-1.7.4 January 12, 2011 1
+1.7.6 April 9, 2011 1
User ',' User_List
User ::= '!'* user name |
- '!'* '#'uid |
- '!'* '%'group |
- '!'* '+'netgroup |
- '!'* '%:'nonunix_group |
+ '!'* #uid |
+ '!'* %group |
+ '!'* %#gid |
+ '!'* +netgroup |
+ '!'* %:nonunix_group |
+ '!'* %:#nonunix_gid |
'!'* User_Alias
- A User_List is made up of one or more user names, uids (prefixed with
- '#'), system groups (prefixed with '%'), netgroups (prefixed with '+')
- and User_Aliases. Each list item may be prefixed with zero or more '!'
- operators. An odd number of '!' operators negate the value of the
- item; an even number just cancel each other out.
+ A User_List is made up of one or more user names, user ids (prefixed
+ with '#'), system group names and ids (prefixed with '%' and '%#'
+ respectively), netgroups (prefixed with '+'), non-Unix group names and
+ IDs (prefixed with '%:' and '%:#' respectively) and User_Aliases. Each
+ list item may be prefixed with zero or more '!' operators. An odd
+ number of '!' operators negate the value of the item; an even number
+ just cancel each other out.
- A user name, group, netgroup or nonunix_group may be enclosed in double
- quotes to avoid the need for escaping special characters. Alternately,
- special characters may be specified in escaped hex mode, e.g. \x20 for
- space.
+ A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid
+ may be enclosed in double quotes to avoid the need for escaping special
+ characters. Alternately, special characters may be specified in
+ escaped hex mode, e.g. \x20 for space. When using double quotes, any
+ prefix characters must be included inside the quotes.
- The nonunix_group syntax depends on the underlying implementation. For
- instance, the QAS AD backend supports the following formats:
+ The nonunix_group and nonunix_gid syntax depends on the underlying
+ implementation. For instance, the QAS AD backend supports the
+ following formats:
+\bo Group in the same domain: "Group Name"
+\bo Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"
- Note that quotes around group names are optional. Unquoted strings
- must use a backslash (\) to escape spaces and the '@' symbol.
-
- Runas_List ::= Runas_Member |
- Runas_Member ',' Runas_List
-
-1.7.4 January 12, 2011 2
+1.7.6 April 9, 2011 2
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ Note that quotes around group names are optional. Unquoted strings
+ must use a backslash (\) to escape spaces and special characters. See
+ "Other special characters and reserved words" for a list of characters
+ that need to be escaped.
+
+ Runas_List ::= Runas_Member |
+ Runas_Member ',' Runas_List
Runas_Member ::= '!'* user name |
- '!'* '#'uid |
- '!'* '%'group |
+ '!'* #uid |
+ '!'* %group |
+ '!'* %#gid |
+ '!'* %:nonunix_group |
+ '!'* %:#nonunix_gid |
'!'* +netgroup |
'!'* Runas_Alias
Host ::= '!'* host name |
'!'* ip_addr |
'!'* network(/netmask)? |
- '!'* '+'netgroup |
+ '!'* +netgroup |
'!'* Host_Alias
A Host_List is made up of one or more host names, IP addresses, network
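Review bot: the QAS examples 'Group in the same domain: "Group Name"' and the SID line show the quoted value without its '%:' prefix, which sits awkwardly next to the new rule in the same hunk that "any prefix characters must be included inside the quotes"; a reader applying both will not know whether to write "%:Group Name" or %:"Group Name". Suggest writing the bullets in the form the new sentence prescribes ("%:Group Name", "%:S-1-2-34-...") or saying explicitly that the bullets show only the bare group portion. Secondary point: dropping the quotes around the prefix characters ('#'uid becomes #uid, '+'netgroup becomes +netgroup) in User and Host makes them consistent with Runas_Member, which already had '!'* +netgroup unquoted; that is a notation change in the grammar, not a syntax change, and a line saying so would stop readers from thinking quoting behaviour changed.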
Cmnd ',' Cmnd_List
commandname ::= file name |
- file name args |
- file name '""'
- Cmnd ::= '!'* commandname |
- '!'* directory |
- '!'* "sudoedit" |
- '!'* Cmnd_Alias
- A Cmnd_List is a list of one or more commandnames, directories, and
- other aliases. A commandname is a fully qualified file name which may
+1.7.6 April 9, 2011 3
-1.7.4 January 12, 2011 3
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ file name args |
+ file name '""'
+ Cmnd ::= '!'* commandname |
+ '!'* directory |
+ '!'* "sudoedit" |
+ '!'* Cmnd_Alias
+ A Cmnd_List is a list of one or more commandnames, directories, and
+ other aliases. A commandname is a fully qualified file name which may
include shell-style wildcards (see the Wildcards section below). A
simple file name allows the user to run the command with any arguments
he/she wishes. However, you may also specify command line arguments
Parameters may be f\bfl\bla\bag\bgs\bs, i\bin\bnt\bte\beg\bge\ber\br values, s\bst\btr\bri\bin\bng\bgs\bs, or l\bli\bis\bst\bts\bs. Flags are
implicitly boolean and can be turned off via the '!' operator. Some
- integer, string and list parameters may also be used in a boolean
- context to disable them. Values may be enclosed in double quotes (")
- when they contain multiple words. Special characters may be escaped
- with a backslash (\).
- Lists have two additional assignment operators, += and -=. These
- operators are used to add to and delete from a list respectively. It
- is not an error to use the -= operator to remove an element that does
- not exist in a list.
+1.7.6 April 9, 2011 4
-1.7.4 January 12, 2011 4
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ integer, string and list parameters may also be used in a boolean
+ context to disable them. Values may be enclosed in double quotes (")
+ when they contain multiple words. Special characters may be escaped
+ with a backslash (\).
+ Lists have two additional assignment operators, += and -=. These
+ operators are used to add to and delete from a list respectively. It
+ is not an error to use the -= operator to remove an element that does
+ not exist in a list.
Defaults entries are parsed in the following order: generic, host and
user Defaults first, then runas Defaults and finally command defaults.
what user) on specified hosts. By default, commands are run as r\bro\boo\bot\bt,
but this can be changed on a per-command basis.
- The basic structure of a user specification is `who = where (as_whom)
+ The basic structure of a user specification is `who where = (as_whom)
what'. Let's break that down into its constituent parts:
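Review bot: the corrected template `who where = (as_whom) what` now agrees with the examples that follow (for instance `dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm`); the old `who = where (as_whom) what` put '=' between the user and the host, which no sudoers entry on this page does. The fix is right.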
R\bRu\bun\bna\bas\bs_\b_S\bSp\bpe\bec\bc
the group set to any listed in the Runas_List. If no Runas_Spec is
specified the command may be run as r\bro\boo\bot\bt and no group may be specified.
- A Runas_Spec sets the default for the commands that follow it. What
- this means is that for the entry:
- dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
- The user d\bdg\bgb\bb may run _\b/_\bb_\bi_\bn_\b/_\bl_\bs, _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm -- but only
- as o\bop\bpe\ber\bra\bat\bto\bor\br. E.g.,
- $ sudo -u operator /bin/ls.
+1.7.6 April 9, 2011 5
-1.7.4 January 12, 2011 5
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ A Runas_Spec sets the default for the commands that follow it. What
+ this means is that for the entry:
+ dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ The user d\bdg\bgb\bb may run _\b/_\bb_\bi_\bn_\b/_\bl_\bs, _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm -- but only
+ as o\bop\bpe\ber\bra\bat\bto\bor\br. E.g.,
+ $ sudo -u operator /bin/ls
It is also possible to override a Runas_Spec later on in an entry. If
we modify the entry like so:
dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \
/usr/bin/lprm
+ Note that while the group portion of the Runas_Spec permits the user to
+ run as command with that group, it does not force the user to do so.
+ If no group is specified on the command line, the command will run with
+ the group listed in the target user's password database entry. The
+ following would all be permitted by the sudoers entry above:
+
+ $ sudo -u operator /bin/ls
+ $ sudo -u operator -g operator /bin/ls
+ $ sudo -g operator /bin/ls
+
In the following example, user t\btc\bcm\bm may run commands that access a modem
- device file with the dialer group. Note that in this example only the
- group will be set, the command still runs as user t\btc\bcm\bm.
+ device file with the dialer group.
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
/usr/local/bin/minicom
+ Note that in this example only the group will be set, the command still
+ runs as user t\btc\bcm\bm. E.g.
+
+ $ sudo -g dialer /usr/bin/cu
+
+ Multiple users and groups may be present in a Runas_Spec, in which case
+ the user may select any combination of users and groups via the -\b-u\bu and
+ -\b-g\bg options. In this example:
+
+ alan ALL = (root, bin : operator, system) ALL
+
+ user a\bal\bla\ban\bn may run any command as either user root or bin, optionally
+ setting the group to operator or system.
+
+
+
+
+1.7.6 April 9, 2011 6
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
S\bSE\bEL\bLi\bin\bnu\bux\bx_\b_S\bSp\bpe\bec\bc
On systems with SELinux support, _\bs_\bu_\bd_\bo_\be_\br_\bs entries may optionally have an
SELinux role and/or type associated with a command. If a role or type
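Review bot: typo in the new paragraph: "permits the user to run as command with that group" should read "run a command with that group". More importantly, the list of permitted command lines ends with `$ sudo -g operator /bin/ls`, which runs /bin/ls as the invoking user dgb with group operator, not as operator; the tcm/dialer paragraph below says this for the user-less `(:dialer)` form, but for `(operator : operator)` it is left to the reader to infer. Suggest one sentence after the list stating that only the third line leaves the user unchanged, since an administrator reading `(operator : operator)` may assume the user switch is mandatory whenever a group is given.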
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
Note, however, that the PASSWD tag has no effect on users who are in
-
-
-
-1.7.4 January 12, 2011 6
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
the group specified by the _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option.
By default, if the NOPASSWD tag is applied to any of the entries for a
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
See the "PREVENTING SHELL ESCAPES" section below for more details on
+
+
+
+1.7.6 April 9, 2011 7
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
how NOEXEC works and whether or not it will work on your system.
_\bS_\bE_\bT_\bE_\bN_\bV _\ba_\bn_\bd _\bN_\bO_\bS_\bE_\bT_\bE_\bN_\bV
These tags override the value of the _\bs_\be_\bt_\be_\bn_\bv option on a per-command
- basis. Note that if SETENV has been set for a command, any environment
- variables set on the command line way are not subject to the
- restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such,
- only trusted users should be allowed to set variables in this manner.
- If the command matched is A\bAL\bLL\bL, the SETENV tag is implied for that
- command; this default may be overridden by use of the NOSETENV tag.
+ basis. Note that if SETENV has been set for a command, the user may
+ disable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option from the command line via the -\b-E\bE option.
+ Additionally, environment variables set on the command line are not
+ subject to the restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or
+ _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such, only trusted users should be allowed to set
+ variables in this manner. If the command matched is A\bAL\bLL\bL, the SETENV
+ tag is implied for that command; this default may be overridden by use
+ of the NOSETENV tag.
_\bL_\bO_\bG_\b__\bI_\bN_\bP_\bU_\bT _\ba_\bn_\bd _\bN_\bO_\bL_\bO_\bG_\b__\bI_\bN_\bP_\bU_\bT
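Review bot: the rewritten SETENV paragraph now documents two separate relaxations (-E switches env_reset off; `VAR=value` on the command line skips env_check, env_delete and env_keep, so variables those lists would otherwise strip get through) but the advice stays the single clause "only trusted users should be allowed to set variables in this manner", and the very next sentence says SETENV is implied whenever the matched command is ALL. Read together, every `user host = ALL` style rule grants the environment bypass unless the administrator adds NOSETENV, and nothing in the rule shows it. Suggest saying that explicitly here, e.g. "Rules whose command is ALL should carry NOSETENV unless the user is trusted to supply any environment to the target command."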
? Matches any single character.
-
-
-1.7.4 January 12, 2011 7
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
[...] Matches any character in the specified range.
[!...] Matches any character n\bno\bot\bt in the specified range.
in the path name. When matching the command line arguments, however, a
slash d\bdo\boe\bes\bs get matched by wildcards. This is to make a path like:
+
+
+1.7.6 April 9, 2011 8
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
/usr/bin/*
match _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bw_\bh_\bo but not _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bX_\b1_\b1_\b/_\bx_\bt_\be_\br_\bm.
#include /etc/sudoers.%h
-
-
-1.7.4 January 12, 2011 8
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
will cause s\bsu\bud\bdo\bo to include the file _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bx_\be_\br_\bx_\be_\bs.
The #includedir directive can be used to create a _\bs_\bu_\bd_\bo_\b._\bd directory that
in the file names can be used to avoid such problems.
Note that unlike files included via #include, v\bvi\bis\bsu\bud\bdo\bo will not edit the
+
+
+
+1.7.6 April 9, 2011 9
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
files in a #includedir directory unless one of them contains a syntax
error. It is still possible to run v\bvi\bis\bsu\bud\bdo\bo with the -f flag to edit the
files directly.
characters in a _\bU_\bs_\be_\br _\bS_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn ('=', ':', '(', ')') is optional.
The following characters must be escaped with a backslash ('\') when
- used as part of a word (e.g. a user name or host name): '@', '!', '=',
- ':', ',', '(', ')', '\'.
-
-
-
-
-
-1.7.4 January 12, 2011 9
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
+ used as part of a word (e.g. a user name or host name): '!', '=', ':',
+ ',', '(', ')', '\'.
S\bSU\bUD\bDO\bOE\bER\bRS\bS O\bOP\bPT\bTI\bIO\bON\bNS\bS
s\bsu\bud\bdo\bo's behavior can be modified by Default_Entry lines, as explained
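Review bot: '@' has been dropped from the list of characters that must be escaped ('!', '=', ':', ',', '(', ')', '\'), but the earlier hunk replaced "must use a backslash (\) to escape spaces and the '@' symbol" with a pointer to this very list ("See 'Other special characters and reserved words'"). After both changes the page no longer says anywhere whether an unquoted non-Unix group name containing '@' (the QAS domain form) needs the backslash. If the parser now accepts '@' unescaped, say so in this hunk; if it was removed by mistake, put '@' back in the list.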
that the -\b-H\bH option is always implied. Note that HOME
is already set when the the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is
enabled, so _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be is only effective for
- configurations where _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt is disabled. This flag
- is _\bo_\bf_\bf by default.
+ configurations where either _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt is disabled or
+ HOME is present in the _\be_\bn_\bv_\b__\bk_\be_\be_\bp list. This flag is _\bo_\bf_\bf
+ by default.
authenticate If set, users must authenticate themselves via a
password (or other means of authentication) before they
+
+
+
+1.7.6 April 9, 2011 10
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
may run commands. This default may be overridden via
the PASSWD and NOPASSWD tags. This flag is _\bo_\bn by
default.
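Review bot: the added condition "or HOME is present in the env_keep list" is the case that matters and deserves one more sentence: when HOME is kept, the target command inherits the invoking user's HOME, so anything that reads dotfiles from $HOME (a shell, an editor, any program honouring ~/.something) reads files the invoking user controls, and always_set_home is the knob that closes that for -s. The paragraph currently says only when the flag takes effect, not what is at stake; stating the consequence makes the option's purpose clear to an administrator who has HOME in env_keep.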
variable. This flag is _\bo_\bn by default.
fast_glob Normally, s\bsu\bud\bdo\bo uses the _\bg_\bl_\bo_\bb(3) function to do shell-
-
-
-
-1.7.4 January 12, 2011 10
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
style globbing when matching path names. However,
since it accesses the file system, _\bg_\bl_\bo_\bb(3) can take a
long time to complete for some patterns, especially
flag is _\bo_\bf_\bf by default.
fqdn Set this flag if you want to put fully qualified host
+
+
+
+1.7.6 April 9, 2011 11
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
names in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. I.e., instead of myhost you
would use myhost.mydomain.edu. You may still use the
short form if you wish (and even mix the two). Beware
incorrect password. This flag is _\bo_\bf_\bf by default.
log_host If set, the host name will be logged in the (non-
+ syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
+ log_input If set, s\bsu\bud\bdo\bo will run the command in a _\bp_\bs_\be_\bu_\bd_\bo _\bt_\bt_\by and
+ log all user input. If the standard input is not
+ connected to the user's tty, due to I/O redirection or
+ because the command is part of a pipeline, that input
+ is also captured and stored in a separate log file.
+
+ Input is logged to the directory specified by the
+ _\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br option (_\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo by default) using a
+ unique session ID that is included in the normal s\bsu\bud\bdo\bo
+ log line, prefixed with _\bT_\bS_\bI_\bD_\b=.
+ Note that user input may contain sensitive information
+ such as passwords (even if they are not echoed to the
+ screen), which will be stored in the log file
+ unencrypted. In most cases, logging the command output
+ via _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt is all that is required.
-1.7.4 January 12, 2011 11
+
+
+1.7.6 April 9, 2011 12
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
+ log_output If set, s\bsu\bud\bdo\bo will run the command in a _\bp_\bs_\be_\bu_\bd_\bo _\bt_\bt_\by and
+ log all output that is sent to the screen, similar to
+ the _\bs_\bc_\br_\bi_\bp_\bt(1) command. If the standard output or
+ standard error is not connected to the user's tty, due
+ to I/O redirection or because the command is part of a
+ pipeline, that output is also captured and stored in
+ separate log files.
+
+ Output is logged to the directory specified by the
+ _\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br option (_\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo by default) using a
+ unique session ID that is included in the normal s\bsu\bud\bdo\bo
+ log line, prefixed with _\bT_\bS_\bI_\bD_\b=.
+
+ Output logs may be viewed with the _\bs_\bu_\bd_\bo_\br_\be_\bp_\bl_\ba_\by(1m)
+ utility, which can also be used to list or search the
+ available logs.
log_year If set, the four-digit year will be logged in the (non-
syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
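Review bot: the new warning that typed passwords are stored unencrypted is the right addition, but it stops short of saying who can read the files: the hunk names the directory (iolog_dir, /var/log/sudo-io by default) and the TSID= session id without stating the ownership or mode sudo applies to it, or that read access to that directory should be treated like read access to the password file. One sentence here (or in the new iolog_dir entry) would make the warning actionable. Two smaller points: the "Note that user input may contain sensitive information" paragraph lacks the blank line that separates the equivalent paragraphs in log_output; and "In most cases, logging the command output via log_output is all that is required" could add that echoed input still appears in the output log (the parenthetical "even if they are not echoed to the screen" already implies this), so log_output alone excludes only non-echoed input such as passwords, not the commands a user typed.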
well as the "PREVENTING SHELL ESCAPES" section at the
end of this manual. This flag is _\bo_\bf_\bf by default.
+
+
+1.7.6 April 9, 2011 13
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
path_info Normally, s\bsu\bud\bdo\bo will tell the user when a command could
not be found in their PATH environment variable. Some
sites may wish to disable this as it could be used to
The password prompt specified by _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will
normally only be used if the password prompt provided
by systems such as PAM matches the string "Password:".
-
-
-
-1.7.4 January 12, 2011 12
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
If _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is set, _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will always
be used. This flag is _\bo_\bf_\bf by default.
by default.
runaspw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
- defined by the _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt option (defaults to root)
- instead of the password of the invoking user. This
- flag is _\bo_\bf_\bf by default.
- set_home If enabled and s\bsu\bud\bdo\bo is invoked with the -\b-s\bs option the
- HOME environment variable will be set to the home
- directory of the target user (which is root unless the
- -\b-u\bu option is used). This effectively makes the -\b-s\bs
- option imply -\b-H\bH. Note that HOME is already set when
- the the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is enabled, so _\bs_\be_\bt_\b__\bh_\bo_\bm_\be is
- only effective for configurations where _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt is
- disabled. This flag is _\bo_\bf_\bf by default.
- set_logname Normally, s\bsu\bud\bdo\bo will set the LOGNAME, USER and USERNAME
+1.7.6 April 9, 2011 14
-1.7.4 January 12, 2011 13
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ defined by the _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt option (defaults to root)
+ instead of the password of the invoking user. This
+ flag is _\bo_\bf_\bf by default.
+ set_home If enabled and s\bsu\bud\bdo\bo is invoked with the -\b-s\bs option the
+ HOME environment variable will be set to the home
+ directory of the target user (which is root unless the
+ -\b-u\bu option is used). This effectively makes the -\b-s\bs
+ option imply -\b-H\bH. Note that HOME is already set when
+ the the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is enabled, so _\bs_\be_\bt_\b__\bh_\bo_\bm_\be is
+ only effective for configurations where either
+ _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt is disabled or HOME is present in the
+ _\be_\bn_\bv_\b__\bk_\be_\be_\bp list. This flag is _\bo_\bf_\bf by default.
+ set_logname Normally, s\bsu\bud\bdo\bo will set the LOGNAME, USER and USERNAME
environment variables to the name of the target user
(usually root unless the -\b-u\bu option is given). However,
since some programs (including the RCS revision control
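Review bot: "Note that HOME is already set when the the env_reset option is enabled" carries a doubled "the" that this hunk rewrites around but leaves in place (the same sentence appears in always_set_home above); since the line is being edited anyway, fix it here. Otherwise the added "or HOME is present in the env_keep list" clause matches the always_set_home change and the two paragraphs stay consistent with each other.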
targetpw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
specified by the -\b-u\bu option (defaults to root) instead
of the password of the invoking user. In addition, the
- timestamp file name will include the target user's
- name. Note that this flag precludes the use of a uid
- not listed in the passwd database as an argument to the
- -\b-u\bu option. This flag is _\bo_\bf_\bf by default.
-
- log_input If set, s\bsu\bud\bdo\bo will run the command in a _\bp_\bs_\be_\bu_\bd_\bo _\bt_\bt_\by and
- log all user input. If the standard input is not
- connected to the user's tty, due to I/O redirection or
- because the command is part of a pipeline, that input
- is also captured and stored in a separate log file.
-
- Input is logged to the _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo directory using
- a unique session ID that is included in the normal s\bsu\bud\bdo\bo
- log line, prefixed with _\bT_\bS_\bI_\bD_\b=.
-
-1.7.4 January 12, 2011 14
+1.7.6 April 9, 2011 15
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- log_output If set, s\bsu\bud\bdo\bo will run the command in a _\bp_\bs_\be_\bu_\bd_\bo _\bt_\bt_\by and
- log all output that is sent to the screen, similar to
- the _\bs_\bc_\br_\bi_\bp_\bt(1) command. If the standard output or
- standard error is not connected to the user's tty, due
- to I/O redirection or because the command is part of a
- pipeline, that output is also captured and stored in
- separate log files.
-
- Output is logged to the _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo directory
- using a unique session ID that is included in the
- normal s\bsu\bud\bdo\bo log line, prefixed with _\bT_\bS_\bI_\bD_\b=.
-
- Output logs may be viewed with the _\bs_\bu_\bd_\bo_\br_\be_\bp_\bl_\ba_\by(1m)
- utility, which can also be used to list or search the
- available logs.
+ timestamp file name will include the target user's
+ name. Note that this flag precludes the use of a uid
+ not listed in the passwd database as an argument to the
+ -\b-u\bu option. This flag is _\bo_\bf_\bf by default.
tty_tickets If set, users must authenticate on a per-tty basis.
With this flag enabled, s\bsu\bud\bdo\bo will use a file named for
closefrom Before it executes a command, s\bsu\bud\bdo\bo will close all open
file descriptors other than standard input, standard
+ output and standard error (ie: file descriptors 0-2).
+ The _\bc_\bl_\bo_\bs_\be_\bf_\br_\bo_\bm option can be used to specify a different
+ file descriptor at which to start closing. The default
+ is 3.
+ passwd_tries The number of tries a user gets to enter his/her
+ password before s\bsu\bud\bdo\bo logs the failure and exits. The
+ default is 3.
+ I\bIn\bnt\bte\beg\bge\ber\brs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
-1.7.4 January 12, 2011 15
+1.7.6 April 9, 2011 16
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- output and standard error (ie: file descriptors 0-2).
- The _\bc_\bl_\bo_\bs_\be_\bf_\br_\bo_\bm option can be used to specify a different
- file descriptor at which to start closing. The default
- is 3.
- passwd_tries The number of tries a user gets to enter his/her
- password before s\bsu\bud\bdo\bo logs the failure and exits. The
- default is 3.
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- I\bIn\bnt\bte\beg\bge\ber\brs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
loglinelen Number of characters per line for the file log. This
value is used to decide when to wrap lines for nicer
possible, or the first editor in the list that exists
and is executable. The default is "vi".
+ iolog_dir The directory in which to store input/output logs when
+ the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt or _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt options are enabled or when
+ the LOG_INPUT or LOG_OUTPUT tags are present for a
+ command. The default is "/var/log/sudo-io".
+ mailsub Subject of the mail sent to the _\bm_\ba_\bi_\bl_\bt_\bo user. The escape
+ %h will expand to the host name of the machine.
+ Default is *** SECURITY information for %h ***.
-1.7.4 January 12, 2011 16
+ noexec_file Path to a shared library containing dummy versions of
+1.7.6 April 9, 2011 17
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- mailsub Subject of the mail sent to the _\bm_\ba_\bi_\bl_\bt_\bo user. The escape
- %h will expand to the host name of the machine.
- Default is *** SECURITY information for %h ***.
- noexec_file Path to a shared library containing dummy versions of
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
the _\be_\bx_\be_\bc_\bv_\b(_\b), _\be_\bx_\be_\bc_\bv_\be_\b(_\b) and _\bf_\be_\bx_\be_\bc_\bv_\be_\b(_\b) library functions
that just return an error. This is used to implement
the _\bn_\bo_\be_\bx_\be_\bc functionality on systems that support
syslog_goodpri Syslog priority to use when user authenticates
successfully. Defaults to notice.
+ sudoers_locale Locale to use when parsing the sudoers file, logging
+ commands, and sending email. Note that changing the
+ locale may affect how sudoers is interpreted. Defaults
+ to "C".
-1.7.4 January 12, 2011 17
+1.7.6 April 9, 2011 18
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- sudoers_locale Locale to use when parsing the sudoers file. Note that
- changing the locale may affect how sudoers is
- interpreted. Defaults to "C".
timestampdir The directory in which s\bsu\bud\bdo\bo stores its timestamp files.
The default is _\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo.
Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
The default value is _\bo_\bn_\bc_\be.
+ lecture_file
+ Path to a file containing an alternate s\bsu\bud\bdo\bo lecture that
+ will be used in place of the standard lecture if the named
+ file exists. By default, s\bsu\bud\bdo\bo uses a built-in lecture.
-1.7.4 January 12, 2011 18
+1.7.6 April 9, 2011 19
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- lecture_file
- Path to a file containing an alternate s\bsu\bud\bdo\bo lecture that
- will be used in place of the standard lecture if the named
- file exists. By default, s\bsu\bud\bdo\bo uses a built-in lecture.
-
listpw This option controls when a password will be required when
a user runs s\bsu\bud\bdo\bo with the -\b-l\bl option. It has the following
possible values:
option is not set by default.
syslog Syslog facility if syslog is being used for logging (negate
+ to disable syslog logging). Defaults to auth.
+ verifypw This option controls when a password will be required when
+ a user runs s\bsu\bud\bdo\bo with the -\b-v\bv option. It has the following
+ possible values:
-1.7.4 January 12, 2011 19
-
+1.7.6 April 9, 2011 20
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- to disable syslog logging). Defaults to auth.
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- verifypw This option controls when a password will be required when
- a user runs s\bsu\bud\bdo\bo with the -\b-v\bv option. It has the following
- possible values:
all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the current host
must have the NOPASSWD flag set to avoid entering a
any setuid process (such as s\bsu\bud\bdo\bo).
env_keep Environment variables to be preserved in the user's
+ environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is in effect.
+ This allows fine-grained control over the environment
+ s\bsu\bud\bdo\bo-spawned processes will receive. The argument may
+ be a double-quoted, space-separated list or a single
+ value without double-quotes. The list can be replaced,
+ added to, deleted from, or disabled by using the =, +=,
-1.7.4 January 12, 2011 20
+1.7.6 April 9, 2011 21
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is in effect.
- This allows fine-grained control over the environment
- s\bsu\bud\bdo\bo-spawned processes will receive. The argument may
- be a double-quoted, space-separated list or a single
- value without double-quotes. The list can be replaced,
- added to, deleted from, or disabled by using the =, +=,
-=, and ! operators respectively. The default list of
variables to keep is displayed when s\bsu\bud\bdo\bo is run by root
with the _\b-_\bV option.
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias SERVERS = master, mail, www, ns
+ Host_Alias CDROM = orion, perseus, hercules
+ # Cmnd alias specification
+ Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
+ /usr/sbin/restore, /usr/sbin/rrestore
+ Cmnd_Alias KILL = /usr/bin/kill
-1.7.4 January 12, 2011 21
+1.7.6 April 9, 2011 22
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- Host_Alias CDROM = orion, perseus, hercules
- # Cmnd alias specification
- Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
- /usr/sbin/restore, /usr/sbin/rrestore
- Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt
any host but they must authenticate themselves first (since the entry
lacks the NOPASSWD tag).
+ jack CSNETS = ALL
+ The user j\bja\bac\bck\bk may run any command on the machines in the _\bC_\bS_\bN_\bE_\bT_\bS alias
+ (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of
+ those networks, only 128.138.204.0 has an explicit netmask (in CIDR
-1.7.4 January 12, 2011 22
+1.7.6 April 9, 2011 23
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- jack CSNETS = ALL
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
- The user j\bja\bac\bck\bk may run any command on the machines in the _\bC_\bS_\bN_\bE_\bT_\bS alias
- (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of
- those networks, only 128.138.204.0 has an explicit netmask (in CIDR
notation) indicating it is a class C network. For the other networks
in _\bC_\bS_\bN_\bE_\bT_\bS, the local machine's netmask will be used during matching.
fred ALL = (DB) NOPASSWD: ALL
+ The user f\bfr\bre\bed\bd can run commands as any user in the _\bD_\bB Runas_Alias
+ (o\bor\bra\bac\bcl\ble\be or s\bsy\byb\bba\bas\bse\be) without giving a password.
+ john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
-1.7.4 January 12, 2011 23
+1.7.6 April 9, 2011 24
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- The user f\bfr\bre\bed\bd can run commands as any user in the _\bD_\bB Runas_Alias
- (o\bor\bra\bac\bcl\ble\be or s\bsy\byb\bba\bas\bse\be) without giving a password.
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
On the _\bA_\bL_\bP_\bH_\bA machines, user j\bjo\boh\bhn\bn may su to anyone except root but he is
not allowed to specify any options to the _\bs_\bu(1) command.
Doesn't really prevent b\bbi\bil\bll\bl from running the commands listed in _\bS_\bU or
_\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those commands to a different name, or
use a shell escape from an editor or other program. Therefore, these
+ kind of restrictions should be considered advisory at best (and
+ reinforced by policy).
+ Furthermore, if the _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb option is in use, it is not possible to
+ reliably negate commands where the path name includes globbing (aka
-1.7.4 January 12, 2011 24
+
+1.7.6 April 9, 2011 25
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- kind of restrictions should be considered advisory at best (and
- reinforced by policy).
-
- Furthermore, if the _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb option is in use, it is not possible to
- reliably negate commands where the path name includes globbing (aka
wildcard) characters. This is because the C library's _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3)
function cannot resolve relative paths. While this is typically only
an inconvenience for rules that grant privileges, it can result in a
File containing dummy exec functions:
+ then s\bsu\bud\bdo\bo may be able to replace the exec family of functions
+ in the standard library with its own that simply return an
+ error. Unfortunately, there is no foolproof way to know
+ whether or not _\bn_\bo_\be_\bx_\be_\bc will work at compile-time. _\bn_\bo_\be_\bx_\be_\bc
+ should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX,
-1.7.4 January 12, 2011 25
+1.7.6 April 9, 2011 26
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- then s\bsu\bud\bdo\bo may be able to replace the exec family of functions
- in the standard library with its own that simply return an
- error. Unfortunately, there is no foolproof way to know
- whether or not _\bn_\bo_\be_\bx_\be_\bc will work at compile-time. _\bn_\bo_\be_\bx_\be_\bc
- should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX,
MacOS X, and HP-UX 11.x. It is known n\bno\bot\bt to work on AIX and
UnixWare. _\bn_\bo_\be_\bx_\be_\bc is expected to work on most operating
systems that support the LD_PRELOAD environment variable.
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
the archives.
-
-
-
-
-1.7.4 January 12, 2011 26
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-1.7.4 January 12, 2011 27
+1.7.6 April 9, 2011 27