--- /dev/null
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
+
+N\bNA\bAM\bME\bE
+ sudoers - default sudo security policy module
+
+D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs policy module determines a user's s\bsu\bud\bdo\bo privileges. It is
+ the default s\bsu\bud\bdo\bo policy plugin. The policy is driven by the
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs file or, optionally in LDAP. The policy format is
+ described in detail in the "SUDOERS FILE FORMAT" section. For
+ information on storing _\bs_\bu_\bd_\bo_\be_\br_\bs policy information in LDAP, please see
+ _\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bd_\ba_\bp(4).
+
+ A\bAu\but\bth\bhe\ben\bnt\bti\bic\bca\bat\bti\bio\bon\bn a\ban\bnd\bd L\bLo\bog\bgg\bgi\bin\bng\bg
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs security policy requires that most users authenticate
+ themselves before they can use s\bsu\bud\bdo\bo. A password is not required if the
+ invoking user is root, if the target user is the same as the invoking
+ user, or if the policy has disabled authentication for the user or
+ command. Unlike _\bs_\bu(1), when _\bs_\bu_\bd_\bo_\be_\br_\bs requires authentication, it
+ validates the invoking user's credentials, not the target user's (or
+ root's) credentials. This can be changed via the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and
+ _\br_\bu_\bn_\ba_\bs_\bp_\bw flags, described later.
+
+ If a user who is not listed in the policy tries to run a command via
+ s\bsu\bud\bdo\bo, mail is sent to the proper authorities. The address used for
+ such mail is configurable via the _\bm_\ba_\bi_\bl_\bt_\bo Defaults entry (described
+ later) and defaults to root.
+
+ Note that mail will not be sent if an unauthorized user tries to run
+ s\bsu\bud\bdo\bo with the -\b-l\bl or -\b-v\bv option. This allows users to determine for
+ themselves whether or not they are allowed to use s\bsu\bud\bdo\bo.
+
+ If s\bsu\bud\bdo\bo is run by root and the SUDO_USER environment variable is set,
+ the _\bs_\bu_\bd_\bo_\be_\br_\bs policy will use this value to determine who the actual user
+ is. This can be used by a user to log commands through sudo even when
+ a root shell has been invoked. It also allows the -\b-e\be option to remain
+ useful even when invoked via a sudo-run script or program. Note,
+ however, that the _\bs_\bu_\bd_\bo_\be_\br_\bs lookup is still done for root, not the user
+ specified by SUDO_USER.
+
+ _\bs_\bu_\bd_\bo_\be_\br_\bs uses time stamp files for credential caching. Once a user has
+ been authenticated, a time stamp is updated and the user may then use
+ sudo without a password for a short period of time (5 minutes unless
+ overridden by the _\bt_\bi_\bm_\be_\bo_\bu_\bt option. By default, _\bs_\bu_\bd_\bo_\be_\br_\bs uses a tty-based
+ time stamp which means that there is a separate time stamp for each of
+ a user's login sessions. The _\bt_\bt_\by_\b__\bt_\bi_\bc_\bk_\be_\bt_\bs option can be disabled to
+ force the use of a single time stamp for all of a user's sessions.
+
+ _\bs_\bu_\bd_\bo_\be_\br_\bs can log both successful and unsuccessful attempts (as well as
+ errors) to _\bs_\by_\bs_\bl_\bo_\bg(3), a log file, or both. By default, _\bs_\bu_\bd_\bo_\be_\br_\bs will
+ log via _\bs_\by_\bs_\bl_\bo_\bg(3) but this is changeable via the _\bs_\by_\bs_\bl_\bo_\bg and _\bl_\bo_\bg_\bf_\bi_\bl_\be
+ Defaults settings.
+
+ _\bs_\bu_\bd_\bo_\be_\br_\bs also supports logging a command's input and output streams.
+ I/O logging is not on by default but can be enabled using the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt
+ and _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt Defaults flags as well as the LOG_INPUT and LOG_OUTPUT
+ command tags.
+
+ C\bCo\bom\bmm\bma\ban\bnd\bd E\bEn\bnv\bvi\bir\bro\bon\bnm\bme\ben\bnt\bt
+ Since environment variables can influence program behavior, _\bs_\bu_\bd_\bo_\be_\br_\bs
+ provides a means to restrict which variables from the user's
+ environment are inherited by the command to be run. There are two
+ distinct ways _\bs_\bu_\bd_\bo_\be_\br_\bs can deal with environment variables.
+
+ By default, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is enabled. This causes commands to
+ be executed with a new, minimal environment. On AIX (and Linux systems
+ without PAM), the environment is initialized with the contents of the
+ _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt file. On BSD systems, if the _\bu_\bs_\be_\b__\bl_\bo_\bg_\bi_\bn_\bc_\bl_\ba_\bs_\bs option is
+ enabled, the environment is initialized based on the _\bp_\ba_\bt_\bh and _\bs_\be_\bt_\be_\bn_\bv
+ settings in _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. The new environment contains the TERM,
+ PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables
+ in addition to variables from the invoking process permitted by the
+ _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bk_\be_\be_\bp options. This is effectively a whitelist for
+ environment variables.
+
+ If, however, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is disabled, any variables not
+ explicitly denied by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be options are inherited
+ from the invoking process. In this case, _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be
+ behave like a blacklist. Since it is not possible to blacklist all
+ potentially dangerous environment variables, use of the default
+ _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt behavior is encouraged.
+
+ In all cases, environment variables with a value beginning with () are
+ removed as they could be interpreted as b\bba\bas\bsh\bh functions. The list of
+ environment variables that s\bsu\bud\bdo\bo allows or denies is contained in the
+ output of sudo -V when run as root.
+
+ Note that the dynamic linker on most operating systems will remove
+ variables that can control dynamic linking from the environment of
+ setuid executables, including s\bsu\bud\bdo\bo. Depending on the operating system
+ this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and
+ others. These type of variables are removed from the environment
+ before s\bsu\bud\bdo\bo even begins execution and, as such, it is not possible for
+ s\bsu\bud\bdo\bo to preserve them.
+
+ As a special case, if s\bsu\bud\bdo\bo's -\b-i\bi option (initial login) is specified,
+ _\bs_\bu_\bd_\bo_\be_\br_\bs will initialize the environment regardless of the value of
+ _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt. The _\bD_\bI_\bS_\bP_\bL_\bA_\bY, _\bP_\bA_\bT_\bH and _\bT_\bE_\bR_\bM variables remain unchanged;
+ _\bH_\bO_\bM_\bE, _\bM_\bA_\bI_\bL, _\bS_\bH_\bE_\bL_\bL, _\bU_\bS_\bE_\bR, and _\bL_\bO_\bG_\bN_\bA_\bM_\bE are set based on the target user.
+ On AIX (and Linux systems without PAM), the contents of
+ _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt are also included. On BSD systems, if the
+ _\bu_\bs_\be_\b__\bl_\bo_\bg_\bi_\bn_\bc_\bl_\ba_\bs_\bs option is enabled, the _\bp_\ba_\bt_\bh and _\bs_\be_\bt_\be_\bn_\bv variables in
+ _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf are also applied. All other environment variables are
+ removed.
+
+ Finally, if the _\be_\bn_\bv_\b__\bf_\bi_\bl_\be option is defined, any variables present in
+ that file will be set to their specified values as long as they would
+ not conflict with an existing environment variable.
+
+S\bSU\bUD\bDO\bOE\bER\bRS\bS F\bFI\bIL\bLE\bE F\bFO\bOR\bRM\bMA\bAT\bT
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs file is composed of two types of entries: aliases
+ (basically variables) and user specifications (which specify who may
+ run what).
+
+ When multiple entries match for a user, they are applied in order.
+ Where there are multiple matches, the last match is used (which is not
+ necessarily the most specific match).
+
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs grammar will be described below in Extended Backus-Naur
+ Form (EBNF). Don't despair if you don't know what EBNF is; it is
+ fairly simple, and the definitions below are annotated.
+
+ Q\bQu\bui\bic\bck\bk g\bgu\bui\bid\bde\be t\bto\bo E\bEB\bBN\bNF\bF
+ EBNF is a concise and exact way of describing the grammar of a
+ language. Each EBNF definition is made up of _\bp_\br_\bo_\bd_\bu_\bc_\bt_\bi_\bo_\bn _\br_\bu_\bl_\be_\bs. E.g.,
+
+ symbol ::= definition | alternate1 | alternate2 ...
+
+ Each _\bp_\br_\bo_\bd_\bu_\bc_\bt_\bi_\bo_\bn _\br_\bu_\bl_\be references others and thus makes up a grammar for
+ the language. EBNF also contains the following operators, which many
+ readers will recognize from regular expressions. Do not, however,
+ confuse them with "wildcard" characters, which have different meanings.
+
+ ? Means that the preceding symbol (or group of symbols) is optional.
+ That is, it may appear once or not at all.
+
+ * Means that the preceding symbol (or group of symbols) may appear
+ zero or more times.
+
+ + Means that the preceding symbol (or group of symbols) may appear
+ one or more times.
+
+ Parentheses may be used to group symbols together. For clarity, we
+ will use single quotes ('') to designate what is a verbatim character
+ string (as opposed to a symbol name).
+
+ A\bAl\bli\bia\bas\bse\bes\bs
+ There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias
+ and Cmnd_Alias.
+
+ Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
+ 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
+ 'Host_Alias' Host_Alias (':' Host_Alias)* |
+ 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
+
+ User_Alias ::= NAME '=' User_List
+
+ Runas_Alias ::= NAME '=' Runas_List
+
+ Host_Alias ::= NAME '=' Host_List
+
+ Cmnd_Alias ::= NAME '=' Cmnd_List
+
+ NAME ::= [A-Z]([A-Z][0-9]_)*
+
+ Each _\ba_\bl_\bi_\ba_\bs definition is of the form
+
+ Alias_Type NAME = item1, item2, ...
+
+ where _\bA_\bl_\bi_\ba_\bs_\b__\bT_\by_\bp_\be is one of User_Alias, Runas_Alias, Host_Alias, or
+ Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and
+ underscore characters ('_'). A NAME m\bmu\bus\bst\bt start with an uppercase
+ letter. It is possible to put several alias definitions of the same
+ type on a single line, joined by a colon (':'). E.g.,
+
+ Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
+
+ The definitions of what constitutes a valid _\ba_\bl_\bi_\ba_\bs member follow.
+
+ User_List ::= User |
+ User ',' User_List
+
+ User ::= '!'* user name |
+ '!'* #uid |
+ '!'* %group |
+ '!'* %#gid |
+ '!'* +netgroup |
+ '!'* %:nonunix_group |
+ '!'* %:#nonunix_gid |
+ '!'* User_Alias
+
+ A User_List is made up of one or more user names, user ids (prefixed
+ with '#'), system group names and ids (prefixed with '%' and '%#'
+ respectively), netgroups (prefixed with '+'), non-Unix group names and
+ IDs (prefixed with '%:' and '%:#' respectively) and User_Aliases. Each
+ list item may be prefixed with zero or more '!' operators. An odd
+ number of '!' operators negate the value of the item; an even number
+ just cancel each other out.
