sudoers - list of which users may execute what
D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- The _\bs_\bu_\bd_\bo_\be_\br_\bs file is composed of two types of entries:
- aliases (basically variables) and user specifications
- (which specify who may run what).
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs file is composed of two types of entries: aliases
+ (basically variables) and user specifications (which specify who may
+ run what).
- When multiple entries match for a user, they are applied
- in order. Where there are conflicting values, the last
- match is used (which is not necessarily the most specific
- match).
+ When multiple entries match for a user, they are applied in order.
+ Where there are multiple matches, the last match is used (which is not
+ necessarily the most specific match).
- The _\bs_\bu_\bd_\bo_\be_\br_\bs grammar will be described below in Extended
- Backus-Naur Form (EBNF). Don't despair if you don't know
- what EBNF is; it is fairly simple, and the definitions
- below are annotated.
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs grammar will be described below in Extended Backus-Naur
+ Form (EBNF). Don't despair if you don't know what EBNF is; it is
+ fairly simple, and the definitions below are annotated.
- Q\bQu\bui\bic\bck\bk g\bgu\bui\bid\bde\be t\bto\bo E\bEB\bBN\bNF\bF
-
- EBNF is a concise and exact way of describing the grammar
- of a language. Each EBNF definition is made up of _\bp_\br_\bo_\bd_\bu_\bc_\b
- _\bt_\bi_\bo_\bn _\br_\bu_\bl_\be_\bs. E.g.,
+ Q\bQu\bui\bic\bck\bk g\bgu\bui\bid\bde\be t\bto\bo E\bEB\bBN\bNF\bF
+ EBNF is a concise and exact way of describing the grammar of a
+ language. Each EBNF definition is made up of _\bp_\br_\bo_\bd_\bu_\bc_\bt_\bi_\bo_\bn _\br_\bu_\bl_\be_\bs. E.g.,
symbol ::= definition | alternate1 | alternate2 ...
- Each _\bp_\br_\bo_\bd_\bu_\bc_\bt_\bi_\bo_\bn _\br_\bu_\bl_\be references others and thus makes up a
- grammar for the language. EBNF also contains the follow
- ing operators, which many readers will recognize from reg
- ular expressions. Do not, however, confuse them with
- "wildcard" characters, which have different meanings.
+ Each _\bp_\br_\bo_\bd_\bu_\bc_\bt_\bi_\bo_\bn _\br_\bu_\bl_\be references others and thus makes up a grammar for
+ the language. EBNF also contains the following operators, which many
+ readers will recognize from regular expressions. Do not, however,
+ confuse them with "wildcard" characters, which have different meanings.
- ? Means that the preceding symbol (or group of sym
- bols) is optional. That is, it may appear once or
- not at all.
+ ? Means that the preceding symbol (or group of symbols) is optional.
+ That is, it may appear once or not at all.
- * Means that the preceding symbol (or group of sym
- bols) may appear zero or more times.
+ * Means that the preceding symbol (or group of symbols) may appear
+ zero or more times.
- + Means that the preceding symbol (or group of sym
- bols) may appear one or more times.
+ + Means that the preceding symbol (or group of symbols) may appear
+ one or more times.
- Parentheses may be used to group symbols together. For
- clarity, we will use single quotes ('') to designate what
- is a verbatim character string (as opposed to a symbol
- name).
+ Parentheses may be used to group symbols together. For clarity, we
+ will use single quotes ('') to designate what is a verbatim character
+ string (as opposed to a symbol name).
- A\bAl\bli\bia\bas\bse\bes\bs
+ A\bAl\bli\bia\bas\bse\bes\bs
+ There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias
+ and Cmnd_Alias.
- There are four kinds of aliases: User_Alias, Runas_Alias,
- Host_Alias and Cmnd_Alias.
+ Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
+ 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
+ 'Host_Alias' Host_Alias (':' Host_Alias)* |
+ 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
+ User_Alias ::= NAME '=' User_List
+ Runas_Alias ::= NAME '=' Runas_List
+ Host_Alias ::= NAME '=' Host_List
-1.6.8p12 June, 20 2005 1
+1.7.2p6 April 7, 2010 1
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
- 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
- 'Host_Alias' Host_Alias (':' Host_Alias)* |
- 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
-
- User_Alias ::= NAME '=' User_List
-
- Runas_Alias ::= NAME '=' Runas_List
-
- Host_Alias ::= NAME '=' Host_List
Cmnd_Alias ::= NAME '=' Cmnd_List
Alias_Type NAME = item1, item2, ...
- where _\bA_\bl_\bi_\ba_\bs_\b__\bT_\by_\bp_\be is one of User_Alias, Runas_Alias,
- Host_Alias, or Cmnd_Alias. A NAME is a string of upper
- case letters, numbers, and underscore characters ('_'). A
- NAME m\bmu\bus\bst\bt start with an uppercase letter. It is possible
- to put several alias definitions of the same type on a
- single line, joined by a colon (':'). E.g.,
+ where _\bA_\bl_\bi_\ba_\bs_\b__\bT_\by_\bp_\be is one of User_Alias, Runas_Alias, Host_Alias, or
+ Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and
+ underscore characters ('_'). A NAME m\bmu\bus\bst\bt start with an uppercase
+ letter. It is possible to put several alias definitions of the same
+ type on a single line, joined by a colon (':'). E.g.,
Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
- The definitions of what constitutes a valid _\ba_\bl_\bi_\ba_\bs member
- follow.
+ The definitions of what constitutes a valid _\ba_\bl_\bi_\ba_\bs member follow.
User_List ::= User |
User ',' User_List
User ::= '!'* username |
+ '!'* '#'uid |
'!'* '%'group |
'!'* '+'netgroup |
+ '!'* '%:'nonunix_group |
'!'* User_Alias
- A User_List is made up of one or more usernames, system
- groups (prefixed with '%'), netgroups (prefixed with '+')
- and other aliases. Each list item may be prefixed with
- one or more '!' operators. An odd number of '!' operators
- negate the value of the item; an even number just cancel
- each other out.
+ A User_List is made up of one or more usernames, uids (prefixed with
+ '#'), system groups (prefixed with '%'), netgroups (prefixed with '+')
+ and User_Aliases. Each list item may be prefixed with zero or more '!'
+ operators. An odd number of '!' operators negate the value of the
+ item; an even number just cancel each other out.
+
+ A username, group, netgroup and nonunix_groups may be enclosed in
+ double quotes to avoid the need for escaping special characters.
+ Alternately, special characters may be specified in escaped hex mode,
+ e.g. \x20 for space.
+
+ The nonunix_group syntax depends on the underlying implementation. For
+ instance, the QAS AD backend supports the following formats:
- Runas_List ::= Runas_User |
- Runas_User ',' Runas_List
+ +\bo Group in the same domain: "Group Name"
- Runas_User ::= '!'* username |
- '!'* '#'uid |
- '!'* '%'group |
- '!'* +netgroup |
- '!'* Runas_Alias
+ +\bo Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"
+ +\bo Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"
+ Note that quotes around group names are optional. Unquoted strings
+ must use a backslash (\) to escape spaces and the '@' symbol.
-1.6.8p12 June, 20 2005 2
+ Runas_List ::= Runas_Member |
+ Runas_Member ',' Runas_List
+
+
+
+1.7.2p6 April 7, 2010 2
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- A Runas_List is similar to a User_List except that it can
- also contain uids (prefixed with '#') and instead of
- User_Aliases it can contain Runas_Aliases. Note that
- usernames and groups are matched as strings. In other
- words, two users (groups) with the same uid (gid) are con
- sidered to be distinct. If you wish to match all user
- names with the same uid (e.g. root and toor), you can use
- a uid instead (#0 in the example given).
