distinct ways _\bs_\bu_\bd_\bo_\be_\br_\bs can deal with environment variables.
By default, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is enabled. This causes commands to
- be executed with a minimal environment containing TERM, PATH, HOME,
- MAIL, SHELL, LOGNAME, USER and USERNAME in addition to variables from
- the invoking process permitted by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bk_\be_\be_\bp options.
- This is effectively a whitelist for environment variables.
+ be executed with a minimal environment containing the TERM, PATH, HOME,
+ MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables in addition
+ to variables from the invoking process permitted by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and
+ _\be_\bn_\bv_\b__\bk_\be_\be_\bp options. This is effectively a whitelist for environment
+ variables.
If, however, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is disabled, any variables not
explicitly denied by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be options are inherited
before s\bsu\bud\bdo\bo even begins execution and, as such, it is not possible for
s\bsu\bud\bdo\bo to preserve them.
- As a special case, If s\bsu\bud\bdo\bo's -\b-i\bi option (initial login) is specified,
+ As a special case, if s\bsu\bud\bdo\bo's -\b-i\bi option (initial login) is specified,
_\bs_\bu_\bd_\bo_\be_\br_\bs will initialize the environment regardless of the value of
_\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt. The _\bD_\bI_\bS_\bP_\bL_\bA_\bY, _\bP_\bA_\bT_\bH and _\bT_\bE_\bR_\bM variables remain unchanged;
_\bH_\bO_\bM_\bE, _\bM_\bA_\bI_\bL, _\bS_\bH_\bE_\bL_\bL, _\bU_\bS_\bE_\bR, and _\bL_\bO_\bG_\bN_\bA_\bM_\bE are set based on the target user.
On Linux and AIX systems the contents of _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt are also
included. All other environment variables are removed.
+ Lastly, if the _\be_\bn_\bv_\b__\bf_\bi_\bl_\be option is defined, any variables present in
+ that file will be set to their specified values.
+
S\bSU\bUD\bDO\bOE\bER\bRS\bS F\bFI\bIL\bLE\bE F\bFO\bOR\bRM\bMA\bAT\bT
The _\bs_\bu_\bd_\bo_\be_\br_\bs file is composed of two types of entries: aliases
(basically variables) and user specifications (which specify who may
A hard limit of 128 nested include files is enforced to prevent include
file loops.
- The file name may include the %h escape, signifying the short form of
- the host name. I.e., if the machine's host name is "xerxes", then
+ If the path to the include file is not fully-qualified (does not begin
+ with a _\b/), it must be located in the same directory as the sudoers file
+ it was included from. For example, if _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs contains the line:
+
+ #include sudoers.local
+
+ the file that will be included is _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl.
+
+ The file name may also include the %h escape, signifying the short form
+ of the host name. I.e., if the machine's host name is "xerxes", then
#include /etc/sudoers.%h
use the EDITOR or VISUAL if they match a value
specified in editor. This flag is _\bo_\bf_\bf by default.
- env_reset If set, s\bsu\bud\bdo\bo will reset the environment to only contain
- the LOGNAME, MAIL, SHELL, USER, USERNAME and the SUDO_*
- variables. Any variables in the caller's environment
- that match the env_keep and env_check lists are then
- added. The default contents of the env_keep and
- env_check lists are displayed when s\bsu\bud\bdo\bo is run by root
- with the _\b-_\bV option. If the _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh option is set,
- its value will be used for the PATH environment
- variable. This flag is _\bo_\bn by default.
+ env_reset If set, s\bsu\bud\bdo\bo will run the command in a minimal
+ environment containing the TERM, PATH, HOME, MAIL,
+ SHELL, LOGNAME, USER, USERNAME and SUDO_* variables.
+ Any variables in the caller's environment that match
+ the env_keep and env_check lists are then added,
+ followed by any variables present in the file specified
+ by the _\be_\bn_\bv_\b__\bf_\bi_\bl_\be option (if any). The default contents
+ of the env_keep and env_check lists are displayed when
+ s\bsu\bud\bdo\bo is run by root with the _\b-_\bV option. If the
+ _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh option is set, its value will be used for
+ the PATH environment variable. This flag is _\bo_\bn by
+ default.
fast_glob Normally, s\bsu\bud\bdo\bo uses the _\bg_\bl_\bo_\bb(3) function to do shell-
style globbing when matching path names. However,
log_year If set, the four-digit year will be logged in the (non-
syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
- long_otp_prompt When validating with a One Time Password (OPT) scheme
+ long_otp_prompt When validating with a One Time Password (OTP) scheme
such as S\bS/\b/K\bKe\bey\by or O\bOP\bPI\bIE\bE, a two-line prompt is used to
make it easier to cut and paste the challenge to a
local window. It's not as pretty as the default but
To include a literal `%' character, the string `%%'
should be used.
- Path names that end in six or more Xs will have the Xs
- replaced with a unique combination of digits and
- letters, similar to the _\bm_\bk_\bt_\be_\bm_\bp_\b(_\b) function.
-
iolog_file The path name, relative to _\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br, in which to store
input/output logs when the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt or _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt
options are enabled or when the LOG_INPUT or LOG_OUTPUT
See the _\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br option above for a list of supported
percent (`%') escape sequences.
+ In addition to the escape sequences, path names that
+ end in six or more Xs will have the Xs replaced with a
+ unique combination of digits and letters, similar to
+ the _\bm_\bk_\bt_\be_\bm_\bp_\b(_\b) function.
+
mailsub Subject of the mail sent to the _\bm_\ba_\bi_\bl_\bt_\bo user. The escape
%h will expand to the host name of the machine.