+
+ A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid
+ may be enclosed in double quotes to avoid the need for escaping special
+ characters. Alternately, special characters may be specified in
+ escaped hex mode, e.g. \x20 for space. When using double quotes, any
+ prefix characters must be included inside the quotes.
+
+ The actual nonunix_group and nonunix_gid syntax depends on the
+ underlying group provider plugin (see the _\bg_\br_\bo_\bu_\bp_\b__\bp_\bl_\bu_\bg_\bi_\bn description
+ below). For instance, the QAS AD plugin supports the following
+ formats:
+
+ o Group in the same domain: "Group Name"
+
+ o Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"
+
+ o Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"
+
+ Note that quotes around group names are optional. Unquoted strings
+ must use a backslash (\) to escape spaces and special characters. See
+ "Other special characters and reserved words" for a list of characters
+ that need to be escaped.
+
+ Runas_List ::= Runas_Member |
+ Runas_Member ',' Runas_List
+
+ Runas_Member ::= '!'* user name |
+ '!'* #uid |
+ '!'* %group |
+ '!'* %#gid |
+ '!'* %:nonunix_group |
+ '!'* %:#nonunix_gid |
+ '!'* +netgroup |
+ '!'* Runas_Alias
+
+ A Runas_List is similar to a User_List except that instead of
+ User_Aliases it can contain Runas_Aliases. Note that user names and
+ groups are matched as strings. In other words, two users (groups) with
+ the same uid (gid) are considered to be distinct. If you wish to match
+ all user names with the same uid (e.g. root and toor), you can use a
+ uid instead (#0 in the example given).
+
+ Host_List ::= Host |
+ Host ',' Host_List
+
+ Host ::= '!'* host name |
+ '!'* ip_addr |
+ '!'* network(/netmask)? |
+ '!'* +netgroup |
+ '!'* Host_Alias
+
+ A Host_List is made up of one or more host names, IP addresses, network
+ numbers, netgroups (prefixed with '+') and other aliases. Again, the
+ value of an item may be negated with the '!' operator. If you do not
+ specify a netmask along with the network number, s\bsu\bud\bdo\bo will query each
+ of the local host's network interfaces and, if the network number
+ corresponds to one of the hosts's network interfaces, the corresponding
+ netmask will be used. The netmask may be specified either in standard
+ IP address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or
+ CIDR notation (number of bits, e.g. 24 or 64). A host name may include
+ shell-style wildcards (see the Wildcards section below), but unless the
+ host name command on your machine returns the fully qualified host
+ name, you'll need to use the _\bf_\bq_\bd_\bn option for wildcards to be useful.
+ Note s\bsu\bud\bdo\bo only inspects actual network interfaces; this means that IP
+ address 127.0.0.1 (localhost) will never match. Also, the host name
+ "localhost" will only match if that is the actual host name, which is
+ usually only the case for non-networked systems.
+
+ Cmnd_List ::= Cmnd |
+ Cmnd ',' Cmnd_List
+
+ commandname ::= file name |
+ file name args |
+ file name '""'
+
+ Cmnd ::= '!'* commandname |
+ '!'* directory |
+ '!'* "sudoedit" |
+ '!'* Cmnd_Alias
+
+ A Cmnd_List is a list of one or more commandnames, directories, and
+ other aliases. A commandname is a fully qualified file name which may
+ include shell-style wildcards (see the Wildcards section below). A
+ simple file name allows the user to run the command with any arguments
+ he/she wishes. However, you may also specify command line arguments
+ (including wildcards). Alternately, you can specify "" to indicate
+ that the command may only be run w\bwi\bit\bth\bho\bou\but\bt command line arguments. A
+ directory is a fully qualified path name ending in a '/'. When you
+ specify a directory in a Cmnd_List, the user will be able to run any
+ file within that directory (but not in any subdirectories therein).
+
+ If a Cmnd has associated command line arguments, then the arguments in
+ the Cmnd must match exactly those given by the user on the command line
+ (or match the wildcards if there are any). Note that the following
+ characters must be escaped with a '\' if they are used in command
+ arguments: ',', ':', '=', '\'. The special command "sudoedit" is used
+ to permit a user to run s\bsu\bud\bdo\bo with the -\b-e\be option (or as s\bsu\bud\bdo\boe\bed\bdi\bit\bt). It
+ may take command line arguments just as a normal command does.
+
+ D\bDe\bef\bfa\bau\bul\blt\bts\bs
+ Certain configuration options may be changed from their default values
+ at runtime via one or more Default_Entry lines. These may affect all
+ users on any host, all users on a specific host, a specific user, a
+ specific command, or commands being run as a specific user. Note that
+ per-command entries may not include command line arguments. If you
+ need to specify arguments, define a Cmnd_Alias and reference that
+ instead.
+
+ Default_Type ::= 'Defaults' |
+ 'Defaults' '@' Host_List |
+ 'Defaults' ':' User_List |
+ 'Defaults' '!' Cmnd_List |
+ 'Defaults' '>' Runas_List
+
+ Default_Entry ::= Default_Type Parameter_List
+
+ Parameter_List ::= Parameter |
+ Parameter ',' Parameter_List
+
+ Parameter ::= Parameter '=' Value |
+ Parameter '+=' Value |
+ Parameter '-=' Value |
+ '!'* Parameter
+
+ Parameters may be f\bfl\bla\bag\bgs\bs, i\bin\bnt\bte\beg\bge\ber\br values, s\bst\btr\bri\bin\bng\bgs\bs, or l\bli\bis\bst\bts\bs. Flags are
+ implicitly boolean and can be turned off via the '!' operator. Some
+ integer, string and list parameters may also be used in a boolean
+ context to disable them. Values may be enclosed in double quotes (")
+ when they contain multiple words. Special characters may be escaped
+ with a backslash (\).
+
+ Lists have two additional assignment operators, += and -=. These
+ operators are used to add to and delete from a list respectively. It
+ is not an error to use the -= operator to remove an element that does
+ not exist in a list.
+
+ Defaults entries are parsed in the following order: generic, host and
+ user Defaults first, then runas Defaults and finally command defaults.
+
+ See "SUDOERS OPTIONS" for a list of supported Defaults parameters.
+
+ U\bUs\bse\ber\br S\bSp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn
+ User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
+ (':' Host_List '=' Cmnd_Spec_List)*
+
+ Cmnd_Spec_List ::= Cmnd_Spec |
+ Cmnd_Spec ',' Cmnd_Spec_List
+
+ Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
+
+ Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
+
+ SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
+
+ Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
+ 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
+ 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
+
+ A u\bus\bse\ber\br s\bsp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn determines which commands a user may run (and as
+ what user) on specified hosts. By default, commands are run as r\bro\boo\bot\bt,
+ but this can be changed on a per-command basis.
+
+ The basic structure of a user specification is `who where = (as_whom)
+ what'. Let's break that down into its constituent parts:
+
+ R\bRu\bun\bna\bas\bs_\b_S\bSp\bpe\bec\bc
+ A Runas_Spec determines the user and/or the group that a command may be
+ run as. A fully-specified Runas_Spec consists of two Runas_Lists (as
+ defined above) separated by a colon (':') and enclosed in a set of
+ parentheses. The first Runas_List indicates which users the command
+ may be run as via s\bsu\bud\bdo\bo's -\b-u\bu option. The second defines a list of
+ groups that can be specified via s\bsu\bud\bdo\bo's -\b-g\bg option. If both Runas_Lists
+ are specified, the command may be run with any combination of users and
+ groups listed in their respective Runas_Lists. If only the first is
+ specified, the command may be run as any user in the list but no -\b-g\bg
+ option may be specified. If the first Runas_List is empty but the
+ second is specified, the command may be run as the invoking user with
+ the group set to any listed in the Runas_List. If no Runas_Spec is
+ specified the command may be run as r\bro\boo\bot\bt and no group may be specified.
+
+ A Runas_Spec sets the default for the commands that follow it. What
+ this means is that for the entry:
+
+ dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
+
+ The user d\bdg\bgb\bb may run _\b/_\bb_\bi_\bn_\b/_\bl_\bs, _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm -- but only
+ as o\bop\bpe\ber\bra\bat\bto\bor\br. E.g.,
+
+ $ sudo -u operator /bin/ls
+
+ It is also possible to override a Runas_Spec later on in an entry. If
+ we modify the entry like so:
+
+ dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
+
+ Then user d\bdg\bgb\bb is now allowed to run _\b/_\bb_\bi_\bn_\b/_\bl_\bs as o\bop\bpe\ber\bra\bat\bto\bor\br, but _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl
+ and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as r\bro\boo\bot\bt.
+
+ We can extend this to allow d\bdg\bgb\bb to run /bin/ls with either the user or
+ group set to o\bop\bpe\ber\bra\bat\bto\bor\br:
+
+ dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \
+ /usr/bin/lprm
+
+ Note that while the group portion of the Runas_Spec permits the user to
+ run as command with that group, it does not force the user to do so.
+ If no group is specified on the command line, the command will run with
+ the group listed in the target user's password database entry. The
+ following would all be permitted by the sudoers entry above:
+
+ $ sudo -u operator /bin/ls
+ $ sudo -u operator -g operator /bin/ls
+ $ sudo -g operator /bin/ls
+
+ In the following example, user t\btc\bcm\bm may run commands that access a modem
+ device file with the dialer group.
+
+ tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
+ /usr/local/bin/minicom
+
+ Note that in this example only the group will be set, the command still
+ runs as user t\btc\bcm\bm. E.g.
+
+ $ sudo -g dialer /usr/bin/cu
+
+ Multiple users and groups may be present in a Runas_Spec, in which case
+ the user may select any combination of users and groups via the -\b-u\bu and
+ -\b-g\bg options. In this example:
+
+ alan ALL = (root, bin : operator, system) ALL
+
+ user a\bal\bla\ban\bn may run any command as either user root or bin, optionally
+ setting the group to operator or system.
+
+ S\bSE\bEL\bLi\bin\bnu\bux\bx_\b_S\bSp\bpe\bec\bc
+ On systems with SELinux support, _\bs_\bu_\bd_\bo_\be_\br_\bs entries may optionally have an
+ SELinux role and/or type associated with a command. If a role or type
+ is specified with the command it will override any default values
+ specified in _\bs_\bu_\bd_\bo_\be_\br_\bs. A role or type specified on the command line,
+ however, will supercede the values in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+
+ T\bTa\bag\bg_\b_S\bSp\bpe\bec\bc
+ A command may have zero or more tags associated with it. There are
+ eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV,
+ NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a
+ tag is set on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit
+ the tag unless it is overridden by the opposite tag (i.e.: PASSWD
+ overrides NOPASSWD and NOEXEC overrides EXEC).