+
+ Runas_Member ::= '!'* username |
+ '!'* '#'uid |
+ '!'* '%'group |
+ '!'* +netgroup |
+ '!'* Runas_Alias
+
+ A Runas_List is similar to a User_List except that instead of
+ User_Aliases it can contain Runas_Aliases. Note that usernames and
+ groups are matched as strings. In other words, two users (groups) with
+ the same uid (gid) are considered to be distinct. If you wish to match
+ all usernames with the same uid (e.g. root and toor), you can use a uid
+ instead (#0 in the example given).
Host_List ::= Host |
Host ',' Host_List
'!'* '+'netgroup |
'!'* Host_Alias
- A Host_List is made up of one or more hostnames, IP
- addresses, network numbers, netgroups (prefixed with '+')
- and other aliases. Again, the value of an item may be
- negated with the '!' operator. If you do not specify a
- netmask with a network number, the netmask of the host's
- ethernet interface(s) will be used when matching. The
- netmask may be specified either in dotted quad notation
- (e.g. 255.255.255.0) or CIDR notation (number of bits,
- e.g. 24). A hostname may include shell-style wildcards
- (see the Wildcards section below), but unless the hostname
- command on your machine returns the fully qualified host
- name, you'll need to use the _\bf_\bq_\bd_\bn option for wildcards to
- be useful.
+ A Host_List is made up of one or more hostnames, IP addresses, network
+ numbers, netgroups (prefixed with '+') and other aliases. Again, the
+ value of an item may be negated with the '!' operator. If you do not
+ specify a netmask along with the network number, s\bsu\bud\bdo\bo will query each
+ of the local host's network interfaces and, if the network number
+ corresponds to one of the hosts's network interfaces, the corresponding
+ netmask will be used. The netmask may be specified either in standard
+ IP address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or
+ CIDR notation (number of bits, e.g. 24 or 64). A hostname may include
+ shell-style wildcards (see the Wildcards section below), but unless the
+ hostname command on your machine returns the fully qualified hostname,
+ you'll need to use the _\bf_\bq_\bd_\bn option for wildcards to be useful.
Cmnd_List ::= Cmnd |
Cmnd ',' Cmnd_List
'!'* "sudoedit" |
'!'* Cmnd_Alias
- A Cmnd_List is a list of one or more commandnames, direc
- tories, and other aliases. A commandname is a fully qual
- ified filename which may include shell-style wildcards
- (see the Wildcards section below). A simple filename
- allows the user to run the command with any arguments
- he/she wishes. However, you may also specify command line
- arguments (including wildcards). Alternately, you can
- specify "" to indicate that the command may only be run
- w\bwi\bit\bth\bho\bou\but\bt command line arguments. A directory is a fully
- qualified pathname ending in a '/'. When you specify a
+ A Cmnd_List is a list of one or more commandnames, directories, and
+ other aliases. A commandname is a fully qualified filename which may
+ include shell-style wildcards (see the Wildcards section below). A
+ simple filename allows the user to run the command with any arguments
+ he/she wishes. However, you may also specify command line arguments
+ (including wildcards). Alternately, you can specify "" to indicate
-1.6.8p12 June, 20 2005 3
+1.7.2p6 April 7, 2010 3
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- directory in a Cmnd_List, the user will be able to run any
- file within that directory (but not in any subdirectories
- therein).
-
- If a Cmnd has associated command line arguments, then the
- arguments in the Cmnd must match exactly those given by
- the user on the command line (or match the wildcards if
- there are any). Note that the following characters must
- be escaped with a '\' if they are used in command argu
- ments: ',', ':', '=', '\'. The special command "sudoedit"
- is used to permit a user to run s\bsu\bud\bdo\bo with the -\b-e\be flag (or
- as s\bsu\bud\bdo\boe\bed\bdi\bit\bt). It may take command line arguments just as
- a normal command does.
-
- D\bDe\bef\bfa\bau\bul\blt\bts\bs
-
- Certain configuration options may be changed from their
- default values at runtime via one or more Default_Entry
- lines. These may affect all users on any host, all users
- on a specific host, a specific user, or commands being run
- as a specific user.
+ that the command may only be run w\bwi\bit\bth\bho\bou\but\bt command line arguments. A
+ directory is a fully qualified pathname ending in a '/'. When you
+ specify a directory in a Cmnd_List, the user will be able to run any
+ file within that directory (but not in any subdirectories therein).
+
+ If a Cmnd has associated command line arguments, then the arguments in
+ the Cmnd must match exactly those given by the user on the command line
+ (or match the wildcards if there are any). Note that the following
+ characters must be escaped with a '\' if they are used in command
+ arguments: ',', ':', '=', '\'. The special command "sudoedit" is used
+ to permit a user to run s\bsu\bud\bdo\bo with the -\b-e\be option (or as s\bsu\bud\bdo\boe\bed\bdi\bit\bt). It
+ may take command line arguments just as a normal command does.
+
+ D\bDe\bef\bfa\bau\bul\blt\bts\bs
+ Certain configuration options may be changed from their default values
+ at runtime via one or more Default_Entry lines. These may affect all
+ users on any host, all users on a specific host, a specific user, a
+ specific command, or commands being run as a specific user. Note that
+ per-command entries may not include command line arguments. If you
+ need to specify arguments, define a Cmnd_Alias and reference that
+ instead.
Default_Type ::= 'Defaults' |
- 'Defaults' '@' Host |
- 'Defaults' ':' User |
- 'Defaults' '>' RunasUser
+ 'Defaults' '@' Host_List |
+ 'Defaults' ':' User_List |
+ 'Defaults' '!' Cmnd_List |
+ 'Defaults' '>' Runas_List
Default_Entry ::= Default_Type Parameter_List
Parameter '-=' Value |
'!'* Parameter
- Parameters may be f\bfl\bla\bag\bgs\bs, i\bin\bnt\bte\beg\bge\ber\br values, s\bst\btr\bri\bin\bng\bgs\bs, or
- l\bli\bis\bst\bts\bs. Flags are implicitly boolean and can be turned off
- via the '!' operator. Some integer, string and list
- parameters may also be used in a boolean context to dis
- able them. Values may be enclosed in double quotes (")
- when they contain multiple words. Special characters may
- be escaped with a backslash (\).
+ Parameters may be f\bfl\bla\bag\bgs\bs, i\bin\bnt\bte\beg\bge\ber\br values, s\bst\btr\bri\bin\bng\bgs\bs, or l\bli\bis\bst\bts\bs. Flags are
+ implicitly boolean and can be turned off via the '!' operator. Some
+ integer, string and list parameters may also be used in a boolean
+ context to disable them. Values may be enclosed in double quotes (")
+ when they contain multiple words. Special characters may be escaped
+ with a backslash (\).
- Lists have two additional assignment operators, += and -=.
- These operators are used to add to and delete from a list
- respectively. It is not an error to use the -= operator
- to remove an element that does not exist in a list.
+ Lists have two additional assignment operators, += and -=. These
+ operators are used to add to and delete from a list respectively. It
+ is not an error to use the -= operator to remove an element that does
+ not exist in a list.
- F\bFl\bla\bag\bgs\bs:
+ Defaults entries are parsed in the following order: generic, host and
+ user Defaults first, then runas Defaults and finally command defaults.
- long_otp_prompt
- When validating with a One Time Password
+ See "SUDOERS OPTIONS" for a list of supported Defaults parameters.
-1.6.8p12 June, 20 2005 4
+1.7.2p6 April 7, 2010 4
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- scheme (S\bS/\b/K\bKe\bey\by or O\bOP\bPI\bIE\bE), a two-line prompt is
- used to make it easier to cut and paste the
- challenge to a local window. It's not as
- pretty as the default but some people find it
- more convenient. This flag is _\bo_\bf_\bf by default.
