lists have two additional assignment operators, C<+=> and C<-=>.
376 These operators are used to add to and delete from a list respectively.
377 It is not an error to use the C<-=> operator to remove an element
378 that does not exist in a list.
380 Defaults entries are parsed in the following order: generic, host
381 and user Defaults first, then runas Defaults and finally command
384 See L<"SUDOERS OPTIONS"> for a list of supported Defaults parameters.
386 =head2 User Specification
388 User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
389 (':' Host_List '=' Cmnd_Spec_List)*
391 Cmnd_Spec_List ::= Cmnd_Spec |
392 Cmnd_Spec ',' Cmnd_Spec_List
394 Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
396 Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
398 SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
400 Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
401 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
402 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
404 A B<user specification> determines which commands a user may run
405 (and as what user) on specified hosts. By default, commands are
406 run as B<root>, but this can be changed on a per-command basis.
408 The basic structure of a user specification is `who where = (as_whom)
409 what'. Let's break that down into its constituent parts:
413 A C<Runas_Spec> determines the user and/or the group that a command
414 may be run as. A fully-specified C<Runas_Spec> consists of two
415 C<Runas_List>s (as defined above) separated by a colon (':') and
416 enclosed in a set of parentheses. The first C<Runas_List> indicates
417 which users the command may be run as via B<sudo>'s B<-u> option.
418 The second defines a list of groups that can be specified via
419 B<sudo>'s B<-g> option. If both C<Runas_List>s are specified, the
420 command may be run with any combination of users and groups listed
421 in their respective C<Runas_List>s. If only the first is specified,
422 the command may be run as any user in the list but no B<-g> option
423 may be specified. If the first C<Runas_List> is empty but the
424 second is specified, the command may be run as the invoking user
425 with the group set to any listed in the C<Runas_List>. If no
426 C<Runas_Spec> is specified the command may be run as B<root> and
427 no group may be specified.
429 A C<Runas_Spec> sets the default for the commands that follow it.
430 What this means is that for the entry:
432 dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
434 The user B<dgb> may run F</bin/ls>, F</bin/kill>, and
435 F</usr/bin/lprm> -- but only as B<operator>. E.g.,
437 $ sudo -u operator /bin/ls
439 It is also possible to override a C<Runas_Spec> later on in an
440 entry. If we modify the entry like so:
442 dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
444 Then user B<dgb> is now allowed to run F</bin/ls> as B<operator>,
445 but F</bin/kill> and F</usr/bin/lprm> as B<root>.
447 We can extend this to allow B<dgb> to run C</bin/ls> with either
448 the user or group set to B<operator>:
450 dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \
453 Note that while the group portion of the C<Runas_Spec> permits the
454 user to run as command with that group, it does not force the user
455 to do so. If no group is specified on the command line, the command
456 will run with the group listed in the target user's password database
457 entry. The following would all be permitted by the sudoers entry above:
459 $ sudo -u operator /bin/ls
460 $ sudo -u operator -g operator /bin/ls
461 $ sudo -g operator /bin/ls
463 In the following example, user B<tcm> may run commands that access
464 a modem device file with the dialer group.
466 tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
467 /usr/local/bin/minicom
469 Note that in this example only the group will be set, the command
470 still runs as user B<tcm>. E.g.
472 $ sudo -g dialer /usr/bin/cu
474 Multiple users and groups may be present in a C<Runas_Spec>, in
475 which case the user may select any combination of users and groups
476 via the B<-u> and B<-g> options. In this example:
478 alan ALL = (root, bin : operator, system) ALL
480 user B<alan> may run any command as either user root or bin,
481 optionally setting the group to operator or system.
485 On systems with SELinux support, I<sudoers> entries may optionally have
486 an SELinux role and/or type associated with a command. If a role or
487 type is specified with the command it will override any default values
488 specified in I<sudoers>. A role or type specified on the command line,
489 however, will supercede the values in I<sudoers>.
493 A command may have zero or more tags associated with it. There are
494 eight possible tag values, C<NOPASSWD>, C<PASSWD>, C<NOEXEC>,
495 C<EXEC>, C<SETENV>, C<NOSETENV>, C<LOG_INPUT>, C<NOLOG_INPUT>,
496 C<LOG_OUTPUT> and C<NOLOG_OUTPUT>. Once a tag is set on a C<Cmnd>,
497 subsequent C<Cmnd>s in the C<Cmnd_Spec_List>, inherit the tag unless
498 it is overridden by the opposite tag (i.e.: C<PASSWD> overrides
499 C<NOPASSWD> and C<NOEXEC> overrides C<EXEC>).
501 =head3 NOPASSWD and PASSWD
503 By default, B<sudo> requires that a user authenticate him or herself
504 before running a command. This behavior can be modified via the
505 C<NOPASSWD> tag. Like a C<Runas_Spec>, the C<NOPASSWD> tag sets
506 a default for the commands that follow it in the C<Cmnd_Spec_List>.
507 Conversely, the C<PASSWD> tag can be used to reverse things.
510 ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
512 would allow the user B<ray> to run F</bin/kill>, F</bin/ls>, and
513 F</usr/bin/lprm> as B<root> on the machine rushmore without
514 authenticating himself. If we only want B<ray> to be able to
515 run F</bin/kill> without a password the entry would be:
517 ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
519 Note, however, that the C<PASSWD> tag has no effect on users who are
520 in the group specified by the I<exempt_group> option.
522 By default, if the C<NOPASSWD> tag is applied to any of the entries
523 for a user on the current host, he or she will be able to run
524 C<sudo -l> without a password. Additionally, a user may only run
525 C<sudo -v> without a password if the C<NOPASSWD> tag is present
526 for all a user's entries that pertain to the current host.
527 This behavior may be overridden via the verifypw and listpw options.
529 =head3 NOEXEC and EXEC
531 If B<sudo> has been compiled with I<noexec> support and the underlying
532 operating system supports it, the C<NOEXEC> tag can be used to prevent
533 a dynamically-linked executable from running further commands itself.
535 In the following example, user B<aaron> may run F</usr/bin/more>
536 and F</usr/bin/vi> but shell escapes will be disabled.
538 aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
540 See the L<PREVENTING SHELL ESCAPES> section below for more details
541 on how C<NOEXEC> works and whether or not it will work on your system.
543 =head3 SETENV and NOSETENV
545 These tags override the value of the I<setenv> option on a per-command
546 basis. Note that if C<SETENV> has been set for a command, the user
547 may disable the I<env_reset> option from the command line via the
548 B<-E> option. Additionally, environment variables set on the command
549 line are not subject to the restrictions imposed by I<env_check>,
550 I<env_delete>, or I<env_keep>. As such, only trusted users should
551 be allowed to set variables in this manner. If the command matched
552 is B<ALL>, the C<SETENV> tag is implied for that command; this
553 default may be overridden by use of the C<NOSETENV> tag.
