SUDOERS(4) Programmer's Manual SUDOERS(4)
N\bNA\bAM\bME\bE
- s\bsu\bud\bdo\boe\ber\brs\bs - default sudo security policy module
+ s\bsu\bud\bdo\boe\ber\brs\bs - default sudo security policy plugin
D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- The _\bs_\bu_\bd_\bo_\be_\br_\bs policy module determines a user's s\bsu\bud\bdo\bo privileges. It is the
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs policy plugin determines a user's s\bsu\bud\bdo\bo privileges. It is the
default s\bsu\bud\bdo\bo policy plugin. The policy is driven by the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs
file or, optionally in LDAP. The policy format is described in detail in
the _\bS_\bU_\bD_\bO_\bE_\bR_\bS _\bF_\bI_\bL_\bE _\bF_\bO_\bR_\bM_\bA_\bT section. For information on storing _\bs_\bu_\bd_\bo_\be_\br_\bs
policy information in LDAP, please see sudoers.ldap(4).
+ C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg s\bsu\bud\bdo\bo.\b.c\bco\bon\bnf\bf f\bfo\bor\br s\bsu\bud\bdo\boe\ber\brs\bs
+ s\bsu\bud\bdo\bo consults the sudo.conf(4) file to determine which policy and and I/O
+ logging plugins to load. If no sudo.conf(4) file is present, or if it
+ contains no Plugin lines, s\bsu\bud\bdo\boe\ber\brs\bs will be used for policy decisions and
+ I/O logging. To explicitly configure sudo.conf(4) to use the s\bsu\bud\bdo\boe\ber\brs\bs
+ plugin, the following configuration can be used.
+
+ Plugin sudoers_policy sudoers.so
+ Plugin sudoers_io sudoers.so
+
+ Starting with s\bsu\bud\bdo\bo 1.8.5, it is possible to specify optional arguments to
+ the s\bsu\bud\bdo\boe\ber\brs\bs plugin in the sudo.conf(4) file. These arguments, if
+ present, should be listed after the path to the plugin (i.e. after
+ _\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bs_\bo). Multiple arguments may be specified, separated by white
+ space. For example:
+
+ Plugin sudoers_policy sudoers.so sudoers_mode=0400
+
+ The following plugin arguments are supported:
+
+ ldap_conf=pathname
+ The _\bl_\bd_\ba_\bp_\b__\bc_\bo_\bn_\bf argument can be used to override the default path
+ to the _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf file.
+
+ ldap_secret=pathname
+ The _\bl_\bd_\ba_\bp_\b__\bs_\be_\bc_\br_\be_\bt argument can be used to override the default
+ path to the _\bl_\bd_\ba_\bp_\b._\bs_\be_\bc_\br_\be_\bt file.
+
+ sudoers_file=pathname
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bf_\bi_\bl_\be argument can be used to override the default
+ path to the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
+
+ sudoers_uid=uid
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bu_\bi_\bd argument can be used to override the default
+ owner of the sudoers file. It should be specified as a numeric
+ user ID.
+
+ sudoers_gid=gid
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bg_\bi_\bd argument can be used to override the default
+ group of the sudoers file. It must be specified as a numeric
+ group ID (not a group name).
+
+ sudoers_mode=mode
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bm_\bo_\bd_\be argument can be used to override the default
+ file mode for the sudoers file. It should be specified as an
+ octal value.
+
+ For more information on configuring sudo.conf(4), please refer to its
+ manual.
+
A\bAu\but\bth\bhe\ben\bnt\bti\bic\bca\bat\bti\bio\bon\bn a\ban\bnd\bd l\blo\bog\bgg\bgi\bin\bng\bg
The _\bs_\bu_\bd_\bo_\be_\br_\bs security policy requires that most users authenticate
themselves before they can use s\bsu\bud\bdo\bo. A password is not required if the
'!'* %:#nonunix_gid |
'!'* User_Alias
- A User_List is made up of one or more user names, user ids (prefixed with
- `#'), system group names and ids (prefixed with `%' and `%#'
+ A User_List is made up of one or more user names, user IDs (prefixed with
+ `#'), system group names and IDs (prefixed with `%' and `%#'
respectively), netgroups (prefixed with `+'), non-Unix group names and
IDs (prefixed with `%:' and `%:#' respectively) and User_Aliases. Each
list item may be prefixed with zero or more `!' operators. An odd number
characters must be included inside the quotes.
The actual nonunix_group and nonunix_gid syntax depends on the underlying
- group provider plugin (see the _\bg_\br_\bo_\bu_\bp_\b__\bp_\bl_\bu_\bg_\bi_\bn description below). For
- instance, the QAS AD plugin supports the following formats:
+ group provider plugin. For instance, the QAS AD plugin supports the
+ following formats:
o\bo Group in the same domain: "%:Group Name"
o\bo Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
+ See _\bG_\bR_\bO_\bU_\bP _\bP_\bR_\bO_\bV_\bI_\bD_\bE_\bR _\bP_\bL_\bU_\bG_\bI_\bN_\bS for more information.
