-1.6.9p8 November 2, 2007 1
+1.6.9p8 December 3, 2007 1
-1.6.9p8 November 2, 2007 2
+1.6.9p8 December 3, 2007 2
-1.6.9p8 November 2, 2007 3
+1.6.9p8 December 3, 2007 3
-1.6.9p8 November 2, 2007 4
+1.6.9p8 December 3, 2007 4
-1.6.9p8 November 2, 2007 5
+1.6.9p8 December 3, 2007 5
-1.6.9p8 November 2, 2007 6
+1.6.9p8 December 3, 2007 6
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ If the command matched is A\bAL\bLL\bL, the SETENV tag is implied
+ for that command; this default may be overridden by use of
+ the UNSETENV tag.
+
W\bWi\bil\bld\bdc\bca\bar\brd\bds\bs
s\bsu\bud\bdo\bo allows shell-style _\bw_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs (aka meta or glob char
causes a match to succeed. It can be used wherever one
might otherwise use a Cmnd_Alias, User_Alias, Runas_Alias,
or Host_Alias. You should not try to define your own
- _\ba_\bl_\bi_\ba_\bs called A\bAL\bLL\bL as the built-in alias will be used in
- preference to your own. Please note that using A\bAL\bLL\bL can be
- dangerous since in a command context, it allows the user
- to run a\ban\bny\by command on the system.
-1.6.9p8 November 2, 2007 7
+1.6.9p8 December 3, 2007 7
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ _\ba_\bl_\bi_\ba_\bs called A\bAL\bLL\bL as the built-in alias will be used in
+ preference to your own. Please note that using A\bAL\bLL\bL can be
+ dangerous since in a command context, it allows the user
+ to run a\ban\bny\by command on the system.
+
An exclamation point ('!') can be used as a logical _\bn_\bo_\bt
operator both in an _\ba_\bl_\bi_\ba_\bs and in front of a Cmnd. This
allows one to exclude certain values. Note, however, that
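Review bot: the new paragraph at the top of this hunk ("If the command matched is ALL, the SETENV tag is implied for that command; this default may be overridden by use of the UNSETENV tag.") changes the effective meaning of every existing entry that grants ALL, but does not say so or tell administrators how to keep the previous behaviour. Suggest adding one sentence making the consequence explicit, along the lines of "Existing entries granting ALL therefore carry SETENV unless UNSETENV is added to the entry", cross-referencing the description of the SETENV and UNSETENV tags and the env_reset option, and calling the change out in the release notes since it alters existing policies without any edit to sudoers.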
separated list of editors in the editor
variable. v\bvi\bis\bsu\bud\bdo\bo will then only use the
EDITOR or VISUAL if they match a value
- specified in editor. This flag is _\bo_\bf_\bf by
- default.
- env_reset If set, s\bsu\bud\bdo\bo will reset the environment to
- only contain the LOGNAME, SHELL, USER,
-
-1.6.9p8 November 2, 2007 8
+1.6.9p8 December 3, 2007 8
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ specified in editor. This flag is _\bo_\bf_\bf by
+ default.
+
+ env_reset If set, s\bsu\bud\bdo\bo will reset the environment to
+ only contain the LOGNAME, SHELL, USER,
USERNAME and the SUDO_* variables. Any
variables in the caller's environment that
match the env_keep and env_check lists are
files so that only LDAP is used. This
thwarts the efforts of rogue operators who
would attempt to add roles to
- @sysconfdir@/sudoers. When this option is
- present, @sysconfdir@/sudoers does not
- even need to exist. Since this option
- tells s\bsu\bud\bdo\bo how to behave when no specific
- LDAP entries have been matched, this
-1.6.9p8 November 2, 2007 9
+1.6.9p8 December 3, 2007 9
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ @sysconfdir@/sudoers. When this option is
+ present, @sysconfdir@/sudoers does not
+ even need to exist. Since this option
+ tells s\bsu\bud\bdo\bo how to behave when no specific
+ LDAP entries have been matched, this
sudoOption is only meaningful for the
cn=defaults section. This flag is _\bo_\bf_\bf by
default.
user if the invoking user is not in the
_\bs_\bu_\bd_\bo_\be_\br_\bs file. This flag is _\bo_\bn by default.
- noexec If set, all commands run via s\bsu\bud\bdo\bo will
- behave as if the NOEXEC tag has been set,
- unless overridden by a EXEC tag. See the
- description of _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC below as
- well as the "PREVENTING SHELL ESCAPES"
-1.6.9p8 November 2, 2007 10
+1.6.9p8 December 3, 2007 10
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ noexec If set, all commands run via s\bsu\bud\bdo\bo will
+ behave as if the NOEXEC tag has been set,
+ unless overridden by a EXEC tag. See the
+ description of _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC below as
+ well as the "PREVENTING SHELL ESCAPES"
section at the end of this manual. This
flag is _\bo_\bf_\bf by default.
they are not allowed to run it, which can
be confusing. This flag is _\bo_\bn by default.
+ passprompt_override
+ The password prompt specified by
+ _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will normally only be used if
+ the passwod prompt provided by systems
+ such as PAM matches the string "Pass
+ word:". If _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is set,
+ _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will always be used. This flag
+ is _\bo_\bf_\bf by default.
+
preserve_groups By default s\bsu\bud\bdo\bo will initialize the group
vector to the list of groups the target
user is in. When _\bp_\br_\be_\bs_\be_\br_\bv_\be_\b__\bg_\br_\bo_\bu_\bp_\bs is set,
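Review bot: typo in the added passprompt_override entry: "the passwod prompt provided by systems such as PAM" should read "the password prompt provided by systems such as PAM". In the same entry the literal match string "Password:" is hyphenated across a line break as "Pass / word:"; since this is the exact string being compared against, keep it on one line (or suppress hyphenation in the source) so readers do not mistake the break for part of the value.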
Note, however, that turning off _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo
will also prevent root and from running
s\bsu\bud\bdo\boe\bed\bdi\bit\bt. Disabling _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo provides no
+
+
+
+1.6.9p8 December 3, 2007 11
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
real additional security; it exists purely
for historical reasons. This flag is _\bo_\bn
by default.
password of the invoking user. This flag
is _\bo_\bf_\bf by default.
-
-
-1.6.9p8 November 2, 2007 11
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
set_home If set and s\bsu\bud\bdo\bo is invoked with the -\b-s\bs
flag the HOME environment variable will be
set to the home directory of the target
(the shell is determined by the SHELL
environment variable if it is set, falling
back on the shell listed in the invoking
+
+
+
+1.6.9p8 December 3, 2007 12
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
user's /etc/passwd entry if not). This
flag is _\bo_\bf_\bf by default.
run setuid. This option is only effective
on systems with either the _\bs_\be_\bt_\br_\be_\bu_\bi_\bd_\b(_\b) or
_\bs_\be_\bt_\br_\be_\bs_\bu_\bi_\bd_\b(_\b) function. This flag is _\bo_\bf_\bf by
-
-
-
-1.6.9p8 November 2, 2007 12
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
default.
targetpw If set, s\bsu\bud\bdo\bo will prompt for the password
file log. The default is 80 (use 0 or
negate the option to disable word wrap).
+
+
+
+1.6.9p8 December 3, 2007 13
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
passwd_timeout Number of minutes before the s\bsu\bud\bdo\bo password
prompt times out. The default is 5; set
this to 0 for no password timeout.
tamps via sudo -v and sudo -k respec
tively.
-
-
-
-1.6.9p8 November 2, 2007 13
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
umask Umask to use when running the command.
Negate this option or set it to 0777 to
preserve the user's umask. The default is
variable. The following percent (`%')
escapes are supported:
+
+
+1.6.9p8 December 3, 2007 14
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
%H expanded to the local hostname includ
ing the domain name (on if the
machine's hostname is fully qualified
%u expanded to the invoking user's login
name
-
-
-1.6.9p8 November 2, 2007 14
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
%% two consecutive % characters are col
lapsed into a single % character
never Never lecture the user.
+
+
+1.6.9p8 December 3, 2007 15
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
once Only lecture the user the first time
they run s\bsu\bud\bdo\bo.
standard lecture if the named file exists. By
default, s\bsu\bud\bdo\bo uses a built-in lecture.
-
-
-
-1.6.9p8 November 2, 2007 15
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
listpw This option controls when a password will be
required when a user runs s\bsu\bud\bdo\bo with the -\b-l\bl
flag. It has the following possible values:
quotes (") to protect against s\bsu\bud\bdo\bo interpret
ing the @ sign. Defaults to root.
+
+
+1.6.9p8 December 3, 2007 16
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
syslog Syslog facility if syslog is being used for
logging (negate to disable syslog logging).
Defaults to local2.
flag set to avoid entering a password.
always The user must always enter a password
-
-
-
-1.6.9p8 November 2, 2007 16
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
to use the -\b-v\bv flag.
any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs
be a double-quoted, space-separated list
or a single value without double-quotes.
The list can be replaced, added to,
+
+
+
+1.6.9p8 December 3, 2007 17
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
deleted from, or disabled by using the =,
+=, -=, and ! operators respectively. The
default list of environment variables to
the user's environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt
option is in effect. This allows fine-
grained control over the environment
-
-
-
-1.6.9p8 November 2, 2007 17
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
s\bsu\bud\bdo\bo-spawned processes will receive. The
argument may be a double-quoted, space-
separated list or a single value without
User_Alias PARTTIMERS = bostley, jwfox, crawl
User_Alias WEBMASTERS = will, wendy, wim
+
+
+
+
+1.6.9p8 December 3, 2007 18
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
# Runas alias specification
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules
-
-
-
-1.6.9p8 November 2, 2007 18
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
/usr/sbin/restore, /usr/sbin/rrestore
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
- We let r\bro\boo\bot\bt and any user in group w\bwh\bhe\bee\bel\bl run any command on
- any host as any user.
- FULLTIMERS ALL = NOPASSWD: ALL
- Full time sysadmins (m\bmi\bil\bll\ble\ber\brt\bt, m\bmi\bik\bke\bef\bf, and d\bdo\bow\bwd\bdy\by) may run
- any command on any host without authenticating themselves.
+1.6.9p8 December 3, 2007 19
- PARTTIMERS ALL = ALL
- Part time sysadmins (b\bbo\bos\bst\btl\ble\bey\by, j\bjw\bwf\bfo\box\bx, and c\bcr\bra\baw\bwl\bl) may run
- any command on any host but they must authenticate them
- selves first (since the entry lacks the NOPASSWD tag).
-1.6.9p8 November 2, 2007 19
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ We let r\bro\boo\bot\bt and any user in group w\bwh\bhe\bee\bel\bl run any command on
+ any host as any user.
+ FULLTIMERS ALL = NOPASSWD: ALL
+ Full time sysadmins (m\bmi\bil\bll\ble\ber\brt\bt, m\bmi\bik\bke\bef\bf, and d\bdo\bow\bwd\bdy\by) may run
+ any command on any host without authenticating themselves.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ PARTTIMERS ALL = ALL
+ Part time sysadmins (b\bbo\bos\bst\btl\ble\bey\by, j\bjw\bwf\bfo\box\bx, and c\bcr\bra\baw\bwl\bl) may run
+ any command on any host but they must authenticate them
+ selves first (since the entry lacks the NOPASSWD tag).
jack CSNETS = ALL
jim +biglab = ALL
- The user j\bji\bim\bm may run any command on machines in the _\bb_\bi_\bg_\bl_\ba_\bb
- netgroup. s\bsu\bud\bdo\bo knows that "biglab" is a netgroup due to
- the '+' prefix.
-
- +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
- Users in the s\bse\bec\bcr\bre\bet\bta\bar\bri\bie\bes\bs netgroup need to help manage the
- printers as well as add and remove users, so they are
- allowed to run those commands on all machines.
- fred ALL = (DB) NOPASSWD: ALL
+1.6.9p8 December 3, 2007 20
- The user f\bfr\bre\bed\bd can run commands as any user in the _\bD_\bB
-1.6.9p8 November 2, 2007 20
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ The user j\bji\bim\bm may run any command on machines in the _\bb_\bi_\bg_\bl_\ba_\bb
+ netgroup. s\bsu\bud\bdo\bo knows that "biglab" is a netgroup due to
+ the '+' prefix.
+ +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ Users in the s\bse\bec\bcr\bre\bet\bta\bar\bri\bie\bes\bs netgroup need to help manage the
+ printers as well as add and remove users, so they are
+ allowed to run those commands on all machines.
+ fred ALL = (DB) NOPASSWD: ALL
+ The user f\bfr\bre\bed\bd can run commands as any user in the _\bD_\bB
Runas_Alias (o\bor\bra\bac\bcl\ble\be or s\bsy\byb\bba\bas\bse\be) without giving a password.
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
Any user may mount or unmount a CD-ROM on the machines in
the CDROM Host_Alias (orion, perseus, hercules) without
entering a password. This is a bit tedious for users to
- type, so it is a prime candidate for encapsulating in a
- shell script.
-S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
- It is generally not effective to "subtract" commands from
- ALL using the '!' operator. A user can trivially circum
- vent this by copying the desired command to a different
- name and then executing that. For example:
- bill ALL = ALL, !SU, !SHELLS
- Doesn't really prevent b\bbi\bil\bll\bl from running the commands
- listed in _\bS_\bU or _\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those
+1.6.9p8 December 3, 2007 21
-1.6.9p8 November 2, 2007 21
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ type, so it is a prime candidate for encapsulating in a
+ shell script.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
+ It is generally not effective to "subtract" commands from
+ ALL using the '!' operator. A user can trivially circum
+ vent this by copying the desired command to a different
+ name and then executing that. For example:
+ bill ALL = ALL, !SU, !SHELLS
- commands to a different name, or use a shell escape from
- an editor or other program. Therefore, these kind of
+ Doesn't really prevent b\bbi\bil\bll\bl from running the commands
+ listed in _\bS_\bU or _\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those com
+ mands to a different name, or use a shell escape from an
+ editor or other program. Therefore, these kind of
restrictions should be considered advisory at best (and
reinforced by policy).
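Review bot: grammar in the re-wrapped lines of this hunk: "these kind of restrictions should be considered advisory at best" should be "this kind of restriction should be considered advisory at best" (or "these kinds of restrictions"); since the paragraph is being reflowed anyway, fix it in the same change. The sentence beginning "Doesn't really prevent bill from running the commands listed in SU or SHELLS" also lacks a subject; "This entry doesn't really prevent bill from running ..." reads cleanly and matches the other example commentary in the file.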
sudo -V | grep "dummy exec"
+
+
+1.6.9p8 December 3, 2007 22
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
If the resulting output contains a line that
begins with:
_\bn_\bo_\be_\bx_\be_\bc will work at compile-time. _\bn_\bo_\be_\bx_\be_\bc should
work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64
UNIX, MacOS X, and HP-UX 11.x. It is known n\bno\bot\bt
-
-
-
-1.6.9p8 November 2, 2007 22
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
to work on AIX and UnixWare. _\bn_\bo_\be_\bx_\be_\bc is expected
to work on most operating systems that support
the LD_PRELOAD environment variable. Check your
When using netgroups of machines (as opposed to users), if
you store fully qualified hostnames in the netgroup (as is
usually the case), you either need to have the machine's
+
+
+
+1.6.9p8 December 3, 2007 23
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
hostname be fully qualified as returned by the hostname
command or use the _\bf_\bq_\bd_\bn option in _\bs_\bu_\bd_\bo_\be_\br_\bs.
man/listinfo/sudo-users to subscribe or search the
archives.
-
-
-1.6.9p8 November 2, 2007 23
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied war
ranties, including, but not limited to, the implied war
-
-
-
-
-
-
-
-
-
-
-
-
-
-1.6.9p8 November 2, 2007 24
+1.6.9p8 December 3, 2007 24