555 =head3 LOG_INPUT and NOLOG_INPUT
557 These tags override the value of the I<log_input> option on a
558 per-command basis. For more information, see the description of
559 I<log_input> in the L<"SUDOERS OPTIONS"> section below.
561 =head3 LOG_OUTPUT and NOLOG_OUTPUT
563 These tags override the value of the I<log_output> option on a
564 per-command basis. For more information, see the description of
565 I<log_output> in the L<"SUDOERS OPTIONS"> section below.
569 B<sudo> allows shell-style I<wildcards> (aka meta or glob characters)
570 to be used in host names, path names and command line arguments in
571 the I<sudoers> file. Wildcard matching is done via the B<POSIX>
572 L<glob(3)> and L<fnmatch(3)> routines. Note that these are I<not>
579 Matches any set of zero or more characters.
583 Matches any single character.
587 Matches any character in the specified range.
591 Matches any character B<not> in the specified range.
595 For any character "x", evaluates to "x". This is used to
596 escape special characters such as: "*", "?", "[", and "}".
600 POSIX character classes may also be used if your system's L<glob(3)>
601 and L<fnmatch(3)> functions support them. However, because the
602 C<':'> character has special meaning in I<sudoers>, it must be
603 escaped. For example:
605 /bin/ls [[\:alpha\:]]*
607 Would match any file name beginning with a letter.
609 Note that a forward slash ('/') will B<not> be matched by
610 wildcards used in the path name. When matching the command
611 line arguments, however, a slash B<does> get matched by
612 wildcards. This is to make a path like:
616 match F</usr/bin/who> but not F</usr/bin/X11/xterm>.
618 =head2 Exceptions to wildcard rules
620 The following exceptions apply to the above rules:
626 If the empty string C<""> is the only command line argument in the
627 I<sudoers> entry it means that command is not allowed to be run
628 with B<any> arguments.
632 =head2 Including other files from within sudoers
634 It is possible to include other I<sudoers> files from within the
635 I<sudoers> file currently being parsed using the C<#include> and
636 C<#includedir> directives.
638 This can be used, for example, to keep a site-wide I<sudoers> file
639 in addition to a local, per-machine file. For the sake of this
640 example the site-wide I<sudoers> will be F</etc/sudoers> and the
641 per-machine one will be F</etc/sudoers.local>. To include
642 F</etc/sudoers.local> from within F</etc/sudoers> we would use the
643 following line in F</etc/sudoers>:
647 C<#include /etc/sudoers.local>
651 When B<sudo> reaches this line it will suspend processing of the
652 current file (F</etc/sudoers>) and switch to F</etc/sudoers.local>.
653 Upon reaching the end of F</etc/sudoers.local>, the rest of
654 F</etc/sudoers> will be processed. Files that are included may
655 themselves include other files. A hard limit of 128 nested include
656 files is enforced to prevent include file loops.
658 The file name may include the C<%h> escape, signifying the short form
659 of the host name. I.e., if the machine's host name is "xerxes", then
661 C<#include /etc/sudoers.%h>
663 will cause B<sudo> to include the file F</etc/sudoers.xerxes>.
665 The C<#includedir> directive can be used to create a F<sudo.d>
666 directory that the system package manager can drop I<sudoers> rules
667 into as part of package installation. For example, given:
669 C<#includedir /etc/sudoers.d>
671 B<sudo> will read each file in F</etc/sudoers.d>, skipping file
672 names that end in C<~> or contain a C<.> character to avoid causing
673 problems with package manager or editor temporary/backup files.
674 Files are parsed in sorted lexical order. That is,
675 F</etc/sudoers.d/01_first> will be parsed before
676 F</etc/sudoers.d/10_second>. Be aware that because the sorting is
677 lexical, not numeric, F</etc/sudoers.d/1_whoops> would be loaded
678 B<after> F</etc/sudoers.d/10_second>. Using a consistent number
679 of leading zeroes in the file names can be used to avoid such
682 Note that unlike files included via C<#include>, B<visudo> will not
683 edit the files in a C<#includedir> directory unless one of them
684 contains a syntax error. It is still possible to run B<visudo>
685 with the C<-f> flag to edit the files directly.
687 =head2 Other special characters and reserved words
689 The pound sign ('#') is used to indicate a comment (unless it is
690 part of a #include directive or unless it occurs in the context of
691 a user name and is followed by one or more digits, in which case
692 it is treated as a uid). Both the comment character and any text
693 after it, up to the end of the line, are ignored.
695 The reserved word B<ALL> is a built-in I<alias> that always causes
696 a match to succeed. It can be used wherever one might otherwise
697 use a C<Cmnd_Alias>, C<User_Alias>, C<Runas_Alias>, or C<Host_Alias>.
698 You should not try to define your own I<alias> called B<ALL> as the
699 built-in alias will be used in preference to your own. Please note
700 that using B<ALL> can be dangerous since in a command context, it
701 allows the user to run B<any> command on the system.
703 An exclamation point ('!') can be used as a logical I<not> operator
704 both in an I<alias> and in front of a C<Cmnd>. This allows one to
705 exclude certain values. Note, however, that using a C<!> in
706 conjunction with the built-in C<ALL> alias to allow a user to
707 run "all but a few" commands rarely works as intended (see SECURITY
710 Long lines can be continued with a backslash ('\') as the last
711 character on the line.
713 Whitespace between elements in a list as well as special syntactic
714 characters in a I<User Specification> ('=', ':', '(', ')') is optional.
716 The following characters must be escaped with a backslash ('\') when
717 used as part of a word (e.g.E<nbsp>a user name or host name):
718 '!', '=', ':', ',', '(', ')', '\'.
720 =head1 SUDOERS OPTIONS
722 B<sudo>'s behavior can be modified by C<Default_Entry> lines, as
723 explained earlier. A list of all supported Defaults parameters,
724 grouped by type, are listed below.
730 =item always_set_home
732 If enabled, B<sudo> will set the C<HOME> environment variable to the
733 home directory of the target user (which is root unless the B<-u>
734 option is used). This effectively means that the B<-H> option is
735 always implied. Note that C<HOME> is already set when the the
736 I<env_reset> option is enabled, so I<always_set_home> is only
737 effective for configurations where either I<env_reset> is disabled
738 or C<HOME> is present in the I<env_keep> list.
739 This flag is I<off> by default.
743 If set, users must authenticate themselves via a password (or other
744 means of authentication) before they may run commands. This default
745 may be overridden via the C<PASSWD> and C<NOPASSWD> tags.
746 This flag is I<on> by default.
748 =item closefrom_override
750 If set, the user may use B<sudo>'s B<-C> option which
751 overrides the default starting point at which B<sudo> begins
752 closing open file descriptors. This flag is I<off> by default.
756 If set, and B<sudo> is configured to log a command's input or output,
757 the I/O logs will be compressed using B<zlib>. This flag is I<on>
758 by default when B<sudo> is compiled with B<zlib> support.