+
Note that quotes around group names are optional. Unquoted strings must
use a backslash (`\') to escape spaces and special characters. See _\bO_\bt_\bh_\be_\br
_\bs_\bp_\be_\bc_\bi_\ba_\bl _\bc_\bh_\ba_\br_\ba_\bc_\bt_\be_\br_\bs _\ba_\bn_\bd _\br_\be_\bs_\be_\br_\bv_\be_\bd _\bw_\bo_\br_\bd_\bs for a list of characters that need
``localhost'' will only match if that is the actual host name, which is
usually only the case for non-networked systems.
+ digest ::= [A-Fa-f0-9]+ |
+ [[A-Za-z0-9+/=]+
+
+ Digest_Spec ::= "sha224" ':' digest |
+ "sha256" ':' digest |
+ "sha384" ':' digest |
+ "sha512" ':' digest
+
Cmnd_List ::= Cmnd |
Cmnd ',' Cmnd_List
file name args |
file name '""'
- Cmnd ::= '!'* command name |
+ Cmnd ::= Digest_Spec? '!'* command name |
'!'* directory |
'!'* "sudoedit" |
'!'* Cmnd_Alias
the Cmnd must match exactly those given by the user on the command line
(or match the wildcards if there are any). Note that the following
characters must be escaped with a `\' if they are used in command
- arguments: `,', `:', `=', `\'. The special command ``sudoedit'' is used
+ arguments: `,', `:', `=', `\'. The built-in command ``sudoedit'' is used
to permit a user to run s\bsu\bud\bdo\bo with the -\b-e\be option (or as s\bsu\bud\bdo\boe\bed\bdi\bit\bt). It may
- take command line arguments just as a normal command does.
+ take command line arguments just as a normal command does. Note that
+ ``sudoedit'' is a command built into s\bsu\bud\bdo\bo itself and must be specified in
+ _\bs_\bu_\bd_\bo_\be_\br_\bs without a leading path.
+
+ If a command name is prefixed with a Digest_Spec, the command will only
+ match successfully if it can be verified using the specified SHA-2
+ digest. This may be useful in situations where the user invoking s\bsu\bud\bdo\bo
+ has write access to the command or its parent directory. The following
+ digest formats are supported: sha224, sha256, sha384 and sha512. The
+ string may be specified in either hex or base64 format (base64 is more
+ compact). There are several utilities capable of generating SHA-2
+ digests in hex format such as openssl, shasum, sha224sum, sha256sum,
+ sha384sum, sha512sum.
+
+ For example, using openssl:
+
+ $ openssl dgst -sha224 /bin/ls
+ SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25
+
+ It is also possible to use openssl to generate base64 output:
+
+ $ openssl dgst -binary -sha224 /bin/ls | openssl base64
+ EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
+
+ Command digests are only supported by version 1.8.7 or higher.
D\bDe\bef\bfa\bau\bul\blt\bts\bs
Certain configuration options may be changed from their default values at
it is overridden by the opposite tag (in other words, PASSWD overrides
NOPASSWD and NOEXEC overrides EXEC).
- _\bN_\bO_\bP_\bA_\bS_\bS_\bW_\bD _\ba_\bn_\bd _\bP_\bA_\bS_\bS_\bW_\bD
+ _\bN_\bO_\bP_\bA_\bS_\bS_\bW_\bD and _\bP_\bA_\bS_\bS_\bW_\bD
- By default, s\bsu\bud\bdo\bo requires that a user authenticate him or herself before
- running a command. This behavior can be modified via the NOPASSWD tag.
- Like a Runas_Spec, the NOPASSWD tag sets a default for the commands that
- follow it in the Cmnd_Spec_List. Conversely, the PASSWD tag can be used
- to reverse things. For example:
+ By default, s\bsu\bud\bdo\bo requires that a user authenticate him or herself
+ before running a command. This behavior can be modified via the
+ NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for
+ the commands that follow it in the Cmnd_Spec_List. Conversely, the
+ PASSWD tag can be used to reverse things. For example:
- ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
+ ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
- would allow the user r\bra\bay\by to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, _\b/_\bb_\bi_\bn_\b/_\bl_\bs, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as
- r\bro\boo\bot\bt on the machine rushmore without authenticating himself. If we only
- want r\bra\bay\by to be able to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl without a password the entry would
- be:
+ would allow the user r\bra\bay\by to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, _\b/_\bb_\bi_\bn_\b/_\bl_\bs, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm
+ as r\bro\boo\bot\bt on the machine rushmore without authenticating himself. If we
+ only want r\bra\bay\by to be able to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl without a password the entry
+ would be:
- ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
+ ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
- Note, however, that the PASSWD tag has no effect on users who are in the
- group specified by the _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option.
+ Note, however, that the PASSWD tag has no effect on users who are in
+ the group specified by the _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option.
- By default, if the NOPASSWD tag is applied to any of the entries for a
- user on the current host, he or she will be able to run ``sudo -l''
- without a password. Additionally, a user may only run ``sudo -v''
- without a password if the NOPASSWD tag is present for all a user's
- entries that pertain to the current host. This behavior may be
- overridden via the _\bv_\be_\br_\bi_\bf_\by_\bp_\bw and _\bl_\bi_\bs_\bt_\bp_\bw options.