+
+ _\bN_\bO_\bP_\bA_\bS_\bS_\bW_\bD _\ba_\bn_\bd _\bP_\bA_\bS_\bS_\bW_\bD
+
+ By default, s\bsu\bud\bdo\bo requires that a user authenticate him or herself
+ before running a command. This behavior can be modified via the
+ NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for
+ the commands that follow it in the Cmnd_Spec_List. Conversely, the
+ PASSWD tag can be used to reverse things. For example:
+
+ ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
+
+ would allow the user r\bra\bay\by to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, _\b/_\bb_\bi_\bn_\b/_\bl_\bs, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm
+ as r\bro\boo\bot\bt on the machine rushmore without authenticating himself. If we
+ only want r\bra\bay\by to be able to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl without a password the entry
+ would be:
+
+ ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
+
+ Note, however, that the PASSWD tag has no effect on users who are in
+ the group specified by the _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option.
+
+ By default, if the NOPASSWD tag is applied to any of the entries for a
+ user on the current host, he or she will be able to run sudo -l without
+ a password. Additionally, a user may only run sudo -v without a
+ password if the NOPASSWD tag is present for all a user's entries that
+ pertain to the current host. This behavior may be overridden via the
+ verifypw and listpw options.
+
+ _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC
+
+ If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the underlying
+ operating system supports it, the NOEXEC tag can be used to prevent a
+ dynamically-linked executable from running further commands itself.
+
+ In the following example, user a\baa\bar\bro\bon\bn may run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and
+ _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi but shell escapes will be disabled.
+
+ aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+
+ See the "Preventing Shell Escapes" section below for more details on
+ how NOEXEC works and whether or not it will work on your system.
+
+ _\bS_\bE_\bT_\bE_\bN_\bV _\ba_\bn_\bd _\bN_\bO_\bS_\bE_\bT_\bE_\bN_\bV
+
+ These tags override the value of the _\bs_\be_\bt_\be_\bn_\bv option on a per-command
+ basis. Note that if SETENV has been set for a command, the user may
+ disable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option from the command line via the -\b-E\bE option.
+ Additionally, environment variables set on the command line are not
+ subject to the restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or
+ _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such, only trusted users should be allowed to set
+ variables in this manner. If the command matched is A\bAL\bLL\bL, the SETENV
+ tag is implied for that command; this default may be overridden by use
+ of the NOSETENV tag.
+
+ _\bL_\bO_\bG_\b__\bI_\bN_\bP_\bU_\bT _\ba_\bn_\bd _\bN_\bO_\bL_\bO_\bG_\b__\bI_\bN_\bP_\bU_\bT
+
+ These tags override the value of the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt option on a per-command
+ basis. For more information, see the description of _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt in the
+ "SUDOERS OPTIONS" section below.
+
+ _\bL_\bO_\bG_\b__\bO_\bU_\bT_\bP_\bU_\bT _\ba_\bn_\bd _\bN_\bO_\bL_\bO_\bG_\b__\bO_\bU_\bT_\bP_\bU_\bT
+
+ These tags override the value of the _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt option on a per-command
+ basis. For more information, see the description of _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt in the
+ "SUDOERS OPTIONS" section below.
+
+ W\bWi\bil\bld\bdc\bca\bar\brd\bds\bs
+ s\bsu\bud\bdo\bo allows shell-style _\bw_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs (aka meta or glob characters) to be
+ used in host names, path names and command line arguments in the
+ _\bs_\bu_\bd_\bo_\be_\br_\bs file. Wildcard matching is done via the P\bPO\bOS\bSI\bIX\bX _\bg_\bl_\bo_\bb(3) and
+ _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) routines. Note that these are _\bn_\bo_\bt regular expressions.
+
+ * Matches any set of zero or more characters.
+
+ ? Matches any single character.
+
+ [...] Matches any character in the specified range.
+
+ [!...] Matches any character n\bno\bot\bt in the specified range.
+
+ \x For any character "x", evaluates to "x". This is used to
+ escape special characters such as: "*", "?", "[", and "}".
+
+ POSIX character classes may also be used if your system's _\bg_\bl_\bo_\bb(3) and
+ _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) functions support them. However, because the ':' character
+ has special meaning in _\bs_\bu_\bd_\bo_\be_\br_\bs, it must be escaped. For example:
+
+ /bin/ls [[\:alpha\:]]*
+
+ Would match any file name beginning with a letter.
+
+ Note that a forward slash ('/') will n\bno\bot\bt be matched by wildcards used
+ in the path name. When matching the command line arguments, however, a
+ slash d\bdo\boe\bes\bs get matched by wildcards. This is to make a path like:
+
+ /usr/bin/*
+
+ match _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bw_\bh_\bo but not _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bX_\b1_\b1_\b/_\bx_\bt_\be_\br_\bm.
+
+ E\bEx\bxc\bce\bep\bpt\bti\bio\bon\bns\bs t\bto\bo w\bwi\bil\bld\bdc\bca\bar\brd\bd r\bru\bul\ble\bes\bs
+ The following exceptions apply to the above rules:
+
+ "" If the empty string "" is the only command line argument in the
+ _\bs_\bu_\bd_\bo_\be_\br_\bs entry it means that command is not allowed to be run
+ with a\ban\bny\by arguments.
+
+ I\bIn\bnc\bcl\blu\bud\bdi\bin\bng\bg o\bot\bth\bhe\ber\br f\bfi\bil\ble\bes\bs f\bfr\bro\bom\bm w\bwi\bit\bth\bhi\bin\bn s\bsu\bud\bdo\boe\ber\brs\bs
+ It is possible to include other _\bs_\bu_\bd_\bo_\be_\br_\bs files from within the _\bs_\bu_\bd_\bo_\be_\br_\bs
+ file currently being parsed using the #include and #includedir
+ directives.
+
+ This can be used, for example, to keep a site-wide _\bs_\bu_\bd_\bo_\be_\br_\bs file in
+ addition to a local, per-machine file. For the sake of this example
+ the site-wide _\bs_\bu_\bd_\bo_\be_\br_\bs will be _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs and the per-machine one will
+ be _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. To include _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl from within
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs we would use the following line in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs:
+
+ #include /etc/sudoers.local
+
+ When s\bsu\bud\bdo\bo reaches this line it will suspend processing of the current
+ file (_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs) and switch to _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. Upon reaching
+ the end of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl, the rest of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs will be
+ processed. Files that are included may themselves include other files.
+ A hard limit of 128 nested include files is enforced to prevent include
+ file loops.
+
+ If the path to the include file is not fully-qualified (does not begin
+ with a _\b/), it must be located in the same directory as the sudoers file
+ it was included from. For example, if _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs contains the line:
+
+ #include sudoers.local
+
+ the file that will be included is _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl.
+
+ The file name may also include the %h escape, signifying the short form
+ of the host name. I.e., if the machine's host name is "xerxes", then
+
+ #include /etc/sudoers.%h
+
+ will cause s\bsu\bud\bdo\bo to include the file _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bx_\be_\br_\bx_\be_\bs.
+
+ The #includedir directive can be used to create a _\bs_\bu_\bd_\bo_\b._\bd directory that
+ the system package manager can drop _\bs_\bu_\bd_\bo_\be_\br_\bs rules into as part of
+ package installation. For example, given:
+
+ #includedir /etc/sudoers.d
+
+ s\bsu\bud\bdo\bo will read each file in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd, skipping file names that
+ end in ~ or contain a . character to avoid causing problems with
+ package manager or editor temporary/backup files. Files are parsed in
+ sorted lexical order. That is, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b0_\b1_\b__\bf_\bi_\br_\bs_\bt will be parsed
+ before _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Be aware that because the sorting is
+ lexical, not numeric, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b__\bw_\bh_\bo_\bo_\bp_\bs would be loaded a\baf\bft\bte\ber\br
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Using a consistent number of leading zeroes
+ in the file names can be used to avoid such problems.
+
+ Note that unlike files included via #include, v\bvi\bis\bsu\bud\bdo\bo will not edit the
+ files in a #includedir directory unless one of them contains a syntax
+ error. It is still possible to run v\bvi\bis\bsu\bud\bdo\bo with the -f flag to edit the
+ files directly.
+
+ O\bOt\bth\bhe\ber\br s\bsp\bpe\bec\bci\bia\bal\bl c\bch\bha\bar\bra\bac\bct\bte\ber\brs\bs a\ban\bnd\bd r\bre\bes\bse\ber\brv\bve\bed\bd w\bwo\bor\brd\bds\bs
+ The pound sign ('#') is used to indicate a comment (unless it is part
+ of a #include directive or unless it occurs in the context of a user
+ name and is followed by one or more digits, in which case it is treated
+ as a uid). Both the comment character and any text after it, up to the
+ end of the line, are ignored.
+
+ The reserved word A\bAL\bLL\bL is a built-in _\ba_\bl_\bi_\ba_\bs that always causes a match to
+ succeed. It can be used wherever one might otherwise use a Cmnd_Alias,
+ User_Alias, Runas_Alias, or Host_Alias. You should not try to define
+ your own _\ba_\bl_\bi_\ba_\bs called A\bAL\bLL\bL as the built-in alias will be used in
+ preference to your own. Please note that using A\bAL\bLL\bL can be dangerous
+ since in a command context, it allows the user to run a\ban\bny\by command on
+ the system.
+
+ An exclamation point ('!') can be used as a logical _\bn_\bo_\bt operator both
+ in an _\ba_\bl_\bi_\ba_\bs and in front of a Cmnd. This allows one to exclude certain
+ values. Note, however, that using a ! in conjunction with the built-in
+ ALL alias to allow a user to run "all but a few" commands rarely works
+ as intended (see SECURITY NOTES below).
+
+ Long lines can be continued with a backslash ('\') as the last
+ character on the line.
+
+ Whitespace between elements in a list as well as special syntactic
+ characters in a _\bU_\bs_\be_\br _\bS_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn ('=', ':', '(', ')') is optional.
+
+ The following characters must be escaped with a backslash ('\') when
+ used as part of a word (e.g. a user name or host name): '!', '=', ':',
+ ',', '(', ')', '\'.
+
+S\bSU\bUD\bDO\bOE\bER\bRS\bS O\bOP\bPT\bTI\bIO\bON\bNS\bS
+ s\bsu\bud\bdo\bo's behavior can be modified by Default_Entry lines, as explained
+ earlier. A list of all supported Defaults parameters, grouped by type,
+ are listed below.
+
+ B\bBo\boo\bol\ble\bea\ban\bn F\bFl\bla\bag\bgs\bs:
+
+ always_set_home If enabled, s\bsu\bud\bdo\bo will set the HOME environment variable
+ to the home directory of the target user (which is root
+ unless the -\b-u\bu option is used). This effectively means
+ that the -\b-H\bH option is always implied. Note that HOME
+ is already set when the the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is
+ enabled, so _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be is only effective for
+ configurations where either _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt is disabled or
+ HOME is present in the _\be_\bn_\bv_\b__\bk_\be_\be_\bp list. This flag is _\bo_\bf_\bf
+ by default.
+
+ authenticate If set, users must authenticate themselves via a
+ password (or other means of authentication) before they
+ may run commands. This default may be overridden via
+ the PASSWD and NOPASSWD tags. This flag is _\bo_\bn by
+ default.
