SUDOERS(4)                    MAINTENANCE COMMANDS                    SUDOERS(4)

sudoers - list of which users may execute what

DESCRIPTION

The sudoers file is composed of two types of entries: aliases
(basically variables) and user specifications (which specify who may

When multiple entries match for a user, they are applied in order.
Where there are multiple matches, the last match is used (which is not
necessarily the most specific match).

The sudoers grammar will be described below in Extended Backus-Naur
Form (EBNF). Don't despair if you don't know what EBNF is; it is
fairly simple, and the definitions below are annotated.

Quick guide to EBNF

EBNF is a concise and exact way of describing the grammar of a
language. Each EBNF definition is made up of production rules. E.g.,

    symbol ::= definition | alternate1 | alternate2 ...

Each production rule references others and thus makes up a grammar for
the language. EBNF also contains the following operators, which many
readers will recognize from regular expressions. Do not, however,
confuse them with "wildcard" characters, which have different meanings.

    ?   Means that the preceding symbol (or group of symbols) is optional.
        That is, it may appear once or not at all.

    *   Means that the preceding symbol (or group of symbols) may appear

    +   Means that the preceding symbol (or group of symbols) may appear

Parentheses may be used to group symbols together. For clarity, we
will use single quotes ('') to designate what is a verbatim character
string (as opposed to a symbol name).

Aliases

There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias

    Alias ::= 'User_Alias'  User_Alias (':' User_Alias)* |
              'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
              'Host_Alias'  Host_Alias (':' Host_Alias)* |
              'Cmnd_Alias'  Cmnd_Alias (':' Cmnd_Alias)*

    User_Alias ::= NAME '=' User_List

    Runas_Alias ::= NAME '=' Runas_List

    Host_Alias ::= NAME '=' Host_List

    Cmnd_Alias ::= NAME '=' Cmnd_List

    NAME ::= [A-Z]([A-Z][0-9]_)*

Each alias definition is of the form

    Alias_Type NAME = item1, item2, ...

where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or
Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and
underscore characters ('_'). A NAME must start with an uppercase
letter. It is possible to put several alias definitions of the same
type on a single line, joined by a colon (':'). E.g.,

    Alias_Type NAME = item1, item2, item3 : NAME = item4, item5

The definitions of what constitutes a valid alias member follow.

    User ::= '!'* user name |
             '!'* '%:'nonunix_group |

A User_List is made up of one or more user names, uids (prefixed with
'#'), system groups (prefixed with '%'), netgroups (prefixed with '+')
and User_Aliases. Each list item may be prefixed with zero or more '!'
operators. An odd number of '!' operators negate the value of the
item; an even number just cancel each other out.

A user name, group, netgroup or nonunix_group may be enclosed in double
quotes to avoid the need for escaping special characters. Alternately,
special characters may be specified in escaped hex mode, e.g. \x20 for

The nonunix_group syntax depends on the underlying implementation. For
instance, the QAS AD backend supports the following formats:

    o  Group in the same domain: "Group Name"

    o  Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"

    o  Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"

Note that quotes around group names are optional. Unquoted strings
must use a backslash (\) to escape spaces and the '@' symbol.

    Runas_List ::= Runas_Member |
                   Runas_Member ',' Runas_List

1.7.4                           July 21, 2010

    Runas_Member ::= '!'* user name |

A Runas_List is similar to a User_List except that instead of
User_Aliases it can contain Runas_Aliases. Note that user names and
groups are matched as strings. In other words, two users (groups) with
the same uid (gid) are considered to be distinct. If you wish to match
all user names with the same uid (e.g. root and toor), you can use a
uid instead (#0 in the example given).

    Host ::= '!'* host name |
             '!'* network(/netmask)? |

A Host_List is made up of one or more host names, IP addresses, network
numbers, netgroups (prefixed with '+') and other aliases. Again, the
value of an item may be negated with the '!' operator. If you do not
specify a netmask along with the network number, sudo will query each
of the local host's network interfaces and, if the network number
corresponds to one of the host's network interfaces, the corresponding
netmask will be used. The netmask may be specified either in standard
IP address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or
CIDR notation (number of bits, e.g. 24 or 64). A host name may include
shell-style wildcards (see the Wildcards section below), but unless the
host name command on your machine returns the fully qualified host
name, you'll need to use the fqdn option for wildcards to be useful.
Note sudo only inspects actual network interfaces; this means that IP
address 127.0.0.1 (localhost) will never match. Also, the host name
"localhost" will only match if that is the actual host name, which is
usually only the case for non-networked systems.

    commandname ::= file name |

    Cmnd ::= '!'* commandname |

A Cmnd_List is a list of one or more commandnames, directories, and
other aliases. A commandname is a fully qualified file name which may
include shell-style wildcards (see the Wildcards section below). A
simple file name allows the user to run the command with any arguments
he/she wishes. However, you may also specify command line arguments
(including wildcards). Alternately, you can specify "" to indicate
that the command may only be run without command line arguments. A
directory is a fully qualified path name ending in a '/'. When you
specify a directory in a Cmnd_List, the user will be able to run any
file within that directory (but not in any subdirectories therein).

If a Cmnd has associated command line arguments, then the arguments in
the Cmnd must match exactly those given by the user on the command line
(or match the wildcards if there are any). Note that the following
characters must be escaped with a '\' if they are used in command
arguments: ',', ':', '=', '\'. The special command "sudoedit" is used
to permit a user to run sudo with the -e option (or as sudoedit). It
may take command line arguments just as a normal command does.

Defaults

Certain configuration options may be changed from their default values
at runtime via one or more Default_Entry lines. These may affect all
users on any host, all users on a specific host, a specific user, a
specific command, or commands being run as a specific user. Note that
per-command entries may not include command line arguments. If you
need to specify arguments, define a Cmnd_Alias and reference that

    Default_Type ::= 'Defaults' |
                     'Defaults' '@' Host_List |
                     'Defaults' ':' User_List |
                     'Defaults' '!' Cmnd_List |
                     'Defaults' '>' Runas_List

    Default_Entry ::= Default_Type Parameter_List

    Parameter_List ::= Parameter |
                       Parameter ',' Parameter_List

    Parameter ::= Parameter '=' Value |
                  Parameter '+=' Value |
                  Parameter '-=' Value |

Parameters may be flags, integer values, strings, or lists. Flags are
implicitly boolean and can be turned off via the '!' operator. Some
integer, string and list parameters may also be used in a boolean
context to disable them. Values may be enclosed in double quotes (")
when they contain multiple words. Special characters may be escaped
with a backslash (\).

Lists have two additional assignment operators, += and -=. These
operators are used to add to and delete from a list respectively. It
is not an error to use the -= operator to remove an element that does

Defaults entries are parsed in the following order: generic, host and
user Defaults first, then runas Defaults and finally command defaults.

See "SUDOERS OPTIONS" for a list of supported Defaults parameters.
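The Parameter grammar and list operators above, as an added worked example that is not code from sudo or from this manual: a small Python model of one Parameter_List being applied to a state table. The option names env_reset, passwd_tries and env_keep are real sudoers parameters, but their starting values here are constructed, and the way a non-flag used with '!' is recorded (as None) is this model's choice, not a statement about sudo's internals.

```python
import re

# Constructed starting state; real defaults come from sudo's build options.
INITIAL = {
    "env_reset": True,                   # flag
    "passwd_tries": 3,                   # integer
    "env_keep": ["COLORS", "DISPLAY"],   # list
}

_PARAM_RE = re.compile(r"^(!*)([a-z_]+)\s*(?:(\+=|-=|=)\s*(.*))?$")


def split_parameter_list(text):
    """Split a Parameter_List on commas that are not inside double quotes."""
    items, buf, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            items.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    items.append("".join(buf))
    return [i.strip() for i in items if i.strip()]


def parse_parameter(text):
    """Return (name, op, value); op is '=', '+=', '-=', 'set' or 'unset'."""
    m = _PARAM_RE.match(text.strip())
    if not m:
        raise ValueError("malformed parameter: %r" % text)
    bangs, name, op, value = m.groups()
    if op is None:                                   # bare flag, maybe negated
        return name, ("unset" if len(bangs) % 2 else "set"), None
    if bangs:
        raise ValueError("'!' cannot be combined with an assignment: %r" % text)
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]                          # quoted multi-word value
    return name, op, re.sub(r"\\(.)", r"\1", value)  # drop backslash escapes


def apply_defaults(state, parameter_list):
    """Apply one Defaults Parameter_List to a copy of state and return it."""
    state = {k: list(v) if isinstance(v, list) else v for k, v in state.items()}
    for item in split_parameter_list(parameter_list):
        name, op, value = parse_parameter(item)
        current = state.get(name)
        if op in ("set", "unset"):
            if current is None or isinstance(current, bool):   # a flag
                state[name] = op == "set"
            elif op == "unset":          # non-flag in a boolean context: disabled
                state[name] = None
            else:
                raise ValueError("%s requires a value" % name)
        elif isinstance(current, list):
            words = value.split()
            if op == "=":
                state[name] = words
            elif op == "+=":
                state[name] = current + [w for w in words if w not in current]
            else:                        # '-=': removing an absent member is fine
                state[name] = [w for w in current if w not in words]
        elif op != "=":
            raise ValueError("%s is not a list; += and -= do not apply" % name)
        elif isinstance(current, bool):
            raise ValueError("%s is a flag and takes no value" % name)
        elif isinstance(current, int):
            state[name] = int(value)
        else:
            state[name] = value
    return state
```

Calling apply_defaults(INITIAL, 'env_keep += "DISPLAY XAUTHORITY", passwd_tries = 5, !env_reset') returns a state in which XAUTHORITY has been appended once, passwd_tries is 5 and env_reset is off, while the input dictionary is left untouched.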
User Specification

    User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
                  (':' Host_List '=' Cmnd_Spec_List)*

    Cmnd_Spec_List ::= Cmnd_Spec |
                       Cmnd_Spec ',' Cmnd_Spec_List

    Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd

    Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'

    SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')

    Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
                  'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
                  'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')

A user specification determines which commands a user may run (and as
what user) on specified hosts. By default, commands are run as root,
but this can be changed on a per-command basis.

The basic structure of a user specification is `who = where (as_whom)
what'. Let's break that down into its constituent parts:

Runas_Spec

A Runas_Spec determines the user and/or the group that a command may be
run as. A fully-specified Runas_Spec consists of two Runas_Lists (as
defined above) separated by a colon (':') and enclosed in a set of
parentheses. The first Runas_List indicates which users the command
may be run as via sudo's -u option. The second defines a list of
groups that can be specified via sudo's -g option. If both Runas_Lists
are specified, the command may be run with any combination of users and
groups listed in their respective Runas_Lists. If only the first is
specified, the command may be run as any user in the list but no -g
option may be specified. If the first Runas_List is empty but the
second is specified, the command may be run as the invoking user with
the group set to any listed in the Runas_List. If no Runas_Spec is
specified the command may be run as root and no group may be specified.

A Runas_Spec sets the default for the commands that follow it. What
this means is that for the entry:

    dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm

The user dgb may run /bin/ls, /bin/kill, and /usr/bin/lprm -- but only
as operator. E.g.,

    $ sudo -u operator /bin/ls.

It is also possible to override a Runas_Spec later on in an entry. If
we modify the entry like so:

    dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm

Then user dgb is now allowed to run /bin/ls as operator, but /bin/kill
and /usr/bin/lprm as root.

We can extend this to allow dgb to run /bin/ls with either the user or
group set to operator:

    dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \

In the following example, user tcm may run commands that access a modem
device file with the dialer group. Note that in this example only the
group will be set, the command still runs as user tcm.

    tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
                  /usr/local/bin/minicom

SELinux_Spec

On systems with SELinux support, sudoers entries may optionally have an
SELinux role and/or type associated with a command. If a role or type
is specified with the command it will override any default values
specified in sudoers. A role or type specified on the command line,
however, will supersede the values in sudoers.

Tag_Spec

A command may have zero or more tags associated with it. There are
eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV,
NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a
tag is set on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List inherit
the tag unless it is overridden by the opposite tag (i.e.: PASSWD
overrides NOPASSWD and NOEXEC overrides EXEC).

NOPASSWD and PASSWD

By default, sudo requires that a user authenticate him or herself
before running a command. This behavior can be modified via the
NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for
the commands that follow it in the Cmnd_Spec_List. Conversely, the
PASSWD tag can be used to reverse things. For example:

    ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm

would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm
as root on the machine rushmore without authenticating himself. If we
only want ray to be able to run /bin/kill without a password the entry

    ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm

Note, however, that the PASSWD tag has no effect on users who are in
the group specified by the exempt_group option.

By default, if the NOPASSWD tag is applied to any of the entries for a
user on the current host, he or she will be able to run sudo -l without
a password. Additionally, a user may only run sudo -v without a
password if the NOPASSWD tag is present for all a user's entries that
pertain to the current host. This behavior may be overridden via the
verifypw and listpw options.
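The matching rules described so far (last match wins across entries, '!' negation and '#uid' / '%group' members in a User_List, a Runas_Spec and the NOPASSWD/PASSWD tags carrying forward along a Cmnd_Spec_List) as an added worked example in Python. This is not sudo's parser and not code from this manual: the sample sudoers text reuses the entries quoted above, the uid table and group memberships are constructed, and the ADMINS rule at the end is added to show a later negated entry overriding an earlier grant. Wildcards, command line arguments, netgroups and Defaults are deliberately not modelled.

```python
import re

UIDS = {"root": 0, "toor": 0, "ray": 1001, "dgb": 1002, "tcm": 1003}  # constructed passwd stand-in
GROUPS = {"operator": {"dgb"}, "dialer": {"tcm"}}                     # constructed group stand-in

# Constructed sample built from this manual's examples, one entry per line.
SAMPLE_SUDOERS = """\
# a leading '#' followed by digits is a uid, not a comment
User_Alias ADMINS = ray, dgb : OPERATORS = %operator
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, /usr/local/bin/minicom
#0 boulder = ALL
ADMINS rushmore = /usr/bin/who, !/usr/bin/lprm
"""
CMND_RE = re.compile(r"^(?:\(([^)]*)\))?\s*((?:[A-Z_]+:\s*)*)(.*)$")


def _split_list(text):
    return [s.strip() for s in text.split(",") if s.strip()]


def parse_sudoers(text):
    """Return (aliases, specs) for sudoers text written one entry per line."""
    aliases, specs = {}, []
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or (line[0] == "#" and not line[1:2].isdigit()):
            continue
        kind, rest = line.split(None, 1)
        if kind.endswith("_Alias"):            # several definitions joined by ':'
            for definition in rest.split(":"):
                name, members = definition.split("=", 1)
                aliases[name.strip()] = _split_list(members)
            continue
        left, right = line.split("=", 1)
        users, hosts = left.rsplit(None, 1)    # Host_List assumed space-free
        runas, nopasswd, cmnd_specs = None, False, []
        for item in _split_list(right):
            m = CMND_RE.match(item)
            if m.group(1) is not None:         # a Runas_Spec sets the default
                runas = m.group(1)
            for tag in m.group(2).split():     # NOPASSWD/PASSWD carry forward too
                nopasswd = {"NOPASSWD:": True, "PASSWD:": False}.get(tag, nopasswd)
            cmnd_specs.append((runas, nopasswd, m.group(3).strip()))
        specs.append((_split_list(users), _split_list(hosts), cmnd_specs))
    return aliases, specs


def list_matches(items, value, aliases, test):
    """True (matched), False (a negated member matched) or None (no match);
    the last member that matches decides."""
    result = None
    for item in items:
        bare = item.lstrip("!")
        if bare == "ALL":
            hit = True
        elif bare in aliases:
            hit = list_matches(aliases[bare], value, aliases, test)
        else:
            hit = test(bare, value)
        if hit is not None:                    # an odd number of '!' negates
            result = hit if (len(item) - len(bare)) % 2 == 0 else not hit
    return result


def user_test(item, user):
    if item[0] == "#":                         # uid: root and toor both match #0
        return (UIDS.get(user) == int(item[1:])) or None
    if item[0] == "%":                         # system group
        return (user in GROUPS.get(item[1:], ())) or None
    return (item == user) or None              # names are matched as strings


def name_test(item, value):                    # hosts, runas members, command paths
    return (item == value) or None


def _runas_ok(runas, user, runas_user, runas_group, aliases):
    if runas is None:                          # no Runas_Spec: root only, no group
        return runas_user == "root" and runas_group is None
    users, groups = (_split_list(p) for p in runas.partition(":")[::2])
    user_ok = (list_matches(users, runas_user, aliases, name_test) if users
               else runas_user == user)        # empty first list: invoking user
    group_ok = runas_group is None or bool(
        groups and list_matches(groups, runas_group, aliases, name_test))
    return bool(user_ok) and group_ok


def check(sudoers, user, host, path, runas_user="root", runas_group=None):
    """Walk every entry in order; the last matching Cmnd wins. Returns
    {'allowed': bool, 'nopasswd': bool}, or None when nothing matched."""
    (aliases, specs), verdict = sudoers, None
    for users, hosts, cmnd_specs in specs:
        if not (list_matches(users, user, aliases, user_test)
                and list_matches(hosts, host, aliases, name_test)):
            continue
        for runas, nopasswd, cmnd in cmnd_specs:
            if not _runas_ok(runas, user, runas_user, runas_group, aliases):
                continue
            hit = list_matches([cmnd], path, aliases, name_test)
            if hit is not None:
                verdict = {"allowed": hit, "nopasswd": nopasswd}
    return verdict
```

With parsed = parse_sudoers(SAMPLE_SUDOERS), check(parsed, "ray", "rushmore", "/bin/kill") reports the command allowed without a password, /bin/ls allowed with one, and /usr/bin/lprm denied even though the ray entry grants it, because the later ADMINS entry's !/usr/bin/lprm is the last match. check(parsed, "dgb", "boulder", "/bin/ls") returns None unless runas_user="operator" is requested, and toor reaches the #0 entry through its uid.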
NOEXEC and EXEC

If sudo has been compiled with noexec support and the underlying
operating system supports it, the NOEXEC tag can be used to prevent a
dynamically-linked executable from running further commands itself.

In the following example, user aaron may run /usr/bin/more and
/usr/bin/vi but shell escapes will be disabled.

    aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

See the "PREVENTING SHELL ESCAPES" section below for more details on
how NOEXEC works and whether or not it will work on your system.

SETENV and NOSETENV

These tags override the value of the setenv option on a per-command
basis. Note that if SETENV has been set for a command, any environment
variables set on the command line are not subject to the
restrictions imposed by env_check, env_delete, or env_keep. As such,
only trusted users should be allowed to set variables in this manner.
If the command matched is ALL, the SETENV tag is implied for that
command; this default may be overridden by use of the NOSETENV tag.

LOG_INPUT and NOLOG_INPUT

These tags override the value of the log_input option on a per-command
basis. For more information, see the description of log_input in the
"SUDOERS OPTIONS" section below.

LOG_OUTPUT and NOLOG_OUTPUT

These tags override the value of the log_output option on a per-command
basis. For more information, see the description of log_output in the
"SUDOERS OPTIONS" section below.

Wildcards

sudo allows shell-style wildcards (aka meta or glob characters) to be
used in host names, path names and command line arguments in the
sudoers file. Wildcard matching is done via the POSIX glob(3) and
fnmatch(3) routines. Note that these are not regular expressions.

    *       Matches any set of zero or more characters.

    ?       Matches any single character.

    [...]   Matches any character in the specified range.

    [!...]  Matches any character not in the specified range.

    \x      For any character "x", evaluates to "x". This is used to
            escape special characters such as: "*", "?", "[", and "}".

POSIX character classes may also be used if your system's glob(3) and
fnmatch(3) functions support them. However, because the ':' character
has special meaning in sudoers, it must be escaped. For example:

    /bin/ls [[\:alpha\:]]*

Would match any file name beginning with a letter.

Note that a forward slash ('/') will not be matched by wildcards used
in the path name. When matching the command line arguments, however, a
slash does get matched by wildcards. This is to make a path like:

match /usr/bin/who but not /usr/bin/X11/xterm.

Exceptions to wildcard rules

The following exceptions apply to the above rules:

    ""      If the empty string "" is the only command line argument in the
            sudoers entry it means that command is not allowed to be run
            with any arguments.
Including other files from within sudoers

It is possible to include other sudoers files from within the sudoers
file currently being parsed using the #include and #includedir

This can be used, for example, to keep a site-wide sudoers file in
addition to a local, per-machine file. For the sake of this example
the site-wide sudoers will be /etc/sudoers and the per-machine one will
be /etc/sudoers.local. To include /etc/sudoers.local from within
/etc/sudoers we would use the following line in /etc/sudoers:

    #include /etc/sudoers.local

When sudo reaches this line it will suspend processing of the current
file (/etc/sudoers) and switch to /etc/sudoers.local. Upon reaching
the end of /etc/sudoers.local, the rest of /etc/sudoers will be
processed. Files that are included may themselves include other files.
A hard limit of 128 nested include files is enforced to prevent include

The file name may include the %h escape, signifying the short form of
the host name. I.e., if the machine's host name is "xerxes", then

    #include /etc/sudoers.%h

will cause sudo to include the file /etc/sudoers.xerxes.

The #includedir directive can be used to create a sudo.d directory that
the system package manager can drop sudoers rules into as part of
package installation. For example, given:

    #includedir /etc/sudoers.d

sudo will read each file in /etc/sudoers.d, skipping file names that
end in ~ or contain a . character to avoid causing problems with
package manager or editor temporary/backup files. Files are parsed in
sorted lexical order. That is, /etc/sudoers.d/01_first will be parsed
before /etc/sudoers.d/10_second. Be aware that because the sorting is
lexical, not numeric, /etc/sudoers.d/1_whoops would be loaded after
/etc/sudoers.d/10_second. Using a consistent number of leading zeroes
in the file names avoids such problems.
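The #include and #includedir behaviour described above, as an added worked example in Python that is not sudo's code and not from this manual. It walks a constructed in-memory file tree in the order sudo is described as processing it: %h substituted in #include targets, #includedir members filtered (names ending in ~ or containing a '.' skipped) and taken in lexical order, and the stated limit of 128 nested includes enforced. The file names and contents are constructed; the README entry is included to show that a file with neither a '~' nor a '.' in its name is parsed like any other. How sudo reacts to a missing #include target is not modelled (this code raises KeyError).

```python
import posixpath

MAX_NESTING = 128   # the hard limit on nested include files stated above

# Constructed in-memory file system: a file maps to its text, a directory to
# the names it contains. Stands in for the real /etc tree.
FILES = {
    "/etc/sudoers": "Defaults env_reset\n"
                    "#include /etc/sudoers.%h\n"
                    "#includedir /etc/sudoers.d\n"
                    "ray ALL = ALL\n",
    "/etc/sudoers.xerxes": "dgb xerxes = /bin/ls\n",
    "/etc/sudoers.d": ["10_second", "1_whoops", "01_first", "README",
                       "50_pkg.dpkg-new", "20_local~"],
    "/etc/sudoers.d/01_first": "tcm ALL = /usr/bin/tip\n",
    "/etc/sudoers.d/10_second": "ray ALL = /bin/kill\n",
    "/etc/sudoers.d/1_whoops": "ray ALL = !/bin/kill\n",
    "/etc/sudoers.d/README": "# documentation, but its name has no '.' so it is parsed\n",
}


def includedir_files(directory, names):
    """Full paths sudo would parse from a #includedir directory, in order:
    names ending in '~' or containing '.' are skipped, the rest are taken in
    sorted lexical order (so '10_second' comes before '1_whoops')."""
    return [posixpath.join(directory, n) for n in sorted(names)
            if not n.endswith("~") and "." not in n]


def expand(path, host, fs, depth=0):
    """Yield (source file, line) in the order sudo would process them,
    descending into #include and #includedir as each is reached."""
    if depth > MAX_NESTING:
        raise RuntimeError("more than %d nested includes at %s" % (MAX_NESTING, path))
    for line in fs[path].splitlines():            # a missing file is a KeyError here
        directive, _, arg = line.partition(" ")
        arg = arg.strip()
        if directive == "#include":
            # %h is replaced by the short host name before the file is opened.
            yield from expand(arg.replace("%h", host), host, fs, depth + 1)
        elif directive == "#includedir":
            for member in includedir_files(arg, fs[arg]):
                yield from expand(member, host, fs, depth + 1)
        else:
            yield path, line


def effective_lines(path, host, fs):
    """The fully expanded configuration as a flat list of lines."""
    return [line for _, line in expand(path, host, fs)]
```

effective_lines("/etc/sudoers", "xerxes", FILES) yields the /etc/sudoers.xerxes line where the #include sits, then the four surviving /etc/sudoers.d members with 1_whoops after 10_second, then the remainder of /etc/sudoers; a file that includes itself stops with a RuntimeError once the nesting limit is passed. Because the last matching entry wins, the ordering this function reports is exactly what decides whether 1_whoops's negation overrides 10_second's grant.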
Note that unlike files included via #include, visudo will not edit the
files in a #includedir directory unless one of them contains a syntax
error. It is still possible to run visudo with the -f flag to edit the

Other special characters and reserved words

The pound sign ('#') is used to indicate a comment (unless it is part
of a #include directive or unless it occurs in the context of a user
name and is followed by one or more digits, in which case it is treated
as a uid). Both the comment character and any text after it, up to the
end of the line, are ignored.

The reserved word ALL is a built-in alias that always causes a match to
succeed. It can be used wherever one might otherwise use a Cmnd_Alias,
User_Alias, Runas_Alias, or Host_Alias. You should not try to define
your own alias called ALL as the built-in alias will be used in
preference to your own. Please note that using ALL can be dangerous
since in a command context, it allows the user to run any command on

An exclamation point ('!') can be used as a logical not operator both
in an alias and in front of a Cmnd. This allows one to exclude certain
values. Note, however, that using a ! in conjunction with the built-in
ALL alias to allow a user to run "all but a few" commands rarely works
as intended (see SECURITY NOTES below).

Long lines can be continued with a backslash ('\') as the last
character on the line.

Whitespace between elements in a list as well as special syntactic
characters in a User Specification ('=', ':', '(', ')') is optional.

The following characters must be escaped with a backslash ('\') when
used as part of a word (e.g. a user name or host name): '@', '!', '=',
':', ',', '(', ')', '\'.

SUDOERS OPTIONS

sudo's behavior can be modified by Default_Entry lines, as explained
earlier. A list of all supported Defaults parameters, grouped by type,

Boolean Flags:

always_set_home
        If enabled, sudo will set the HOME environment variable
        to the home directory of the target user (which is root
        unless the -u option is used). This effectively means
        that the -H option is always implied. Note that HOME
        is already set when the env_reset option is
        enabled, so always_set_home is only effective for
        configurations where env_reset is disabled. This flag
        is off by default.

authenticate
        If set, users must authenticate themselves via a
        password (or other means of authentication) before they
        may run commands. This default may be overridden via
        the PASSWD and NOPASSWD tags. This flag is on by

        If set, the user may use sudo's -C option which
        overrides the default starting point at which sudo
        begins closing open file descriptors. This flag is off

compress_io
        If set, and sudo is configured to log a command's input
        or output, the I/O logs will be compressed using zlib.
        This flag is on by default when sudo is compiled with
        zlib support.

env_editor
        If set, visudo will use the value of the EDITOR or
        VISUAL environment variables before falling back on the
        default editor list. Note that this may create a
        security hole as it allows the user to run any
        arbitrary command as root without logging. A safer
        alternative is to place a colon-separated list of
        editors in the editor variable. visudo will then only
        use the EDITOR or VISUAL if they match a value
        specified in editor. This flag is off by default.

env_reset
        If set, sudo will reset the environment to only contain
        the LOGNAME, MAIL, SHELL, USER, USERNAME and the SUDO_*
        variables. Any variables in the caller's environment
        that match the env_keep and env_check lists are then
        added. The default contents of the env_keep and
        env_check lists are displayed when sudo is run by root
        with the -V option. If the secure_path option is set,
        its value will be used for the PATH environment
        variable. This flag is on by default.

fast_glob
        Normally, sudo uses the glob(3) function to do
        shell-style globbing when matching path names. However,
        since it accesses the file system, glob(3) can take a
        long time to complete for some patterns, especially
        when the pattern references a network file system that
        is mounted on demand (automounted). The fast_glob
        option causes sudo to use the fnmatch(3) function,
        which does not access the file system to do its
        matching. The disadvantage of fast_glob is that it is
        unable to match relative path names such as ./ls or
        ../bin/ls. This has security implications when path
        names that include globbing characters are used with
        the negation operator, '!', as such rules can be
        trivially bypassed. As such, this option should not be
        used when sudoers contains rules that contain negated
        path names which include globbing characters. This
        flag is off by default.

fqdn
        Set this flag if you want to put fully qualified host
        names in the sudoers file. I.e., instead of myhost you
        would use myhost.mydomain.edu. You may still use the
        short form if you wish (and even mix the two). Beware
        that turning on fqdn requires sudo to make DNS lookups
        which may make sudo unusable if DNS stops working (for
        example if the machine is not plugged into the
        network). Also note that you must use the host's
        official name as DNS knows it. That is, you may not
        use a host alias (CNAME entry) due to performance
        issues and the fact that there is no way to get all
        aliases from DNS. If your machine's host name (as
        returned by the hostname command) is already fully
        qualified you shouldn't need to set fqdn. This flag is
        off by default.

ignore_dot
        If set, sudo will ignore '.' or '' (current dir) in the
        PATH environment variable; the PATH itself is not
        modified. This flag is off by default.

        If set via LDAP, parsing of /etc/sudoers will be
        skipped. This is intended for Enterprises that wish to
        prevent the usage of local sudoers files so that only
        LDAP is used. This thwarts the efforts of rogue
        operators who would attempt to add roles to
        /etc/sudoers. When this option is present,
        /etc/sudoers does not even need to exist. Since this
        option tells sudo how to behave when no specific LDAP
        entries have been matched, this sudoOption is only
        meaningful for the cn=defaults section. This flag is
        off by default.

insults
        If set, sudo will insult users when they enter an
        incorrect password. This flag is off by default.

log_host
        If set, the host name will be logged in the
        (non-syslog) sudo log file. This flag is off by default.

log_year
        If set, the four-digit year will be logged in the
        (non-syslog) sudo log file. This flag is off by default.

long_otp_prompt
        When validating with a One Time Password (OTP) scheme
        such as S/Key or OPIE, a two-line prompt is used to
        make it easier to cut and paste the challenge to a
        local window. It's not as pretty as the default but
        some people find it more convenient. This flag is off

mail_always
        Send mail to the mailto user every time a user runs
        sudo. This flag is off by default.

mail_badpass
        Send mail to the mailto user if the user running sudo
        does not enter the correct password. This flag is off

mail_no_host
        If set, mail will be sent to the mailto user if the
        invoking user exists in the sudoers file, but is not
        allowed to run commands on the current host. This flag
        is off by default.

mail_no_perms
        If set, mail will be sent to the mailto user if the
        invoking user is allowed to use sudo but the command
        they are trying is not listed in their sudoers file
        entry or is explicitly denied. This flag is off by

mail_no_user
        If set, mail will be sent to the mailto user if the
        invoking user is not in the sudoers file. This flag is

noexec
        If set, all commands run via sudo will behave as if the
        NOEXEC tag has been set, unless overridden by an EXEC
        tag. See the description of NOEXEC and EXEC below as
        well as the "PREVENTING SHELL ESCAPES" section at the
        end of this manual. This flag is off by default.

path_info
        Normally, sudo will tell the user when a command could
        not be found in their PATH environment variable. Some
        sites may wish to disable this as it could be used to
        gather information on the location of executables that
777 the normal user does not have access to. The
778 disadvantage is that if the executable is simply not in
779 the user's PATH, s
\bsu
\bud
\bdo
\bo will tell the user that they are
780 not allowed to run it, which can be confusing. This
781 flag is _
\bo_
\bn by default.
                       The password prompt specified by passprompt will
                       normally only be used if the password prompt provided
                       by systems such as PAM matches the string "Password:".
                       If passprompt_override is set, passprompt will always
                       be used. This flag is off by default.
       preserve_groups By default, sudo will initialize the group vector to
                       the list of groups the target user is in. When
                       preserve_groups is set, the user's existing group
                       vector is left unaltered. The real and effective group
                       IDs, however, are still set to match the target user.
                       This flag is off by default.

       pwfeedback      By default, sudo reads the password like most other
                       Unix programs, by turning off echo until the user hits
                       the return (or enter) key. Some users become confused
                       by this as it appears to them that sudo has hung at
                       this point. When pwfeedback is set, sudo will provide
                       visual feedback when the user presses a key. Note that
                       this does have a security impact as an onlooker may be
                       able to determine the length of the password being
                       entered. This flag is off by default.

       requiretty      If set, sudo will only run when the user is logged in
                       to a real tty. When this flag is set, sudo can only be
                       run from a login session and not via other means such
                       as cron(1m) or cgi-bin scripts. This flag is off by

       root_sudo       If set, root is allowed to run sudo too. Disabling
                       this prevents users from "chaining" sudo commands to
                       get a root shell by doing something like "sudo sudo
                       /bin/sh". Note, however, that turning off root_sudo
                       will also prevent root from running sudoedit.
                       Disabling root_sudo provides no real additional
                       security; it exists purely for historical reasons.
                       This flag is on by default.

       rootpw          If set, sudo will prompt for the root password instead
                       of the password of the invoking user. This flag is off

       runaspw         If set, sudo will prompt for the password of the user
                       defined by the runas_default option (defaults to root)
                       instead of the password of the invoking user. This
                       flag is off by default.

       set_home        If enabled and sudo is invoked with the -s option the
                       HOME environment variable will be set to the home
                       directory of the target user (which is root unless the
                       -u option is used). This effectively makes the -s
                       option imply -H. Note that HOME is already set when
                       the env_reset option is enabled, so set_home is only
                       effective for configurations where env_reset is
                       disabled. This flag is off by default.

       set_logname     Normally, sudo will set the LOGNAME, USER and USERNAME
                       environment variables to the name of the target user
                       (usually root unless the -u option is given). However,
                       since some programs (including the RCS revision control
                       system) use LOGNAME to determine the real identity of
                       the user, it may be desirable to change this behavior.
                       This can be done by negating the set_logname option.
                       Note that if the env_reset option has not been
                       disabled, entries in the env_keep list will override
                       the value of set_logname. This flag is on by default.

       setenv          Allow the user to disable the env_reset option from the
                       command line. Additionally, environment variables set
                       via the command line are not subject to the
                       restrictions imposed by env_check, env_delete, or
                       env_keep. As such, only trusted users should be
                       allowed to set variables in this manner. This flag is
                       off by default.

       shell_noargs    If set and sudo is invoked with no arguments it acts as
                       if the -s option had been given. That is, it runs a
                       shell as root (the shell is determined by the SHELL
                       environment variable if it is set, falling back on the
                       shell listed in the invoking user's /etc/passwd entry
                       if not). This flag is off by default.

       stay_setuid     Normally, when sudo executes a command the real and
                       effective UIDs are set to the target user (root by
                       default). This option changes that behavior such that
                       the real UID is left as the invoking user's UID. In
                       other words, this makes sudo act as a setuid wrapper.
                       This can be useful on systems that disable some
                       potentially dangerous functionality when a program is
                       run setuid. This option is only effective on systems
                       with either the setreuid() or setresuid() function.
                       This flag is off by default.

       targetpw        If set, sudo will prompt for the password of the user
                       specified by the -u option (defaults to root) instead
                       of the password of the invoking user. In addition, the
                       timestamp file name will include the target user's
                       name. Note that this flag precludes the use of a uid
                       not listed in the passwd database as an argument to the
                       -u option. This flag is off by default.

       log_input       If set, sudo will run the command in a pseudo tty and
                       log all user input. If the standard input is not
                       connected to the user's tty, due to I/O redirection or
                       because the command is part of a pipeline, that input
                       is also captured and stored in a separate log file.

                       Input is logged to the /var/log/sudo-io directory using
                       a unique session ID that is included in the normal sudo
                       log line, prefixed with TSID=.

       log_output      If set, sudo will run the command in a pseudo tty and
                       log all output that is sent to the screen, similar to
                       the script(1) command. If the standard output or
                       standard error is not connected to the user's tty, due
                       to I/O redirection or because the command is part of a
                       pipeline, that output is also captured and stored in

                       Output is logged to the /var/log/sudo-io directory
                       using a unique session ID that is included in the
                       normal sudo log line, prefixed with TSID=.

                       Output logs may be viewed with the sudoreplay(1m)
                       utility, which can also be used to list or search the

       tty_tickets     If set, users must authenticate on a per-tty basis.
                       With this flag enabled, sudo will use a file named for
                       the tty the user is logged in on in the user's time
                       stamp directory. If disabled, the time stamp of the
                       directory is used instead. This flag is on by default.

       umask_override  If set, sudo will set the umask as specified by sudoers
                       without modification. This makes it possible to
                       specify a more permissive umask in sudoers than the
                       user's own umask and matches historical behavior. If
                       umask_override is not set, sudo will set the umask to
                       be the union of the user's umask and what is specified
                       in sudoers. This flag is off by default.

       use_loginclass  If set, sudo will apply the defaults specified for the
                       target user's login class if one exists. Only
                       available if sudo is configured with the
                       --with-logincap option. This flag is off by default.

       use_pty         If set, sudo will run the command in a pseudo-pty even
                       if no I/O logging is being done. A malicious program
                       run under sudo could conceivably fork a background
                       process that retains access to the user's terminal
                       device after the main program has finished executing.
                       Use of this option will make that impossible.

       visiblepw       By default, sudo will refuse to run if the user must
                       enter a password but it is not possible to disable echo
                       on the terminal. If the visiblepw flag is set, sudo
                       will prompt for a password even when it would be
                       visible on the screen. This makes it possible to run
                       things like "rsh somehost sudo ls" since rsh(1) does
                       not allocate a tty. This flag is off by default.
   Integers:

       closefrom       Before it executes a command, sudo will close all open
                       file descriptors other than standard input, standard
                       output and standard error (i.e., file descriptors 0-2).
                       The closefrom option can be used to specify a different
                       file descriptor at which to start closing. The default

       passwd_tries    The number of tries a user gets to enter his/her
                       password before sudo logs the failure and exits. The

   Integers that can be used in a boolean context:

       loglinelen      Number of characters per line for the file log. This
                       value is used to decide when to wrap lines for nicer
                       log files. This has no effect on the syslog log file,
                       only the file log. The default is 80 (use 0 or negate
                       the option to disable word wrap).

       passwd_timeout  Number of minutes before the sudo password prompt times
                       out, or 0 for no timeout. The timeout may include a
                       fractional component if minute granularity is
                       insufficient, for example 2.5. The default is 5.

                       Number of minutes that can elapse before sudo will ask
                       for a passwd again. The timeout may include a
                       fractional component if minute granularity is
                       insufficient, for example 2.5. The default is 5. Set
                       this to 0 to always prompt for a password. If set to a
                       value less than 0 the user's timestamp will never
                       expire. This can be used to allow users to create or
                       delete their own timestamps via sudo -v and sudo -k

       umask           Umask to use when running the command. Negate this
                       option or set it to 0777 to preserve the user's umask.
                       The actual umask that is used will be the union of the
                       user's umask and 0022. This guarantees that sudo never
                       lowers the umask when running a command. Note on
                       systems that use PAM, the default PAM configuration may
                       specify its own umask which will override the value set
                       in sudoers.
   Strings:

       badpass_message Message that is displayed if a user enters an incorrect
                       password. The default is "Sorry, try again." unless
                       insults are enabled.

       editor          A colon (':') separated list of editors allowed to be
                       used with visudo. visudo will choose the editor that
                       matches the user's EDITOR environment variable if
                       possible, or the first editor in the list that exists
                       and is executable. The default is "vi".

       mailsub         Subject of the mail sent to the mailto user. The escape
                       %h will expand to the host name of the machine.
                       Default is *** SECURITY information for %h ***.

       noexec_file     Path to a shared library containing dummy versions of
                       the execv(), execve() and fexecve() library functions
                       that just return an error. This is used to implement
                       the noexec functionality on systems that support
                       LD_PRELOAD or its equivalent. Defaults to
                       /usr/local/libexec/sudo_noexec.so.

       passprompt      The default prompt to use when asking for a password;
                       can be overridden via the -p option or the SUDO_PROMPT
                       environment variable. The following percent (`%')
                       escapes are supported:

                       %H  expanded to the local host name including the
                           domain name (only if the machine's host name is
                           fully qualified or the fqdn option is set)

                       %h  expanded to the local host name without the domain

                       %p  expanded to the user whose password is being asked
                           for (respects the rootpw, targetpw and runaspw
                           flags in sudoers)

                       %U  expanded to the login name of the user the command
                           will be run as (defaults to root)

                       %u  expanded to the invoking user's login name

                       %%  two consecutive % characters are collapsed into a

                       The default value is Password:.

       role            The default SELinux role to use when constructing a new
                       security context to run the command. The default role
                       may be overridden on a per-command basis in sudoers or
                       via command line options. This option is only
                       available when sudo is built with SELinux support.

       runas_default   The default user to run commands as if the -u option is
                       not specified on the command line. This defaults to
                       root. Note that if runas_default is set it must occur
                       before any Runas_Alias specifications.

       syslog_badpri   Syslog priority to use when user authenticates
                       unsuccessfully. Defaults to alert.

       syslog_goodpri  Syslog priority to use when user authenticates
                       successfully. Defaults to notice.

       sudoers_locale  Locale to use when parsing the sudoers file. Note that
                       changing the locale may affect how sudoers is
                       interpreted. Defaults to "C".

       timestampdir    The directory in which sudo stores its timestamp files.
                       The default is /var/adm/sudo.

       timestampowner  The owner of the timestamp directory and the timestamps
                       stored therein. The default is root.

       type            The default SELinux type to use when constructing a new
                       security context to run the command. The default type
                       may be overridden on a per-command basis in sudoers or
                       via command line options. This option is only
                       available when sudo is built with SELinux support.
   Strings that can be used in a boolean context:

       askpass         The askpass option specifies the fully qualified path to
                       a helper program used to read the user's password when
                       no terminal is available. This may be the case when
                       sudo is executed from a graphical (as opposed to
                       text-based) application. The program specified by
                       askpass should display the argument passed to it as the
                       prompt and write the user's password to the standard
                       output. The value of askpass may be overridden by the
                       SUDO_ASKPASS environment

       env_file        The env_file option specifies the fully qualified path
                       to a file containing variables to be set in the
                       environment of the program being run. Entries in this
                       file should either be of the form VARIABLE=value or
                       export VARIABLE=value. The value may optionally be
                       surrounded by single or double quotes. Variables in
                       this file are subject to other sudo environment
                       settings such as env_keep and env_check.

                       Users in this group are exempt from password and PATH
                       requirements. This is not set by default.

       lecture         This option controls when a short lecture will be
                       printed along with the password prompt. It has the
                       following

                       always     Always lecture the user.

                       never      Never lecture the user.

                       once       Only lecture the user the first time they
                                  run sudo.

                       If no value is specified, a value of once is implied.
                       Negating the option results in a value of never being
                       used. The default value is once.

                       Path to a file containing an alternate sudo lecture
                       that will be used in place of the standard lecture if
                       the named file exists. By default, sudo uses a
                       built-in lecture.

       listpw          This option controls when a password will be required
                       when a user runs sudo with the -l option. It has the
                       following

                       all        All the user's sudoers entries for the
                                  current host must have the NOPASSWD flag set
                                  to avoid entering a

                       always     The user must always enter a password to use
                                  the -l

                       any        At least one of the user's sudoers entries
                                  for the current host must have the NOPASSWD
                                  flag set to avoid entering a password.

                       never      The user need never enter a password to use
                                  the -l

                       If no value is specified, a value of any is implied.
                       Negating the option results in a value of never being
                       used. The default value is any.

       logfile         Path to the sudo log file (not the syslog log file).
                       Setting a path turns on logging to a file; negating
                       this option turns it off. By default, sudo logs via
                       syslog.

       mailerflags     Flags to use when invoking mailer. Defaults to -t.

       mailerpath      Path to mail program used to send warning mail.
                       Defaults to the path to sendmail found at configure
                       time.

       mailfrom        Address to use for the "from" address when sending
                       warning and error mail. The address should be enclosed
                       in double quotes (") to protect against sudo
                       interpreting the @ sign. Defaults to the name of the
                       user running sudo.

       mailto          Address to send warning and error mail to. The address
                       should be enclosed in double quotes (") to protect
                       against sudo interpreting the @ sign. Defaults to
                       root.

       secure_path     Path used for every command run from sudo. If you
                       don't trust the people running sudo to have a sane PATH
                       environment variable you may want to use this. Another
                       use is if you want to have the "root path" be separate
                       from the "user path." Users in the group specified by
                       the exempt_group option are not affected by
                       secure_path. This option is not set by default.

       syslog          Syslog facility if syslog is being used for logging
                       (negate to disable syslog logging). Defaults to auth.

       verifypw        This option controls when a password will be required
                       when a user runs sudo with the -v option. It has the
                       following

                       all        All the user's sudoers entries for the
                                  current host must have the NOPASSWD flag set
                                  to avoid entering a

                       always     The user must always enter a password to use
                                  the -v

                       any        At least one of the user's sudoers entries
                                  for the current host must have the NOPASSWD
                                  flag set to avoid entering a password.

                       never      The user need never enter a password to use
                                  the -v

                       If no value is specified, a value of all is implied.
                       Negating the option results in a value of never being
                       used. The default value is all.

   Lists that can be used in a boolean context:

       env_check       Environment variables to be removed from the user's
                       environment if the variable's value contains % or /
                       characters. This can be used to guard against printf-
                       style format vulnerabilities in poorly-written
                       programs. The argument may be a double-quoted, space-
                       separated list or a single value without double-quotes.
                       The list can be replaced, added to, deleted from, or
                       disabled by using the =, +=, -=, and ! operators
                       respectively. Regardless of whether the env_reset
                       option is enabled or disabled, variables specified by
                       env_check will be preserved in the environment if they
                       pass the aforementioned check. The default list of
                       environment variables to check is displayed when sudo
                       is run by root with the -V option.

       env_delete      Environment variables to be removed from the user's
                       environment when the env_reset option is not in effect.
                       The argument may be a double-quoted, space-separated
                       list or a single value without double-quotes. The list
                       can be replaced, added to, deleted from, or disabled by
                       using the =, +=, -=, and ! operators respectively. The
                       default list of environment variables to remove is
                       displayed when sudo is run by root with the -V option.
                       Note that many operating systems will remove
                       potentially dangerous variables from the environment of
                       any setuid process (such as sudo).

       env_keep        Environment variables to be preserved in the user's
                       environment when the env_reset option is in effect.
                       This allows fine-grained control over the environment
                       sudo-spawned processes will receive. The argument may
                       be a double-quoted, space-separated list or a single
                       value without double-quotes. The list can be replaced,
                       added to, deleted from, or disabled by using the =, +=,
                       -=, and ! operators respectively. The default list of
                       variables to keep is displayed when sudo is run by root
                       with the -V option.
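       As an added illustration (not sudo's own code), the Python model below
       applies the =, +=, -= and ! list operators described for env_check,
       env_delete and env_keep, then decides under the rules stated above
       which variables of a constructed environment survive with and without
       env_reset. It assumes exact variable names (no wildcard entries) and
       leaves out the minimal environment sudo supplies on its own under
       env_reset.

```python
"""Model of how the env_keep, env_check and env_delete lists, and the
=, +=, -= and ! list operators, shape the environment a command gets.

Added illustration of the rules stated in the manual text above; this is
NOT sudo's own code. Simplifications (assumptions): list members are
exact variable names (no wildcards), and the minimal environment sudo
always supplies under env_reset is left out."""
import re
from dataclasses import dataclass, field

# Matches lines such as:   Defaults env_keep += "DISPLAY HOME"
#                          Defaults !env_delete
DEFAULTS_RE = re.compile(
    r'^\s*Defaults\s+(!?)(env_keep|env_check|env_delete)'
    r'(?:\s*(\+=|-=|=)\s*(.*?))?\s*$')


@dataclass
class EnvLists:
    keep: set = field(default_factory=set)    # env_keep
    check: set = field(default_factory=set)   # env_check
    delete: set = field(default_factory=set)  # env_delete


def apply_list_op(current: set, op: str, value: str) -> set:
    """'=' replaces the list, '+=' adds to it, '-=' removes from it and
    '!' disables it. The value may be a double-quoted, space-separated
    list or a single bare word."""
    items = set(value.strip().strip('"').split())
    if op == "=":
        return items
    if op == "+=":
        return current | items
    if op == "-=":
        return current - items
    if op == "!":
        return set()
    raise ValueError(f"unknown list operator {op!r}")


def parse_defaults_line(line: str):
    """Return (list name, operator, value) for one Defaults line."""
    m = DEFAULTS_RE.match(line)
    if not m:
        raise ValueError(f"not an env list Defaults line: {line!r}")
    negated, name, op, value = m.groups()
    if negated:
        return name, "!", ""
    if op is None:
        raise ValueError(f"missing list operator in: {line!r}")
    return name, op, value


def apply_defaults(lists: EnvLists, lines) -> EnvLists:
    """Apply Defaults lines in order, as sudoers applies them."""
    attr = {"env_keep": "keep", "env_check": "check", "env_delete": "delete"}
    for line in lines:
        name, op, value = parse_defaults_line(line)
        current = getattr(lists, attr[name])
        setattr(lists, attr[name], apply_list_op(current, op, value))
    return lists


def passes_check(value: str) -> bool:
    """env_check keeps a variable only if its value has no '%' or '/'."""
    return "%" not in value and "/" not in value


def filter_environment(env: dict, lists: EnvLists, env_reset: bool) -> dict:
    """Return the variables that survive under the stated rules."""
    out = {}
    for name, value in env.items():
        if name in lists.check:
            # env_check applies whether or not env_reset is in effect
            if passes_check(value):
                out[name] = value
        elif env_reset:
            # with env_reset, only env_keep entries are preserved
            if name in lists.keep:
                out[name] = value
        elif name not in lists.delete:
            # without env_reset, everything survives except env_delete
            out[name] = value
    return out


# Constructed sample: a small starting set of lists plus the page's own
# env_keep line, applied to a constructed invoking-user environment.
SAMPLE_LISTS = apply_defaults(
    EnvLists(keep={"TERM"}, check={"COLORTERM", "LS_COLORS"},
             delete={"IFS", "LD_PRELOAD"}),
    ['Defaults env_keep += "DISPLAY HOME"'])
SAMPLE_ENV = {
    "HOME": "/home/alice", "DISPLAY": ":0", "TERM": "xterm",
    "EDITOR": "vim", "COLORTERM": "truecolor",
    "LS_COLORS": "di=01;34:ln=/x",          # fails the env_check test
    "LD_PRELOAD": "/tmp/untrusted.so", "IFS": " ",
}

if __name__ == "__main__":
    for reset in (True, False):
        kept = sorted(filter_environment(SAMPLE_ENV, SAMPLE_LISTS, reset))
        print(f"env_reset={reset}: {kept}")
```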
       When logging via syslog(3), sudo accepts the following values for the
       syslog facility (the value of the syslog Parameter): authpriv (if your
       OS supports it), auth, daemon, user, local0, local1, local2, local3,
       local4, local5, local6, and local7. The following syslog priorities
       are supported: alert, crit, debug, emerg, err, info, notice, and
       warning.

FILES
       /etc/sudoers            List of who can run what

       /etc/group              Local groups file

       /etc/netgroup           List of network groups

       /var/log/sudo-io        I/O log files

EXAMPLES
       Below are example sudoers entries. Admittedly, some of these are a bit
       contrived. First, we allow a few environment variables to pass and
       then define our aliases:

           # Run X applications through sudo; HOME is used to find the
           # .Xauthority file. Note that other programs use HOME to find
           # configuration files and this may lead to privilege escalation!
           Defaults env_keep += "DISPLAY HOME"

           # User alias specification
           User_Alias FULLTIMERS = millert, mikef, dowdy
           User_Alias PARTTIMERS = bostley, jwfox, crawl
           User_Alias WEBMASTERS = will, wendy, wim

           # Runas alias specification
           Runas_Alias OP = root, operator
           Runas_Alias DB = oracle, sybase
           Runas_Alias ADMINGRP = adm, oper

           # Host alias specification
           Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
                      SGI = grolsch, dandelion, black :\
                      ALPHA = widget, thalamus, foobar :\
                      HPPA = boa, nag, python
           Host_Alias CUNETS = 128.138.0.0/255.255.0.0
           Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
           Host_Alias SERVERS = master, mail, www, ns
           Host_Alias CDROM = orion, perseus, hercules

           # Cmnd alias specification
           Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
                              /usr/sbin/restore, /usr/sbin/rrestore
           Cmnd_Alias KILL = /usr/bin/kill
           Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
           Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
           Cmnd_Alias HALT = /usr/sbin/halt
           Cmnd_Alias REBOOT = /usr/sbin/reboot
           Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                               /usr/local/bin/tcsh, /usr/bin/rsh, \
           Cmnd_Alias SU = /usr/bin/su
           Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
1409 Here we override some of the compiled in default values. We want s
\bsu
\bud
\bdo
\bo
1410 to log via _
\bs_
\by_
\bs_
\bl_
\bo_
\bg(3) using the _
\ba_
\bu_
\bt_
\bh facility in all cases. We don't
1411 want to subject the full time staff to the s
\bsu
\bud
\bdo
\bo lecture, user m
\bmi
\bil
\bll
\ble
\ber
\brt
\bt
1412 need not give a password, and we don't want to reset the LOGNAME, USER
1413 or USERNAME environment variables when running commands as root.
1414 Additionally, on the machines in the _
\bS_
\bE_
\bR_
\bV_
\bE_
\bR_
\bS Host_Alias, we keep an
1415 additional local log file and make sure we log the year in each log
1416 line since the log entries will be kept around for several years.
1417 Lastly, we disable shell escapes for the commands in the PAGERS
1418 Cmnd_Alias (_
\b/_
\bu_
\bs_
\br_
\b/_
\bb_
\bi_
\bn_
\b/_
\bm_
\bo_
\br_
\be, _
\b/_
\bu_
\bs_
\br_
\b/_
\bb_
\bi_
\bn_
\b/_
\bp_
\bg and _
\b/_
\bu_
\bs_
\br_
\b/_
\bb_
\bi_
\bn_
\b/_
\bl_
\be_
\bs_
\bs).
1420 # Override built-in defaults
1421 Defaults syslog=auth
1422 Defaults>root !set_logname
1423 Defaults:FULLTIMERS !lecture
1424 Defaults:millert !authenticate
1425 Defaults@SERVERS log_year, logfile=/var/log/sudo.log
1426 Defaults!PAGERS noexec
1428 The _
\bU_
\bs_
\be_
\br _
\bs_
\bp_
\be_
\bc_
\bi_
\bf_
\bi_
\bc_
\ba_
\bt_
\bi_
\bo_
\bn is the part that actually determines who may run
1431 root ALL = (ALL) ALL
1432 %wheel ALL = (ALL) ALL
1434 We let r
\bro
\boo
\bot
\bt and any user in group w
\bwh
\bhe
\bee
\bel
\bl run any command on any host as
1437 FULLTIMERS ALL = NOPASSWD: ALL
1439 Full time sysadmins (m
\bmi
\bil
\bll
\ble
\ber
\brt
\bt, m
\bmi
\bik
\bke
\bef
\bf, and d
\bdo
\bow
\bwd
\bdy
\by) may run any command on
1440 any host without authenticating themselves.
1442 PARTTIMERS ALL = ALL
1444 Part time sysadmins (b
\bbo
\bos
\bst
\btl
\ble
\bey
\by, j
\bjw
\bwf
\bfo
\box
\bx, and c
\bcr
\bra
\baw
\bwl
\bl) may run any command on
1445 any host but they must authenticate themselves first (since the entry
1446 lacks the NOPASSWD tag).
1450 1.7.4 July 21, 2010 22
1456 SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
The user jack may run any command on the machines in the CSNETS alias
(the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of
those networks, only 128.138.204.0 has an explicit netmask (in CIDR
notation) indicating it is a class C network. For the other networks
in CSNETS, the local machine's netmask will be used during matching.

The user lisa may run any command on any host in the CUNETS alias (the
class B network 128.138.0.0).

    operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
    sudoedit /etc/printcap, /usr/oper/bin/

The operator user may run commands limited to simple maintenance.
Here, those are commands related to backups, killing processes, the
printing system, shutting down the system, and any commands in the
directory /usr/oper/bin/.

    joe ALL = /usr/bin/su operator

The user joe may only su(1) to operator.

    pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

    %opers ALL = (: ADMINGRP) /usr/sbin/

Users in the opers group may run commands in /usr/sbin/ as themselves
with any group in the ADMINGRP Runas_Alias (the adm and oper groups).

The user pete is allowed to change anyone's password except for root on
the HPPA machines. Note that this assumes passwd(1) does not take
multiple user names on the command line.

    bob SPARC = (OP) ALL : SGI = (OP) ALL

The user bob may run anything on the SPARC and SGI machines as any user
listed in the OP Runas_Alias (root and operator).

The user jim may run any command on machines in the biglab netgroup.
sudo knows that "biglab" is a netgroup due to the '+' prefix.

    +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

Users in the secretaries netgroup need to help manage the printers as
well as add and remove users, so they are allowed to run those commands

    fred ALL = (DB) NOPASSWD: ALL

The user fred can run commands as any user in the DB Runas_Alias
(oracle or sybase) without giving a password.

    john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

On the ALPHA machines, user john may su to anyone except root but he is
not allowed to specify any options to the su(1) command.

    jen ALL, !SERVERS = ALL

The user jen may run any command on any machine except for those in the
SERVERS Host_Alias (master, mail, www and ns).

    jill SERVERS = /usr/bin/, !SU, !SHELLS

For any machine in the SERVERS Host_Alias, jill may run any commands in
the directory /usr/bin/ except for those commands belonging to the SU
and SHELLS Cmnd_Aliases.

    steve CSNETS = (operator) /usr/local/op_commands/

The user steve may run any command in the directory
/usr/local/op_commands/ but only as user operator.

    matt valkyrie = KILL

On his personal workstation, valkyrie, matt needs to be able to kill

    WEBMASTERS www = (www) ALL, (root) /usr/bin/su www

On the host www, any user in the WEBMASTERS User_Alias (will, wendy,
and wim), may run any command as user www (which owns the web pages) or
simply su(1) to www.

    ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
    /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM

Any user may mount or unmount a CD-ROM on the machines in the CDROM
Host_Alias (orion, perseus, hercules) without entering a password.
This is a bit tedious for users to type, so it is a prime candidate for
encapsulating in a shell script.

SECURITY NOTES
It is generally not effective to "subtract" commands from ALL using the
'!' operator. A user can trivially circumvent this by copying the
desired command to a different name and then executing that. For

    bill ALL = ALL, !SU, !SHELLS

Doesn't really prevent bill from running the commands listed in SU or
SHELLS since he can simply copy those commands to a different name, or
use a shell escape from an editor or other program. Therefore, these
kinds of restrictions should be considered advisory at best (and
reinforced by policy).

Furthermore, if the fast_glob option is in use, it is not possible to
reliably negate commands where the path name includes globbing (aka
wildcard) characters. This is because the C library's fnmatch(3)
function cannot resolve relative paths. While this is typically only
an inconvenience for rules that grant privileges, it can result in a
security issue for rules that subtract or revoke privileges.

For example, given the following sudoers entry:

    john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
    /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root

User john can still run /usr/bin/passwd root if fast_glob is enabled by
changing to /usr/bin and running ./passwd root instead.

PREVENTING SHELL ESCAPES
Once sudo executes a program, that program is free to do whatever it
pleases, including run other programs. This can be a security issue
since it is not uncommon for a program to allow shell escapes, which
lets a user bypass sudo's access control and logging. Common programs
that permit shell escapes include shells (obviously), editors,
paginators, mail and terminal programs.

There are two basic approaches to this problem:

restrict  Avoid giving users access to commands that allow the user to
          run arbitrary commands. Many editors have a restricted mode
          where shell escapes are disabled, though sudoedit is a better
          solution to running editors via sudo. Due to the large
          number of programs that offer shell escapes, restricting
          users to the set of programs that do not is often unworkable.

noexec    Many systems that support shared libraries have the ability
          to override default library functions by pointing an
          environment variable (usually LD_PRELOAD) to an alternate
          shared library. On such systems, sudo's noexec functionality
          can be used to prevent a program run by sudo from executing
          any other programs. Note, however, that this applies only to
          native dynamically-linked executables. Statically-linked
          executables and foreign executables running under binary
          emulation are not affected.

          To tell whether or not sudo supports noexec, you can run the

              sudo -V | grep "dummy exec"

          If the resulting output contains a line that begins with:

              File containing dummy exec functions:

          then sudo may be able to replace the exec family of functions
          in the standard library with its own that simply return an
          error. Unfortunately, there is no foolproof way to know
          whether or not noexec will work at compile-time. noexec
          should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX,
          MacOS X, and HP-UX 11.x. It is known not to work on AIX and
          UnixWare. noexec is expected to work on most operating
          systems that support the LD_PRELOAD environment variable.
          Check your operating system's manual pages for the dynamic
          linker (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader)
          to see if LD_PRELOAD is supported.

          To enable noexec for a command, use the NOEXEC tag as
          documented in the User Specification section above. Here is

              aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

          This allows user aaron to run /usr/bin/more and /usr/bin/vi
          with noexec enabled. This will prevent those two commands
          from executing other commands (such as a shell). If you are
          unsure whether or not your system is capable of supporting
          noexec you can always just try it out and see if it works.

Note that restricting shell escapes is not a panacea. Programs running
as root are still capable of many potentially hazardous operations
(such as changing or overwriting files) that could lead to unintended
privilege escalation. In the specific case of an editor, a safer
approach is to give the user permission to run sudoedit.

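The three weak patterns described in SECURITY NOTES and PREVENTING SHELL ESCAPES (commands subtracted from ALL, negated paths containing glob characters, and editors or pagers granted without the NOEXEC tag) can be checked mechanically before a file is installed with visudo. The following POSIX shell/awk audit is an added example, not code from sudoers(4) or the sudo project; the rules it reads are constructed from this manual's own examples, and the finding labels and the list of editor/pager names are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from sudoers(4)): flag rules that match the weak patterns
# this manual describes. Input is constructed here from the manual's examples;
# the finding labels and the editor/pager name list are this example's own.
SAMPLE_SUDOERS='# constructed sample
bill   ALL = ALL, !SU, !SHELLS
john   ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*, \
       /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
aaron  shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
carol  ALL = /usr/bin/vi, /bin/ls
'

# audit_sudoers TEXT: prints one "KIND user item" line per finding.
audit_sudoers() {
    printf '%s\n' "$1" | awk '
    # join backslash-continued lines into one logical rule
    /\\[[:space:]]*$/ { sub(/\\[[:space:]]*$/, " "); buf = buf $0; next }
    { line = buf $0; buf = ""
      if (line ~ /^[[:space:]]*#/ || line ~ /^[[:space:]]*$/) next
      if (line ~ /^(Defaults|[A-Za-z_]+_Alias)/ || index(line, "=") == 0) next
      user = line; sub(/[[:space:]].*/, "", user)
      rhs = substr(line, index(line, "=") + 1)
      n = split(rhs, items, ",")          # Cmnd_Spec_List entries
      noexec = 0; all_first = 0
      for (i = 1; i <= n; i++) {
        it = items[i]; gsub(/^[[:space:]]+|[[:space:]]+$/, "", it)
        sub(/^\([^)]*\)[[:space:]]*/, "", it)          # drop Runas_Spec
        while (match(it, /^[A-Z]+:[[:space:]]*/)) {    # tags carry forward
          tag = substr(it, 1, RLENGTH); sub(/:[[:space:]]*$/, "", tag)
          it = substr(it, RLENGTH + 1)
          if (tag == "NOEXEC") noexec = 1; else if (tag == "EXEC") noexec = 0
        }
        if (i == 1 && it == "ALL") all_first = 1
        # SECURITY NOTES: "!" subtracted from ALL is advisory at best
        if (all_first && it ~ /^!/) print "NEGATE_FROM_ALL", user, it
        path = it; sub(/[[:space:]].*/, "", path)
        # SECURITY NOTES: negated globs are unreliable with fast_glob
        if (it ~ /^!/ && (path ~ /[*?]/ || index(path, "[")))
          print "GLOB_NEGATION", user, it
        base = path; sub(/.*\//, "", base)
        # PREVENTING SHELL ESCAPES: editors/pagers granted without NOEXEC
        if (!noexec && base ~ /^(vi|vim|view|more|less|pg|emacs)$/)
          print "SHELL_ESCAPE_NO_NOEXEC", user, it
      }
    }'
}

audit_sudoers "$SAMPLE_SUDOERS"
```

A finding is a prompt to review the rule, not proof of a hole: bill's and carol's entries are exactly the cases the text above calls advisory, while aaron's NOEXEC entry is not reported.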
SEE ALSO
rsh(1), su(1), fnmatch(3), glob(3), sudo(1m), visudo(8)

CAVEATS
The sudoers file should always be edited by the visudo command which
locks the file and does grammatical checking. It is imperative that
sudoers be free of syntax errors since sudo will not run with a
syntactically incorrect sudoers file.

When using netgroups of machines (as opposed to users), if you store
fully qualified host names in the netgroup (as is usually the case), you
either need to have the machine's host name be fully qualified as
returned by the hostname command or use the fqdn option in sudoers.

If you feel you have found a bug in sudo, please submit a bug report at
http://www.sudo.ws/sudo/bugs/

SUPPORT
Limited free support is available via the sudo-users mailing list, see
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search

DISCLAIMER
sudo is provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose are disclaimed.
See the LICENSE file distributed with sudo or
http://www.sudo.ws/sudo/license.html for complete details.