+ By default, if the NOPASSWD tag is applied to any of the entries for a
+ user on the current host, he or she will be able to run ``sudo -l''
+ without a password. Additionally, a user may only run ``sudo -v''
+ without a password if the NOPASSWD tag is present for all a user's
+ entries that pertain to the current host. This behavior may be
+ overridden via the _\bv_\be_\br_\bi_\bf_\by_\bp_\bw and _\bl_\bi_\bs_\bt_\bp_\bw options.
- _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC
+ _\bN_\bO_\bE_\bX_\bE_\bC and _\bE_\bX_\bE_\bC
- If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the underlying
- operating system supports it, the NOEXEC tag can be used to prevent a
- dynamically-linked executable from running further commands itself.
+ If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the underlying
+ operating system supports it, the NOEXEC tag can be used to prevent a
+ dynamically-linked executable from running further commands itself.
- In the following example, user a\baa\bar\bro\bon\bn may run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and
- _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi but shell escapes will be disabled.
+ In the following example, user a\baa\bar\bro\bon\bn may run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and
+ _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi but shell escapes will be disabled.
- aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+ aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
- See the _\bP_\br_\be_\bv_\be_\bn_\bt_\bi_\bn_\bg _\bs_\bh_\be_\bl_\bl _\be_\bs_\bc_\ba_\bp_\be_\bs section below for more details on how
- NOEXEC works and whether or not it will work on your system.
+ See the _\bP_\br_\be_\bv_\be_\bn_\bt_\bi_\bn_\bg _\bs_\bh_\be_\bl_\bl _\be_\bs_\bc_\ba_\bp_\be_\bs section below for more details on how
+ NOEXEC works and whether or not it will work on your system.
- _\bS_\bE_\bT_\bE_\bN_\bV _\ba_\bn_\bd _\bN_\bO_\bS_\bE_\bT_\bE_\bN_\bV
+ _\bS_\bE_\bT_\bE_\bN_\bV and _\bN_\bO_\bS_\bE_\bT_\bE_\bN_\bV
- These tags override the value of the _\bs_\be_\bt_\be_\bn_\bv option on a per-command
- basis. Note that if SETENV has been set for a command, the user may
- disable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option from the command line via the -\b-E\bE option.
- Additionally, environment variables set on the command line are not
- subject to the restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or
- _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such, only trusted users should be allowed to set variables
- in this manner. If the command matched is A\bAL\bLL\bL, the SETENV tag is implied
- for that command; this default may be overridden by use of the NOSETENV
- tag.
+ These tags override the value of the _\bs_\be_\bt_\be_\bn_\bv option on a per-command
+ basis. Note that if SETENV has been set for a command, the user may
+ disable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option from the command line via the -\b-E\bE option.
+ Additionally, environment variables set on the command line are not
+ subject to the restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or
+ _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such, only trusted users should be allowed to set
+ variables in this manner. If the command matched is A\bAL\bLL\bL, the SETENV
+ tag is implied for that command; this default may be overridden by use
+ of the NOSETENV tag.
- _\bL_\bO_\bG_\b__\bI_\bN_\bP_\bU_\bT _\ba_\bn_\bd _\bN_\bO_\bL_\bO_\bG_\b__\bI_\bN_\bP_\bU_\bT
+ _\bL_\bO_\bG_\b__\bI_\bN_\bP_\bU_\bT and _\bN_\bO_\bL_\bO_\bG_\b__\bI_\bN_\bP_\bU_\bT
- These tags override the value of the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt option on a per-command
- basis. For more information, see the description of _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt in the
- _\bS_\bU_\bD_\bO_\bE_\bR_\bS _\bO_\bP_\bT_\bI_\bO_\bN_\bS section below.
+ These tags override the value of the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt option on a per-command
+ basis. For more information, see the description of _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt in the
+ _\bS_\bU_\bD_\bO_\bE_\bR_\bS _\bO_\bP_\bT_\bI_\bO_\bN_\bS section below.
- _\bL_\bO_\bG_\b__\bO_\bU_\bT_\bP_\bU_\bT _\ba_\bn_\bd _\bN_\bO_\bL_\bO_\bG_\b__\bO_\bU_\bT_\bP_\bU_\bT
+ _\bL_\bO_\bG_\b__\bO_\bU_\bT_\bP_\bU_\bT and _\bN_\bO_\bL_\bO_\bG_\b__\bO_\bU_\bT_\bP_\bU_\bT
- These tags override the value of the _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt option on a per-command
- basis. For more information, see the description of _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt in the
- _\bS_\bU_\bD_\bO_\bE_\bR_\bS _\bO_\bP_\bT_\bI_\bO_\bN_\bS section below.
+ These tags override the value of the _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt option on a per-command
+ basis. For more information, see the description of _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt in the
+ _\bS_\bU_\bD_\bO_\bE_\bR_\bS _\bO_\bP_\bT_\bI_\bO_\bN_\bS section below.
W\bWi\bil\bld\bdc\bca\bar\brd\bds\bs
s\bsu\bud\bdo\bo allows shell-style _\bw_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs (aka meta or glob characters) to be
used in host names, path names and command line arguments in the _\bs_\bu_\bd_\bo_\be_\br_\bs
- file. Wildcard matching is done via the P\bPO\bOS\bSI\bIX\bX glob(3) and fnmatch(3)
- routines. Note that these are _\bn_\bo_\bt regular expressions.