+ U\bUs\bse\ber\br S\bSp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn
+ User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
+ (':' Host_List '=' Cmnd_Spec_List)*
+
+ Cmnd_Spec_List ::= Cmnd_Spec |
+ Cmnd_Spec ',' Cmnd_Spec_List
+
+ Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
+
+ Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
+
+ Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
+ 'SETENV:' | 'NOSETENV:' )
+
+ A u\bus\bse\ber\br s\bsp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn determines which commands a user may run (and as
+ what user) on specified hosts. By default, commands are run as r\bro\boo\bot\bt,
+ but this can be changed on a per-command basis.
- ignore_dot If set, s\bsu\bud\bdo\bo will ignore '.' or '' (current
- dir) in the PATH environment variable; the
- PATH itself is not modified. This flag is _\bo_\bf_\bf
- by default. Currently, while it is possible
- to set _\bi_\bg_\bn_\bo_\br_\be_\b__\bd_\bo_\bt in _\bs_\bu_\bd_\bo_\be_\br_\bs, its value is not
- used. This option should be considered read-
- only (it will be fixed in a future version of
- s\bsu\bud\bdo\bo).
+ The basic structure of a user specification is `who = where (as_whom)
+ what'. Let's break that down into its constituent parts:
- mail_always Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user every time a
- users runs s\bsu\bud\bdo\bo. This flag is _\bo_\bf_\bf by default.
+ R\bRu\bun\bna\bas\bs_\b_S\bSp\bpe\bec\bc
+ A Runas_Spec determines the user and/or the group that a command may be
+ run as. A fully-specified Runas_Spec consists of two Runas_Lists (as
+ defined above) separated by a colon (':') and enclosed in a set of
+ parentheses. The first Runas_List indicates which users the command
+ may be run as via s\bsu\bud\bdo\bo's -\b-u\bu option. The second defines a list of
+ groups that can be specified via s\bsu\bud\bdo\bo's -\b-g\bg option. If both Runas_Lists
+ are specified, the command may be run with any combination of users and
+ groups listed in their respective Runas_Lists. If only the first is
+ specified, the command may be run as any user in the list but no -\b-g\bg
+ option may be specified. If the first Runas_List is empty but the
+ second is specified, the command may be run as the invoking user with
+ the group set to any listed in the Runas_List. If no Runas_Spec is
+ specified the command may be run as r\bro\boo\bot\bt and no group may be specified.
- mail_badpass
- Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user if the user run
- ning sudo does not enter the correct password.
- This flag is _\bo_\bf_\bf by default.
+ A Runas_Spec sets the default for the commands that follow it. What
+ this means is that for the entry:
- mail_no_user
- If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user
- if the invoking user is not in the _\bs_\bu_\bd_\bo_\be_\br_\bs
- file. This flag is _\bo_\bn by default.
+ dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
+
+ The user d\bdg\bgb\bb may run _\b/_\bb_\bi_\bn_\b/_\bl_\bs, _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm -- but only
+ as o\bop\bpe\ber\bra\bat\bto\bor\br. E.g.,
- mail_no_host
- If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user
- if the invoking user exists in the _\bs_\bu_\bd_\bo_\be_\br_\bs
- file, but is not allowed to run commands on
- the current host. This flag is _\bo_\bf_\bf by
- default.
+ $ sudo -u operator /bin/ls.
- mail_no_perms
- If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user
- if the invoking user is allowed to use s\bsu\bud\bdo\bo
- but the command they are trying is not listed
- in their _\bs_\bu_\bd_\bo_\be_\br_\bs file entry or is explicitly
- denied. This flag is _\bo_\bf_\bf by default.
+ It is also possible to override a Runas_Spec later on in an entry. If
+ we modify the entry like so:
- tty_tickets If set, users must authenticate on a per-tty
- basis. Normally, s\bsu\bud\bdo\bo uses a directory in the
- ticket dir with the same name as the user run
- ning it. With this flag enabled, s\bsu\bud\bdo\bo will
- use a file named for the tty the user is
- logged in on in that directory. This flag is
- _\bo_\bf_\bf by default.
+ dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
- authenticate
- If set, users must authenticate themselves via
- a password (or other means of authentication)
- before they may run commands. This default
+ Then user d\bdg\bgb\bb is now allowed to run _\b/_\bb_\bi_\bn_\b/_\bl_\bs as o\bop\bpe\ber\bra\bat\bto\bor\br, but _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl
+ and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as r\bro\boo\bot\bt.
-1.6.8p12 June, 20 2005 5
+
+1.7.2p6 April 7, 2010 5
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- may be overridden via the PASSWD and NOPASSWD
- tags. This flag is _\bo_\bn by default.
+ We can extend this to allow d\bdg\bgb\bb to run /bin/ls with either the user or
+ group set to o\bop\bpe\ber\bra\bat\bto\bor\br:
- root_sudo If set, root is allowed to run s\bsu\bud\bdo\bo too. Dis
- abling this prevents users from "chaining"
- s\bsu\bud\bdo\bo commands to get a root shell by doing
- something like "sudo sudo /bin/sh". Note,
- however, that turning off _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo will also
- prevent root and from running s\bsu\bud\bdo\boe\bed\bdi\bit\bt. Dis
- abling _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo provides no real additional
- security; it exists purely for historical rea
- sons. This flag is _\bo_\bn by default.
+ dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \
+ /usr/bin/lprm
- log_host If set, the hostname will be logged in the
- (non-syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf
- by default.
+ In the following example, user t\btc\bcm\bm may run commands that access a modem
+ device file with the dialer group. Note that in this example only the
+ group will be set, the command still runs as user t\btc\bcm\bm.
- log_year If set, the four-digit year will be logged in
- the (non-syslog) s\bsu\bud\bdo\bo log file. This flag is
- _\bo_\bf_\bf by default.
+ tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
+ /usr/local/bin/minicom
- shell_noargs
- If set and s\bsu\bud\bdo\bo is invoked with no arguments
- it acts as if the -\b-s\bs flag had been given.
- That is, it runs a shell as root (the shell is
- determined by the SHELL environment variable
- if it is set, falling back on the shell listed
- in the invoking user's /etc/passwd entry if
- not). This flag is _\bo_\bf_\bf by default.
+ T\bTa\bag\bg_\b_S\bSp\bpe\bec\bc
+ A command may have zero or more tags associated with it. There are
+ eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV and
+ NOSETENV. Once a tag is set on a Cmnd, subsequent Cmnds in the
+ Cmnd_Spec_List, inherit the tag unless it is overridden by the opposite
+ tag (i.e.: PASSWD overrides NOPASSWD and NOEXEC overrides EXEC).
- set_home If set and s\bsu\bud\bdo\bo is invoked with the -\b-s\bs flag
- the HOME environment variable will be set to
- the home directory of the target user (which
- is root unless the -\b-u\bu option is used). This
- effectively makes the -\b-s\bs flag imply -\b-H\bH. This
- flag is _\bo_\bf_\bf by default.
+ _\bN_\bO_\bP_\bA_\bS_\bS_\bW_\bD _\ba_\bn_\bd _\bP_\bA_\bS_\bS_\bW_\bD
- always_set_home
- If set, s\bsu\bud\bdo\bo will set the HOME environment
- variable to the home directory of the target
- user (which is root unless the -\b-u\bu option is
- used). This effectively means that the -\b-H\bH
- flag is always implied. This flag is _\bo_\bf_\bf by
- default.