+
+ closefrom_override
+ If set, the user may use s\bsu\bud\bdo\bo's -\b-C\bC option which
+ overrides the default starting point at which s\bsu\bud\bdo\bo
+ begins closing open file descriptors. This flag is _\bo_\bf_\bf
+ by default.
+
+ compress_io If set, and s\bsu\bud\bdo\bo is configured to log a command's input
+ or output, the I/O logs will be compressed using z\bzl\bli\bib\bb.
+ This flag is _\bo_\bn by default when s\bsu\bud\bdo\bo is compiled with
+ z\bzl\bli\bib\bb support.
+
+ env_editor If set, v\bvi\bis\bsu\bud\bdo\bo will use the value of the EDITOR or
+ VISUAL environment variables before falling back on the
+ default editor list. Note that this may create a
+ security hole as it allows the user to run any
+ arbitrary command as root without logging. A safer
+ alternative is to place a colon-separated list of
+ editors in the editor variable. v\bvi\bis\bsu\bud\bdo\bo will then only
+ use the EDITOR or VISUAL if they match a value
+ specified in editor. This flag is _\bo_\bf_\bf by default.
+
+ env_reset If set, s\bsu\bud\bdo\bo will run the command in a minimal
+ environment containing the TERM, PATH, HOME, MAIL,
+ SHELL, LOGNAME, USER, USERNAME and SUDO_* variables.
+ Any variables in the caller's environment that match
+ the env_keep and env_check lists are then added,
+ followed by any variables present in the file specified
+ by the _\be_\bn_\bv_\b__\bf_\bi_\bl_\be option (if any). The default contents
+ of the env_keep and env_check lists are displayed when
+ s\bsu\bud\bdo\bo is run by root with the _\b-_\bV option. If the
+ _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh option is set, its value will be used for
+ the PATH environment variable. This flag is _\bo_\bn by
+ default.
+
+ fast_glob Normally, s\bsu\bud\bdo\bo uses the _\bg_\bl_\bo_\bb(3) function to do shell-
+ style globbing when matching path names. However,
+ since it accesses the file system, _\bg_\bl_\bo_\bb(3) can take a
+ long time to complete for some patterns, especially
+ when the pattern references a network file system that
+ is mounted on demand (automounted). The _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb
+ option causes s\bsu\bud\bdo\bo to use the _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) function,
+ which does not access the file system to do its
+ matching. The disadvantage of _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is that it is
+ unable to match relative path names such as _\b._\b/_\bl_\bs or
+ _\b._\b._\b/_\bb_\bi_\bn_\b/_\bl_\bs. This has security implications when path
+ names that include globbing characters are used with
+ the negation operator, '!', as such rules can be
+ trivially bypassed. As such, this option should not be
+ used when _\bs_\bu_\bd_\bo_\be_\br_\bs contains rules that contain negated
+ path names which include globbing characters. This
+ flag is _\bo_\bf_\bf by default.
+
+ fqdn Set this flag if you want to put fully qualified host
+ names in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. I.e., instead of myhost you
+ would use myhost.mydomain.edu. You may still use the
+ short form if you wish (and even mix the two). Beware
+ that turning on _\bf_\bq_\bd_\bn requires s\bsu\bud\bdo\bo to make DNS lookups
+ which may make s\bsu\bud\bdo\bo unusable if DNS stops working (for
+ example if the machine is not plugged into the
+ network). Also note that you must use the host's
+ official name as DNS knows it. That is, you may not
+ use a host alias (CNAME entry) due to performance
+ issues and the fact that there is no way to get all
+ aliases from DNS. If your machine's host name (as
+ returned by the hostname command) is already fully
+ qualified you shouldn't need to set _\bf_\bq_\bd_\bn. This flag is
+ _\bo_\bf_\bf by default.
+
+ ignore_dot If set, s\bsu\bud\bdo\bo will ignore '.' or '' (current dir) in the
+ PATH environment variable; the PATH itself is not
+ modified. This flag is _\bo_\bf_\bf by default.
+
+ ignore_local_sudoers
+ If set via LDAP, parsing of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs will be
+ skipped. This is intended for Enterprises that wish to
+ prevent the usage of local sudoers files so that only
+ LDAP is used. This thwarts the efforts of rogue
+ operators who would attempt to add roles to
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. When this option is present,
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs does not even need to exist. Since this
+ option tells s\bsu\bud\bdo\bo how to behave when no specific LDAP
+ entries have been matched, this sudoOption is only
+ meaningful for the cn=defaults section. This flag is
+ _\bo_\bf_\bf by default.
+
+ insults If set, s\bsu\bud\bdo\bo will insult users when they enter an
+ incorrect password. This flag is _\bo_\bf_\bf by default.
+
+ log_host If set, the host name will be logged in the (non-
+ syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
+
+ log_input If set, s\bsu\bud\bdo\bo will run the command in a _\bp_\bs_\be_\bu_\bd_\bo _\bt_\bt_\by and
+ log all user input. If the standard input is not
+ connected to the user's tty, due to I/O redirection or
+ because the command is part of a pipeline, that input
+ is also captured and stored in a separate log file.
+
+ Input is logged to the directory specified by the
+ _\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br option (_\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo by default) using a
+ unique session ID that is included in the normal s\bsu\bud\bdo\bo
+ log line, prefixed with _\bT_\bS_\bI_\bD_\b=. The _\bi_\bo_\bl_\bo_\bg_\b__\bf_\bi_\bl_\be option
+ may be used to control the format of the session ID.
+
+ Note that user input may contain sensitive information
+ such as passwords (even if they are not echoed to the
+ screen), which will be stored in the log file
+ unencrypted. In most cases, logging the command output
+ via _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt is all that is required.
+
+ log_output If set, s\bsu\bud\bdo\bo will run the command in a _\bp_\bs_\be_\bu_\bd_\bo _\bt_\bt_\by and
+ log all output that is sent to the screen, similar to
+ the _\bs_\bc_\br_\bi_\bp_\bt(1) command. If the standard output or
+ standard error is not connected to the user's tty, due
+ to I/O redirection or because the command is part of a
+ pipeline, that output is also captured and stored in
+ separate log files.
+
+ Output is logged to the directory specified by the
+ _\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br option (_\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo by default) using a
+ unique session ID that is included in the normal s\bsu\bud\bdo\bo
+ log line, prefixed with _\bT_\bS_\bI_\bD_\b=. The _\bi_\bo_\bl_\bo_\bg_\b__\bf_\bi_\bl_\be option
+ may be used to control the format of the session ID.
+
+ Output logs may be viewed with the _\bs_\bu_\bd_\bo_\br_\be_\bp_\bl_\ba_\by(1m)
+ utility, which can also be used to list or search the
+ available logs.
+
+ log_year If set, the four-digit year will be logged in the (non-
+ syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
+
+ long_otp_prompt When validating with a One Time Password (OTP) scheme
+ such as S\bS/\b/K\bKe\bey\by or O\bOP\bPI\bIE\bE, a two-line prompt is used to
+ make it easier to cut and paste the challenge to a
+ local window. It's not as pretty as the default but
+ some people find it more convenient. This flag is _\bo_\bf_\bf
+ by default.
+
+ mail_always Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user every time a users runs
+ s\bsu\bud\bdo\bo. This flag is _\bo_\bf_\bf by default.
+
+ mail_badpass Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user if the user running s\bsu\bud\bdo\bo
+ does not enter the correct password. This flag is _\bo_\bf_\bf
+ by default.
+
+ mail_no_host If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
+ invoking user exists in the _\bs_\bu_\bd_\bo_\be_\br_\bs file, but is not
+ allowed to run commands on the current host. This flag
+ is _\bo_\bf_\bf by default.
+
+ mail_no_perms If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
+ invoking user is allowed to use s\bsu\bud\bdo\bo but the command
+ they are trying is not listed in their _\bs_\bu_\bd_\bo_\be_\br_\bs file
+ entry or is explicitly denied. This flag is _\bo_\bf_\bf by
+ default.
+
+ mail_no_user If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
+ invoking user is not in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. This flag is
+ _\bo_\bn by default.
+
+ noexec If set, all commands run via s\bsu\bud\bdo\bo will behave as if the
+ NOEXEC tag has been set, unless overridden by a EXEC
+ tag. See the description of _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC below as
+ well as the "Preventing Shell Escapes" section at the
+ end of this manual. This flag is _\bo_\bf_\bf by default.
+
+ path_info Normally, s\bsu\bud\bdo\bo will tell the user when a command could
+ not be found in their PATH environment variable. Some
+ sites may wish to disable this as it could be used to
+ gather information on the location of executables that
+ the normal user does not have access to. The
+ disadvantage is that if the executable is simply not in
+ the user's PATH, s\bsu\bud\bdo\bo will tell the user that they are
+ not allowed to run it, which can be confusing. This
+ flag is _\bo_\bn by default.
+
+ passprompt_override
+ The password prompt specified by _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will
+ normally only be used if the password prompt provided
+ by systems such as PAM matches the string "Password:".
+ If _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is set, _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will always
+ be used. This flag is _\bo_\bf_\bf by default.
+
+ preserve_groups By default, s\bsu\bud\bdo\bo will initialize the group vector to
+ the list of groups the target user is in. When
+ _\bp_\br_\be_\bs_\be_\br_\bv_\be_\b__\bg_\br_\bo_\bu_\bp_\bs is set, the user's existing group
+ vector is left unaltered. The real and effective group
+ IDs, however, are still set to match the target user.
+ This flag is _\bo_\bf_\bf by default.
+
+ pwfeedback By default, s\bsu\bud\bdo\bo reads the password like most other
+ Unix programs, by turning off echo until the user hits
+ the return (or enter) key. Some users become confused
+ by this as it appears to them that s\bsu\bud\bdo\bo has hung at
+ this point. When _\bp_\bw_\bf_\be_\be_\bd_\bb_\ba_\bc_\bk is set, s\bsu\bud\bdo\bo will provide
+ visual feedback when the user presses a key. Note that
+ this does have a security impact as an onlooker may be
+ able to determine the length of the password being
+ entered. This flag is _\bo_\bf_\bf by default.
+
+ requiretty If set, s\bsu\bud\bdo\bo will only run when the user is logged in
+ to a real tty. When this flag is set, s\bsu\bud\bdo\bo can only be
+ run from a login session and not via other means such
+ as _\bc_\br_\bo_\bn(1m) or cgi-bin scripts. This flag is _\bo_\bf_\bf by
+ default.
+
+ root_sudo If set, root is allowed to run s\bsu\bud\bdo\bo too. Disabling
+ this prevents users from "chaining" s\bsu\bud\bdo\bo commands to
+ get a root shell by doing something like "sudo sudo
+ /bin/sh". Note, however, that turning off _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo
+ will also prevent root from running s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
+ Disabling _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo provides no real additional
+ security; it exists purely for historical reasons.
+ This flag is _\bo_\bn by default.
+
+ rootpw If set, s\bsu\bud\bdo\bo will prompt for the root password instead
+ of the password of the invoking user. This flag is _\bo_\bf_\bf
+ by default.
+
+ runaspw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
+ defined by the _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt option (defaults to root)
+ instead of the password of the invoking user. This
+ flag is _\bo_\bf_\bf by default.
