sudoers - list of which users may execute what
D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- The _\bs_\bu_\bd_\bo_\be_\br_\bs file is composed of two types of entries:
- aliases (basically variables) and user specifications
- (which specify who may run what).
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs file is composed of two types of entries: aliases
+ (basically variables) and user specifications (which specify who may
+ run what).
- When multiple entries match for a user, they are applied
- in order. Where there are multiple matches, the last
- match is used (which is not necessarily the most specific
- match).
+ When multiple entries match for a user, they are applied in order.
+ Where there are multiple matches, the last match is used (which is not
+ necessarily the most specific match).
- The _\bs_\bu_\bd_\bo_\be_\br_\bs grammar will be described below in Extended
- Backus-Naur Form (EBNF). Don't despair if you don't know
- what EBNF is; it is fairly simple, and the definitions
- below are annotated.
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs grammar will be described below in Extended Backus-Naur
+ Form (EBNF). Don't despair if you don't know what EBNF is; it is
+ fairly simple, and the definitions below are annotated.
- Q\bQu\bui\bic\bck\bk g\bgu\bui\bid\bde\be t\bto\bo E\bEB\bBN\bNF\bF
-
- EBNF is a concise and exact way of describing the grammar
- of a language. Each EBNF definition is made up of _\bp_\br_\bo_\bd_\bu_\bc_\b
- _\bt_\bi_\bo_\bn _\br_\bu_\bl_\be_\bs. E.g.,
+ Q\bQu\bui\bic\bck\bk g\bgu\bui\bid\bde\be t\bto\bo E\bEB\bBN\bNF\bF
+ EBNF is a concise and exact way of describing the grammar of a
+ language. Each EBNF definition is made up of _\bp_\br_\bo_\bd_\bu_\bc_\bt_\bi_\bo_\bn _\br_\bu_\bl_\be_\bs. E.g.,
symbol ::= definition | alternate1 | alternate2 ...
- Each _\bp_\br_\bo_\bd_\bu_\bc_\bt_\bi_\bo_\bn _\br_\bu_\bl_\be references others and thus makes up a
- grammar for the language. EBNF also contains the follow
- ing operators, which many readers will recognize from reg
- ular expressions. Do not, however, confuse them with
- "wildcard" characters, which have different meanings.
+ Each _\bp_\br_\bo_\bd_\bu_\bc_\bt_\bi_\bo_\bn _\br_\bu_\bl_\be references others and thus makes up a grammar for
+ the language. EBNF also contains the following operators, which many
+ readers will recognize from regular expressions. Do not, however,
+ confuse them with "wildcard" characters, which have different meanings.
- ? Means that the preceding symbol (or group of symbols)
- is optional. That is, it may appear once or not at
- all.
+ ? Means that the preceding symbol (or group of symbols) is optional.
+ That is, it may appear once or not at all.
- * Means that the preceding symbol (or group of symbols)
- may appear zero or more times.
+ * Means that the preceding symbol (or group of symbols) may appear
+ zero or more times.
- + Means that the preceding symbol (or group of symbols)
- may appear one or more times.
+ + Means that the preceding symbol (or group of symbols) may appear
+ one or more times.
- Parentheses may be used to group symbols together. For
- clarity, we will use single quotes ('') to designate what
- is a verbatim character string (as opposed to a symbol
- name).
+ Parentheses may be used to group symbols together. For clarity, we
+ will use single quotes ('') to designate what is a verbatim character
+ string (as opposed to a symbol name).
- A\bAl\bli\bia\bas\bse\bes\bs
+ A\bAl\bli\bia\bas\bse\bes\bs
+ There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias
+ and Cmnd_Alias.
- There are four kinds of aliases: User_Alias, Runas_Alias,
- Host_Alias and Cmnd_Alias.
+ Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
+ 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
+ 'Host_Alias' Host_Alias (':' Host_Alias)* |
+ 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
+ User_Alias ::= NAME '=' User_List
+ Runas_Alias ::= NAME '=' Runas_List
+ Host_Alias ::= NAME '=' Host_List
-1.6.9p15 March 23, 2008 1
+1.7.4 July 21, 2010 1
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
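Review bot: the column-width reflow in this hunk is interleaved with the content changes, which makes the substantive edits hard to spot; the only non-reflow change in the DESCRIPTION and EBNF text is that the Alias productions (`Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |` through `Host_Alias ::= NAME '=' Host_List`) move above the page footer and lose the blank lines that separated them. Landing the reflow as its own commit would leave the later grammar changes (the new '#'uid and '%:'nonunix_group members, the Runas_Member rename, the group Runas_Spec) reviewable on their own, and the blank lines between the productions are worth keeping so each rule stands apart.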
- Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
- 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
- 'Host_Alias' Host_Alias (':' Host_Alias)* |
- 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
-
- User_Alias ::= NAME '=' User_List
-
- Runas_Alias ::= NAME '=' Runas_List
-
- Host_Alias ::= NAME '=' Host_List
Cmnd_Alias ::= NAME '=' Cmnd_List
Alias_Type NAME = item1, item2, ...
- where _\bA_\bl_\bi_\ba_\bs_\b__\bT_\by_\bp_\be is one of User_Alias, Runas_Alias,
- Host_Alias, or Cmnd_Alias. A NAME is a string of upper
- case letters, numbers, and underscore characters ('_'). A
- NAME m\bmu\bus\bst\bt start with an uppercase letter. It is possible
- to put several alias definitions of the same type on a
- single line, joined by a colon (':'). E.g.,
+ where _\bA_\bl_\bi_\ba_\bs_\b__\bT_\by_\bp_\be is one of User_Alias, Runas_Alias, Host_Alias, or
+ Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and
+ underscore characters ('_'). A NAME m\bmu\bus\bst\bt start with an uppercase
+ letter. It is possible to put several alias definitions of the same
+ type on a single line, joined by a colon (':'). E.g.,
Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
- The definitions of what constitutes a valid _\ba_\bl_\bi_\ba_\bs member
- follow.
+ The definitions of what constitutes a valid _\ba_\bl_\bi_\ba_\bs member follow.
User_List ::= User |
User ',' User_List
- User ::= '!'* username |
+ User ::= '!'* user name |
+ '!'* '#'uid |
'!'* '%'group |
'!'* '+'netgroup |
+ '!'* '%:'nonunix_group |
'!'* User_Alias
- A User_List is made up of one or more usernames, system
- groups (prefixed with '%'), netgroups (prefixed with '+')
- and other aliases. Each list item may be prefixed with
- one or more '!' operators. An odd number of '!' operators
- negate the value of the item; an even number just cancel
- each other out.
+ A User_List is made up of one or more user names, uids (prefixed with
+ '#'), system groups (prefixed with '%'), netgroups (prefixed with '+')
+ and User_Aliases. Each list item may be prefixed with zero or more '!'
+ operators. An odd number of '!' operators negate the value of the
+ item; an even number just cancel each other out.
+
+ A user name, group, netgroup or nonunix_group may be enclosed in double
+ quotes to avoid the need for escaping special characters. Alternately,
+ special characters may be specified in escaped hex mode, e.g. \x20 for
+ space.
+
+ The nonunix_group syntax depends on the underlying implementation. For
+ instance, the QAS AD backend supports the following formats:
- Runas_List ::= Runas_User |
- Runas_User ',' Runas_List
+ +\bo Group in the same domain: "Group Name"
- Runas_User ::= '!'* username |
- '!'* '#'uid |
- '!'* '%'group |
- '!'* +netgroup |
- '!'* Runas_Alias
+ +\bo Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"
+ +\bo Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"
+ Note that quotes around group names are optional. Unquoted strings
+ must use a backslash (\) to escape spaces and the '@' symbol.
-1.6.9p15 March 23, 2008 2
+ Runas_List ::= Runas_Member |
+ Runas_Member ',' Runas_List
+
+
+
+1.7.4 July 21, 2010 2
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
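Review bot: the User_List description now enumerates user names, uids ('#'), system groups ('%'), netgroups ('+') and User_Aliases but omits the `'!'* '%:'nonunix_group` member that the User production adds, even though the very next paragraph refers to nonunix_group as if it had already been introduced; add "nonunix groups (prefixed with '%:')" to that list. It is also worth saying here, not only in the Runas_List paragraph, that a '#'uid entry matches every account sharing that uid (root and toor in the later example), since that is the one User_List member that is broader than the name it resembles and the point matters when the entry grants rather than merely names.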
- A Runas_List is similar to a User_List except that it can
- also contain uids (prefixed with '#') and instead of
- User_Aliases it can contain Runas_Aliases. Note that
- usernames and groups are matched as strings. In other
- words, two users (groups) with the same uid (gid) are con
- sidered to be distinct. If you wish to match all user
- names with the same uid (e.g. root and toor), you can use
- a uid instead (#0 in the example given).
+
+ Runas_Member ::= '!'* user name |
+ '!'* '#'uid |
+ '!'* '%'group |
+ '!'* +netgroup |
+ '!'* Runas_Alias
+
+ A Runas_List is similar to a User_List except that instead of
+ User_Aliases it can contain Runas_Aliases. Note that user names and
+ groups are matched as strings. In other words, two users (groups) with
+ the same uid (gid) are considered to be distinct. If you wish to match
+ all user names with the same uid (e.g. root and toor), you can use a
+ uid instead (#0 in the example given).
Host_List ::= Host |
Host ',' Host_List
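Review bot: `'!'* +netgroup` in the new Runas_Member production leaves the '+' unquoted, whereas the User and Host productions write `'!'* '+'netgroup`; quote it the same way so the EBNF is consistent with the convention stated in the "Quick guide to EBNF" (single quotes designate verbatim characters). The inconsistency is carried over from the old Runas_User production, so renaming the rule is a good moment to fix it.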
- Host ::= '!'* hostname |
+ Host ::= '!'* host name |
'!'* ip_addr |
'!'* network(/netmask)? |
'!'* '+'netgroup |
'!'* Host_Alias
- A Host_List is made up of one or more hostnames, IP
- addresses, network numbers, netgroups (prefixed with '+')
- and other aliases. Again, the value of an item may be
- negated with the '!' operator. If you do not specify a
- netmask along with the network number, s\bsu\bud\bdo\bo will query
- each of the local host's network interfaces and, if the
- network number corresponds to one of the hosts's network
- interfaces, the corresponding netmask will be used. The
- netmask may be specified either in standard IP address
- notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or
- CIDR notation (number of bits, e.g. 24 or 64). A hostname
- may include shell-style wildcards (see the Wildcards sec
- tion below), but unless the hostname command on your
- machine returns the fully qualified hostname, you'll need
- to use the _\bf_\bq_\bd_\bn option for wildcards to be useful.
+ A Host_List is made up of one or more host names, IP addresses, network
+ numbers, netgroups (prefixed with '+') and other aliases. Again, the
+ value of an item may be negated with the '!' operator. If you do not
+ specify a netmask along with the network number, s\bsu\bud\bdo\bo will query each
+ of the local host's network interfaces and, if the network number
+ corresponds to one of the hosts's network interfaces, the corresponding
+ netmask will be used. The netmask may be specified either in standard
+ IP address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or
+ CIDR notation (number of bits, e.g. 24 or 64). A host name may include
+ shell-style wildcards (see the Wildcards section below), but unless the
+ host name command on your machine returns the fully qualified host
+ name, you'll need to use the _\bf_\bq_\bd_\bn option for wildcards to be useful.
+ Note s\bsu\bud\bdo\bo only inspects actual network interfaces; this means that IP
+ address 127.0.0.1 (localhost) will never match. Also, the host name
+ "localhost" will only match if that is the actual host name, which is
+ usually only the case for non-networked systems.
Cmnd_List ::= Cmnd |
Cmnd ',' Cmnd_List
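Review bot: the global "hostname" to "host name" rename has hit the command name: "unless the host name command on your machine returns the fully qualified host name" should still read "the hostname command", since it refers to the hostname utility, not to the concept. Also "one of the hosts's network interfaces" should be "host's" (carried over from the old text). The new note that 127.0.0.1 and "localhost" will never match because sudo only inspects actual network interfaces is a useful caveat for anyone writing Host_Lists by address; keep it.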
- commandname ::= filename |
- filename args |
- filename '""'
+ commandname ::= file name |
+ file name args |
+ file name '""'
Cmnd ::= '!'* commandname |
'!'* directory |
'!'* "sudoedit" |
'!'* Cmnd_Alias
- A Cmnd_List is a list of one or more commandnames, direc
- tories, and other aliases. A commandname is a fully qual
- ified filename which may include shell-style wildcards
- (see the Wildcards section below). A simple filename
- allows the user to run the command with any arguments
- he/she wishes. However, you may also specify command line
- arguments (including wildcards). Alternately, you can
- specify "" to indicate that the command may only be run
+ A Cmnd_List is a list of one or more commandnames, directories, and
+ other aliases. A commandname is a fully qualified file name which may
-1.6.9p15 March 23, 2008 3
+1.7.4 July 21, 2010 3
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- w\bwi\bit\bth\bho\bou\but\bt command line arguments. A directory is a fully
- qualified pathname ending in a '/'. When you specify a
- directory in a Cmnd_List, the user will be able to run any
- file within that directory (but not in any subdirectories
- therein).
-
- If a Cmnd has associated command line arguments, then the
- arguments in the Cmnd must match exactly those given by
- the user on the command line (or match the wildcards if
- there are any). Note that the following characters must
- be escaped with a '\' if they are used in command argu
- ments: ',', ':', '=', '\'. The special command "sudoedit"
- is used to permit a user to run s\bsu\bud\bdo\bo with the -\b-e\be flag (or
- as s\bsu\bud\bdo\boe\bed\bdi\bit\bt). It may take command line arguments just as
- a normal command does.
-
- D\bDe\bef\bfa\bau\bul\blt\bts\bs
-
- Certain configuration options may be changed from their
- default values at runtime via one or more Default_Entry
- lines. These may affect all users on any host, all users
- on a specific host, a specific user, or commands being run
- as a specific user.
+ include shell-style wildcards (see the Wildcards section below). A
+ simple file name allows the user to run the command with any arguments
+ he/she wishes. However, you may also specify command line arguments
+ (including wildcards). Alternately, you can specify "" to indicate
+ that the command may only be run w\bwi\bit\bth\bho\bou\but\bt command line arguments. A
+ directory is a fully qualified path name ending in a '/'. When you
+ specify a directory in a Cmnd_List, the user will be able to run any
+ file within that directory (but not in any subdirectories therein).
+
+ If a Cmnd has associated command line arguments, then the arguments in
+ the Cmnd must match exactly those given by the user on the command line
+ (or match the wildcards if there are any). Note that the following
+ characters must be escaped with a '\' if they are used in command
+ arguments: ',', ':', '=', '\'. The special command "sudoedit" is used
+ to permit a user to run s\bsu\bud\bdo\bo with the -\b-e\be option (or as s\bsu\bud\bdo\boe\bed\bdi\bit\bt). It
+ may take command line arguments just as a normal command does.
+
+ D\bDe\bef\bfa\bau\bul\blt\bts\bs
+ Certain configuration options may be changed from their default values
+ at runtime via one or more Default_Entry lines. These may affect all
+ users on any host, all users on a specific host, a specific user, a
+ specific command, or commands being run as a specific user. Note that
+ per-command entries may not include command line arguments. If you
+ need to specify arguments, define a Cmnd_Alias and reference that
+ instead.
Default_Type ::= 'Defaults' |
'Defaults' '@' Host_List |
'Defaults' ':' User_List |
+ 'Defaults' '!' Cmnd_List |
'Defaults' '>' Runas_List
Default_Entry ::= Default_Type Parameter_List
Parameter '-=' Value |
'!'* Parameter
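Review bot: `'Defaults' '!' Cmnd_List` reuses '!' as a list introducer while '!' everywhere else in this grammar means negation (`'!'* Parameter`, `'!'* commandname`); the Defaults paragraph should say in words that '!' after Defaults introduces a per-command list and is not a negation, otherwise a reader of `Defaults!/usr/bin/foo ...` may read it as "defaults for everything except foo". The statement that per-command entries may not include command line arguments (and that a Cmnd_Alias should be used instead) belongs next to this production as well, since that is where someone writing one will look.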
- Parameters may be f\bfl\bla\bag\bgs\bs, i\bin\bnt\bte\beg\bge\ber\br values, s\bst\btr\bri\bin\bng\bgs\bs, or
- l\bli\bis\bst\bts\bs. Flags are implicitly boolean and can be turned off
- via the '!' operator. Some integer, string and list
- parameters may also be used in a boolean context to dis
- able them. Values may be enclosed in double quotes (")
- when they contain multiple words. Special characters may
- be escaped with a backslash (\).
+ Parameters may be f\bfl\bla\bag\bgs\bs, i\bin\bnt\bte\beg\bge\ber\br values, s\bst\btr\bri\bin\bng\bgs\bs, or l\bli\bis\bst\bts\bs. Flags are
+ implicitly boolean and can be turned off via the '!' operator. Some
+ integer, string and list parameters may also be used in a boolean
+ context to disable them. Values may be enclosed in double quotes (")
+ when they contain multiple words. Special characters may be escaped
+ with a backslash (\).
- Lists have two additional assignment operators, += and -=.
- These operators are used to add to and delete from a list
- respectively. It is not an error to use the -= operator
- to remove an element that does not exist in a list.
+ Lists have two additional assignment operators, += and -=. These
+ operators are used to add to and delete from a list respectively. It
+ is not an error to use the -= operator to remove an element that does
+ not exist in a list.
- See "SUDOERS OPTIONS" for a list of supported Defaults
- parameters.
-1.6.9p15 March 23, 2008 4
+1.7.4 July 21, 2010 4
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- U\bUs\bse\ber\br S\bSp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn
+ Defaults entries are parsed in the following order: generic, host and
+ user Defaults first, then runas Defaults and finally command defaults.
+ See "SUDOERS OPTIONS" for a list of supported Defaults parameters.
+
+ U\bUs\bse\ber\br S\bSp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn
User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
(':' Host_List '=' Cmnd_Spec_List)*
Cmnd_Spec_List ::= Cmnd_Spec |
Cmnd_Spec ',' Cmnd_Spec_List
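Review bot: "Defaults entries are parsed in the following order: generic, host and user Defaults first, then runas Defaults and finally command defaults" states the order but not its effect; readers will assume later categories override earlier ones, so say explicitly whether a per-command Defaults wins over a host or user Defaults for the same parameter, and how += and -= on list parameters compose across the categories. Use the same capitalisation, "command Defaults", as the rest of the sentence.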
- Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
+ Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
+
+ Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
- Runas_Spec ::= '(' Runas_List ')'
+ SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
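Review bot: `Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'` admits an empty `()` because both lists are optional, but the accompanying text only covers a missing Runas_Spec, an empty first list with a second list present, and both lists present; either document what `()` means or tighten the grammar to something like `'(' (Runas_List (':' Runas_List)? | ':' Runas_List) ')'`. Since SELinux_Spec now sits between Runas_Spec and Tag_Spec in Cmnd_Spec, the SELinux_Spec section would benefit from one example line showing that placement.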
- 'SETENV:' | 'NOSETENV:')
+ 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
+ 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
+
+ A u\bus\bse\ber\br s\bsp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn determines which commands a user may run (and as
+ what user) on specified hosts. By default, commands are run as r\bro\boo\bot\bt,
+ but this can be changed on a per-command basis.
+
+ The basic structure of a user specification is `who = where (as_whom)
+ what'. Let's break that down into its constituent parts:
+
+ R\bRu\bun\bna\bas\bs_\b_S\bSp\bpe\bec\bc
+ A Runas_Spec determines the user and/or the group that a command may be
+ run as. A fully-specified Runas_Spec consists of two Runas_Lists (as
+ defined above) separated by a colon (':') and enclosed in a set of
+ parentheses. The first Runas_List indicates which users the command
+ may be run as via s\bsu\bud\bdo\bo's -\b-u\bu option. The second defines a list of
+ groups that can be specified via s\bsu\bud\bdo\bo's -\b-g\bg option. If both Runas_Lists
+ are specified, the command may be run with any combination of users and
+ groups listed in their respective Runas_Lists. If only the first is
+ specified, the command may be run as any user in the list but no -\b-g\bg
+ option may be specified. If the first Runas_List is empty but the
+ second is specified, the command may be run as the invoking user with
+ the group set to any listed in the Runas_List. If no Runas_Spec is
+ specified the command may be run as r\bro\boo\bot\bt and no group may be specified.
+
+ A Runas_Spec sets the default for the commands that follow it. What
+ this means is that for the entry:
+
+ dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
- A u\bus\bse\ber\br s\bsp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn determines which commands a user may
- run (and as what user) on specified hosts. By default,
- commands are run as r\bro\boo\bot\bt, but this can be changed on a
- per-command basis.
+ The user d\bdg\bgb\bb may run _\b/_\bb_\bi_\bn_\b/_\bl_\bs, _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm -- but only
+ as o\bop\bpe\ber\bra\bat\bto\bor\br. E.g.,
- Let's break that down into its constituent parts:
+ $ sudo -u operator /bin/ls.
- R\bRu\bun\bna\bas\bs_\b_S\bSp\bpe\bec\bc
- A Runas_Spec is simply a Runas_List (as defined above)
- enclosed in a set of parentheses. If you do not specify a
- Runas_Spec in the user specification, a default Runas_Spec
- of r\bro\boo\bot\bt will be used. A Runas_Spec sets the default for
- commands that follow it. What this means is that for the
- entry:
- dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
- The user d\bdg\bgb\bb may run _\b/_\bb_\bi_\bn_\b/_\bl_\bs, _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm
- -- but only as o\bop\bpe\ber\bra\bat\bto\bor\br. E.g.,
+1.7.4 July 21, 2010 5
- $ sudo -u operator /bin/ls.
- It is also possible to override a Runas_Spec later on in
- an entry. If we modify the entry like so:
- dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
- Then user d\bdg\bgb\bb is now allowed to run _\b/_\bb_\bi_\bn_\b/_\bl_\bs as o\bop\bpe\ber\bra\bat\bto\bor\br,
- but _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as r\bro\boo\bot\bt.
- T\bTa\bag\bg_\b_S\bSp\bpe\bec\bc
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- A command may have zero or more tags associated with it.
- There are six possible tag values, NOPASSWD, PASSWD,
- NOEXEC, EXEC, SETENV and NOSETENV. Once a tag is set on a
- Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit the
- tag unless it is overridden by the opposite tag (i.e.:
- PASSWD overrides NOPASSWD and NOEXEC overrides EXEC).
+ It is also possible to override a Runas_Spec later on in an entry. If
+ we modify the entry like so:
+ dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
-1.6.9p15 March 23, 2008 5
+ Then user d\bdg\bgb\bb is now allowed to run _\b/_\bb_\bi_\bn_\b/_\bl_\bs as o\bop\bpe\ber\bra\bat\bto\bor\br, but _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl
+ and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as r\bro\boo\bot\bt.
+ We can extend this to allow d\bdg\bgb\bb to run /bin/ls with either the user or
+ group set to o\bop\bpe\ber\bra\bat\bto\bor\br:
+ dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \
+ /usr/bin/lprm
+ In the following example, user t\btc\bcm\bm may run commands that access a modem
+ device file with the dialer group. Note that in this example only the
+ group will be set, the command still runs as user t\btc\bcm\bm.
+ tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
+ /usr/local/bin/minicom
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ S\bSE\bEL\bLi\bin\bnu\bux\bx_\b_S\bSp\bpe\bec\bc
+ On systems with SELinux support, _\bs_\bu_\bd_\bo_\be_\br_\bs entries may optionally have an
+ SELinux role and/or type associated with a command. If a role or type
+ is specified with the command it will override any default values
+ specified in _\bs_\bu_\bd_\bo_\be_\br_\bs. A role or type specified on the command line,
+ however, will supercede the values in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+ T\bTa\bag\bg_\b_S\bSp\bpe\bec\bc
+ A command may have zero or more tags associated with it. There are
+ eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV,
+ NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a
+ tag is set on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit
+ the tag unless it is overridden by the opposite tag (i.e.: PASSWD
+ overrides NOPASSWD and NOEXEC overrides EXEC).
_\bN_\bO_\bP_\bA_\bS_\bS_\bW_\bD _\ba_\bn_\bd _\bP_\bA_\bS_\bS_\bW_\bD
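Review bot: "There are eight possible tag values" is followed by a list of ten (NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT); the count was raised from six but not far enough. Also "will supercede the values in sudoers" should be "supersede", and in the Runas_Spec paragraph "with the group set to any listed in the Runas_List" should read "the second Runas_List" to remove the ambiguity. The `(:dialer)` example's note that only the group changes and the command still runs as user tcm is exactly the caveat that belongs there; the `(operator : operator)` example could likewise say that the invoking user may choose -u, -g or both.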
- By default, s\bsu\bud\bdo\bo requires that a user authenticate him or
- herself before running a command. This behavior can be
- modified via the NOPASSWD tag. Like a Runas_Spec, the
- NOPASSWD tag sets a default for the commands that follow
- it in the Cmnd_Spec_List. Conversely, the PASSWD tag can
- be used to reverse things. For example:
+ By default, s\bsu\bud\bdo\bo requires that a user authenticate him or herself
+ before running a command. This behavior can be modified via the
+ NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for
+ the commands that follow it in the Cmnd_Spec_List. Conversely, the
+ PASSWD tag can be used to reverse things. For example:
ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
- would allow the user r\bra\bay\by to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, _\b/_\bb_\bi_\bn_\b/_\bl_\bs, and
- _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as root on the machine rushmore as r\bro\boo\bot\bt
- without authenticating himself. If we only want r\bra\bay\by to be
- able to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl without a password the entry would
- be:
+ would allow the user r\bra\bay\by to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, _\b/_\bb_\bi_\bn_\b/_\bl_\bs, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm
+ as r\bro\boo\bot\bt on the machine rushmore without authenticating himself. If we
+ only want r\bra\bay\by to be able to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl without a password the entry
+ would be:
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
- Note, however, that the PASSWD tag has no effect on users
- who are in the group specified by the _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option.
+ Note, however, that the PASSWD tag has no effect on users who are in
+
+
+
+1.7.4 July 21, 2010 6
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
+ the group specified by the _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option.
- By default, if the NOPASSWD tag is applied to any of the
- entries for a user on the current host, he or she will be
- able to run sudo -l without a password. Additionally, a
- user may only run sudo -v without a password if the
- NOPASSWD tag is present for all a user's entries that per
- tain to the current host. This behavior may be overridden
- via the verifypw and listpw options.
+ By default, if the NOPASSWD tag is applied to any of the entries for a
+ user on the current host, he or she will be able to run sudo -l without
+ a password. Additionally, a user may only run sudo -v without a
+ password if the NOPASSWD tag is present for all a user's entries that
+ pertain to the current host. This behavior may be overridden via the
+ verifypw and listpw options.
_\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC
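Review bot: the page footer and header ("1.7.4 July 21, 2010 6", "SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)") land in the middle of the sentence "Note, however, that the PASSWD tag has no effect on users who are in / the group specified by the exempt_group option", which shows this is a diff of formatted output rather than of the man page source; diffing the nroff or pod source would remove the pagination noise and the version-stamp churn on every page, and would keep sentences whole for review.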
- If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the
- underlying operating system supports it, the NOEXEC tag
- can be used to prevent a dynamically-linked executable
- from running further commands itself.
+ If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the underlying
+ operating system supports it, the NOEXEC tag can be used to prevent a
+ dynamically-linked executable from running further commands itself.
- In the following example, user a\baa\bar\bro\bon\bn may run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be
- and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi but shell escapes will be disabled.
+ In the following example, user a\baa\bar\bro\bon\bn may run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and
+ _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi but shell escapes will be disabled.
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
- See the "PREVENTING SHELL ESCAPES" section below for more
- details on how NOEXEC works and whether or not it will
- work on your system.
+ See the "PREVENTING SHELL ESCAPES" section below for more details on
+ how NOEXEC works and whether or not it will work on your system.
_\bS_\bE_\bT_\bE_\bN_\bV _\ba_\bn_\bd _\bN_\bO_\bS_\bE_\bT_\bE_\bN_\bV
- These tags override the value of the _\bs_\be_\bt_\be_\bn_\bv option on a
- per-command basis. Note that if SETENV has been set for a
- command, any environment variables set on the command line
- way are not subject to the restrictions imposed by
- _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such, only trusted
- users should be allowed to set variables in this manner.
+ These tags override the value of the _\bs_\be_\bt_\be_\bn_\bv option on a per-command
+ basis. Note that if SETENV has been set for a command, any environment
+ variables set on the command line way are not subject to the
+ restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such,
+ only trusted users should be allowed to set variables in this manner.
+ If the command matched is A\bAL\bLL\bL, the SETENV tag is implied for that
+ command; this default may be overridden by use of the NOSETENV tag.
+ _\bL_\bO_\bG_\b__\bI_\bN_\bP_\bU_\bT _\ba_\bn_\bd _\bN_\bO_\bL_\bO_\bG_\b__\bI_\bN_\bP_\bU_\bT
+ These tags override the value of the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt option on a per-command
+ basis. For more information, see the description of _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt in the
+ "SUDOERS OPTIONS" section below.
-1.6.9p15 March 23, 2008 6
+ _\bL_\bO_\bG_\b__\bO_\bU_\bT_\bP_\bU_\bT _\ba_\bn_\bd _\bN_\bO_\bL_\bO_\bG_\b__\bO_\bU_\bT_\bP_\bU_\bT
+ These tags override the value of the _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt option on a per-command
+ basis. For more information, see the description of _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt in the
+ "SUDOERS OPTIONS" section below.
+ W\bWi\bil\bld\bdc\bca\bar\brd\bds\bs
+ s\bsu\bud\bdo\bo allows shell-style _\bw_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs (aka meta or glob characters) to be
+ used in host names, path names and command line arguments in the
+ _\bs_\bu_\bd_\bo_\be_\br_\bs file. Wildcard matching is done via the P\bPO\bOS\bSI\bIX\bX _\bg_\bl_\bo_\bb(3) and
+ _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) routines. Note that these are _\bn_\bo_\bt regular expressions.
+
+ * Matches any set of zero or more characters.
+ ? Matches any single character.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+1.7.4 July 21, 2010 7
- If the command matched is A\bAL\bLL\bL, the SETENV tag is implied
- for that command; this default may be overridden by use of
- the UNSETENV tag.
- W\bWi\bil\bld\bdc\bca\bar\brd\bds\bs
- s\bsu\bud\bdo\bo allows shell-style _\bw_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs (aka meta or glob char
- acters) to be used in pathnames as well as command line
- arguments in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. Wildcard matching is done
- via the P\bPO\bOS\bSI\bIX\bX _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) routine. Note that these are _\bn_\bo_\bt
- regular expressions.
- * Matches any set of zero or more characters.
- ? Matches any single character.
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
[...] Matches any character in the specified range.
[!...] Matches any character n\bno\bot\bt in the specified range.
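Review bot: "any environment variables set on the command line way are not subject to the restrictions imposed by env_check, env_delete, or env_keep" still carries the stray word "way" from the old text; read "set on the command line are not subject" (or "in this way"). Since SETENV is now implied when the command matched is ALL, the warning that only trusted users should be allowed to set variables this way deserves to be repeated next to that sentence, because a Cmnd of ALL gets SETENV without the tag ever appearing in the file and an administrator who never wrote SETENV may not realise the env_check, env_delete and env_keep restrictions are bypassed for that entry.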
- \x For any character "x", evaluates to "x". This is
- used to escape special characters such as: "*",
- "?", "[", and "}".
+ \x For any character "x", evaluates to "x". This is used to
+ escape special characters such as: "*", "?", "[", and "}".
+
+ POSIX character classes may also be used if your system's _\bg_\bl_\bo_\bb(3) and
+ _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) functions support them. However, because the ':' character
+ has special meaning in _\bs_\bu_\bd_\bo_\be_\br_\bs, it must be escaped. For example:
+
+ /bin/ls [[\:alpha\:]]*
- Note that a forward slash ('/') will n\bno\bot\bt be matched by
- wildcards used in the pathname. When matching the command
- line arguments, however, a slash d\bdo\boe\bes\bs get matched by wild
- cards. This is to make a path like:
+ Would match any file name beginning with a letter.
+
+ Note that a forward slash ('/') will n\bno\bot\bt be matched by wildcards used
+ in the path name. When matching the command line arguments, however, a
+ slash d\bdo\boe\bes\bs get matched by wildcards. This is to make a path like:
/usr/bin/*
match _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bw_\bh_\bo but not _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bX_\b1_\b1_\b/_\bx_\bt_\be_\br_\bm.
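Review bot: "Would match any file name beginning with a letter." continues the `/bin/ls [[\:alpha\:]]*` example and should begin lowercase; more importantly, since that pattern is a command line argument and the next paragraph says a slash does get matched by wildcards in arguments, the sentence should say the argument may be any string beginning with a letter, paths included, so readers do not take the example as restricting ls to bare file names in the current directory.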
- E\bEx\bxc\bce\bep\bpt\bti\bio\bon\bns\bs t\bto\bo w\bwi\bil\bld\bdc\bca\bar\brd\bd r\bru\bul\ble\bes\bs
-
+ E\bEx\bxc\bce\bep\bpt\bti\bio\bon\bns\bs t\bto\bo w\bwi\bil\bld\bdc\bca\bar\brd\bd r\bru\bul\ble\bes\bs
The following exceptions apply to the above rules:
- "" If the empty string "" is the only command line
- argument in the _\bs_\bu_\bd_\bo_\be_\br_\bs entry it means that com
- mand is not allowed to be run with a\ban\bny\by arguments.
+ "" If the empty string "" is the only command line argument in the
+ _\bs_\bu_\bd_\bo_\be_\br_\bs entry it means that command is not allowed to be run
+ with a\ban\bny\by arguments.
- O\bOt\bth\bhe\ber\br s\bsp\bpe\bec\bci\bia\bal\bl c\bch\bha\bar\bra\bac\bct\bte\ber\brs\bs a\ban\bnd\bd r\bre\bes\bse\ber\brv\bve\bed\bd w\bwo\bor\brd\bds\bs
+ I\bIn\bnc\bcl\blu\bud\bdi\bin\bng\bg o\bot\bth\bhe\ber\br f\bfi\bil\ble\bes\bs f\bfr\bro\bom\bm w\bwi\bit\bth\bhi\bin\bn s\bsu\bud\bdo\boe\ber\brs\bs
+ It is possible to include other _\bs_\bu_\bd_\bo_\be_\br_\bs files from within the _\bs_\bu_\bd_\bo_\be_\br_\bs
+ file currently being parsed using the #include and #includedir
+ directives.
- The pound sign ('#') is used to indicate a comment (unless
- it is part of a #include directive or unless it occurs in
- the context of a user name and is followed by one or more
- digits, in which case it is treated as a uid). Both the
- comment character and any text after it, up to the end of
- the line, are ignored.
+ This can be used, for example, to keep a site-wide _\bs_\bu_\bd_\bo_\be_\br_\bs file in
+ addition to a local, per-machine file. For the sake of this example
+ the site-wide _\bs_\bu_\bd_\bo_\be_\br_\bs will be _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs and the per-machine one will
+ be _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. To include _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl from within
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs we would use the following line in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs:
- The reserved word A\bAL\bLL\bL is a built-in _\ba_\bl_\bi_\ba_\bs that always
- causes a match to succeed. It can be used wherever one
- might otherwise use a Cmnd_Alias, User_Alias, Runas_Alias,
- or Host_Alias. You should not try to define your own
+ #include /etc/sudoers.local
+ When s\bsu\bud\bdo\bo reaches this line it will suspend processing of the current
+ file (_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs) and switch to _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. Upon reaching
+ the end of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl, the rest of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs will be
+ processed. Files that are included may themselves include other files.
+ A hard limit of 128 nested include files is enforced to prevent include
+ file loops.
+ The file name may include the %h escape, signifying the short form of
+ the host name. I.e., if the machine's host name is "xerxes", then
-1.6.9p15 March 23, 2008 7
+ #include /etc/sudoers.%h
+1.7.4 July 21, 2010 8
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
- _\ba_\bl_\bi_\ba_\bs called A\bAL\bLL\bL as the built-in alias will be used in
- preference to your own. Please note that using A\bAL\bLL\bL can be
- dangerous since in a command context, it allows the user
- to run a\ban\bny\by command on the system.
- An exclamation point ('!') can be used as a logical _\bn_\bo_\bt
- operator both in an _\ba_\bl_\bi_\ba_\bs and in front of a Cmnd. This
- allows one to exclude certain values. Note, however, that
- using a ! in conjunction with the built-in ALL alias to
- allow a user to run "all but a few" commands rarely works
- as intended (see SECURITY NOTES below).
- Long lines can be continued with a backslash ('\') as the
- last character on the line.
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- Whitespace between elements in a list as well as special
- syntactic characters in a _\bU_\bs_\be_\br _\bS_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn ('=', ':',
- '(', ')') is optional.
- The following characters must be escaped with a backslash
- ('\') when used as part of a word (e.g. a username or
- hostname): '@', '!', '=', ':', ',', '(', ')', '\'.
+ will cause s\bsu\bud\bdo\bo to include the file _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bx_\be_\br_\bx_\be_\bs.
+
+ The #includedir directive can be used to create a _\bs_\bu_\bd_\bo_\b._\bd directory that
+ the system package manager can drop _\bs_\bu_\bd_\bo_\be_\br_\bs rules into as part of
+ package installation. For example, given:
+
+ #includedir /etc/sudoers.d
+
+ s\bsu\bud\bdo\bo will read each file in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd, skipping file names that
+ end in ~ or contain a . character to avoid causing problems with
+ package manager or editor temporary/backup files. Files are parsed in
+ sorted lexical order. That is, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b0_\b1_\b__\bf_\bi_\br_\bs_\bt will be parsed
+ before _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Be aware that because the sorting is
+ lexical, not numeric, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b__\bw_\bh_\bo_\bo_\bp_\bs would be loaded a\baf\bft\bte\ber\br
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Using a consistent number of leading zeroes
+ in the file names can be used to avoid such problems.
+
+ Note that unlike files included via #include, v\bvi\bis\bsu\bud\bdo\bo will not edit the
+ files in a #includedir directory unless one of them contains a syntax
+ error. It is still possible to run v\bvi\bis\bsu\bud\bdo\bo with the -f flag to edit the
+ files directly.
+
+ O\bOt\bth\bhe\ber\br s\bsp\bpe\bec\bci\bia\bal\bl c\bch\bha\bar\bra\bac\bct\bte\ber\brs\bs a\ban\bnd\bd r\bre\bes\bse\ber\brv\bve\bed\bd w\bwo\bor\brd\bds\bs
+ The pound sign ('#') is used to indicate a comment (unless it is part
+ of a #include directive or unless it occurs in the context of a user
+ name and is followed by one or more digits, in which case it is treated
+ as a uid). Both the comment character and any text after it, up to the
+ end of the line, are ignored.
+
+ The reserved word A\bAL\bLL\bL is a built-in _\ba_\bl_\bi_\ba_\bs that always causes a match to
+ succeed. It can be used wherever one might otherwise use a Cmnd_Alias,
+ User_Alias, Runas_Alias, or Host_Alias. You should not try to define
+ your own _\ba_\bl_\bi_\ba_\bs called A\bAL\bLL\bL as the built-in alias will be used in
+ preference to your own. Please note that using A\bAL\bLL\bL can be dangerous
+ since in a command context, it allows the user to run a\ban\bny\by command on
+ the system.
+
+ An exclamation point ('!') can be used as a logical _\bn_\bo_\bt operator both
+ in an _\ba_\bl_\bi_\ba_\bs and in front of a Cmnd. This allows one to exclude certain
+ values. Note, however, that using a ! in conjunction with the built-in
+ ALL alias to allow a user to run "all but a few" commands rarely works
+ as intended (see SECURITY NOTES below).
-S\bSU\bUD\bDO\bOE\bER\bRS\bS O\bOP\bPT\bTI\bIO\bON\bNS\bS
- s\bsu\bud\bdo\bo's behavior can be modified by Default_Entry lines, as
- explained earlier. A list of all supported Defaults
- parameters, grouped by type, are listed below.
+ Long lines can be continued with a backslash ('\') as the last
+ character on the line.
- F\bFl\bla\bag\bgs\bs:
+ Whitespace between elements in a list as well as special syntactic
+ characters in a _\bU_\bs_\be_\br _\bS_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn ('=', ':', '(', ')') is optional.
- always_set_home If set, s\bsu\bud\bdo\bo will set the HOME environment
- variable to the home directory of the tar
- get user (which is root unless the -\b-u\bu
- option is used). This effectively means
- that the -\b-H\bH flag is always implied. This
- flag is _\bo_\bf_\bf by default.
+ The following characters must be escaped with a backslash ('\') when
+ used as part of a word (e.g. a user name or host name): '@', '!', '=',
+ ':', ',', '(', ')', '\'.
- authenticate If set, users must authenticate themselves
- via a password (or other means of authen
- tication) before they may run commands.
- This default may be overridden via the
- PASSWD and NOPASSWD tags. This flag is _\bo_\bn
- by default.
- env_editor If set, v\bvi\bis\bsu\bud\bdo\bo will use the value of the
- EDITOR or VISUAL environment variables
- before falling back on the default editor
- list. Note that this may create a secu
- rity hole as it allows the user to run any
- arbitrary command as root without logging.
- A safer alternative is to place a colon-
- separated list of editors in the editor
- variable. v\bvi\bis\bsu\bud\bdo\bo will then only use the
- EDITOR or VISUAL if they match a value
-1.6.9p15 March 23, 2008 8
+1.7.4 July 21, 2010 9
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
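Review bot: the new #includedir paragraph says the directive can be used to create "a sudo.d directory", but the example that follows and every path after it use /etc/sudoers.d; make the name consistent ("a sudoers.d directory"). While touching that paragraph, it would help to state that the files found there are parsed in place, the way the #include paragraph spells out for a single file ("suspend processing of the current file ... the rest of /etc/sudoers will be processed"), since the 01_first/10_second/1_whoops ordering discussion only matters to a reader who knows the files are spliced in at that point.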
- specified in editor. This flag is _\bo_\bf_\bf by
+S\bSU\bUD\bDO\bOE\bER\bRS\bS O\bOP\bPT\bTI\bIO\bON\bNS\bS
+ s\bsu\bud\bdo\bo's behavior can be modified by Default_Entry lines, as explained
+ earlier. A list of all supported Defaults parameters, grouped by type,
+ are listed below.
+
+ B\bBo\boo\bol\ble\bea\ban\bn F\bFl\bla\bag\bgs\bs:
+
+ always_set_home If enabled, s\bsu\bud\bdo\bo will set the HOME environment variable
+ to the home directory of the target user (which is root
+ unless the -\b-u\bu option is used). This effectively means
+ that the -\b-H\bH option is always implied. Note that HOME
+ is already set when the the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is
+ enabled, so _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be is only effective for
+ configurations where _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt is disabled. This flag
+ is _\bo_\bf_\bf by default.
+
+ authenticate If set, users must authenticate themselves via a
+ password (or other means of authentication) before they
+ may run commands. This default may be overridden via
+ the PASSWD and NOPASSWD tags. This flag is _\bo_\bn by
default.
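Review bot: duplicated word in the new always_set_home text, "when the the env_reset option is enabled"; drop one "the". The same entry now opens with "If enabled" while authenticate and the other flags keep "If set"; pick one form for the whole Boolean Flags list.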
- env_reset If set, s\bsu\bud\bdo\bo will reset the environment to
- only contain the LOGNAME, SHELL, USER,
- USERNAME and the SUDO_* variables. Any
- variables in the caller's environment that
- match the env_keep and env_check lists are
- then added. The default contents of the
- env_keep and env_check lists are displayed
- when s\bsu\bud\bdo\bo is run by root with the _\b-_\bV
- option. If s\bsu\bud\bdo\bo was compiled with the
- SECURE_PATH option, its value will be used
- for the PATH environment variable. This
- flag is _\bo_\bn by default.
+ closefrom_override
+ If set, the user may use s\bsu\bud\bdo\bo's -\b-C\bC option which
+ overrides the default starting point at which s\bsu\bud\bdo\bo
+ begins closing open file descriptors. This flag is _\bo_\bf_\bf
+ by default.
- fqdn Set this flag if you want to put fully
- qualified hostnames in the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
- I.e., instead of myhost you would use
- myhost.mydomain.edu. You may still use
- the short form if you wish (and even mix
- the two). Beware that turning on _\bf_\bq_\bd_\bn
- requires s\bsu\bud\bdo\bo to make DNS lookups which
- may make s\bsu\bud\bdo\bo unusable if DNS stops work
- ing (for example if the machine is not
- plugged into the network). Also note that
- you must use the host's official name as
- DNS knows it. That is, you may not use a
- host alias (CNAME entry) due to perfor
- mance issues and the fact that there is no
- way to get all aliases from DNS. If your
- machine's hostname (as returned by the
- hostname command) is already fully quali
- fied you shouldn't need to set _\bf_\bq_\bd_\bn. This
- flag is _\bo_\bf_\bf by default.
+ compress_io If set, and s\bsu\bud\bdo\bo is configured to log a command's input
+ or output, the I/O logs will be compressed using z\bzl\bli\bib\bb.
+ This flag is _\bo_\bn by default when s\bsu\bud\bdo\bo is compiled with
+ z\bzl\bli\bib\bb support.
- ignore_dot If set, s\bsu\bud\bdo\bo will ignore '.' or '' (cur
- rent dir) in the PATH environment vari
- able; the PATH itself is not modified.
- This flag is _\bo_\bf_\bf by default. Currently,
- while it is possible to set _\bi_\bg_\bn_\bo_\br_\be_\b__\bd_\bo_\bt in
- _\bs_\bu_\bd_\bo_\be_\br_\bs, its value is not used. This
- option should be considered read-only (it
- will be fixed in a future version of
- s\bsu\bud\bdo\bo).
+ env_editor If set, v\bvi\bis\bsu\bud\bdo\bo will use the value of the EDITOR or
+ VISUAL environment variables before falling back on the
+ default editor list. Note that this may create a
+ security hole as it allows the user to run any
+ arbitrary command as root without logging. A safer
+ alternative is to place a colon-separated list of
+ editors in the editor variable. v\bvi\bis\bsu\bud\bdo\bo will then only
+ use the EDITOR or VISUAL if they match a value
+ specified in editor. This flag is _\bo_\bf_\bf by default.
- ignore_local_sudoers
- If set via LDAP, parsing of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs
- will be skipped. This is intended for
- Enterprises that wish to prevent the usage
- of local sudoers files so that only LDAP
- is used. This thwarts the efforts of
- rogue operators who would attempt to add
- roles to _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. When this option
+ env_reset If set, s\bsu\bud\bdo\bo will reset the environment to only contain
+ the LOGNAME, MAIL, SHELL, USER, USERNAME and the SUDO_*
+ variables. Any variables in the caller's environment
+ that match the env_keep and env_check lists are then
+ added. The default contents of the env_keep and
+ env_check lists are displayed when s\bsu\bud\bdo\bo is run by root
+ with the _\b-_\bV option. If the _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh option is set,
+ its value will be used for the PATH environment
+ variable. This flag is _\bo_\bn by default.
+
+ fast_glob Normally, s\bsu\bud\bdo\bo uses the _\bg_\bl_\bo_\bb(3) function to do shell-
-1.6.9p15 March 23, 2008 9
+1.7.4 July 21, 2010 10
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- is present, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs does not even
- need to exist. Since this option tells
- s\bsu\bud\bdo\bo how to behave when no specific LDAP
- entries have been matched, this sudoOption
- is only meaningful for the cn=defaults
- section. This flag is _\bo_\bf_\bf by default.
+ style globbing when matching path names. However,
+ since it accesses the file system, _\bg_\bl_\bo_\bb(3) can take a
+ long time to complete for some patterns, especially
+ when the pattern references a network file system that
+ is mounted on demand (automounted). The _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb
+ option causes s\bsu\bud\bdo\bo to use the _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) function,
+ which does not access the file system to do its
+ matching. The disadvantage of _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is that it is
+ unable to match relative path names such as _\b._\b/_\bl_\bs or
+ _\b._\b._\b/_\bb_\bi_\bn_\b/_\bl_\bs. This has security implications when path
+ names that include globbing characters are used with
+ the negation operator, '!', as such rules can be
+ trivially bypassed. As such, this option should not be
+ used when _\bs_\bu_\bd_\bo_\be_\br_\bs contains rules that contain negated
+ path names which include globbing characters. This
+ flag is _\bo_\bf_\bf by default.
- insults If set, s\bsu\bud\bdo\bo will insult users when they
- enter an incorrect password. This flag is
+ fqdn Set this flag if you want to put fully qualified host
+ names in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. I.e., instead of myhost you
+ would use myhost.mydomain.edu. You may still use the
+ short form if you wish (and even mix the two). Beware
+ that turning on _\bf_\bq_\bd_\bn requires s\bsu\bud\bdo\bo to make DNS lookups
+ which may make s\bsu\bud\bdo\bo unusable if DNS stops working (for
+ example if the machine is not plugged into the
+ network). Also note that you must use the host's
+ official name as DNS knows it. That is, you may not
+ use a host alias (CNAME entry) due to performance
+ issues and the fact that there is no way to get all
+ aliases from DNS. If your machine's host name (as
+ returned by the hostname command) is already fully
+ qualified you shouldn't need to set _\bf_\bq_\bd_\bn. This flag is
_\bo_\bf_\bf by default.
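Review bot: the new fast_glob entry is the only place in this list that warns that negated path names containing globbing characters can be trivially bypassed, yet the '!' paragraph earlier in this patch only says that "all but a few" rules built on ALL rarely work as intended and points to SECURITY NOTES. Add a cross-reference in both directions (fast_glob -> SECURITY NOTES, and the '!' paragraph -> fast_glob), so an administrator reading about negation sees the fast_glob caveat before enabling the option.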
- log_host If set, the hostname will be logged in the
- (non-syslog) s\bsu\bud\bdo\bo log file. This flag is
+ ignore_dot If set, s\bsu\bud\bdo\bo will ignore '.' or '' (current dir) in the
+ PATH environment variable; the PATH itself is not
+ modified. This flag is _\bo_\bf_\bf by default.
+
+ ignore_local_sudoers
+ If set via LDAP, parsing of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs will be
+ skipped. This is intended for Enterprises that wish to
+ prevent the usage of local sudoers files so that only
+ LDAP is used. This thwarts the efforts of rogue
+ operators who would attempt to add roles to
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. When this option is present,
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs does not even need to exist. Since this
+ option tells s\bsu\bud\bdo\bo how to behave when no specific LDAP
+ entries have been matched, this sudoOption is only
+ meaningful for the cn=defaults section. This flag is
_\bo_\bf_\bf by default.
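Review bot: the rewritten ignore_dot entry drops the old caveat that "while it is possible to set ignore_dot in sudoers, its value is not used" and that the option "should be considered read-only". If the option is now honored, that is a behavior change worth a sentence in the entry (or a changelog line); if it is still unused, the caveat should stay.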
- log_year If set, the four-digit year will be logged
- in the (non-syslog) s\bsu\bud\bdo\bo log file. This
- flag is _\bo_\bf_\bf by default.
+ insults If set, s\bsu\bud\bdo\bo will insult users when they enter an
+ incorrect password. This flag is _\bo_\bf_\bf by default.
- long_otp_prompt When validating with a One Time Password
- (OPT) scheme such as S\bS/\b/K\bKe\bey\by or O\bOP\bPI\bIE\bE, a two-
- line prompt is used to make it easier to
- cut and paste the challenge to a local
- window. It's not as pretty as the default
- but some people find it more convenient.
- This flag is _\bo_\bf_\bf by default.
+ log_host If set, the host name will be logged in the (non-
- mail_always Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user every time a
- users runs s\bsu\bud\bdo\bo. This flag is _\bo_\bf_\bf by
- default.
- mail_badpass Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user if the user
- running s\bsu\bud\bdo\bo does not enter the correct
- password. This flag is _\bo_\bf_\bf by default.
- mail_no_host If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo
- user if the invoking user exists in the
- _\bs_\bu_\bd_\bo_\be_\br_\bs file, but is not allowed to run
- commands on the current host. This flag
- is _\bo_\bf_\bf by default.
+1.7.4 July 21, 2010 11
- mail_no_perms If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo
- user if the invoking user is allowed to
- use s\bsu\bud\bdo\bo but the command they are trying
- is not listed in their _\bs_\bu_\bd_\bo_\be_\br_\bs file entry
- or is explicitly denied. This flag is _\bo_\bf_\bf
- by default.
- mail_no_user If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo
- user if the invoking user is not in the
- _\bs_\bu_\bd_\bo_\be_\br_\bs file. This flag is _\bo_\bn by default.
- noexec If set, all commands run via s\bsu\bud\bdo\bo will
- behave as if the NOEXEC tag has been set,
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-1.6.9p15 March 23, 2008 10
+ syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
+ log_year If set, the four-digit year will be logged in the (non-
+ syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
+ long_otp_prompt When validating with a One Time Password (OPT) scheme
+ such as S\bS/\b/K\bKe\bey\by or O\bOP\bPI\bIE\bE, a two-line prompt is used to
+ make it easier to cut and paste the challenge to a
+ local window. It's not as pretty as the default but
+ some people find it more convenient. This flag is _\bo_\bf_\bf
+ by default.
+ mail_always Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user every time a users runs
+ s\bsu\bud\bdo\bo. This flag is _\bo_\bf_\bf by default.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ mail_badpass Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user if the user running s\bsu\bud\bdo\bo
+ does not enter the correct password. This flag is _\bo_\bf_\bf
+ by default.
+ mail_no_host If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
+ invoking user exists in the _\bs_\bu_\bd_\bo_\be_\br_\bs file, but is not
+ allowed to run commands on the current host. This flag
+ is _\bo_\bf_\bf by default.
- unless overridden by a EXEC tag. See the
- description of _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC below as
- well as the "PREVENTING SHELL ESCAPES"
- section at the end of this manual. This
- flag is _\bo_\bf_\bf by default.
+ mail_no_perms If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
+ invoking user is allowed to use s\bsu\bud\bdo\bo but the command
+ they are trying is not listed in their _\bs_\bu_\bd_\bo_\be_\br_\bs file
+ entry or is explicitly denied. This flag is _\bo_\bf_\bf by
+ default.
- path_info Normally, s\bsu\bud\bdo\bo will tell the user when a
- command could not be found in their PATH
- environment variable. Some sites may wish
- to disable this as it could be used to
- gather information on the location of exe
- cutables that the normal user does not
- have access to. The disadvantage is that
- if the executable is simply not in the
- user's PATH, s\bsu\bud\bdo\bo will tell the user that
- they are not allowed to run it, which can
- be confusing. This flag is _\bo_\bn by default.
+ mail_no_user If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
+ invoking user is not in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. This flag is
+ _\bo_\bn by default.
+
+ noexec If set, all commands run via s\bsu\bud\bdo\bo will behave as if the
+ NOEXEC tag has been set, unless overridden by a EXEC
+ tag. See the description of _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC below as
+ well as the "PREVENTING SHELL ESCAPES" section at the
+ end of this manual. This flag is _\bo_\bf_\bf by default.
+
+ path_info Normally, s\bsu\bud\bdo\bo will tell the user when a command could
+ not be found in their PATH environment variable. Some
+ sites may wish to disable this as it could be used to
+ gather information on the location of executables that
+ the normal user does not have access to. The
+ disadvantage is that if the executable is simply not in
+ the user's PATH, s\bsu\bud\bdo\bo will tell the user that they are
+ not allowed to run it, which can be confusing. This
+ flag is _\bo_\bn by default.
passprompt_override
- The password prompt specified by
- _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will normally only be used if
- the passwod prompt provided by systems
- such as PAM matches the string "Pass
- word:". If _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is set,
- _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will always be used. This flag
- is _\bo_\bf_\bf by default.
+ The password prompt specified by _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will
+ normally only be used if the password prompt provided
+ by systems such as PAM matches the string "Password:".
- preserve_groups By default s\bsu\bud\bdo\bo will initialize the group
- vector to the list of groups the target
- user is in. When _\bp_\br_\be_\bs_\be_\br_\bv_\be_\b__\bg_\br_\bo_\bu_\bp_\bs is set,
- the user's existing group vector is left
- unaltered. The real and effective group
- IDs, however, are still set to match the
- target user. This flag is _\bo_\bf_\bf by default.
-
- requiretty If set, s\bsu\bud\bdo\bo will only run when the user
- is logged in to a real tty. This will
- disallow things like "rsh somehost sudo
- ls" since _\br_\bs_\bh(1) does not allocate a tty.
- Because it is not possible to turn off
- echo when there is no tty present, some
- sites may wish to set this flag to prevent
- a user from entering a visible password.
- This flag is _\bo_\bf_\bf by default.
- root_sudo If set, root is allowed to run s\bsu\bud\bdo\bo too.
- Disabling this prevents users from "chain
- ing" s\bsu\bud\bdo\bo commands to get a root shell by
- doing something like "sudo sudo /bin/sh".
- Note, however, that turning off _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo
- will also prevent root and from running
- s\bsu\bud\bdo\boe\bed\bdi\bit\bt. Disabling _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo provides no
- real additional security; it exists purely
- for historical reasons. This flag is _\bo_\bn
+1.7.4 July 21, 2010 12
-1.6.9p15 March 23, 2008 11
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ If _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is set, _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will always
+ be used. This flag is _\bo_\bf_\bf by default.
+
+ preserve_groups By default, s\bsu\bud\bdo\bo will initialize the group vector to
+ the list of groups the target user is in. When
+ _\bp_\br_\be_\bs_\be_\br_\bv_\be_\b__\bg_\br_\bo_\bu_\bp_\bs is set, the user's existing group
+ vector is left unaltered. The real and effective group
+ IDs, however, are still set to match the target user.
+ This flag is _\bo_\bf_\bf by default.
+ pwfeedback By default, s\bsu\bud\bdo\bo reads the password like most other
+ Unix programs, by turning off echo until the user hits
+ the return (or enter) key. Some users become confused
+ by this as it appears to them that s\bsu\bud\bdo\bo has hung at
+ this point. When _\bp_\bw_\bf_\be_\be_\bd_\bb_\ba_\bc_\bk is set, s\bsu\bud\bdo\bo will provide
+ visual feedback when the user presses a key. Note that
+ this does have a security impact as an onlooker may be
+ able to determine the length of the password being
+ entered. This flag is _\bo_\bf_\bf by default.
+
+ requiretty If set, s\bsu\bud\bdo\bo will only run when the user is logged in
+ to a real tty. When this flag is set, s\bsu\bud\bdo\bo can only be
+ run from a login session and not via other means such
+ as _\bc_\br_\bo_\bn(1m) or cgi-bin scripts. This flag is _\bo_\bf_\bf by
+ default.
+ root_sudo If set, root is allowed to run s\bsu\bud\bdo\bo too. Disabling
+ this prevents users from "chaining" s\bsu\bud\bdo\bo commands to
+ get a root shell by doing something like "sudo sudo
+ /bin/sh". Note, however, that turning off _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo
+ will also prevent root from running s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
+ Disabling _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo provides no real additional
+ security; it exists purely for historical reasons.
+ This flag is _\bo_\bn by default.
+
+ rootpw If set, s\bsu\bud\bdo\bo will prompt for the root password instead
+ of the password of the invoking user. This flag is _\bo_\bf_\bf
by default.
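Review bot: the rewritten requiretty entry loses the security rationale the removed text gave, that echo cannot be turned off when no tty is present, so a password typed through something like "rsh somehost sudo ls" is visible; keep that sentence alongside the new cron(1m)/cgi-bin examples, since it is the reason sites set the flag. Smaller fixes in the same region: "every time a users runs sudo" (mail_always) should read "a user runs"; "One Time Password (OPT)" (long_otp_prompt) should be "(OTP)"; "overridden by a EXEC tag" (noexec) should be "an EXEC tag".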
- rootpw If set, s\bsu\bud\bdo\bo will prompt for the root
- password instead of the password of the
- invoking user. This flag is _\bo_\bf_\bf by
- default.
+ runaspw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
+ defined by the _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt option (defaults to root)
+ instead of the password of the invoking user. This
+ flag is _\bo_\bf_\bf by default.
+
+ set_home If enabled and s\bsu\bud\bdo\bo is invoked with the -\b-s\bs option the
+ HOME environment variable will be set to the home
+ directory of the target user (which is root unless the
+ -\b-u\bu option is used). This effectively makes the -\b-s\bs
+ option imply -\b-H\bH. Note that HOME is already set when
+ the the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is enabled, so _\bs_\be_\bt_\b__\bh_\bo_\bm_\be is
+ only effective for configurations where _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt is
+ disabled. This flag is _\bo_\bf_\bf by default.
+
+ set_logname Normally, s\bsu\bud\bdo\bo will set the LOGNAME, USER and USERNAME
+
+
+
+1.7.4 July 21, 2010 13
+
- runaspw If set, s\bsu\bud\bdo\bo will prompt for the password
- of the user defined by the _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt
- option (defaults to root) instead of the
- password of the invoking user. This flag
- is _\bo_\bf_\bf by default.
- set_home If set and s\bsu\bud\bdo\bo is invoked with the -\b-s\bs
- flag the HOME environment variable will be
- set to the home directory of the target
- user (which is root unless the -\b-u\bu option
- is used). This effectively makes the -\b-s\bs
- flag imply -\b-H\bH. This flag is _\bo_\bf_\bf by
- default.
- set_logname Normally, s\bsu\bud\bdo\bo will set the LOGNAME, USER
- and USERNAME environment variables to the
- name of the target user (usually root
- unless the -\b-u\bu flag is given). However,
- since some programs (including the RCS
- revision control system) use LOGNAME to
- determine the real identity of the user,
- it may be desirable to change this behav
- ior. This can be done by negating the
- set_logname option. Note that if the
- _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option has not been disabled,
- entries in the _\be_\bn_\bv_\b__\bk_\be_\be_\bp list will override
- the value of _\bs_\be_\bt_\b__\bl_\bo_\bg_\bn_\ba_\bm_\be. This flag is
- _\bo_\bf_\bf by default.
- setenv Allow the user to disable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt
- option from the command line. Addition
- ally, environment variables set via the
- command line are not subject to the
- restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk,
- _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such, only
- trusted users should be allowed to set
- variables in this manner. This flag is
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
+ environment variables to the name of the target user
+ (usually root unless the -\b-u\bu option is given). However,
+ since some programs (including the RCS revision control
+ system) use LOGNAME to determine the real identity of
+ the user, it may be desirable to change this behavior.
+ This can be done by negating the set_logname option.
+ Note that if the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option has not been
+ disabled, entries in the _\be_\bn_\bv_\b__\bk_\be_\be_\bp list will override
+ the value of _\bs_\be_\bt_\b__\bl_\bo_\bg_\bn_\ba_\bm_\be. This flag is _\bo_\bn by default.
+
+ setenv Allow the user to disable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option from the
+ command line. Additionally, environment variables set
+ via the command line are not subject to the
+ restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or
+ _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such, only trusted users should be
+ allowed to set variables in this manner. This flag is
_\bo_\bf_\bf by default.
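Review bot: duplicated word again in the new set_home text, "when the the env_reset option is enabled". Also, set_logname changes its stated default from "off by default" in the removed text to "on by default" in the added text while nothing else in the entry changes; confirm this matches the code default and, if it is a real change rather than a documentation correction, call it out, because set_logname decides what LOGNAME/USER/USERNAME a target program sees.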
- shell_noargs If set and s\bsu\bud\bdo\bo is invoked with no argu
- ments it acts as if the -\b-s\bs flag had been
- given. That is, it runs a shell as root
- (the shell is determined by the SHELL
- environment variable if it is set, falling
- back on the shell listed in the invoking
- user's /etc/passwd entry if not). This
- flag is _\bo_\bf_\bf by default.
+ shell_noargs If set and s\bsu\bud\bdo\bo is invoked with no arguments it acts as
+ if the -\b-s\bs option had been given. That is, it runs a
+ shell as root (the shell is determined by the SHELL
+ environment variable if it is set, falling back on the
+ shell listed in the invoking user's /etc/passwd entry
+ if not). This flag is _\bo_\bf_\bf by default.
+
+ stay_setuid Normally, when s\bsu\bud\bdo\bo executes a command the real and
+ effective UIDs are set to the target user (root by
+ default). This option changes that behavior such that
+ the real UID is left as the invoking user's UID. In
+ other words, this makes s\bsu\bud\bdo\bo act as a setuid wrapper.
+ This can be useful on systems that disable some
+ potentially dangerous functionality when a program is
+ run setuid. This option is only effective on systems
+ with either the _\bs_\be_\bt_\br_\be_\bu_\bi_\bd_\b(_\b) or _\bs_\be_\bt_\br_\be_\bs_\bu_\bi_\bd_\b(_\b) function.
+ This flag is _\bo_\bf_\bf by default.
+ targetpw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
+ specified by the -\b-u\bu option (defaults to root) instead
+ of the password of the invoking user. In addition, the
+ timestamp file name will include the target user's
+ name. Note that this flag precludes the use of a uid
+ not listed in the passwd database as an argument to the
+ -\b-u\bu option. This flag is _\bo_\bf_\bf by default.
+ log_input If set, s\bsu\bud\bdo\bo will run the command in a _\bp_\bs_\be_\bu_\bd_\bo _\bt_\bt_\by and
+ log all user input. If the standard input is not
+ connected to the user's tty, due to I/O redirection or
+ because the command is part of a pipeline, that input
+ is also captured and stored in a separate log file.
-1.6.9p15 March 23, 2008 12
+ Input is logged to the _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo directory using
+ a unique session ID that is included in the normal s\bsu\bud\bdo\bo
+ log line, prefixed with _\bT_\bS_\bI_\bD_\b=.
+1.7.4 July 21, 2010 14
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- stay_setuid Normally, when s\bsu\bud\bdo\bo executes a command the
- real and effective UIDs are set to the
- target user (root by default). This
- option changes that behavior such that the
- real UID is left as the invoking user's
- UID. In other words, this makes s\bsu\bud\bdo\bo act
- as a setuid wrapper. This can be useful
- on systems that disable some potentially
- dangerous functionality when a program is
- run setuid. This option is only effective
- on systems with either the _\bs_\be_\bt_\br_\be_\bu_\bi_\bd_\b(_\b) or
- _\bs_\be_\bt_\br_\be_\bs_\bu_\bi_\bd_\b(_\b) function. This flag is _\bo_\bf_\bf by
- default.
- targetpw If set, s\bsu\bud\bdo\bo will prompt for the password
- of the user specified by the -\b-u\bu flag
- (defaults to root) instead of the password
- of the invoking user. Note that this pre
- cludes the use of a uid not listed in the
- passwd database as an argument to the -\b-u\bu
- flag. This flag is _\bo_\bf_\bf by default.
-
- tty_tickets If set, users must authenticate on a per-
- tty basis. Normally, s\bsu\bud\bdo\bo uses a direc
- tory in the ticket dir with the same name
- as the user running it. With this flag
- enabled, s\bsu\bud\bdo\bo will use a file named for
- the tty the user is logged in on in that
- directory. This flag is _\bo_\bf_\bf by default.
-
- use_loginclass If set, s\bsu\bud\bdo\bo will apply the defaults spec
- ified for the target user's login class if
- one exists. Only available if s\bsu\bud\bdo\bo is
- configured with the --with-logincap
- option. This flag is _\bo_\bf_\bf by default.
- I\bIn\bnt\bte\beg\bge\ber\brs\bs:
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- passwd_tries The number of tries a user gets to enter
- his/her password before s\bsu\bud\bdo\bo logs the
- failure and exits. The default is 3.
- I\bIn\bnt\bte\beg\bge\ber\brs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
+ log_output If set, s\bsu\bud\bdo\bo will run the command in a _\bp_\bs_\be_\bu_\bd_\bo _\bt_\bt_\by and
+ log all output that is sent to the screen, similar to
+ the _\bs_\bc_\br_\bi_\bp_\bt(1) command. If the standard output or
+ standard error is not connected to the user's tty, due
+ to I/O redirection or because the command is part of a
+ pipeline, that output is also captured and stored in
+ separate log files.
+
+ Output is logged to the _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo directory
+ using a unique session ID that is included in the
+ normal s\bsu\bud\bdo\bo log line, prefixed with _\bT_\bS_\bI_\bD_\b=.
+
+ Output logs may be viewed with the _\bs_\bu_\bd_\bo_\br_\be_\bp_\bl_\ba_\by(1m)
+ utility, which can also be used to list or search the
+ available logs.
+
+ tty_tickets If set, users must authenticate on a per-tty basis.
+ With this flag enabled, s\bsu\bud\bdo\bo will use a file named for
+ the tty the user is logged in on in the user's time
+ stamp directory. If disabled, the time stamp of the
+ directory is used instead. This flag is _\bo_\bn by default.
+
+ umask_override If set, s\bsu\bud\bdo\bo will set the umask as specified by _\bs_\bu_\bd_\bo_\be_\br_\bs
+ without modification. This makes it possible to
+ specify a more permissive umask in _\bs_\bu_\bd_\bo_\be_\br_\bs than the
+ user's own umask and matches historical behavior. If
+ _\bu_\bm_\ba_\bs_\bk_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is not set, s\bsu\bud\bdo\bo will set the umask to
+ be the union of the user's umask and what is specified
+ in _\bs_\bu_\bd_\bo_\be_\br_\bs. This flag is _\bo_\bf_\bf by default.
+
+ use_loginclass If set, s\bsu\bud\bdo\bo will apply the defaults specified for the
+ target user's login class if one exists. Only
+ available if s\bsu\bud\bdo\bo is configured with the
+ --with-logincap option. This flag is _\bo_\bf_\bf by default.
+
+ use_pty If set, s\bsu\bud\bdo\bo will run the command in a pseudo-pty even
+ if no I/O logging is being gone. A malicious program
+ run under s\bsu\bud\bdo\bo could conceivably fork a background
+ process that retains to the user's terminal device
+ after the main program has finished executing. Use of
+ this option will make that impossible.
+
+ visiblepw By default, s\bsu\bud\bdo\bo will refuse to run if the user must
+ enter a password but it is not possible to disable echo
+ on the terminal. If the _\bv_\bi_\bs_\bi_\bb_\bl_\be_\bp_\bw flag is set, s\bsu\bud\bdo\bo
+ will prompt for a password even when it would be
+ visible on the screen. This makes it possible to run
+ things like "rsh somehost sudo ls" since _\br_\bs_\bh(1) does
+ not allocate a tty. This flag is _\bo_\bf_\bf by default.
- loglinelen Number of characters per line for the file
- log. This value is used to decide when to
- wrap lines for nicer log files. This has
- no effect on the syslog log file, only the
- file log. The default is 80 (use 0 or
- negate the option to disable word wrap).
+ I\bIn\bnt\bte\beg\bge\ber\brs\bs:
- passwd_timeout Number of minutes before the s\bsu\bud\bdo\bo password
- prompt times out. The default is 5; set
- this to 0 for no password timeout.
+ closefrom Before it executes a command, s\bsu\bud\bdo\bo will close all open
+ file descriptors other than standard input, standard
-1.6.9p15 March 23, 2008 13
+1.7.4 July 21, 2010 15
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
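Review bot: two wording errors in the new use_pty entry (the lines from "use_pty If set" through "will make that impossible"): "even if no I/O logging is being gone" should read "is being done", and "fork a background process that retains to the user's terminal device" is missing a word, presumably "retains access to". That entry is also the only flag in this block that does not end with a "This flag is ... by default." sentence; state its default the way the neighbouring flags (visiblepw, use_loginclass, umask_override) do.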
+ output and standard error (ie: file descriptors 0-2).
+ The _\bc_\bl_\bo_\bs_\be_\bf_\br_\bo_\bm option can be used to specify a different
+ file descriptor at which to start closing. The default
+ is 3.
+
+ passwd_tries The number of tries a user gets to enter his/her
+ password before s\bsu\bud\bdo\bo logs the failure and exits. The
+ default is 3.
+
+ I\bIn\bnt\bte\beg\bge\ber\brs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
+
+ loglinelen Number of characters per line for the file log. This
+ value is used to decide when to wrap lines for nicer
+ log files. This has no effect on the syslog log file,
+ only the file log. The default is 80 (use 0 or negate
+ the option to disable word wrap).
+
+ passwd_timeout Number of minutes before the s\bsu\bud\bdo\bo password prompt times
+ out, or 0 for no timeout. The timeout may include a
+ fractional component if minute granularity is
+ insufficient, for example 2.5. The default is 5.
+
timestamp_timeout
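Review bot: "(ie: file descriptors 0-2)" in the new closefrom entry should be "(i.e., file descriptors 0-2)" to match the style used elsewhere on the page. Also, passwd_timeout now documents a fractional value ("for example 2.5") but remains under the "Integers that can be used in a boolean context" heading; a short note that the value is no longer strictly an integer would avoid confusing readers who take the heading literally.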
- Number of minutes that can elapse before
- s\bsu\bud\bdo\bo will ask for a passwd again. The
- default is 5. Set this to 0 to always
- prompt for a password. If set to a value
- less than 0 the user's timestamp will
- never expire. This can be used to allow
- users to create or delete their own times
- tamps via sudo -v and sudo -k respec
- tively.
-
- umask Umask to use when running the command.
- Negate this option or set it to 0777 to
- preserve the user's umask. The default is
- 0022.
+ Number of minutes that can elapse before s\bsu\bud\bdo\bo will ask
+ for a passwd again. The timeout may include a
+ fractional component if minute granularity is
+ insufficient, for example 2.5. The default is 5. Set
+ this to 0 to always prompt for a password. If set to a
+ value less than 0 the user's timestamp will never
+ expire. This can be used to allow users to create or
+ delete their own timestamps via sudo -v and sudo -k
+ respectively.
+
+ umask Umask to use when running the command. Negate this
+ option or set it to 0777 to preserve the user's umask.
+ The actual umask that is used will be the union of the
+ user's umask and 0022. This guarantees that s\bsu\bud\bdo\bo never
+ lowers the umask when running a command. Note on
+ systems that use PAM, the default PAM configuration may
+ specify its own umask which will override the value set
+ in _\bs_\bu_\bd_\bo_\be_\br_\bs.
S\bSt\btr\bri\bin\bng\bgs\bs:
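Review bot: the rewritten umask entry drops the statement of the default value (the old text said "The default is 0022.") and its "union of the user's umask and 0022" wording conflicts with the umask_override entry above, which says that without umask_override sudo uses the union of the user's umask and "what is specified in sudoers". Either restore "The default is 0022." or phrase the union in terms of the configured value so the two entries agree. Minor: in timestamp_timeout, "ask for a passwd again" should be "ask for a password again".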
- badpass_message Message that is displayed if a user enters
- an incorrect password. The default is
- Sorry, try again. unless insults are
- enabled.
-
- editor A colon (':') separated list of editors
- allowed to be used with v\bvi\bis\bsu\bud\bdo\bo. v\bvi\bis\bsu\bud\bdo\bo
- will choose the editor that matches the
- user's EDITOR environment variable if pos
- sible, or the first editor in the list
- that exists and is executable. The
- default is the path to vi on your system.
-
- mailsub Subject of the mail sent to the _\bm_\ba_\bi_\bl_\bt_\bo
- user. The escape %h will expand to the
- hostname of the machine. Default is ***
- SECURITY information for %h ***.
-
- noexec_file Path to a shared library containing dummy
- versions of the _\be_\bx_\be_\bc_\bv_\b(_\b), _\be_\bx_\be_\bc_\bv_\be_\b(_\b) and _\bf_\be_\bx_\b
- _\be_\bc_\bv_\be_\b(_\b) library functions that just return
- an error. This is used to implement the
- _\bn_\bo_\be_\bx_\be_\bc functionality on systems that sup
- port LD_PRELOAD or its equivalent.
- Defaults to
- _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc_\b/_\bs_\bu_\bd_\bo_\b__\bn_\bo_\be_\bx_\be_\bc_\b._\bs_\bo.
+ badpass_message Message that is displayed if a user enters an incorrect
+ password. The default is Sorry, try again. unless
+ insults are enabled.
- passprompt The default prompt to use when asking for
- a password; can be overridden via the -\b-p\bp
- option or the SUDO_PROMPT environment
- variable. The following percent (`%')
- escapes are supported:
+ editor A colon (':') separated list of editors allowed to be
+ used with v\bvi\bis\bsu\bud\bdo\bo. v\bvi\bis\bsu\bud\bdo\bo will choose the editor that
+ matches the user's EDITOR environment variable if
+ possible, or the first editor in the list that exists
+ and is executable. The default is "vi".
- %H expanded to the local hostname includ
- ing the domain name (on if the
- machine's hostname is fully qualified
-1.6.9p15 March 23, 2008 14
+1.7.4 July 21, 2010 16
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- or the _\bf_\bq_\bd_\bn option is set)
+ mailsub Subject of the mail sent to the _\bm_\ba_\bi_\bl_\bt_\bo user. The escape
+ %h will expand to the host name of the machine.
+ Default is *** SECURITY information for %h ***.
- %h expanded to the local hostname without
- the domain name
+ noexec_file Path to a shared library containing dummy versions of
+ the _\be_\bx_\be_\bc_\bv_\b(_\b), _\be_\bx_\be_\bc_\bv_\be_\b(_\b) and _\bf_\be_\bx_\be_\bc_\bv_\be_\b(_\b) library functions
+ that just return an error. This is used to implement
+ the _\bn_\bo_\be_\bx_\be_\bc functionality on systems that support
+ LD_PRELOAD or its equivalent. Defaults to
+ _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc_\b/_\bs_\bu_\bd_\bo_\b__\bn_\bo_\be_\bx_\be_\bc_\b._\bs_\bo.
- %p expanded to the user whose password is
- being asked for (respects the _\br_\bo_\bo_\bt_\bp_\bw,
- _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and _\br_\bu_\bn_\ba_\bs_\bp_\bw flags in _\bs_\bu_\bd_\bo_\be_\br_\bs)
+ passprompt The default prompt to use when asking for a password;
+ can be overridden via the -\b-p\bp option or the SUDO_PROMPT
+ environment variable. The following percent (`%')
+ escapes are supported:
- %U expanded to the login name of the user
- the command will be run as (defaults
- to root)
+ %H expanded to the local host name including the
+ domain name (on if the machine's host name is fully
+ qualified or the _\bf_\bq_\bd_\bn option is set)
- %u expanded to the invoking user's login
+ %h expanded to the local host name without the domain
name
- %% two consecutive % characters are col
- lapsed into a single % character
+ %p expanded to the user whose password is being asked
+ for (respects the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and _\br_\bu_\bn_\ba_\bs_\bp_\bw
+ flags in _\bs_\bu_\bd_\bo_\be_\br_\bs)
+
+ %U expanded to the login name of the user the command
+ will be run as (defaults to root)
+
+ %u expanded to the invoking user's login name
+
+ %% two consecutive % characters are collapsed into a
+ single % character
The default value is Password:.
- runas_default The default user to run commands as if the
- -\b-u\bu flag is not specified on the command
- line. This defaults to root. Note that
- if _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt is set it m\bmu\bus\bst\bt occur
+ role The default SELinux role to use when constructing a new
+ security context to run the command. The default role
+ may be overridden on a per-command basis in _\bs_\bu_\bd_\bo_\be_\br_\bs or
+ via command line options. This option is only
+ available whe s\bsu\bud\bdo\bo is built with SELinux support.
+
+ runas_default The default user to run commands as if the -\b-u\bu option is
+ not specified on the command line. This defaults to
+ root. Note that if _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt is set it m\bmu\bus\bst\bt occur
before any Runas_Alias specifications.
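Review bot: typo in the new role entry: "This option is only available whe sudo is built with SELinux support" should read "when". The identical sentence appears again in the new type entry further down, so fix both occurrences.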
- syslog_badpri Syslog priority to use when user authenti
- cates unsuccessfully. Defaults to alert.
+ syslog_badpri Syslog priority to use when user authenticates
+ unsuccessfully. Defaults to alert.
- syslog_goodpri Syslog priority to use when user authenti
- cates successfully. Defaults to notice.
+ syslog_goodpri Syslog priority to use when user authenticates
+ successfully. Defaults to notice.
- timestampdir The directory in which s\bsu\bud\bdo\bo stores its
- timestamp files. The default is
- _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo.
- timestampowner The owner of the timestamp directory and
- the timestamps stored therein. The
- default is root.
- S\bSt\btr\bri\bin\bng\bgs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
- exempt_group
- Users in this group are exempt from password
- and PATH requirements. This is not set by
- default.
+1.7.4 July 21, 2010 17
- lecture This option controls when a short lecture will
- be printed along with the password prompt. It
- has the following possible values:
- always Always lecture the user.
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-1.6.9p15 March 23, 2008 15
+ sudoers_locale Locale to use when parsing the sudoers file. Note that
+ changing the locale may affect how sudoers is
+ interpreted. Defaults to "C".
+ timestampdir The directory in which s\bsu\bud\bdo\bo stores its timestamp files.
+ The default is _\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo.
+ timestampowner The owner of the timestamp directory and the timestamps
+ stored therein. The default is root.
+ type The default SELinux type to use when constructing a new
+ security context to run the command. The default type
+ may be overridden on a per-command basis in _\bs_\bu_\bd_\bo_\be_\br_\bs or
+ via command line options. This option is only
+ available whe s\bsu\bud\bdo\bo is built with SELinux support.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ S\bSt\btr\bri\bin\bng\bgs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
+
+ askpass The _\ba_\bs_\bk_\bp_\ba_\bs_\bs option specifies the fully qualified path to a
+ helper program used to read the user's password when no
+ terminal is available. This may be the case when s\bsu\bud\bdo\bo is
+ executed from a graphical (as opposed to text-based)
+ application. The program specified by _\ba_\bs_\bk_\bp_\ba_\bs_\bs should
+ display the argument passed to it as the prompt and write
+ the user's password to the standard output. The value of
+ _\ba_\bs_\bk_\bp_\ba_\bs_\bs may be overridden by the SUDO_ASKPASS environment
+ variable.
+
+ env_file The _\be_\bn_\bv_\b__\bf_\bi_\bl_\be options specifies the fully qualified path to
+ a file containing variables to be set in the environment of
+ the program being run. Entries in this file should either
+ be of the form VARIABLE=value or export VARIABLE=value.
+ The value may optionally be surrounded by single or double
+ quotes. Variables in this file are subject to other s\bsu\bud\bdo\bo
+ environment settings such as _\be_\bn_\bv_\b__\bk_\be_\be_\bp and _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk.
+ exempt_group
+ Users in this group are exempt from password and PATH
+ requirements. This is not set by default.
+
+ lecture This option controls when a short lecture will be printed
+ along with the password prompt. It has the following
+ possible values:
+
+ always Always lecture the user.
never Never lecture the user.
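Review bot: grammar in the new env_file entry: "The env_file options specifies" should be "The env_file option specifies". Separately, the timestampdir default changes in this hunk from /var/adm/sudo... wait, from /var/run/sudo (old text) to /var/adm/sudo (new text); if that reflects this build's configured path rather than an intentional documentation change, say so in the commit, since readers comparing the two versions will otherwise read it as an upstream change of the timestamp location.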
- once Only lecture the user the first time
- they run s\bsu\bud\bdo\bo.
+ once Only lecture the user the first time they run s\bsu\bud\bdo\bo.
- If no value is specified, a value of _\bo_\bn_\bc_\be is
- implied. Negating the option results in a
- value of _\bn_\be_\bv_\be_\br being used. The default value
- is _\bo_\bn_\bc_\be.
+ If no value is specified, a value of _\bo_\bn_\bc_\be is implied.
+ Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
+ The default value is _\bo_\bn_\bc_\be.
- lecture_file
- Path to a file containing an alternate s\bsu\bud\bdo\bo
- lecture that will be used in place of the
- standard lecture if the named file exists. By
- default, s\bsu\bud\bdo\bo uses a built-in lecture.
- listpw This option controls when a password will be
- required when a user runs s\bsu\bud\bdo\bo with the -\b-l\bl
- flag. It has the following possible values:
- all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the
- current host must have the NOPASSWD
- flag set to avoid entering a password.
- always The user must always enter a password
- to use the -\b-l\bl flag.
+1.7.4 July 21, 2010 18
- any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs
- entries for the current host must have
- the NOPASSWD flag set to avoid enter
- ing a password.
- never The user need never enter a password
- to use the -\b-l\bl flag.
- If no value is specified, a value of _\ba_\bn_\by is
- implied. Negating the option results in a
- value of _\bn_\be_\bv_\be_\br being used. The default value
- is _\ba_\bn_\by.
- logfile Path to the s\bsu\bud\bdo\bo log file (not the syslog log
- file). Setting a path turns on logging to a
- file; negating this option turns it off. By
- default, s\bsu\bud\bdo\bo logs via syslog.
- mailerflags Flags to use when invoking mailer. Defaults to
- -\b-t\bt.
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- mailerpath Path to mail program used to send warning
- mail. Defaults to the path to sendmail found
- at configure time.
- mailto Address to send warning and error mail to.
- The address should be enclosed in double
+ lecture_file
+ Path to a file containing an alternate s\bsu\bud\bdo\bo lecture that
+ will be used in place of the standard lecture if the named
+ file exists. By default, s\bsu\bud\bdo\bo uses a built-in lecture.
+ listpw This option controls when a password will be required when
+ a user runs s\bsu\bud\bdo\bo with the -\b-l\bl option. It has the following
+ possible values:
+ all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the current host
+ must have the NOPASSWD flag set to avoid entering a
+ password.
-1.6.9p15 March 23, 2008 16
+ always The user must always enter a password to use the -\b-l\bl
+ option.
+ any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the
+ current host must have the NOPASSWD flag set to
+ avoid entering a password.
+ never The user need never enter a password to use the -\b-l\bl
+ option.
+ If no value is specified, a value of _\ba_\bn_\by is implied.
+ Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
+ The default value is _\ba_\bn_\by.
+ logfile Path to the s\bsu\bud\bdo\bo log file (not the syslog log file).
+ Setting a path turns on logging to a file; negating this
+ option turns it off. By default, s\bsu\bud\bdo\bo logs via syslog.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ mailerflags Flags to use when invoking mailer. Defaults to -\b-t\bt.
+ mailerpath Path to mail program used to send warning mail. Defaults
+ to the path to sendmail found at configure time.
- quotes (") to protect against s\bsu\bud\bdo\bo interpret
- ing the @ sign. Defaults to root.
+ mailfrom Address to use for the "from" address when sending warning
+ and error mail. The address should be enclosed in double
+ quotes (") to protect against s\bsu\bud\bdo\bo interpreting the @ sign.
+ Defaults to the name of the user running s\bsu\bud\bdo\bo.
- syslog Syslog facility if syslog is being used for
- logging (negate to disable syslog logging).
- Defaults to local2.
+ mailto Address to send warning and error mail to. The address
+ should be enclosed in double quotes (") to protect against
+ s\bsu\bud\bdo\bo interpreting the @ sign. Defaults to root.
- verifypw This option controls when a password will be
- required when a user runs s\bsu\bud\bdo\bo with the -\b-v\bv
- flag. It has the following possible values:
+ secure_path Path used for every command run from s\bsu\bud\bdo\bo. If you don't
+ trust the people running s\bsu\bud\bdo\bo to have a sane PATH
+ environment variable you may want to use this. Another use
+ is if you want to have the "root path" be separate from the
+ "user path." Users in the group specified by the
+ _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option are not affected by _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh. This
+ option is not set by default.
- all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the
- current host must have the NOPASSWD
- flag set to avoid entering a password.
+ syslog Syslog facility if syslog is being used for logging (negate
- always The user must always enter a password
- to use the -\b-v\bv flag.
- any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs
- entries for the current host must have
- the NOPASSWD flag set to avoid enter
- ing a password.
- never The user need never enter a password
- to use the -\b-v\bv flag.
+1.7.4 July 21, 2010 19
- If no value is specified, a value of _\ba_\bl_\bl is
- implied. Negating the option results in a
- value of _\bn_\be_\bv_\be_\br being used. The default value
- is _\ba_\bl_\bl.
- L\bLi\bis\bst\bts\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
- env_check Environment variables to be removed from
- the user's environment if the variable's
- value contains % or / characters. This
- can be used to guard against printf-style
- format vulnerabilities in poorly-written
- programs. The argument may be a dou
- ble-quoted, space-separated list or a sin
- gle value without double-quotes. The list
- can be replaced, added to, deleted from,
- or disabled by using the =, +=, -=, and !
- operators respectively. Regardless of
- whether the env_reset option is enabled or
- disabled, variables specified by env_check
- will be preserved in the environment if
- they pass the aforementioned check. The
- default list of environment variables to
- check is displayed when s\bsu\bud\bdo\bo is run by
- root with the _\b-_\bV option.
- env_delete Environment variables to be removed from
- the user's environment. The argument may
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-1.6.9p15 March 23, 2008 17
+ to disable syslog logging). Defaults to auth.
+ verifypw This option controls when a password will be required when
+ a user runs s\bsu\bud\bdo\bo with the -\b-v\bv option. It has the following
+ possible values:
+ all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the current host
+ must have the NOPASSWD flag set to avoid entering a
+ password.
+ always The user must always enter a password to use the -\b-v\bv
+ option.
+ any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the
+ current host must have the NOPASSWD flag set to
+ avoid entering a password.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ never The user need never enter a password to use the -\b-v\bv
+ option.
+ If no value is specified, a value of _\ba_\bl_\bl is implied.
+ Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
+ The default value is _\ba_\bl_\bl.
- be a double-quoted, space-separated list
- or a single value without double-quotes.
- The list can be replaced, added to,
- deleted from, or disabled by using the =,
- +=, -=, and ! operators respectively. The
- default list of environment variables to
- remove is displayed when s\bsu\bud\bdo\bo is run by
- root with the _\b-_\bV option. Note that many
- operating systems will remove potentially
- dangerous variables from the environment
- of any setuid process (such as s\bsu\bud\bdo\bo).
-
- env_keep Environment variables to be preserved in
- the user's environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt
- option is in effect. This allows fine-
- grained control over the environment
- s\bsu\bud\bdo\bo-spawned processes will receive. The
- argument may be a double-quoted, space-
- separated list or a single value without
- double-quotes. The list can be replaced,
- added to, deleted from, or disabled by
- using the =, +=, -=, and ! operators
- respectively. The default list of vari
- ables to keep is displayed when s\bsu\bud\bdo\bo is
- run by root with the _\b-_\bV option.
-
- When logging via _\bs_\by_\bs_\bl_\bo_\bg(3), s\bsu\bud\bdo\bo accepts the following
- values for the syslog facility (the value of the s\bsy\bys\bsl\blo\bog\bg
- Parameter): a\bau\but\bth\bhp\bpr\bri\biv\bv (if your OS supports it), a\bau\but\bth\bh, d\bda\bae\be\b
- m\bmo\bon\bn, u\bus\bse\ber\br, l\blo\boc\bca\bal\bl0\b0, l\blo\boc\bca\bal\bl1\b1, l\blo\boc\bca\bal\bl2\b2, l\blo\boc\bca\bal\bl3\b3, l\blo\boc\bca\bal\bl4\b4, l\blo\boc\bca\bal\bl5\b5,
- l\blo\boc\bca\bal\bl6\b6, and l\blo\boc\bca\bal\bl7\b7. The following syslog priorities are
- supported: a\bal\ble\ber\brt\bt, c\bcr\bri\bit\bt, d\bde\beb\bbu\bug\bg, e\bem\bme\ber\brg\bg, e\ber\brr\br, i\bin\bnf\bfo\bo, n\bno\bot\bti\bic\bce\be,
- and w\bwa\bar\brn\bni\bin\bng\bg.
+ L\bLi\bis\bst\bts\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
-F\bFI\bIL\bLE\bES\bS
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
+ env_check Environment variables to be removed from the user's
+ environment if the variable's value contains % or /
+ characters. This can be used to guard against printf-
+ style format vulnerabilities in poorly-written
+ programs. The argument may be a double-quoted, space-
+ separated list or a single value without double-quotes.
+ The list can be replaced, added to, deleted from, or
+ disabled by using the =, +=, -=, and ! operators
+ respectively. Regardless of whether the env_reset
+ option is enabled or disabled, variables specified by
+ env_check will be preserved in the environment if they
+ pass the aforementioned check. The default list of
+ environment variables to check is displayed when s\bsu\bud\bdo\bo
+ is run by root with the _\b-_\bV option.
- _\b/_\be_\bt_\bc_\b/_\bg_\br_\bo_\bu_\bp Local groups file
+ env_delete Environment variables to be removed from the user's
+ environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is not in effect.
+ The argument may be a double-quoted, space-separated
+ list or a single value without double-quotes. The list
+ can be replaced, added to, deleted from, or disabled by
+ using the =, +=, -=, and ! operators respectively. The
+ default list of environment variables to remove is
+ displayed when s\bsu\bud\bdo\bo is run by root with the _\b-_\bV option.
+ Note that many operating systems will remove
+ potentially dangerous variables from the environment of
+ any setuid process (such as s\bsu\bud\bdo\bo).
- _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bg_\br_\bo_\bu_\bp List of network groups
+ env_keep Environment variables to be preserved in the user's
-E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
- Since the _\bs_\bu_\bd_\bo_\be_\br_\bs file is parsed in a single pass, order
- is important. In general, you should structure _\bs_\bu_\bd_\bo_\be_\br_\bs
- such that the Host_Alias, User_Alias, and Cmnd_Alias spec
- ifications come first, followed by any Default_Entry
- lines, and finally the Runas_Alias and user specifica
- tions. The basic rule of thumb is you cannot reference an
- Alias that has not already been defined.
- Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of
- these are a bit contrived. First, we define our _\ba_\bl_\bi_\ba_\bs_\be_\bs:
+1.7.4 July 21, 2010 20
-1.6.9p15 March 23, 2008 18
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is in effect.
+ This allows fine-grained control over the environment
+ s\bsu\bud\bdo\bo-spawned processes will receive. The argument may
+ be a double-quoted, space-separated list or a single
+ value without double-quotes. The list can be replaced,
+ added to, deleted from, or disabled by using the =, +=,
+ -=, and ! operators respectively. The default list of
+ variables to keep is displayed when s\bsu\bud\bdo\bo is run by root
+ with the _\b-_\bV option.
+ When logging via _\bs_\by_\bs_\bl_\bo_\bg(3), s\bsu\bud\bdo\bo accepts the following values for the
+ syslog facility (the value of the s\bsy\bys\bsl\blo\bog\bg Parameter): a\bau\but\bth\bhp\bpr\bri\biv\bv (if your
+ OS supports it), a\bau\but\bth\bh, d\bda\bae\bem\bmo\bon\bn, u\bus\bse\ber\br, l\blo\boc\bca\bal\bl0\b0, l\blo\boc\bca\bal\bl1\b1, l\blo\boc\bca\bal\bl2\b2, l\blo\boc\bca\bal\bl3\b3,
+ l\blo\boc\bca\bal\bl4\b4, l\blo\boc\bca\bal\bl5\b5, l\blo\boc\bca\bal\bl6\b6, and l\blo\boc\bca\bal\bl7\b7. The following syslog priorities
+ are supported: a\bal\ble\ber\brt\bt, c\bcr\bri\bit\bt, d\bde\beb\bbu\bug\bg, e\bem\bme\ber\brg\bg, e\ber\brr\br, i\bin\bnf\bfo\bo, n\bno\bot\bti\bic\bce\be, and
+ w\bwa\bar\brn\bni\bin\bng\bg.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+F\bFI\bIL\bLE\bES\bS
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
+
+ _\b/_\be_\bt_\bc_\b/_\bg_\br_\bo_\bu_\bp Local groups file
+
+ _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bg_\br_\bo_\bu_\bp List of network groups
+
+ _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo I/O log files
+
+E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
+ Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of these are a bit
+ contrived. First, we allow a few environment variables to pass and
+ then define our _\ba_\bl_\bi_\ba_\bs_\be_\bs:
+ # Run X applications through sudo; HOME is used to find the
+ # .Xauthority file. Note that other programs use HOME to find
+ # configuration files and this may lead to privilege escalation!
+ Defaults env_keep += "DISPLAY HOME"
# User alias specification
User_Alias FULLTIMERS = millert, mikef, dowdy
# Runas alias specification
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
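Review bot: the syslog entry silently changes the compiled-in default facility from local2 (old text: "Defaults to local2.") to auth (new text: "Defaults to auth."). That is a behavioural change for any site relying on the default to route sudo messages, so it deserves an explicit mention rather than only a changed default sentence. In the same hunk, the old EXAMPLES paragraph on parse order ("Since the sudoers file is parsed in a single pass, order is important ... you cannot reference an Alias that has not already been defined") is removed with no visible replacement; keep it unless it has been moved elsewhere in the page, because the examples that follow depend on that ordering rule.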
+ Runas_Alias ADMINGRP = adm, oper
# Host alias specification
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias SERVERS = master, mail, www, ns
+
+
+
+1.7.4 July 21, 2010 21
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
Host_Alias CDROM = orion, perseus, hercules
# Cmnd alias specification
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
- Here we override some of the compiled in default values.
- We want s\bsu\bud\bdo\bo to log via _\bs_\by_\bs_\bl_\bo_\bg(3) using the _\ba_\bu_\bt_\bh facility
- in all cases. We don't want to subject the full time
- staff to the s\bsu\bud\bdo\bo lecture, user m\bmi\bil\bll\ble\ber\brt\bt need not give a
- password, and we don't want to reset the LOGNAME, USER or
- USERNAME environment variables when running commands as
- root. Additionally, on the machines in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS
- Host_Alias, we keep an additional local log file and make
- sure we log the year in each log line since the log
- entries will be kept around for several years. Lastly, we
- disable shell escapes for the commands in the PAGERS
+ Here we override some of the compiled in default values. We want s\bsu\bud\bdo\bo
+ to log via _\bs_\by_\bs_\bl_\bo_\bg(3) using the _\ba_\bu_\bt_\bh facility in all cases. We don't
+ want to subject the full time staff to the s\bsu\bud\bdo\bo lecture, user m\bmi\bil\bll\ble\ber\brt\bt
+ need not give a password, and we don't want to reset the LOGNAME, USER
+ or USERNAME environment variables when running commands as root.
+ Additionally, on the machines in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, we keep an
+ additional local log file and make sure we log the year in each log
+ line since the log entries will be kept around for several years.
+ Lastly, we disable shell escapes for the commands in the PAGERS
Cmnd_Alias (_\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be, _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bp_\bg and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\be_\bs_\bs).
# Override built-in defaults
Defaults@SERVERS log_year, logfile=/var/log/sudo.log
Defaults!PAGERS noexec
+ The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually determines who may run
+ what.
+ root ALL = (ALL) ALL
+ %wheel ALL = (ALL) ALL
+ We let r\bro\boo\bot\bt and any user in group w\bwh\bhe\bee\bel\bl run any command on any host as
+ any user.
-1.6.9p15 March 23, 2008 19
-
+ FULLTIMERS ALL = NOPASSWD: ALL
+ Full time sysadmins (m\bmi\bil\bll\ble\ber\brt\bt, m\bmi\bik\bke\bef\bf, and d\bdo\bow\bwd\bdy\by) may run any command on
+ any host without authenticating themselves.
+ PARTTIMERS ALL = ALL
+ Part time sysadmins (b\bbo\bos\bst\btl\ble\bey\by, j\bjw\bwf\bfo\box\bx, and c\bcr\bra\baw\bwl\bl) may run any command on
+ any host but they must authenticate themselves first (since the entry
+ lacks the NOPASSWD tag).
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually deter
- mines who may run what.
+1.7.4 July 21, 2010 22
- root ALL = (ALL) ALL
- %wheel ALL = (ALL) ALL
- We let r\bro\boo\bot\bt and any user in group w\bwh\bhe\bee\bel\bl run any command on
- any host as any user.
- FULLTIMERS ALL = NOPASSWD: ALL
- Full time sysadmins (m\bmi\bil\bll\ble\ber\brt\bt, m\bmi\bik\bke\bef\bf, and d\bdo\bow\bwd\bdy\by) may run
- any command on any host without authenticating themselves.
- PARTTIMERS ALL = ALL
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- Part time sysadmins (b\bbo\bos\bst\btl\ble\bey\by, j\bjw\bwf\bfo\box\bx, and c\bcr\bra\baw\bwl\bl) may run
- any command on any host but they must authenticate them
- selves first (since the entry lacks the NOPASSWD tag).
jack CSNETS = ALL
- The user j\bja\bac\bck\bk may run any command on the machines in the
- _\bC_\bS_\bN_\bE_\bT_\bS alias (the networks 128.138.243.0, 128.138.204.0,
- and 128.138.242.0). Of those networks, only 128.138.204.0
- has an explicit netmask (in CIDR notation) indicating it
- is a class C network. For the other networks in _\bC_\bS_\bN_\bE_\bT_\bS,
- the local machine's netmask will be used during matching.
+ The user j\bja\bac\bck\bk may run any command on the machines in the _\bC_\bS_\bN_\bE_\bT_\bS alias
+ (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of
+ those networks, only 128.138.204.0 has an explicit netmask (in CIDR
+ notation) indicating it is a class C network. For the other networks
+ in _\bC_\bS_\bN_\bE_\bT_\bS, the local machine's netmask will be used during matching.
lisa CUNETS = ALL
- The user l\bli\bis\bsa\ba may run any command on any host in the
- _\bC_\bU_\bN_\bE_\bT_\bS alias (the class B network 128.138.0.0).
+ The user l\bli\bis\bsa\ba may run any command on any host in the _\bC_\bU_\bN_\bE_\bT_\bS alias (the
+ class B network 128.138.0.0).
operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
sudoedit /etc/printcap, /usr/oper/bin/
- The o\bop\bpe\ber\bra\bat\bto\bor\br user may run commands limited to simple main
- tenance. Here, those are commands related to backups,
- killing processes, the printing system, shutting down the
- system, and any commands in the directory _\b/_\bu_\bs_\br_\b/_\bo_\bp_\be_\br_\b/_\bb_\bi_\bn_\b/.
+ The o\bop\bpe\ber\bra\bat\bto\bor\br user may run commands limited to simple maintenance.
+ Here, those are commands related to backups, killing processes, the
+ printing system, shutting down the system, and any commands in the
+ directory _\b/_\bu_\bs_\br_\b/_\bo_\bp_\be_\br_\b/_\bb_\bi_\bn_\b/.
joe ALL = /usr/bin/su operator
The user j\bjo\boe\be may only _\bs_\bu(1) to operator.
- pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
+ pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
+
+ %opers ALL = (: ADMINGRP) /usr/sbin/
+
+ Users in the o\bop\bpe\ber\brs\bs group may run commands in _\b/_\bu_\bs_\br_\b/_\bs_\bb_\bi_\bn_\b/ as themselves
+ with any group in the _\bA_\bD_\bM_\bI_\bN_\bG_\bR_\bP Runas_Alias (the a\bad\bdm\bm and o\bop\bpe\ber\br groups).
- The user p\bpe\bet\bte\be is allowed to change anyone's password
- except for root on the _\bH_\bP_\bP_\bA machines. Note that this
- assumes _\bp_\ba_\bs_\bs_\bw_\bd(1) does not take multiple usernames on the
- command line.
+ The user p\bpe\bet\bte\be is allowed to change anyone's password except for root on
+ the _\bH_\bP_\bP_\bA machines. Note that this assumes _\bp_\ba_\bs_\bs_\bw_\bd(1) does not take
+ multiple user names on the command line.
bob SPARC = (OP) ALL : SGI = (OP) ALL
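Review bot: the new `%opers ALL = (: ADMINGRP) /usr/sbin/` entry and its two-line explanation are inserted between the `pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root` rule and the paragraph that explains it ("The user pete is allowed to change anyone's password ..."), so the pete paragraph now follows the opers text and reads as if it belonged to it. Suggest moving the `%opers` entry and its explanation after the pete paragraph, directly before the `bob SPARC` entry. The change from `[A-z]*` to `[A-Za-z]*` is a real fix and worth calling out: in ASCII the range `A-z` also matches `[`, `\`, `]`, `^`, `_` and the backquote, so the old pattern admitted arguments that are not user names.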
+ The user b\bbo\bob\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI machines as any user
+ listed in the _\bO_\bP Runas_Alias (r\bro\boo\bot\bt and o\bop\bpe\ber\bra\bat\bto\bor\br).
+ jim +biglab = ALL
-1.6.9p15 March 23, 2008 20
+ The user j\bji\bim\bm may run any command on machines in the _\bb_\bi_\bg_\bl_\ba_\bb netgroup.
+ s\bsu\bud\bdo\bo knows that "biglab" is a netgroup due to the '+' prefix.
+ +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
+ Users in the s\bse\bec\bcr\bre\bet\bta\bar\bri\bie\bes\bs netgroup need to help manage the printers as
+ well as add and remove users, so they are allowed to run those commands
+ on all machines.
+ fred ALL = (DB) NOPASSWD: ALL
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- The user b\bbo\bob\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI
- machines as any user listed in the _\bO_\bP Runas_Alias (r\bro\boo\bot\bt
- and o\bop\bpe\ber\bra\bat\bto\bor\br).
+1.7.4 July 21, 2010 23
- jim +biglab = ALL
- The user j\bji\bim\bm may run any command on machines in the _\bb_\bi_\bg_\bl_\ba_\bb
- netgroup. s\bsu\bud\bdo\bo knows that "biglab" is a netgroup due to
- the '+' prefix.
- +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
- Users in the s\bse\bec\bcr\bre\bet\bta\bar\bri\bie\bes\bs netgroup need to help manage the
- printers as well as add and remove users, so they are
- allowed to run those commands on all machines.
- fred ALL = (DB) NOPASSWD: ALL
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- The user f\bfr\bre\bed\bd can run commands as any user in the _\bD_\bB
- Runas_Alias (o\bor\bra\bac\bcl\ble\be or s\bsy\byb\bba\bas\bse\be) without giving a password.
+
+ The user f\bfr\bre\bed\bd can run commands as any user in the _\bD_\bB Runas_Alias
+ (o\bor\bra\bac\bcl\ble\be or s\bsy\byb\bba\bas\bse\be) without giving a password.
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
- On the _\bA_\bL_\bP_\bH_\bA machines, user j\bjo\boh\bhn\bn may su to anyone except
- root but he is not allowed to give _\bs_\bu(1) any flags.
+ On the _\bA_\bL_\bP_\bH_\bA machines, user j\bjo\boh\bhn\bn may su to anyone except root but he is
+ not allowed to specify any options to the _\bs_\bu(1) command.
jen ALL, !SERVERS = ALL
- The user j\bje\ben\bn may run any command on any machine except for
- those in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias (master, mail, www and
- ns).
+ The user j\bje\ben\bn may run any command on any machine except for those in the
+ _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias (master, mail, www and ns).
jill SERVERS = /usr/bin/, !SU, !SHELLS
- For any machine in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, j\bji\bil\bll\bl may run
- any commands in the directory _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/ except for those
- commands belonging to the _\bS_\bU and _\bS_\bH_\bE_\bL_\bL_\bS Cmnd_Aliases.
+ For any machine in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, j\bji\bil\bll\bl may run any commands in
+ the directory _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/ except for those commands belonging to the _\bS_\bU
+ and _\bS_\bH_\bE_\bL_\bL_\bS Cmnd_Aliases.
steve CSNETS = (operator) /usr/local/op_commands/
matt valkyrie = KILL
- On his personal workstation, valkyrie, m\bma\bat\btt\bt needs to be
- able to kill hung processes.
+ On his personal workstation, valkyrie, m\bma\bat\btt\bt needs to be able to kill
+ hung processes.
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
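Review bot: the explanations retained for `jill SERVERS = /usr/bin/, !SU, !SHELLS` and `john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*` present the `!` exclusions as effective restrictions, while the SECURITY NOTES section added later in this same patch says that subtracting commands from a broad grant is advisory at best. Suggest a short cross-reference after the jill paragraph ("see SECURITY NOTES below") so the sample does not contradict the guidance that follows; the `Defaults!PAGERS noexec` line earlier in the sample and the NOEXEC entry for aaron show the mechanism the page actually relies on for pagers and editors.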
- On the host www, any user in the _\bW_\bE_\bB_\bM_\bA_\bS_\bT_\bE_\bR_\bS User_Alias
- (will, wendy, and wim), may run any command as user www
- (which owns the web pages) or simply _\bs_\bu(1) to www.
+ On the host www, any user in the _\bW_\bE_\bB_\bM_\bA_\bS_\bT_\bE_\bR_\bS User_Alias (will, wendy,
+ and wim), may run any command as user www (which owns the web pages) or
+ simply _\bs_\bu(1) to www.
+
+ ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
+ /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
+
+ Any user may mount or unmount a CD-ROM on the machines in the CDROM
+ Host_Alias (orion, perseus, hercules) without entering a password.
+ This is a bit tedious for users to type, so it is a prime candidate for
+ encapsulating in a shell script.
+
+S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
+ It is generally not effective to "subtract" commands from ALL using the
+ '!' operator. A user can trivially circumvent this by copying the
+ desired command to a different name and then executing that. For
+ example:
+
+ bill ALL = ALL, !SU, !SHELLS
+ Doesn't really prevent b\bbi\bil\bll\bl from running the commands listed in _\bS_\bU or
+ _\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those commands to a different name, or
+ use a shell escape from an editor or other program. Therefore, these
-1.6.9p15 March 23, 2008 21
+1.7.4 July 21, 2010 24
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
- /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
+ kind of restrictions should be considered advisory at best (and
+ reinforced by policy).
- Any user may mount or unmount a CD-ROM on the machines in
- the CDROM Host_Alias (orion, perseus, hercules) without
- entering a password. This is a bit tedious for users to
- type, so it is a prime candidate for encapsulating in a
- shell script.
+ Furthermore, if the _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb option is in use, it is not possible to
+ reliably negate commands where the path name includes globbing (aka
+ wildcard) characters. This is because the C library's _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3)
+ function cannot resolve relative paths. While this is typically only
+ an inconvenience for rules that grant privileges, it can result in a
+ security issue for rules that subtract or revoke privileges.
-S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
- It is generally not effective to "subtract" commands from
- ALL using the '!' operator. A user can trivially circum
- vent this by copying the desired command to a different
- name and then executing that. For example:
+ For example, given the following _\bs_\bu_\bd_\bo_\be_\br_\bs entry:
- bill ALL = ALL, !SU, !SHELLS
+ john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
+ /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
- Doesn't really prevent b\bbi\bil\bll\bl from running the commands
- listed in _\bS_\bU or _\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those com
- mands to a different name, or use a shell escape from an
- editor or other program. Therefore, these kind of
- restrictions should be considered advisory at best (and
- reinforced by policy).
+ User j\bjo\boh\bhn\bn can still run /usr/bin/passwd root if _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is enabled by
+ changing to _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn and running ./passwd root instead.
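Review bot: the new fast_glob paragraph explains the failure mode (fnmatch(3) cannot resolve relative paths, so `!/usr/bin/* root` does not match `./passwd root` run from /usr/bin) but gives no guidance on what to do about it. Suggest ending the example with an explicit recommendation: leave fast_glob disabled whenever sudoers contains negated entries that use wildcard characters, or drop the negated entries and grant only the exact commands intended, which is what the preceding paragraph on '!' already implies. Also, the two-line `john ALL = /usr/bin/passwd [a-zA-Z0-9]*, ...` entry has no trailing backslash, while every other multi-line entry in this sample (`Host_Alias SPARC`, `operator ALL`, `ALL CDROM`) continues with one; either add it for consistency or state that a trailing comma continues an entry.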
P\bPR\bRE\bEV\bVE\bEN\bNT\bTI\bIN\bNG\bG S\bSH\bHE\bEL\bLL\bL E\bES\bSC\bCA\bAP\bPE\bES\bS
- Once s\bsu\bud\bdo\bo executes a program, that program is free to do
- whatever it pleases, including run other programs. This
- can be a security issue since it is not uncommon for a
- program to allow shell escapes, which lets a user bypass
- s\bsu\bud\bdo\bo's access control and logging. Common programs that
- permit shell escapes include shells (obviously), editors,
+ Once s\bsu\bud\bdo\bo executes a program, that program is free to do whatever it
+ pleases, including run other programs. This can be a security issue
+ since it is not uncommon for a program to allow shell escapes, which
+ lets a user bypass s\bsu\bud\bdo\bo's access control and logging. Common programs
+ that permit shell escapes include shells (obviously), editors,
paginators, mail and terminal programs.
There are two basic approaches to this problem:
- restrict Avoid giving users access to commands that allow
- the user to run arbitrary commands. Many edi
- tors have a restricted mode where shell escapes
- are disabled, though s\bsu\bud\bdo\boe\bed\bdi\bit\bt is a better solu
- tion to running editors via s\bsu\bud\bdo\bo. Due to the
- large number of programs that offer shell
- escapes, restricting users to the set of pro
- grams that do not if often unworkable.
-
- noexec Many systems that support shared libraries have
- the ability to override default library func
- tions by pointing an environment variable (usu
- ally LD_PRELOAD) to an alternate shared library.
- On such systems, s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality can
- be used to prevent a program run by s\bsu\bud\bdo\bo from
- executing any other programs. Note, however,
- that this applies only to native dynamically-
- linked executables. Statically-linked executa
- bles and foreign executables running under
+ restrict Avoid giving users access to commands that allow the user to
+ run arbitrary commands. Many editors have a restricted mode
+ where shell escapes are disabled, though s\bsu\bud\bdo\boe\bed\bdi\bit\bt is a better
+ solution to running editors via s\bsu\bud\bdo\bo. Due to the large
+ number of programs that offer shell escapes, restricting
+ users to the set of programs that do not if often unworkable.
+
+ noexec Many systems that support shared libraries have the ability
+ to override default library functions by pointing an
+ environment variable (usually LD_PRELOAD) to an alternate
+ shared library. On such systems, s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality
+ can be used to prevent a program run by s\bsu\bud\bdo\bo from executing
+ any other programs. Note, however, that this applies only to
+ native dynamically-linked executables. Statically-linked
+ executables and foreign executables running under binary
+ emulation are not affected.
+
+ To tell whether or not s\bsu\bud\bdo\bo supports _\bn_\bo_\be_\bx_\be_\bc, you can run the
+ following as root:
+ sudo -V | grep "dummy exec"
+ If the resulting output contains a line that begins with:
-1.6.9p15 March 23, 2008 22
+ File containing dummy exec functions:
+1.7.4 July 21, 2010 25
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- binary emulation are not affected.
- To tell whether or not s\bsu\bud\bdo\bo supports _\bn_\bo_\be_\bx_\be_\bc, you
- can run the following as root:
- sudo -V | grep "dummy exec"
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- If the resulting output contains a line that
- begins with:
- File containing dummy exec functions:
+ then s\bsu\bud\bdo\bo may be able to replace the exec family of functions
+ in the standard library with its own that simply return an
+ error. Unfortunately, there is no foolproof way to know
+ whether or not _\bn_\bo_\be_\bx_\be_\bc will work at compile-time. _\bn_\bo_\be_\bx_\be_\bc
+ should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX,
+ MacOS X, and HP-UX 11.x. It is known n\bno\bot\bt to work on AIX and
+ UnixWare. _\bn_\bo_\be_\bx_\be_\bc is expected to work on most operating
+ systems that support the LD_PRELOAD environment variable.
+ Check your operating system's manual pages for the dynamic
+ linker (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader)
+ to see if LD_PRELOAD is supported.
- then s\bsu\bud\bdo\bo may be able to replace the exec family
- of functions in the standard library with its
- own that simply return an error. Unfortunately,
- there is no foolproof way to know whether or not
- _\bn_\bo_\be_\bx_\be_\bc will work at compile-time. _\bn_\bo_\be_\bx_\be_\bc should
- work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64
- UNIX, MacOS X, and HP-UX 11.x. It is known n\bno\bot\bt
- to work on AIX and UnixWare. _\bn_\bo_\be_\bx_\be_\bc is expected
- to work on most operating systems that support
- the LD_PRELOAD environment variable. Check your
- operating system's manual pages for the dynamic
- linker (usually ld.so, ld.so.1, dyld, dld.sl,
- rld, or loader) to see if LD_PRELOAD is sup
- ported.
-
- To enable _\bn_\bo_\be_\bx_\be_\bc for a command, use the NOEXEC
- tag as documented in the User Specification sec
- tion above. Here is that example again:
+ To enable _\bn_\bo_\be_\bx_\be_\bc for a command, use the NOEXEC tag as
+ documented in the User Specification section above. Here is
+ that example again:
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
- This allows user a\baa\bar\bro\bon\bn to run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and
- _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi with _\bn_\bo_\be_\bx_\be_\bc enabled. This will pre
- vent those two commands from executing other
- commands (such as a shell). If you are unsure
- whether or not your system is capable of sup
- porting _\bn_\bo_\be_\bx_\be_\bc you can always just try it out
- and see if it works.
-
- Note that restricting shell escapes is not a panacea.
- Programs running as root are still capable of many poten
- tially hazardous operations (such as changing or overwrit
- ing files) that could lead to unintended privilege escala
- tion. In the specific case of an editor, a safer approach
- is to give the user permission to run s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
+ This allows user a\baa\bar\bro\bon\bn to run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi
+ with _\bn_\bo_\be_\bx_\be_\bc enabled. This will prevent those two commands
+ from executing other commands (such as a shell). If you are
+ unsure whether or not your system is capable of supporting
+ _\bn_\bo_\be_\bx_\be_\bc you can always just try it out and see if it works.
+
+ Note that restricting shell escapes is not a panacea. Programs running
+ as root are still capable of many potentially hazardous operations
+ (such as changing or overwriting files) that could lead to unintended
+ privilege escalation. In the specific case of an editor, a safer
+ approach is to give the user permission to run s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
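Review bot: the rewrapped "restrict" paragraph carries over the old typo in "restricting users to the set of programs that do not if often unworkable"; change "if often" to "is often". Since this rewrite already touches every line of that paragraph, the fix costs nothing here and avoids another pass later.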
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\br_\bs_\bh(1), _\bs_\bu(1), _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3), _\bs_\bu_\bd_\bo(1m), _\bv_\bi_\bs_\bu_\bd_\bo(8)
+ _\br_\bs_\bh(1), _\bs_\bu(1), _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3), _\bg_\bl_\bo_\bb(3), _\bs_\bu_\bd_\bo(1m), _\bv_\bi_\bs_\bu_\bd_\bo(8)
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
- The _\bs_\bu_\bd_\bo_\be_\br_\bs file should a\bal\blw\bwa\bay\bys\bs be edited by the v\bvi\bis\bsu\bud\bdo\bo
- command which locks the file and does grammatical
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs file should a\bal\blw\bwa\bay\bys\bs be edited by the v\bvi\bis\bsu\bud\bdo\bo command which
+ locks the file and does grammatical checking. It is imperative that
+ _\bs_\bu_\bd_\bo_\be_\br_\bs be free of syntax errors since s\bsu\bud\bdo\bo will not run with a
+ syntactically incorrect _\bs_\bu_\bd_\bo_\be_\br_\bs file.
+ When using netgroups of machines (as opposed to users), if you store
+ fully qualified host name in the netgroup (as is usually the case), you
+ either need to have the machine's host name be fully qualified as
+ returned by the hostname command or use the _\bf_\bq_\bd_\bn option in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+B\bBU\bUG\bGS\bS
+ If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
+ http://www.sudo.ws/sudo/bugs/
-1.6.9p15 March 23, 2008 23
+S\bSU\bUP\bPP\bPO\bOR\bRT\bT
+ Limited free support is available via the sudo-users mailing list, see
+ http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
+ the archives.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+1.7.4 July 21, 2010 26
- checking. It is imperative that _\bs_\bu_\bd_\bo_\be_\br_\bs be free of syntax
- errors since s\bsu\bud\bdo\bo will not run with a syntactically incor
- rect _\bs_\bu_\bd_\bo_\be_\br_\bs file.
- When using netgroups of machines (as opposed to users), if
- you store fully qualified hostnames in the netgroup (as is
- usually the case), you either need to have the machine's
- hostname be fully qualified as returned by the hostname
- command or use the _\bf_\bq_\bd_\bn option in _\bs_\bu_\bd_\bo_\be_\br_\bs.
-B\bBU\bUG\bGS\bS
- If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a
- bug report at http://www.sudo.ws/sudo/bugs/
-S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Limited free support is available via the sudo-users mail
- ing list, see http://www.sudo.ws/mail
- man/listinfo/sudo-users to subscribe or search the
- archives.
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
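Review bot: the rewrapped CAVEATS netgroup sentence drops the plural, so "if you store fully qualified host name in the netgroup" is ungrammatical where the old text had "fully qualified hostnames"; suggest "fully qualified host names" to match the two-word spelling the new text uses elsewhere in the same sentence ("the machine's host name").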
D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied war
- ranties, including, but not limited to, the implied war
- ranties of merchantability and fitness for a particular
- purpose are disclaimed. See the LICENSE file distributed
- with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for com
- plete details.
+ s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
+ including, but not limited to, the implied warranties of
+ merchantability and fitness for a particular purpose are disclaimed.
+ See the LICENSE file distributed with s\bsu\bud\bdo\bo or
+ http://www.sudo.ws/sudo/license.html for complete details.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-1.6.9p15 March 23, 2008 24
+1.7.4 July 21, 2010 27