+ file. Wildcard matching is done via the glob(3) and fnmatch(3) functions
+ as specified by IEEE Std 1003.1 (``POSIX.1''). Note that these are _\bn_\bo_\bt
+ regular expressions.
* Matches any set of zero or more characters.
\x For any character `x', evaluates to `x'. This is used to
escape special characters such as: `*', `?', `[', and `]'.
- POSIX character classes may also be used if your system's glob(3) and
+ Character classes may also be used if your system's glob(3) and
fnmatch(3) functions support them. However, because the `:' character
has special meaning in _\bs_\bu_\bd_\bo_\be_\br_\bs, it must be escaped. For example:
since in a command context, it allows the user to run a\ban\bny\by command on the
system.
- An exclamation point (`!') can be used as a logical _\bn_\bo_\bt operator both in
- an _\ba_\bl_\bi_\ba_\bs and in front of a Cmnd. This allows one to exclude certain
- values. Note, however, that using a `!' in conjunction with the built-in
- A\bAL\bLL\bL alias to allow a user to run ``all but a few'' commands rarely works
- as intended (see _\bS_\bE_\bC_\bU_\bR_\bI_\bT_\bY _\bN_\bO_\bT_\bE_\bS below).
+ An exclamation point (`!') can be used as a logical _\bn_\bo_\bt operator in a
+ list or _\ba_\bl_\bi_\ba_\bs as well as in front of a Cmnd. This allows one to exclude
+ certain values. For the `!' operator to be effective, there must be
+ something for it to exclude. For example, to match all users except for
+ root one would use:
+
+ ALL,!root
+
+ If the A\bAL\bLL\bL, is omitted, as in:
+
+ !root
+
+ it would explicitly deny root but not match any other users. This is
+ different from a true ``negation'' operator.
+
+ Note, however, that using a `!' in conjunction with the built-in A\bAL\bLL\bL
+ alias to allow a user to run ``all but a few'' commands rarely works as
+ intended (see _\bS_\bE_\bC_\bU_\bR_\bI_\bT_\bY _\bN_\bO_\bT_\bE_\bS below).
Long lines can be continued with a backslash (`\') as the last character
on the line.
This flag is _\bo_\bn by default when s\bsu\bud\bdo\bo is compiled with
z\bzl\bli\bib\bb support.
+ exec_background By default, s\bsu\bud\bdo\bo runs a command as the foreground
+ process as long as s\bsu\bud\bdo\bo itself is running in the
+ foreground. When the _\be_\bx_\be_\bc_\b__\bb_\ba_\bc_\bk_\bg_\br_\bo_\bu_\bn_\bd flag is enabled
+ and the command is being run in a pty (due to I/O
+ logging or the _\bu_\bs_\be_\b__\bp_\bt_\by flag), the command will be run
+ as a background process. Attempts to read from the
+ controlling terminal (or to change terminal settings)
+ will result in the command being suspended with the
+ SIGTTIN signal (or SIGTTOU in the case of terminal
+ settings). If this happens when s\bsu\bud\bdo\bo is a foreground
+ process, the command will be granted the controlling
+ terminal and resumed in the foreground with no user
+ intervention required. The advantage of initially
+ running the command in the background is that s\bsu\bud\bdo\bo need
+ not read from the terminal unless the command
+ explicitly requests it. Otherwise, any terminal input
+ must be passed to the command, whether it has required
+ it or not (the kernel buffers terminals so it is not
+ possible to tell whether the command really wants the
+ input). This is different from historic _\bs_\bu_\bd_\bo behavior
+ or when the command is not being run in a pty.
+
+ For this to work seamlessly, the operating system must
+ support the automatic restarting of system calls.
+ Unfortunately, not all operating systems do this by
+ default, and even those that do may have bugs. For
+ example, Mac OS X fails to restart the t\btc\bcg\bge\bet\bta\bat\btt\btr\br() and
+ t\btc\bcs\bse\bet\bta\bat\btt\btr\br() system calls (this is a bug in Mac OS X).
+ Furthermore, because this behavior depends on the
+ command stopping with the SIGTTIN or SIGTTOU signals,
+ programs that catch these signals and suspend
+ themselves with a different signal (usually SIGTOP)
+ will not be automatically foregrounded. Some versions
+ of the linux su(1) command behave this way.
+
+ This setting is only supported by version 1.8.7 or
+ higher. It has no effect unless I/O logging is enabled
+ or the _\bu_\bs_\be_\b__\bp_\bt_\by flag is enabled.
+
env_editor If set, v\bvi\bis\bsu\bud\bdo\bo will use the value of the EDITOR or
VISUAL environment variables before falling back on the
default editor list. Note that this may create a
well as the _\bP_\br_\be_\bv_\be_\bn_\bt_\bi_\bn_\bg _\bs_\bh_\be_\bl_\bl _\be_\bs_\bc_\ba_\bp_\be_\bs section at the end
of this manual. This flag is _\bo_\bf_\bf by default.