+
+ set_home If enabled and s\bsu\bud\bdo\bo is invoked with the -\b-s\bs option the
+ HOME environment variable will be set to the home
+ directory of the target user (which is root unless the
+ -\b-u\bu option is used). This effectively makes the -\b-s\bs
+ option imply -\b-H\bH. Note that HOME is already set when
+ the the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is enabled, so _\bs_\be_\bt_\b__\bh_\bo_\bm_\be is
+ only effective for configurations where either
+ _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt is disabled or HOME is present in the
+ _\be_\bn_\bv_\b__\bk_\be_\be_\bp list. This flag is _\bo_\bf_\bf by default.
+
+ set_logname Normally, s\bsu\bud\bdo\bo will set the LOGNAME, USER and USERNAME
+ environment variables to the name of the target user
+ (usually root unless the -\b-u\bu option is given). However,
+ since some programs (including the RCS revision control
+ system) use LOGNAME to determine the real identity of
+ the user, it may be desirable to change this behavior.
+ This can be done by negating the set_logname option.
+ Note that if the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option has not been
+ disabled, entries in the _\be_\bn_\bv_\b__\bk_\be_\be_\bp list will override
+ the value of _\bs_\be_\bt_\b__\bl_\bo_\bg_\bn_\ba_\bm_\be. This flag is _\bo_\bn by default.
+
+ set_utmp When enabled, s\bsu\bud\bdo\bo will create an entry in the utmp (or
+ utmpx) file when a pseudo-tty is allocated. A pseudo-
+ tty is allocated by s\bsu\bud\bdo\bo when the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt, _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt
+ or _\bu_\bs_\be_\b__\bp_\bt_\by flags are enabled. By default, the new
+ entry will be a copy of the user's existing utmp entry
+ (if any), with the tty, time, type and pid fields
+ updated. This flag is _\bo_\bn by default.
+
+ setenv Allow the user to disable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option from the
+ command line via the -\b-E\bE option. Additionally,
+ environment variables set via the command line are not
+ subject to the restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk,
+ _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such, only trusted users
+ should be allowed to set variables in this manner.
+ This flag is _\bo_\bf_\bf by default.
+
+ shell_noargs If set and s\bsu\bud\bdo\bo is invoked with no arguments it acts as
+ if the -\b-s\bs option had been given. That is, it runs a
+ shell as root (the shell is determined by the SHELL
+ environment variable if it is set, falling back on the
+ shell listed in the invoking user's /etc/passwd entry
+ if not). This flag is _\bo_\bf_\bf by default.
+
+ stay_setuid Normally, when s\bsu\bud\bdo\bo executes a command the real and
+ effective UIDs are set to the target user (root by
+ default). This option changes that behavior such that
+ the real UID is left as the invoking user's UID. In
+ other words, this makes s\bsu\bud\bdo\bo act as a setuid wrapper.
+ This can be useful on systems that disable some
+ potentially dangerous functionality when a program is
+ run setuid. This option is only effective on systems
+ with either the _\bs_\be_\bt_\br_\be_\bu_\bi_\bd_\b(_\b) or _\bs_\be_\bt_\br_\be_\bs_\bu_\bi_\bd_\b(_\b) function.
+ This flag is _\bo_\bf_\bf by default.
+
+ targetpw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
+ specified by the -\b-u\bu option (defaults to root) instead
+ of the password of the invoking user. In addition, the
+ timestamp file name will include the target user's
+ name. Note that this flag precludes the use of a uid
+ not listed in the passwd database as an argument to the
+ -\b-u\bu option. This flag is _\bo_\bf_\bf by default.
+
+ tty_tickets If set, users must authenticate on a per-tty basis.
+ With this flag enabled, s\bsu\bud\bdo\bo will use a file named for
+ the tty the user is logged in on in the user's time
+ stamp directory. If disabled, the time stamp of the
+ directory is used instead. This flag is _\bo_\bn by default.
+
+ umask_override If set, s\bsu\bud\bdo\bo will set the umask as specified by _\bs_\bu_\bd_\bo_\be_\br_\bs
+ without modification. This makes it possible to
+ specify a more permissive umask in _\bs_\bu_\bd_\bo_\be_\br_\bs than the
+ user's own umask and matches historical behavior. If
+ _\bu_\bm_\ba_\bs_\bk_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is not set, s\bsu\bud\bdo\bo will set the umask to
+ be the union of the user's umask and what is specified
+ in _\bs_\bu_\bd_\bo_\be_\br_\bs. This flag is _\bo_\bf_\bf by default.
+
+ use_loginclass If set, s\bsu\bud\bdo\bo will apply the defaults specified for the
+ target user's login class if one exists. Only
+ available if s\bsu\bud\bdo\bo is configured with the
+ --with-logincap option. This flag is _\bo_\bf_\bf by default.
+
+ use_pty If set, s\bsu\bud\bdo\bo will run the command in a pseudo-pty even
+ if no I/O logging is being gone. A malicious program
+ run under s\bsu\bud\bdo\bo could conceivably fork a background
+ process that retains to the user's terminal device
+ after the main program has finished executing. Use of
+ this option will make that impossible. This flag is
+ _\bo_\bf_\bf by default.
+
+ utmp_runas If set, s\bsu\bud\bdo\bo will store the name of the runas user when
+ updating the utmp (or utmpx) file. By default, s\bsu\bud\bdo\bo
+ stores the name of the invoking user. This flag is _\bo_\bf_\bf
+ by default.
+
+ visiblepw By default, s\bsu\bud\bdo\bo will refuse to run if the user must
+ enter a password but it is not possible to disable echo
+ on the terminal. If the _\bv_\bi_\bs_\bi_\bb_\bl_\be_\bp_\bw flag is set, s\bsu\bud\bdo\bo
+ will prompt for a password even when it would be
+ visible on the screen. This makes it possible to run
+ things like "rsh somehost sudo ls" since _\br_\bs_\bh(1) does
+ not allocate a tty. This flag is _\bo_\bf_\bf by default.
+
+ I\bIn\bnt\bte\beg\bge\ber\brs\bs:
+
+ closefrom Before it executes a command, s\bsu\bud\bdo\bo will close all open
+ file descriptors other than standard input, standard
+ output and standard error (ie: file descriptors 0-2).
+ The _\bc_\bl_\bo_\bs_\be_\bf_\br_\bo_\bm option can be used to specify a different
+ file descriptor at which to start closing. The default
+ is 3.
+
+ passwd_tries The number of tries a user gets to enter his/her
+ password before s\bsu\bud\bdo\bo logs the failure and exits. The
+ default is 3.
+
+ I\bIn\bnt\bte\beg\bge\ber\brs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
+
+ loglinelen Number of characters per line for the file log. This
+ value is used to decide when to wrap lines for nicer
+ log files. This has no effect on the syslog log file,
+ only the file log. The default is 80 (use 0 or negate
+ the option to disable word wrap).
+
+ passwd_timeout Number of minutes before the s\bsu\bud\bdo\bo password prompt times
+ out, or 0 for no timeout. The timeout may include a
+ fractional component if minute granularity is
+ insufficient, for example 2.5. The default is 5.
+
+ timestamp_timeout
+ Number of minutes that can elapse before s\bsu\bud\bdo\bo will ask
+ for a passwd again. The timeout may include a
+ fractional component if minute granularity is
+ insufficient, for example 2.5. The default is 5. Set
+ this to 0 to always prompt for a password. If set to a
+ value less than 0 the user's timestamp will never
+ expire. This can be used to allow users to create or
+ delete their own timestamps via sudo -v and sudo -k
+ respectively.
+
+ umask Umask to use when running the command. Negate this
+ option or set it to 0777 to preserve the user's umask.
+ The actual umask that is used will be the union of the
+ user's umask and the value of the _\bu_\bm_\ba_\bs_\bk option, which
+ defaults to 0022. This guarantees that s\bsu\bud\bdo\bo never
+ lowers the umask when running a command. Note on
+ systems that use PAM, the default PAM configuration may
+ specify its own umask which will override the value set
+ in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+
+ S\bSt\btr\bri\bin\bng\bgs\bs:
+
+ badpass_message Message that is displayed if a user enters an incorrect
+ password. The default is Sorry, try again. unless
+ insults are enabled.
+
+ editor A colon (':') separated list of editors allowed to be
+ used with v\bvi\bis\bsu\bud\bdo\bo. v\bvi\bis\bsu\bud\bdo\bo will choose the editor that
+ matches the user's EDITOR environment variable if
+ possible, or the first editor in the list that exists
+ and is executable. The default is "vi".
+
+ iolog_dir The top-level directory to use when constructing the
+ path name for the input/output log directory. Only
+ used if the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt or _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt options are enabled
+ or when the LOG_INPUT or LOG_OUTPUT tags are present
+ for a command. The session sequence number, if any, is
+ stored in the directory. The default is
+ "/var/log/sudo-io".
+
+ The following percent (`%') escape sequences are
+ supported:
+
+ %{seq}
+ expanded to a monotonically increasing base-36
+ sequence number, such as 0100A5, where every two
+ digits are used to form a new directory, e.g.
+ _\b0_\b1_\b/_\b0_\b0_\b/_\bA_\b5
+
+ %{user}
+ expanded to the invoking user's login name
+
+ %{group}
+ expanded to the name of the invoking user's real
+ group ID
+
+ %{runas_user}
+ expanded to the login name of the user the command
+ will be run as (e.g. root)
+
+ %{runas_group}
+ expanded to the group name of the user the command
+ will be run as (e.g. wheel)
+
+ %{hostname}
+ expanded to the local host name without the domain
+ name
+
+ %{command}
+ expanded to the base name of the command being run
+
+ In addition, any escape sequences supported by the
+ system's _\bs_\bt_\br_\bf_\bt_\bi_\bm_\be_\b(_\b) function will be expanded.
+
+ To include a literal `%' character, the string `%%'
+ should be used.
+
+ iolog_file The path name, relative to _\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br, in which to store
+ input/output logs when the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt or _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt
+ options are enabled or when the LOG_INPUT or LOG_OUTPUT
+ tags are present for a command. Note that _\bi_\bo_\bl_\bo_\bg_\b__\bf_\bi_\bl_\be
+ may contain directory components. The default is
+ "%{seq}".
+
+ See the _\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br option above for a list of supported
+ percent (`%') escape sequences.
+
+ In addition to the escape sequences, path names that
+ end in six or more Xs will have the Xs replaced with a
+ unique combination of digits and letters, similar to
+ the _\bm_\bk_\bt_\be_\bm_\bp_\b(_\b) function.
+
+ mailsub Subject of the mail sent to the _\bm_\ba_\bi_\bl_\bt_\bo user. The escape
+ %h will expand to the host name of the machine.
+ Default is *** SECURITY information for %h ***.
+
+ noexec_file This option is no longer supported. The path to the
+ noexec file should now be set in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf
+ file.