762 If set, B<visudo> will use the value of the EDITOR or VISUAL
763 environment variables before falling back on the default editor list.
764 Note that this may create a security hole as it allows the user to
765 run any arbitrary command as root without logging. A safer alternative
766 is to place a colon-separated list of editors in the C<editor>
767 variable. B<visudo> will then only use the EDITOR or VISUAL if
768 they match a value specified in C<editor>. This flag is I<@env_editor@> by
773 If set, B<sudo> will reset the environment to only contain the
774 LOGNAME, MAIL, SHELL, USER, USERNAME and the C<SUDO_*> variables. Any
775 variables in the caller's environment that match the C<env_keep>
776 and C<env_check> lists are then added. The default contents of the
777 C<env_keep> and C<env_check> lists are displayed when B<sudo> is
778 run by root with the I<-V> option. If the I<secure_path> option
779 is set, its value will be used for the C<PATH> environment variable.
780 This flag is I<@env_reset@> by default.
784 Normally, B<sudo> uses the L<glob(3)> function to do shell-style
785 globbing when matching path names. However, since it accesses the
786 file system, L<glob(3)> can take a long time to complete for some
787 patterns, especially when the pattern references a network file
788 system that is mounted on demand (automounted). The I<fast_glob>
789 option causes B<sudo> to use the L<fnmatch(3)> function, which does
790 not access the file system to do its matching. The disadvantage
791 of I<fast_glob> is that it is unable to match relative path names
792 such as F<./ls> or F<../bin/ls>. This has security implications
793 when path names that include globbing characters are used with the
794 negation operator, C<'!'>, as such rules can be trivially bypassed.
795 As such, this option should not be used when I<sudoers> contains rules
796 that contain negated path names which include globbing characters.
797 This flag is I<off> by default.
801 Set this flag if you want to put fully qualified host names in the
802 I<sudoers> file. I.e., instead of myhost you would use myhost.mydomain.edu.
803 You may still use the short form if you wish (and even mix the two).
804 Beware that turning on I<fqdn> requires B<sudo> to make DNS lookups
805 which may make B<sudo> unusable if DNS stops working (for example
806 if the machine is not plugged into the network). Also note that
807 you must use the host's official name as DNS knows it. That is,
808 you may not use a host alias (C<CNAME> entry) due to performance
809 issues and the fact that there is no way to get all aliases from
810 DNS. If your machine's host name (as returned by the C<hostname>
811 command) is already fully qualified you shouldn't need to set
812 I<fqdn>. This flag is I<@fqdn@> by default.
816 If set, B<sudo> will ignore '.' or '' (current dir) in the C<PATH>
817 environment variable; the C<PATH> itself is not modified. This
818 flag is I<@ignore_dot@> by default.
820 =item ignore_local_sudoers
822 If set via LDAP, parsing of F<@sysconfdir@/sudoers> will be skipped.
823 This is intended for Enterprises that wish to prevent the usage of local
824 sudoers files so that only LDAP is used. This thwarts the efforts of
825 rogue operators who would attempt to add roles to F<@sysconfdir@/sudoers>.
826 When this option is present, F<@sysconfdir@/sudoers> does not even need to
827 exist. Since this option tells B<sudo> how to behave when no specific LDAP
828 entries have been matched, this sudoOption is only meaningful for the
829 C<cn=defaults> section. This flag is I<off> by default.
833 If set, B<sudo> will insult users when they enter an incorrect
834 password. This flag is I<@insults@> by default.
838 If set, the host name will be logged in the (non-syslog) B<sudo> log file.
839 This flag is I<off> by default.
843 If set, B<sudo> will run the command in a I<pseudo tty> and log all
845 If the standard input is not connected to the user's tty, due to
846 I/O redirection or because the command is part of a pipeline, that
847 input is also captured and stored in a separate log file.
849 Input is logged to the directory specified by the I<iolog_dir>
850 option (F<@iolog_dir@> by default) using a unique session ID that
851 is included in the normal B<sudo> log line, prefixed with I<TSID=>.
852 The I<iolog_file> option may be used to control the format of the
855 Note that user input may contain sensitive information such as
856 passwords (even if they are not echoed to the screen), which will
857 be stored in the log file unencrypted. In most cases, logging the
858 command output via I<log_output> is all that is required.
862 If set, B<sudo> will run the command in a I<pseudo tty> and log all
863 output that is sent to the screen, similar to the script(1) command.
864 If the standard output or standard error is not connected to the
865 user's tty, due to I/O redirection or because the command is part
866 of a pipeline, that output is also captured and stored in separate
869 Output is logged to the directory specified by the I<iolog_dir>
870 option (F<@iolog_dir@> by default) using a unique session ID that
871 is included in the normal B<sudo> log line, prefixed with I<TSID=>.
872 The I<iolog_file> option may be used to control the format of the
875 Output logs may be viewed with the L<sudoreplay(8)> utility, which
876 can also be used to list or search the available logs.
880 If set, the four-digit year will be logged in the (non-syslog) B<sudo> log file.
881 This flag is I<off> by default.
883 =item long_otp_prompt
885 When validating with a One Time Password (OTP) scheme such as
886 B<S/Key> or B<OPIE>, a two-line prompt is used to make it easier
887 to cut and paste the challenge to a local window. It's not as
888 pretty as the default but some people find it more convenient. This
889 flag is I<@long_otp_prompt@> by default.
893 Send mail to the I<mailto> user every time a users runs B<sudo>.
894 This flag is I<off> by default.
898 Send mail to the I<mailto> user if the user running B<sudo> does not
899 enter the correct password. This flag is I<off> by default.
903 If set, mail will be sent to the I<mailto> user if the invoking
904 user exists in the I<sudoers> file, but is not allowed to run
905 commands on the current host. This flag is I<@mail_no_host@> by default.
909 If set, mail will be sent to the I<mailto> user if the invoking
910 user is allowed to use B<sudo> but the command they are trying is not
911 listed in their I<sudoers> file entry or is explicitly denied.
912 This flag is I<@mail_no_perms@> by default.
916 If set, mail will be sent to the I<mailto> user if the invoking
917 user is not in the I<sudoers> file. This flag is I<@mail_no_user@>
922 If set, all commands run via B<sudo> will behave as if the C<NOEXEC>
923 tag has been set, unless overridden by a C<EXEC> tag. See the
924 description of I<NOEXEC and EXEC> below as well as the L<PREVENTING SHELL
925 ESCAPES> section at the end of this manual. This flag is I<off> by default.
929 Normally, B<sudo> will tell the user when a command could not be
930 found in their C<PATH> environment variable. Some sites may wish
931 to disable this as it could be used to gather information on the
932 location of executables that the normal user does not have access
933 to. The disadvantage is that if the executable is simply not in
934 the user's C<PATH>, B<sudo> will tell the user that they are not
935 allowed to run it, which can be confusing. This flag is I<@path_info@>
938 =item passprompt_override
940 The password prompt specified by I<passprompt> will normally only
941 be used if the password prompt provided by systems such as PAM matches
942 the string "Password:". If I<passprompt_override> is set, I<passprompt>
943 will always be used. This flag is I<off> by default.