Default is *** SECURITY information for %h ***.
- noexec_file This option is deprecated and will be removed in a
- future release of s\bsu\bud\bdo\bo. The path to the noexec file
- should now be set in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file.
+ noexec_file This option is no longer supported. The path to the
+ noexec file should now be set in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf
+ file.
passprompt The default prompt to use when asking for a password;
can be overridden via the -\b-p\bp option or the SUDO_PROMPT
escape sequences are supported:
%H expanded to the local host name including the
- domain name (on if the machine's host name is fully
- qualified or the _\bf_\bq_\bd_\bn option is set)
+ domain name (only if the machine's host name is
+ fully qualified or the _\bf_\bq_\bd_\bn option is set)
%h expanded to the local host name without the domain
name
S\bSt\btr\bri\bin\bng\bgs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
- env_file The _\be_\bn_\bv_\b__\bf_\bi_\bl_\be options specifies the fully qualified path to
- a file containing variables to be set in the environment of
+ env_file The _\be_\bn_\bv_\b__\bf_\bi_\bl_\be option specifies the fully qualified path to a
+ file containing variables to be set in the environment of
the program being run. Entries in this file should either
be of the form VARIABLE=value or export VARIABLE=value.
The value may optionally be surrounded by single or double
exempt_group
Users in this group are exempt from password and PATH
- requirements. This is not set by default.
+ requirements. The group name specified should not include
+ a % prefix. This is not set by default.
group_plugin
A string containing a _\bs_\bu_\bd_\bo_\be_\br_\bs group plugin with optional
For example, given _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b-_\bg_\br_\bo_\bu_\bp, a group file in Unix
group format, the sample group plugin can be used:
- Defaults sudo_plugin="sample_group.so /etc/sudo-group"
+ Defaults group_plugin="sample_group.so /etc/sudo-group"
For more information see _\bs_\bu_\bd_\bo_\b__\bp_\bl_\bu_\bg_\bi_\bn(4).
privilege escalation. In the specific case of an editor, a safer
approach is to give the user permission to run s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
+D\bDE\bEB\bBU\bUG\bG F\bFL\bLA\bAG\bGS\bS
+ Versions 1.8.4 and higher of the _\bs_\bu_\bd_\bo_\be_\br_\bs plugin supports a debugging
+ framework that can help track down what the plugin is doing internally
+ if there is a problem. This can be configured in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf
+ file as described in _\bs_\bu_\bd_\bo(1m).
+
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs plugin uses the same debug flag format as s\bsu\bud\bdo\bo itself:
+ _\bs_\bu_\bb_\bs_\by_\bs_\bt_\be_\bm@_\bp_\br_\bi_\bo_\br_\bi_\bt_\by.
+
+ The priorities used by _\bs_\bu_\bd_\bo_\be_\br_\bs, in order of decreasing severity, are:
+ _\bc_\br_\bi_\bt, _\be_\br_\br, _\bw_\ba_\br_\bn, _\bn_\bo_\bt_\bi_\bc_\be, _\bd_\bi_\ba_\bg, _\bi_\bn_\bf_\bo, _\bt_\br_\ba_\bc_\be and _\bd_\be_\bb_\bu_\bg. Each priority,
+ when specified, also includes all priorities higher than it. For
+ example, a priority of _\bn_\bo_\bt_\bi_\bc_\be would include debug messages logged at
+ _\bn_\bo_\bt_\bi_\bc_\be and higher.
+
+ The following subsystems are used by _\bs_\bu_\bd_\bo_\be_\br_\bs:
+
+ _\ba_\bl_\bi_\ba_\bs User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing
+
+ _\ba_\bl_\bl matches every subsystem
+
+ _\ba_\bu_\bd_\bi_\bt BSM and Linux audit code
+
+ _\ba_\bu_\bt_\bh user authentication
+
+ _\bd_\be_\bf_\ba_\bu_\bl_\bt_\bs _\bs_\bu_\bd_\bo_\be_\br_\bs _\bD_\be_\bf_\ba_\bu_\bl_\bt_\bs settings
+
+ _\be_\bn_\bv environment handling
+
+ _\bl_\bd_\ba_\bp LDAP-based sudoers
+
+ _\bl_\bo_\bg_\bg_\bi_\bn_\bg logging support
+
+ _\bm_\ba_\bt_\bc_\bh matching of users, groups, hosts and netgroups in _\bs_\bu_\bd_\bo_\be_\br_\bs
+
+ _\bn_\be_\bt_\bi_\bf network interface handling
+
+ _\bn_\bs_\bs network service switch handling in _\bs_\bu_\bd_\bo_\be_\br_\bs
+
+ _\bp_\ba_\br_\bs_\be_\br _\bs_\bu_\bd_\bo_\be_\br_\bs file parsing
+
+ _\bp_\be_\br_\bm_\bs permission setting
+
+ _\bp_\bl_\bu_\bg_\bi_\bn The equivalent of _\bm_\ba_\bi_\bn for the plugin.
+
+ _\bp_\bt_\by pseudo-tty related code
+
+ _\br_\bb_\bt_\br_\be_\be redblack tree internals
+
+ _\bu_\bt_\bi_\bl utility functions
+
S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
_\bs_\bu_\bd_\bo_\be_\br_\bs will check the ownership of its time stamp directory
(_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo by default) and ignore the directory's contents if it is
-1.8.1p2 May 16, 2011 SUDOERS(4)
+1.8.4 February 5, 2012 SUDOERS(4)