+
+ passprompt The default prompt to use when asking for a password;
+ can be overridden via the -\b-p\bp option or the SUDO_PROMPT
+ environment variable. The following percent (`%')
+ escape sequences are supported:
+
+ %H expanded to the local host name including the
+ domain name (only if the machine's host name is
+ fully qualified or the _\bf_\bq_\bd_\bn option is set)
+
+ %h expanded to the local host name without the domain
+ name
+
+ %p expanded to the user whose password is being asked
+ for (respects the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and _\br_\bu_\bn_\ba_\bs_\bp_\bw
+ flags in _\bs_\bu_\bd_\bo_\be_\br_\bs)
+
+ %U expanded to the login name of the user the command
+ will be run as (defaults to root)
+
+ %u expanded to the invoking user's login name
+
+ %% two consecutive % characters are collapsed into a
+ single % character
+
+ The default value is Password:.
+
+ role The default SELinux role to use when constructing a new
+ security context to run the command. The default role
+ may be overridden on a per-command basis in _\bs_\bu_\bd_\bo_\be_\br_\bs or
+ via command line options. This option is only
+ available whe s\bsu\bud\bdo\bo is built with SELinux support.
+
+ runas_default The default user to run commands as if the -\b-u\bu option is
+ not specified on the command line. This defaults to
+ root.
+
+ syslog_badpri Syslog priority to use when user authenticates
+ unsuccessfully. Defaults to alert.
+
+ The following syslog priorities are supported: a\bal\ble\ber\brt\bt,
+ c\bcr\bri\bit\bt, d\bde\beb\bbu\bug\bg, e\bem\bme\ber\brg\bg, e\ber\brr\br, i\bin\bnf\bfo\bo, n\bno\bot\bti\bic\bce\be, and w\bwa\bar\brn\bni\bin\bng\bg.
+
+ syslog_goodpri Syslog priority to use when user authenticates
+ successfully. Defaults to notice.
+
+ See syslog_badpri for the list of supported syslog
+ priorities.
+
+ sudoers_locale Locale to use when parsing the sudoers file, logging
+ commands, and sending email. Note that changing the
+ locale may affect how sudoers is interpreted. Defaults
+ to "C".
+
+ timestampdir The directory in which s\bsu\bud\bdo\bo stores its timestamp files.
+ The default is _\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo.
+
+ timestampowner The owner of the timestamp directory and the timestamps
+ stored therein. The default is root.
+
+ type The default SELinux type to use when constructing a new
+ security context to run the command. The default type
+ may be overridden on a per-command basis in _\bs_\bu_\bd_\bo_\be_\br_\bs or
+ via command line options. This option is only
+ available whe s\bsu\bud\bdo\bo is built with SELinux support.
+
+ S\bSt\btr\bri\bin\bng\bgs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
+
+ env_file The _\be_\bn_\bv_\b__\bf_\bi_\bl_\be option specifies the fully qualified path to a
+ file containing variables to be set in the environment of
+ the program being run. Entries in this file should either
+ be of the form VARIABLE=value or export VARIABLE=value.
+ The value may optionally be surrounded by single or double
+ quotes. Variables in this file are subject to other s\bsu\bud\bdo\bo
+ environment settings such as _\be_\bn_\bv_\b__\bk_\be_\be_\bp and _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk.
+
+ exempt_group
+ Users in this group are exempt from password and PATH
+ requirements. The group name specified should not include
+ a % prefix. This is not set by default.
+
+ group_plugin
+ A string containing a _\bs_\bu_\bd_\bo_\be_\br_\bs group plugin with optional
+ arguments. This can be used to implement support for the
+ nonunix_group syntax described earlier. The string should
+ consist of the plugin path, either fully-qualified or
+ relative to the _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc directory, followed by
+ any configuration arguments the plugin requires. These
+ arguments (if any) will be passed to the plugin's
+ initialization function. If arguments are present, the
+ string must be enclosed in double quotes (").
+
+ For example, given _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b-_\bg_\br_\bo_\bu_\bp, a group file in Unix
+ group format, the sample group plugin can be used:
+
+ Defaults group_plugin="sample_group.so /etc/sudo-group"
+
+ For more information see _\bs_\bu_\bd_\bo_\b__\bp_\bl_\bu_\bg_\bi_\bn(4).
+
+ lecture This option controls when a short lecture will be printed
+ along with the password prompt. It has the following
+ possible values:
+
+ always Always lecture the user.
+
+ never Never lecture the user.
+
+ once Only lecture the user the first time they run s\bsu\bud\bdo\bo.
+
+ If no value is specified, a value of _\bo_\bn_\bc_\be is implied.
+ Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
+ The default value is _\bo_\bn_\bc_\be.
+
+ lecture_file
+ Path to a file containing an alternate s\bsu\bud\bdo\bo lecture that
+ will be used in place of the standard lecture if the named
+ file exists. By default, s\bsu\bud\bdo\bo uses a built-in lecture.
+
+ listpw This option controls when a password will be required when
+ a user runs s\bsu\bud\bdo\bo with the -\b-l\bl option. It has the following
+ possible values:
+
+ all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the current host
+ must have the NOPASSWD flag set to avoid entering a
+ password.
+
+ always The user must always enter a password to use the -\b-l\bl
+ option.
+
+ any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the
+ current host must have the NOPASSWD flag set to
+ avoid entering a password.
+
+ never The user need never enter a password to use the -\b-l\bl
+ option.
+
+ If no value is specified, a value of _\ba_\bn_\by is implied.
+ Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
+ The default value is _\ba_\bn_\by.
+
+ logfile Path to the s\bsu\bud\bdo\bo log file (not the syslog log file).
+ Setting a path turns on logging to a file; negating this
+ option turns it off. By default, s\bsu\bud\bdo\bo logs via syslog.
+
+ mailerflags Flags to use when invoking mailer. Defaults to -\b-t\bt.
+
+ mailerpath Path to mail program used to send warning mail. Defaults
+ to the path to sendmail found at configure time.
+
+ mailfrom Address to use for the "from" address when sending warning
+ and error mail. The address should be enclosed in double
+ quotes (") to protect against s\bsu\bud\bdo\bo interpreting the @ sign.
+ Defaults to the name of the user running s\bsu\bud\bdo\bo.
+
+ mailto Address to send warning and error mail to. The address
+ should be enclosed in double quotes (") to protect against
+ s\bsu\bud\bdo\bo interpreting the @ sign. Defaults to root.
+
+ secure_path Path used for every command run from s\bsu\bud\bdo\bo. If you don't
+ trust the people running s\bsu\bud\bdo\bo to have a sane PATH
+ environment variable you may want to use this. Another use
+ is if you want to have the "root path" be separate from the
+ "user path." Users in the group specified by the
+ _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option are not affected by _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh. This
+ option is not set by default.
+
+ syslog Syslog facility if syslog is being used for logging (negate
+ to disable syslog logging). Defaults to auth.
+
+ The following syslog facilities are supported: a\bau\but\bth\bhp\bpr\bri\biv\bv (if
+ your OS supports it), a\bau\but\bth\bh, d\bda\bae\bem\bmo\bon\bn, u\bus\bse\ber\br, l\blo\boc\bca\bal\bl0\b0, l\blo\boc\bca\bal\bl1\b1,
+ l\blo\boc\bca\bal\bl2\b2, l\blo\boc\bca\bal\bl3\b3, l\blo\boc\bca\bal\bl4\b4, l\blo\boc\bca\bal\bl5\b5, l\blo\boc\bca\bal\bl6\b6, and l\blo\boc\bca\bal\bl7\b7.
+
+ verifypw This option controls when a password will be required when
+ a user runs s\bsu\bud\bdo\bo with the -\b-v\bv option. It has the following
+ possible values:
+
+ all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the current host
+ must have the NOPASSWD flag set to avoid entering a
+ password.
+
+ always The user must always enter a password to use the -\b-v\bv
+ option.
+
+ any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the
+ current host must have the NOPASSWD flag set to
+ avoid entering a password.
+
+ never The user need never enter a password to use the -\b-v\bv
+ option.
+
+ If no value is specified, a value of _\ba_\bl_\bl is implied.
+ Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
+ The default value is _\ba_\bl_\bl.
+
+ L\bLi\bis\bst\bts\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
+
+ env_check Environment variables to be removed from the user's
+ environment if the variable's value contains % or /
+ characters. This can be used to guard against printf-
+ style format vulnerabilities in poorly-written
+ programs. The argument may be a double-quoted, space-
+ separated list or a single value without double-quotes.
+ The list can be replaced, added to, deleted from, or
+ disabled by using the =, +=, -=, and ! operators
+ respectively. Regardless of whether the env_reset
+ option is enabled or disabled, variables specified by
+ env_check will be preserved in the environment if they
+ pass the aforementioned check. The default list of
+ environment variables to check is displayed when s\bsu\bud\bdo\bo
+ is run by root with the _\b-_\bV option.
+
+ env_delete Environment variables to be removed from the user's
+ environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is not in effect.
+ The argument may be a double-quoted, space-separated
+ list or a single value without double-quotes. The list
+ can be replaced, added to, deleted from, or disabled by
+ using the =, +=, -=, and ! operators respectively. The
+ default list of environment variables to remove is
+ displayed when s\bsu\bud\bdo\bo is run by root with the _\b-_\bV option.
+ Note that many operating systems will remove
+ potentially dangerous variables from the environment of
+ any setuid process (such as s\bsu\bud\bdo\bo).
+
+ env_keep Environment variables to be preserved in the user's
+ environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is in effect.
+ This allows fine-grained control over the environment
+ s\bsu\bud\bdo\bo-spawned processes will receive. The argument may
+ be a double-quoted, space-separated list or a single
+ value without double-quotes. The list can be replaced,
+ added to, deleted from, or disabled by using the =, +=,
+ -=, and ! operators respectively. The default list of
+ variables to keep is displayed when s\bsu\bud\bdo\bo is run by root
+ with the _\b-_\bV option.
+
+S\bSU\bUD\bDO\bO.\b.C\bCO\bON\bNF\bF
+ The _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file determines which plugins the s\bsu\bud\bdo\bo front end
+ will load. If no _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file is present, or it contains no
+ Plugin lines, s\bsu\bud\bdo\bo will use the _\bs_\bu_\bd_\bo_\be_\br_\bs security policy and I/O
+ logging, which corresponds to the following _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file.
+
+ #
+ # Default /etc/sudo.conf file
+ #
+ # Format:
+ # Plugin plugin_name plugin_path plugin_options ...
+ # Path askpass /path/to/askpass
+ # Path noexec /path/to/sudo_noexec.so
+ # Debug sudo /var/log/sudo_debug all@warn
+ # Set disable_coredump true
+ #
+ # The plugin_path is relative to /usr/local/libexec unless
+ # fully qualified.
+ # The plugin_name corresponds to a global symbol in the plugin
+ # that contains the plugin interface structure.
+ # The plugin_options are optional.