+ By default, s\bsu\bud\bdo\bo requires that a user authenticate him or herself
+ before running a command. This behavior can be modified via the
+ NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for
+ the commands that follow it in the Cmnd_Spec_List. Conversely, the
+ PASSWD tag can be used to reverse things. For example:
- path_info Normally, s\bsu\bud\bdo\bo will tell the user when a com
- mand could not be found in their PATH environ
- ment variable. Some sites may wish to disable
- this as it could be used to gather information
- on the location of executables that the normal
- user does not have access to. The disadvan
- tage is that if the executable is simply not
- in the user's PATH, s\bsu\bud\bdo\bo will tell the user
- that they are not allowed to run it, which can
+ ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
+ would allow the user r\bra\bay\by to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, _\b/_\bb_\bi_\bn_\b/_\bl_\bs, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm
+ as r\bro\boo\bot\bt on the machine rushmore without authenticating himself. If we
+ only want r\bra\bay\by to be able to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl without a password the entry
+ would be:
+
+ ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
+
+ Note, however, that the PASSWD tag has no effect on users who are in
+ the group specified by the _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option.
+
+ By default, if the NOPASSWD tag is applied to any of the entries for a
+ user on the current host, he or she will be able to run sudo -l without
+ a password. Additionally, a user may only run sudo -v without a
+ password if the NOPASSWD tag is present for all a user's entries that
+ pertain to the current host. This behavior may be overridden via the
+ verifypw and listpw options.
+
+ _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC
+ If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the underlying
+ operating system supports it, the NOEXEC tag can be used to prevent a
+ dynamically-linked executable from running further commands itself.
-1.6.8p12 June, 20 2005 6
+ In the following example, user a\baa\bar\bro\bon\bn may run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and
+
+
+
+1.7.2p6 April 7, 2010 6
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- be confusing. This flag is _\bo_\bf_\bf by default.
+ _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi but shell escapes will be disabled.
- preserve_groups
- By default s\bsu\bud\bdo\bo will initialize the group vec
- tor to the list of groups the target user is
- in. When _\bp_\br_\be_\bs_\be_\br_\bv_\be_\b__\bg_\br_\bo_\bu_\bp_\bs is set, the user's
- existing group vector is left unaltered. The
- real and effective group IDs, however, are
- still set to match the target user. This flag
- is _\bo_\bf_\bf by default.
+ aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
- fqdn Set this flag if you want to put fully quali
- fied hostnames in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. I.e.,
- instead of myhost you would use myhost.mydo
- main.edu. You may still use the short form if
- you wish (and even mix the two). Beware that
- turning on _\bf_\bq_\bd_\bn requires s\bsu\bud\bdo\bo to make DNS
- lookups which may make s\bsu\bud\bdo\bo unusable if DNS
- stops working (for example if the machine is
- not plugged into the network). Also note that
- you must use the host's official name as DNS
- knows it. That is, you may not use a host
- alias (CNAME entry) due to performance issues
- and the fact that there is no way to get all
- aliases from DNS. If your machine's hostname
- (as returned by the hostname command) is
- already fully qualified you shouldn't need to
- set _\bf_\bq_\bd_\bn. This flag is _\bo_\bf_\bf by default.
+ See the "PREVENTING SHELL ESCAPES" section below for more details on
+ how NOEXEC works and whether or not it will work on your system.
- insults If set, s\bsu\bud\bdo\bo will insult users when they enter
- an incorrect password. This flag is _\bo_\bf_\bf by
- default.
+ _\bS_\bE_\bT_\bE_\bN_\bV _\ba_\bn_\bd _\bN_\bO_\bS_\bE_\bT_\bE_\bN_\bV
- requiretty If set, s\bsu\bud\bdo\bo will only run when the user is
- logged in to a real tty. This will disallow
- things like "rsh somehost sudo ls" since
- _\br_\bs_\bh(1) does not allocate a tty. Because it is
- not possible to turn off echo when there is no
- tty present, some sites may with to set this
- flag to prevent a user from entering a visible
- password. This flag is _\bo_\bf_\bf by default.
+ These tags override the value of the _\bs_\be_\bt_\be_\bn_\bv option on a per-command
+ basis. Note that if SETENV has been set for a command, any environment
+ variables set on the command line way are not subject to the
+ restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such,
+ only trusted users should be allowed to set variables in this manner.
+ If the command matched is A\bAL\bLL\bL, the SETENV tag is implied for that
+ command; this default may be overridden by use of the UNSETENV tag.
- env_editor If set, v\bvi\bis\bsu\bud\bdo\bo will use the value of the EDI
- TOR or VISUAL environment variables before
- falling back on the default editor list. Note
- that this may create a security hole as it
- allows the user to run any arbitrary command
- as root without logging. A safer alternative
- is to place a colon-separated list of editors
- in the editor variable. v\bvi\bis\bsu\bud\bdo\bo will then only
- use the EDITOR or VISUAL if they match a value
- specified in editor. This flag is off by
- default.
+ W\bWi\bil\bld\bdc\bca\bar\brd\bds\bs
+ s\bsu\bud\bdo\bo allows shell-style _\bw_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs (aka meta or glob characters) to be
+ used in hostnames, pathnames and command line arguments in the _\bs_\bu_\bd_\bo_\be_\br_\bs
+ file. Wildcard matching is done via the P\bPO\bOS\bSI\bIX\bX _\bg_\bl_\bo_\bb(3) and _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3)
+ routines. Note that these are _\bn_\bo_\bt regular expressions.
+ * Matches any set of zero or more characters.
+ ? Matches any single character.
+ [...] Matches any character in the specified range.
-1.6.8p12 June, 20 2005 7
+ [!...] Matches any character n\bno\bot\bt in the specified range.
+ \x For any character "x", evaluates to "x". This is used to
+ escape special characters such as: "*", "?", "[", and "}".
+ POSIX character classes may also be used if your system's _\bg_\bl_\bo_\bb(3) and
+ _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) functions support them. However, because the ':' character
+ has special meaning in _\bs_\bu_\bd_\bo_\be_\br_\bs, it must be escaped. For example:
+ /bin/ls [[\:alpha\:]]*
+ Would match any filename beginning with a letter.
+
+ Note that a forward slash ('/') will n\bno\bot\bt be matched by wildcards used
+ in the pathname. When matching the command line arguments, however, a
+ slash d\bdo\boe\bes\bs get matched by wildcards. This is to make a path like:
+
+ /usr/bin/*
+
+ match _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bw_\bh_\bo but not _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bX_\b1_\b1_\b/_\bx_\bt_\be_\br_\bm.
+
+ E\bEx\bxc\bce\bep\bpt\bti\bio\bon\bns\bs t\bto\bo w\bwi\bil\bld\bdc\bca\bar\brd\bd r\bru\bul\ble\bes\bs
+ The following exceptions apply to the above rules:
+
+ "" If the empty string "" is the only command line argument in the
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- rootpw If set, s\bsu\bud\bdo\bo will prompt for the root password
- instead of the password of the invoking user.
- This flag is _\bo_\bf_\bf by default.
-
- runaspw If set, s\bsu\bud\bdo\bo will prompt for the password of
- the user defined by the _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt option
- (defaults to root) instead of the password of
- the invoking user. This flag is _\bo_\bf_\bf by
- default.
-
- targetpw If set, s\bsu\bud\bdo\bo will prompt for the password of
- the user specified by the -\b-u\bu flag (defaults to
- root) instead of the password of the invoking
- user. Note that this precludes the use of a
- uid not listed in the passwd database as an
- argument to the -\b-u\bu flag. This flag is _\bo_\bf_\bf by
- default.
-
- set_logname Normally, s\bsu\bud\bdo\bo will set the LOGNAME and USER
- environment variables to the name of the tar
- get user (usually root unless the -\b-u\bu flag is
- given). However, since some programs (includ
- ing the RCS revision control system) use LOG
- NAME to determine the real identity of the
- user, it may be desirable to change this
- behavior. This can be done by negating the
- set_logname option.