945 =item preserve_groups
947 By default, B<sudo> will initialize the group vector to the list of
948 groups the target user is in. When I<preserve_groups> is set, the
949 user's existing group vector is left unaltered. The real and
950 effective group IDs, however, are still set to match the target
951 user. This flag is I<off> by default.
955 By default, B<sudo> reads the password like most other Unix programs,
956 by turning off echo until the user hits the return (or enter) key.
957 Some users become confused by this as it appears to them that B<sudo>
958 has hung at this point. When I<pwfeedback> is set, B<sudo> will
959 provide visual feedback when the user presses a key. Note that
960 this does have a security impact as an onlooker may be able to
961 determine the length of the password being entered.
962 This flag is I<off> by default.
966 If set, B<sudo> will only run when the user is logged in to a real
967 tty. When this flag is set, B<sudo> can only be run from a login
968 session and not via other means such as L<cron(8)> or cgi-bin scripts.
969 This flag is I<off> by default.
973 If set, root is allowed to run B<sudo> too. Disabling this prevents users
974 from "chaining" B<sudo> commands to get a root shell by doing something
975 like C<"sudo sudo /bin/sh">. Note, however, that turning off I<root_sudo>
976 will also prevent root from running B<sudoedit>.
977 Disabling I<root_sudo> provides no real additional security; it
978 exists purely for historical reasons.
979 This flag is I<@root_sudo@> by default.
983 If set, B<sudo> will prompt for the root password instead of the password
984 of the invoking user. This flag is I<off> by default.
988 If set, B<sudo> will prompt for the password of the user defined by the
989 I<runas_default> option (defaults to C<@runas_default@>) instead of the
990 password of the invoking user. This flag is I<off> by default.
994 If enabled and B<sudo> is invoked with the B<-s> option the C<HOME>
995 environment variable will be set to the home directory of the target
996 user (which is root unless the B<-u> option is used). This effectively
997 makes the B<-s> option imply B<-H>. Note that C<HOME> is already
998 set when the the I<env_reset> option is enabled, so I<set_home> is
999 only effective for configurations where either I<env_reset> is disabled
1000 or C<HOME> is present in the I<env_keep> list.
1001 This flag is I<off> by default.
1005 Normally, B<sudo> will set the C<LOGNAME>, C<USER> and C<USERNAME>
1006 environment variables to the name of the target user (usually root
1007 unless the B<-u> option is given). However, since some programs
1008 (including the RCS revision control system) use C<LOGNAME> to
1009 determine the real identity of the user, it may be desirable to
1010 change this behavior. This can be done by negating the set_logname
1011 option. Note that if the I<env_reset> option has not been disabled,
1012 entries in the I<env_keep> list will override the value of
1013 I<set_logname>. This flag is I<on> by default.
1017 When enabled, B<sudo> will create an entry in the utmp (or utmpx)
1018 file when a pseudo-tty is allocated. A pseudo-tty is allocated by
1019 B<sudo> when the I<log_input>, I<log_output> or I<use_pty> flags
1020 are enabled. By default, the new entry will be a copy of the user's
1021 existing utmp entry (if any), with the tty, time, type and pid
1022 fields updated. This flag is I<on> by default.
1026 Allow the user to disable the I<env_reset> option from the command
1027 line via the B<-E> option. Additionally, environment variables set
1028 via the command line are not subject to the restrictions imposed
1029 by I<env_check>, I<env_delete>, or I<env_keep>. As such, only
1030 trusted users should be allowed to set variables in this manner.
1031 This flag is I<off> by default.
1035 If set and B<sudo> is invoked with no arguments it acts as if the
1036 B<-s> option had been given. That is, it runs a shell as root (the
1037 shell is determined by the C<SHELL> environment variable if it is
1038 set, falling back on the shell listed in the invoking user's
1039 /etc/passwd entry if not). This flag is I<off> by default.
1043 Normally, when B<sudo> executes a command the real and effective
1044 UIDs are set to the target user (root by default). This option
1045 changes that behavior such that the real UID is left as the invoking
1046 user's UID. In other words, this makes B<sudo> act as a setuid
1047 wrapper. This can be useful on systems that disable some potentially
1048 dangerous functionality when a program is run setuid. This option
1049 is only effective on systems with either the setreuid() or setresuid()
1050 function. This flag is I<off> by default.
1054 If set, B<sudo> will prompt for the password of the user specified
1055 by the B<-u> option (defaults to C<root>) instead of the password
1056 of the invoking user. In addition, the timestamp file name will
1057 include the target user's name. Note that this flag precludes the
1058 use of a uid not listed in the passwd database as an argument to
1059 the B<-u> option. This flag is I<off> by default.
1063 If set, users must authenticate on a per-tty basis. With this flag
1064 enabled, B<sudo> will use a file named for the tty the user is
1065 logged in on in the user's time stamp directory. If disabled, the
1066 time stamp of the directory is used instead. This flag is
1067 I<@tty_tickets@> by default.
1069 =item umask_override
1071 If set, B<sudo> will set the umask as specified by I<sudoers> without
1072 modification. This makes it possible to specify a more permissive
1073 umask in I<sudoers> than the user's own umask and matches historical
1074 behavior. If I<umask_override> is not set, B<sudo> will set the
1075 umask to be the union of the user's umask and what is specified in
1076 I<sudoers>. This flag is I<@umask_override@> by default.
1078 =item use_loginclass
1080 If set, B<sudo> will apply the defaults specified for the target user's
1081 login class if one exists. Only available if B<sudo> is configured with
1082 the --with-logincap option. This flag is I<off> by default.
1086 If set, B<sudo> will run the command in a pseudo-pty even if no I/O
1087 logging is being gone. A malicious program run under B<sudo> could
1088 conceivably fork a background process that retains to the user's
1089 terminal device after the main program has finished executing. Use
1090 of this option will make that impossible. This flag is I<off> by default.
1094 If set, B<sudo> will store the name of the runas user when updating
1095 the utmp (or utmpx) file. By default, B<sudo> stores the name of
1096 the invoking user. This flag is I<off> by default.
1100 By default, B<sudo> will refuse to run if the user must enter a
1101 password but it is not possible to disable echo on the terminal.
1102 If the I<visiblepw> flag is set, B<sudo> will prompt for a password
1103 even when it would be visible on the screen. This makes it possible
1104 to run things like C<"rsh somehost sudo ls"> since L<rsh(1)> does
1105 not allocate a tty. This flag is I<off> by default.