+ #
+ Plugin policy_plugin sudoers.so
+ Plugin io_plugin sudoers.so
+
+ P\bPL\bLU\bUG\bGI\bIN\bN O\bOP\bPT\bTI\bIO\bON\bNS\bS
+ Starting with s\bsu\bud\bdo\bo 1.8.5 it is possible to pass options to the _\bs_\bu_\bd_\bo_\be_\br_\bs
+ plugin. Options may be listed after the path to the plugin (i.e. after
+ _\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bs_\bo); multiple options should be space-separated. For example:
+
+ Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
+
+ The following plugin options are supported:
+
+ sudoers_file=pathname
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bf_\bi_\bl_\be option can be used to override the default
+ path to the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
+
+ sudoers_uid=uid
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bu_\bi_\bd option can be used to override the default
+ owner of the sudoers file. It should be specified as a
+ numeric user ID.
+
+ sudoers_gid=gid
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bg_\bi_\bd option can be used to override the default
+ group of the sudoers file. It should be specified as a
+ numeric group ID.
+
+ sudoers_mode=mode
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bm_\bo_\bd_\be option can be used to override the default
+ file mode for the sudoers file. It should be specified as an
+ octal value.
+
+ D\bDE\bEB\bBU\bUG\bG F\bFL\bLA\bAG\bGS\bS
+ Versions 1.8.4 and higher of the _\bs_\bu_\bd_\bo_\be_\br_\bs plugin supports a debugging
+ framework that can help track down what the plugin is doing internally
+ if there is a problem. This can be configured in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf
+ file as described in _\bs_\bu_\bd_\bo(1m).
+
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs plugin uses the same debug flag format as s\bsu\bud\bdo\bo itself:
+ _\bs_\bu_\bb_\bs_\by_\bs_\bt_\be_\bm@_\bp_\br_\bi_\bo_\br_\bi_\bt_\by.
+
+ The priorities used by _\bs_\bu_\bd_\bo_\be_\br_\bs, in order of decreasing severity, are:
+ _\bc_\br_\bi_\bt, _\be_\br_\br, _\bw_\ba_\br_\bn, _\bn_\bo_\bt_\bi_\bc_\be, _\bd_\bi_\ba_\bg, _\bi_\bn_\bf_\bo, _\bt_\br_\ba_\bc_\be and _\bd_\be_\bb_\bu_\bg. Each priority,
+ when specified, also includes all priorities higher than it. For
+ example, a priority of _\bn_\bo_\bt_\bi_\bc_\be would include debug messages logged at
+ _\bn_\bo_\bt_\bi_\bc_\be and higher.
+
+ The following subsystems are used by _\bs_\bu_\bd_\bo_\be_\br_\bs:
+
+ _\ba_\bl_\bi_\ba_\bs User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing
+
+ _\ba_\bl_\bl matches every subsystem
+
+ _\ba_\bu_\bd_\bi_\bt BSM and Linux audit code
+
+ _\ba_\bu_\bt_\bh user authentication
+
+ _\bd_\be_\bf_\ba_\bu_\bl_\bt_\bs _\bs_\bu_\bd_\bo_\be_\br_\bs _\bD_\be_\bf_\ba_\bu_\bl_\bt_\bs settings
+
+ _\be_\bn_\bv environment handling
+
+ _\bl_\bd_\ba_\bp LDAP-based sudoers
+
+ _\bl_\bo_\bg_\bg_\bi_\bn_\bg logging support
+
+ _\bm_\ba_\bt_\bc_\bh matching of users, groups, hosts and netgroups in _\bs_\bu_\bd_\bo_\be_\br_\bs
+
+ _\bn_\be_\bt_\bi_\bf network interface handling
+
+ _\bn_\bs_\bs network service switch handling in _\bs_\bu_\bd_\bo_\be_\br_\bs
+
+ _\bp_\ba_\br_\bs_\be_\br _\bs_\bu_\bd_\bo_\be_\br_\bs file parsing
+
+ _\bp_\be_\br_\bm_\bs permission setting
+
+ _\bp_\bl_\bu_\bg_\bi_\bn The equivalent of _\bm_\ba_\bi_\bn for the plugin.
+
+ _\bp_\bt_\by pseudo-tty related code
+
+ _\br_\bb_\bt_\br_\be_\be redblack tree internals
+
+ _\bu_\bt_\bi_\bl utility functions
+
+F\bFI\bIL\bLE\bES\bS
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf Sudo front end configuration
+
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
+
+ _\b/_\be_\bt_\bc_\b/_\bg_\br_\bo_\bu_\bp Local groups file
+
+ _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bg_\br_\bo_\bu_\bp List of network groups
+
+ _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo I/O log files
+
+ _\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo Directory containing time stamps for the
+ _\bs_\bu_\bd_\bo_\be_\br_\bs security policy
+
+ _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt Initial environment for -\b-i\bi mode on AIX and
+ Linux systems
+
+E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
+ Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of these are a bit
+ contrived. First, we allow a few environment variables to pass and
+ then define our _\ba_\bl_\bi_\ba_\bs_\be_\bs:
+
+ # Run X applications through sudo; HOME is used to find the
+ # .Xauthority file. Note that other programs use HOME to find
+ # configuration files and this may lead to privilege escalation!
+ Defaults env_keep += "DISPLAY HOME"
+
+ # User alias specification
+ User_Alias FULLTIMERS = millert, mikef, dowdy
+ User_Alias PARTTIMERS = bostley, jwfox, crawl
+ User_Alias WEBMASTERS = will, wendy, wim
+
+ # Runas alias specification
+ Runas_Alias OP = root, operator
+ Runas_Alias DB = oracle, sybase
+ Runas_Alias ADMINGRP = adm, oper
+
+ # Host alias specification
+ Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
+ SGI = grolsch, dandelion, black :\
+ ALPHA = widget, thalamus, foobar :\
+ HPPA = boa, nag, python
+ Host_Alias CUNETS = 128.138.0.0/255.255.0.0
+ Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
+ Host_Alias SERVERS = master, mail, www, ns
+ Host_Alias CDROM = orion, perseus, hercules
+
+ # Cmnd alias specification
+ Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
+ /usr/sbin/restore, /usr/sbin/rrestore
+ Cmnd_Alias KILL = /usr/bin/kill
+ Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
+ Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
+ Cmnd_Alias HALT = /usr/sbin/halt
+ Cmnd_Alias REBOOT = /usr/sbin/reboot
+ Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
+ /usr/local/bin/tcsh, /usr/bin/rsh, \
+ /usr/local/bin/zsh
+ Cmnd_Alias SU = /usr/bin/su
+ Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
+
+ Here we override some of the compiled in default values. We want s\bsu\bud\bdo\bo
+ to log via _\bs_\by_\bs_\bl_\bo_\bg(3) using the _\ba_\bu_\bt_\bh facility in all cases. We don't
+ want to subject the full time staff to the s\bsu\bud\bdo\bo lecture, user m\bmi\bil\bll\ble\ber\brt\bt
+ need not give a password, and we don't want to reset the LOGNAME, USER
+ or USERNAME environment variables when running commands as root.
+ Additionally, on the machines in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, we keep an
+ additional local log file and make sure we log the year in each log
+ line since the log entries will be kept around for several years.
+ Lastly, we disable shell escapes for the commands in the PAGERS
+ Cmnd_Alias (_\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be, _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bp_\bg and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\be_\bs_\bs).
+
+ # Override built-in defaults
+ Defaults syslog=auth
+ Defaults>root !set_logname
+ Defaults:FULLTIMERS !lecture
+ Defaults:millert !authenticate
+ Defaults@SERVERS log_year, logfile=/var/log/sudo.log
+ Defaults!PAGERS noexec
+
+ The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually determines who may run
+ what.
+
+ root ALL = (ALL) ALL
+ %wheel ALL = (ALL) ALL
+
+ We let r\bro\boo\bot\bt and any user in group w\bwh\bhe\bee\bel\bl run any command on any host as
+ any user.
+
+ FULLTIMERS ALL = NOPASSWD: ALL
+
+ Full time sysadmins (m\bmi\bil\bll\ble\ber\brt\bt, m\bmi\bik\bke\bef\bf, and d\bdo\bow\bwd\bdy\by) may run any command on
+ any host without authenticating themselves.
+
+ PARTTIMERS ALL = ALL
+
+ Part time sysadmins (b\bbo\bos\bst\btl\ble\bey\by, j\bjw\bwf\bfo\box\bx, and c\bcr\bra\baw\bwl\bl) may run any command on
+ any host but they must authenticate themselves first (since the entry
+ lacks the NOPASSWD tag).
+
+ jack CSNETS = ALL
+
+ The user j\bja\bac\bck\bk may run any command on the machines in the _\bC_\bS_\bN_\bE_\bT_\bS alias
+ (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of
+ those networks, only 128.138.204.0 has an explicit netmask (in CIDR
+ notation) indicating it is a class C network. For the other networks
+ in _\bC_\bS_\bN_\bE_\bT_\bS, the local machine's netmask will be used during matching.
+
+ lisa CUNETS = ALL
+
+ The user l\bli\bis\bsa\ba may run any command on any host in the _\bC_\bU_\bN_\bE_\bT_\bS alias (the
+ class B network 128.138.0.0).
+
+ operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
+ sudoedit /etc/printcap, /usr/oper/bin/
+
+ The o\bop\bpe\ber\bra\bat\bto\bor\br user may run commands limited to simple maintenance.
+ Here, those are commands related to backups, killing processes, the
+ printing system, shutting down the system, and any commands in the
+ directory _\b/_\bu_\bs_\br_\b/_\bo_\bp_\be_\br_\b/_\bb_\bi_\bn_\b/.
+
+ joe ALL = /usr/bin/su operator
+
+ The user j\bjo\boe\be may only _\bs_\bu(1) to operator.
+
+ pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
+
+ %opers ALL = (: ADMINGRP) /usr/sbin/
+
+ Users in the o\bop\bpe\ber\brs\bs group may run commands in _\b/_\bu_\bs_\br_\b/_\bs_\bb_\bi_\bn_\b/ as themselves
+ with any group in the _\bA_\bD_\bM_\bI_\bN_\bG_\bR_\bP Runas_Alias (the a\bad\bdm\bm and o\bop\bpe\ber\br groups).
+
+ The user p\bpe\bet\bte\be is allowed to change anyone's password except for root on
+ the _\bH_\bP_\bP_\bA machines. Note that this assumes _\bp_\ba_\bs_\bs_\bw_\bd(1) does not take
+ multiple user names on the command line.
+
+ bob SPARC = (OP) ALL : SGI = (OP) ALL
+
+ The user b\bbo\bob\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI machines as any user
+ listed in the _\bO_\bP Runas_Alias (r\bro\boo\bot\bt and o\bop\bpe\ber\bra\bat\bto\bor\br).
+
+ jim +biglab = ALL
+
+ The user j\bji\bim\bm may run any command on machines in the _\bb_\bi_\bg_\bl_\ba_\bb netgroup.
+ s\bsu\bud\bdo\bo knows that "biglab" is a netgroup due to the '+' prefix.
+
+ +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
+
+ Users in the s\bse\bec\bcr\bre\bet\bta\bar\bri\bie\bes\bs netgroup need to help manage the printers as
+ well as add and remove users, so they are allowed to run those commands
+ on all machines.