+ pam_session On systems that use PAM for authentication, s\bsu\bud\bdo\bo will
+ create a new PAM session for the command to be run in.
+ Disabling _\bp_\ba_\bm_\b__\bs_\be_\bs_\bs_\bi_\bo_\bn may be needed on older PAM
+ implementations or on operating systems where opening a
+ PAM session changes the utmp or wtmp files. If PAM
+ session support is disabled, resource limits may not be
+ updated for the command being run. This flag is _\bo_\bn by
+ default.
+
+ This setting is only supported by version 1.8.7 or
+ higher.
+
+ passprompt_override
+ The password prompt specified by _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will
+ normally only be used if the password prompt provided
+ by systems such as PAM matches the string
+ ``Password:''. If _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is set,
+ _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will always be used. This flag is _\bo_\bf_\bf by
+ default.
+
path_info Normally, s\bsu\bud\bdo\bo will tell the user when a command could
not be found in their PATH environment variable. Some
sites may wish to disable this as it could be used to
not allowed to run it, which can be confusing. This
flag is _\bo_\bn by default.
- passprompt_override
- The password prompt specified by _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will
- normally only be used if the password prompt provided
- by systems such as PAM matches the string
- ``Password:''. If _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is set,
- _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will always be used. This flag is _\bo_\bf_\bf by
- default.
-
preserve_groups By default, s\bsu\bud\bdo\bo will initialize the group vector to
the list of groups the target user is in. When
_\bp_\br_\be_\bs_\be_\br_\bv_\be_\b__\bg_\br_\bo_\bu_\bp_\bs is set, the user's existing group
unique combination of digits and letters, similar to
the mktemp(3) function.
+ If the path created by concatenating _\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br and
+ _\bi_\bo_\bl_\bo_\bg_\b__\bf_\bi_\bl_\be already exists, the existing I/O log file
+ will be truncated and overwritten unless _\bi_\bo_\bl_\bo_\bg_\b__\bf_\bi_\bl_\be
+ ends in six or more Xs.
+
limitprivs The default Solaris limit privileges to use when
constructing a new privilege set for a command. This
bounds all privileges of the executing process. The
escape %h will expand to the host name of the machine.
Default is ``*** SECURITY information for %h ***''.
- noexec_file This option is no longer supported. The path to the
- noexec file should now be set in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf
- file.
+ maxseq The maximum sequence number that will be substituted
+ for the ``%{seq}'' escape in the I/O log file (see the
+ _\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br description above for more information).
+ While the value substituted for ``%{seq}'' is in base
+ 36, _\bm_\ba_\bx_\bs_\be_\bq itself should be expressed in decimal.
+ Values larger than 2176782336 (which corresponds to the
+ base 36 sequence number ``ZZZZZZ'') will be silently
+ truncated to 2176782336. The default value is
+ 2176782336.
+
+ Once the local sequence number reaches the value of
+ _\bm_\ba_\bx_\bs_\be_\bq, it will ``roll over'' to zero, after which
+ s\bsu\bud\bdo\boe\ber\brs\bs will truncate and re-use any existing I/O log
+ pathnames.
+
+ This setting is only supported by version 1.8.7 or
+ higher.
+
+ noexec_file As of s\bsu\bud\bdo\bo version 1.8.1 this option is no longer
+ supported. The path to the noexec file should now be
+ set in the sudo.conf(4) file.
passprompt The default prompt to use when asking for a password;
can be overridden via the -\b-p\bp option or the SUDO_PROMPT
a % prefix. This is not set by default.
group_plugin A string containing a _\bs_\bu_\bd_\bo_\be_\br_\bs group plugin with optional
- arguments. This can be used to implement support for the
- nonunix_group syntax described earlier. The string should
- consist of the plugin path, either fully-qualified or
- relative to the _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc directory, followed by
- any configuration arguments the plugin requires. These
+ arguments. The string should consist of the plugin path,
+ either fully-qualified or relative to the
+ _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc_\b/_\bs_\bu_\bd_\bo directory, followed by any
+ configuration arguments the plugin requires. These
arguments (if any) will be passed to the plugin's
initialization function. If arguments are present, the
string must be enclosed in double quotes ("").
- For example, given _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b-_\bg_\br_\bo_\bu_\bp, a group file in Unix
- group format, the sample group plugin can be used:
-
- Defaults group_plugin="sample_group.so /etc/sudo-group"
-
- For more information see sudo_plugin(4).
+ For more information see GROUP PROVIDER PLUGINS.
lecture This option controls when a short lecture will be printed
along with the password prompt. It has the following
variables to keep is displayed when s\bsu\bud\bdo\bo is run by root
with the -\b-V\bV option.
+G\bGR\bRO\bOU\bUP\bP P\bPR\bRO\bOV\bVI\bID\bDE\bER\bR P\bPL\bLU\bUG\bGI\bIN\bNS\bS
+ The s\bsu\bud\bdo\boe\ber\brs\bs plugin supports its own plugin interface to allow non-Unix
+ group lookups which can query a group source other than the standard Unix
+ group database. This can be used to implement support for the
+ nonunix_group syntax described earlier.