1115 Before it executes a command, B<sudo> will close all open file
1116 descriptors other than standard input, standard output and standard
1117 error (ie: file descriptors 0-2). The I<closefrom> option can be used
1118 to specify a different file descriptor at which to start closing.
1119 The default is C<3>.
1123 The number of tries a user gets to enter his/her password before
1124 B<sudo> logs the failure and exits. The default is C<@passwd_tries@>.
1128 B<Integers that can be used in a boolean context>:
1134 Number of characters per line for the file log. This value is used
1135 to decide when to wrap lines for nicer log files. This has no
1136 effect on the syslog log file, only the file log. The default is
1137 C<@loglen@> (use 0 or negate the option to disable word wrap).
1139 =item passwd_timeout
1141 Number of minutes before the B<sudo> password prompt times out, or
1142 C<0> for no timeout. The timeout may include a fractional component
1143 if minute granularity is insufficient, for example C<2.5>. The
1144 default is C<@password_timeout@>.
1146 =item timestamp_timeout
1148 Number of minutes that can elapse before B<sudo> will ask for a
1149 passwd again. The timeout may include a fractional component if
1150 minute granularity is insufficient, for example C<2.5>. The default
1151 is C<@timeout@>. Set this to C<0> to always prompt for a password.
1152 If set to a value less than C<0> the user's timestamp will never
1153 expire. This can be used to allow users to create or delete their
1154 own timestamps via C<sudo -v> and C<sudo -k> respectively.
1158 Umask to use when running the command. Negate this option or set
1159 it to 0777 to preserve the user's umask. The actual umask that is
1160 used will be the union of the user's umask and the value of the
1161 I<umask> option, which defaults to C<@sudo_umask@>. This guarantees
1162 that B<sudo> never lowers the umask when running a command. Note
1163 on systems that use PAM, the default PAM configuration may specify
1164 its own umask which will override the value set in I<sudoers>.
1172 =item badpass_message
1174 Message that is displayed if a user enters an incorrect password.
1175 The default is C<@badpass_message@> unless insults are enabled.
1179 A colon (':') separated list of editors allowed to be used with
1180 B<visudo>. B<visudo> will choose the editor that matches the user's
1181 EDITOR environment variable if possible, or the first editor in the
1182 list that exists and is executable. The default is C<"@editor@">.
1186 The top-level directory to use when constructing the path name for
1187 the input/output log directory. Only used if the I<log_input> or
1188 I<log_output> options are enabled or when the C<LOG_INPUT> or
1189 C<LOG_OUTPUT> tags are present for a command. The session sequence
1190 number, if any, is stored in the directory.
1191 The default is C<"@iolog_dir@">.
1193 The following percent (`C<%>') escape sequences are supported:
1199 expanded to a monotonically increasing base-36 sequence number, such as 0100A5,
1200 where every two digits are used to form a new directory, e.g. F<01/00/A5>
1204 expanded to the invoking user's login name
1208 expanded to the name of the invoking user's real group ID
1210 =item C<%{runas_user}>
1212 expanded to the login name of the user the command will
1213 be run as (e.g. root)
1215 =item C<%{runas_group}>
1217 expanded to the group name of the user the command will
1218 be run as (e.g. wheel)
1220 =item C<%{hostname}>
1222 expanded to the local host name without the domain name
1226 expanded to the base name of the command being run
1230 In addition, any escape sequences supported by the system's strftime()
1231 function will be expanded.
1233 To include a literal `C<%>' character, the string `C<%%>' should
1236 Path names that end in six or more C<X>s will have the C<X>s replaced
1237 with a unique combination of digits and letters, similar to the
1242 The path name, relative to I<iolog_dir>, in which to store input/output
1243 logs when the I<log_input> or I<log_output> options are enabled or
1244 when the C<LOG_INPUT> or C<LOG_OUTPUT> tags are present for a command.
1245 Note that I<iolog_file> may contain directory components.
1246 The default is C<"%{seq}">.
1248 See the I<iolog_dir> option above for a list of supported percent
1249 (`C<%>') escape sequences.
1253 Subject of the mail sent to the I<mailto> user. The escape C<%h>
1254 will expand to the host name of the machine.
1255 Default is C<@mailsub@>.
1259 This option is deprecated and will be removed in a future release
1260 of B<sudo>. The path to the noexec file should now be set in the
1261 F<@sysconfdir@/sudo.conf> file.
1265 The default prompt to use when asking for a password; can be overridden
1266 via the B<-p> option or the C<SUDO_PROMPT> environment variable.
1267 The following percent (`C<%>') escape sequences are supported:
1273 expanded to the local host name including the domain name
1274 (only if the machine's host name is fully qualified or the I<fqdn>
1279 expanded to the local host name without the domain name
1283 expanded to the user whose password is being asked for (respects the
1284 I<rootpw>, I<targetpw> and I<runaspw> flags in I<sudoers>)
1288 expanded to the login name of the user the command will
1289 be run as (defaults to root)
1293 expanded to the invoking user's login name
1297 two consecutive C<%> characters are collapsed into a single C<%> character
1301 The default value is C<@passprompt@>.
1305 The default SELinux role to use when constructing a new security
1306 context to run the command. The default role may be overridden on
1307 a per-command basis in I<sudoers> or via command line options.
1308 This option is only available whe B<sudo> is built with SELinux support.
1312 The default user to run commands as if the B<-u> option is not specified
1313 on the command line. This defaults to C<@runas_default@>.
1317 Syslog priority to use when user authenticates unsuccessfully.
1318 Defaults to C<@badpri@>.
1320 The following syslog priorities are supported: B<alert>, B<crit>,
1321 B<debug>, B<emerg>, B<err>, B<info>, B<notice>, and B<warning>.
1323 =item syslog_goodpri
1325 Syslog priority to use when user authenticates successfully.
1326 Defaults to C<@goodpri@>.
1328 See L<syslog_badpri> for the list of supported syslog priorities.
1330 =item sudoers_locale
1332 Locale to use when parsing the sudoers file, logging commands, and
1333 sending email. Note that changing the locale may affect how sudoers
1334 is interpreted. Defaults to C<"C">.
1338 The directory in which B<sudo> stores its timestamp files.
1339 The default is F<@timedir@>.
1341 =item timestampowner
1343 The owner of the timestamp directory and the timestamps stored therein.
1344 The default is C<root>.
1348 The default SELinux type to use when constructing a new security
1349 context to run the command. The default type may be overridden on
1350 a per-command basis in I<sudoers> or via command line options.
1351 This option is only available whe B<sudo> is built with SELinux support.
1355 B<Strings that can be used in a boolean context>:
1361 The I<env_file> options specifies the fully qualified path to a
1362 file containing variables to be set in the environment of the program
1363 being run. Entries in this file should either be of the form
1364 C<VARIABLE=value> or C<export VARIABLE=value>. The value may
1365 optionally be surrounded by single or double quotes. Variables in
1366 this file are subject to other B<sudo> environment settings such
1367 as I<env_keep> and I<env_check>.