+
+ fred ALL = (DB) NOPASSWD: ALL
+
+ The user f\bfr\bre\bed\bd can run commands as any user in the _\bD_\bB Runas_Alias
+ (o\bor\bra\bac\bcl\ble\be or s\bsy\byb\bba\bas\bse\be) without giving a password.
+
+ john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
+
+ On the _\bA_\bL_\bP_\bH_\bA machines, user j\bjo\boh\bhn\bn may su to anyone except root but he is
+ not allowed to specify any options to the _\bs_\bu(1) command.
+
+ jen ALL, !SERVERS = ALL
+
+ The user j\bje\ben\bn may run any command on any machine except for those in the
+ _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias (master, mail, www and ns).
+
+ jill SERVERS = /usr/bin/, !SU, !SHELLS
+
+ For any machine in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, j\bji\bil\bll\bl may run any commands in
+ the directory _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/ except for those commands belonging to the _\bS_\bU
+ and _\bS_\bH_\bE_\bL_\bL_\bS Cmnd_Aliases.
+
+ steve CSNETS = (operator) /usr/local/op_commands/
+
+ The user s\bst\bte\bev\bve\be may run any command in the directory
+ /usr/local/op_commands/ but only as user operator.
+
+ matt valkyrie = KILL
+
+ On his personal workstation, valkyrie, m\bma\bat\btt\bt needs to be able to kill
+ hung processes.
+
+ WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
+
+ On the host www, any user in the _\bW_\bE_\bB_\bM_\bA_\bS_\bT_\bE_\bR_\bS User_Alias (will, wendy,
+ and wim), may run any command as user www (which owns the web pages) or
+ simply _\bs_\bu(1) to www.
+
+ ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
+ /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
+
+ Any user may mount or unmount a CD-ROM on the machines in the CDROM
+ Host_Alias (orion, perseus, hercules) without entering a password.
+ This is a bit tedious for users to type, so it is a prime candidate for
+ encapsulating in a shell script.
+
+S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
+ L\bLi\bim\bmi\bit\bta\bat\bti\bio\bon\bns\bs o\bof\bf t\bth\bhe\be '\b'!\b!'\b' o\bop\bpe\ber\bra\bat\bto\bor\br
+ It is generally not effective to "subtract" commands from ALL using the
+ '!' operator. A user can trivially circumvent this by copying the
+ desired command to a different name and then executing that. For
+ example:
+
+ bill ALL = ALL, !SU, !SHELLS
+
+ Doesn't really prevent b\bbi\bil\bll\bl from running the commands listed in _\bS_\bU or
+ _\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those commands to a different name, or
+ use a shell escape from an editor or other program. Therefore, these
+ kind of restrictions should be considered advisory at best (and
+ reinforced by policy).
+
+ In general, if a user has sudo ALL there is nothing to prevent them
+ from creating their own program that gives them a root shell (or making
+ their own copy of a shell) regardless of any '!' elements in the user
+ specification.
+
+ S\bSe\bec\bcu\bur\bri\bit\bty\by i\bim\bmp\bpl\bli\bic\bca\bat\bti\bio\bon\bns\bs o\bof\bf _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb
+ If the _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb option is in use, it is not possible to reliably
+ negate commands where the path name includes globbing (aka wildcard)
+ characters. This is because the C library's _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) function cannot
+ resolve relative paths. While this is typically only an inconvenience
+ for rules that grant privileges, it can result in a security issue for
+ rules that subtract or revoke privileges.
+
+ For example, given the following _\bs_\bu_\bd_\bo_\be_\br_\bs entry:
+
+ john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
+ /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
+
+ User j\bjo\boh\bhn\bn can still run /usr/bin/passwd root if _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is enabled by
+ changing to _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn and running ./passwd root instead.
+
+ P\bPr\bre\bev\bve\ben\bnt\bti\bin\bng\bg S\bSh\bhe\bel\bll\bl E\bEs\bsc\bca\bap\bpe\bes\bs
+ Once s\bsu\bud\bdo\bo executes a program, that program is free to do whatever it
+ pleases, including run other programs. This can be a security issue
+ since it is not uncommon for a program to allow shell escapes, which
+ lets a user bypass s\bsu\bud\bdo\bo's access control and logging. Common programs
+ that permit shell escapes include shells (obviously), editors,
+ paginators, mail and terminal programs.
+
+ There are two basic approaches to this problem:
+
+ restrict Avoid giving users access to commands that allow the user to
+ run arbitrary commands. Many editors have a restricted mode
+ where shell escapes are disabled, though s\bsu\bud\bdo\boe\bed\bdi\bit\bt is a better
+ solution to running editors via s\bsu\bud\bdo\bo. Due to the large
+ number of programs that offer shell escapes, restricting
+ users to the set of programs that do not is often unworkable.
+
+ noexec Many systems that support shared libraries have the ability
+ to override default library functions by pointing an
+ environment variable (usually LD_PRELOAD) to an alternate
+ shared library. On such systems, s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality
+ can be used to prevent a program run by s\bsu\bud\bdo\bo from executing
+ any other programs. Note, however, that this applies only to
+ native dynamically-linked executables. Statically-linked
+ executables and foreign executables running under binary
+ emulation are not affected.
+
+ The _\bn_\bo_\be_\bx_\be_\bc feature is known to work on SunOS, Solaris, *BSD,
+ Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and
+ above. It should be supported on most operating systems that
+ support the LD_PRELOAD environment variable. Check your
+ operating system's manual pages for the dynamic linker
+ (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see
+ if LD_PRELOAD is supported.
+
+ On Solaris 10 and higher, _\bn_\bo_\be_\bx_\be_\bc uses Solaris privileges
+ instead of the LD_PRELOAD environment variable.
+
+ To enable _\bn_\bo_\be_\bx_\be_\bc for a command, use the NOEXEC tag as
+ documented in the User Specification section above. Here is
+ that example again:
+
+ aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+
+ This allows user a\baa\bar\bro\bon\bn to run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi
+ with _\bn_\bo_\be_\bx_\be_\bc enabled. This will prevent those two commands
+ from executing other commands (such as a shell). If you are
+ unsure whether or not your system is capable of supporting
+ _\bn_\bo_\be_\bx_\be_\bc you can always just try it out and check whether shell
+ escapes work when _\bn_\bo_\be_\bx_\be_\bc is enabled.
+
+ Note that restricting shell escapes is not a panacea. Programs running
+ as root are still capable of many potentially hazardous operations
+ (such as changing or overwriting files) that could lead to unintended
+ privilege escalation. In the specific case of an editor, a safer
+ approach is to give the user permission to run s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
+
+ T\bTi\bim\bme\be s\bst\bta\bam\bmp\bp f\bfi\bil\ble\be c\bch\bhe\bec\bck\bks\bs
+ _\bs_\bu_\bd_\bo_\be_\br_\bs will check the ownership of its time stamp directory
+ (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo by default) and ignore the directory's contents if it is
+ not owned by root or if it is writable by a user other than root. On
+ systems that allow non-root users to give away files via _\bc_\bh_\bo_\bw_\bn(2), if
+ the time stamp directory is located in a world-writable directory
+ (e.g., _\b/_\bt_\bm_\bp), it is possible for a user to create the time stamp
+ directory before s\bsu\bud\bdo\bo is run. However, because _\bs_\bu_\bd_\bo_\be_\br_\bs checks the
+ ownership and mode of the directory and its contents, the only damage
+ that can be done is to "hide" files by putting them in the time stamp
+ dir. This is unlikely to happen since once the time stamp dir is owned
+ by root and inaccessible by any other user, the user placing files
+ there would be unable to get them back out.
+
+ _\bs_\bu_\bd_\bo_\be_\br_\bs will not honor time stamps set far in the future. Time stamps
+ with a date greater than current_time + 2 * TIMEOUT will be ignored and
+ sudo will log and complain. This is done to keep a user from creating
+ his/her own time stamp with a bogus date on systems that allow users to
+ give away files if the time stamp directory is located in a world-
+ writable directory.
+
+ On systems where the boot time is available, _\bs_\bu_\bd_\bo_\be_\br_\bs will ignore time
+ stamps that date from before the machine booted.
+
+ Since time stamp files live in the file system, they can outlive a
+ user's login session. As a result, a user may be able to login, run a
+ command with s\bsu\bud\bdo\bo after authenticating, logout, login again, and run
+ s\bsu\bud\bdo\bo without authenticating so long as the time stamp file's
+ modification time is within 5 minutes (or whatever the timeout is set
+ to in _\bs_\bu_\bd_\bo_\be_\br_\bs). When the _\bt_\bt_\by_\b__\bt_\bi_\bc_\bk_\be_\bt_\bs option is enabled, the time stamp
+ has per-tty granularity but still may outlive the user's session. On
+ Linux systems where the devpts filesystem is used, Solaris systems with
+ the devices filesystem, as well as other systems that utilize a devfs
+ filesystem that monotonically increase the inode number of devices as
+ they are created (such as Mac OS X), _\bs_\bu_\bd_\bo_\be_\br_\bs is able to determine when
+ a tty-based time stamp file is stale and will ignore it.
+ Administrators should not rely on this feature as it is not universally
+ available.
+
+S\bSE\bEE\bE A\bAL\bLS\bSO\bO
+ _\br_\bs_\bh(1), _\bs_\bu(1), _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3), _\bg_\bl_\bo_\bb(3), _\bm_\bk_\bt_\be_\bm_\bp(3), _\bs_\bt_\br_\bf_\bt_\bi_\bm_\be(3),
+ _\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bd_\ba_\bp(4), _\bs_\bu_\bd_\bo_\b__\bp_\bl_\bu_\bg_\bi_\bn(1m), _\bs_\bu_\bd_\bo(1m), _\bv_\bi_\bs_\bu_\bd_\bo(1m)
+
+C\bCA\bAV\bVE\bEA\bAT\bTS\bS
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs file should a\bal\blw\bwa\bay\bys\bs be edited by the v\bvi\bis\bsu\bud\bdo\bo command which
+ locks the file and does grammatical checking. It is imperative that
+ _\bs_\bu_\bd_\bo_\be_\br_\bs be free of syntax errors since s\bsu\bud\bdo\bo will not run with a
+ syntactically incorrect _\bs_\bu_\bd_\bo_\be_\br_\bs file.
+
+ When using netgroups of machines (as opposed to users), if you store
+ fully qualified host name in the netgroup (as is usually the case), you
+ either need to have the machine's host name be fully qualified as
+ returned by the hostname command or use the _\bf_\bq_\bd_\bn option in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+
+B\bBU\bUG\bGS\bS
+ If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
+ http://www.sudo.ws/sudo/bugs/
+
+S\bSU\bUP\bPP\bPO\bOR\bRT\bT
+ Limited free support is available via the sudo-users mailing list, see
+ http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
+ the archives.
+
+D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
+ s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
+ including, but not limited to, the implied warranties of
+ merchantability and fitness for a particular purpose are disclaimed.
+ See the LICENSE file distributed with s\bsu\bud\bdo\bo or
+ http://www.sudo.ws/sudo/license.html for complete details.
+
+
+
+1.8.5 March 28, 2012 SUDOERS(4)
projects / debian / sudo / blobdiff