+
+ Group provider plugins are specified via the _\bg_\br_\bo_\bu_\bp_\b__\bp_\bl_\bu_\bg_\bi_\bn Defaults
+ setting. The argument to _\bg_\br_\bo_\bu_\bp_\b__\bp_\bl_\bu_\bg_\bi_\bn should consist of the plugin path,
+ either fully-qualified or relative to the _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc_\b/_\bs_\bu_\bd_\bo
+ directory, followed by any configuration options the plugin requires.
+ These options (if specified) will be passed to the plugin's
+ initialization function. If options are present, the string must be
+ enclosed in double quotes ("").
+
+ The following group provider plugins are installed by default:
+
+ group_file
+ The _\bg_\br_\bo_\bu_\bp_\b__\bf_\bi_\bl_\be plugin supports an alternate group file that
+ uses the same syntax as the _\b/_\be_\bt_\bc_\b/_\bg_\br_\bo_\bu_\bp file. The path to the
+ group file should be specified as an option to the plugin. For
+ example, if the group file to be used is _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b-_\bg_\br_\bo_\bu_\bp:
+
+ Defaults group_plugin="group_file.so /etc/sudo-group"
+
+ system_group
+ The _\bs_\by_\bs_\bt_\be_\bm_\b__\bg_\br_\bo_\bu_\bp plugin supports group lookups via the standard
+ C library functions g\bge\bet\btg\bgr\brn\bna\bam\bm() and g\bge\bet\btg\bgr\bri\bid\bd(). This plugin can
+ be used in instances where the user belongs to groups not
+ present in the user's supplemental group vector. This plugin
+ takes no options:
+
+ Defaults group_plugin=system_group.so
+
+ The group provider plugin API is described in detail in sudo_plugin(1m).
+
L\bLO\bOG\bG F\bFO\bOR\bRM\bMA\bAT\bT
s\bsu\bud\bdo\boe\ber\brs\bs can log events using either syslog(3) or a simple log file. In
each case the log format is almost identical.
when the _\bs_\bu_\bd_\bo_\be_\br_\bs file is located on a remote file system that maps
user ID 0 to a different value. Normally, s\bsu\bud\bdo\boe\ber\brs\bs tries to open
_\bs_\bu_\bd_\bo_\be_\br_\bs using group permissions to avoid this problem. Consider
- changing the ownership of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs by adding an option like
- ``sudoers_uid=N'' (where `N' is the user ID that owns the _\bs_\bu_\bd_\bo_\be_\br_\bs
- file) to the s\bsu\bud\bdo\boe\ber\brs\bs plugin line in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file.
+ either changing the ownership of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs or adding an argument
+ like ``sudoers_uid=N'' (where `N' is the user ID that owns the _\bs_\bu_\bd_\bo_\be_\br_\bs
+ file) to the end of the s\bsu\bud\bdo\boe\ber\brs\bs Plugin line in the sudo.conf(4) file.
unable to stat /etc/sudoers
The _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs file is missing.
/etc/sudoers is owned by uid N, should be 0
The _\bs_\bu_\bd_\bo_\be_\br_\bs file has the wrong owner. If you wish to change the
_\bs_\bu_\bd_\bo_\be_\br_\bs file owner, please add ``sudoers_uid=N'' (where `N' is the
- user ID that owns the _\bs_\bu_\bd_\bo_\be_\br_\bs file) to the s\bsu\bud\bdo\boe\ber\brs\bs plugin line in the
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file.
+ user ID that owns the _\bs_\bu_\bd_\bo_\be_\br_\bs file) to the s\bsu\bud\bdo\boe\ber\brs\bs Plugin line in the
+ sudo.conf(4) file.
/etc/sudoers is world writable
The permissions on the _\bs_\bu_\bd_\bo_\be_\br_\bs file allow all users to write to it.
The _\bs_\bu_\bd_\bo_\be_\br_\bs file must not be world-writable, the default file mode is
0440 (readable by owner and group, writable by none). The default
mode may be changed via the ``sudoers_mode'' option to the s\bsu\bud\bdo\boe\ber\brs\bs
- plugin line in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file.
+ Plugin line in the sudo.conf(4) file.
/etc/sudoers is owned by gid N, should be 1
The _\bs_\bu_\bd_\bo_\be_\br_\bs file has the wrong group ownership. If you wish to change
the _\bs_\bu_\bd_\bo_\be_\br_\bs file group ownership, please add ``sudoers_gid=N'' (where
- `N' is the group ID that owns the _\bs_\bu_\bd_\bo_\be_\br_\bs file) to the s\bsu\bud\bdo\boe\ber\brs\bs plugin
- line in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file.
+ `N' is the group ID that owns the _\bs_\bu_\bd_\bo_\be_\br_\bs file) to the s\bsu\bud\bdo\boe\ber\brs\bs Plugin
+ line in the sudo.conf(4) file.
unable to open /var/adm/sudo/username/ttyname
_\bs_\bu_\bd_\bo_\be_\br_\bs was unable to read or create the user's time stamp file.
_\bl_\bo_\bg_\bl_\bi_\bn_\be_\bl_\be_\bn option is set to 0 (or negated with a `!'), word wrap
will be disabled.
