SUDOERS(4)                 MAINTENANCE COMMANDS                 SUDOERS(4)

NAME
    sudoers - list of which users may execute what

DESCRIPTION
The sudoers file is composed of two types of entries: aliases
(basically variables) and user specifications (which specify who may

When multiple entries match for a user, they are applied in order.
Where there are multiple matches, the last match is used (which is not
necessarily the most specific match).

The sudoers grammar will be described below in Extended Backus-Naur
Form (EBNF). Don't despair if you don't know what EBNF is; it is
fairly simple, and the definitions below are annotated.
Quick guide to EBNF
EBNF is a concise and exact way of describing the grammar of a
language. Each EBNF definition is made up of production rules. E.g.,

    symbol ::= definition | alternate1 | alternate2 ...

Each production rule references others and thus makes up a grammar for
the language. EBNF also contains the following operators, which many
readers will recognize from regular expressions. Do not, however,
confuse them with "wildcard" characters, which have different meanings.

    ?   Means that the preceding symbol (or group of symbols) is optional.
        That is, it may appear once or not at all.

    *   Means that the preceding symbol (or group of symbols) may appear

    +   Means that the preceding symbol (or group of symbols) may appear

Parentheses may be used to group symbols together. For clarity, we
will use single quotes ('') to designate what is a verbatim character
string (as opposed to a symbol name).
Aliases
There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias

    Alias ::= 'User_Alias'  User_Alias (':' User_Alias)* |
              'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
              'Host_Alias'  Host_Alias (':' Host_Alias)* |
              'Cmnd_Alias'  Cmnd_Alias (':' Cmnd_Alias)*

    User_Alias ::= NAME '=' User_List

    Runas_Alias ::= NAME '=' Runas_List

    Host_Alias ::= NAME '=' Host_List

    Cmnd_Alias ::= NAME '=' Cmnd_List

    NAME ::= [A-Z]([A-Z][0-9]_)*

Each alias definition is of the form

    Alias_Type NAME = item1, item2, ...

where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or
Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and
underscore characters ('_'). A NAME must start with an uppercase
letter. It is possible to put several alias definitions of the same
type on a single line, joined by a colon (':'). E.g.,

    Alias_Type NAME = item1, item2, item3 : NAME = item4, item5

The definitions of what constitutes a valid alias member follow.

    User ::= '!'* user name |
             '!'* %:nonunix_group |
             '!'* %:#nonunix_gid |

A User_List is made up of one or more user names, user ids (prefixed
with '#'), system group names and ids (prefixed with '%' and '%#'
respectively), netgroups (prefixed with '+'), non-Unix group names and
IDs (prefixed with '%:' and '%:#' respectively) and User_Aliases. Each
list item may be prefixed with zero or more '!' operators. An odd
number of '!' operators negate the value of the item; an even number
just cancel each other out.

A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid
may be enclosed in double quotes to avoid the need for escaping special
characters. Alternately, special characters may be specified in
escaped hex mode, e.g. \x20 for space. When using double quotes, any
prefix characters must be included inside the quotes.

The nonunix_group and nonunix_gid syntax depends on the underlying
implementation. For instance, the QAS AD backend supports the

    o   Group in the same domain: "Group Name"

    o   Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"

    o   Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"

1.7.6 April 9, 2011 2

Note that quotes around group names are optional. Unquoted strings
must use a backslash (\) to escape spaces and special characters. See
"Other special characters and reserved words" for a list of characters
that need to be escaped.
    Runas_List ::= Runas_Member |
                   Runas_Member ',' Runas_List

    Runas_Member ::= '!'* user name |
                     '!'* %:nonunix_group |
                     '!'* %:#nonunix_gid |

A Runas_List is similar to a User_List except that instead of
User_Aliases it can contain Runas_Aliases. Note that user names and
groups are matched as strings. In other words, two users (groups) with
the same uid (gid) are considered to be distinct. If you wish to match
all user names with the same uid (e.g. root and toor), you can use a
uid instead (#0 in the example given).

    Host ::= '!'* host name |
             '!'* network(/netmask)? |

A Host_List is made up of one or more host names, IP addresses, network
numbers, netgroups (prefixed with '+') and other aliases. Again, the
value of an item may be negated with the '!' operator. If you do not
specify a netmask along with the network number, sudo will query each
of the local host's network interfaces and, if the network number
corresponds to one of the host's network interfaces, the corresponding
netmask will be used. The netmask may be specified either in standard
IP address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or
CIDR notation (number of bits, e.g. 24 or 64). A host name may include
shell-style wildcards (see the Wildcards section below), but unless the
host name command on your machine returns the fully qualified host
name, you'll need to use the fqdn option for wildcards to be useful.
Note sudo only inspects actual network interfaces; this means that IP
address 127.0.0.1 (localhost) will never match. Also, the host name
"localhost" will only match if that is the actual host name, which is
usually only the case for non-networked systems.
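As an added example (not code from the sudo project or this manual), here is how the network-number rules just described can be checked against a host: a Host_List item with a netmask in either CIDR or IP notation, or with no netmask at all, is resolved against a constructed interface table, and loopback is absent from that table to show why 127.0.0.1 never matches. The interface table and the function names are assumptions of the example.

```python
import ipaddress

# Constructed stand-in for the local host's interface table: (address, netmask).
# Loopback is deliberately absent, which is why 127.0.0.1 can never match.
INTERFACES = [
    ("192.168.1.17", "255.255.255.0"),
    ("2001:db8:1::17", "ffff:ffff:ffff:ffff::"),
]


def netmask_to_prefixlen(mask):
    """Convert a netmask written as an address (255.255.255.0 or
    ffff:ffff:ffff:ffff::) into a CIDR bit count, rejecting masks whose
    one-bits are not contiguous."""
    m = ipaddress.ip_address(mask)
    width, ones = m.max_prefixlen, bin(int(m)).count("1")
    if int(m) != (1 << width) - (1 << (width - ones)):
        raise ValueError("non-contiguous netmask: %s" % mask)
    return ones


def interface_networks(interfaces):
    """Build (address, network) pairs from the interface table."""
    result = []
    for if_addr, if_mask in interfaces:
        addr = ipaddress.ip_address(if_addr)
        net = ipaddress.ip_network(
            "%s/%d" % (if_addr, netmask_to_prefixlen(if_mask)), strict=False)
        result.append((addr, net))
    return result


def network_item_matches(item, interfaces=INTERFACES):
    """Does a Host_List item of the form network(/netmask)? match this host?
    With a netmask (bits or IP notation) the host matches when one of its
    interface addresses lies in that network. Without one, the item must be
    either an interface address or the network number of an interface; in
    the latter case that interface's own netmask is the one in effect."""
    network, _, mask = item.partition("/")
    local = interface_networks(interfaces)
    if mask:
        prefix = int(mask) if mask.isdigit() else netmask_to_prefixlen(mask)
        target = ipaddress.ip_network("%s/%d" % (network, prefix), strict=False)
        return any(addr.version == target.version and addr in target
                   for addr, _ in local)
    number = ipaddress.ip_address(network)
    return any(number == addr or number == net.network_address
               for addr, net in local)


def host_item_matches(item, hostname, interfaces=INTERFACES):
    """Match one Host_List item: an address or network is checked against
    the interfaces, anything else is compared with the host name as-is
    (wildcards and the fqdn option are not modelled here)."""
    try:
        ipaddress.ip_address(item.partition("/")[0])
    except ValueError:
        return item == hostname
    return network_item_matches(item, interfaces)
```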
    commandname ::= file name |

    Cmnd ::= '!'* commandname |

A Cmnd_List is a list of one or more commandnames, directories, and
other aliases. A commandname is a fully qualified file name which may
include shell-style wildcards (see the Wildcards section below). A
simple file name allows the user to run the command with any arguments
he/she wishes. However, you may also specify command line arguments
(including wildcards). Alternately, you can specify "" to indicate
that the command may only be run without command line arguments. A
directory is a fully qualified path name ending in a '/'. When you
specify a directory in a Cmnd_List, the user will be able to run any
file within that directory (but not in any subdirectories therein).

If a Cmnd has associated command line arguments, then the arguments in
the Cmnd must match exactly those given by the user on the command line
(or match the wildcards if there are any). Note that the following
characters must be escaped with a '\' if they are used in command
arguments: ',', ':', '=', '\'. The special command "sudoedit" is used
to permit a user to run sudo with the -e option (or as sudoedit). It
may take command line arguments just as a normal command does.
Defaults
Certain configuration options may be changed from their default values
at runtime via one or more Default_Entry lines. These may affect all
users on any host, all users on a specific host, a specific user, a
specific command, or commands being run as a specific user. Note that
per-command entries may not include command line arguments. If you
need to specify arguments, define a Cmnd_Alias and reference that

    Default_Type ::= 'Defaults' |
                     'Defaults' '@' Host_List |
                     'Defaults' ':' User_List |
                     'Defaults' '!' Cmnd_List |
                     'Defaults' '>' Runas_List

    Default_Entry ::= Default_Type Parameter_List

    Parameter_List ::= Parameter |
                       Parameter ',' Parameter_List

    Parameter ::= Parameter '=' Value |
                  Parameter '+=' Value |
                  Parameter '-=' Value |

Parameters may be flags, integer values, strings, or lists. Flags are
implicitly boolean and can be turned off via the '!' operator. Some
integer, string and list parameters may also be used in a boolean
context to disable them. Values may be enclosed in double quotes (")
when they contain multiple words. Special characters may be escaped
with a backslash (\).

Lists have two additional assignment operators, += and -=. These
operators are used to add to and delete from a list respectively. It
is not an error to use the -= operator to remove an element that does

Defaults entries are parsed in the following order: generic, host and
user Defaults first, then runas Defaults and finally command defaults.

See "SUDOERS OPTIONS" for a list of supported Defaults parameters.
User Specification
    User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
                  (':' Host_List '=' Cmnd_Spec_List)*

    Cmnd_Spec_List ::= Cmnd_Spec |
                       Cmnd_Spec ',' Cmnd_Spec_List

    Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd

    Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'

    SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')

    Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
                  'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
                  'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')

A user specification determines which commands a user may run (and as
what user) on specified hosts. By default, commands are run as root,
but this can be changed on a per-command basis.

The basic structure of a user specification is `who where = (as_whom)
what'. Let's break that down into its constituent parts:
Runas_Spec
A Runas_Spec determines the user and/or the group that a command may be
run as. A fully-specified Runas_Spec consists of two Runas_Lists (as
defined above) separated by a colon (':') and enclosed in a set of
parentheses. The first Runas_List indicates which users the command
may be run as via sudo's -u option. The second defines a list of
groups that can be specified via sudo's -g option. If both Runas_Lists
are specified, the command may be run with any combination of users and
groups listed in their respective Runas_Lists. If only the first is
specified, the command may be run as any user in the list but no -g
option may be specified. If the first Runas_List is empty but the
second is specified, the command may be run as the invoking user with
the group set to any listed in the Runas_List. If no Runas_Spec is
specified the command may be run as root and no group may be specified.

A Runas_Spec sets the default for the commands that follow it. What
this means is that for the entry:

    dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm

The user dgb may run /bin/ls, /bin/kill, and /usr/bin/lprm -- but only
as operator. E.g.,

    $ sudo -u operator /bin/ls

It is also possible to override a Runas_Spec later on in an entry. If
we modify the entry like so:

    dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm

Then user dgb is now allowed to run /bin/ls as operator, but /bin/kill
and /usr/bin/lprm as root.

We can extend this to allow dgb to run /bin/ls with either the user or
group set to operator:

    dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \

Note that while the group portion of the Runas_Spec permits the user to
run the command with that group, it does not force the user to do so.
If no group is specified on the command line, the command will run with
the group listed in the target user's password database entry. The
following would all be permitted by the sudoers entry above:

    $ sudo -u operator /bin/ls
    $ sudo -u operator -g operator /bin/ls
    $ sudo -g operator /bin/ls

In the following example, user tcm may run commands that access a modem
device file with the dialer group.

    tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
        /usr/local/bin/minicom

Note that in this example only the group will be set, the command still
runs as user tcm. E.g.

    $ sudo -g dialer /usr/bin/cu

Multiple users and groups may be present in a Runas_Spec, in which case
the user may select any combination of users and groups via the -u and
-g options. In this example:

    alan ALL = (root, bin : operator, system) ALL

user alan may run any command as either user root or bin, optionally
setting the group to operator or system.
SELinux_Spec
On systems with SELinux support, sudoers entries may optionally have an
SELinux role and/or type associated with a command. If a role or type
is specified with the command it will override any default values
specified in sudoers. A role or type specified on the command line,
however, will supersede the values in sudoers.

Tag_Spec
A command may have zero or more tags associated with it. There are
eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV,
NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a
tag is set on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List inherit
the tag unless it is overridden by the opposite tag (i.e.: PASSWD
overrides NOPASSWD and NOEXEC overrides EXEC).
NOPASSWD and PASSWD

By default, sudo requires that a user authenticate him or herself
before running a command. This behavior can be modified via the
NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for
the commands that follow it in the Cmnd_Spec_List. Conversely, the
PASSWD tag can be used to reverse things. For example:

    ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm

would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm
as root on the machine rushmore without authenticating himself. If we
only want ray to be able to run /bin/kill without a password the entry

    ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm

Note, however, that the PASSWD tag has no effect on users who are in
the group specified by the exempt_group option.

By default, if the NOPASSWD tag is applied to any of the entries for a
user on the current host, he or she will be able to run sudo -l without
a password. Additionally, a user may only run sudo -v without a
password if the NOPASSWD tag is present for all a user's entries that
pertain to the current host. This behavior may be overridden via the
verifypw and listpw options.
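The following added example (my own code, not the sudoers parser) evaluates the user specifications shown in the Runas_Spec and Tag_Spec sections above: it parses one 'who where = what' line, carries a Runas_Spec and the NOPASSWD/PASSWD tags forward to the Cmnds that follow them, and lets the last matching Cmnd_Spec decide. It handles only the subset of the grammar used in those examples (no aliases, wildcards or SELinux_Spec); the function and class names are assumptions of the example.

```python
import re
from dataclasses import dataclass

# Tags come in opposing pairs: setting one of a pair cancels the other
# (PASSWD overrides NOPASSWD, NOEXEC overrides EXEC, and so on).
OPPOSITE = {"NOPASSWD": "PASSWD", "NOEXEC": "EXEC", "SETENV": "NOSETENV",
            "LOG_INPUT": "NOLOG_INPUT", "LOG_OUTPUT": "NOLOG_OUTPUT"}
OPPOSITE.update({v: k for k, v in OPPOSITE.items()})
TAG_RE = re.compile(r"(%s):\s*" % "|".join(OPPOSITE))
RUNAS_RE = re.compile(r"\(([^)]*)\)\s*")


@dataclass(frozen=True)
class CmndSpec:
    runas_users: tuple    # first Runas_List; () means "the invoking user only"
    runas_groups: tuple   # second Runas_List; () means "no -g may be given"
    tags: frozenset
    negated: bool         # odd number of leading '!' on the Cmnd
    cmnd: str


def split_cmnd_spec_list(text):
    """Split on ',' at top level only, so the commas inside a Runas_Spec
    such as '(root, bin : operator, system)' are left alone."""
    parts, cur, depth = [], [], 0
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def parse_runas(body):
    """'operator : operator' -> (('operator',), ('operator',))."""
    users, _, groups = body.partition(":")
    as_tuple = lambda s: tuple(x.strip() for x in s.split(",") if x.strip())
    return as_tuple(users), as_tuple(groups)


def parse_user_spec(line):
    """Return (user, host, [CmndSpec, ...]) for one 'who where = what' line.
    A Runas_Spec or tag applies to every Cmnd after it until overridden."""
    who_where, _, what = line.partition("=")
    user, host = who_where.split()
    runas = (("root",), ())     # no Runas_Spec: run as root, no group allowed
    tags = set()
    specs = []
    for item in split_cmnd_spec_list(what):
        m = RUNAS_RE.match(item)
        if m:
            runas = parse_runas(m.group(1))
            item = item[m.end():]
        m = TAG_RE.match(item)
        while m:
            tags.discard(OPPOSITE[m.group(1)])
            tags.add(m.group(1))
            item = item[m.end():]
            m = TAG_RE.match(item)
        bangs = len(item) - len(item.lstrip("!"))
        specs.append(CmndSpec(runas[0], runas[1], frozenset(tags),
                              bangs % 2 == 1, item.lstrip("!")))
    return user, host, specs


def check(line, invoking_user, cmnd, u=None, g=None):
    """Would 'sudo [-u u] [-g g] cmnd' be permitted by this line, and with
    which tags in effect? The last matching Cmnd_Spec decides."""
    _, _, specs = parse_user_spec(line)
    result = (False, frozenset())
    for s in specs:
        if s.cmnd not in ("ALL", cmnd):
            continue
        target = u if u is not None else "root"   # no -u: sudo targets root
        if u is None and g is not None:
            user_ok = True    # -g alone: the command runs as the invoking user
        elif s.runas_users:
            user_ok = target in s.runas_users or "ALL" in s.runas_users
        else:
            user_ok = target == invoking_user      # empty first Runas_List
        group_ok = g is None or g in s.runas_groups or "ALL" in s.runas_groups
        if user_ok and group_ok:
            result = (not s.negated, s.tags)
    return result
```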
NOEXEC and EXEC

If sudo has been compiled with noexec support and the underlying
operating system supports it, the NOEXEC tag can be used to prevent a
dynamically-linked executable from running further commands itself.

In the following example, user aaron may run /usr/bin/more and
/usr/bin/vi but shell escapes will be disabled.

    aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

See the "PREVENTING SHELL ESCAPES" section below for more details on
how NOEXEC works and whether or not it will work on your system.
SETENV and NOSETENV

These tags override the value of the setenv option on a per-command
basis. Note that if SETENV has been set for a command, the user may
disable the env_reset option from the command line via the -E option.
Additionally, environment variables set on the command line are not
subject to the restrictions imposed by env_check, env_delete, or
env_keep. As such, only trusted users should be allowed to set
variables in this manner. If the command matched is ALL, the SETENV
tag is implied for that command; this default may be overridden by use

LOG_INPUT and NOLOG_INPUT

These tags override the value of the log_input option on a per-command
basis. For more information, see the description of log_input in the
"SUDOERS OPTIONS" section below.

LOG_OUTPUT and NOLOG_OUTPUT

These tags override the value of the log_output option on a per-command
basis. For more information, see the description of log_output in the
"SUDOERS OPTIONS" section below.
Wildcards
sudo allows shell-style wildcards (aka meta or glob characters) to be
used in host names, path names and command line arguments in the
sudoers file. Wildcard matching is done via the POSIX glob(3) and
fnmatch(3) routines. Note that these are not regular expressions.

    *       Matches any set of zero or more characters.

    ?       Matches any single character.

    [...]   Matches any character in the specified range.

    [!...]  Matches any character not in the specified range.

    \x      For any character "x", evaluates to "x". This is used to
            escape special characters such as: "*", "?", "[", and "}".

POSIX character classes may also be used if your system's glob(3) and
fnmatch(3) functions support them. However, because the ':' character
has special meaning in sudoers, it must be escaped. For example:

    /bin/ls [[\:alpha\:]]*

Would match any file name beginning with a letter.
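As an added example (not the glob(3)/fnmatch(3) code sudo itself uses), the translator below applies the wildcard rules above, including the [[\:alpha\:]] form, and also models the slash rule stated in the next paragraph: a wildcard in the path name cannot match '/', while one in the command line arguments can. The function names and the set of character classes it understands are assumptions of the example.

```python
import re

# Regex equivalents for the POSIX character classes this example understands.
POSIX_CLASSES = {"alpha": "a-zA-Z", "digit": "0-9", "alnum": "a-zA-Z0-9",
                 "upper": "A-Z", "lower": "a-z", "space": r" \t\n"}


def glob_to_regex(pattern, pathname):
    """Translate a sudoers wildcard pattern into an anchored regular
    expression. With pathname=True (matching the command path) no wildcard
    may match '/'; with pathname=False (command line arguments) it may."""
    # The \: that sudoers requires is just the \x rule: it evaluates to ':'.
    pattern = pattern.replace("\\:", ":")
    any_char = "[^/]" if pathname else "."
    out, i, n = [], 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "*":
            out.append(any_char + "*")
        elif c == "?":
            out.append(any_char)
        elif c == "\\" and i + 1 < n:          # \x evaluates to the literal x
            i += 1
            out.append(re.escape(pattern[i]))
        elif c == "[":
            j = i + 1
            if j < n and pattern[j] == "!":
                j += 1
            if j < n and pattern[j] == "]":    # a leading ']' is literal
                j += 1
            while j < n and pattern[j] != "]":
                if pattern.startswith("[:", j):  # step over a [:class:]
                    k = pattern.find(":]", j + 2)
                    if k == -1:
                        break
                    j = k + 2
                else:
                    j += 1
            if j >= n:                           # no closing ']': literal '['
                out.append(re.escape(c))
            else:
                body = pattern[i + 1:j]
                negate = body.startswith("!")
                body = body[1:] if negate else body
                body = re.sub(r"\[:(\w+):\]",
                              lambda m: POSIX_CLASSES[m.group(1)], body)
                body = body.replace("\\", "\\\\").replace("]", "\\]")
                cls = "[" + ("^" if negate else "") + body + "]"
                out.append(("(?!/)" if pathname else "") + cls)
                i = j
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"


def wildcard_match(pattern, text, pathname):
    return re.match(glob_to_regex(pattern, pathname), text) is not None


def cmnd_matches(spec, cmnd, args):
    """Match a user's command path and argument string against one Cmnd
    from sudoers ('path' or 'path args'). A bare path permits any
    arguments, "" permits none, otherwise the arguments are matched as
    one string in which wildcards may span '/'."""
    spec_path, _, spec_args = spec.strip().partition(" ")
    if not wildcard_match(spec_path, cmnd, pathname=True):
        return False
    if not spec_args:
        return True
    if spec_args == '""':
        return args == ""
    return wildcard_match(spec_args, args, pathname=False)
```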
Note that a forward slash ('/') will not be matched by wildcards used
in the path name. When matching the command line arguments, however, a
slash does get matched by wildcards. This is to make a path like:

match /usr/bin/who but not /usr/bin/X11/xterm.
Exceptions to wildcard rules
The following exceptions apply to the above rules:

    ""      If the empty string "" is the only command line argument in the
            sudoers entry it means that command is not allowed to be run
            with any arguments.
Including other files from within sudoers
It is possible to include other sudoers files from within the sudoers
file currently being parsed using the #include and #includedir

This can be used, for example, to keep a site-wide sudoers file in
addition to a local, per-machine file. For the sake of this example
the site-wide sudoers will be /etc/sudoers and the per-machine one will
be /etc/sudoers.local. To include /etc/sudoers.local from within
/etc/sudoers we would use the following line in /etc/sudoers:

    #include /etc/sudoers.local

When sudo reaches this line it will suspend processing of the current
file (/etc/sudoers) and switch to /etc/sudoers.local. Upon reaching
the end of /etc/sudoers.local, the rest of /etc/sudoers will be
processed. Files that are included may themselves include other files.
A hard limit of 128 nested include files is enforced to prevent include

The file name may include the %h escape, signifying the short form of
the host name. I.e., if the machine's host name is "xerxes", then

    #include /etc/sudoers.%h

will cause sudo to include the file /etc/sudoers.xerxes.

The #includedir directive can be used to create a sudo.d directory that
the system package manager can drop sudoers rules into as part of
package installation. For example, given:

    #includedir /etc/sudoers.d

sudo will read each file in /etc/sudoers.d, skipping file names that
end in ~ or contain a . character to avoid causing problems with
package manager or editor temporary/backup files. Files are parsed in
sorted lexical order. That is, /etc/sudoers.d/01_first will be parsed
before /etc/sudoers.d/10_second. Be aware that because the sorting is
lexical, not numeric, /etc/sudoers.d/1_whoops would be loaded after
/etc/sudoers.d/10_second. Using a consistent number of leading zeroes
in the file names can be used to avoid such problems.
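As an added example (not sudo's own code), these helpers reproduce the file selection and ordering rules just described for #includedir, together with the %h expansion for #include, on a constructed directory listing. The function names and the sample listing are assumptions of the example.

```python
import os
import socket


def includedir_order(names):
    """Return the names sudo would read from a #includedir directory, in
    reading order: names ending in '~' or containing '.' are skipped as
    editor or package-manager leftovers, the rest are sorted lexically
    (not numerically), so '10_second' sorts before '1_whoops'."""
    kept = [n for n in names if not n.endswith("~") and "." not in n]
    return sorted(kept)


def includedir_paths(directory):
    """Apply includedir_order() to a real directory on disk."""
    return [os.path.join(directory, n)
            for n in includedir_order(os.listdir(directory))]


def expand_include_name(path, hostname=None):
    """Expand the %h escape in a #include file name to the short host name
    (the part before the first '.'), e.g. 'xerxes' for xerxes.example.com."""
    if hostname is None:
        hostname = socket.gethostname()
    return path.replace("%h", hostname.split(".", 1)[0])


# Constructed directory listing used to exercise the rules (not a real system).
SAMPLE_LISTING = ["10_second", "1_whoops", "01_first", "README.txt",
                  "01_first~", "vendor-rules", "backup.bak"]
```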
Note that unlike files included via #include, visudo will not edit the
files in a #includedir directory unless one of them contains a syntax
error. It is still possible to run visudo with the -f flag to edit the

Other special characters and reserved words
The pound sign ('#') is used to indicate a comment (unless it is part
of a #include directive or unless it occurs in the context of a user
name and is followed by one or more digits, in which case it is treated
as a uid). Both the comment character and any text after it, up to the
end of the line, are ignored.

The reserved word ALL is a built-in alias that always causes a match to
succeed. It can be used wherever one might otherwise use a Cmnd_Alias,
User_Alias, Runas_Alias, or Host_Alias. You should not try to define
your own alias called ALL as the built-in alias will be used in
preference to your own. Please note that using ALL can be dangerous
since in a command context, it allows the user to run any command on

An exclamation point ('!') can be used as a logical not operator both
in an alias and in front of a Cmnd. This allows one to exclude certain
values. Note, however, that using a ! in conjunction with the built-in
ALL alias to allow a user to run "all but a few" commands rarely works
as intended (see SECURITY NOTES below).

Long lines can be continued with a backslash ('\') as the last
character on the line.

Whitespace between elements in a list as well as special syntactic
characters in a User Specification ('=', ':', '(', ')') is optional.

The following characters must be escaped with a backslash ('\') when
used as part of a word (e.g. a user name or host name): '!', '=', ':',
SUDOERS OPTIONS
sudo's behavior can be modified by Default_Entry lines, as explained
earlier. A list of all supported Defaults parameters, grouped by type,

Boolean Flags:
643 always_set_home If enabled, s
\bsu
\bud
\bdo
\bo will set the HOME environment variable
644 to the home directory of the target user (which is root
645 unless the -
\b-u
\bu option is used). This effectively means
646 that the -
\b-H
\bH option is always implied. Note that HOME
647 is already set when the the _
\be_
\bn_
\bv_
\b__
\br_
\be_
\bs_
\be_
\bt option is
648 enabled, so _
\ba_
\bl_
\bw_
\ba_
\by_
\bs_
\b__
\bs_
\be_
\bt_
\b__
\bh_
\bo_
\bm_
\be is only effective for
649 configurations where either _
\be_
\bn_
\bv_
\b__
\br_
\be_
\bs_
\be_
\bt is disabled or
650 HOME is present in the _
\be_
\bn_
\bv_
\b__
\bk_
\be_
\be_
\bp list. This flag is _
\bo_
\bf_
\bf
653 authenticate If set, users must authenticate themselves via a
654 password (or other means of authentication) before they
658 1.7.6 April 9, 2011 10
664 SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
667 may run commands. This default may be overridden via
668 the PASSWD and NOPASSWD tags. This flag is _
\bo_
\bn by
672 If set, the user may use s
\bsu
\bud
\bdo
\bo's -
\b-C
\bC option which
673 overrides the default starting point at which s
\bsu
\bud
\bdo
\bo
674 begins closing open file descriptors. This flag is _
\bo_
\bf_
\bf
677 compress_io If set, and s
\bsu
\bud
\bdo
\bo is configured to log a command's input
678 or output, the I/O logs will be compressed using z
\bzl
\bli
\bib
\bb.
679 This flag is _
\bo_
\bn by default when s
\bsu
\bud
\bdo
\bo is compiled with
680 z
\bzl
\bli
\bib
\bb support.
682 env_editor If set, v
\bvi
\bis
\bsu
\bud
\bdo
\bo will use the value of the EDITOR or
683 VISUAL environment variables before falling back on the
684 default editor list. Note that this may create a
685 security hole as it allows the user to run any
686 arbitrary command as root without logging. A safer
687 alternative is to place a colon-separated list of
688 editors in the editor variable. v
\bvi
\bis
\bsu
\bud
\bdo
\bo will then only
689 use the EDITOR or VISUAL if they match a value
690 specified in editor. This flag is _
\bo_
\bf_
\bf by default.
692 env_reset If set, s
\bsu
\bud
\bdo
\bo will reset the environment to only contain
693 the LOGNAME, MAIL, SHELL, USER, USERNAME and the SUDO_*
694 variables. Any variables in the caller's environment
695 that match the env_keep and env_check lists are then
696 added. The default contents of the env_keep and
697 env_check lists are displayed when s
\bsu
\bud
\bdo
\bo is run by root
698 with the _
\b-_
\bV option. If the _
\bs_
\be_
\bc_
\bu_
\br_
\be_
\b__
\bp_
\ba_
\bt_
\bh option is set,
699 its value will be used for the PATH environment
700 variable. This flag is _
\bo_
\bn by default.
702 fast_glob Normally, s
\bsu
\bud
\bdo
\bo uses the _
\bg_
\bl_
\bo_
\bb(3) function to do shell-
703 style globbing when matching path names. However,
704 since it accesses the file system, _
\bg_
\bl_
\bo_
\bb(3) can take a
705 long time to complete for some patterns, especially
706 when the pattern references a network file system that
707 is mounted on demand (automounted). The _
\bf_
\ba_
\bs_
\bt_
\b__
\bg_
\bl_
\bo_
\bb
708 option causes s
\bsu
\bud
\bdo
\bo to use the _
\bf_
\bn_
\bm_
\ba_
\bt_
\bc_
\bh(3) function,
709 which does not access the file system to do its
710 matching. The disadvantage of _
\bf_
\ba_
\bs_
\bt_
\b__
\bg_
\bl_
\bo_
\bb is that it is
711 unable to match relative path names such as _
\b._
\b/_
\bl_
\bs or
712 _
\b._
\b._
\b/_
\bb_
\bi_
\bn_
\b/_
\bl_
\bs. This has security implications when path
713 names that include globbing characters are used with
714 the negation operator, '!', as such rules can be
715 trivially bypassed. As such, this option should not be
716 used when _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs contains rules that contain negated
717 path names which include globbing characters. This
718 flag is _
\bo_
\bf_
\bf by default.
1.7.6                         April 9, 2011                             11

       fqdn            Set this flag if you want to put fully qualified host
                       names in the sudoers file.  I.e., instead of myhost you
                       would use myhost.mydomain.edu.  You may still use the
                       short form if you wish (and even mix the two).  Beware
                       that turning on fqdn requires sudo to make DNS lookups
                       which may make sudo unusable if DNS stops working (for
                       example if the machine is not plugged into the
                       network).  Also note that you must use the host's
                       official name as DNS knows it.  That is, you may not
                       use a host alias (CNAME entry) due to performance
                       issues and the fact that there is no way to get all
                       aliases from DNS.  If your machine's host name (as
                       returned by the hostname command) is already fully
                       qualified you shouldn't need to set fqdn.  This flag is
                       off by default.

       ignore_dot      If set, sudo will ignore '.' or '' (current dir) in the
                       PATH environment variable; the PATH itself is not
                       modified.  This flag is off by default.
       ignore_local_sudoers
                       If set via LDAP, parsing of /etc/sudoers will be
                       skipped.  This is intended for enterprises that wish to
                       prevent the usage of local sudoers files so that only
                       LDAP is used.  This thwarts the efforts of rogue
                       operators who would attempt to add roles to
                       /etc/sudoers.  When this option is present,
                       /etc/sudoers does not even need to exist.  Since this
                       option tells sudo how to behave when no specific LDAP
                       entries have been matched, this sudoOption is only
                       meaningful for the cn=defaults section.  This flag is
                       off by default.
       insults         If set, sudo will insult users when they enter an
                       incorrect password.  This flag is off by default.

       log_host        If set, the host name will be logged in the (non-
                       syslog) sudo log file.  This flag is off by default.

       log_input       If set, sudo will run the command in a pseudo tty and
                       log all user input.  If the standard input is not
                       connected to the user's tty, due to I/O redirection or
                       because the command is part of a pipeline, that input
                       is also captured and stored in a separate log file.

                       Input is logged to the directory specified by the
                       iolog_dir option (/var/log/sudo-io by default) using a
                       unique session ID that is included in the normal sudo
                       log line, prefixed with TSID=.

                       Note that user input may contain sensitive information
                       such as passwords (even if they are not echoed to the
                       screen), which will be stored in the log file
                       unencrypted.  In most cases, logging the command output
                       via log_output is all that is required.
       log_output      If set, sudo will run the command in a pseudo tty and
                       log all output that is sent to the screen, similar to
                       the script(1) command.  If the standard output or
                       standard error is not connected to the user's tty, due
                       to I/O redirection or because the command is part of a
                       pipeline, that output is also captured and stored in a
                       separate log file.

                       Output is logged to the directory specified by the
                       iolog_dir option (/var/log/sudo-io by default) using a
                       unique session ID that is included in the normal sudo
                       log line, prefixed with TSID=.

                       Output logs may be viewed with the sudoreplay(1m)
                       utility, which can also be used to list or search the
                       available logs.
       log_year        If set, the four-digit year will be logged in the (non-
                       syslog) sudo log file.  This flag is off by default.
       long_otp_prompt When validating with a One Time Password (OTP) scheme
                       such as S/Key or OPIE, a two-line prompt is used to
                       make it easier to cut and paste the challenge to a
                       local window.  It's not as pretty as the default but
                       some people find it more convenient.  This flag is off
                       by default.

       mail_always     Send mail to the mailto user every time a user runs
                       sudo.  This flag is off by default.

       mail_badpass    Send mail to the mailto user if the user running sudo
                       does not enter the correct password.  This flag is off
                       by default.
       mail_no_host    If set, mail will be sent to the mailto user if the
                       invoking user exists in the sudoers file, but is not
                       allowed to run commands on the current host.  This flag
                       is off by default.
       mail_no_perms   If set, mail will be sent to the mailto user if the
                       invoking user is allowed to use sudo but the command
                       they are trying is not listed in their sudoers file
                       entry or is explicitly denied.  This flag is off by
                       default.

       mail_no_user    If set, mail will be sent to the mailto user if the
                       invoking user is not in the sudoers file.  This flag is
                       on by default.

       noexec          If set, all commands run via sudo will behave as if the
                       NOEXEC tag has been set, unless overridden by an EXEC
                       tag.  See the description of NOEXEC and EXEC below as
                       well as the "PREVENTING SHELL ESCAPES" section at the
                       end of this manual.  This flag is off by default.
       path_info       Normally, sudo will tell the user when a command could
                       not be found in their PATH environment variable.  Some
                       sites may wish to disable this as it could be used to
                       gather information on the location of executables that
                       the normal user does not have access to.  The
                       disadvantage is that if the executable is simply not in
                       the user's PATH, sudo will tell the user that they are
                       not allowed to run it, which can be confusing.  This
                       flag is on by default.
       passprompt_override
                       The password prompt specified by passprompt will
                       normally only be used if the password prompt provided
                       by systems such as PAM matches the string "Password:".
                       If passprompt_override is set, passprompt will always
                       be used.  This flag is off by default.
       preserve_groups By default, sudo will initialize the group vector to
                       the list of groups the target user is in.  When
                       preserve_groups is set, the user's existing group
                       vector is left unaltered.  The real and effective group
                       IDs, however, are still set to match the target user.
                       This flag is off by default.

       pwfeedback      By default, sudo reads the password like most other
                       Unix programs, by turning off echo until the user hits
                       the return (or enter) key.  Some users become confused
                       by this as it appears to them that sudo has hung at
                       this point.  When pwfeedback is set, sudo will provide
                       visual feedback when the user presses a key.  Note that
                       this does have a security impact as an onlooker may be
                       able to determine the length of the password being
                       entered.  This flag is off by default.
       requiretty      If set, sudo will only run when the user is logged in
                       to a real tty.  When this flag is set, sudo can only be
                       run from a login session and not via other means such
                       as cron(1m) or cgi-bin scripts.  This flag is off by
                       default.
       root_sudo       If set, root is allowed to run sudo too.  Disabling
                       this prevents users from "chaining" sudo commands to
                       get a root shell by doing something like "sudo sudo
                       /bin/sh".  Note, however, that turning off root_sudo
                       will also prevent root from running sudoedit.
                       Disabling root_sudo provides no real additional
                       security; it exists purely for historical reasons.
                       This flag is on by default.
       rootpw          If set, sudo will prompt for the root password instead
                       of the password of the invoking user.  This flag is off
                       by default.
       runaspw         If set, sudo will prompt for the password of the user
                       defined by the runas_default option (defaults to root)
                       instead of the password of the invoking user.  This
                       flag is off by default.
       set_home        If enabled and sudo is invoked with the -s option the
                       HOME environment variable will be set to the home
                       directory of the target user (which is root unless the
                       -u option is used).  This effectively makes the -s
                       option imply -H.  Note that HOME is already set when
                       the env_reset option is enabled, so set_home is only
                       effective for configurations where either env_reset is
                       disabled or HOME is present in the env_keep list.  This
                       flag is off by default.
       set_logname     Normally, sudo will set the LOGNAME, USER and USERNAME
                       environment variables to the name of the target user
                       (usually root unless the -u option is given).  However,
                       since some programs (including the RCS revision control
                       system) use LOGNAME to determine the real identity of
                       the user, it may be desirable to change this behavior.
                       This can be done by negating the set_logname option.
                       Note that if the env_reset option has not been
                       disabled, entries in the env_keep list will override
                       the value of set_logname.  This flag is on by default.

       setenv          Allow the user to disable the env_reset option from the
                       command line.  Additionally, environment variables set
                       via the command line are not subject to the
                       restrictions imposed by env_check, env_delete, or
                       env_keep.  As such, only trusted users should be
                       allowed to set variables in this manner.  This flag is
                       off by default.

       shell_noargs    If set and sudo is invoked with no arguments it acts as
                       if the -s option had been given.  That is, it runs a
                       shell as root (the shell is determined by the SHELL
                       environment variable if it is set, falling back on the
                       shell listed in the invoking user's /etc/passwd entry
                       if not).  This flag is off by default.

       stay_setuid     Normally, when sudo executes a command the real and
                       effective UIDs are set to the target user (root by
                       default).  This option changes that behavior such that
                       the real UID is left as the invoking user's UID.  In
                       other words, this makes sudo act as a setuid wrapper.
                       This can be useful on systems that disable some
                       potentially dangerous functionality when a program is
                       run setuid.  This option is only effective on systems
                       with either the setreuid() or setresuid() function.
                       This flag is off by default.

       targetpw        If set, sudo will prompt for the password of the user
                       specified by the -u option (defaults to root) instead
                       of the password of the invoking user.  In addition, the
                       timestamp file name will include the target user's
                       name.  Note that this flag precludes the use of a uid
                       not listed in the passwd database as an argument to the
                       -u option.  This flag is off by default.

       tty_tickets     If set, users must authenticate on a per-tty basis.
                       With this flag enabled, sudo will use a file named for
                       the tty the user is logged in on in the user's time
                       stamp directory.  If disabled, the time stamp of the
                       directory is used instead.  This flag is on by default.

       umask_override  If set, sudo will set the umask as specified by sudoers
                       without modification.  This makes it possible to
                       specify a more permissive umask in sudoers than the
                       user's own umask and matches historical behavior.  If
                       umask_override is not set, sudo will set the umask to
                       be the union of the user's umask and what is specified
                       in sudoers.  This flag is off by default.

       use_loginclass  If set, sudo will apply the defaults specified for the
                       target user's login class if one exists.  Only
                       available if sudo is configured with the
                       --with-logincap option.  This flag is off by default.
       use_pty         If set, sudo will run the command in a pseudo-pty even
                       if no I/O logging is being done.  A malicious program
                       run under sudo could conceivably fork a background
                       process that retains access to the user's terminal
                       device after the main program has finished executing.
                       Use of this option will make that impossible.
       visiblepw       By default, sudo will refuse to run if the user must
                       enter a password but it is not possible to disable echo
                       on the terminal.  If the visiblepw flag is set, sudo
                       will prompt for a password even when it would be
                       visible on the screen.  This makes it possible to run
                       things like "rsh somehost sudo ls" since rsh(1) does
                       not allocate a tty.  This flag is off by default.
   Integers:

       closefrom       Before it executes a command, sudo will close all open
                       file descriptors other than standard input, standard
                       output and standard error (i.e., file descriptors 0-2).
                       The closefrom option can be used to specify a different
                       file descriptor at which to start closing.  The default
                       is 3.

       passwd_tries    The number of tries a user gets to enter his/her
                       password before sudo logs the failure and exits.  The
                       default is 3.
   Integers that can be used in a boolean context:

       loglinelen      Number of characters per line for the file log.  This
                       value is used to decide when to wrap lines for nicer
                       log files.  This has no effect on the syslog log file,
                       only the file log.  The default is 80 (use 0 or negate
                       the option to disable word wrap).

       passwd_timeout  Number of minutes before the sudo password prompt times
                       out, or 0 for no timeout.  The timeout may include a
                       fractional component if minute granularity is
                       insufficient, for example 2.5.  The default is 5.
       timestamp_timeout
                       Number of minutes that can elapse before sudo will ask
                       for a password again.  The timeout may include a
                       fractional component if minute granularity is
                       insufficient, for example 2.5.  The default is 5.  Set
                       this to 0 to always prompt for a password.  If set to a
                       value less than 0 the user's timestamp will never
                       expire.  This can be used to allow users to create or
                       delete their own timestamps via sudo -v and sudo -k
                       respectively.
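       The session and credential-cache options described above (requiretty,
       use_pty, visiblepw, tty_tickets, passwd_tries, passwd_timeout and
       timestamp_timeout), combined into one policy as an added example that
       is not part of the sudoers(4) manual.  The host name (batch01), group
       name (backup) and the dump command line are placeholders.

```sudoers
# Added illustration, not part of the sudoers(4) manual.  Host, group and
# command names are placeholders.

# Credential cache: ask again 2 minutes after the last authentication
# (default 5), keep the cache bound to the tty it was obtained on
# (tty_tickets is on by default; stated here so a later negation is
# visible), and let an unanswered prompt expire after 1 minute.
Defaults        timestamp_timeout=2, tty_tickets, passwd_timeout=1
Defaults        passwd_tries=3

# Interactive sessions only: no sudo from cron jobs or CGI scripts that
# have no real tty.  visiblepw stays off, so a prompt whose echo cannot be
# disabled is refused instead of being shown on screen.
Defaults        requiretty, !visiblepw

# Run every command in a pseudo-tty so a backgrounded child cannot keep
# the user's terminal once the command returns (also implied when I/O
# logging is on).
Defaults        use_pty

# A batch host that legitimately runs sudo from automation has the tty
# requirement lifted on that host only, paired with a narrow NOPASSWD rule.
Defaults@batch01 !requiretty
%backup         batch01 = NOPASSWD: /usr/sbin/dump -0u /dev/sda1
```

       The per-host Defaults line matters: negating requiretty globally to
       accommodate one job would reopen sudo to every non-interactive caller
       on every host.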
       umask           Umask to use when running the command.  Negate this
                       option or set it to 0777 to preserve the user's umask.
                       The actual umask that is used will be the union of the
                       user's umask and the value of the umask option, which
                       defaults to 0022.  This guarantees that sudo never
                       lowers the umask when running a command.  Note on
                       systems that use PAM, the default PAM configuration may
                       specify its own umask which will override the value set
                       in sudoers.
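       The union rule for umask and the umask_override flag, worked through
       as an added example that is not part of the sudoers(4) manual.  The
       alias name (SHARED_BUILD) and the command path are placeholders.

```sudoers
# Added illustration, not part of the sudoers(4) manual.  Alias and
# command names are placeholders.

# Default behaviour: the effective umask is the union (bitwise OR) of the
# invoking user's umask and the sudoers value, so sudoers can only take
# permission bits away.  With umask=0022:
#   user umask 0077 -> effective 0077,  user umask 0002 -> effective 0022.
Defaults        umask=0022

# A tighter site-wide value is honoured whatever the user's own umask is:
#Defaults       umask=0077

# A looser value only takes effect with umask_override; without it 0002
# is ORed with the user's own umask and never wins.  Scope the override to
# the one command that needs group-writable output instead of setting it
# globally.
Cmnd_Alias      SHARED_BUILD = /usr/local/bin/build-release
Defaults!SHARED_BUILD umask=0002, umask_override

# umask=0777, or negating the option, leaves the user's own umask alone:
#Defaults       !umask

# On PAM systems the PAM configuration may impose its own umask, which
# overrides the value set here; check the session modules when the
# observed file modes do not match the sudoers value.
```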
   Strings:

       badpass_message Message that is displayed if a user enters an incorrect
                       password.  The default is Sorry, try again. unless
                       insults are enabled.

       editor          A colon (':') separated list of editors allowed to be
                       used with visudo.  visudo will choose the editor that
                       matches the user's EDITOR environment variable if
                       possible, or the first editor in the list that exists
                       and is executable.  The default is "vi".

       iolog_dir       The directory in which to store input/output logs when
                       the log_input or log_output options are enabled or when
                       the LOG_INPUT or LOG_OUTPUT tags are present for a
                       command.  The default is "/var/log/sudo-io".

       mailsub         Subject of the mail sent to the mailto user.  The escape
                       %h will expand to the host name of the machine.
                       Default is *** SECURITY information for %h ***.

       noexec_file     Path to a shared library containing dummy versions of
                       the execv(), execve() and fexecve() library functions
                       that just return an error.  This is used to implement
                       the noexec functionality on systems that support
                       LD_PRELOAD or its equivalent.  Defaults to
                       /usr/local/libexec/sudo_noexec.so.
       passprompt      The default prompt to use when asking for a password;
                       can be overridden via the -p option or the SUDO_PROMPT
                       environment variable.  The following percent (`%')
                       escapes are supported:

                       %H  expanded to the local host name including the
                           domain name (only if the machine's host name is
                           fully qualified or the fqdn option is set)

                       %h  expanded to the local host name without the domain
                           name

                       %p  expanded to the user whose password is being asked
                           for (respects the rootpw, targetpw and runaspw
                           flags in sudoers)

                       %U  expanded to the login name of the user the command
                           will be run as (defaults to root)

                       %u  expanded to the invoking user's login name

                       %%  two consecutive % characters are collapsed into a
                           single % character

                       The default value is Password:.
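       The passprompt escapes, the passprompt_override flag and the three
       flags that decide whose password %p names (rootpw, targetpw and
       runaspw, described earlier), put together as an added example that is
       not part of the sudoers(4) manual.  The group name (dba), host name
       (dbhost01) and target account (oracle) are placeholders.

```sudoers
# Added illustration, not part of the sudoers(4) manual.  Group, host and
# account names are placeholders.

# Make the prompt say whose password is wanted, on which host and for
# which target user: %u invoking user, %h unqualified host name, %p the
# account whose password is being asked for, %U the run-as user.
Defaults        passprompt="[sudo] %u@%h: password for %p (running as %U): "

# On PAM systems the custom prompt is only substituted when the module
# itself asks "Password:"; force it regardless of what the module prints.
Defaults        passprompt_override

# Which account %p names depends on these flags (all off by default):
#   rootpw   -> always root's password
#   targetpw -> the -u user's password; also puts that name into the
#               timestamp file name and rejects a numeric uid that is not
#               in the passwd database
#   runaspw  -> the runas_default user's password
# Example: members of dba must know the oracle account's own password to
# act as it, rather than their own.
Defaults:%dba   targetpw
%dba            dbhost01 = (oracle) ALL
```

       With targetpw in effect for that group, a prompt produced by the line
       above reads, for user alice on dbhost01, "[sudo] alice@dbhost01:
       password for oracle (running as oracle): ".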
       role            The default SELinux role to use when constructing a new
                       security context to run the command.  The default role
                       may be overridden on a per-command basis in sudoers or
                       via command line options.  This option is only
                       available when sudo is built with SELinux support.
       runas_default   The default user to run commands as if the -u option is
                       not specified on the command line.  This defaults to
                       root.  Note that if runas_default is set it must occur
                       before any Runas_Alias specifications.

       syslog_badpri   Syslog priority to use when user authenticates
                       unsuccessfully.  Defaults to alert.

       syslog_goodpri  Syslog priority to use when user authenticates
                       successfully.  Defaults to notice.
       sudoers_locale  Locale to use when parsing the sudoers file, logging
                       commands, and sending email.  Note that changing the
                       locale may affect how sudoers is interpreted.  Defaults
                       to "C".

       timestampdir    The directory in which sudo stores its timestamp files.
                       The default is /var/adm/sudo.

       timestampowner  The owner of the timestamp directory and the timestamps
                       stored therein.  The default is root.

       type            The default SELinux type to use when constructing a new
                       security context to run the command.  The default type
                       may be overridden on a per-command basis in sudoers or
                       via command line options.  This option is only
                       available when sudo is built with SELinux support.

   Strings that can be used in a boolean context:

       askpass         The askpass option specifies the fully qualified path
                       to a helper program used to read the user's password
                       when no terminal is available.  This may be the case
                       when sudo is executed from a graphical (as opposed to
                       text-based) application.  The program specified by
                       askpass should display the argument passed to it as
                       the prompt and write the user's password to the
                       standard output.  The value of askpass may be
                       overridden by the SUDO_ASKPASS environment variable.

       env_file        The env_file option specifies the fully qualified path
                       to a file containing variables to be set in the
                       environment of the program being run.  Entries in this
                       file should either be of the form VARIABLE=value or
                       export VARIABLE=value.  The value may optionally be
                       surrounded by single or double quotes.  Variables in
                       this file are subject to other sudo environment
                       settings such as env_keep and env_check.

       exempt_group    Users in this group are exempt from password and PATH
                       requirements.  This is not set by default.

       lecture         This option controls when a short lecture will be
                       printed along with the password prompt.  It has the
                       following possible values:

                       always  Always lecture the user.

                       never   Never lecture the user.

                       once    Only lecture the user the first time they run
                               sudo.

                       If no value is specified, a value of once is implied.
                       Negating the option results in a value of never being
                       used.  The default value is once.

       lecture_file    Path to a file containing an alternate sudo lecture
                       that will be used in place of the standard lecture if
                       the named file exists.  By default, sudo uses a
                       built-in lecture.

       listpw          This option controls when a password will be required
                       when a user runs sudo with the -l option.  It has the
                       following possible values:

                       all     All the user's sudoers entries for the current
                               host must have the NOPASSWD flag set to avoid
                               entering a password.

                       always  The user must always enter a password to use
                               the -l option.

                       any     At least one of the user's sudoers entries for
                               the current host must have the NOPASSWD flag
                               set to avoid entering a password.

                       never   The user need never enter a password to use
                               the -l option.

                       If no value is specified, a value of any is implied.
                       Negating the option results in a value of never being
                       used.  The default value is any.
       logfile         Path to the sudo log file (not the syslog log file).
                       Setting a path turns on logging to a file; negating
                       this option turns it off.  By default, sudo logs via
                       syslog.

       mailerflags     Flags to use when invoking mailer.  Defaults to -t.

       mailerpath      Path to mail program used to send warning mail.
                       Defaults to the path to sendmail found at configure
                       time.

       mailfrom        Address to use for the "from" address when sending
                       warning and error mail.  The address should be enclosed
                       in double quotes (") to protect against sudo
                       interpreting the @ sign.  Defaults to the name of the
                       user running sudo.

       mailto          Address to send warning and error mail to.  The address
                       should be enclosed in double quotes (") to protect
                       against sudo interpreting the @ sign.  Defaults to
                       root.

       secure_path     Path used for every command run from sudo.  If you
                       don't trust the people running sudo to have a sane PATH
                       environment variable you may want to use this.  Another
                       use is if you want to have the "root path" be separate
                       from the "user path."  Users in the group specified by
                       the exempt_group option are not affected by
                       secure_path.  This option is not set by default.

       syslog          Syslog facility if syslog is being used for logging
                       (negate to disable syslog logging).  Defaults to auth.
       verifypw        This option controls when a password will be required
                       when a user runs sudo with the -v option.  It has the
                       following possible values:

                       all     All the user's sudoers entries for the current
                               host must have the NOPASSWD flag set to avoid
                               entering a password.

                       always  The user must always enter a password to use
                               the -v option.

                       any     At least one of the user's sudoers entries for
                               the current host must have the NOPASSWD flag
                               set to avoid entering a password.

                       never   The user need never enter a password to use
                               the -v option.

                       If no value is specified, a value of all is implied.
                       Negating the option results in a value of never being
                       used.  The default value is all.
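       The listpw and verifypw values described above (listpw earlier in this
       section, verifypw just above), applied to one mixed entry as an added
       example that is not part of the sudoers(4) manual.  The user name
       (alice) and the systemctl command lines are placeholders.

```sudoers
# Added illustration, not part of the sudoers(4) manual.  User and
# command names are placeholders.

# A user with one NOPASSWD entry and one password-protected entry:
alice   ALL = NOPASSWD: /usr/bin/systemctl status *, \
              PASSWD:   /usr/bin/systemctl restart nginx

# Whether `sudo -l` (listpw) and `sudo -v` (verifypw) may then run without
# a password, per value:
#   always  password required, always
#   all     password required unless every entry is NOPASSWD  (alice: yes)
#   any     password required unless some entry is NOPASSWD   (alice: no)
#   never   no password
# Defaults are listpw=any and verifypw=all, so out of the box alice can
# list her rules without a password but must authenticate to refresh
# her timestamp.

# Tighten listing: the rule set reveals privileged paths, so require the
# password unless every rule is NOPASSWD anyway.
Defaults        listpw=all

# The setting to avoid: with verifypw=any, one NOPASSWD rule lets the
# caller refresh the cached credential without ever typing a password.
#Defaults       verifypw=any

# Negating either option means "never" (no password at all):
#Defaults       !listpw
```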
   Lists that can be used in a boolean context:

       env_check       Environment variables to be removed from the user's
                       environment if the variable's value contains % or /
                       characters.  This can be used to guard against
                       printf-style format vulnerabilities in poorly-written
                       programs.  The argument may be a double-quoted, space-
                       separated list or a single value without double-quotes.
                       The list can be replaced, added to, deleted from, or
                       disabled by using the =, +=, -=, and ! operators
                       respectively.  Regardless of whether the env_reset
                       option is enabled or disabled, variables specified by
                       env_check will be preserved in the environment if they
                       pass the aforementioned check.  The default list of
                       environment variables to check is displayed when sudo
                       is run by root with the -V option.

       env_delete      Environment variables to be removed from the user's
                       environment when the env_reset option is not in effect.
                       The argument may be a double-quoted, space-separated
                       list or a single value without double-quotes.  The list
                       can be replaced, added to, deleted from, or disabled by
                       using the =, +=, -=, and ! operators respectively.  The
                       default list of environment variables to remove is
                       displayed when sudo is run by root with the -V option.
                       Note that many operating systems will remove
                       potentially dangerous variables from the environment of
                       any setuid process (such as sudo).

       env_keep        Environment variables to be preserved in the user's
                       environment when the env_reset option is in effect.
                       This allows fine-grained control over the environment
                       sudo-spawned processes will receive.  The argument may
                       be a double-quoted, space-separated list or a single
                       value without double-quotes.  The list can be replaced,
                       added to, deleted from, or disabled by using the =, +=,
                       -=, and ! operators respectively.  The default list of
                       variables to keep is displayed when sudo is run by root
                       with the -V option.
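       The three environment lists above, with the =, +=, -= and ! operators,
       together with the env_file string and the setenv flag described
       earlier, as an added example that is not part of the sudoers(4)
       manual.  The user names (legacy_svc, buildbot), the env_file path and
       the variable choices are placeholders.

```sudoers
# Added illustration, not part of the sudoers(4) manual.  User names,
# variable names and paths are placeholders.

# With env_reset only env_keep variables survive, and env_check
# variables survive only when their value contains neither '%' nor '/'.
Defaults        env_reset
Defaults        env_keep  += "LANG LC_ALL EDITOR"
Defaults        env_check += "COLORTERM TERM"

# Take HOME back out of env_keep: the EXAMPLES section below warns that
# programs which locate configuration files via HOME can be turned into a
# privilege escalation when HOME is passed through.
Defaults        env_keep  -= "HOME"

# env_delete only matters when env_reset is off for someone; it is a
# deny-list applied on top of what the OS already strips from setuid
# processes.  Keep the exception as narrow as the user who needs it.
Defaults:legacy_svc  !env_reset
Defaults:legacy_svc  env_delete += "IFS CDPATH ENV BASH_ENV"

# setenv lets the caller disable env_reset and bypass env_check,
# env_delete and env_keep from the command line.  Grant it to one trusted
# account, never site-wide.
Defaults:buildbot    setenv

# env_file: lines of VARIABLE=value or export VARIABLE=value, optionally
# quoted, still filtered by env_keep and env_check before they reach the
# command.
Defaults        env_file=/etc/sudo.env

# Disable a list entirely with '!':
#Defaults       !env_check
```

       After editing, run sudo -V as root: the effective env_keep,
       env_check and env_delete lists it prints are the authoritative view of
       what the operators above produced, including the compiled-in entries
       the file never mentions.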
       When logging via syslog(3), sudo accepts the following values for the
       syslog facility (the value of the syslog Parameter): authpriv (if your
       OS supports it), auth, daemon, user, local0, local1, local2, local3,
       local4, local5, local6, and local7.  The following syslog priorities
       are supported: alert, crit, debug, emerg, err, info, notice, and
       warning.
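       The logging options from this section gathered into one audit
       configuration, as an added example that is not part of the sudoers(4)
       manual: the syslog facility and priorities listed above, the file log
       options (logfile, log_host, log_year, loglinelen), and the I/O logging
       options (log_output, log_input, iolog_dir and the LOG_INPUT/LOG_OUTPUT
       tags) described earlier.  The alias name (DBSHELL), group name (dba),
       host name (dbhost01), target account (oracle) and file paths are
       placeholders.

```sudoers
# Added illustration, not part of the sudoers(4) manual.  Alias, group,
# host and account names and file paths are placeholders.

# Event log: syslog to the authpriv facility where the OS provides it,
# successful authentications at info, failures at alert.
Defaults        syslog=authpriv, syslog_goodpri=info, syslog_badpri=alert

# Also keep a local file log carrying host name and four-digit year, with
# line wrapping disabled so each record is a single line for log shipping.
Defaults        logfile=/var/log/sudo.log, log_host, log_year, loglinelen=0

# Session recording: capture the output of everything run through sudo.
# The TSID= field in each event log line names the recording; sudoreplay
# lists and replays them from iolog_dir.
Defaults        log_output, iolog_dir=/var/log/sudo-io

# Input capture stores every keystroke, including passwords typed into the
# command, unencrypted.  Enable it only for narrowly scoped commands.
Cmnd_Alias      DBSHELL = /usr/bin/sqlplus
Defaults!DBSHELL log_input

# The same can be requested per rule with the LOG_INPUT / LOG_OUTPUT tags:
%dba            dbhost01 = (oracle) LOG_OUTPUT: /usr/bin/sqlplus
```

       Note that the iolog_dir contents are as sensitive as the sessions they
       record; keep the directory root-owned and not world-readable, and
       treat it as in-scope for the same retention rules as the event log.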
FILES
       /etc/sudoers            List of who can run what

       /etc/group              Local groups file

       /etc/netgroup           List of network groups

       /var/log/sudo-io        I/O log files

EXAMPLES
       Below are example sudoers entries.  Admittedly, some of these are a bit
       contrived.  First, we allow a few environment variables to pass and
       then define our aliases:

        # Run X applications through sudo; HOME is used to find the
        # .Xauthority file.  Note that other programs use HOME to find
        # configuration files and this may lead to privilege escalation!
        Defaults env_keep += "DISPLAY HOME"

        # User alias specification
        User_Alias     FULLTIMERS = millert, mikef, dowdy
        User_Alias     PARTTIMERS = bostley, jwfox, crawl
        User_Alias     WEBMASTERS = will, wendy, wim

        # Runas alias specification
        Runas_Alias    OP = root, operator
        Runas_Alias    DB = oracle, sybase
        Runas_Alias    ADMINGRP = adm, oper

        # Host alias specification
        Host_Alias     SPARC = bigtime, eclipse, moet, anchor :\
                       SGI = grolsch, dandelion, black :\
                       ALPHA = widget, thalamus, foobar :\
                       HPPA = boa, nag, python
        Host_Alias     CUNETS = 128.138.0.0/255.255.0.0
        Host_Alias     CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
        Host_Alias     SERVERS = master, mail, www, ns
        Host_Alias     CDROM = orion, perseus, hercules

        # Cmnd alias specification
        Cmnd_Alias     DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
                               /usr/sbin/restore, /usr/sbin/rrestore
        Cmnd_Alias     KILL = /usr/bin/kill
        Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm
        Cmnd_Alias     SHUTDOWN = /usr/sbin/shutdown
        Cmnd_Alias     HALT = /usr/sbin/halt
        Cmnd_Alias     REBOOT = /usr/sbin/reboot
        Cmnd_Alias     SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                                /usr/local/bin/tcsh, /usr/bin/rsh
        Cmnd_Alias     SU = /usr/bin/su
        Cmnd_Alias     PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less

       Here we override some of the compiled in default values.  We want sudo
       to log via syslog(3) using the auth facility in all cases.  We don't
       want to subject the full time staff to the sudo lecture, user millert
       need not give a password, and we don't want to reset the LOGNAME, USER
       or USERNAME environment variables when running commands as root.
       Additionally, on the machines in the SERVERS Host_Alias, we keep an
       additional local log file and make sure we log the year in each log
       line since the log entries will be kept around for several years.
       Lastly, we disable shell escapes for the commands in the PAGERS
       Cmnd_Alias (/usr/bin/more, /usr/bin/pg and /usr/bin/less).

        # Override built-in defaults
        Defaults               syslog=auth
        Defaults>root          !set_logname
        Defaults:FULLTIMERS    !lecture
        Defaults:millert       !authenticate
        Defaults@SERVERS       log_year, logfile=/var/log/sudo.log
        Defaults!PAGERS        noexec
1488 The _
\bU_
\bs_
\be_
\br _
\bs_
\bp_
\be_
\bc_
\bi_
\bf_
\bi_
\bc_
\ba_
\bt_
\bi_
\bo_
\bn is the part that actually determines who may run
1491 root ALL = (ALL) ALL
1492 %wheel ALL = (ALL) ALL
1494 We let r
\bro
\boo
\bot
\bt and any user in group w
\bwh
\bhe
\bee
\bel
\bl run any command on any host as
1497 FULLTIMERS ALL = NOPASSWD: ALL
1499 Full time sysadmins (m
\bmi
\bil
\bll
\ble
\ber
\brt
\bt, m
\bmi
\bik
\bke
\bef
\bf, and d
\bdo
\bow
\bwd
\bdy
\by) may run any command on
1500 any host without authenticating themselves.
1502 PARTTIMERS ALL = ALL
1504 Part time sysadmins (b
\bbo
\bos
\bst
\btl
\ble
\bey
\by, j
\bjw
\bwf
\bfo
\box
\bx, and c
\bcr
\bra
\baw
\bwl
\bl) may run any command on
1505 any host but they must authenticate themselves first (since the entry
1506 lacks the NOPASSWD tag).
1510 The user j
\bja
\bac
\bck
\bk may run any command on the machines in the _
\bC_
\bS_
\bN_
\bE_
\bT_
\bS alias
1511 (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of
1512 those networks, only 128.138.204.0 has an explicit netmask (in CIDR
       notation) indicating it is a class C network.  For the other networks
       in CSNETS, the local machine's netmask will be used during matching.

       The user lisa may run any command on any host in the CUNETS alias (the
       class B network 128.138.0.0).
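       Added example (not part of sudo or the sudoers(4) manual): how the three
       address forms used in the CUNETS and CSNETS aliases above resolve to
       networks, and how far a bare address such as 128.138.243.0 reaches once
       the local machine's netmask is applied.  The functions and the
       local_netmask argument are this example's own; sudo also matches hosts
       by name, which is not modelled here.

```python
import ipaddress

# Constructed from the Host_Alias entries in the EXAMPLES above.
CUNETS = ["128.138.0.0/255.255.0.0"]
CSNETS = ["128.138.243.0", "128.138.204.0/24", "128.138.242.0"]


def entry_to_network(entry, local_netmask):
    """Turn one Host_Alias address entry into an ipaddress network.

    An entry may carry a dotted-quad netmask (CUNETS), a CIDR prefix length
    (128.138.204.0/24) or no mask at all; for a bare address sudo applies the
    local machine's netmask, which this example takes as an argument.
    """
    if "/" not in entry:
        entry = f"{entry}/{local_netmask}"
    return ipaddress.ip_network(entry, strict=False)


def host_alias_matches(entries, host_ip, local_netmask):
    """Return True if host_ip falls inside any network listed in the alias."""
    ip = ipaddress.ip_address(host_ip)
    return any(ip in entry_to_network(e, local_netmask) for e in entries)


if __name__ == "__main__":
    # A /24 local netmask gives the bare CSNETS entries class C reach; a /16
    # local netmask widens them to the whole 128.138.0.0 network.
    for mask in ("255.255.255.0", "255.255.0.0"):
        print(mask, host_alias_matches(CSNETS, "128.138.1.5", mask))
```

       The second run shows the caveat in the text: an entry without a netmask
       grants whatever the host's own netmask happens to cover.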
        operator       ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
                       sudoedit /etc/printcap, /usr/oper/bin/

       The operator user may run commands limited to simple maintenance.
       Here, those are commands related to backups, killing processes, the
       printing system, shutting down the system, and any commands in the
       directory /usr/oper/bin/.

        joe            ALL = /usr/bin/su operator

       The user joe may only su(1) to operator.

        pete           HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

        %opers         ALL = (: ADMINGRP) /usr/sbin/

       Users in the opers group may run commands in /usr/sbin/ as themselves
       with any group in the ADMINGRP Runas_Alias (the adm and oper groups).

       The user pete is allowed to change anyone's password except for root on
       the HPPA machines.  Note that this assumes passwd(1) does not take
       multiple user names on the command line.

        bob            SPARC = (OP) ALL : SGI = (OP) ALL

       The user bob may run anything on the SPARC and SGI machines as any user
       listed in the OP Runas_Alias (root and operator).

       The user jim may run any command on machines in the biglab netgroup.
       sudo knows that "biglab" is a netgroup due to the '+' prefix.

        +secretaries   ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

       Users in the secretaries netgroup need to help manage the printers as
       well as add and remove users, so they are allowed to run those commands

        fred           ALL = (DB) NOPASSWD: ALL

       The user fred can run commands as any user in the DB Runas_Alias
       (oracle or sybase) without giving a password.

        john           ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
       On the ALPHA machines, user john may su to anyone except root but he is
       not allowed to specify any options to the su(1) command.

        jen            ALL, !SERVERS = ALL

       The user jen may run any command on any machine except for those in the
       SERVERS Host_Alias (master, mail, www and ns).

        jill           SERVERS = /usr/bin/, !SU, !SHELLS

       For any machine in the SERVERS Host_Alias, jill may run any commands in
       the directory /usr/bin/ except for those commands belonging to the SU
       and SHELLS Cmnd_Aliases.

        steve          CSNETS = (operator) /usr/local/op_commands/

       The user steve may run any command in the directory
       /usr/local/op_commands/ but only as user operator.

        matt           valkyrie = KILL

       On his personal workstation, valkyrie, matt needs to be able to kill

        WEBMASTERS     www = (www) ALL, (root) /usr/bin/su www

       On the host www, any user in the WEBMASTERS User_Alias (will, wendy,
       and wim), may run any command as user www (which owns the web pages) or
       simply su(1) to www.

        ALL            CDROM = NOPASSWD: /sbin/umount /CDROM,\
                       /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM

       Any user may mount or unmount a CD-ROM on the machines in the CDROM
       Host_Alias (orion, perseus, hercules) without entering a password.
       This is a bit tedious for users to type, so it is a prime candidate for
       encapsulating in a shell script.

SECURITY NOTES
       It is generally not effective to "subtract" commands from ALL using the
       '!' operator.  A user can trivially circumvent this by copying the
       desired command to a different name and then executing that.  For

        bill           ALL = ALL, !SU, !SHELLS

       Doesn't really prevent bill from running the commands listed in SU or
       SHELLS since he can simply copy those commands to a different name, or
       use a shell escape from an editor or other program.  Therefore, this
       kind of restriction should be considered advisory at best (and
       reinforced by policy).

       Furthermore, if the fast_glob option is in use, it is not possible to
       reliably negate commands where the path name includes globbing (aka
       wildcard) characters.  This is because the C library's fnmatch(3)
       function cannot resolve relative paths.  While this is typically only
       an inconvenience for rules that grant privileges, it can result in a
       security issue for rules that subtract or revoke privileges.

       For example, given the following sudoers entry:

        john           ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
                             /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root

       User john can still run /usr/bin/passwd root if fast_glob is enabled by
       changing to /usr/bin and running ./passwd root instead.
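       Added example, written for this page rather than taken from sudo: a
       small audit of user specifications for the two problems described in
       this section, '!' subtraction from ALL (advisory only) and negated
       wildcard paths that fast_glob cannot enforce, together with a model of
       why fnmatch(3) on the literal typed path never sees ./passwd as
       /usr/bin/passwd.  The parser, audit and negation_applies functions are
       this example's own; the sample entries are constructed from the bill
       and john rules above.

```python
import fnmatch
import os
import re

GLOB_CHARS = "*?["
# Constructed sample built from the bill and john entries above.
SAMPLE_SUDOERS = """\
bill   ALL = ALL, !SU, !SHELLS
john   ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*, \\
             /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
joe    ALL = /usr/bin/su operator
"""

def parse_user_specs(text):
    """Yield (user, [cmnd, ...]) per user specification; continued lines are
    joined, Defaults/alias lines, Runas '(...)' and TAG: prefixes dropped."""
    for line in text.replace("\\\n", " ").splitlines():
        words = line.split()
        if not words or words[0][0] == "#" or "=" not in line:
            continue
        if words[0].startswith("Defaults") or words[0].endswith("_Alias"):
            continue
        cmnds = []
        for item in line.split("=", 1)[1].split(","):
            item = re.sub(r"\([^)]*\)", "", item)           # Runas_Spec
            item = re.sub(r"\b[A-Z_]+:", "", item).strip()  # NOPASSWD: etc.
            if item:
                cmnds.append(item)
        yield words[0], cmnds

def audit(text):
    """Return (user, problem) pairs for negations sudo cannot enforce."""
    findings = []
    for user, cmnds in parse_user_specs(text):
        negated = [c for c in cmnds if c.startswith("!")]
        if "ALL" in cmnds and negated:
            findings.append((user, "subtracts from ALL: advisory only"))
        for c in negated:
            path = c[1:].split()[0]
            if any(ch in path for ch in GLOB_CHARS):
                findings.append((user, f"negated wildcard {path}: unreliable under fast_glob"))
    return findings

def negation_applies(pattern, user_cmnd, cwd, fast_glob):
    """fast_glob: fnmatch(3) on the literal path the user typed.  Otherwise
    resolve against cwd first (stands in for sudo's glob(3)/stat comparison)."""
    if not fast_glob:
        user_cmnd = os.path.normpath(os.path.join(cwd, user_cmnd))
    return fnmatch.fnmatchcase(user_cmnd, pattern)
```

       Running audit(SAMPLE_SUDOERS) flags bill's ALL-minus-aliases rule and
       john's negated /usr/bin/* entry; negation_applies shows the latter only
       matches ./passwd once the path is resolved, which fast_glob never does.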
   PREVENTING SHELL ESCAPES
       Once sudo executes a program, that program is free to do whatever it
       pleases, including running other programs.  This can be a security
       issue since it is not uncommon for a program to allow shell escapes,
       which lets a user bypass sudo's access control and logging.  Common
       programs that permit shell escapes include shells (obviously), editors,
       paginators, mail and terminal programs.

       There are two basic approaches to this problem:

       restrict    Avoid giving users access to commands that allow the user to
                   run arbitrary commands.  Many editors have a restricted mode
                   where shell escapes are disabled, though sudoedit is a better
                   solution to running editors via sudo.  Due to the large
                   number of programs that offer shell escapes, restricting
                   users to the set of programs that do not is often unworkable.

       noexec      Many systems that support shared libraries have the ability
                   to override default library functions by pointing an
                   environment variable (usually LD_PRELOAD) to an alternate
                   shared library.  On such systems, sudo's noexec functionality
                   can be used to prevent a program run by sudo from executing
                   any other programs.  Note, however, that this applies only to
                   native dynamically-linked executables.  Statically-linked
                   executables and foreign executables running under binary
                   emulation are not affected.

                   To tell whether or not sudo supports noexec, you can run the

                       sudo -V | grep "dummy exec"

                   If the resulting output contains a line that begins with:

                       File containing dummy exec functions:

                   then sudo may be able to replace the exec family of functions
                   in the standard library with its own that simply return an
                   error.  Unfortunately, there is no foolproof way to know
                   whether or not noexec will work at compile-time.  noexec
                   should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX,
                   MacOS X, and HP-UX 11.x.  It is known not to work on AIX and
                   UnixWare.  noexec is expected to work on most operating
                   systems that support the LD_PRELOAD environment variable.
                   Check your operating system's manual pages for the dynamic
                   linker (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader)
                   to see if LD_PRELOAD is supported.

                   To enable noexec for a command, use the NOEXEC tag as
                   documented in the User Specification section above.  Here is

                       aaron      shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

                   This allows user aaron to run /usr/bin/more and /usr/bin/vi
                   with noexec enabled.  This will prevent those two commands
                   from executing other commands (such as a shell).  If you are
                   unsure whether or not your system is capable of supporting
                   noexec you can always just try it out and see if it works.

       Note that restricting shell escapes is not a panacea.  Programs running
       as root are still capable of many potentially hazardous operations
       (such as changing or overwriting files) that could lead to unintended
       privilege escalation.  In the specific case of an editor, a safer
       approach is to give the user permission to run sudoedit.

SEE ALSO
       rsh(1), su(1), fnmatch(3), glob(3), sudo(1m), visudo(8)

CAVEATS
       The sudoers file should always be edited by the visudo command, which
       locks the file and does grammatical checking.  It is imperative that
       sudoers be free of syntax errors since sudo will not run with a
       syntactically incorrect sudoers file.

       When using netgroups of machines (as opposed to users), if you store
       fully qualified host names in the netgroup (as is usually the case), you
       either need to have the machine's host name be fully qualified as
       returned by the hostname command or use the fqdn option in sudoers.

       If you feel you have found a bug in sudo, please submit a bug report at
       http://www.sudo.ws/sudo/bugs/

SUPPORT
       Limited free support is available via the sudo-users mailing list, see
       http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search

DISCLAIMER
       sudo is provided ``AS IS'' and any express or implied warranties,
       including, but not limited to, the implied warranties of
       merchantability and fitness for a particular purpose are disclaimed.
       See the LICENSE file distributed with sudo or
       http://www.sudo.ws/sudo/license.html for complete details.