-1.7.0 December 3, 2008 1
+1.7.2p1 June 30, 2009 1
'!'* '#'uid |
'!'* '%'group |
'!'* '+'netgroup |
+ '!'* '%:'nonunix_group |
'!'* User_Alias
A User_List is made up of one or more usernames, uids (prefixed with
operators. An odd number of '!' operators negate the value of the
item; an even number just cancel each other out.
+ A username, group, netgroup and nonunix_groups may be enclosed in
+ double quotes to avoid the need for escaping special characters.
+ Alternately, special characters may be specified in escaped hex mode,
+ e.g. \x20 for space.
+
+ The nonunix_group syntax depends on the underlying implementation. For
+ instance, the QAS AD backend supports the following formats:
+
+ +\bo Group in the same domain: "Group Name"
+
+ +\bo Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"
+
+ +\bo Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"
+
+ Note that quotes around group names are optional. Unquoted strings
+ must use a backslash (\) to escape spaces and the '@' symbol.
+
+
+
+
+1.7.2p1 June 30, 2009 2
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
Runas_List ::= Runas_Member |
Runas_Member ',' Runas_List
Host_List ::= Host |
Host ',' Host_List
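Review bot: the new nonunix_group documentation introduces two escaping mechanisms, backslash escaping in unquoted strings ("Unquoted strings must use a backslash (\) to escape spaces and the '@' symbol") and "\x20"-style hex escapes, without saying whether hex escapes are honoured inside double quotes or whether a backslash inside quotes is literal; one sentence on that would remove the ambiguity, and it matters because a group name that parses differently from what the administrator intended changes who the rule applies to. Style: "A username, group, netgroup and nonunix_groups may be enclosed" mixes singular and plural; suggest "A username, group, netgroup or nonunix_group may be enclosed". The grammar addition `'!'* '%:'nonunix_group` is shown only in User_List; if the same form is accepted in Runas_List, the Runas_Member production should show it as well.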
-
-
-1.7.0 December 3, 2008 2
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
-
Host ::= '!'* hostname |
'!'* ip_addr |
'!'* network(/netmask)? |
other aliases. A commandname is a fully qualified filename which may
include shell-style wildcards (see the Wildcards section below). A
simple filename allows the user to run the command with any arguments
+
+
+
+1.7.2p1 June 30, 2009 3
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
he/she wishes. However, you may also specify command line arguments
(including wildcards). Alternately, you can specify "" to indicate
that the command may only be run w\bwi\bit\bth\bho\bou\but\bt command line arguments. A
to permit a user to run s\bsu\bud\bdo\bo with the -\b-e\be option (or as s\bsu\bud\bdo\boe\bed\bdi\bit\bt). It
may take command line arguments just as a normal command does.
-
-
-
-
-
-
-1.7.0 December 3, 2008 3
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
D\bDe\bef\bfa\bau\bul\blt\bts\bs
Certain configuration options may be changed from their default values
not exist in a list.
Defaults entries are parsed in the following order: generic, host and
- user Defaults first, then runas Defaults and finally command defaults.
- See "SUDOERS OPTIONS" for a list of supported Defaults parameters.
- U\bUs\bse\ber\br S\bSp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn
- User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
- (':' Host_List '=' Cmnd_Spec_List)*
+1.7.2p1 June 30, 2009 4
- Cmnd_Spec_List ::= Cmnd_Spec |
- Cmnd_Spec ',' Cmnd_Spec_List
- Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
- Runas_Spec ::= '(' Runas_List? (: Runas_List)? ')'
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-1.7.0 December 3, 2008 4
+ user Defaults first, then runas Defaults and finally command defaults.
+ See "SUDOERS OPTIONS" for a list of supported Defaults parameters.
+ U\bUs\bse\ber\br S\bSp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn
+ User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
+ (':' Host_List '=' Cmnd_Spec_List)*
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ Cmnd_Spec_List ::= Cmnd_Spec |
+ Cmnd_Spec ',' Cmnd_Spec_List
+ Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
+ Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
'SETENV:' | 'NOSETENV:' )
what user) on specified hosts. By default, commands are run as r\bro\boo\bot\bt,
but this can be changed on a per-command basis.
- Let's break that down into its constituent parts:
+ The basic structure of a user specification is `who = where (as_whom)
+ what'. Let's break that down into its constituent parts:
R\bRu\bun\bna\bas\bs_\b_S\bSp\bpe\bec\bc
It is also possible to override a Runas_Spec later on in an entry. If
we modify the entry like so:
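Review bot: the new summary sentence `who = where (as_whom) what' omits the tags, even though the grammar just above defines Cmnd_Spec as Runas_Spec? Tag_Spec* Cmnd and the tags (NOPASSWD:, NOEXEC:, SETENV:, ...) are exactly the part of a rule that changes its security properties; suggest `who = where (as_whom) [tags] what' or a clause saying that tags may precede the command. The backtick/apostrophe quoting around the phrase is also inconsistent with the double quotes used elsewhere on this page (e.g. "SUDOERS OPTIONS"). The quoting of the colon in Runas_Spec, `(':' Runas_List)?`, is a correct fix and matches how '=' and ',' are written in the other productions.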
+
+
+1.7.2p1 June 30, 2009 5
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
Then user d\bdg\bgb\bb is now allowed to run _\b/_\bb_\bi_\bn_\b/_\bl_\bs as o\bop\bpe\ber\bra\bat\bto\bor\br, but _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl
device file with the dialer group. Note that in this example only the
group will be set, the command still runs as user t\btc\bcm\bm.
-
-
-
-1.7.0 December 3, 2008 5
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
/usr/local/bin/minicom
_\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC
- If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the underlying
- operating system supports it, the NOEXEC tag can be used to prevent a
- dynamically-linked executable from running further commands itself.
- In the following example, user a\baa\bar\bro\bon\bn may run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and
- _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi but shell escapes will be disabled.
- aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+1.7.2p1 June 30, 2009 6
- See the "PREVENTING SHELL ESCAPES" section below for more details on
- how NOEXEC works and whether or not it will work on your system.
- _\bS_\bE_\bT_\bE_\bN_\bV _\ba_\bn_\bd _\bN_\bO_\bS_\bE_\bT_\bE_\bN_\bV
-
-1.7.0 December 3, 2008 6
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the underlying
+ operating system supports it, the NOEXEC tag can be used to prevent a
+ dynamically-linked executable from running further commands itself.
+ In the following example, user a\baa\bar\bro\bon\bn may run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and
+ _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi but shell escapes will be disabled.
+ aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ See the "PREVENTING SHELL ESCAPES" section below for more details on
+ how NOEXEC works and whether or not it will work on your system.
+ _\bS_\bE_\bT_\bE_\bN_\bV _\ba_\bn_\bd _\bN_\bO_\bS_\bE_\bT_\bE_\bN_\bV
These tags override the value of the _\bs_\be_\bt_\be_\bn_\bv option on a per-command
basis. Note that if SETENV has been set for a command, any environment
s\bsu\bud\bdo\bo allows shell-style _\bw_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs (aka meta or glob characters) to be
used in hostnames, pathnames and command line arguments in the _\bs_\bu_\bd_\bo_\be_\br_\bs
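Review bot: the NOEXEC example `aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi` is only moved by this change, but since it is re-added it is worth aligning with the PREVENTING SHELL ESCAPES text later in this page, which says that restricting shell escapes is not a panacea and that for an editor the safer approach is sudoedit; a parenthetical after the example pointing at that advice would keep readers from copying vi-with-NOEXEC as the recommended pattern.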
- file. Wildcard matching is done via the P\bPO\bOS\bSI\bIX\bX _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) routine.
- Note that these are _\bn_\bo_\bt regular expressions.
+ file. Wildcard matching is done via the P\bPO\bOS\bSI\bIX\bX _\bg_\bl_\bo_\bb(3) and _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3)
+ routines. Note that these are _\bn_\bo_\bt regular expressions.
* Matches any set of zero or more characters.
\x For any character "x", evaluates to "x". This is used to
escape special characters such as: "*", "?", "[", and "}".
- POSIX character classes may also be used if your system's _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3)
- function supports them. However, because the ':' character has special
- meaning in _\bs_\bu_\bd_\bo_\be_\br_\bs, it must be escaped. For example:
+ POSIX character classes may also be used if your system's _\bg_\bl_\bo_\bb(3) and
+ _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) functions support them. However, because the ':' character
+ has special meaning in _\bs_\bu_\bd_\bo_\be_\br_\bs, it must be escaped. For example:
/bin/ls [[\:alpha\:]]*
/usr/bin/*
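Review bot: the Wildcards text now names both glob(3) and fnmatch(3) but does not say when each is used; the fast_glob option added in this same change explains that glob(3) is the default, that fnmatch(3) is used only when fast_glob is set, and that fnmatch(3) cannot match relative pathnames such as ./ls. A cross-reference to fast_glob here would let an administrator writing `/usr/bin/*`-style rules know which matching behaviour applies, and the character-class paragraph should say whether the `[[\:alpha\:]]` escaping is required for both routines.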
+
+
+
+1.7.2p1 June 30, 2009 7
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
match _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bw_\bh_\bo but not _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bX_\b1_\b1_\b/_\bx_\bt_\be_\br_\bm.
E\bEx\bxc\bce\bep\bpt\bti\bio\bon\bns\bs t\bto\bo w\bwi\bil\bld\bdc\bca\bar\brd\bd r\bru\bul\ble\bes\bs
I\bIn\bnc\bcl\blu\bud\bdi\bin\bng\bg o\bot\bth\bhe\ber\br f\bfi\bil\ble\bes\bs f\bfr\bro\bom\bm w\bwi\bit\bth\bhi\bin\bn s\bsu\bud\bdo\boe\ber\brs\bs
It is possible to include other _\bs_\bu_\bd_\bo_\be_\br_\bs files from within the _\bs_\bu_\bd_\bo_\be_\br_\bs
- file currently being parsed using the #include directive, similar to
+ file currently being parsed using the #include and #includedir
+ directives.
+ This can be used, for example, to keep a site-wide _\bs_\bu_\bd_\bo_\be_\br_\bs file in
+ addition to a local, per-machine file. For the sake of this example
+ the site-wide _\bs_\bu_\bd_\bo_\be_\br_\bs will be _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs and the per-machine one will
+ be _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. To include _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl from within
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs we would use the following line in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs:
+ #include /etc/sudoers.local
-1.7.0 December 3, 2008 7
+ When s\bsu\bud\bdo\bo reaches this line it will suspend processing of the current
+ file (_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs) and switch to _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. Upon reaching
+ the end of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl, the rest of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs will be
+ processed. Files that are included may themselves include other files.
+ A hard limit of 128 nested include files is enforced to prevent include
+ file loops.
+ The filename may include the %h escape, signifying the short form of
+ the hostname. I.e., if the machine's hostname is "xerxes", then
+ #include /etc/sudoers.%h
+ will cause s\bsu\bud\bdo\bo to include the file _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bx_\be_\br_\bx_\be_\bs.
+ The #includedir directive can be used to create a _\bs_\bu_\bd_\bo_\b._\bd directory that
+ the system package manager can drop _\bs_\bu_\bd_\bo_\be_\br_\bs rules into as part of
+ package installation. For example, given:
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ #includedir /etc/sudoers.d
+ s\bsu\bud\bdo\bo will read each file in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd, skipping file names that
+ end in ~ or contain a . character to avoid causing problems with
+ package manager or editor temporary/backup files. Files are parsed in
+ sorted lexical order. That is, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b0_\b1_\b__\bf_\bi_\br_\bs_\bt will be parsed
+ before _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Be aware that because the sorting is
+ lexical, not numeric, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b__\bw_\bh_\bo_\bo_\bp_\bs would be loaded a\baf\bft\bte\ber\br
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Using a consistent number of leading zeroes
+ in the file names can be used to avoid such problems.
- the one used by the C preprocessor. This is useful, for example, for
- keeping a site-wide _\bs_\bu_\bd_\bo_\be_\br_\bs file in addition to a per-machine local
- one. For the sake of this example the site-wide _\bs_\bu_\bd_\bo_\be_\br_\bs will be
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs and the per-machine one will be _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. To
- include _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl from _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs we would use the following
- line in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs:
+ Note that unlike files included via #include, v\bvi\bis\bsu\bud\bdo\bo will not edit the
- #include /etc/sudoers.local
- When s\bsu\bud\bdo\bo reaches this line it will suspend processing of the current
- file (_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs) and switch to _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. Upon reaching
- the end of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl, the rest of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs will be
- processed. Files that are included may themselves include other files.
- A hard limit of 128 nested include files is enforced to prevent include
- file loops.
+
+1.7.2p1 June 30, 2009 8
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
+ files in a #includedir directory unless one of them contains a syntax
+ error. It is still possible to run v\bvi\bis\bsu\bud\bdo\bo with the -f flag to edit the
+ files directly.
O\bOt\bth\bhe\ber\br s\bsp\bpe\bec\bci\bia\bal\bl c\bch\bha\bar\bra\bac\bct\bte\ber\brs\bs a\ban\bnd\bd r\bre\bes\bse\ber\brv\bve\bed\bd w\bwo\bor\brd\bds\bs
F\bFl\bla\bag\bgs\bs:
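Review bot: the #includedir description leaves three things undocumented that matter for a directory the package manager writes into: whether the %h escape and the 128-level nesting limit described for #include also apply to #includedir, what happens to the remainder of sudoers when one dropped-in file has a syntax error (the visudo paragraph says visudo will then edit that file, but not whether sudo refuses to run), and whether there are ownership or mode requirements on the files in the directory. Since the stated purpose is to let packages add rules without passing through visudo, each of these should be spelled out.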
-
-
-1.7.0 December 3, 2008 8
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
always_set_home If set, s\bsu\bud\bdo\bo will set the HOME environment variable to
the home directory of the target user (which is root
unless the -\b-u\bu option is used). This effectively means
the PASSWD and NOPASSWD tags. This flag is _\bo_\bn by
default.
+
+
+1.7.2p1 June 30, 2009 9
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
closefrom_override
If set, the user may use s\bsu\bud\bdo\bo's -\b-C\bC option which
overrides the default starting point at which s\bsu\bud\bdo\bo
qualified you shouldn't need to set _\bf_\bq_\bd_\bn. This flag is
_\bo_\bf_\bf by default.
-
-
-
-1.7.0 December 3, 2008 9
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
ignore_dot If set, s\bsu\bud\bdo\bo will ignore '.' or '' (current dir) in the
PATH environment variable; the PATH itself is not
modified. This flag is _\bo_\bf_\bf by default.
operators who would attempt to add roles to
_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. When this option is present,
_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs does not even need to exist. Since this
+
+
+
+1.7.2p1 June 30, 2009 10
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
option tells s\bsu\bud\bdo\bo how to behave when no specific LDAP
entries have been matched, this sudoOption is only
meaningful for the cn=defaults section. This flag is
invoking user is not in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. This flag is
_\bo_\bn by default.
-
-
-1.7.0 December 3, 2008 10
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
noexec If set, all commands run via s\bsu\bud\bdo\bo will behave as if the
NOEXEC tag has been set, unless overridden by a EXEC
tag. See the description of _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC below as
sites may wish to disable this as it could be used to
gather information on the location of executables that
the normal user does not have access to. The
+
+
+
+1.7.2p1 June 30, 2009 11
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
disadvantage is that if the executable is simply not in
the user's PATH, s\bsu\bud\bdo\bo will tell the user that they are
not allowed to run it, which can be confusing. This
_\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is set, _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will always be
used. This flag is _\bo_\bf_\bf by default.
- preserve_groups By default s\bsu\bud\bdo\bo will initialize the group vector to the
- list of groups the target user is in. When
+ preserve_groups By default, s\bsu\bud\bdo\bo will initialize the group vector to
+ the list of groups the target user is in. When
_\bp_\br_\be_\bs_\be_\br_\bv_\be_\b__\bg_\br_\bo_\bu_\bp_\bs is set, the user's existing group
vector is left unaltered. The real and effective group
IDs, however, are still set to match the target user.
This flag is _\bo_\bf_\bf by default.
+ pwfeedback By default, s\bsu\bud\bdo\bo reads the password like most other
+ Unix programs, by turning off echo until the user hits
+ the return (or enter) key. Some users become confused
+ by this as it appears to them that s\bsu\bud\bdo\bo has hung at
+ this point. When _\bp_\bw_\bf_\be_\be_\bd_\bb_\ba_\bc_\bk is set, s\bsu\bud\bdo\bo will provide
+ visual feedback when the user presses a key. Note that
+ this does have a security impact as an onlooker may be
+ able to determine the length of the password being
+ entered. This flag is _\bo_\bf_\bf by default.
+
requiretty If set, s\bsu\bud\bdo\bo will only run when the user is logged in
to a real tty. When this flag is set, s\bsu\bud\bdo\bo can only be
run from a login session and not via other means such
instead of the password of the invoking user. This
flag is _\bo_\bf_\bf by default.
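Review bot: the pwfeedback entry correctly states the security impact (an onlooker can learn the password length). Since it is a Defaults flag, it would help to say that it can be limited with the host- or user-specific Defaults forms described under Defaults, so that it is not enabled globally for convenience on shared consoles.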
+ set_home If set and s\bsu\bud\bdo\bo is invoked with the -\b-s\bs option the HOME
-1.7.0 December 3, 2008 11
+1.7.2p1 June 30, 2009 12
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- set_home If set and s\bsu\bud\bdo\bo is invoked with the -\b-s\bs option the HOME
environment variable will be set to the home directory
of the target user (which is root unless the -\b-u\bu option
is used). This effectively makes the -\b-s\bs option imply
shell listed in the invoking user's /etc/passwd entry
if not). This flag is _\bo_\bf_\bf by default.
+ fast_glob Normally, s\bsu\bud\bdo\bo uses the _\bg_\bl_\bo_\bb(3) function to do shell-
+ style globbing when matching pathnames. However, since
+ it accesses the file system, _\bg_\bl_\bo_\bb(3) can take a long
+ time to complete for some patterns, especially when the
+ pattern references a network file system that is
+ mounted on demand (automounted). The _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb option
+ causes s\bsu\bud\bdo\bo to use the _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) function, which does
+ not access the file system to do its matching. The
+ disadvantage of _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is that it is unable to match
+ relative pathnames such as _\b._\b/_\bl_\bs or _\b._\b._\b/_\bb_\bi_\bn_\b/_\bl_\bs. This
+ flag is _\bo_\bf_\bf by default.
+
stay_setuid Normally, when s\bsu\bud\bdo\bo executes a command the real and
effective UIDs are set to the target user (root by
default). This option changes that behavior such that
with either the _\bs_\be_\bt_\br_\be_\bu_\bi_\bd_\b(_\b) or _\bs_\be_\bt_\br_\be_\bs_\bu_\bi_\bd_\b(_\b) function.
This flag is _\bo_\bf_\bf by default.
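Review bot: the fast_glob entry explains the performance motivation well, but the security-relevant consequence needs one more sentence: because fnmatch(3) matches the pattern against the pathname string without consulting the file system, a wildcard rule is evaluated differently under fast_glob than under the default glob(3), and the entry should say whether an administrator who enables fast_glob must re-check existing wildcard rules for matches that now succeed or fail differently.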
- targetpw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
- specified by the -\b-u\bu option (defaults to root) instead
- of the password of the invoking user. Note that this
- precludes the use of a uid not listed in the passwd
- database as an argument to the -\b-u\bu option. This flag is
- _\bo_\bf_\bf by default.
- tty_tickets If set, users must authenticate on a per-tty basis.
- Normally, s\bsu\bud\bdo\bo uses a directory in the ticket dir with
- the same name as the user running it. With this flag
- enabled, s\bsu\bud\bdo\bo will use a file named for the tty the
-
-1.7.0 December 3, 2008 12
+1.7.2p1 June 30, 2009 13
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ targetpw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
+ specified by the -\b-u\bu option (defaults to root) instead
+ of the password of the invoking user. Note that this
+ precludes the use of a uid not listed in the passwd
+ database as an argument to the -\b-u\bu option. This flag is
+ _\bo_\bf_\bf by default.
+
+ tty_tickets If set, users must authenticate on a per-tty basis.
+ Normally, s\bsu\bud\bdo\bo uses a directory in the ticket dir with
+ the same name as the user running it. With this flag
+ enabled, s\bsu\bud\bdo\bo will use a file named for the tty the
user is logged in on in that directory. This flag is
_\bo_\bf_\bf by default.
+ umask_override If set, s\bsu\bud\bdo\bo will set the umask as specified by _\bs_\bu_\bd_\bo_\be_\br_\bs
+ without modification. This makes it possible to
+ specify a more permissive umask in _\bs_\bu_\bd_\bo_\be_\br_\bs than the
+ user's own umask and matches historical behavior. If
+ _\bu_\bm_\ba_\bs_\bk_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is not set, s\bsu\bud\bdo\bo will set the umask to
+ be the union of the user's umask and what is specified
+ in _\bs_\bu_\bd_\bo_\be_\br_\bs. This flag is _\bo_\bf_\bf by default.
+
use_loginclass If set, s\bsu\bud\bdo\bo will apply the defaults specified for the
target user's login class if one exists. Only
available if s\bsu\bud\bdo\bo is configured with the
value is used to decide when to wrap lines for nicer
log files. This has no effect on the syslog log file,
only the file log. The default is 80 (use 0 or negate
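Review bot: the new umask_override flag contradicts the umask option text that follows, which still says "The actual umask that is used will be the union of the user's umask and 0022. This guarantees that sudo never lowers the umask." With umask_override set, sudo uses the sudoers value without modification, so that guarantee no longer holds; the umask entry should be updated to reference umask_override. Also, "union" should be stated as the bitwise OR of the two masks so readers do not misread it as the more permissive of the two.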
+
+
+
+1.7.2p1 June 30, 2009 14
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
the option to disable word wrap).
passwd_timeout Number of minutes before the s\bsu\bud\bdo\bo password prompt times
option or set it to 0777 to preserve the user's umask.
The actual umask that is used will be the union of the
user's umask and 0022. This guarantees that s\bsu\bud\bdo\bo never
-
-
-
-1.7.0 December 3, 2008 13
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
lowers the umask when running a command. Note on
systems that use PAM, the default PAM configuration may
specify its own umask which will override the value set
escapes are supported:
%H expanded to the local hostname including the domain
+
+
+
+1.7.2p1 June 30, 2009 15
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
name (on if the machine's hostname is fully
qualified or the _\bf_\bq_\bd_\bn option is set)
The default value is Password:.
-
-
-1.7.0 December 3, 2008 14
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
runas_default The default user to run commands as if the -\b-u\bu option is
not specified on the command line. This defaults to
root. Note that if _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt is set it m\bmu\bus\bst\bt occur
variable.
env_file The _\be_\bn_\bv_\b__\bf_\bi_\bl_\be options specifies the fully qualified path to
- a file containing variables to be set in the environment of
- the program being run. Entries in this file should be of
- the form VARIABLE=value. Variables in this file are
- subject to other s\bsu\bud\bdo\bo environment settings such as _\be_\bn_\bv_\b__\bk_\be_\be_\bp
- and _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk.
- exempt_group
- Users in this group are exempt from password and PATH
- requirements. This is not set by default.
- lecture This option controls when a short lecture will be printed
- along with the password prompt. It has the following
- possible values:
- always Always lecture the user.
+1.7.2p1 June 30, 2009 16
- never Never lecture the user.
- once Only lecture the user the first time they run s\bsu\bud\bdo\bo.
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-1.7.0 December 3, 2008 15
+ a file containing variables to be set in the environment of
+ the program being run. Entries in this file should either
+ be of the form VARIABLE=value or export VARIABLE=value.
+ The value may optionally be surrounded by single or double
+ quotes. Variables in this file are subject to other s\bsu\bud\bdo\bo
+ environment settings such as _\be_\bn_\bv_\b__\bk_\be_\be_\bp and _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk.
+ exempt_group
+ Users in this group are exempt from password and PATH
+ requirements. This is not set by default.
+ lecture This option controls when a short lecture will be printed
+ along with the password prompt. It has the following
+ possible values:
+ always Always lecture the user.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ never Never lecture the user.
+ once Only lecture the user the first time they run s\bsu\bud\bdo\bo.
If no value is specified, a value of _\bo_\bn_\bc_\be is implied.
Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
logfile Path to the s\bsu\bud\bdo\bo log file (not the syslog log file).
Setting a path turns on logging to a file; negating this
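Review bot: env_file now accepts `export VARIABLE=value` and optionally quoted values, but the entry does not say whether the quotes are stripped from the value or what happens to a line that matches neither form (ignored, or a parse error). More importantly, the file's contents end up in the environment of a command run with elevated privileges, and the page says only that the variables are subject to env_keep and env_check; it should state the required ownership and permissions of the file, or at least that it must not be writable by unprivileged users.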
+
+
+
+1.7.2p1 June 30, 2009 17
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
option turns it off. By default, s\bsu\bud\bdo\bo logs via syslog.
mailerflags Flags to use when invoking mailer. Defaults to -\b-t\bt.
environment variable you may want to use this. Another use
is if you want to have the "root path" be separate from the
"user path." Users in the group specified by the
-
-
-
-1.7.0 December 3, 2008 16
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
_\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option are not affected by _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh. This
is not set by default.
env_check Environment variables to be removed from the user's
environment if the variable's value contains % or /
characters. This can be used to guard against printf-
+
+
+
+1.7.2p1 June 30, 2009 18
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
style format vulnerabilities in poorly-written
programs. The argument may be a double-quoted, space-
separated list or a single value without double-quotes.
is run by root with the _\b-_\bV option.
env_delete Environment variables to be removed from the user's
- environment. The argument may be a double-quoted,
- space-separated list or a single value without double-
- quotes. The list can be replaced, added to, deleted
- from, or disabled by using the =, +=, -=, and !
- operators respectively. The default list of
- environment variables to remove is displayed when s\bsu\bud\bdo\bo
- is run by root with the _\b-_\bV option. Note that many
- operating systems will remove potentially dangerous
-
-
-
-1.7.0 December 3, 2008 17
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- variables from the environment of any setuid process
- (such as s\bsu\bud\bdo\bo).
+ environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is not in effect.
+ The argument may be a double-quoted, space-separated
+ list or a single value without double-quotes. The list
+ can be replaced, added to, deleted from, or disabled by
+ using the =, +=, -=, and ! operators respectively. The
+ default list of environment variables to remove is
+ displayed when s\bsu\bud\bdo\bo is run by root with the _\b-_\bV option.
+ Note that many operating systems will remove
+ potentially dangerous variables from the environment of
+ any setuid process (such as s\bsu\bud\bdo\bo).
env_keep Environment variables to be preserved in the user's
environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is in effect.
Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of these are a bit
contrived. First, we define our _\ba_\bl_\bi_\ba_\bs_\be_\bs:
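Review bot: qualifying env_delete with "when the env_reset option is not in effect" is the right clarification and pairs with env_keep's "when the env_reset option is in effect"; env_check, which removes variables whose values contain % or / characters, has no such qualifier, so a reader cannot tell whether it applies in both modes. Suggest adding the equivalent sentence to env_check.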
+
+
+
+
+1.7.2p1 June 30, 2009 19
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
# User alias specification
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
# Runas alias specification
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
+ Runas_Alias ADMINGRP = adm, oper
# Host alias specification
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
/usr/sbin/restore, /usr/sbin/rrestore
-
-
-
-1.7.0 December 3, 2008 18
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Defaults!PAGERS noexec
The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually determines who may run
+
+
+
+1.7.2p1 June 30, 2009 20
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
what.
root ALL = (ALL) ALL
The user j\bja\bac\bck\bk may run any command on the machines in the _\bC_\bS_\bN_\bE_\bT_\bS alias
(the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of
-
-
-
-1.7.0 December 3, 2008 19
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
those networks, only 128.138.204.0 has an explicit netmask (in CIDR
notation) indicating it is a class C network. For the other networks
in _\bC_\bS_\bN_\bE_\bT_\bS, the local machine's netmask will be used during matching.
pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
+ %opers ALL = (: ADMINGRP) /usr/sbin/
+
+ Users in the o\bop\bpe\ber\brs\bs group may run commands in _\b/_\bu_\bs_\br_\b/_\bs_\bb_\bi_\bn_\b/ as themselves
+ with any group in the _\bA_\bD_\bM_\bI_\bN_\bG_\bR_\bP Runas_Alias (the a\bad\bdm\bm and o\bop\bpe\ber\br groups).
+
The user p\bpe\bet\bte\be is allowed to change anyone's password except for root on
the _\bH_\bP_\bP_\bA machines. Note that this assumes _\bp_\ba_\bs_\bs_\bw_\bd(1) does not take
multiple usernames on the command line.
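Review bot: the new `%opers ALL = (: ADMINGRP) /usr/sbin/` example is a good illustration of a group-only Runas_Spec, and the explanation correctly says the commands run as the invoking user (only the group changes, as the tcm/dialer example earlier states). Two things to tighten: the trailing-slash form `/usr/sbin/` is used without this page explaining what a directory Cmnd matches (every file directly in the directory, or subdirectories too), so a pointer to the Cmnd description would help; and granting every binary in /usr/sbin/ with an elevated group is broad, so the prose could note that this illustrates the syntax rather than a recommended grant. The `Runas_Alias ADMINGRP = adm, oper` definition added above is the first place a Runas_Alias holds group names, and the alias text should say that this is permitted.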
+
+
+1.7.2p1 June 30, 2009 21
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
bob SPARC = (OP) ALL : SGI = (OP) ALL
The user b\bbo\bob\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI machines as any user
jen ALL, !SERVERS = ALL
-
-
-1.7.0 December 3, 2008 20
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
The user j\bje\ben\bn may run any command on any machine except for those in the
_\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias (master, mail, www and ns).
and wim), may run any command as user www (which owns the web pages) or
simply _\bs_\bu(1) to www.
+
+
+
+
+1.7.2p1 June 30, 2009 22
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
/sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
that permit shell escapes include shells (obviously), editors,
paginators, mail and terminal programs.
-
-
-1.7.0 December 3, 2008 21
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
There are two basic approaches to this problem:
restrict Avoid giving users access to commands that allow the user to
sudo -V | grep "dummy exec"
+
+
+
+1.7.2p1 June 30, 2009 23
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
If the resulting output contains a line that begins with:
File containing dummy exec functions:
Note that restricting shell escapes is not a panacea. Programs running
as root are still capable of many potentially hazardous operations
-
-
-
-1.7.0 December 3, 2008 22
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
(such as changing or overwriting files) that could lead to unintended
privilege escalation. In the specific case of an editor, a safer
approach is to give the user permission to run s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\br_\bs_\bh(1), _\bs_\bu(1), _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3), _\bs_\bu_\bd_\bo(1m), _\bv_\bi_\bs_\bu_\bd_\bo(8)
+ _\br_\bs_\bh(1), _\bs_\bu(1), _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3), _\bg_\bl_\bo_\bb(3), _\bs_\bu_\bd_\bo(1m), _\bv_\bi_\bs_\bu_\bd_\bo(8)
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
The _\bs_\bu_\bd_\bo_\be_\br_\bs file should a\bal\blw\bwa\bay\bys\bs be edited by the v\bvi\bis\bsu\bud\bdo\bo command which
S\bSU\bUP\bPP\bPO\bOR\bRT\bT
Limited free support is available via the sudo-users mailing list, see
+
+
+
+1.7.2p1 June 30, 2009 24
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
the archives.
-1.7.0 December 3, 2008 23
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+1.7.2p1 June 30, 2009 25