-S\bSU\bUD\bDO\bO.\b.C\bCO\bON\bNF\bF
- The _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file determines which plugins the s\bsu\bud\bdo\bo front end will
- load. If no _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file is present, or it contains no Plugin
- lines, s\bsu\bud\bdo\bo will use the _\bs_\bu_\bd_\bo_\be_\br_\bs security policy and I/O logging, which
- corresponds to the following _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file.
-
- #
- # Default /etc/sudo.conf file
- #
- # Format:
- # Plugin plugin_name plugin_path plugin_options ...
- # Path askpass /path/to/askpass
- # Path noexec /path/to/sudo_noexec.so
- # Debug sudo /var/log/sudo_debug all@warn
- # Set disable_coredump true
- #
- # The plugin_path is relative to /usr/local/libexec unless
- # fully qualified.
- # The plugin_name corresponds to a global symbol in the plugin
- # that contains the plugin interface structure.
- # The plugin_options are optional.
- #
- Plugin policy_plugin sudoers.so
- Plugin io_plugin sudoers.so
-
- P\bPl\blu\bug\bgi\bin\bn o\bop\bpt\bti\bio\bon\bns\bs
- Starting with s\bsu\bud\bdo\bo 1.8.5, it is possible to pass options to the _\bs_\bu_\bd_\bo_\be_\br_\bs
- plugin. Options may be listed after the path to the plugin (i.e. after
- _\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bs_\bo); multiple options should be space-separated. For example:
-
- Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
-
- The following plugin options are supported:
-
- sudoers_file=pathname
- The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bf_\bi_\bl_\be option can be used to override the default
- path to the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
-
- sudoers_uid=uid
- The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bu_\bi_\bd option can be used to override the default
- owner of the sudoers file. It should be specified as a numeric
- user ID.
-
- sudoers_gid=gid
- The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bg_\bi_\bd option can be used to override the default
- group of the sudoers file. It should be specified as a numeric
- group ID.
-
- sudoers_mode=mode
- The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bm_\bo_\bd_\be option can be used to override the default
- file mode for the sudoers file. It should be specified as an
- octal value.
-
- D\bDe\beb\bbu\bug\bg f\bfl\bla\bag\bgs\bs
- Versions 1.8.4 and higher of the _\bs_\bu_\bd_\bo_\be_\br_\bs plugin supports a debugging
- framework that can help track down what the plugin is doing internally if
- there is a problem. This can be configured in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file as
- described in sudo(1m).
-
- The _\bs_\bu_\bd_\bo_\be_\br_\bs plugin uses the same debug flag format as the s\bsu\bud\bdo\bo front-end:
- _\bs_\bu_\bb_\bs_\by_\bs_\bt_\be_\bm@_\bp_\br_\bi_\bo_\br_\bi_\bt_\by.
-
- The priorities used by _\bs_\bu_\bd_\bo_\be_\br_\bs, in order of decreasing severity, are:
- _\bc_\br_\bi_\bt, _\be_\br_\br, _\bw_\ba_\br_\bn, _\bn_\bo_\bt_\bi_\bc_\be, _\bd_\bi_\ba_\bg, _\bi_\bn_\bf_\bo, _\bt_\br_\ba_\bc_\be and _\bd_\be_\bb_\bu_\bg. Each priority,
- when specified, also includes all priorities higher than it. For
- example, a priority of _\bn_\bo_\bt_\bi_\bc_\be would include debug messages logged at
- _\bn_\bo_\bt_\bi_\bc_\be and higher.
-
- The following subsystems are used by _\bs_\bu_\bd_\bo_\be_\br_\bs:
-
- _\ba_\bl_\bi_\ba_\bs User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing
-
- _\ba_\bl_\bl matches every subsystem
-
- _\ba_\bu_\bd_\bi_\bt BSM and Linux audit code
-
- _\ba_\bu_\bt_\bh user authentication
-
- _\bd_\be_\bf_\ba_\bu_\bl_\bt_\bs _\bs_\bu_\bd_\bo_\be_\br_\bs _\bD_\be_\bf_\ba_\bu_\bl_\bt_\bs settings
-
- _\be_\bn_\bv environment handling
-
- _\bl_\bd_\ba_\bp LDAP-based sudoers
-
- _\bl_\bo_\bg_\bg_\bi_\bn_\bg logging support
-
- _\bm_\ba_\bt_\bc_\bh matching of users, groups, hosts and netgroups in _\bs_\bu_\bd_\bo_\be_\br_\bs
-
- _\bn_\be_\bt_\bi_\bf network interface handling
-
- _\bn_\bs_\bs network service switch handling in _\bs_\bu_\bd_\bo_\be_\br_\bs
-
- _\bp_\ba_\br_\bs_\be_\br _\bs_\bu_\bd_\bo_\be_\br_\bs file parsing
-
- _\bp_\be_\br_\bm_\bs permission setting
-
- _\bp_\bl_\bu_\bg_\bi_\bn The equivalent of _\bm_\ba_\bi_\bn for the plugin.