-
- stay_setuid Normally, when s\bsu\bud\bdo\bo executes a command the
- real and effective UIDs are set to the target
- user (root by default). This option changes
- that behavior such that the real UID is left
- as the invoking user's UID. In other words,
- this makes s\bsu\bud\bdo\bo act as a setuid wrapper. This
- can be useful on systems that disable some
- potentially dangerous functionality when a
- program is run setuid. Note, however, that
- this means that sudo will run with the real
- uid of the invoking user which may allow that
- user to kill s\bsu\bud\bdo\bo before it can log a failure,
- depending on how your OS defines the interac
- tion between signals and setuid processes.
-
- env_reset If set, s\bsu\bud\bdo\bo will reset the environment to
- only contain the following variables: HOME,
- LOGNAME, PATH, SHELL, TERM, and USER (in addi
- tion to the SUDO_* variables). Of these, only
- TERM is copied unaltered from the old environ
- ment. The other variables are set to default
- values (possibly modified by the value of the
- _\bs_\be_\bt_\b__\bl_\bo_\bg_\bn_\ba_\bm_\be option). If s\bsu\bud\bdo\bo was compiled
- with the SECURE_PATH option, its value will be
- used for the PATH environment variable. Other
- variables may be preserved with the _\be_\bn_\bv_\b__\bk_\be_\be_\bp
-
-
-
-1.6.8p12 June, 20 2005 8
+1.7.2p6 April 7, 2010 7
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- option.
+ _\bs_\bu_\bd_\bo_\be_\br_\bs entry it means that command is not allowed to be run
+ with a\ban\bny\by arguments.
- use_loginclass
- If set, s\bsu\bud\bdo\bo will apply the defaults specified
- for the target user's login class if one
- exists. Only available if s\bsu\bud\bdo\bo is configured
- with the --with-logincap option. This flag is
- _\bo_\bf_\bf by default.
+ I\bIn\bnc\bcl\blu\bud\bdi\bin\bng\bg o\bot\bth\bhe\ber\br f\bfi\bil\ble\bes\bs f\bfr\bro\bom\bm w\bwi\bit\bth\bhi\bin\bn s\bsu\bud\bdo\boe\ber\brs\bs
+ It is possible to include other _\bs_\bu_\bd_\bo_\be_\br_\bs files from within the _\bs_\bu_\bd_\bo_\be_\br_\bs
+ file currently being parsed using the #include and #includedir
+ directives.
- noexec If set, all commands run via sudo will behave
- as if the NOEXEC tag has been set, unless
- overridden by a EXEC tag. See the description
- of _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC below as well as the "PRE
- VENTING SHELL ESCAPES" section at the end of
- this manual. This flag is _\bo_\bf_\bf by default.
+ This can be used, for example, to keep a site-wide _\bs_\bu_\bd_\bo_\be_\br_\bs file in
+ addition to a local, per-machine file. For the sake of this example
+ the site-wide _\bs_\bu_\bd_\bo_\be_\br_\bs will be _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs and the per-machine one will
+ be _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. To include _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl from within
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs we would use the following line in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs:
- ignore_local_sudoers
- If set via LDAP, parsing of @sysconfdir@/sudo
- ers will be skipped. This is intended for an
- Enterprises that wish to prevent the usage of
- local sudoers files so that only LDAP is used.
- This thwarts the efforts of rogue operators
- who would attempt to add roles to
- @sysconfdir@/sudoers. When this option is
- present, @sysconfdir@/sudoers does not even
- need to exist. Since this options tells sudo
- how to behave when no specific LDAP entries
- have been matched, this sudoOption is only
- meaningful for the cn=defaults section. This
- flag is _\bo_\bf_\bf by default.
+ #include /etc/sudoers.local
- I\bIn\bnt\bte\beg\bge\ber\brs\bs:
+ When s\bsu\bud\bdo\bo reaches this line it will suspend processing of the current
+ file (_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs) and switch to _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. Upon reaching
+ the end of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl, the rest of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs will be
+ processed. Files that are included may themselves include other files.
+ A hard limit of 128 nested include files is enforced to prevent include
+ file loops.
- passwd_tries
- The number of tries a user gets to enter
- his/her password before s\bsu\bud\bdo\bo logs the failure
- and exits. The default is 3.
+ The filename may include the %h escape, signifying the short form of
+ the hostname. I.e., if the machine's hostname is "xerxes", then
- I\bIn\bnt\bte\beg\bge\ber\brs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
+ #include /etc/sudoers.%h
- loglinelen Number of characters per line for the file
- log. This value is used to decide when to
- wrap lines for nicer log files. This has no
- effect on the syslog log file, only the file
- log. The default is 80 (use 0 or negate the
- option to disable word wrap).
+ will cause s\bsu\bud\bdo\bo to include the file _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bx_\be_\br_\bx_\be_\bs.
- timestamp_timeout
- Number of minutes that can elapse before s\bsu\bud\bdo\bo
- will ask for a passwd again. The default is
- 5. Set this to 0 to always prompt for a pass
- word. If set to a value less than 0 the
- user's timestamp will never expire. This can
- be used to allow users to create or delete
+ The #includedir directive can be used to create a _\bs_\bu_\bd_\bo_\b._\bd directory that
+ the system package manager can drop _\bs_\bu_\bd_\bo_\be_\br_\bs rules into as part of
+ package installation. For example, given:
+ #includedir /etc/sudoers.d
+ s\bsu\bud\bdo\bo will read each file in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd, skipping file names that
+ end in ~ or contain a . character to avoid causing problems with
+ package manager or editor temporary/backup files. Files are parsed in
+ sorted lexical order. That is, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b0_\b1_\b__\bf_\bi_\br_\bs_\bt will be parsed
+ before _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Be aware that because the sorting is
+ lexical, not numeric, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b__\bw_\bh_\bo_\bo_\bp_\bs would be loaded a\baf\bft\bte\ber\br
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Using a consistent number of leading zeroes
+ in the file names can be used to avoid such problems.
-1.6.8p12 June, 20 2005 9
+ Note that unlike files included via #include, v\bvi\bis\bsu\bud\bdo\bo will not edit the
+ files in a #includedir directory unless one of them contains a syntax
+ error. It is still possible to run v\bvi\bis\bsu\bud\bdo\bo with the -f flag to edit the
+ files directly.
+ O\bOt\bth\bhe\ber\br s\bsp\bpe\bec\bci\bia\bal\bl c\bch\bha\bar\bra\bac\bct\bte\ber\brs\bs a\ban\bnd\bd r\bre\bes\bse\ber\brv\bve\bed\bd w\bwo\bor\brd\bds\bs
+ The pound sign ('#') is used to indicate a comment (unless it is part
+ of a #include directive or unless it occurs in the context of a user
+ name and is followed by one or more digits, in which case it is treated
+1.7.2p6 April 7, 2010 8
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- their own timestamps via sudo -v and sudo -k
- respectively.
- passwd_timeout
- Number of minutes before the s\bsu\bud\bdo\bo password
- prompt times out. The default is 5, set this
- to 0 for no password timeout.
- umask Umask to use when running the command. Negate
- this option or set it to 0777 to preserve the
- user's umask. The default is 0022.
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- S\bSt\btr\bri\bin\bng\bgs\bs:
- mailsub Subject of the mail sent to the _\bm_\ba_\bi_\bl_\bt_\bo user.
- The escape %h will expand to the hostname of
- the machine. Default is *** SECURITY informa
- tion for %h ***.
+ as a uid). Both the comment character and any text after it, up to the
+ end of the line, are ignored.
- badpass_message
- Message that is displayed if a user enters an
- incorrect password. The default is Sorry, try
- again. unless insults are enabled.
+ The reserved word A\bAL\bLL\bL is a built-in _\ba_\bl_\bi_\ba_\bs that always causes a match to
+ succeed. It can be used wherever one might otherwise use a Cmnd_Alias,
+ User_Alias, Runas_Alias, or Host_Alias. You should not try to define
+ your own _\ba_\bl_\bi_\ba_\bs called A\bAL\bLL\bL as the built-in alias will be used in
+ preference to your own. Please note that using A\bAL\bLL\bL can be dangerous
+ since in a command context, it allows the user to run a\ban\bny\by command on
+ the system.