1371 Users in this group are exempt from password and PATH requirements.
1372 The group name specified should not include a C<%> prefix.
1373 This is not set by default.
1377 A string containing a I<sudoers> group plugin with optional arguments.
1378 This can be used to implement support for the C<nonunix_group>
1379 syntax described earlier. The string should consist of the plugin
1380 path, either fully-qualified or relative to the F<@prefix@/libexec>
1381 directory, followed by any configuration arguments the plugin
1382 requires. These arguments (if any) will be passed to the plugin's
1383 initialization function. If arguments are present, the string must
1384 be enclosed in double quotes (C<">).
1386 For example, given F</etc/sudo-group>, a group file in Unix group
1387 format, the sample group plugin can be used:
1389 Defaults group_plugin="sample_group.so /etc/sudo-group"
1391 For more information see L<sudo_plugin(5)>.
1395 This option controls when a short lecture will be printed along with
1396 the password prompt. It has the following possible values:
1402 Always lecture the user.
1406 Never lecture the user.
1410 Only lecture the user the first time they run B<sudo>.
1414 If no value is specified, a value of I<once> is implied.
1415 Negating the option results in a value of I<never> being used.
1416 The default value is I<@lecture@>.
1420 Path to a file containing an alternate B<sudo> lecture that will
1421 be used in place of the standard lecture if the named file exists.
1422 By default, B<sudo> uses a built-in lecture.
1426 This option controls when a password will be required when a
1427 user runs B<sudo> with the B<-l> option. It has the following possible values:
1433 All the user's I<sudoers> entries for the current host must have
1434 the C<NOPASSWD> flag set to avoid entering a password.
1438 The user must always enter a password to use the B<-l> option.
1442 At least one of the user's I<sudoers> entries for the current host
1443 must have the C<NOPASSWD> flag set to avoid entering a password.
1447 The user need never enter a password to use the B<-l> option.
1451 If no value is specified, a value of I<any> is implied.
1452 Negating the option results in a value of I<never> being used.
1453 The default value is I<any>.
1457 Path to the B<sudo> log file (not the syslog log file). Setting a path
1458 turns on logging to a file; negating this option turns it off.
1459 By default, B<sudo> logs via syslog.
1463 Flags to use when invoking mailer. Defaults to B<-t>.
1467 Path to mail program used to send warning mail.
1468 Defaults to the path to sendmail found at configure time.
1472 Address to use for the "from" address when sending warning and error
1473 mail. The address should be enclosed in double quotes (C<">) to
1474 protect against B<sudo> interpreting the C<@> sign. Defaults to
1475 the name of the user running B<sudo>.
1479 Address to send warning and error mail to. The address should
1480 be enclosed in double quotes (C<">) to protect against B<sudo>
1481 interpreting the C<@> sign. Defaults to C<@mailto@>.
1485 Path used for every command run from B<sudo>. If you don't trust the
1486 people running B<sudo> to have a sane C<PATH> environment variable you may
1487 want to use this. Another use is if you want to have the "root path"
1488 be separate from the "user path." Users in the group specified by the
1489 I<exempt_group> option are not affected by I<secure_path>.
1490 This option is @secure_path@ by default.
1494 Syslog facility if syslog is being used for logging (negate to
1495 disable syslog logging). Defaults to C<@logfac@>.
1497 The following syslog facilities are supported: B<authpriv> (if your
1498 OS supports it), B<auth>, B<daemon>, B<user>, B<local0>, B<local1>,
1499 B<local2>, B<local3>, B<local4>, B<local5>, B<local6>, and B<local7>.
1503 This option controls when a password will be required when a user runs
1504 B<sudo> with the B<-v> option. It has the following possible values:
1510 All the user's I<sudoers> entries for the current host must have
1511 the C<NOPASSWD> flag set to avoid entering a password.
1515 The user must always enter a password to use the B<-v> option.
1519 At least one of the user's I<sudoers> entries for the current host
1520 must have the C<NOPASSWD> flag set to avoid entering a password.
1524 The user need never enter a password to use the B<-v> option.
1528 If no value is specified, a value of I<all> is implied.
1529 Negating the option results in a value of I<never> being used.
1530 The default value is I<all>.
1534 B<Lists that can be used in a boolean context>:
1540 Environment variables to be removed from the user's environment if
1541 the variable's value contains C<%> or C</> characters. This can
1542 be used to guard against printf-style format vulnerabilities in
1543 poorly-written programs. The argument may be a double-quoted,
1544 space-separated list or a single value without double-quotes. The
1545 list can be replaced, added to, deleted from, or disabled by using
1546 the C<=>, C<+=>, C<-=>, and C<!> operators respectively. Regardless
1547 of whether the C<env_reset> option is enabled or disabled, variables
1548 specified by C<env_check> will be preserved in the environment if
1549 they pass the aforementioned check. The default list of environment
1550 variables to check is displayed when B<sudo> is run by root with
1555 Environment variables to be removed from the user's environment
1556 when the I<env_reset> option is not in effect. The argument may
1557 be a double-quoted, space-separated list or a single value without
1558 double-quotes. The list can be replaced, added to, deleted from,
1559 or disabled by using the C<=>, C<+=>, C<-=>, and C<!> operators
1560 respectively. The default list of environment variables to remove
1561 is displayed when B<sudo> is run by root with the I<-V> option.
1562 Note that many operating systems will remove potentially dangerous
1563 variables from the environment of any setuid process (such as
1568 Environment variables to be preserved in the user's environment
1569 when the I<env_reset> option is in effect. This allows fine-grained
1570 control over the environment B<sudo>-spawned processes will receive.
1571 The argument may be a double-quoted, space-separated list or a
1572 single value without double-quotes. The list can be replaced, added
1573 to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and
1574 C<!> operators respectively. The default list of variables to keep
1575 is displayed when B<sudo> is run by root with the I<-V> option.
1583 =item F<@sysconfdir@/sudoers>
1585 List of who can run what
1591 =item F</etc/netgroup>
1593 List of network groups
1595 =item F<@iolog_dir@>
1601 Directory containing time stamps for the I<sudoers> security policy
1603 =item F</etc/environment>
1605 Initial environment for B<-i> mode on Linux and AIX
1611 Below are example I<sudoers> entries. Admittedly, some of
1612 these are a bit contrived. First, we allow a few environment
1613 variables to pass and then define our I<aliases>:
1615 # Run X applications through sudo; HOME is used to find the
1616 # .Xauthority file. Note that other programs use HOME to find
1617 # configuration files and this may lead to privilege escalation!
