SUDOERS(4)                 MAINTENANCE COMMANDS                 SUDOERS(4)

    sudoers - list of which users may execute what

DESCRIPTION
    The sudoers file is composed of two types of entries: aliases
    (basically variables) and user specifications (which specify who may

    When multiple entries match for a user, they are applied in order.
    Where there are multiple matches, the last match is used (which is not
    necessarily the most specific match).

    The sudoers grammar will be described below in Extended Backus-Naur
    Form (EBNF).  Don't despair if you don't know what EBNF is; it is
    fairly simple, and the definitions below are annotated.
  Quick guide to EBNF
    EBNF is a concise and exact way of describing the grammar of a
    language.  Each EBNF definition is made up of production rules.  E.g.,

        symbol ::= definition | alternate1 | alternate2 ...

    Each production rule references others and thus makes up a grammar for
    the language.  EBNF also contains the following operators, which many
    readers will recognize from regular expressions.  Do not, however,
    confuse them with "wildcard" characters, which have different meanings.

    ?   Means that the preceding symbol (or group of symbols) is optional.
        That is, it may appear once or not at all.

    *   Means that the preceding symbol (or group of symbols) may appear

    +   Means that the preceding symbol (or group of symbols) may appear

    Parentheses may be used to group symbols together.  For clarity, we
    will use single quotes ('') to designate what is a verbatim character
    string (as opposed to a symbol name).

  Aliases
    There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias

        Alias ::= 'User_Alias'  User_Alias (':' User_Alias)* |
                  'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
                  'Host_Alias'  Host_Alias (':' Host_Alias)* |
                  'Cmnd_Alias'  Cmnd_Alias (':' Cmnd_Alias)*

        User_Alias ::= NAME '=' User_List

        Runas_Alias ::= NAME '=' Runas_List

        Host_Alias ::= NAME '=' Host_List
1.7.2p6                        April 7, 2010
        Cmnd_Alias ::= NAME '=' Cmnd_List

        NAME ::= [A-Z]([A-Z][0-9]_)*

    Each alias definition is of the form

        Alias_Type NAME = item1, item2, ...

    where Alias_Type is one of User_Alias, Runas_Alias, Host_Alias, or
    Cmnd_Alias.  A NAME is a string of uppercase letters, numbers, and
    underscore characters ('_').  A NAME must start with an uppercase
    letter.  It is possible to put several alias definitions of the same
    type on a single line, joined by a colon (':').  E.g.,

        Alias_Type NAME = item1, item2, item3 : NAME = item4, item5

    The definitions of what constitutes a valid alias member follow.

        User ::= '!'* username |
                 '!'* '%:'nonunix_group |

    A User_List is made up of one or more usernames, uids (prefixed with
    '#'), system groups (prefixed with '%'), netgroups (prefixed with '+')
    and User_Aliases.  Each list item may be prefixed with zero or more '!'
    operators.  An odd number of '!' operators negates the value of the
    item; an even number just cancels out.

    A username, group, netgroup or nonunix_group may be enclosed in
    double quotes to avoid the need for escaping special characters.
    Alternately, special characters may be specified in escaped hex mode,

    The nonunix_group syntax depends on the underlying implementation.  For
    instance, the QAS AD backend supports the following formats:

    o   Group in the same domain: "Group Name"

    o   Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"

    o   Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"

    Note that quotes around group names are optional.  Unquoted strings
    must use a backslash (\) to escape spaces and the '@' symbol.
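The alias and User_List rules above (the NAME syntax, several definitions of one type joined by ':', and the odd/even '!' rule) as an added Python example. This is illustrative code written for this page, not sudo's parser. The account table is constructed, a '%:nonunix_group' member is looked up like an ordinary group, and the four alias types share one table for brevity. As in sudo, a User_List is scanned from its end and the last matching item decides, so a negated item that matches is an explicit "no".

```python
import re

NAME_RE = re.compile(r"^[A-Z][A-Z0-9_]*$")          # NAME ::= [A-Z]([A-Z][0-9]_)*
ALIAS_TYPES = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
# Split "NAME = a, b : NAME = c" on the ':' that starts another definition
# (not on the ':' inside a '%:nonunix_group' member).
DEF_SPLIT_RE = re.compile(r":(?=\s*[A-Z][A-Z0-9_]*\s*=)")

# Constructed account table for the example: name -> (uid, groups).
ACCOUNTS = {
    "root": (0, ["wheel"]),
    "toor": (0, ["wheel"]),
    "ray":  (1001, ["staff", "dialer"]),
    "dgb":  (1002, ["staff"]),
    "tcm":  (1003, ["dialer"]),
}

def parse_alias_line(line):
    """Parse one alias definition line into (Alias_Type, {NAME: [members]})."""
    kind, _, rest = line.strip().partition(" ")
    if kind not in ALIAS_TYPES:
        raise ValueError("not an alias definition: %r" % line)
    defs = {}
    for chunk in DEF_SPLIT_RE.split(rest):
        name, eq, members = chunk.partition("=")
        name = name.strip()
        if not eq or not NAME_RE.match(name):
            raise ValueError("bad alias NAME: %r" % name)
        defs[name] = [m.strip() for m in members.split(",") if m.strip()]
    return kind, defs

def negation(item):
    """Strip the leading '!' operators: an odd count negates, an even count cancels."""
    bangs = len(item) - len(item.lstrip("!"))
    return bangs % 2 == 1, item[bangs:]

def user_in_list(user, members, aliases, accounts=ACCOUNTS, depth=0):
    """Match `user` against a User_List.  Returns True (matched), False
    (matched a negated item) or None (nothing matched).  The list is scanned
    from the end, so the last matching item decides."""
    if depth > 32:
        raise RecursionError("alias nesting too deep")
    uid, groups = accounts.get(user, (None, []))
    for item in reversed(members):
        neg, name = negation(item)
        if name in aliases:                  # nested alias: its verdict, inverted if negated
            verdict = user_in_list(user, aliases[name], aliases, accounts, depth + 1)
            if verdict is not None:
                return (not verdict) if neg else verdict
            continue
        if name == "ALL":
            hit = True
        elif name.startswith("%"):           # %group or %:nonunix_group
            hit = name.lstrip("%:") in groups
        elif name.startswith("#"):           # #uid: matches every name with that uid
            hit = uid is not None and uid == int(name[1:])
        else:
            hit = name == user
        if hit:
            return not neg
    return None
```

A None result is "not in the list" and is what a caller should treat as no match; only True is a positive match.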
        Runas_List ::= Runas_Member |
                       Runas_Member ',' Runas_List
        Runas_Member ::= '!'* username |

    A Runas_List is similar to a User_List except that instead of
    User_Aliases it can contain Runas_Aliases.  Note that usernames and
    groups are matched as strings.  In other words, two users (groups) with
    the same uid (gid) are considered to be distinct.  If you wish to match
    all usernames with the same uid (e.g. root and toor), you can use a uid
    instead (#0 in the example given).

        Host ::= '!'* hostname |
                 '!'* network(/netmask)? |

    A Host_List is made up of one or more hostnames, IP addresses, network
    numbers, netgroups (prefixed with '+') and other aliases.  Again, the
    value of an item may be negated with the '!' operator.  If you do not
    specify a netmask along with the network number, sudo will query each
    of the local host's network interfaces and, if the network number
    corresponds to one of the host's network interfaces, the corresponding
    netmask will be used.  The netmask may be specified either in standard
    IP address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or
    CIDR notation (number of bits, e.g. 24 or 64).  A hostname may include
    shell-style wildcards (see the Wildcards section below), but unless the
    hostname command on your machine returns the fully qualified hostname,
    you'll need to use the fqdn option for wildcards to be useful.

        commandname ::= filename |

        Cmnd ::= '!'* commandname |

    A Cmnd_List is a list of one or more commandnames, directories, and
    other aliases.  A commandname is a fully qualified filename which may
    include shell-style wildcards (see the Wildcards section below).  A
    simple filename allows the user to run the command with any arguments
    he/she wishes.  However, you may also specify command line arguments
    (including wildcards).  Alternately, you can specify "" to indicate
    that the command may only be run without command line arguments.  A
    directory is a fully qualified pathname ending in a '/'.  When you
    specify a directory in a Cmnd_List, the user will be able to run any
    file within that directory (but not in any subdirectories therein).

    If a Cmnd has associated command line arguments, then the arguments in
    the Cmnd must match exactly those given by the user on the command line
    (or match the wildcards if there are any).  Note that the following
    characters must be escaped with a '\' if they are used in command
    arguments: ',', ':', '=', '\'.  The special command "sudoedit" is used
    to permit a user to run sudo with the -e option (or as sudoedit).  It
    may take command line arguments just as a normal command does.
  Defaults
    Certain configuration options may be changed from their default values
    at runtime via one or more Default_Entry lines.  These may affect all
    users on any host, all users on a specific host, a specific user, a
    specific command, or commands being run as a specific user.  Note that
    per-command entries may not include command line arguments.  If you
    need to specify arguments, define a Cmnd_Alias and reference that

        Default_Type ::= 'Defaults' |
                         'Defaults' '@' Host_List |
                         'Defaults' ':' User_List |
                         'Defaults' '!' Cmnd_List |
                         'Defaults' '>' Runas_List

        Default_Entry ::= Default_Type Parameter_List

        Parameter_List ::= Parameter |
                           Parameter ',' Parameter_List

        Parameter ::= Parameter '=' Value |
                      Parameter '+=' Value |
                      Parameter '-=' Value |

    Parameters may be flags, integer values, strings, or lists.  Flags are
    implicitly boolean and can be turned off via the '!' operator.  Some
    integer, string and list parameters may also be used in a boolean
    context to disable them.  Values may be enclosed in double quotes (")
    when they contain multiple words.  Special characters may be escaped
    with a backslash (\).

    Lists have two additional assignment operators, += and -=.  These
    operators are used to add to and delete from a list respectively.  It
    is not an error to use the -= operator to remove an element that does

    Defaults entries are parsed in the following order: generic, host and
    user Defaults first, then runas Defaults and finally command defaults.

    See "SUDOERS OPTIONS" for a list of supported Defaults parameters.
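The Defaults grammar and parse order above, as an added Python example (illustrative code written for this page, not sudo's parser). It applies the Default_Type scopes, '!' on flags, and the '=', '+=' and '-=' operators in the documented order (generic, host and user entries in file order, then runas entries, then command entries) and reports the effective values for one request. Alias names in scopes, quoting inside values and the full parameter table are left out; the sudoers fragment is constructed for the example.

```python
import re
from dataclasses import dataclass

LIST_PARAMS = {"env_keep", "env_check", "env_delete"}   # list-valued parameters
SCOPE_RE = re.compile(r"^Defaults(?:([@:!>])(\S+))?\s+(.+)$")
PARAM_RE = re.compile(r"^(!?)(\w+)\s*(\+=|-=|=)?\s*(.*)$")

@dataclass
class DefaultsEntry:
    kind: str      # '' generic, '@' host, ':' user, '!' command, '>' runas
    scope: list    # names after the type character, empty for generic
    params: list   # (negated, name, operator, value) tuples

def split_params(text):
    """Split a Parameter_List on commas that are not inside double quotes."""
    items, cur, quoted = [], [], False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    items.append("".join(cur).strip())
    return [i for i in items if i]

def parse_defaults(text):
    """Parse the Defaults lines of a sudoers fragment; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # '#' starts a comment
        m = SCOPE_RE.match(line)
        if not m:
            continue
        kind, scope, plist = m.group(1) or "", m.group(2), m.group(3)
        params = []
        for item in split_params(plist):
            pm = PARAM_RE.match(item)
            if not pm:
                raise ValueError("bad parameter: %r" % item)
            neg, name, op, value = pm.groups()
            params.append((neg == "!", name, op or "", value.strip().strip('"')))
        entries.append(DefaultsEntry(kind, scope.split(",") if scope else [], params))
    return entries

def in_scope(entry, user, host, runas, cmnd):
    """Does the entry's Host/User/Runas/Cmnd list cover this request?"""
    target = {"": None, "@": host, ":": user, ">": runas, "!": cmnd}[entry.kind]
    if target is None:
        return True
    for name in entry.scope:
        negated = name.startswith("!")
        if name.lstrip("!") in ("ALL", target):
            return not negated
    return False

def effective_defaults(entries, user, host, runas="root", cmnd=""):
    """Apply entries in the documented order: generic, host and user Defaults
    first (file order), then runas Defaults, then command Defaults.
    Returns {parameter: value}; flags become True or False."""
    values = {}
    for kinds in (("", "@", ":"), (">",), ("!",)):
        for e in entries:
            if e.kind not in kinds or not in_scope(e, user, host, runas, cmnd):
                continue
            for negated, name, op, value in e.params:
                if name in LIST_PARAMS:
                    items, current = value.split(), list(values.get(name, []))
                    if op == "+=":
                        current += [i for i in items if i not in current]
                    elif op == "-=":   # removing an absent element is not an error
                        current = [i for i in current if i not in items]
                    else:
                        current = [] if negated else items
                    values[name] = current
                elif op == "":
                    values[name] = not negated       # a flag, or '!' on a value
                else:
                    values[name] = value             # integer or string value
    return values

# Constructed sudoers fragment for the example.
SAMPLE = """\
Defaults            env_reset, mail_badpass, requiretty, passwd_tries=3
Defaults            env_keep = "LANG LC_ALL EDITOR"
Defaults            env_keep += "VISUAL"
Defaults:ray        !requiretty
Defaults@boulder    env_keep -= "EDITOR TERM"   # TERM is absent; not an error
Defaults>operator   !mail_badpass
Defaults!/usr/bin/vi noexec
"""
```

For user ray on boulder running /usr/bin/vi as root the result has requiretty off, noexec on and env_keep reduced to LANG, LC_ALL and VISUAL; for a different user, host and runas user the same fragment yields the generic values plus the runas entry.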
  User Specification
        User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
                      (':' Host_List '=' Cmnd_Spec_List)*

        Cmnd_Spec_List ::= Cmnd_Spec |
                           Cmnd_Spec ',' Cmnd_Spec_List

        Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd

        Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'

        Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
                      'SETENV:' | 'NOSETENV:' )

    A user specification determines which commands a user may run (and as
    what user) on specified hosts.  By default, commands are run as root,
    but this can be changed on a per-command basis.

    The basic structure of a user specification is `who where = (as_whom)
    what'.  Let's break that down into its constituent parts:

  Runas_Spec
    A Runas_Spec determines the user and/or the group that a command may be
    run as.  A fully-specified Runas_Spec consists of two Runas_Lists (as
    defined above) separated by a colon (':') and enclosed in a set of
    parentheses.  The first Runas_List indicates which users the command
    may be run as via sudo's -u option.  The second defines a list of
    groups that can be specified via sudo's -g option.  If both Runas_Lists
    are specified, the command may be run with any combination of users and
    groups listed in their respective Runas_Lists.  If only the first is
    specified, the command may be run as any user in the list but no -g
    option may be specified.  If the first Runas_List is empty but the
    second is specified, the command may be run as the invoking user with
    the group set to any listed in the Runas_List.  If no Runas_Spec is
    specified the command may be run as root and no group may be specified.

    A Runas_Spec sets the default for the commands that follow it.  What
    this means is that for the entry:

        dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm

    The user dgb may run /bin/ls, /bin/kill, and /usr/bin/lprm -- but only
    as operator.  E.g.,

        $ sudo -u operator /bin/ls

    It is also possible to override a Runas_Spec later on in an entry.  If
    we modify the entry like so:

        dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm

    Then user dgb is now allowed to run /bin/ls as operator, but /bin/kill
    and /usr/bin/lprm as root.
    We can extend this to allow dgb to run /bin/ls with either the user or
    group set to operator:

        dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \

    In the following example, user tcm may run commands that access a modem
    device file with the dialer group.  Note that in this example only the
    group will be set, the command still runs as user tcm.

        tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
            /usr/local/bin/minicom

  Tag_Spec
    A command may have zero or more tags associated with it.  There are
    six possible tag values: NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV and
    NOSETENV.  Once a tag is set on a Cmnd, subsequent Cmnds in the
    Cmnd_Spec_List inherit the tag unless it is overridden by the opposite
    tag (i.e.: PASSWD overrides NOPASSWD and NOEXEC overrides EXEC).

    NOPASSWD and PASSWD

    By default, sudo requires that a user authenticate him or herself
    before running a command.  This behavior can be modified via the
    NOPASSWD tag.  Like a Runas_Spec, the NOPASSWD tag sets a default for
    the commands that follow it in the Cmnd_Spec_List.  Conversely, the
    PASSWD tag can be used to reverse things.  For example:

        ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm

    would allow the user ray to run /bin/kill, /bin/ls, and /usr/bin/lprm
    as root on the machine rushmore without authenticating himself.  If we
    only want ray to be able to run /bin/kill without a password the entry

        ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm

    Note, however, that the PASSWD tag has no effect on users who are in
    the group specified by the exempt_group option.

    By default, if the NOPASSWD tag is applied to any of the entries for a
    user on the current host, he or she will be able to run sudo -l without
    a password.  Additionally, a user may only run sudo -v without a
    password if the NOPASSWD tag is present for all of the user's entries
    that pertain to the current host.  This behavior may be overridden via
    the verifypw and listpw options.

    NOEXEC and EXEC

    If sudo has been compiled with noexec support and the underlying
    operating system supports it, the NOEXEC tag can be used to prevent a
    dynamically-linked executable from running further commands itself.

    In the following example, user aaron may run /usr/bin/more and
    /usr/bin/vi but shell escapes will be disabled.

        aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

    See the "PREVENTING SHELL ESCAPES" section below for more details on
    how NOEXEC works and whether or not it will work on your system.
    SETENV and NOSETENV

    These tags override the value of the setenv option on a per-command
    basis.  Note that if SETENV has been set for a command, any environment
    variables set on the command line are not subject to the restrictions
    imposed by env_check, env_delete, or env_keep.  As such, only trusted
    users should be allowed to set variables in this manner.  If the
    command matched is ALL, the SETENV tag is implied for that command;
    this default may be overridden by use of the NOSETENV tag.
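The Runas_Spec and Tag_Spec rules above, as an added Python example (illustrative code written for this page, not sudo's own matching code): a Runas_Spec and any tags carry forward to the later commands in a Cmnd_Spec_List, an empty first Runas_List means the invoking user, '!' in front of a command denies it, SETENV is implied for ALL, and across all entries the last match wins. Commands and arguments are matched as exact strings here; aliases, netgroups and wildcards are left out. The sudoers fragment is constructed from the entries discussed above.

```python
import os
import re
from dataclasses import dataclass
from typing import Optional

TAGS = {"NOPASSWD:": ("passwd", False), "PASSWD:": ("passwd", True),
        "NOEXEC:": ("exec", False), "EXEC:": ("exec", True),
        "SETENV:": ("setenv", True), "NOSETENV:": ("setenv", False)}
SPEC_RE = re.compile(r"^(.+?)\s+(\S+)\s*=\s*(.+)$")           # User_List Host_List = ...
RUNAS_RE = re.compile(r"^\(([^:)]*)(?::([^)]*))?\)\s*(.*)$")  # (users[:groups]) rest
NOT_A_SPEC = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")

@dataclass
class CmndSpec:
    runas_users: list      # [] = the invoking user (empty first Runas_List)
    runas_groups: list     # [] = no -g option may be given
    tags: dict             # explicitly set tags only; see effective_tags()
    negated: bool          # '!' in front of the command: an explicit deny
    cmnd: str              # full pathname, a directory ending in '/', or ALL
    args: Optional[str]    # None = any arguments, "" = none allowed, else exact

def split_top(text):
    """Split a Cmnd_Spec_List on commas outside a (Runas_Spec)."""
    items, cur, depth = [], [], 0
    for ch in text:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            items.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    items.append("".join(cur).strip())
    return [i for i in items if i]

def parse_cmnd_spec_list(text):
    """A Runas_Spec and any tags set a default that later commands inherit."""
    specs, users, groups, tags = [], ["root"], [], {}
    for item in split_top(text):
        m = RUNAS_RE.match(item)
        if m:
            u, g, item = m.groups()
            users = [x.strip() for x in u.split(",") if x.strip()]
            groups = [x.strip() for x in g.split(",") if x.strip()] if g else []
        words = item.split()
        while words and words[0] in TAGS:
            key, val = TAGS[words.pop(0)]
            tags[key] = val
        args = " ".join(words[1:]) if len(words) > 1 else None
        specs.append(CmndSpec(list(users), list(groups), dict(tags), words[0].startswith("!"),
                              words[0].lstrip("!"), "" if args == '""' else args))
    return specs

def parse_sudoers(text):
    """Return [(User_List, Host_List, [CmndSpec, ...]), ...] in file order."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = SPEC_RE.match(line)
        if m and not line.startswith(NOT_A_SPEC):
            users, hosts, rest = m.groups()
            entries.append(([u.strip() for u in users.split(",")],
                            [h.strip() for h in hosts.split(",")], parse_cmnd_spec_list(rest)))
    return entries

def in_list(names, value):
    return "ALL" in names or value in names

def cmnd_matches(cs, cmnd, args):
    if cs.cmnd == "ALL":
        return True
    if cs.cmnd.endswith("/"):           # directory: its files, not subdirectories
        return os.path.dirname(cmnd) + "/" == cs.cmnd
    return cs.cmnd == cmnd and (cs.args is None or cs.args == args)

def runas_matches(cs, user, runas_user, runas_group):
    if not in_list(cs.runas_users or [user], runas_user):
        return False
    return runas_group is None or in_list(cs.runas_groups, runas_group)

def lookup(entries, user, host, cmnd, args="", runas_user=None, runas_group=None):
    """Return (allowed, CmndSpec) from the LAST matching entry, or None."""
    if runas_user is None:              # -g alone keeps the invoking user
        runas_user = user if runas_group else "root"
    result = None
    for users, hosts, cmnds in entries:
        if not (in_list(users, user) and in_list(hosts, host)):
            continue
        for cs in cmnds:
            if cmnd_matches(cs, cmnd, args) and runas_matches(cs, user, runas_user, runas_group):
                result = (not cs.negated, cs)
    return result

def effective_tags(cs):
    """Defaults: password required, exec allowed, SETENV implied only for ALL."""
    return {"passwd": cs.tags.get("passwd", True), "exec": cs.tags.get("exec", True),
            "setenv": cs.tags.get("setenv", cs.cmnd == "ALL")}

# Constructed sudoers fragment built from the entries discussed above.
SAMPLE = """\
dgb   boulder  = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
tcm   boulder  = (:dialer) /usr/bin/tip, /usr/bin/cu
ray   rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
aaron shanty   = NOEXEC: /usr/bin/more, /usr/bin/vi
ops   ALL      = ALL, !/bin/sh
"""
```

lookup() reports the verdict of the last matching Cmnd_Spec, which is why the `ops` entry illustrates the "all but a few" caveat from the text: /bin/sh is denied, but a shell at any other path still matches ALL, and because that ALL match carries an implied SETENV the caller may also set environment variables for it.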
  Wildcards
    sudo allows shell-style wildcards (aka meta or glob characters) to be
    used in hostnames, pathnames and command line arguments in the sudoers
    file.  Wildcard matching is done via the POSIX glob(3) and fnmatch(3)
    routines.  Note that these are not regular expressions.

    *       Matches any set of zero or more characters.

    ?       Matches any single character.

    [...]   Matches any character in the specified range.

    [!...]  Matches any character not in the specified range.

    \x      For any character "x", evaluates to "x".  This is used to
            escape special characters such as: "*", "?", "[", and "]".

    POSIX character classes may also be used if your system's glob(3) and
    fnmatch(3) functions support them.  However, because the ':' character
    has special meaning in sudoers, it must be escaped.  For example:

        /bin/ls [[\:alpha\:]]*

    Would match any filename beginning with a letter.

    Note that a forward slash ('/') will not be matched by wildcards used
    in the pathname.  When matching the command line arguments, however, a
    slash does get matched by wildcards.  This is to make a path like:

    match /usr/bin/who but not /usr/bin/X11/xterm.

  Exceptions to wildcard rules
    The following exceptions apply to the above rules:

    ""      If the empty string "" is the only command line argument in the
            sudoers entry it means that command is not allowed to be run
            with any arguments.
  Including other files from within sudoers
    It is possible to include other sudoers files from within the sudoers
    file currently being parsed using the #include and #includedir

    This can be used, for example, to keep a site-wide sudoers file in
    addition to a local, per-machine file.  For the sake of this example
    the site-wide sudoers will be /etc/sudoers and the per-machine one will
    be /etc/sudoers.local.  To include /etc/sudoers.local from within
    /etc/sudoers we would use the following line in /etc/sudoers:

        #include /etc/sudoers.local

    When sudo reaches this line it will suspend processing of the current
    file (/etc/sudoers) and switch to /etc/sudoers.local.  Upon reaching
    the end of /etc/sudoers.local, the rest of /etc/sudoers will be
    processed.  Files that are included may themselves include other files.
    A hard limit of 128 nested include files is enforced to prevent include

    The filename may include the %h escape, signifying the short form of
    the hostname.  I.e., if the machine's hostname is "xerxes", then

        #include /etc/sudoers.%h

    will cause sudo to include the file /etc/sudoers.xerxes.

    The #includedir directive can be used to create a sudoers.d directory
    that the system package manager can drop sudoers rules into as part of
    package installation.  For example, given:

        #includedir /etc/sudoers.d

    sudo will read each file in /etc/sudoers.d, skipping file names that
    end in ~ or contain a . character to avoid causing problems with
    package manager or editor temporary/backup files.  Files are parsed in
    sorted lexical order.  That is, /etc/sudoers.d/01_first will be parsed
    before /etc/sudoers.d/10_second.  Be aware that because the sorting is
    lexical, not numeric, /etc/sudoers.d/1_whoops would be loaded after
    /etc/sudoers.d/10_second.  Using a consistent number of leading zeroes
    in the file names can be used to avoid such problems.

    Note that unlike files included via #include, visudo will not edit the
    files in a #includedir directory unless one of them contains a syntax
    error.  It is still possible to run visudo with the -f flag to edit the
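The #includedir selection and ordering rule above, as an added Python example (written for this page, not sudo's code): it filters a directory listing the way the text describes and flags the lexical-versus-numeric ordering trap, which matters because the entries of a file read later win whenever they overlap an earlier file's (last match wins). The directory listing is constructed.

```python
def includedir_order(names):
    """Names sudo would read from a #includedir directory, in the order read:
    skip names ending in '~' or containing '.', then sort lexically."""
    kept = [n for n in names if not n.endswith("~") and "." not in n]
    return sorted(kept)   # byte order: '0' sorts before '_', so '10_second' < '1_whoops'

def leading_number(name):
    """The run of digits a file name starts with, or None if it has none."""
    digits = name[:len(name) - len(name.lstrip("0123456789"))]
    return int(digits) if digits else None

def ordering_surprises(names):
    """Pairs (later, earlier): a file whose leading number is SMALLER is read
    after one with a larger number, so its rules override the other's."""
    ordered = includedir_order(names)
    out = []
    for i, a in enumerate(ordered):
        na = leading_number(a)
        for b in ordered[:i]:
            nb = leading_number(b)
            if na is not None and nb is not None and na < nb:
                out.append((a, b))
    return out

# Constructed directory listing for the example (package and editor leftovers included).
SAMPLE_DIR = ["README", "01_first", "10_second", "1_whoops",
              "20-ops.conf", "10_second~", ".10_second.swp", "99_local"]
```

With the constructed listing, 20-ops.conf is silently ignored because of its '.', and 1_whoops is read after 10_second; renaming it 01_whoops removes the surprise.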
  Other special characters and reserved words
    The pound sign ('#') is used to indicate a comment (unless it is part
    of a #include directive or unless it occurs in the context of a user
    name and is followed by one or more digits, in which case it is treated
    as a uid).  Both the comment character and any text after it, up to the
    end of the line, are ignored.

    The reserved word ALL is a built-in alias that always causes a match to
    succeed.  It can be used wherever one might otherwise use a Cmnd_Alias,
    User_Alias, Runas_Alias, or Host_Alias.  You should not try to define
    your own alias called ALL as the built-in alias will be used in
    preference to your own.  Please note that using ALL can be dangerous
    since in a command context, it allows the user to run any command on

    An exclamation point ('!') can be used as a logical not operator both
    in an alias and in front of a Cmnd.  This allows one to exclude certain
    values.  Note, however, that using a ! in conjunction with the built-in
    ALL alias to allow a user to run "all but a few" commands rarely works
    as intended (see SECURITY NOTES below).

    Long lines can be continued with a backslash ('\') as the last
    character on the line.

    Whitespace between elements in a list as well as special syntactic
    characters in a User Specification ('=', ':', '(', ')') is optional.

    The following characters must be escaped with a backslash ('\') when
    used as part of a word (e.g. a username or hostname): '@', '!', '=',
    ':', ',', '(', ')', '\'.
SUDOERS OPTIONS
    sudo's behavior can be modified by Default_Entry lines, as explained
    earlier.  A list of all supported Defaults parameters, grouped by type,

    Flags:

    always_set_home If set, sudo will set the HOME environment variable to
                    the home directory of the target user (which is root
                    unless the -u option is used).  This effectively means
                    that the -H option is always implied.  This flag is off

    authenticate    If set, users must authenticate themselves via a
                    password (or other means of authentication) before they
                    may run commands.  This default may be overridden via
                    the PASSWD and NOPASSWD tags.  This flag is on by

                    If set, the user may use sudo's -C option which
                    overrides the default starting point at which sudo
                    begins closing open file descriptors.  This flag is off

    env_editor      If set, visudo will use the value of the EDITOR or
                    VISUAL environment variables before falling back on the
                    default editor list.  Note that this may create a
                    security hole as it allows the user to run any
                    arbitrary command as root without logging.  A safer
                    alternative is to place a colon-separated list of
                    editors in the editor variable.  visudo will then only
                    use the EDITOR or VISUAL if they match a value
                    specified in editor.  This flag is off by default.
    env_reset       If set, sudo will reset the environment to only contain
                    the LOGNAME, SHELL, USER, USERNAME and the SUDO_*
                    variables.  Any variables in the caller's environment
                    that match the env_keep and env_check lists are then
                    added.  The default contents of the env_keep and
                    env_check lists are displayed when sudo is run by root
                    with the -V option.  If the secure_path option is set,
                    its value will be used for the PATH environment
                    variable.  This flag is on by default.

    fqdn            Set this flag if you want to put fully qualified
                    hostnames in the sudoers file.  I.e., instead of myhost
                    you would use myhost.mydomain.edu.  You may still use
                    the short form if you wish (and even mix the two).
                    Beware that turning on fqdn requires sudo to make DNS
                    lookups which may make sudo unusable if DNS stops
                    working (for example if the machine is not plugged into
                    the network).  Also note that you must use the host's
                    official name as DNS knows it.  That is, you may not
                    use a host alias (CNAME entry) due to performance
                    issues and the fact that there is no way to get all
                    aliases from DNS.  If your machine's hostname (as
                    returned by the hostname command) is already fully
                    qualified you shouldn't need to set fqdn.  This flag is
                    off by default.

    ignore_dot      If set, sudo will ignore '.' or '' (current dir) in the
                    PATH environment variable; the PATH itself is not
                    modified.  This flag is off by default.

                    If set via LDAP, parsing of /etc/sudoers will be
                    skipped.  This is intended for Enterprises that wish to
                    prevent the usage of local sudoers files so that only
                    LDAP is used.  This thwarts the efforts of rogue
                    operators who would attempt to add roles to
                    /etc/sudoers.  When this option is present,
                    /etc/sudoers does not even need to exist.  Since this
                    option tells sudo how to behave when no specific LDAP
                    entries have been matched, this sudoOption is only
                    meaningful for the cn=defaults section.  This flag is
                    off by default.

    insults         If set, sudo will insult users when they enter an
                    incorrect password.  This flag is off by default.
    log_host        If set, the hostname will be logged in the (non-syslog)
                    sudo log file.  This flag is off by default.

    log_year        If set, the four-digit year will be logged in the (non-
                    syslog) sudo log file.  This flag is off by default.

    long_otp_prompt When validating with a One Time Password (OTP) scheme
                    such as S/Key or OPIE, a two-line prompt is used to
                    make it easier to cut and paste the challenge to a
                    local window.  It's not as pretty as the default but
                    some people find it more convenient.  This flag is off

    mail_always     Send mail to the mailto user every time a user runs
                    sudo.  This flag is off by default.

    mail_badpass    Send mail to the mailto user if the user running sudo
                    does not enter the correct password.  This flag is off

    mail_no_host    If set, mail will be sent to the mailto user if the
                    invoking user exists in the sudoers file, but is not
                    allowed to run commands on the current host.  This flag
                    is off by default.

    mail_no_perms   If set, mail will be sent to the mailto user if the
                    invoking user is allowed to use sudo but the command
                    they are trying is not listed in their sudoers file
                    entry or is explicitly denied.  This flag is off by

    mail_no_user    If set, mail will be sent to the mailto user if the
                    invoking user is not in the sudoers file.  This flag is

    noexec          If set, all commands run via sudo will behave as if the
                    NOEXEC tag has been set, unless overridden by an EXEC
                    tag.  See the description of NOEXEC and EXEC above as
                    well as the "PREVENTING SHELL ESCAPES" section at the
                    end of this manual.  This flag is off by default.

    path_info       Normally, sudo will tell the user when a command could
                    not be found in their PATH environment variable.  Some
                    sites may wish to disable this as it could be used to
                    gather information on the location of executables that
                    the normal user does not have access to.  The
                    disadvantage is that if the executable is simply not in
                    the user's PATH, sudo will tell the user that they are
                    not allowed to run it, which can be confusing.  This
                    flag is on by default.

                    The password prompt specified by passprompt will
                    normally only be used if the password prompt provided by
                    systems such as PAM matches the string "Password:".  If
                    passprompt_override is set, passprompt will always be
                    used.  This flag is off by default.
    preserve_groups By default, sudo will initialize the group vector to
                    the list of groups the target user is in.  When
                    preserve_groups is set, the user's existing group
                    vector is left unaltered.  The real and effective group
                    IDs, however, are still set to match the target user.
                    This flag is off by default.

    pwfeedback      By default, sudo reads the password like most other
                    Unix programs, by turning off echo until the user hits
                    the return (or enter) key.  Some users become confused
                    by this as it appears to them that sudo has hung at
                    this point.  When pwfeedback is set, sudo will provide
                    visual feedback when the user presses a key.  Note that
                    this does have a security impact as an onlooker may be
                    able to determine the length of the password being
                    entered.  This flag is off by default.

    requiretty      If set, sudo will only run when the user is logged in
                    to a real tty.  When this flag is set, sudo can only be
                    run from a login session and not via other means such
                    as cron(1m) or cgi-bin scripts.  This flag is off by

    root_sudo       If set, root is allowed to run sudo too.  Disabling
                    this prevents users from "chaining" sudo commands to
                    get a root shell by doing something like "sudo sudo
                    /bin/sh".  Note, however, that turning off root_sudo
                    will also prevent root from running sudoedit.
                    Disabling root_sudo provides no real additional
                    security; it exists purely for historical reasons.
                    This flag is on by default.

    rootpw          If set, sudo will prompt for the root password instead
                    of the password of the invoking user.  This flag is off

    runaspw         If set, sudo will prompt for the password of the user
                    defined by the runas_default option (defaults to root)
                    instead of the password of the invoking user.  This
                    flag is off by default.

    set_home        If set and sudo is invoked with the -s option the HOME
                    environment variable will be set to the home directory
                    of the target user (which is root unless the -u option
                    is used).  This effectively makes the -s option imply
                    -H.  This flag is off by default.

    set_logname     Normally, sudo will set the LOGNAME, USER and USERNAME
                    environment variables to the name of the target user
786 (usually root unless the -
\b-u
\bu option is given). However,
790 1.7.2p6 April 7, 2010 12
796 SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
799 since some programs (including the RCS revision control
800 system) use LOGNAME to determine the real identity of
801 the user, it may be desirable to change this behavior.
802 This can be done by negating the set_logname option.
803 Note that if the _
\be_
\bn_
\bv_
\b__
\br_
\be_
\bs_
\be_
\bt option has not been
804 disabled, entries in the _
\be_
\bn_
\bv_
\b__
\bk_
\be_
\be_
\bp list will override
805 the value of _
\bs_
\be_
\bt_
\b__
\bl_
\bo_
\bg_
\bn_
\ba_
\bm_
\be. This flag is _
\bo_
\bf_
\bf by default.
807 setenv Allow the user to disable the _
\be_
\bn_
\bv_
\b__
\br_
\be_
\bs_
\be_
\bt option from the
808 command line. Additionally, environment variables set
809 via the command line are not subject to the
810 restrictions imposed by _
\be_
\bn_
\bv_
\b__
\bc_
\bh_
\be_
\bc_
\bk, _
\be_
\bn_
\bv_
\b__
\bd_
\be_
\bl_
\be_
\bt_
\be, or
811 _
\be_
\bn_
\bv_
\b__
\bk_
\be_
\be_
\bp. As such, only trusted users should be
812 allowed to set variables in this manner. This flag is
813 _
\bo_
\bf_
\bf by default.
815 shell_noargs If set and s
\bsu
\bud
\bdo
\bo is invoked with no arguments it acts as
816 if the -
\b-s
\bs option had been given. That is, it runs a
817 shell as root (the shell is determined by the SHELL
818 environment variable if it is set, falling back on the
819 shell listed in the invoking user's /etc/passwd entry
820 if not). This flag is _
\bo_
\bf_
\bf by default.
822 fast_glob Normally, s
\bsu
\bud
\bdo
\bo uses the _
\bg_
\bl_
\bo_
\bb(3) function to do shell-
823 style globbing when matching pathnames. However, since
824 it accesses the file system, _
\bg_
\bl_
\bo_
\bb(3) can take a long
825 time to complete for some patterns, especially when the
826 pattern references a network file system that is
827 mounted on demand (automounted). The _
\bf_
\ba_
\bs_
\bt_
\b__
\bg_
\bl_
\bo_
\bb option
828 causes s
\bsu
\bud
\bdo
\bo to use the _
\bf_
\bn_
\bm_
\ba_
\bt_
\bc_
\bh(3) function, which does
829 not access the file system to do its matching. The
830 disadvantage of _
\bf_
\ba_
\bs_
\bt_
\b__
\bg_
\bl_
\bo_
\bb is that it is unable to match
831 relative pathnames such as _
\b._
\b/_
\bl_
\bs or _
\b._
\b._
\b/_
\bb_
\bi_
\bn_
\b/_
\bl_
\bs. This has
832 security implications when path names that include
833 globbing characters are used with the negation
834 operator, '!', as such rules can be trivially bypassed.
835 As such, this option should not be used when _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs
836 contains rules that contain negated path names which
837 include globbing characters. This flag is _
\bo_
\bf_
\bf by
840 stay_setuid Normally, when s
\bsu
\bud
\bdo
\bo executes a command the real and
841 effective UIDs are set to the target user (root by
842 default). This option changes that behavior such that
843 the real UID is left as the invoking user's UID. In
844 other words, this makes s
\bsu
\bud
\bdo
\bo act as a setuid wrapper.
845 This can be useful on systems that disable some
846 potentially dangerous functionality when a program is
847 run setuid. This option is only effective on systems
848 with either the _
\bs_
\be_
\bt_
\br_
\be_
\bu_
\bi_
\bd_
\b(_
\b) or _
\bs_
\be_
\bt_
\br_
\be_
\bs_
\bu_
\bi_
\bd_
\b(_
\b) function.
849 This flag is _
\bo_
\bf_
\bf by default.
851 targetpw If set, s
\bsu
\bud
\bdo
\bo will prompt for the password of the user
852 specified by the -
\b-u
\bu option (defaults to root) instead
856 1.7.2p6 April 7, 2010 13
862 SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
865 of the password of the invoking user. Note that this
866 precludes the use of a uid not listed in the passwd
867 database as an argument to the -
\b-u
\bu option. This flag is
868 _
\bo_
\bf_
\bf by default.
870 tty_tickets If set, users must authenticate on a per-tty basis.
871 Normally, s
\bsu
\bud
\bdo
\bo uses a directory in the ticket dir with
872 the same name as the user running it. With this flag
873 enabled, s
\bsu
\bud
\bdo
\bo will use a file named for the tty the
874 user is logged in on in that directory. This flag is
875 _
\bo_
\bf_
\bf by default.
877 umask_override If set, s
\bsu
\bud
\bdo
\bo will set the umask as specified by _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs
878 without modification. This makes it possible to
879 specify a more permissive umask in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs than the
880 user's own umask and matches historical behavior. If
881 _
\bu_
\bm_
\ba_
\bs_
\bk_
\b__
\bo_
\bv_
\be_
\br_
\br_
\bi_
\bd_
\be is not set, s
\bsu
\bud
\bdo
\bo will set the umask to
882 be the union of the user's umask and what is specified
883 in _
\bs_
\bu_
\bd_
\bo_
\be_
\br_
\bs. This flag is _
\bo_
\bf_
\bf by default.
885 use_loginclass If set, s
\bsu
\bud
\bdo
\bo will apply the defaults specified for the
886 target user's login class if one exists. Only
887 available if s
\bsu
\bud
\bdo
\bo is configured with the
888 --with-logincap option. This flag is _
\bo_
\bf_
\bf by default.
890 visiblepw By default, s
\bsu
\bud
\bdo
\bo will refuse to run if the user must
891 enter a password but it is not possible to disable echo
892 on the terminal. If the _
\bv_
\bi_
\bs_
\bi_
\bb_
\bl_
\be_
\bp_
\bw flag is set, s
\bsu
\bud
\bdo
\bo
893 will prompt for a password even when it would be
894 visible on the screen. This makes it possible to run
895 things like "rsh somehost sudo ls" since _
\br_
\bs_
\bh(1) does
896 not allocate a tty. This flag is _
\bo_
\bf_
\bf by default.
    Integers:

    closefrom       Before it executes a command, sudo will close all open
                    file descriptors other than standard input, standard
                    output and standard error (ie: file descriptors 0-2).
                    The closefrom option can be used to specify a different
                    file descriptor at which to start closing.  The default

    passwd_tries    The number of tries a user gets to enter his/her
                    password before sudo logs the failure and exits.  The

    Integers that can be used in a boolean context:

    loglinelen      Number of characters per line for the file log.  This
                    value is used to decide when to wrap lines for nicer
                    log files.  This has no effect on the syslog log file,
                    only the file log.  The default is 80 (use 0 or negate
                    the option to disable word wrap).

    passwd_timeout  Number of minutes before the sudo password prompt times
                    out.  The default is 5; set this to 0 for no password
                    timeout.

    timestamp_timeout
                    Number of minutes that can elapse before sudo will ask
                    for a password again.  The default is 5.  Set this to 0
                    to always prompt for a password.  If set to a value
                    less than 0 the user's timestamp will never expire.
                    This can be used to allow users to create or delete
                    their own timestamps via sudo -v and sudo -k
                    respectively.

    umask           Umask to use when running the command.  Negate this
                    option or set it to 0777 to preserve the user's umask.
                    The actual umask that is used will be the union of the
                    user's umask and 0022.  This guarantees that sudo never
                    lowers the umask when running a command.  Note on
                    systems that use PAM, the default PAM configuration may
                    specify its own umask which will override the value set
                    in sudoers.

    Strings:

    badpass_message Message that is displayed if a user enters an incorrect
                    password.  The default is Sorry, try again. unless

    editor          A colon (':') separated list of editors allowed to be
                    used with visudo.  visudo will choose the editor that
                    matches the user's EDITOR environment variable if
                    possible, or the first editor in the list that exists
                    and is executable.  The default is the path to vi on

    mailsub         Subject of the mail sent to the mailto user.  The escape
                    %h will expand to the hostname of the machine.  Default
                    is *** SECURITY information for %h ***.

    noexec_file     Path to a shared library containing dummy versions of
                    the execv(), execve() and fexecve() library functions
                    that just return an error.  This is used to implement
                    the noexec functionality on systems that support
                    LD_PRELOAD or its equivalent.  Defaults to
                    /usr/local/libexec/sudo_noexec.so.

    passprompt      The default prompt to use when asking for a password;
                    can be overridden via the -p option or the SUDO_PROMPT
                    environment variable.  The following percent (`%')
                    escapes are supported:

                    %H  expanded to the local hostname including the domain
                        name (only if the machine's hostname is fully
                        qualified or the fqdn option is set)

                    %h  expanded to the local hostname without the domain
                        name

                    %p  expanded to the user whose password is being asked
                        for (respects the rootpw, targetpw and runaspw
                        flags in sudoers)

                    %U  expanded to the login name of the user the command
                        will be run as (defaults to root)

                    %u  expanded to the invoking user's login name

                    %%  two consecutive % characters are collapsed into a
                        single % character

                    The default value is Password:.

    runas_default   The default user to run commands as if the -u option is
                    not specified on the command line.  This defaults to
                    root.  Note that if runas_default is set it must occur
                    before any Runas_Alias specifications.

    syslog_badpri   Syslog priority to use when user authenticates
                    unsuccessfully.  Defaults to alert.

    syslog_goodpri  Syslog priority to use when user authenticates
                    successfully.  Defaults to notice.

    sudoers_locale  Locale to use when parsing the sudoers file.  Note that
                    changing the locale may affect how sudoers is
                    interpreted.  Defaults to "C".

    timestampdir    The directory in which sudo stores its timestamp files.
                    The default is /var/run/sudo.

    timestampowner  The owner of the timestamp directory and the timestamps
                    stored therein.  The default is root.

    Strings that can be used in a boolean context:

    askpass         The askpass option specifies the fully qualified path to
                    a helper program used to read the user's password when
                    no terminal is available.  This may be the case when
                    sudo is executed from a graphical (as opposed to
                    text-based) application.  The program specified by
                    askpass should display the argument passed to it as the
                    prompt and write the user's password to the standard
                    output.  The value of askpass may be overridden by the
                    SUDO_ASKPASS environment variable.

    env_file        The env_file option specifies the fully qualified path
                    to a file containing variables to be set in the
                    environment of the program being run.  Entries in this
                    file should either be of the form VARIABLE=value or
                    export VARIABLE=value.  The value may optionally be
                    surrounded by single or double quotes.  Variables in
                    this file are subject to other sudo environment
                    settings such as env_keep and env_check.

    exempt_group    Users in this group are exempt from password and PATH
                    requirements.  This is not set by default.

    lecture         This option controls when a short lecture will be
                    printed along with the password prompt.  It has the
                    following possible values:

                    always  Always lecture the user.

                    never   Never lecture the user.

                    once    Only lecture the user the first time they run
                            sudo.

                    If no value is specified, a value of once is implied.
                    Negating the option results in a value of never being
                    used.  The default value is once.

    lecture_file    Path to a file containing an alternate sudo lecture
                    that will be used in place of the standard lecture if
                    the named file exists.  By default, sudo uses a
                    built-in lecture.

    listpw          This option controls when a password will be required
                    when a user runs sudo with the -l option.  It has the
                    following possible values:

                    all     All the user's sudoers entries for the current
                            host must have the NOPASSWD flag set to avoid
                            entering a password.

                    always  The user must always enter a password to use
                            the -l option.

                    any     At least one of the user's sudoers entries for
                            the current host must have the NOPASSWD flag
                            set to avoid entering a password.

                    never   The user need never enter a password to use the
                            -l option.

                    If no value is specified, a value of any is implied.
                    Negating the option results in a value of never being
                    used.  The default value is any.

    logfile         Path to the sudo log file (not the syslog log file).
                    Setting a path turns on logging to a file; negating
                    this option turns it off.  By default, sudo logs via
                    syslog.

    mailerflags     Flags to use when invoking mailer.  Defaults to -t.

    mailerpath      Path to mail program used to send warning mail.
                    Defaults to the path to sendmail found at configure
                    time.

    mailfrom        Address to use for the "from" address when sending
                    warning and error mail.  The address should be enclosed
                    in double quotes (") to protect against sudo
                    interpreting the @ sign.  Defaults to the name of the
                    user running sudo.

    mailto          Address to send warning and error mail to.  The address
                    should be enclosed in double quotes (") to protect
                    against sudo interpreting the @ sign.  Defaults to
                    root.

    secure_path     Path used for every command run from sudo.  If you
                    don't trust the people running sudo to have a sane PATH
                    environment variable you may want to use this.  Another
                    use is if you want to have the "root path" be separate
                    from the "user path."  Users in the group specified by
                    the exempt_group option are not affected by
                    secure_path.  This option is not set by default.

    syslog          Syslog facility if syslog is being used for logging
                    (negate to disable syslog logging).  Defaults to
                    local2.

    verifypw        This option controls when a password will be required
                    when a user runs sudo with the -v option.  It has the
                    following possible values:

                    all     All the user's sudoers entries for the current
                            host must have the NOPASSWD flag set to avoid
                            entering a password.

                    always  The user must always enter a password to use
                            the -v option.

                    any     At least one of the user's sudoers entries for
                            the current host must have the NOPASSWD flag
                            set to avoid entering a password.

                    never   The user need never enter a password to use the
                            -v option.

                    If no value is specified, a value of all is implied.
                    Negating the option results in a value of never being
                    used.  The default value is all.
    Lists that can be used in a boolean context:

    env_check       Environment variables to be removed from the user's
                    environment if the variable's value contains % or /
                    characters.  This can be used to guard against printf-
                    style format vulnerabilities in poorly-written
                    programs.  The argument may be a double-quoted, space-
                    separated list or a single value without double-quotes.
                    The list can be replaced, added to, deleted from, or
                    disabled by using the =, +=, -=, and ! operators
                    respectively.  Regardless of whether the env_reset
                    option is enabled or disabled, variables specified by
                    env_check will be preserved in the environment if they
                    pass the aforementioned check.  The default list of
                    environment variables to check is displayed when sudo
                    is run by root with the -V option.

    env_delete      Environment variables to be removed from the user's
                    environment when the env_reset option is not in effect.
                    The argument may be a double-quoted, space-separated
                    list or a single value without double-quotes.  The list
                    can be replaced, added to, deleted from, or disabled by
                    using the =, +=, -=, and ! operators respectively.  The
                    default list of environment variables to remove is
                    displayed when sudo is run by root with the -V option.
                    Note that many operating systems will remove
                    potentially dangerous variables from the environment of
                    any setuid process (such as sudo).

    env_keep        Environment variables to be preserved in the user's
                    environment when the env_reset option is in effect.
                    This allows fine-grained control over the environment
                    sudo-spawned processes will receive.  The argument may
                    be a double-quoted, space-separated list or a single
                    value without double-quotes.  The list can be replaced,
                    added to, deleted from, or disabled by using the =, +=,
                    -=, and ! operators respectively.  The default list of
                    variables to keep is displayed when sudo is run by root
                    with the -V option.
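    The way env_reset, env_keep, env_check and env_delete combine, as an
    added example that is not sudo's own code.  It models the rules stated
    in the three entries above (env_keep only matters under env_reset,
    env_delete only without it, and env_check variables survive either way
    when their values contain neither % nor /) together with the =, +=, -=
    and ! list operators.  The sample environment is constructed, and
    matching list entries by exact name is a simplification.

```python
"""Added example: a model of how sudo's env_reset, env_keep, env_check and
env_delete lists combine (not sudo's own code; names matched exactly)."""

import re

# Constructed sample environment: PS1 fails env_check because of '%',
# LD_PRELOAD is the kind of variable an env_delete list removes.
SAMPLE_ENV = {
    "PATH": "/usr/bin:/bin",
    "HOME": "/home/alice",
    "TERM": "xterm",
    "LANG": "en_US.UTF-8",
    "LD_PRELOAD": "/tmp/hook.so",
    "PS1": "%n@%h ",
}


def passes_check(value):
    """env_check test: the value may contain neither '%' nor '/'."""
    return "%" not in value and "/" not in value


def apply_list_directive(current, directive):
    """Apply one Defaults list directive, e.g. 'env_keep += "HOME EDITOR"',
    to the current list using the =, +=, -= and ! operators."""
    m = re.match(r'^\s*(!)?(\w+)\s*(?:(\+=|-=|=)\s*(.+?))?\s*$', directive)
    if not m:
        raise ValueError("cannot parse directive: %r" % directive)
    negated, _name, op, rhs = m.groups()
    if negated:
        return []                       # '!' disables the list entirely
    if op is None:
        raise ValueError("missing operator in: %r" % directive)
    values = rhs.strip('"').split()     # double-quoted list or single value
    if op == "=":
        return list(values)             # replace the list
    if op == "+=":
        return current + [v for v in values if v not in current]
    return [v for v in current if v not in values]   # "-=": delete from it


def build_env(env, env_reset=True, env_keep=(), env_check=(), env_delete=()):
    """Return the environment the command receives.

    env_check entries are kept regardless of env_reset, but only when the
    value passes the check.  With env_reset, everything else must be in
    env_keep; without it, everything else survives unless in env_delete.
    """
    out = {}
    for name, value in env.items():
        if name in env_check:
            if passes_check(value):
                out[name] = value
        elif env_reset:
            if name in env_keep:
                out[name] = value
        elif name not in env_delete:
            out[name] = value
    return out


if __name__ == "__main__":
    keep = apply_list_directive([], 'env_keep = "HOME"')
    keep = apply_list_directive(keep, 'env_keep += PATH')
    for reset in (True, False):
        result = build_env(SAMPLE_ENV, env_reset=reset, env_keep=keep,
                           env_check=["TERM", "LANG", "PS1"],
                           env_delete=["LD_PRELOAD"])
        print("env_reset=%s ->" % reset, sorted(result))
```

    Running it shows why env_reset is the safer mode: with it on, an
    unlisted variable such as LD_PRELOAD never reaches the command, whereas
    with it off the variable is dropped only if env_delete names it.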
    When logging via syslog(3), sudo accepts the following values for the
    syslog facility (the value of the syslog Parameter): authpriv (if your
    OS supports it), auth, daemon, user, local0, local1, local2, local3,
    local4, local5, local6, and local7.  The following syslog priorities
    are supported: alert, crit, debug, emerg, err, info, notice, and
    warning.

FILES
    /etc/sudoers            List of who can run what

    /etc/group              Local groups file

    /etc/netgroup           List of network groups

EXAMPLES
    Below are example sudoers entries.  Admittedly, some of these are a bit
    contrived.  First, we define our aliases:

        # User alias specification
        User_Alias     FULLTIMERS = millert, mikef, dowdy
        User_Alias     PARTTIMERS = bostley, jwfox, crawl
        User_Alias     WEBMASTERS = will, wendy, wim

        # Runas alias specification
        Runas_Alias    OP = root, operator
        Runas_Alias    DB = oracle, sybase
        Runas_Alias    ADMINGRP = adm, oper

        # Host alias specification
        Host_Alias     SPARC = bigtime, eclipse, moet, anchor :\
                       SGI = grolsch, dandelion, black :\
                       ALPHA = widget, thalamus, foobar :\
                       HPPA = boa, nag, python
        Host_Alias     CUNETS = 128.138.0.0/255.255.0.0
        Host_Alias     CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
        Host_Alias     SERVERS = master, mail, www, ns
        Host_Alias     CDROM = orion, perseus, hercules

        # Cmnd alias specification
        Cmnd_Alias     DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
                               /usr/sbin/restore, /usr/sbin/rrestore
        Cmnd_Alias     KILL = /usr/bin/kill
        Cmnd_Alias     PRINTING = /usr/sbin/lpc, /usr/bin/lprm
        Cmnd_Alias     SHUTDOWN = /usr/sbin/shutdown
        Cmnd_Alias     HALT = /usr/sbin/halt
        Cmnd_Alias     REBOOT = /usr/sbin/reboot
        Cmnd_Alias     SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
                                /usr/local/bin/tcsh, /usr/bin/rsh, \
        Cmnd_Alias     SU = /usr/bin/su
        Cmnd_Alias     PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less

    Here we override some of the compiled-in default values.  We want sudo
    to log via syslog(3) using the auth facility in all cases.  We don't
    want to subject the full time staff to the sudo lecture, user millert
    need not give a password, and we don't want to reset the LOGNAME, USER
    or USERNAME environment variables when running commands as root.
    Additionally, on the machines in the SERVERS Host_Alias, we keep an
    additional local log file and make sure we log the year in each log
    line since the log entries will be kept around for several years.
    Lastly, we disable shell escapes for the commands in the PAGERS
    Cmnd_Alias (/usr/bin/more, /usr/bin/pg and /usr/bin/less).

        # Override built-in defaults
        Defaults               syslog=auth
        Defaults>root          !set_logname
        Defaults:FULLTIMERS    !lecture
        Defaults:millert       !authenticate
        Defaults@SERVERS       log_year, logfile=/var/log/sudo.log
        Defaults!PAGERS        noexec

    The User specification is the part that actually determines who may run
    what.

        root           ALL = (ALL) ALL
        %wheel         ALL = (ALL) ALL

    We let root and any user in group wheel run any command on any host as
    any user.

        FULLTIMERS     ALL = NOPASSWD: ALL

    Full time sysadmins (millert, mikef, and dowdy) may run any command on
    any host without authenticating themselves.

        PARTTIMERS     ALL = ALL

    Part time sysadmins (bostley, jwfox, and crawl) may run any command on
    any host but they must authenticate themselves first (since the entry
    lacks the NOPASSWD tag).

    The user jack may run any command on the machines in the CSNETS alias
    (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0).  Of
    those networks, only 128.138.204.0 has an explicit netmask (in CIDR
    notation) indicating it is a class C network.  For the other networks
    in CSNETS, the local machine's netmask will be used during matching.

    The user lisa may run any command on any host in the CUNETS alias (the
    class B network 128.138.0.0).
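    How the CSNETS and CUNETS entries above match a host, as an added
    example written with Python's ipaddress module; it is not sudo's code.
    It assumes exactly the rules given for jack and lisa: an entry with an
    explicit netmask or CIDR prefix is used as written, and a bare address
    is combined with the local machine's netmask.  The alias_reach helper
    is an addition for auditing: it shows that a bare entry covers a
    different range on hosts configured with different masks, which is why
    explicit masks are the safer way to write such entries.

```python
"""Added example (not sudo's code): matching a host address against the
CSNETS and CUNETS Host_Alias entries using the netmask rules in this
section.  Entries without an explicit mask take the local machine's mask."""

import ipaddress

# Entries copied from the EXAMPLES aliases above.
CSNETS = ["128.138.243.0", "128.138.204.0/24", "128.138.242.0"]
CUNETS = ["128.138.0.0/255.255.0.0"]


def entry_network(entry, local_netmask):
    """Turn one Host_Alias address entry into the network it covers.

    An explicit '/prefix' or '/dotted-mask' is used as written; a bare
    address is combined with the local machine's netmask, as sudoers does.
    """
    if "/" not in entry:
        entry = "%s/%s" % (entry, local_netmask)
    return ipaddress.ip_network(entry, strict=False)


def host_matches(entries, host_ip, local_netmask):
    """True if host_ip falls in any network of the alias."""
    ip = ipaddress.ip_address(host_ip)
    return any(ip in entry_network(e, local_netmask) for e in entries)


def alias_reach(entries, local_netmask):
    """Networks an alias expands to on a machine with the given netmask;
    useful for auditing how a bare entry's scope changes from host to host."""
    return [str(entry_network(e, local_netmask)) for e in entries]


if __name__ == "__main__":
    for mask in ("255.255.255.0", "255.255.0.0"):
        print(mask, alias_reach(CSNETS, mask),
              host_matches(CSNETS, "128.138.1.10", mask))
```

    On a host with a /24 netmask the bare CSNETS entries cover three class C
    networks, but on a host whose own mask is /16 the same entries expand to
    all of 128.138.0.0/16, so a rule written for jack silently grows.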
        operator       ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
                       sudoedit /etc/printcap, /usr/oper/bin/

    The operator user may run commands limited to simple maintenance.
    Here, those are commands related to backups, killing processes, the
    printing system, shutting down the system, and any commands in the
    directory /usr/oper/bin/.

        joe            ALL = /usr/bin/su operator

    The user joe may only su(1) to operator.

        pete           HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

        %opers         ALL = (: ADMINGRP) /usr/sbin/

    Users in the opers group may run commands in /usr/sbin/ as themselves
    with any group in the ADMINGRP Runas_Alias (the adm and oper groups).

    The user pete is allowed to change anyone's password except for root on
    the HPPA machines.  Note that this assumes passwd(1) does not take
    multiple usernames on the command line.

        bob            SPARC = (OP) ALL : SGI = (OP) ALL

    The user bob may run anything on the SPARC and SGI machines as any user
    listed in the OP Runas_Alias (root and operator).

    The user jim may run any command on machines in the biglab netgroup.
    sudo knows that "biglab" is a netgroup due to the '+' prefix.

        +secretaries   ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser

    Users in the secretaries netgroup need to help manage the printers as
    well as add and remove users, so they are allowed to run those commands

        fred           ALL = (DB) NOPASSWD: ALL

    The user fred can run commands as any user in the DB Runas_Alias
    (oracle or sybase) without giving a password.

        john           ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*

    On the ALPHA machines, user john may su to anyone except root but he is
    not allowed to specify any options to the su(1) command.

        jen            ALL, !SERVERS = ALL

    The user jen may run any command on any machine except for those in the
    SERVERS Host_Alias (master, mail, www and ns).

        jill           SERVERS = /usr/bin/, !SU, !SHELLS

    For any machine in the SERVERS Host_Alias, jill may run any commands in
    the directory /usr/bin/ except for those commands belonging to the SU
    and SHELLS Cmnd_Aliases.

        steve          CSNETS = (operator) /usr/local/op_commands/

    The user steve may run any command in the directory
    /usr/local/op_commands/ but only as user operator.

        matt           valkyrie = KILL

    On his personal workstation, valkyrie, matt needs to be able to kill

        WEBMASTERS     www = (www) ALL, (root) /usr/bin/su www

    On the host www, any user in the WEBMASTERS User_Alias (will, wendy,
    and wim), may run any command as user www (which owns the web pages) or
    simply su(1) to www.

        ALL            CDROM = NOPASSWD: /sbin/umount /CDROM,\
                       /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM

    Any user may mount or unmount a CD-ROM on the machines in the CDROM
    Host_Alias (orion, perseus, hercules) without entering a password.
    This is a bit tedious for users to type, so it is a prime candidate for
    encapsulating in a shell script.

SECURITY NOTES
    It is generally not effective to "subtract" commands from ALL using the
    '!' operator.  A user can trivially circumvent this by copying the
    desired command to a different name and then executing that.  For
    example:

        bill           ALL = ALL, !SU, !SHELLS

    Doesn't really prevent bill from running the commands listed in SU or
    SHELLS since he can simply copy those commands to a different name, or
    use a shell escape from an editor or other program.  Therefore, this
    kind of restriction should be considered advisory at best (and
    reinforced by policy).

    Furthermore, if the fast_glob option is in use, it is not possible to
    reliably negate commands where the path name includes globbing (aka
    wildcard) characters.  This is because the C library's fnmatch(3)
    function cannot resolve relative paths.  While this is typically only
    an inconvenience for rules that grant privileges, it can result in a
    security issue for rules that subtract or revoke privileges.

    For example, given the following sudoers entry:

        john   ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
               /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root

    User john can still run /usr/bin/passwd root if fast_glob is enabled by
    changing to /usr/bin and running ./passwd root instead.
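    A policy checker for the two negation pitfalls in this section, added
    here as an example and not part of sudo: it reports rules that subtract
    commands from ALL with '!', and negated path names containing globbing
    characters while fast_glob is set (the same combination warned about in
    the fast_glob option description).  The reader is a deliberate subset of
    the sudoers grammar, enough for the constructed sample policy it
    contains: one-line Defaults, Cmnd_Alias definitions and simple user
    specifications; Runas lists and tags are stripped rather than
    interpreted, and the sample is modelled on the bill and john entries.

```python
"""Added example (not part of sudo): flag the two negation pitfalls from
SECURITY NOTES in a sudoers-style policy.  The reader handles only the
syntax subset used by the constructed sample below."""

import re

GLOB_CHARS = "*?["
# Strips a leading "(runas)" list and NOPASSWD:/NOEXEC:/SETENV: style tags.
TAG_RE = re.compile(r"^(?:\([^)]*\)\s*)?(?:(?:NO)?(?:PASSWD|EXEC|SETENV)\s*:\s*)*")

# Constructed sample policy, modelled on the manual's own examples.
SAMPLE_SUDOERS = """\
Defaults fast_glob
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh
bill ALL = ALL, !SU, !SHELLS
john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*, \\
           /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
jill SERVERS = /usr/bin/, !SU, !SHELLS
"""


def _logical_lines(text):
    """Drop '#' comments and blank lines, join backslash continuations."""
    out, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        out.append((buf + line).strip())
        buf = ""
    return out


def _split_list(s):
    return [item.strip() for item in s.split(",") if item.strip()]


def parse_sudoers(text):
    """Return (defaults, cmnd_aliases, user_specs) for the supported subset."""
    defaults, aliases, specs = [], {}, []
    for line in _logical_lines(text):
        m = re.match(r"^Defaults(?:[:@!>]\S*)?\s+(.+)$", line)
        if m:
            defaults.extend(_split_list(m.group(1)))
            continue
        m = re.match(r"^Cmnd_Alias\s+(\w+)\s*=\s*(.+)$", line)
        if m:
            aliases[m.group(1)] = _split_list(m.group(2))
            continue
        m = re.match(r"^(\S+)\s+(.+?)\s*=\s*(.+)$", line)
        if m:
            specs.append((m.group(1), m.group(2), _split_list(m.group(3))))
    return defaults, aliases, specs


def fast_glob_enabled(defaults):
    """fast_glob is off by default; the last Defaults entry wins."""
    enabled = False
    for d in defaults:
        if d == "fast_glob":
            enabled = True
        elif d == "!fast_glob":
            enabled = False
    return enabled


def _commands(items, aliases):
    """Yield (negated, command) pairs with Cmnd_Alias names expanded."""
    for item in items:
        item = TAG_RE.sub("", item).strip()
        negated = item.startswith("!")
        item = item.lstrip("!").strip()
        for cmd in aliases.get(item, [item]):
            yield negated, cmd


def check_policy(text):
    """Return (user, finding) pairs for rules that rely on '!' unsafely."""
    defaults, aliases, specs = parse_sudoers(text)
    fast_glob = fast_glob_enabled(defaults)
    findings = []
    for user, _hosts, items in specs:
        cmds = list(_commands(items, aliases))
        positives = [c for neg, c in cmds if not neg]
        negatives = [c for neg, c in cmds if neg]
        if "ALL" in positives and negatives:
            findings.append((user, "subtracts commands from ALL with '!'; "
                                   "advisory at best, not enforceable"))
        if fast_glob:
            for c in negatives:
                if any(ch in c for ch in GLOB_CHARS):
                    findings.append((user, "negated glob %r is not reliable "
                                           "while fast_glob is set" % c))
    return findings


if __name__ == "__main__":
    for user, finding in check_policy(SAMPLE_SUDOERS):
        print("%-6s %s" % (user, finding))
```

    Run against the sample, the checker reports bill (subtracting from ALL)
    and john (a negated glob under fast_glob) and stays quiet about jill,
    whose negations are plain paths; turning fast_glob off removes the john
    finding but not bill's, matching the manual's point that the first
    problem is independent of any option.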
PREVENTING SHELL ESCAPES
       Once sudo executes a program, that program is free to do whatever it
       pleases, including run other programs.  This can be a security issue
       since it is not uncommon for a program to allow shell escapes, which
       lets a user bypass sudo's access control and logging.  Common programs
       that permit shell escapes include shells (obviously), editors,
       paginators, mail and terminal programs.

       There are two basic approaches to this problem:

       restrict  Avoid giving users access to commands that allow the user to
                 run arbitrary commands.  Many editors have a restricted mode
                 where shell escapes are disabled, though sudoedit is a better
                 solution to running editors via sudo.  Due to the large
                 number of programs that offer shell escapes, restricting
                 users to the set of programs that do not is often unworkable.
       noexec    Many systems that support shared libraries have the ability
                 to override default library functions by pointing an
                 environment variable (usually LD_PRELOAD) to an alternate
                 shared library.  On such systems, sudo's noexec functionality
                 can be used to prevent a program run by sudo from executing
                 any other programs.  Note, however, that this applies only to
                 native dynamically-linked executables.  Statically-linked
                 executables and foreign executables running under binary
                 emulation are not affected.

                 To tell whether or not sudo supports noexec, you can run the
                 following as root:

                     sudo -V | grep "dummy exec"

                 If the resulting output contains a line that begins with:

                     File containing dummy exec functions:

                 then sudo may be able to replace the exec family of functions
                 in the standard library with its own that simply return an
                 error.  Unfortunately, there is no foolproof way to know
                 whether or not noexec will work at compile-time.  noexec
                 should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX,
                 MacOS X, and HP-UX 11.x.  It is known not to work on AIX and
                 UnixWare.  noexec is expected to work on most operating
                 systems that support the LD_PRELOAD environment variable.
                 Check your operating system's manual pages for the dynamic
                 linker (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader)
                 to see if LD_PRELOAD is supported.

                 To enable noexec for a command, use the NOEXEC tag as
                 documented in the User Specification section above.  Here is
                 that example again:

                     aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi

                 This allows user aaron to run /usr/bin/more and /usr/bin/vi
                 with noexec enabled.  This will prevent those two commands
                 from executing other commands (such as a shell).  If you are
                 unsure whether or not your system is capable of supporting
                 noexec you can always just try it out and see if it works.
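       The C program below is an added example and is not sudo's own noexec
       library.  It shows the mechanism the text describes: a set of "dummy
       exec functions" that, when built as a shared object and loaded through
       LD_PRELOAD, interpose on the C library's exec family so that the
       program sudo started cannot start anything else.  The function names
       and signatures are the POSIX ones; the refusal counter, the stderr
       message and the shell_escape_is_blocked() helper are this example's
       own additions, and the stubs are compiled into an ordinary program here
       so that their behaviour can be exercised directly.

```c
/* Added example, not sudo's own noexec library: a minimal shim of the
 * "dummy exec functions" kind the text describes.  Compiled into a shared
 * object and loaded through LD_PRELOAD, these definitions interpose on the C
 * library's exec family, so a program run with NOEXEC cannot start anything
 * else; each call fails with EACCES.  Here the stubs sit in an ordinary
 * program so they can be exercised directly.  The counter and the message
 * are this example's additions, not part of any real preload library. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

static unsigned long refusals;   /* how many exec attempts were blocked */

/* Every interposed entry point funnels here: refuse and leave a trace on
 * stderr so the user whose shell escape failed can see why. */
static int refuse(const char *fn, const char *target)
{
    refusals++;
    fprintf(stderr, "noexec: %s(\"%s\") refused\n", fn, target ? target : "(null)");
    errno = EACCES;
    return -1;
}

unsigned long noexec_refusals(void) { return refusals; }

/* The exec family proper.  A real preload library must cover every variant
 * the platform's libc exports; these are the POSIX ones. */
int execve(const char *path, char *const argv[], char *const envp[])
{
    (void)argv; (void)envp;
    return refuse("execve", path);
}
int execv(const char *path, char *const argv[])
{
    (void)argv;
    return refuse("execv", path);
}
int execvp(const char *file, char *const argv[])
{
    (void)argv;
    return refuse("execvp", file);
}
int execl(const char *path, const char *arg, ...)
{
    (void)arg;
    return refuse("execl", path);
}
int execlp(const char *file, const char *arg, ...)
{
    (void)arg;
    return refuse("execlp", file);
}
int execle(const char *path, const char *arg, ...)
{
    (void)arg;
    return refuse("execle", path);
}

/* Library routines that spawn a shell reach exec through libc-internal
 * entry points, not the public symbols above, so they need their own stubs. */
int system(const char *command)
{
    return refuse("system", command);
}
FILE *popen(const char *command, const char *mode)
{
    (void)mode;
    refuse("popen", command);
    return NULL;
}

/* What an editor's shell escape would hit under NOEXEC: returns 1 when the
 * attempt was refused with EACCES instead of running a shell. */
int shell_escape_is_blocked(void)
{
    char *const argv[] = { "sh", NULL };   /* constructed argument vector */

    errno = 0;
    if (execvp("sh", argv) == -1 && errno == EACCES)
        return 1;
    return 0;   /* not reached if the exec actually succeeded */
}
```

       For real use the same definitions would be built with
       cc -shared -fPIC and named in LD_PRELOAD, which is what sudo arranges
       for commands tagged NOEXEC.  The shim only catches calls that pass
       through the dynamic linker: as the text notes, statically-linked
       executables are unaffected, and so is any program that issues the
       system call directly rather than through libc.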
       Note that restricting shell escapes is not a panacea.  Programs running
       as root are still capable of many potentially hazardous operations
       (such as changing or overwriting files) that could lead to unintended
       privilege escalation.  In the specific case of an editor, a safer
       approach is to give the user permission to run sudoedit.
SEE ALSO
       rsh(1), su(1), fnmatch(3), glob(3), sudo(1m), visudo(8)
CAVEATS
       The sudoers file should always be edited by the visudo command which
       locks the file and does grammatical checking.  It is imperative that
       sudoers be free of syntax errors since sudo will not run with a
       syntactically incorrect sudoers file.

       When using netgroups of machines (as opposed to users), if you store
       fully qualified hostnames in the netgroup (as is usually the case), you
       either need to have the machine's hostname be fully qualified as
       returned by the hostname command or use the fqdn option in sudoers.

       If you feel you have found a bug in sudo, please submit a bug report at
       http://www.sudo.ws/sudo/bugs/

SUPPORT
       Limited free support is available via the sudo-users mailing list, see
       http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
       the archives.

DISCLAIMER
       sudo is provided ``AS IS'' and any express or implied warranties,
       including, but not limited to, the implied warranties of
       merchantability and fitness for a particular purpose are disclaimed.
       See the LICENSE file distributed with sudo or
       http://www.sudo.ws/sudo/license.html for complete details.