- timestampdir
- The directory in which s\bsu\bud\bdo\bo stores its times
- tamp files. The default is _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo.
+ An exclamation point ('!') can be used as a logical _\bn_\bo_\bt operator both
+ in an _\ba_\bl_\bi_\ba_\bs and in front of a Cmnd. This allows one to exclude certain
+ values. Note, however, that using a ! in conjunction with the built-in
+ ALL alias to allow a user to run "all but a few" commands rarely works
+ as intended (see SECURITY NOTES below).
- timestampowner
- The owner of the timestamp directory and the
- timestamps stored therein. The default is
- root.
+ Long lines can be continued with a backslash ('\') as the last
+ character on the line.
- passprompt The default prompt to use when asking for a
- password; can be overridden via the -\b-p\bp option
- or the SUDO_PROMPT environment variable. The
- following percent (`%') escapes are supported:
+ Whitespace between elements in a list as well as special syntactic
+ characters in a _\bU_\bs_\be_\br _\bS_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn ('=', ':', '(', ')') is optional.
- %u expanded to the invoking user's login
- name
+ The following characters must be escaped with a backslash ('\') when
+ used as part of a word (e.g. a username or hostname): '@', '!', '=',
+ ':', ',', '(', ')', '\'.
- %U expanded to the login name of the user
- the command will be run as (defaults
- to root)
+S\bSU\bUD\bDO\bOE\bER\bRS\bS O\bOP\bPT\bTI\bIO\bON\bNS\bS
+ s\bsu\bud\bdo\bo's behavior can be modified by Default_Entry lines, as explained
+ earlier. A list of all supported Defaults parameters, grouped by type,
+ are listed below.
- %h expanded to the local hostname without
- the domain name
+ F\bFl\bla\bag\bgs\bs:
+
+ always_set_home If set, s\bsu\bud\bdo\bo will set the HOME environment variable to
+ the home directory of the target user (which is root
+ unless the -\b-u\bu option is used). This effectively means
+ that the -\b-H\bH option is always implied. This flag is _\bo_\bf_\bf
+ by default.
- %H expanded to the local hostname includ
- ing the domain name (on if the
- machine's hostname is fully qualified
- or the _\bf_\bq_\bd_\bn option is set)
+ authenticate If set, users must authenticate themselves via a
+ password (or other means of authentication) before they
+ may run commands. This default may be overridden via
+ the PASSWD and NOPASSWD tags. This flag is _\bo_\bn by
+ default.
- %% two consecutive % characters are
+ closefrom_override
+ If set, the user may use s\bsu\bud\bdo\bo's -\b-C\bC option which
+ overrides the default starting point at which s\bsu\bud\bdo\bo
+ begins closing open file descriptors. This flag is _\bo_\bf_\bf
+ by default.
+ env_editor If set, v\bvi\bis\bsu\bud\bdo\bo will use the value of the EDITOR or
+ VISUAL environment variables before falling back on the
-1.6.8p12 June, 20 2005 10
+
+1.7.2p6 April 7, 2010 9
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- collaped into a single % character
+ default editor list. Note that this may create a
+ security hole as it allows the user to run any
+ arbitrary command as root without logging. A safer
+ alternative is to place a colon-separated list of
+ editors in the editor variable. v\bvi\bis\bsu\bud\bdo\bo will then only
+ use the EDITOR or VISUAL if they match a value
+ specified in editor. This flag is _\bo_\bf_\bf by default.
+
+ env_reset If set, s\bsu\bud\bdo\bo will reset the environment to only contain
+ the LOGNAME, SHELL, USER, USERNAME and the SUDO_*
+ variables. Any variables in the caller's environment
+ that match the env_keep and env_check lists are then
+ added. The default contents of the env_keep and
+ env_check lists are displayed when s\bsu\bud\bdo\bo is run by root
+ with the _\b-_\bV option. If the _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh option is set,
+ its value will be used for the PATH environment
+ variable. This flag is _\bo_\bn by default.
+
+ fqdn Set this flag if you want to put fully qualified
+ hostnames in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. I.e., instead of myhost
+ you would use myhost.mydomain.edu. You may still use
+ the short form if you wish (and even mix the two).
+ Beware that turning on _\bf_\bq_\bd_\bn requires s\bsu\bud\bdo\bo to make DNS
+ lookups which may make s\bsu\bud\bdo\bo unusable if DNS stops
+ working (for example if the machine is not plugged into
+ the network). Also note that you must use the host's
+ official name as DNS knows it. That is, you may not
+ use a host alias (CNAME entry) due to performance
+ issues and the fact that there is no way to get all
+ aliases from DNS. If your machine's hostname (as
+ returned by the hostname command) is already fully
+ qualified you shouldn't need to set _\bf_\bq_\bd_\bn. This flag is
+ _\bo_\bf_\bf by default.
+
+ ignore_dot If set, s\bsu\bud\bdo\bo will ignore '.' or '' (current dir) in the
+ PATH environment variable; the PATH itself is not
+ modified. This flag is _\bo_\bf_\bf by default.
- The default value is Password:.
+ ignore_local_sudoers
+ If set via LDAP, parsing of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs will be
+ skipped. This is intended for Enterprises that wish to
+ prevent the usage of local sudoers files so that only
+ LDAP is used. This thwarts the efforts of rogue
+ operators who would attempt to add roles to
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. When this option is present,
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs does not even need to exist. Since this
+ option tells s\bsu\bud\bdo\bo how to behave when no specific LDAP
+ entries have been matched, this sudoOption is only
+ meaningful for the cn=defaults section. This flag is
+ _\bo_\bf_\bf by default.
- runas_default
- The default user to run commands as if the -\b-u\bu
- flag is not specified on the command line.
- This defaults to root. Note that if
- _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt is set it m\bmu\bus\bst\bt occur before any
- Runas_Alias specifications.
+ insults If set, s\bsu\bud\bdo\bo will insult users when they enter an
+ incorrect password. This flag is _\bo_\bf_\bf by default.
- syslog_goodpri
- Syslog priority to use when user authenticates
- successfully. Defaults to notice.
- syslog_badpri
- Syslog priority to use when user authenticates
- unsuccessfully. Defaults to alert.
- editor A colon (':') separated list of editors
- allowed to be used with v\bvi\bis\bsu\bud\bdo\bo. v\bvi\bis\bsu\bud\bdo\bo will
- choose the editor that matches the user's USER
- environment variable if possible, or the first
- editor in the list that exists and is exe
- cutable. The default is the path to vi on
- your system.
- noexec_file Path to a shared library containing dummy ver
- sions of the _\be_\bx_\be_\bc_\bv_\b(_\b), _\be_\bx_\be_\bc_\bv_\be_\b(_\b) and _\bf_\be_\bx_\be_\bc_\bv_\be_\b(_\b)
- library functions that just return an error.
- This is used to implement the _\bn_\bo_\be_\bx_\be_\bc function
- ality on systems that support LD_PRELOAD or
- its equivalent. Defaults to
- _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc_\b/_\bs_\bu_\bd_\bo_\b__\bn_\bo_\be_\bx_\be_\bc_\b._\bs_\bo.
+1.7.2p6 April 7, 2010 10
- S\bSt\btr\bri\bin\bng\bgs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
- lecture This option controls when a short lecture will
- be printed along with the password prompt. It
- has the following possible values:
- never Never lecture the user.
- once Only lecture the user the first time
- they run s\bsu\bud\bdo\bo.
- always Always lecture the user.
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- If no value is specified, a value of _\bo_\bn_\bc_\be is
- implied. Negating the option results in a
- value of _\bn_\be_\bv_\be_\br being used. The default value
- is _\bo_\bn_\bc_\be.