1618 Defaults env_keep += "DISPLAY HOME"
1620 # User alias specification
1621 User_Alias FULLTIMERS = millert, mikef, dowdy
1622 User_Alias PARTTIMERS = bostley, jwfox, crawl
1623 User_Alias WEBMASTERS = will, wendy, wim
1625 # Runas alias specification
1626 Runas_Alias OP = root, operator
1627 Runas_Alias DB = oracle, sybase
1628 Runas_Alias ADMINGRP = adm, oper
1630 # Host alias specification
1631 Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
1632 SGI = grolsch, dandelion, black :\
1633 ALPHA = widget, thalamus, foobar :\
1634 HPPA = boa, nag, python
1635 Host_Alias CUNETS = 128.138.0.0/255.255.0.0
1636 Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
1637 Host_Alias SERVERS = master, mail, www, ns
1638 Host_Alias CDROM = orion, perseus, hercules
1640 # Cmnd alias specification
1641 Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
1642 /usr/sbin/restore, /usr/sbin/rrestore
1643 Cmnd_Alias KILL = /usr/bin/kill
1644 Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
1645 Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
1646 Cmnd_Alias HALT = /usr/sbin/halt
1647 Cmnd_Alias REBOOT = /usr/sbin/reboot
1648 Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
1649 /usr/local/bin/tcsh, /usr/bin/rsh, \
1651 Cmnd_Alias SU = /usr/bin/su
1652 Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
1654 Here we override some of the compiled in default values. We want
1655 B<sudo> to log via L<syslog(3)> using the I<auth> facility in all
1656 cases. We don't want to subject the full time staff to the B<sudo>
1657 lecture, user B<millert> need not give a password, and we don't
1658 want to reset the C<LOGNAME>, C<USER> or C<USERNAME> environment
1659 variables when running commands as root. Additionally, on the
1660 machines in the I<SERVERS> C<Host_Alias>, we keep an additional
1661 local log file and make sure we log the year in each log line since
1662 the log entries will be kept around for several years. Lastly, we
1663 disable shell escapes for the commands in the PAGERS C<Cmnd_Alias>
1664 (F</usr/bin/more>, F</usr/bin/pg> and F</usr/bin/less>).
1666 # Override built-in defaults
1667 Defaults syslog=auth
1668 Defaults>root !set_logname
1669 Defaults:FULLTIMERS !lecture
1670 Defaults:millert !authenticate
1671 Defaults@SERVERS log_year, logfile=/var/log/sudo.log
1672 Defaults!PAGERS noexec
1674 The I<User specification> is the part that actually determines who may
1677 root ALL = (ALL) ALL
1678 %wheel ALL = (ALL) ALL
1680 We let B<root> and any user in group B<wheel> run any command on any
1683 FULLTIMERS ALL = NOPASSWD: ALL
1685 Full time sysadmins (B<millert>, B<mikef>, and B<dowdy>) may run any
1686 command on any host without authenticating themselves.
1688 PARTTIMERS ALL = ALL
1690 Part time sysadmins (B<bostley>, B<jwfox>, and B<crawl>) may run any
1691 command on any host but they must authenticate themselves first
1692 (since the entry lacks the C<NOPASSWD> tag).
1696 The user B<jack> may run any command on the machines in the I<CSNETS> alias
1697 (the networks C<128.138.243.0>, C<128.138.204.0>, and C<128.138.242.0>).
1698 Of those networks, only C<128.138.204.0> has an explicit netmask (in
1699 CIDR notation) indicating it is a class C network. For the other
1700 networks in I<CSNETS>, the local machine's netmask will be used
1705 The user B<lisa> may run any command on any host in the I<CUNETS> alias
1706 (the class B network C<128.138.0.0>).
1708 operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
1709 sudoedit /etc/printcap, /usr/oper/bin/
1711 The B<operator> user may run commands limited to simple maintenance.
1712 Here, those are commands related to backups, killing processes, the
1713 printing system, shutting down the system, and any commands in the
1714 directory F</usr/oper/bin/>.
1716 joe ALL = /usr/bin/su operator
1718 The user B<joe> may only L<su(1)> to operator.
1720 pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
1722 %opers ALL = (: ADMINGRP) /usr/sbin/
1724 Users in the B<opers> group may run commands in F</usr/sbin/> as themselves
1725 with any group in the I<ADMINGRP> C<Runas_Alias> (the B<adm> and B<oper>
1728 The user B<pete> is allowed to change anyone's password except for
1729 root on the I<HPPA> machines. Note that this assumes L<passwd(1)>
1730 does not take multiple user names on the command line.
1732 bob SPARC = (OP) ALL : SGI = (OP) ALL
1734 The user B<bob> may run anything on the I<SPARC> and I<SGI> machines
1735 as any user listed in the I<OP> C<Runas_Alias> (B<root> and B<operator>).
1739 The user B<jim> may run any command on machines in the I<biglab> netgroup.
1740 B<sudo> knows that "biglab" is a netgroup due to the '+' prefix.
1742 +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
1744 Users in the B<secretaries> netgroup need to help manage the printers
1745 as well as add and remove users, so they are allowed to run those
1746 commands on all machines.
1748 fred ALL = (DB) NOPASSWD: ALL
1750 The user B<fred> can run commands as any user in the I<DB> C<Runas_Alias>
1751 (B<oracle> or B<sybase>) without giving a password.
1753 john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
1755 On the I<ALPHA> machines, user B<john> may su to anyone except root
1756 but he is not allowed to specify any options to the L<su(1)> command.
1758 jen ALL, !SERVERS = ALL
1760 The user B<jen> may run any command on any machine except for those
1761 in the I<SERVERS> C<Host_Alias> (master, mail, www and ns).
1763 jill SERVERS = /usr/bin/, !SU, !SHELLS
1765 For any machine in the I<SERVERS> C<Host_Alias>, B<jill> may run
1766 any commands in the directory F</usr/bin/> except for those commands
1767 belonging to the I<SU> and I<SHELLS> C<Cmnd_Aliases>.
1769 steve CSNETS = (operator) /usr/local/op_commands/
1771 The user B<steve> may run any command in the directory /usr/local/op_commands/
1772 but only as user operator.
1774 matt valkyrie = KILL
1776 On his personal workstation, valkyrie, B<matt> needs to be able to
1777 kill hung processes.
1779 WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
1781 On the host www, any user in the I<WEBMASTERS> C<User_Alias> (will,
1782 wendy, and wim), may run any command as user www (which owns the
1783 web pages) or simply L<su(1)> to www.
1785 ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
1786 /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
1788 Any user may mount or unmount a CD-ROM on the machines in the CDROM
1789 C<Host_Alias> (orion, perseus, hercules) without entering a password.
1790 This is a bit tedious for users to type, so it is a prime candidate
1791 for encapsulating in a shell script.
1793 =head1 SECURITY NOTES
1795 It is generally not effective to "subtract" commands from C<ALL>
1796 using the '!' operator. A user can trivially circumvent this
1797 by copying the desired command to a different name and then
1798 executing that. For example:
1800 bill ALL = ALL, !SU, !SHELLS
1802 Doesn't really prevent B<bill> from running the commands listed in
1803 I<SU> or I<SHELLS> since he can simply copy those commands to a
1804 different name, or use a shell escape from an editor or other
1805 program. Therefore, these kind of restrictions should be considered
1806 advisory at best (and reinforced by policy).