-
- _\bp_\bt_\by pseudo-tty related code
-
- _\br_\bb_\bt_\br_\be_\be redblack tree internals
-
- _\bu_\bt_\bi_\bl utility functions
-
F\bFI\bIL\bLE\bES\bS
_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf Sudo front end configuration
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
- /usr/sbin/restore, /usr/sbin/rrestore
+ /usr/sbin/restore, /usr/sbin/rrestore,\
+ sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \
+ /home/operator/bin/start_backups
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
The o\bop\bpe\ber\bra\bat\bto\bor\br user may run commands limited to simple maintenance. Here,
those are commands related to backups, killing processes, the printing
system, shutting down the system, and any commands in the directory
- _\b/_\bu_\bs_\br_\b/_\bo_\bp_\be_\br_\b/_\bb_\bi_\bn_\b/.
+ _\b/_\bu_\bs_\br_\b/_\bo_\bp_\be_\br_\b/_\bb_\bi_\bn_\b/. Note that one command in the DUMPS Cmnd_Alias includes a
+ sha224 digest, _\b/_\bh_\bo_\bm_\be_\b/_\bo_\bp_\be_\br_\ba_\bt_\bo_\br_\b/_\bb_\bi_\bn_\b/_\bs_\bt_\ba_\br_\bt_\b__\bb_\ba_\bc_\bk_\bu_\bp_\bs. This is because the
+ directory containing the script is writable by the operator user. If the
+ script is modified (resulting in a digest mismatch) it will no longer be
+ possible to run it via s\bsu\bud\bdo\bo.
joe ALL = /usr/bin/su operator
stamp file is stale and will ignore it. Administrators should not rely
on this feature as it is not universally available.
+D\bDE\bEB\bBU\bUG\bGG\bGI\bIN\bNG\bG
+ Versions 1.8.4 and higher of the s\bsu\bud\bdo\boe\ber\brs\bs plugin support a flexible
+ debugging framework that can help track down what the plugin is doing
+ internally if there is a problem. This can be configured in the
+ sudo.conf(4) file.
+
+ The s\bsu\bud\bdo\boe\ber\brs\bs plugin uses the same debug flag format as the s\bsu\bud\bdo\bo front-end:
+ _\bs_\bu_\bb_\bs_\by_\bs_\bt_\be_\bm@_\bp_\br_\bi_\bo_\br_\bi_\bt_\by.
+
+ The priorities used by s\bsu\bud\bdo\boe\ber\brs\bs, in order of decreasing severity, are:
+ _\bc_\br_\bi_\bt, _\be_\br_\br, _\bw_\ba_\br_\bn, _\bn_\bo_\bt_\bi_\bc_\be, _\bd_\bi_\ba_\bg, _\bi_\bn_\bf_\bo, _\bt_\br_\ba_\bc_\be and _\bd_\be_\bb_\bu_\bg. Each priority,
+ when specified, also includes all priorities higher than it. For
+ example, a priority of _\bn_\bo_\bt_\bi_\bc_\be would include debug messages logged at
+ _\bn_\bo_\bt_\bi_\bc_\be and higher.
+
+ The following subsystems are used by the s\bsu\bud\bdo\boe\ber\brs\bs plugin:
+
+ _\ba_\bl_\bi_\ba_\bs User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing
+
+ _\ba_\bl_\bl matches every subsystem
+
+ _\ba_\bu_\bd_\bi_\bt BSM and Linux audit code
+
+ _\ba_\bu_\bt_\bh user authentication
+
+ _\bd_\be_\bf_\ba_\bu_\bl_\bt_\bs _\bs_\bu_\bd_\bo_\be_\br_\bs _\bD_\be_\bf_\ba_\bu_\bl_\bt_\bs settings
+
+ _\be_\bn_\bv environment handling
+
+ _\bl_\bd_\ba_\bp LDAP-based sudoers
+
+ _\bl_\bo_\bg_\bg_\bi_\bn_\bg logging support
+
+ _\bm_\ba_\bt_\bc_\bh matching of users, groups, hosts and netgroups in _\bs_\bu_\bd_\bo_\be_\br_\bs
+
+ _\bn_\be_\bt_\bi_\bf network interface handling
+
+ _\bn_\bs_\bs network service switch handling in _\bs_\bu_\bd_\bo_\be_\br_\bs
+
+ _\bp_\ba_\br_\bs_\be_\br _\bs_\bu_\bd_\bo_\be_\br_\bs file parsing
+
+ _\bp_\be_\br_\bm_\bs permission setting
+
+ _\bp_\bl_\bu_\bg_\bi_\bn The equivalent of _\bm_\ba_\bi_\bn for the plugin.
+
+ _\bp_\bt_\by pseudo-tty related code
+
+ _\br_\bb_\bt_\br_\be_\be redblack tree internals
+
+ _\bu_\bt_\bi_\bl utility functions
+ For example:
+
+ Debug sudo /var/log/sudo_debug match@info,nss@info
+
+ For more information, see the sudo.conf(4) manual.
+
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3),
+ ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3), sudo.conf(4),
sudoers.ldap(4), sudo_plugin(1m), sudo(1m), visudo(1m)
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
file distributed with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for
complete details.
-Sudo 1.8.6 July 16, 2012 Sudo 1.8.6
+Sudo 1.8.7 April 30, 2013 Sudo 1.8.7
projects / debian / sudo / blobdiff