+ log_host If set, the hostname will be logged in the (non-syslog)
+ s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
+ log_year If set, the four-digit year will be logged in the (non-
+ syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
+ long_otp_prompt When validating with a One Time Password (OPT) scheme
+ such as S\bS/\b/K\bKe\bey\by or O\bOP\bPI\bIE\bE, a two-line prompt is used to
+ make it easier to cut and paste the challenge to a
+ local window. It's not as pretty as the default but
+ some people find it more convenient. This flag is _\bo_\bf_\bf
+ by default.
+ mail_always Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user every time a users runs
+ s\bsu\bud\bdo\bo. This flag is _\bo_\bf_\bf by default.
-1.6.8p12 June, 20 2005 11
+ mail_badpass Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user if the user running s\bsu\bud\bdo\bo
+ does not enter the correct password. This flag is _\bo_\bf_\bf
+ by default.
+ mail_no_host If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
+ invoking user exists in the _\bs_\bu_\bd_\bo_\be_\br_\bs file, but is not
+ allowed to run commands on the current host. This flag
+ is _\bo_\bf_\bf by default.
+ mail_no_perms If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
+ invoking user is allowed to use s\bsu\bud\bdo\bo but the command
+ they are trying is not listed in their _\bs_\bu_\bd_\bo_\be_\br_\bs file
+ entry or is explicitly denied. This flag is _\bo_\bf_\bf by
+ default.
+ mail_no_user If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
+ invoking user is not in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. This flag is
+ _\bo_\bn by default.
+ noexec If set, all commands run via s\bsu\bud\bdo\bo will behave as if the
+ NOEXEC tag has been set, unless overridden by a EXEC
+ tag. See the description of _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC below as
+ well as the "PREVENTING SHELL ESCAPES" section at the
+ end of this manual. This flag is _\bo_\bf_\bf by default.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ path_info Normally, s\bsu\bud\bdo\bo will tell the user when a command could
+ not be found in their PATH environment variable. Some
+ sites may wish to disable this as it could be used to
+ gather information on the location of executables that
+ the normal user does not have access to. The
+ disadvantage is that if the executable is simply not in
+ the user's PATH, s\bsu\bud\bdo\bo will tell the user that they are
+ not allowed to run it, which can be confusing. This
+ flag is _\bo_\bn by default.
+ passprompt_override
+ The password prompt specified by _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will
+ normally only be used if the passwod prompt provided by
- lecture_file
- Path to a file containing an alternate sudo
- lecture that will be used in place of the
- standard lecture if the named file exists.
- logfile Path to the s\bsu\bud\bdo\bo log file (not the syslog log
- file). Setting a path turns on logging to a
- file; negating this option turns it off.
- syslog Syslog facility if syslog is being used for
- logging (negate to disable syslog logging).
- Defaults to local2.
+1.7.2p6 April 7, 2010 11
- mailerpath Path to mail program used to send warning
- mail. Defaults to the path to sendmail found
- at configure time.
- mailerflags Flags to use when invoking mailer. Defaults to
- -\b-t\bt.
- mailto Address to send warning and error mail to.
- The address should be enclosed in double
- quotes (") to protect against sudo interpret
- ing the @ sign. Defaults to root.
- exempt_group
- Users in this group are exempt from password
- and PATH requirements. This is not set by
- default.
- verifypw This option controls when a password will be
- required when a user runs s\bsu\bud\bdo\bo with the -\b-v\bv
- flag. It has the following possible values:
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the
- current host must have the NOPASSWD
- flag set to avoid entering a password.
- any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs
- entries for the current host must have
- the NOPASSWD flag set to avoid enter
- ing a password.
+ systems such as PAM matches the string "Password:". If
+ _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is set, _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will always be
+ used. This flag is _\bo_\bf_\bf by default.
- never The user need never enter a password
- to use the -\b-v\bv flag.
+ preserve_groups By default, s\bsu\bud\bdo\bo will initialize the group vector to
+ the list of groups the target user is in. When
+ _\bp_\br_\be_\bs_\be_\br_\bv_\be_\b__\bg_\br_\bo_\bu_\bp_\bs is set, the user's existing group
+ vector is left unaltered. The real and effective group
+ IDs, however, are still set to match the target user.
+ This flag is _\bo_\bf_\bf by default.
- always The user must always enter a password
- to use the -\b-v\bv flag.
+ pwfeedback By default, s\bsu\bud\bdo\bo reads the password like most other
+ Unix programs, by turning off echo until the user hits
+ the return (or enter) key. Some users become confused
+ by this as it appears to them that s\bsu\bud\bdo\bo has hung at
+ this point. When _\bp_\bw_\bf_\be_\be_\bd_\bb_\ba_\bc_\bk is set, s\bsu\bud\bdo\bo will provide
+ visual feedback when the user presses a key. Note that
+ this does have a security impact as an onlooker may be
+ able to determine the length of the password being
+ entered. This flag is _\bo_\bf_\bf by default.
- If no value is specified, a value of _\ba_\bl_\bl is
- implied. Negating the option results in a
- value of _\bn_\be_\bv_\be_\br being used. The default value
- is _\ba_\bl_\bl.
+ requiretty If set, s\bsu\bud\bdo\bo will only run when the user is logged in
+ to a real tty. When this flag is set, s\bsu\bud\bdo\bo can only be
+ run from a login session and not via other means such
+ as _\bc_\br_\bo_\bn(1m) or cgi-bin scripts. This flag is _\bo_\bf_\bf by
+ default.
+ root_sudo If set, root is allowed to run s\bsu\bud\bdo\bo too. Disabling
+ this prevents users from "chaining" s\bsu\bud\bdo\bo commands to
+ get a root shell by doing something like "sudo sudo
+ /bin/sh". Note, however, that turning off _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo
+ will also prevent root and from running s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
+ Disabling _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo provides no real additional
+ security; it exists purely for historical reasons.
+ This flag is _\bo_\bn by default.
+ rootpw If set, s\bsu\bud\bdo\bo will prompt for the root password instead
+ of the password of the invoking user. This flag is _\bo_\bf_\bf
+ by default.
+ runaspw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
+ defined by the _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt option (defaults to root)
+ instead of the password of the invoking user. This
+ flag is _\bo_\bf_\bf by default.
-1.6.8p12 June, 20 2005 12
+ set_home If set and s\bsu\bud\bdo\bo is invoked with the -\b-s\bs option the HOME
+ environment variable will be set to the home directory
+ of the target user (which is root unless the -\b-u\bu option
+ is used). This effectively makes the -\b-s\bs option imply
+ -\b-H\bH. This flag is _\bo_\bf_\bf by default.
+ set_logname Normally, s\bsu\bud\bdo\bo will set the LOGNAME, USER and USERNAME
+ environment variables to the name of the target user
+ (usually root unless the -\b-u\bu option is given). However,
+1.7.2p6 April 7, 2010 12
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- listpw This option controls when a password will be
- required when a user runs s\bsu\bud\bdo\bo with the -\b-l\bl
- flag. It has the following possible values:
- all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the
- current host must have the NOPASSWD
- flag set to avoid entering a password.
- any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs
- entries for the current host must have
- the NOPASSWD flag set to avoid enter
- ing a password.
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- never The user need never enter a password
- to use the -\b-l\bl flag.
- always The user must always enter a password
- to use the -\b-l\bl flag.
+ since some programs (including the RCS revision control
+ system) use LOGNAME to determine the real identity of
+ the user, it may be desirable to change this behavior.
+ This can be done by negating the set_logname option.
+ Note that if the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option has not been
+ disabled, entries in the _\be_\bn_\bv_\b__\bk_\be_\be_\bp list will override
+ the value of _\bs_\be_\bt_\b__\bl_\bo_\bg_\bn_\ba_\bm_\be. This flag is _\bo_\bf_\bf by default.