1808 Furthermore, if the I<fast_glob> option is in use, it is not possible
1809 to reliably negate commands where the path name includes globbing
1810 (aka wildcard) characters. This is because the C library's
1811 L<fnmatch(3)> function cannot resolve relative paths. While this
1812 is typically only an inconvenience for rules that grant privileges,
1813 it can result in a security issue for rules that subtract or revoke
1816 For example, given the following I<sudoers> entry:
1818 john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
1819 /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
1821 User B<john> can still run C</usr/bin/passwd root> if I<fast_glob> is
1822 enabled by changing to F</usr/bin> and running C<./passwd root> instead.
1824 =head1 PREVENTING SHELL ESCAPES
1826 Once B<sudo> executes a program, that program is free to do whatever
1827 it pleases, including run other programs. This can be a security
1828 issue since it is not uncommon for a program to allow shell escapes,
1829 which lets a user bypass B<sudo>'s access control and logging.
1830 Common programs that permit shell escapes include shells (obviously),
1831 editors, paginators, mail and terminal programs.
1833 There are two basic approaches to this problem:
1839 Avoid giving users access to commands that allow the user to run
1840 arbitrary commands. Many editors have a restricted mode where shell
1841 escapes are disabled, though B<sudoedit> is a better solution to
1842 running editors via B<sudo>. Due to the large number of programs that
1843 offer shell escapes, restricting users to the set of programs that
1844 do not is often unworkable.
1848 Many systems that support shared libraries have the ability to
1849 override default library functions by pointing an environment
1850 variable (usually C<LD_PRELOAD>) to an alternate shared library.
1851 On such systems, B<sudo>'s I<noexec> functionality can be used to
1852 prevent a program run by B<sudo> from executing any other programs.
1853 Note, however, that this applies only to native dynamically-linked
1854 executables. Statically-linked executables and foreign executables
1855 running under binary emulation are not affected.
1857 The I<noexec> feature is known to work on SunOS, Solaris, *BSD,
1858 Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and above.
1859 It should be supported on most operating systems that support the
1860 C<LD_PRELOAD> environment variable. Check your operating system's
1861 manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld,
1862 dld.sl, rld, or loader) to see if C<LD_PRELOAD> is supported.
1864 On Solaris 10 and higher, I<noexec> uses Solaris privileges instead
1865 of the C<LD_PRELOAD> environment variable.
1867 To enable I<noexec> for a command, use the C<NOEXEC> tag as documented
1868 in the User Specification section above. Here is that example again:
1870 aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
1872 This allows user B<aaron> to run F</usr/bin/more> and F</usr/bin/vi>
1873 with I<noexec> enabled. This will prevent those two commands from
1874 executing other commands (such as a shell). If you are unsure
1875 whether or not your system is capable of supporting I<noexec> you
1876 can always just try it out and check whether shell escapes work
1877 when I<noexec> is enabled.
1881 Note that restricting shell escapes is not a panacea. Programs
1882 running as root are still capable of many potentially hazardous
1883 operations (such as changing or overwriting files) that could lead
1884 to unintended privilege escalation. In the specific case of an
1885 editor, a safer approach is to give the user permission to run
1888 =head1 SECURITY NOTES
1890 I<sudoers> will check the ownership of its time stamp directory
1891 (F<@timedir@> by default) and ignore the directory's contents if
1892 it is not owned by root or if it is writable by a user other than
1893 root. On systems that allow non-root users to give away files via
1894 L<chown(2)>, if the time stamp directory is located in a world-writable
1895 directory (e.g., F</tmp>), it is possible for a user to create the
1896 time stamp directory before B<sudo> is run. However, because
1897 I<sudoers> checks the ownership and mode of the directory and its
1898 contents, the only damage that can be done is to "hide" files by
1899 putting them in the time stamp dir. This is unlikely to happen
1900 since once the time stamp dir is owned by root and inaccessible by
1901 any other user, the user placing files there would be unable to get
1904 I<sudoers> will not honor time stamps set far in the future. Time
1905 stamps with a date greater than current_time + 2 * C<TIMEOUT> will
1906 be ignored and sudo will log and complain. This is done to keep a
1907 user from creating his/her own time stamp with a bogus date on
1908 systems that allow users to give away files if the time stamp directory
1909 is located in a world-writable directory.
1911 On systems where the boot time is available, I<sudoers> will ignore
1912 time stamps that date from before the machine booted.
1914 Since time stamp files live in the file system, they can outlive a
1915 user's login session. As a result, a user may be able to login,
1916 run a command with B<sudo> after authenticating, logout, login
1917 again, and run B<sudo> without authenticating so long as the time
1918 stamp file's modification time is within C<@timeout@> minutes (or
1919 whatever the timeout is set to in I<sudoers>). When the I<tty_tickets>
1920 option is enabled, the time stamp has per-tty granularity but still
1921 may outlive the user's session. On Linux systems where the devpts
1922 filesystem is used, Solaris systems with the devices filesystem,
1923 as well as other systems that utilize a devfs filesystem that
1924 monotonically increase the inode number of devices as they are
1925 created (such as Mac OS X), I<sudoers> is able to determine when a
1926 tty-based time stamp file is stale and will ignore it. Administrators
1927 should not rely on this feature as it is not universally available.
1929 If users have sudo C<ALL> there is nothing to prevent them from
1930 creating their own program that gives them a root shell (or making
1931 their own copy of a shell) regardless of any '!' elements in the
1936 L<rsh(1)>, L<su(1)>, L<fnmatch(3)>, L<glob(3)>, L<mktemp(3)>, L<strftime(3)>,
1937 L<sudoers.ldap(5)>, L<sudo_plugin(8)>, L<sudo(8)>, L<visudo(8)>
1941 The I<sudoers> file should B<always> be edited by the B<visudo>
1942 command which locks the file and does grammatical checking. It is
1943 imperative that I<sudoers> be free of syntax errors since B<sudo>
1944 will not run with a syntactically incorrect I<sudoers> file.
1946 When using netgroups of machines (as opposed to users), if you
1947 store fully qualified host name in the netgroup (as is usually the
1948 case), you either need to have the machine's host name be fully qualified
1949 as returned by the C<hostname> command or use the I<fqdn> option in
1954 If you feel you have found a bug in B<sudo>, please submit a bug report
1955 at http://www.sudo.ws/sudo/bugs/
1959 Limited free support is available via the sudo-users mailing list,
1960 see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
1961 search the archives.
1965 B<sudo> is provided ``AS IS'' and any express or implied warranties,
1966 including, but not limited to, the implied warranties of merchantability
1967 and fitness for a particular purpose are disclaimed. See the LICENSE
1968 file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
1969 for complete details.