+++ /dev/null
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
-N\bNA\bAM\bME\bE
- sudoers - list of which users may execute what
-
-D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- The _\bs_\bu_\bd_\bo_\be_\br_\bs file is composed of two types of entries: aliases
- (basically variables) and user specifications (which specify who may
- run what).
-
- When multiple entries match for a user, they are applied in order.
- Where there are multiple matches, the last match is used (which is not
- necessarily the most specific match).
-
- The _\bs_\bu_\bd_\bo_\be_\br_\bs grammar will be described below in Extended Backus-Naur
- Form (EBNF). Don't despair if you don't know what EBNF is; it is
- fairly simple, and the definitions below are annotated.
-
- Q\bQu\bui\bic\bck\bk g\bgu\bui\bid\bde\be t\bto\bo E\bEB\bBN\bNF\bF
- EBNF is a concise and exact way of describing the grammar of a
- language. Each EBNF definition is made up of _\bp_\br_\bo_\bd_\bu_\bc_\bt_\bi_\bo_\bn _\br_\bu_\bl_\be_\bs. E.g.,
-
- symbol ::= definition | alternate1 | alternate2 ...
-
- Each _\bp_\br_\bo_\bd_\bu_\bc_\bt_\bi_\bo_\bn _\br_\bu_\bl_\be references others and thus makes up a grammar for
- the language. EBNF also contains the following operators, which many
- readers will recognize from regular expressions. Do not, however,
- confuse them with "wildcard" characters, which have different meanings.
-
- ? Means that the preceding symbol (or group of symbols) is optional.
- That is, it may appear once or not at all.
-
- * Means that the preceding symbol (or group of symbols) may appear
- zero or more times.
-
- + Means that the preceding symbol (or group of symbols) may appear
- one or more times.
-
- Parentheses may be used to group symbols together. For clarity, we
- will use single quotes ('') to designate what is a verbatim character
- string (as opposed to a symbol name).
-
- A\bAl\bli\bia\bas\bse\bes\bs
- There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias
- and Cmnd_Alias.
-
- Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
- 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
- 'Host_Alias' Host_Alias (':' Host_Alias)* |
- 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
-
- User_Alias ::= NAME '=' User_List
-
- Runas_Alias ::= NAME '=' Runas_List
-
- Host_Alias ::= NAME '=' Host_List
-
-
-
-1.7.4 July 21, 2010 1
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
-
- Cmnd_Alias ::= NAME '=' Cmnd_List
-
- NAME ::= [A-Z]([A-Z][0-9]_)*
-
- Each _\ba_\bl_\bi_\ba_\bs definition is of the form
-
- Alias_Type NAME = item1, item2, ...
-
- where _\bA_\bl_\bi_\ba_\bs_\b__\bT_\by_\bp_\be is one of User_Alias, Runas_Alias, Host_Alias, or
- Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and
- underscore characters ('_'). A NAME m\bmu\bus\bst\bt start with an uppercase
- letter. It is possible to put several alias definitions of the same
- type on a single line, joined by a colon (':'). E.g.,
-
- Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
-
- The definitions of what constitutes a valid _\ba_\bl_\bi_\ba_\bs member follow.
-
- User_List ::= User |
- User ',' User_List
-
- User ::= '!'* user name |
- '!'* '#'uid |
- '!'* '%'group |
- '!'* '+'netgroup |
- '!'* '%:'nonunix_group |
- '!'* User_Alias
-
- A User_List is made up of one or more user names, uids (prefixed with
- '#'), system groups (prefixed with '%'), netgroups (prefixed with '+')
- and User_Aliases. Each list item may be prefixed with zero or more '!'
- operators. An odd number of '!' operators negate the value of the
- item; an even number just cancel each other out.
-
- A user name, group, netgroup or nonunix_group may be enclosed in double
- quotes to avoid the need for escaping special characters. Alternately,
- special characters may be specified in escaped hex mode, e.g. \x20 for
- space.
-
- The nonunix_group syntax depends on the underlying implementation. For
- instance, the QAS AD backend supports the following formats:
-
- +\bo Group in the same domain: "Group Name"
-
- +\bo Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"
-
- +\bo Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"
-
- Note that quotes around group names are optional. Unquoted strings
- must use a backslash (\) to escape spaces and the '@' symbol.
-
- Runas_List ::= Runas_Member |
- Runas_Member ',' Runas_List
-
-
-
-1.7.4 July 21, 2010 2
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
-
- Runas_Member ::= '!'* user name |
- '!'* '#'uid |
- '!'* '%'group |
- '!'* +netgroup |
- '!'* Runas_Alias
-
- A Runas_List is similar to a User_List except that instead of
- User_Aliases it can contain Runas_Aliases. Note that user names and
- groups are matched as strings. In other words, two users (groups) with
- the same uid (gid) are considered to be distinct. If you wish to match
- all user names with the same uid (e.g. root and toor), you can use a
- uid instead (#0 in the example given).
-
- Host_List ::= Host |
- Host ',' Host_List
-
- Host ::= '!'* host name |
- '!'* ip_addr |
- '!'* network(/netmask)? |
- '!'* '+'netgroup |
- '!'* Host_Alias
-
- A Host_List is made up of one or more host names, IP addresses, network
- numbers, netgroups (prefixed with '+') and other aliases. Again, the
- value of an item may be negated with the '!' operator. If you do not
- specify a netmask along with the network number, s\bsu\bud\bdo\bo will query each
- of the local host's network interfaces and, if the network number
- corresponds to one of the hosts's network interfaces, the corresponding
- netmask will be used. The netmask may be specified either in standard
- IP address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or
- CIDR notation (number of bits, e.g. 24 or 64). A host name may include
- shell-style wildcards (see the Wildcards section below), but unless the
- host name command on your machine returns the fully qualified host
- name, you'll need to use the _\bf_\bq_\bd_\bn option for wildcards to be useful.
- Note s\bsu\bud\bdo\bo only inspects actual network interfaces; this means that IP
- address 127.0.0.1 (localhost) will never match. Also, the host name
- "localhost" will only match if that is the actual host name, which is
- usually only the case for non-networked systems.
-
- Cmnd_List ::= Cmnd |
- Cmnd ',' Cmnd_List
-
- commandname ::= file name |
- file name args |
- file name '""'
-
- Cmnd ::= '!'* commandname |
- '!'* directory |
- '!'* "sudoedit" |
- '!'* Cmnd_Alias
-
- A Cmnd_List is a list of one or more commandnames, directories, and
- other aliases. A commandname is a fully qualified file name which may
-
-
-
-1.7.4 July 21, 2010 3
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- include shell-style wildcards (see the Wildcards section below). A
- simple file name allows the user to run the command with any arguments
- he/she wishes. However, you may also specify command line arguments
- (including wildcards). Alternately, you can specify "" to indicate
- that the command may only be run w\bwi\bit\bth\bho\bou\but\bt command line arguments. A
- directory is a fully qualified path name ending in a '/'. When you
- specify a directory in a Cmnd_List, the user will be able to run any
- file within that directory (but not in any subdirectories therein).
-
- If a Cmnd has associated command line arguments, then the arguments in
- the Cmnd must match exactly those given by the user on the command line
- (or match the wildcards if there are any). Note that the following
- characters must be escaped with a '\' if they are used in command
- arguments: ',', ':', '=', '\'. The special command "sudoedit" is used
- to permit a user to run s\bsu\bud\bdo\bo with the -\b-e\be option (or as s\bsu\bud\bdo\boe\bed\bdi\bit\bt). It
- may take command line arguments just as a normal command does.
-
- D\bDe\bef\bfa\bau\bul\blt\bts\bs
- Certain configuration options may be changed from their default values
- at runtime via one or more Default_Entry lines. These may affect all
- users on any host, all users on a specific host, a specific user, a
- specific command, or commands being run as a specific user. Note that
- per-command entries may not include command line arguments. If you
- need to specify arguments, define a Cmnd_Alias and reference that
- instead.
-
- Default_Type ::= 'Defaults' |
- 'Defaults' '@' Host_List |
- 'Defaults' ':' User_List |
- 'Defaults' '!' Cmnd_List |
- 'Defaults' '>' Runas_List
-
- Default_Entry ::= Default_Type Parameter_List
-
- Parameter_List ::= Parameter |
- Parameter ',' Parameter_List
-
- Parameter ::= Parameter '=' Value |
- Parameter '+=' Value |
- Parameter '-=' Value |
- '!'* Parameter
-
- Parameters may be f\bfl\bla\bag\bgs\bs, i\bin\bnt\bte\beg\bge\ber\br values, s\bst\btr\bri\bin\bng\bgs\bs, or l\bli\bis\bst\bts\bs. Flags are
- implicitly boolean and can be turned off via the '!' operator. Some
- integer, string and list parameters may also be used in a boolean
- context to disable them. Values may be enclosed in double quotes (")
- when they contain multiple words. Special characters may be escaped
- with a backslash (\).
-
- Lists have two additional assignment operators, += and -=. These
- operators are used to add to and delete from a list respectively. It
- is not an error to use the -= operator to remove an element that does
- not exist in a list.
-
-
-
-
-1.7.4 July 21, 2010 4
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- Defaults entries are parsed in the following order: generic, host and
- user Defaults first, then runas Defaults and finally command defaults.
-
- See "SUDOERS OPTIONS" for a list of supported Defaults parameters.
-
- U\bUs\bse\ber\br S\bSp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn
- User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
- (':' Host_List '=' Cmnd_Spec_List)*
-
- Cmnd_Spec_List ::= Cmnd_Spec |
- Cmnd_Spec ',' Cmnd_Spec_List
-
- Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
-
- Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
-
- SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
-
- Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
- 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
- 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
-
- A u\bus\bse\ber\br s\bsp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn determines which commands a user may run (and as
- what user) on specified hosts. By default, commands are run as r\bro\boo\bot\bt,
- but this can be changed on a per-command basis.
-
- The basic structure of a user specification is `who = where (as_whom)
- what'. Let's break that down into its constituent parts:
-
- R\bRu\bun\bna\bas\bs_\b_S\bSp\bpe\bec\bc
- A Runas_Spec determines the user and/or the group that a command may be
- run as. A fully-specified Runas_Spec consists of two Runas_Lists (as
- defined above) separated by a colon (':') and enclosed in a set of
- parentheses. The first Runas_List indicates which users the command
- may be run as via s\bsu\bud\bdo\bo's -\b-u\bu option. The second defines a list of
- groups that can be specified via s\bsu\bud\bdo\bo's -\b-g\bg option. If both Runas_Lists
- are specified, the command may be run with any combination of users and
- groups listed in their respective Runas_Lists. If only the first is
- specified, the command may be run as any user in the list but no -\b-g\bg
- option may be specified. If the first Runas_List is empty but the
- second is specified, the command may be run as the invoking user with
- the group set to any listed in the Runas_List. If no Runas_Spec is
- specified the command may be run as r\bro\boo\bot\bt and no group may be specified.
-
- A Runas_Spec sets the default for the commands that follow it. What
- this means is that for the entry:
-
- dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
-
- The user d\bdg\bgb\bb may run _\b/_\bb_\bi_\bn_\b/_\bl_\bs, _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm -- but only
- as o\bop\bpe\ber\bra\bat\bto\bor\br. E.g.,
-
- $ sudo -u operator /bin/ls.
-
-
-
-
-1.7.4 July 21, 2010 5
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- It is also possible to override a Runas_Spec later on in an entry. If
- we modify the entry like so:
-
- dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
-
- Then user d\bdg\bgb\bb is now allowed to run _\b/_\bb_\bi_\bn_\b/_\bl_\bs as o\bop\bpe\ber\bra\bat\bto\bor\br, but _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl
- and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as r\bro\boo\bot\bt.
-
- We can extend this to allow d\bdg\bgb\bb to run /bin/ls with either the user or
- group set to o\bop\bpe\ber\bra\bat\bto\bor\br:
-
- dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \
- /usr/bin/lprm
-
- In the following example, user t\btc\bcm\bm may run commands that access a modem
- device file with the dialer group. Note that in this example only the
- group will be set, the command still runs as user t\btc\bcm\bm.
-
- tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
- /usr/local/bin/minicom
-
- S\bSE\bEL\bLi\bin\bnu\bux\bx_\b_S\bSp\bpe\bec\bc
- On systems with SELinux support, _\bs_\bu_\bd_\bo_\be_\br_\bs entries may optionally have an
- SELinux role and/or type associated with a command. If a role or type
- is specified with the command it will override any default values
- specified in _\bs_\bu_\bd_\bo_\be_\br_\bs. A role or type specified on the command line,
- however, will supercede the values in _\bs_\bu_\bd_\bo_\be_\br_\bs.
-
- T\bTa\bag\bg_\b_S\bSp\bpe\bec\bc
- A command may have zero or more tags associated with it. There are
- eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV,
- NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a
- tag is set on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit
- the tag unless it is overridden by the opposite tag (i.e.: PASSWD
- overrides NOPASSWD and NOEXEC overrides EXEC).
-
- _\bN_\bO_\bP_\bA_\bS_\bS_\bW_\bD _\ba_\bn_\bd _\bP_\bA_\bS_\bS_\bW_\bD
-
- By default, s\bsu\bud\bdo\bo requires that a user authenticate him or herself
- before running a command. This behavior can be modified via the
- NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for
- the commands that follow it in the Cmnd_Spec_List. Conversely, the
- PASSWD tag can be used to reverse things. For example:
-
- ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
-
- would allow the user r\bra\bay\by to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, _\b/_\bb_\bi_\bn_\b/_\bl_\bs, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm
- as r\bro\boo\bot\bt on the machine rushmore without authenticating himself. If we
- only want r\bra\bay\by to be able to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl without a password the entry
- would be:
-
- ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
-
- Note, however, that the PASSWD tag has no effect on users who are in
-
-
-
-1.7.4 July 21, 2010 6
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- the group specified by the _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option.
-
- By default, if the NOPASSWD tag is applied to any of the entries for a
- user on the current host, he or she will be able to run sudo -l without
- a password. Additionally, a user may only run sudo -v without a
- password if the NOPASSWD tag is present for all a user's entries that
- pertain to the current host. This behavior may be overridden via the
- verifypw and listpw options.
-
- _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC
-
- If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the underlying
- operating system supports it, the NOEXEC tag can be used to prevent a
- dynamically-linked executable from running further commands itself.
-
- In the following example, user a\baa\bar\bro\bon\bn may run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and
- _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi but shell escapes will be disabled.
-
- aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
-
- See the "PREVENTING SHELL ESCAPES" section below for more details on
- how NOEXEC works and whether or not it will work on your system.
-
- _\bS_\bE_\bT_\bE_\bN_\bV _\ba_\bn_\bd _\bN_\bO_\bS_\bE_\bT_\bE_\bN_\bV
-
- These tags override the value of the _\bs_\be_\bt_\be_\bn_\bv option on a per-command
- basis. Note that if SETENV has been set for a command, any environment
- variables set on the command line way are not subject to the
- restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such,
- only trusted users should be allowed to set variables in this manner.
- If the command matched is A\bAL\bLL\bL, the SETENV tag is implied for that
- command; this default may be overridden by use of the NOSETENV tag.
-
- _\bL_\bO_\bG_\b__\bI_\bN_\bP_\bU_\bT _\ba_\bn_\bd _\bN_\bO_\bL_\bO_\bG_\b__\bI_\bN_\bP_\bU_\bT
-
- These tags override the value of the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt option on a per-command
- basis. For more information, see the description of _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt in the
- "SUDOERS OPTIONS" section below.
-
- _\bL_\bO_\bG_\b__\bO_\bU_\bT_\bP_\bU_\bT _\ba_\bn_\bd _\bN_\bO_\bL_\bO_\bG_\b__\bO_\bU_\bT_\bP_\bU_\bT
-
- These tags override the value of the _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt option on a per-command
- basis. For more information, see the description of _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt in the
- "SUDOERS OPTIONS" section below.
-
- W\bWi\bil\bld\bdc\bca\bar\brd\bds\bs
- s\bsu\bud\bdo\bo allows shell-style _\bw_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs (aka meta or glob characters) to be
- used in host names, path names and command line arguments in the
- _\bs_\bu_\bd_\bo_\be_\br_\bs file. Wildcard matching is done via the P\bPO\bOS\bSI\bIX\bX _\bg_\bl_\bo_\bb(3) and
- _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) routines. Note that these are _\bn_\bo_\bt regular expressions.
-
- * Matches any set of zero or more characters.
-
- ? Matches any single character.
-
-
-
-1.7.4 July 21, 2010 7
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- [...] Matches any character in the specified range.
-
- [!...] Matches any character n\bno\bot\bt in the specified range.
-
- \x For any character "x", evaluates to "x". This is used to
- escape special characters such as: "*", "?", "[", and "}".
-
- POSIX character classes may also be used if your system's _\bg_\bl_\bo_\bb(3) and
- _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) functions support them. However, because the ':' character
- has special meaning in _\bs_\bu_\bd_\bo_\be_\br_\bs, it must be escaped. For example:
-
- /bin/ls [[\:alpha\:]]*
-
- Would match any file name beginning with a letter.
-
- Note that a forward slash ('/') will n\bno\bot\bt be matched by wildcards used
- in the path name. When matching the command line arguments, however, a
- slash d\bdo\boe\bes\bs get matched by wildcards. This is to make a path like:
-
- /usr/bin/*
-
- match _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bw_\bh_\bo but not _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bX_\b1_\b1_\b/_\bx_\bt_\be_\br_\bm.
-
- E\bEx\bxc\bce\bep\bpt\bti\bio\bon\bns\bs t\bto\bo w\bwi\bil\bld\bdc\bca\bar\brd\bd r\bru\bul\ble\bes\bs
- The following exceptions apply to the above rules:
-
- "" If the empty string "" is the only command line argument in the
- _\bs_\bu_\bd_\bo_\be_\br_\bs entry it means that command is not allowed to be run
- with a\ban\bny\by arguments.
-
- I\bIn\bnc\bcl\blu\bud\bdi\bin\bng\bg o\bot\bth\bhe\ber\br f\bfi\bil\ble\bes\bs f\bfr\bro\bom\bm w\bwi\bit\bth\bhi\bin\bn s\bsu\bud\bdo\boe\ber\brs\bs
- It is possible to include other _\bs_\bu_\bd_\bo_\be_\br_\bs files from within the _\bs_\bu_\bd_\bo_\be_\br_\bs
- file currently being parsed using the #include and #includedir
- directives.
-
- This can be used, for example, to keep a site-wide _\bs_\bu_\bd_\bo_\be_\br_\bs file in
- addition to a local, per-machine file. For the sake of this example
- the site-wide _\bs_\bu_\bd_\bo_\be_\br_\bs will be _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs and the per-machine one will
- be _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. To include _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl from within
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs we would use the following line in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs:
-
- #include /etc/sudoers.local
-
- When s\bsu\bud\bdo\bo reaches this line it will suspend processing of the current
- file (_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs) and switch to _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. Upon reaching
- the end of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl, the rest of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs will be
- processed. Files that are included may themselves include other files.
- A hard limit of 128 nested include files is enforced to prevent include
- file loops.
-
- The file name may include the %h escape, signifying the short form of
- the host name. I.e., if the machine's host name is "xerxes", then
-
- #include /etc/sudoers.%h
-
-
-
-1.7.4 July 21, 2010 8
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- will cause s\bsu\bud\bdo\bo to include the file _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bx_\be_\br_\bx_\be_\bs.
-
- The #includedir directive can be used to create a _\bs_\bu_\bd_\bo_\b._\bd directory that
- the system package manager can drop _\bs_\bu_\bd_\bo_\be_\br_\bs rules into as part of
- package installation. For example, given:
-
- #includedir /etc/sudoers.d
-
- s\bsu\bud\bdo\bo will read each file in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd, skipping file names that
- end in ~ or contain a . character to avoid causing problems with
- package manager or editor temporary/backup files. Files are parsed in
- sorted lexical order. That is, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b0_\b1_\b__\bf_\bi_\br_\bs_\bt will be parsed
- before _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Be aware that because the sorting is
- lexical, not numeric, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b__\bw_\bh_\bo_\bo_\bp_\bs would be loaded a\baf\bft\bte\ber\br
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Using a consistent number of leading zeroes
- in the file names can be used to avoid such problems.
-
- Note that unlike files included via #include, v\bvi\bis\bsu\bud\bdo\bo will not edit the
- files in a #includedir directory unless one of them contains a syntax
- error. It is still possible to run v\bvi\bis\bsu\bud\bdo\bo with the -f flag to edit the
- files directly.
-
- O\bOt\bth\bhe\ber\br s\bsp\bpe\bec\bci\bia\bal\bl c\bch\bha\bar\bra\bac\bct\bte\ber\brs\bs a\ban\bnd\bd r\bre\bes\bse\ber\brv\bve\bed\bd w\bwo\bor\brd\bds\bs
- The pound sign ('#') is used to indicate a comment (unless it is part
- of a #include directive or unless it occurs in the context of a user
- name and is followed by one or more digits, in which case it is treated
- as a uid). Both the comment character and any text after it, up to the
- end of the line, are ignored.
-
- The reserved word A\bAL\bLL\bL is a built-in _\ba_\bl_\bi_\ba_\bs that always causes a match to
- succeed. It can be used wherever one might otherwise use a Cmnd_Alias,
- User_Alias, Runas_Alias, or Host_Alias. You should not try to define
- your own _\ba_\bl_\bi_\ba_\bs called A\bAL\bLL\bL as the built-in alias will be used in
- preference to your own. Please note that using A\bAL\bLL\bL can be dangerous
- since in a command context, it allows the user to run a\ban\bny\by command on
- the system.
-
- An exclamation point ('!') can be used as a logical _\bn_\bo_\bt operator both
- in an _\ba_\bl_\bi_\ba_\bs and in front of a Cmnd. This allows one to exclude certain
- values. Note, however, that using a ! in conjunction with the built-in
- ALL alias to allow a user to run "all but a few" commands rarely works
- as intended (see SECURITY NOTES below).
-
- Long lines can be continued with a backslash ('\') as the last
- character on the line.
-
- Whitespace between elements in a list as well as special syntactic
- characters in a _\bU_\bs_\be_\br _\bS_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn ('=', ':', '(', ')') is optional.
-
- The following characters must be escaped with a backslash ('\') when
- used as part of a word (e.g. a user name or host name): '@', '!', '=',
- ':', ',', '(', ')', '\'.
-
-
-
-
-
-1.7.4 July 21, 2010 9
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
-S\bSU\bUD\bDO\bOE\bER\bRS\bS O\bOP\bPT\bTI\bIO\bON\bNS\bS
- s\bsu\bud\bdo\bo's behavior can be modified by Default_Entry lines, as explained
- earlier. A list of all supported Defaults parameters, grouped by type,
- are listed below.
-
- B\bBo\boo\bol\ble\bea\ban\bn F\bFl\bla\bag\bgs\bs:
-
- always_set_home If enabled, s\bsu\bud\bdo\bo will set the HOME environment variable
- to the home directory of the target user (which is root
- unless the -\b-u\bu option is used). This effectively means
- that the -\b-H\bH option is always implied. Note that HOME
- is already set when the the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is
- enabled, so _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be is only effective for
- configurations where _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt is disabled. This flag
- is _\bo_\bf_\bf by default.
-
- authenticate If set, users must authenticate themselves via a
- password (or other means of authentication) before they
- may run commands. This default may be overridden via
- the PASSWD and NOPASSWD tags. This flag is _\bo_\bn by
- default.
-
- closefrom_override
- If set, the user may use s\bsu\bud\bdo\bo's -\b-C\bC option which
- overrides the default starting point at which s\bsu\bud\bdo\bo
- begins closing open file descriptors. This flag is _\bo_\bf_\bf
- by default.
-
- compress_io If set, and s\bsu\bud\bdo\bo is configured to log a command's input
- or output, the I/O logs will be compressed using z\bzl\bli\bib\bb.
- This flag is _\bo_\bn by default when s\bsu\bud\bdo\bo is compiled with
- z\bzl\bli\bib\bb support.
-
- env_editor If set, v\bvi\bis\bsu\bud\bdo\bo will use the value of the EDITOR or
- VISUAL environment variables before falling back on the
- default editor list. Note that this may create a
- security hole as it allows the user to run any
- arbitrary command as root without logging. A safer
- alternative is to place a colon-separated list of
- editors in the editor variable. v\bvi\bis\bsu\bud\bdo\bo will then only
- use the EDITOR or VISUAL if they match a value
- specified in editor. This flag is _\bo_\bf_\bf by default.
-
- env_reset If set, s\bsu\bud\bdo\bo will reset the environment to only contain
- the LOGNAME, MAIL, SHELL, USER, USERNAME and the SUDO_*
- variables. Any variables in the caller's environment
- that match the env_keep and env_check lists are then
- added. The default contents of the env_keep and
- env_check lists are displayed when s\bsu\bud\bdo\bo is run by root
- with the _\b-_\bV option. If the _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh option is set,
- its value will be used for the PATH environment
- variable. This flag is _\bo_\bn by default.
-
- fast_glob Normally, s\bsu\bud\bdo\bo uses the _\bg_\bl_\bo_\bb(3) function to do shell-
-
-
-
-1.7.4 July 21, 2010 10
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- style globbing when matching path names. However,
- since it accesses the file system, _\bg_\bl_\bo_\bb(3) can take a
- long time to complete for some patterns, especially
- when the pattern references a network file system that
- is mounted on demand (automounted). The _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb
- option causes s\bsu\bud\bdo\bo to use the _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) function,
- which does not access the file system to do its
- matching. The disadvantage of _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is that it is
- unable to match relative path names such as _\b._\b/_\bl_\bs or
- _\b._\b._\b/_\bb_\bi_\bn_\b/_\bl_\bs. This has security implications when path
- names that include globbing characters are used with
- the negation operator, '!', as such rules can be
- trivially bypassed. As such, this option should not be
- used when _\bs_\bu_\bd_\bo_\be_\br_\bs contains rules that contain negated
- path names which include globbing characters. This
- flag is _\bo_\bf_\bf by default.
-
- fqdn Set this flag if you want to put fully qualified host
- names in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. I.e., instead of myhost you
- would use myhost.mydomain.edu. You may still use the
- short form if you wish (and even mix the two). Beware
- that turning on _\bf_\bq_\bd_\bn requires s\bsu\bud\bdo\bo to make DNS lookups
- which may make s\bsu\bud\bdo\bo unusable if DNS stops working (for
- example if the machine is not plugged into the
- network). Also note that you must use the host's
- official name as DNS knows it. That is, you may not
- use a host alias (CNAME entry) due to performance
- issues and the fact that there is no way to get all
- aliases from DNS. If your machine's host name (as
- returned by the hostname command) is already fully
- qualified you shouldn't need to set _\bf_\bq_\bd_\bn. This flag is
- _\bo_\bf_\bf by default.
-
- ignore_dot If set, s\bsu\bud\bdo\bo will ignore '.' or '' (current dir) in the
- PATH environment variable; the PATH itself is not
- modified. This flag is _\bo_\bf_\bf by default.
-
- ignore_local_sudoers
- If set via LDAP, parsing of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs will be
- skipped. This is intended for Enterprises that wish to
- prevent the usage of local sudoers files so that only
- LDAP is used. This thwarts the efforts of rogue
- operators who would attempt to add roles to
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. When this option is present,
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs does not even need to exist. Since this
- option tells s\bsu\bud\bdo\bo how to behave when no specific LDAP
- entries have been matched, this sudoOption is only
- meaningful for the cn=defaults section. This flag is
- _\bo_\bf_\bf by default.
-
- insults If set, s\bsu\bud\bdo\bo will insult users when they enter an
- incorrect password. This flag is _\bo_\bf_\bf by default.
-
- log_host If set, the host name will be logged in the (non-
-
-
-
-1.7.4 July 21, 2010 11
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
-
- log_year If set, the four-digit year will be logged in the (non-
- syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
-
- long_otp_prompt When validating with a One Time Password (OPT) scheme
- such as S\bS/\b/K\bKe\bey\by or O\bOP\bPI\bIE\bE, a two-line prompt is used to
- make it easier to cut and paste the challenge to a
- local window. It's not as pretty as the default but
- some people find it more convenient. This flag is _\bo_\bf_\bf
- by default.
-
- mail_always Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user every time a users runs
- s\bsu\bud\bdo\bo. This flag is _\bo_\bf_\bf by default.
-
- mail_badpass Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user if the user running s\bsu\bud\bdo\bo
- does not enter the correct password. This flag is _\bo_\bf_\bf
- by default.
-
- mail_no_host If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
- invoking user exists in the _\bs_\bu_\bd_\bo_\be_\br_\bs file, but is not
- allowed to run commands on the current host. This flag
- is _\bo_\bf_\bf by default.
-
- mail_no_perms If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
- invoking user is allowed to use s\bsu\bud\bdo\bo but the command
- they are trying is not listed in their _\bs_\bu_\bd_\bo_\be_\br_\bs file
- entry or is explicitly denied. This flag is _\bo_\bf_\bf by
- default.
-
- mail_no_user If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
- invoking user is not in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. This flag is
- _\bo_\bn by default.
-
- noexec If set, all commands run via s\bsu\bud\bdo\bo will behave as if the
- NOEXEC tag has been set, unless overridden by a EXEC
- tag. See the description of _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC below as
- well as the "PREVENTING SHELL ESCAPES" section at the
- end of this manual. This flag is _\bo_\bf_\bf by default.
-
- path_info Normally, s\bsu\bud\bdo\bo will tell the user when a command could
- not be found in their PATH environment variable. Some
- sites may wish to disable this as it could be used to
- gather information on the location of executables that
- the normal user does not have access to. The
- disadvantage is that if the executable is simply not in
- the user's PATH, s\bsu\bud\bdo\bo will tell the user that they are
- not allowed to run it, which can be confusing. This
- flag is _\bo_\bn by default.
-
- passprompt_override
- The password prompt specified by _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will
- normally only be used if the password prompt provided
- by systems such as PAM matches the string "Password:".
-
-
-
-1.7.4 July 21, 2010 12
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- If _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is set, _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will always
- be used. This flag is _\bo_\bf_\bf by default.
-
- preserve_groups By default, s\bsu\bud\bdo\bo will initialize the group vector to
- the list of groups the target user is in. When
- _\bp_\br_\be_\bs_\be_\br_\bv_\be_\b__\bg_\br_\bo_\bu_\bp_\bs is set, the user's existing group
- vector is left unaltered. The real and effective group
- IDs, however, are still set to match the target user.
- This flag is _\bo_\bf_\bf by default.
-
- pwfeedback By default, s\bsu\bud\bdo\bo reads the password like most other
- Unix programs, by turning off echo until the user hits
- the return (or enter) key. Some users become confused
- by this as it appears to them that s\bsu\bud\bdo\bo has hung at
- this point. When _\bp_\bw_\bf_\be_\be_\bd_\bb_\ba_\bc_\bk is set, s\bsu\bud\bdo\bo will provide
- visual feedback when the user presses a key. Note that
- this does have a security impact as an onlooker may be
- able to determine the length of the password being
- entered. This flag is _\bo_\bf_\bf by default.
-
- requiretty If set, s\bsu\bud\bdo\bo will only run when the user is logged in
- to a real tty. When this flag is set, s\bsu\bud\bdo\bo can only be
- run from a login session and not via other means such
- as _\bc_\br_\bo_\bn(1m) or cgi-bin scripts. This flag is _\bo_\bf_\bf by
- default.
-
- root_sudo If set, root is allowed to run s\bsu\bud\bdo\bo too. Disabling
- this prevents users from "chaining" s\bsu\bud\bdo\bo commands to
- get a root shell by doing something like "sudo sudo
- /bin/sh". Note, however, that turning off _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo
- will also prevent root from running s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
- Disabling _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo provides no real additional
- security; it exists purely for historical reasons.
- This flag is _\bo_\bn by default.
-
- rootpw If set, s\bsu\bud\bdo\bo will prompt for the root password instead
- of the password of the invoking user. This flag is _\bo_\bf_\bf
- by default.
-
- runaspw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
- defined by the _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt option (defaults to root)
- instead of the password of the invoking user. This
- flag is _\bo_\bf_\bf by default.
-
- set_home If enabled and s\bsu\bud\bdo\bo is invoked with the -\b-s\bs option the
- HOME environment variable will be set to the home
- directory of the target user (which is root unless the
- -\b-u\bu option is used). This effectively makes the -\b-s\bs
- option imply -\b-H\bH. Note that HOME is already set when
- the the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is enabled, so _\bs_\be_\bt_\b__\bh_\bo_\bm_\be is
- only effective for configurations where _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt is
- disabled. This flag is _\bo_\bf_\bf by default.
-
- set_logname Normally, s\bsu\bud\bdo\bo will set the LOGNAME, USER and USERNAME
-
-
-
-1.7.4 July 21, 2010 13
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- environment variables to the name of the target user
- (usually root unless the -\b-u\bu option is given). However,
- since some programs (including the RCS revision control
- system) use LOGNAME to determine the real identity of
- the user, it may be desirable to change this behavior.
- This can be done by negating the set_logname option.
- Note that if the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option has not been
- disabled, entries in the _\be_\bn_\bv_\b__\bk_\be_\be_\bp list will override
- the value of _\bs_\be_\bt_\b__\bl_\bo_\bg_\bn_\ba_\bm_\be. This flag is _\bo_\bn by default.
-
- setenv Allow the user to disable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option from the
- command line. Additionally, environment variables set
- via the command line are not subject to the
- restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or
- _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such, only trusted users should be
- allowed to set variables in this manner. This flag is
- _\bo_\bf_\bf by default.
-
- shell_noargs If set and s\bsu\bud\bdo\bo is invoked with no arguments it acts as
- if the -\b-s\bs option had been given. That is, it runs a
- shell as root (the shell is determined by the SHELL
- environment variable if it is set, falling back on the
- shell listed in the invoking user's /etc/passwd entry
- if not). This flag is _\bo_\bf_\bf by default.
-
- stay_setuid Normally, when s\bsu\bud\bdo\bo executes a command the real and
- effective UIDs are set to the target user (root by
- default). This option changes that behavior such that
- the real UID is left as the invoking user's UID. In
- other words, this makes s\bsu\bud\bdo\bo act as a setuid wrapper.
- This can be useful on systems that disable some
- potentially dangerous functionality when a program is
- run setuid. This option is only effective on systems
- with either the _\bs_\be_\bt_\br_\be_\bu_\bi_\bd_\b(_\b) or _\bs_\be_\bt_\br_\be_\bs_\bu_\bi_\bd_\b(_\b) function.
- This flag is _\bo_\bf_\bf by default.
-
- targetpw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
- specified by the -\b-u\bu option (defaults to root) instead
- of the password of the invoking user. In addition, the
- timestamp file name will include the target user's
- name. Note that this flag precludes the use of a uid
- not listed in the passwd database as an argument to the
- -\b-u\bu option. This flag is _\bo_\bf_\bf by default.
-
- log_input If set, s\bsu\bud\bdo\bo will run the command in a _\bp_\bs_\be_\bu_\bd_\bo _\bt_\bt_\by and
- log all user input. If the standard input is not
- connected to the user's tty, due to I/O redirection or
- because the command is part of a pipeline, that input
- is also captured and stored in a separate log file.
-
- Input is logged to the _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo directory using
- a unique session ID that is included in the normal s\bsu\bud\bdo\bo
- log line, prefixed with _\bT_\bS_\bI_\bD_\b=.
-
-
-
-
-1.7.4 July 21, 2010 14
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- log_output If set, s\bsu\bud\bdo\bo will run the command in a _\bp_\bs_\be_\bu_\bd_\bo _\bt_\bt_\by and
- log all output that is sent to the screen, similar to
- the _\bs_\bc_\br_\bi_\bp_\bt(1) command. If the standard output or
- standard error is not connected to the user's tty, due
- to I/O redirection or because the command is part of a
- pipeline, that output is also captured and stored in
- separate log files.
-
- Output is logged to the _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo directory
- using a unique session ID that is included in the
- normal s\bsu\bud\bdo\bo log line, prefixed with _\bT_\bS_\bI_\bD_\b=.
-
- Output logs may be viewed with the _\bs_\bu_\bd_\bo_\br_\be_\bp_\bl_\ba_\by(1m)
- utility, which can also be used to list or search the
- available logs.
-
- tty_tickets If set, users must authenticate on a per-tty basis.
- With this flag enabled, s\bsu\bud\bdo\bo will use a file named for
- the tty the user is logged in on in the user's time
- stamp directory. If disabled, the time stamp of the
- directory is used instead. This flag is _\bo_\bn by default.
-
- umask_override If set, s\bsu\bud\bdo\bo will set the umask as specified by _\bs_\bu_\bd_\bo_\be_\br_\bs
- without modification. This makes it possible to
- specify a more permissive umask in _\bs_\bu_\bd_\bo_\be_\br_\bs than the
- user's own umask and matches historical behavior. If
- _\bu_\bm_\ba_\bs_\bk_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is not set, s\bsu\bud\bdo\bo will set the umask to
- be the union of the user's umask and what is specified
- in _\bs_\bu_\bd_\bo_\be_\br_\bs. This flag is _\bo_\bf_\bf by default.
-
- use_loginclass If set, s\bsu\bud\bdo\bo will apply the defaults specified for the
- target user's login class if one exists. Only
- available if s\bsu\bud\bdo\bo is configured with the
- --with-logincap option. This flag is _\bo_\bf_\bf by default.
-
- use_pty If set, s\bsu\bud\bdo\bo will run the command in a pseudo-pty even
- if no I/O logging is being gone. A malicious program
- run under s\bsu\bud\bdo\bo could conceivably fork a background
- process that retains to the user's terminal device
- after the main program has finished executing. Use of
- this option will make that impossible.
-
- visiblepw By default, s\bsu\bud\bdo\bo will refuse to run if the user must
- enter a password but it is not possible to disable echo
- on the terminal. If the _\bv_\bi_\bs_\bi_\bb_\bl_\be_\bp_\bw flag is set, s\bsu\bud\bdo\bo
- will prompt for a password even when it would be
- visible on the screen. This makes it possible to run
- things like "rsh somehost sudo ls" since _\br_\bs_\bh(1) does
- not allocate a tty. This flag is _\bo_\bf_\bf by default.
-
- I\bIn\bnt\bte\beg\bge\ber\brs\bs:
-
- closefrom Before it executes a command, s\bsu\bud\bdo\bo will close all open
- file descriptors other than standard input, standard
-
-
-
-1.7.4 July 21, 2010 15
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- output and standard error (ie: file descriptors 0-2).
- The _\bc_\bl_\bo_\bs_\be_\bf_\br_\bo_\bm option can be used to specify a different
- file descriptor at which to start closing. The default
- is 3.
-
- passwd_tries The number of tries a user gets to enter his/her
- password before s\bsu\bud\bdo\bo logs the failure and exits. The
- default is 3.
-
- I\bIn\bnt\bte\beg\bge\ber\brs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
-
- loglinelen Number of characters per line for the file log. This
- value is used to decide when to wrap lines for nicer
- log files. This has no effect on the syslog log file,
- only the file log. The default is 80 (use 0 or negate
- the option to disable word wrap).
-
- passwd_timeout Number of minutes before the s\bsu\bud\bdo\bo password prompt times
- out, or 0 for no timeout. The timeout may include a
- fractional component if minute granularity is
- insufficient, for example 2.5. The default is 5.
-
- timestamp_timeout
- Number of minutes that can elapse before s\bsu\bud\bdo\bo will ask
- for a passwd again. The timeout may include a
- fractional component if minute granularity is
- insufficient, for example 2.5. The default is 5. Set
- this to 0 to always prompt for a password. If set to a
- value less than 0 the user's timestamp will never
- expire. This can be used to allow users to create or
- delete their own timestamps via sudo -v and sudo -k
- respectively.
-
- umask Umask to use when running the command. Negate this
- option or set it to 0777 to preserve the user's umask.
- The actual umask that is used will be the union of the
- user's umask and 0022. This guarantees that s\bsu\bud\bdo\bo never
- lowers the umask when running a command. Note on
- systems that use PAM, the default PAM configuration may
- specify its own umask which will override the value set
- in _\bs_\bu_\bd_\bo_\be_\br_\bs.
-
- S\bSt\btr\bri\bin\bng\bgs\bs:
-
- badpass_message Message that is displayed if a user enters an incorrect
- password. The default is Sorry, try again. unless
- insults are enabled.
-
- editor A colon (':') separated list of editors allowed to be
- used with v\bvi\bis\bsu\bud\bdo\bo. v\bvi\bis\bsu\bud\bdo\bo will choose the editor that
- matches the user's EDITOR environment variable if
- possible, or the first editor in the list that exists
- and is executable. The default is "vi".
-
-
-
-
-1.7.4 July 21, 2010 16
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- mailsub Subject of the mail sent to the _\bm_\ba_\bi_\bl_\bt_\bo user. The escape
- %h will expand to the host name of the machine.
- Default is *** SECURITY information for %h ***.
-
- noexec_file Path to a shared library containing dummy versions of
- the _\be_\bx_\be_\bc_\bv_\b(_\b), _\be_\bx_\be_\bc_\bv_\be_\b(_\b) and _\bf_\be_\bx_\be_\bc_\bv_\be_\b(_\b) library functions
- that just return an error. This is used to implement
- the _\bn_\bo_\be_\bx_\be_\bc functionality on systems that support
- LD_PRELOAD or its equivalent. Defaults to
- _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc_\b/_\bs_\bu_\bd_\bo_\b__\bn_\bo_\be_\bx_\be_\bc_\b._\bs_\bo.
-
- passprompt The default prompt to use when asking for a password;
- can be overridden via the -\b-p\bp option or the SUDO_PROMPT
- environment variable. The following percent (`%')
- escapes are supported:
-
- %H expanded to the local host name including the
- domain name (on if the machine's host name is fully
- qualified or the _\bf_\bq_\bd_\bn option is set)
-
- %h expanded to the local host name without the domain
- name
-
- %p expanded to the user whose password is being asked
- for (respects the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and _\br_\bu_\bn_\ba_\bs_\bp_\bw
- flags in _\bs_\bu_\bd_\bo_\be_\br_\bs)
-
- %U expanded to the login name of the user the command
- will be run as (defaults to root)
-
- %u expanded to the invoking user's login name
-
- %% two consecutive % characters are collapsed into a
- single % character
-
- The default value is Password:.
-
- role The default SELinux role to use when constructing a new
- security context to run the command. The default role
- may be overridden on a per-command basis in _\bs_\bu_\bd_\bo_\be_\br_\bs or
- via command line options. This option is only
- available whe s\bsu\bud\bdo\bo is built with SELinux support.
-
- runas_default The default user to run commands as if the -\b-u\bu option is
- not specified on the command line. This defaults to
- root. Note that if _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt is set it m\bmu\bus\bst\bt occur
- before any Runas_Alias specifications.
-
- syslog_badpri Syslog priority to use when user authenticates
- unsuccessfully. Defaults to alert.
-
- syslog_goodpri Syslog priority to use when user authenticates
- successfully. Defaults to notice.
-
-
-
-
-1.7.4 July 21, 2010 17
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- sudoers_locale Locale to use when parsing the sudoers file. Note that
- changing the locale may affect how sudoers is
- interpreted. Defaults to "C".
-
- timestampdir The directory in which s\bsu\bud\bdo\bo stores its timestamp files.
- The default is _\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo.
-
- timestampowner The owner of the timestamp directory and the timestamps
- stored therein. The default is root.
-
- type The default SELinux type to use when constructing a new
- security context to run the command. The default type
- may be overridden on a per-command basis in _\bs_\bu_\bd_\bo_\be_\br_\bs or
- via command line options. This option is only
- available whe s\bsu\bud\bdo\bo is built with SELinux support.
-
- S\bSt\btr\bri\bin\bng\bgs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
-
- askpass The _\ba_\bs_\bk_\bp_\ba_\bs_\bs option specifies the fully qualified path to a
- helper program used to read the user's password when no
- terminal is available. This may be the case when s\bsu\bud\bdo\bo is
- executed from a graphical (as opposed to text-based)
- application. The program specified by _\ba_\bs_\bk_\bp_\ba_\bs_\bs should
- display the argument passed to it as the prompt and write
- the user's password to the standard output. The value of
- _\ba_\bs_\bk_\bp_\ba_\bs_\bs may be overridden by the SUDO_ASKPASS environment
- variable.
-
- env_file The _\be_\bn_\bv_\b__\bf_\bi_\bl_\be options specifies the fully qualified path to
- a file containing variables to be set in the environment of
- the program being run. Entries in this file should either
- be of the form VARIABLE=value or export VARIABLE=value.
- The value may optionally be surrounded by single or double
- quotes. Variables in this file are subject to other s\bsu\bud\bdo\bo
- environment settings such as _\be_\bn_\bv_\b__\bk_\be_\be_\bp and _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk.
-
- exempt_group
- Users in this group are exempt from password and PATH
- requirements. This is not set by default.
-
- lecture This option controls when a short lecture will be printed
- along with the password prompt. It has the following
- possible values:
-
- always Always lecture the user.
-
- never Never lecture the user.
-
- once Only lecture the user the first time they run s\bsu\bud\bdo\bo.
-
- If no value is specified, a value of _\bo_\bn_\bc_\be is implied.
- Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
- The default value is _\bo_\bn_\bc_\be.
-
-
-
-
-1.7.4 July 21, 2010 18
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- lecture_file
- Path to a file containing an alternate s\bsu\bud\bdo\bo lecture that
- will be used in place of the standard lecture if the named
- file exists. By default, s\bsu\bud\bdo\bo uses a built-in lecture.
-
- listpw This option controls when a password will be required when
- a user runs s\bsu\bud\bdo\bo with the -\b-l\bl option. It has the following
- possible values:
-
- all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the current host
- must have the NOPASSWD flag set to avoid entering a
- password.
-
- always The user must always enter a password to use the -\b-l\bl
- option.
-
- any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the
- current host must have the NOPASSWD flag set to
- avoid entering a password.
-
- never The user need never enter a password to use the -\b-l\bl
- option.
-
- If no value is specified, a value of _\ba_\bn_\by is implied.
- Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
- The default value is _\ba_\bn_\by.
-
- logfile Path to the s\bsu\bud\bdo\bo log file (not the syslog log file).
- Setting a path turns on logging to a file; negating this
- option turns it off. By default, s\bsu\bud\bdo\bo logs via syslog.
-
- mailerflags Flags to use when invoking mailer. Defaults to -\b-t\bt.
-
- mailerpath Path to mail program used to send warning mail. Defaults
- to the path to sendmail found at configure time.
-
- mailfrom Address to use for the "from" address when sending warning
- and error mail. The address should be enclosed in double
- quotes (") to protect against s\bsu\bud\bdo\bo interpreting the @ sign.
- Defaults to the name of the user running s\bsu\bud\bdo\bo.
-
- mailto Address to send warning and error mail to. The address
- should be enclosed in double quotes (") to protect against
- s\bsu\bud\bdo\bo interpreting the @ sign. Defaults to root.
-
- secure_path Path used for every command run from s\bsu\bud\bdo\bo. If you don't
- trust the people running s\bsu\bud\bdo\bo to have a sane PATH
- environment variable you may want to use this. Another use
- is if you want to have the "root path" be separate from the
- "user path." Users in the group specified by the
- _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option are not affected by _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh. This
- option is not set by default.
-
- syslog Syslog facility if syslog is being used for logging (negate
-
-
-
-1.7.4 July 21, 2010 19
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- to disable syslog logging). Defaults to auth.
-
- verifypw This option controls when a password will be required when
- a user runs s\bsu\bud\bdo\bo with the -\b-v\bv option. It has the following
- possible values:
-
- all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the current host
- must have the NOPASSWD flag set to avoid entering a
- password.
-
- always The user must always enter a password to use the -\b-v\bv
- option.
-
- any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the
- current host must have the NOPASSWD flag set to
- avoid entering a password.
-
- never The user need never enter a password to use the -\b-v\bv
- option.
-
- If no value is specified, a value of _\ba_\bl_\bl is implied.
- Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
- The default value is _\ba_\bl_\bl.
-
- L\bLi\bis\bst\bts\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
-
- env_check Environment variables to be removed from the user's
- environment if the variable's value contains % or /
- characters. This can be used to guard against printf-
- style format vulnerabilities in poorly-written
- programs. The argument may be a double-quoted, space-
- separated list or a single value without double-quotes.
- The list can be replaced, added to, deleted from, or
- disabled by using the =, +=, -=, and ! operators
- respectively. Regardless of whether the env_reset
- option is enabled or disabled, variables specified by
- env_check will be preserved in the environment if they
- pass the aforementioned check. The default list of
- environment variables to check is displayed when s\bsu\bud\bdo\bo
- is run by root with the _\b-_\bV option.
-
- env_delete Environment variables to be removed from the user's
- environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is not in effect.
- The argument may be a double-quoted, space-separated
- list or a single value without double-quotes. The list
- can be replaced, added to, deleted from, or disabled by
- using the =, +=, -=, and ! operators respectively. The
- default list of environment variables to remove is
- displayed when s\bsu\bud\bdo\bo is run by root with the _\b-_\bV option.
- Note that many operating systems will remove
- potentially dangerous variables from the environment of
- any setuid process (such as s\bsu\bud\bdo\bo).
-
- env_keep Environment variables to be preserved in the user's
-
-
-
-1.7.4 July 21, 2010 20
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is in effect.
- This allows fine-grained control over the environment
- s\bsu\bud\bdo\bo-spawned processes will receive. The argument may
- be a double-quoted, space-separated list or a single
- value without double-quotes. The list can be replaced,
- added to, deleted from, or disabled by using the =, +=,
- -=, and ! operators respectively. The default list of
- variables to keep is displayed when s\bsu\bud\bdo\bo is run by root
- with the _\b-_\bV option.
-
- When logging via _\bs_\by_\bs_\bl_\bo_\bg(3), s\bsu\bud\bdo\bo accepts the following values for the
- syslog facility (the value of the s\bsy\bys\bsl\blo\bog\bg Parameter): a\bau\but\bth\bhp\bpr\bri\biv\bv (if your
- OS supports it), a\bau\but\bth\bh, d\bda\bae\bem\bmo\bon\bn, u\bus\bse\ber\br, l\blo\boc\bca\bal\bl0\b0, l\blo\boc\bca\bal\bl1\b1, l\blo\boc\bca\bal\bl2\b2, l\blo\boc\bca\bal\bl3\b3,
- l\blo\boc\bca\bal\bl4\b4, l\blo\boc\bca\bal\bl5\b5, l\blo\boc\bca\bal\bl6\b6, and l\blo\boc\bca\bal\bl7\b7. The following syslog priorities
- are supported: a\bal\ble\ber\brt\bt, c\bcr\bri\bit\bt, d\bde\beb\bbu\bug\bg, e\bem\bme\ber\brg\bg, e\ber\brr\br, i\bin\bnf\bfo\bo, n\bno\bot\bti\bic\bce\be, and
- w\bwa\bar\brn\bni\bin\bng\bg.
-
-F\bFI\bIL\bLE\bES\bS
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
-
- _\b/_\be_\bt_\bc_\b/_\bg_\br_\bo_\bu_\bp Local groups file
-
- _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bg_\br_\bo_\bu_\bp List of network groups
-
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo I/O log files
-
-E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
- Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of these are a bit
- contrived. First, we allow a few environment variables to pass and
- then define our _\ba_\bl_\bi_\ba_\bs_\be_\bs:
-
- # Run X applications through sudo; HOME is used to find the
- # .Xauthority file. Note that other programs use HOME to find
- # configuration files and this may lead to privilege escalation!
- Defaults env_keep += "DISPLAY HOME"
-
- # User alias specification
- User_Alias FULLTIMERS = millert, mikef, dowdy
- User_Alias PARTTIMERS = bostley, jwfox, crawl
- User_Alias WEBMASTERS = will, wendy, wim
-
- # Runas alias specification
- Runas_Alias OP = root, operator
- Runas_Alias DB = oracle, sybase
- Runas_Alias ADMINGRP = adm, oper
-
- # Host alias specification
- Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
- SGI = grolsch, dandelion, black :\
- ALPHA = widget, thalamus, foobar :\
- HPPA = boa, nag, python
- Host_Alias CUNETS = 128.138.0.0/255.255.0.0
- Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
- Host_Alias SERVERS = master, mail, www, ns
-
-
-
-1.7.4 July 21, 2010 21
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- Host_Alias CDROM = orion, perseus, hercules
-
- # Cmnd alias specification
- Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
- /usr/sbin/restore, /usr/sbin/rrestore
- Cmnd_Alias KILL = /usr/bin/kill
- Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
- Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
- Cmnd_Alias HALT = /usr/sbin/halt
- Cmnd_Alias REBOOT = /usr/sbin/reboot
- Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
- /usr/local/bin/tcsh, /usr/bin/rsh, \
- /usr/local/bin/zsh
- Cmnd_Alias SU = /usr/bin/su
- Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
-
- Here we override some of the compiled in default values. We want s\bsu\bud\bdo\bo
- to log via _\bs_\by_\bs_\bl_\bo_\bg(3) using the _\ba_\bu_\bt_\bh facility in all cases. We don't
- want to subject the full time staff to the s\bsu\bud\bdo\bo lecture, user m\bmi\bil\bll\ble\ber\brt\bt
- need not give a password, and we don't want to reset the LOGNAME, USER
- or USERNAME environment variables when running commands as root.
- Additionally, on the machines in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, we keep an
- additional local log file and make sure we log the year in each log
- line since the log entries will be kept around for several years.
- Lastly, we disable shell escapes for the commands in the PAGERS
- Cmnd_Alias (_\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be, _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bp_\bg and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\be_\bs_\bs).
-
- # Override built-in defaults
- Defaults syslog=auth
- Defaults>root !set_logname
- Defaults:FULLTIMERS !lecture
- Defaults:millert !authenticate
- Defaults@SERVERS log_year, logfile=/var/log/sudo.log
- Defaults!PAGERS noexec
-
- The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually determines who may run
- what.
-
- root ALL = (ALL) ALL
- %wheel ALL = (ALL) ALL
-
- We let r\bro\boo\bot\bt and any user in group w\bwh\bhe\bee\bel\bl run any command on any host as
- any user.
-
- FULLTIMERS ALL = NOPASSWD: ALL
-
- Full time sysadmins (m\bmi\bil\bll\ble\ber\brt\bt, m\bmi\bik\bke\bef\bf, and d\bdo\bow\bwd\bdy\by) may run any command on
- any host without authenticating themselves.
-
- PARTTIMERS ALL = ALL
-
- Part time sysadmins (b\bbo\bos\bst\btl\ble\bey\by, j\bjw\bwf\bfo\box\bx, and c\bcr\bra\baw\bwl\bl) may run any command on
- any host but they must authenticate themselves first (since the entry
- lacks the NOPASSWD tag).
-
-
-
-1.7.4 July 21, 2010 22
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- jack CSNETS = ALL
-
- The user j\bja\bac\bck\bk may run any command on the machines in the _\bC_\bS_\bN_\bE_\bT_\bS alias
- (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of
- those networks, only 128.138.204.0 has an explicit netmask (in CIDR
- notation) indicating it is a class C network. For the other networks
- in _\bC_\bS_\bN_\bE_\bT_\bS, the local machine's netmask will be used during matching.
-
- lisa CUNETS = ALL
-
- The user l\bli\bis\bsa\ba may run any command on any host in the _\bC_\bU_\bN_\bE_\bT_\bS alias (the
- class B network 128.138.0.0).
-
- operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
- sudoedit /etc/printcap, /usr/oper/bin/
-
- The o\bop\bpe\ber\bra\bat\bto\bor\br user may run commands limited to simple maintenance.
- Here, those are commands related to backups, killing processes, the
- printing system, shutting down the system, and any commands in the
- directory _\b/_\bu_\bs_\br_\b/_\bo_\bp_\be_\br_\b/_\bb_\bi_\bn_\b/.
-
- joe ALL = /usr/bin/su operator
-
- The user j\bjo\boe\be may only _\bs_\bu(1) to operator.
-
- pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
-
- %opers ALL = (: ADMINGRP) /usr/sbin/
-
- Users in the o\bop\bpe\ber\brs\bs group may run commands in _\b/_\bu_\bs_\br_\b/_\bs_\bb_\bi_\bn_\b/ as themselves
- with any group in the _\bA_\bD_\bM_\bI_\bN_\bG_\bR_\bP Runas_Alias (the a\bad\bdm\bm and o\bop\bpe\ber\br groups).
-
- The user p\bpe\bet\bte\be is allowed to change anyone's password except for root on
- the _\bH_\bP_\bP_\bA machines. Note that this assumes _\bp_\ba_\bs_\bs_\bw_\bd(1) does not take
- multiple user names on the command line.
-
- bob SPARC = (OP) ALL : SGI = (OP) ALL
-
- The user b\bbo\bob\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI machines as any user
- listed in the _\bO_\bP Runas_Alias (r\bro\boo\bot\bt and o\bop\bpe\ber\bra\bat\bto\bor\br).
-
- jim +biglab = ALL
-
- The user j\bji\bim\bm may run any command on machines in the _\bb_\bi_\bg_\bl_\ba_\bb netgroup.
- s\bsu\bud\bdo\bo knows that "biglab" is a netgroup due to the '+' prefix.
-
- +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
-
- Users in the s\bse\bec\bcr\bre\bet\bta\bar\bri\bie\bes\bs netgroup need to help manage the printers as
- well as add and remove users, so they are allowed to run those commands
- on all machines.
-
- fred ALL = (DB) NOPASSWD: ALL
-
-
-
-
-1.7.4 July 21, 2010 23
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- The user f\bfr\bre\bed\bd can run commands as any user in the _\bD_\bB Runas_Alias
- (o\bor\bra\bac\bcl\ble\be or s\bsy\byb\bba\bas\bse\be) without giving a password.
-
- john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
-
- On the _\bA_\bL_\bP_\bH_\bA machines, user j\bjo\boh\bhn\bn may su to anyone except root but he is
- not allowed to specify any options to the _\bs_\bu(1) command.
-
- jen ALL, !SERVERS = ALL
-
- The user j\bje\ben\bn may run any command on any machine except for those in the
- _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias (master, mail, www and ns).
-
- jill SERVERS = /usr/bin/, !SU, !SHELLS
-
- For any machine in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, j\bji\bil\bll\bl may run any commands in
- the directory _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/ except for those commands belonging to the _\bS_\bU
- and _\bS_\bH_\bE_\bL_\bL_\bS Cmnd_Aliases.
-
- steve CSNETS = (operator) /usr/local/op_commands/
-
- The user s\bst\bte\bev\bve\be may run any command in the directory
- /usr/local/op_commands/ but only as user operator.
-
- matt valkyrie = KILL
-
- On his personal workstation, valkyrie, m\bma\bat\btt\bt needs to be able to kill
- hung processes.
-
- WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
-
- On the host www, any user in the _\bW_\bE_\bB_\bM_\bA_\bS_\bT_\bE_\bR_\bS User_Alias (will, wendy,
- and wim), may run any command as user www (which owns the web pages) or
- simply _\bs_\bu(1) to www.
-
- ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
- /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
-
- Any user may mount or unmount a CD-ROM on the machines in the CDROM
- Host_Alias (orion, perseus, hercules) without entering a password.
- This is a bit tedious for users to type, so it is a prime candidate for
- encapsulating in a shell script.
-
-S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
- It is generally not effective to "subtract" commands from ALL using the
- '!' operator. A user can trivially circumvent this by copying the
- desired command to a different name and then executing that. For
- example:
-
- bill ALL = ALL, !SU, !SHELLS
-
- Doesn't really prevent b\bbi\bil\bll\bl from running the commands listed in _\bS_\bU or
- _\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those commands to a different name, or
- use a shell escape from an editor or other program. Therefore, these
-
-
-
-1.7.4 July 21, 2010 24
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- kind of restrictions should be considered advisory at best (and
- reinforced by policy).
-
- Furthermore, if the _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb option is in use, it is not possible to
- reliably negate commands where the path name includes globbing (aka
- wildcard) characters. This is because the C library's _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3)
- function cannot resolve relative paths. While this is typically only
- an inconvenience for rules that grant privileges, it can result in a
- security issue for rules that subtract or revoke privileges.
-
- For example, given the following _\bs_\bu_\bd_\bo_\be_\br_\bs entry:
-
- john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
- /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
-
- User j\bjo\boh\bhn\bn can still run /usr/bin/passwd root if _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is enabled by
- changing to _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn and running ./passwd root instead.
-
-P\bPR\bRE\bEV\bVE\bEN\bNT\bTI\bIN\bNG\bG S\bSH\bHE\bEL\bLL\bL E\bES\bSC\bCA\bAP\bPE\bES\bS
- Once s\bsu\bud\bdo\bo executes a program, that program is free to do whatever it
- pleases, including run other programs. This can be a security issue
- since it is not uncommon for a program to allow shell escapes, which
- lets a user bypass s\bsu\bud\bdo\bo's access control and logging. Common programs
- that permit shell escapes include shells (obviously), editors,
- paginators, mail and terminal programs.
-
- There are two basic approaches to this problem:
-
- restrict Avoid giving users access to commands that allow the user to
- run arbitrary commands. Many editors have a restricted mode
- where shell escapes are disabled, though s\bsu\bud\bdo\boe\bed\bdi\bit\bt is a better
- solution to running editors via s\bsu\bud\bdo\bo. Due to the large
- number of programs that offer shell escapes, restricting
- users to the set of programs that do not if often unworkable.
-
- noexec Many systems that support shared libraries have the ability
- to override default library functions by pointing an
- environment variable (usually LD_PRELOAD) to an alternate
- shared library. On such systems, s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality
- can be used to prevent a program run by s\bsu\bud\bdo\bo from executing
- any other programs. Note, however, that this applies only to
- native dynamically-linked executables. Statically-linked
- executables and foreign executables running under binary
- emulation are not affected.
-
- To tell whether or not s\bsu\bud\bdo\bo supports _\bn_\bo_\be_\bx_\be_\bc, you can run the
- following as root:
-
- sudo -V | grep "dummy exec"
-
- If the resulting output contains a line that begins with:
-
- File containing dummy exec functions:
-
-
-
-
-1.7.4 July 21, 2010 25
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- then s\bsu\bud\bdo\bo may be able to replace the exec family of functions
- in the standard library with its own that simply return an
- error. Unfortunately, there is no foolproof way to know
- whether or not _\bn_\bo_\be_\bx_\be_\bc will work at compile-time. _\bn_\bo_\be_\bx_\be_\bc
- should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX,
- MacOS X, and HP-UX 11.x. It is known n\bno\bot\bt to work on AIX and
- UnixWare. _\bn_\bo_\be_\bx_\be_\bc is expected to work on most operating
- systems that support the LD_PRELOAD environment variable.
- Check your operating system's manual pages for the dynamic
- linker (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader)
- to see if LD_PRELOAD is supported.
-
- To enable _\bn_\bo_\be_\bx_\be_\bc for a command, use the NOEXEC tag as
- documented in the User Specification section above. Here is
- that example again:
-
- aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
-
- This allows user a\baa\bar\bro\bon\bn to run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi
- with _\bn_\bo_\be_\bx_\be_\bc enabled. This will prevent those two commands
- from executing other commands (such as a shell). If you are
- unsure whether or not your system is capable of supporting
- _\bn_\bo_\be_\bx_\be_\bc you can always just try it out and see if it works.
-
- Note that restricting shell escapes is not a panacea. Programs running
- as root are still capable of many potentially hazardous operations
- (such as changing or overwriting files) that could lead to unintended
- privilege escalation. In the specific case of an editor, a safer
- approach is to give the user permission to run s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
-
-S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\br_\bs_\bh(1), _\bs_\bu(1), _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3), _\bg_\bl_\bo_\bb(3), _\bs_\bu_\bd_\bo(1m), _\bv_\bi_\bs_\bu_\bd_\bo(8)
-
-C\bCA\bAV\bVE\bEA\bAT\bTS\bS
- The _\bs_\bu_\bd_\bo_\be_\br_\bs file should a\bal\blw\bwa\bay\bys\bs be edited by the v\bvi\bis\bsu\bud\bdo\bo command which
- locks the file and does grammatical checking. It is imperative that
- _\bs_\bu_\bd_\bo_\be_\br_\bs be free of syntax errors since s\bsu\bud\bdo\bo will not run with a
- syntactically incorrect _\bs_\bu_\bd_\bo_\be_\br_\bs file.
-
- When using netgroups of machines (as opposed to users), if you store
- fully qualified host name in the netgroup (as is usually the case), you
- either need to have the machine's host name be fully qualified as
- returned by the hostname command or use the _\bf_\bq_\bd_\bn option in _\bs_\bu_\bd_\bo_\be_\br_\bs.
-
-B\bBU\bUG\bGS\bS
- If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
- http://www.sudo.ws/sudo/bugs/
-
-S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Limited free support is available via the sudo-users mailing list, see
- http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
- the archives.
-
-
-
-
-
-1.7.4 July 21, 2010 26
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
-D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
- including, but not limited to, the implied warranties of
- merchantability and fitness for a particular purpose are disclaimed.
- See the LICENSE file distributed with s\bsu\bud\bdo\bo or
- http://www.sudo.ws/sudo/license.html for complete details.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-1.7.4 July 21, 2010 27
-
-
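Review bot: The commit message should state where the rendered sudoers(4) manual now comes from, because this hunk deletes the entire pre-formatted catalog page (nroff output with backspace overstrikes, stamped "1.7.4 July 21, 2010" in its page footers), which is a checked-in build artifact that would otherwise drift from the manual source; if it is regenerated at build or install time, say so and make sure the generated file is ignored so it is not re-added. The deleted text includes the SECURITY NOTES (the ineffectiveness of subtracting commands from ALL with '!', and the fast_glob caveat where "!/usr/bin/* root" can be bypassed by running ./passwd root from /usr/bin) and the PREVENTING SHELL ESCAPES section on noexec and sudoedit; confirm that this guidance remains in the source manual rather than only in this rendered copy.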