+
+ setenv Allow the user to disable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option from the
+ command line. Additionally, environment variables set
+ via the command line are not subject to the
+ restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or
+ _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such, only trusted users should be
+ allowed to set variables in this manner. This flag is
+ _\bo_\bf_\bf by default.
+
+ shell_noargs If set and s\bsu\bud\bdo\bo is invoked with no arguments it acts as
+ if the -\b-s\bs option had been given. That is, it runs a
+ shell as root (the shell is determined by the SHELL
+ environment variable if it is set, falling back on the
+ shell listed in the invoking user's /etc/passwd entry
+ if not). This flag is _\bo_\bf_\bf by default.
+
+ fast_glob Normally, s\bsu\bud\bdo\bo uses the _\bg_\bl_\bo_\bb(3) function to do shell-
+ style globbing when matching pathnames. However, since
+ it accesses the file system, _\bg_\bl_\bo_\bb(3) can take a long
+ time to complete for some patterns, especially when the
+ pattern references a network file system that is
+ mounted on demand (automounted). The _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb option
+ causes s\bsu\bud\bdo\bo to use the _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) function, which does
+ not access the file system to do its matching. The
+ disadvantage of _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is that it is unable to match
+ relative pathnames such as _\b._\b/_\bl_\bs or _\b._\b._\b/_\bb_\bi_\bn_\b/_\bl_\bs. This has
+ security implications when path names that include
+ globbing characters are used with the negation
+ operator, '!', as such rules can be trivially bypassed.
+ As such, this option should not be used when _\bs_\bu_\bd_\bo_\be_\br_\bs
+ contains rules that contain negated path names which
+ include globbing characters. This flag is _\bo_\bf_\bf by
+ default.
+
+ stay_setuid Normally, when s\bsu\bud\bdo\bo executes a command the real and
+ effective UIDs are set to the target user (root by
+ default). This option changes that behavior such that
+ the real UID is left as the invoking user's UID. In
+ other words, this makes s\bsu\bud\bdo\bo act as a setuid wrapper.
+ This can be useful on systems that disable some
+ potentially dangerous functionality when a program is
+ run setuid. This option is only effective on systems
+ with either the _\bs_\be_\bt_\br_\be_\bu_\bi_\bd_\b(_\b) or _\bs_\be_\bt_\br_\be_\bs_\bu_\bi_\bd_\b(_\b) function.
+ This flag is _\bo_\bf_\bf by default.
+
+ targetpw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
+ specified by the -\b-u\bu option (defaults to root) instead
+
+
+
+1.7.2p6 April 7, 2010 13
- If no value is specified, a value of _\ba_\bn_\by is
- implied. Negating the option results in a
- value of _\bn_\be_\bv_\be_\br being used. The default value
- is _\ba_\bn_\by.
- L\bLi\bis\bst\bts\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
- env_check Environment variables to be removed from the
- user's environment if the variable's value
- contains % or / characters. This can be used
- to guard against printf-style format vulnera
- bilities in poorly-written programs. The
- argument may be a double-quoted, space-sepa
- rated list or a single value without dou
- ble-quotes. The list can be replaced, added
- to, deleted from, or disabled by using the =,
- +=, -=, and ! operators respectively. The
- default list of environment variables to check
- is printed when s\bsu\bud\bdo\bo is run by root with the
- _\b-_\bV option.
- env_delete Environment variables to be removed from the
- user's environment. The argument may be a
- double-quoted, space-separated list or a sin
- gle value without double-quotes. The list can
- be replaced, added to, deleted from, or dis
- abled by using the =, +=, -=, and ! operators
- respectively. The default list of environment
- variables to remove is printed when s\bsu\bud\bdo\bo is
- run by root with the _\b-_\bV option. Note that
- many operating systems will remove potentially
- dangerous variables from the environment of
- any setuid process (such as s\bsu\bud\bdo\bo).
- env_keep Environment variables to be preserved in the
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ of the password of the invoking user. Note that this
+ precludes the use of a uid not listed in the passwd
+ database as an argument to the -\b-u\bu option. This flag is
+ _\bo_\bf_\bf by default.
+
+ tty_tickets If set, users must authenticate on a per-tty basis.
+ Normally, s\bsu\bud\bdo\bo uses a directory in the ticket dir with
+ the same name as the user running it. With this flag
+ enabled, s\bsu\bud\bdo\bo will use a file named for the tty the
+ user is logged in on in that directory. This flag is
+ _\bo_\bf_\bf by default.
+
+ umask_override If set, s\bsu\bud\bdo\bo will set the umask as specified by _\bs_\bu_\bd_\bo_\be_\br_\bs
+ without modification. This makes it possible to
+ specify a more permissive umask in _\bs_\bu_\bd_\bo_\be_\br_\bs than the
+ user's own umask and matches historical behavior. If
+ _\bu_\bm_\ba_\bs_\bk_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is not set, s\bsu\bud\bdo\bo will set the umask to
+ be the union of the user's umask and what is specified
+ in _\bs_\bu_\bd_\bo_\be_\br_\bs. This flag is _\bo_\bf_\bf by default.
+
+ use_loginclass If set, s\bsu\bud\bdo\bo will apply the defaults specified for the
+ target user's login class if one exists. Only
+ available if s\bsu\bud\bdo\bo is configured with the
+ --with-logincap option. This flag is _\bo_\bf_\bf by default.
+
+ visiblepw By default, s\bsu\bud\bdo\bo will refuse to run if the user must
+ enter a password but it is not possible to disable echo
+ on the terminal. If the _\bv_\bi_\bs_\bi_\bb_\bl_\be_\bp_\bw flag is set, s\bsu\bud\bdo\bo
+ will prompt for a password even when it would be
+ visible on the screen. This makes it possible to run
+ things like "rsh somehost sudo ls" since _\br_\bs_\bh(1) does
+ not allocate a tty. This flag is _\bo_\bf_\bf by default.
-1.6.8p12 June, 20 2005 13
+ I\bIn\bnt\bte\beg\bge\ber\brs\bs:
+ closefrom Before it executes a command, s\bsu\bud\bdo\bo will close all open
+ file descriptors other than standard input, standard
+ output and standard error (ie: file descriptors 0-2).
+ The _\bc_\bl_\bo_\bs_\be_\bf_\br_\bo_\bm option can be used to specify a different
+ file descriptor at which to start closing. The default
+ is 3.
+ passwd_tries The number of tries a user gets to enter his/her
+ password before s\bsu\bud\bdo\bo logs the failure and exits. The
+ default is 3.
+ I\bIn\bnt\bte\beg\bge\ber\brs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
+ loglinelen Number of characters per line for the file log. This
+ value is used to decide when to wrap lines for nicer
+ log files. This has no effect on the syslog log file,
+ only the file log. The default is 80 (use 0 or negate
+ the option to disable word wrap).
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- user's environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option
- is in effect. This allows fine-grained con
- trol over the environment s\bsu\bud\bdo\bo-spawned pro
- cesses will receive. The argument may be a
- double-quoted, space-separated list or a sin
- gle value without double-quotes. The list can
- be replaced, added to, deleted from, or dis
- abled by using the =, +=, -=, and ! operators
- respectively. This list has no default mem
- bers.
- When logging via _\bs_\by_\bs_\bl_\bo_\bg(3), s\bsu\bud\bdo\bo accepts the following
- values for the syslog facility (the value of the s\bsy\bys\bsl\blo\bog\bg
- Parameter): a\bau\but\bth\bhp\bpr\bri\biv\bv (if your OS supports it), a\bau\but\bth\bh, d\bda\bae\be\b
- m\bmo\bon\bn, u\bus\bse\ber\br, l\blo\boc\bca\bal\bl0\b0, l\blo\boc\bca\bal\bl1\b1, l\blo\boc\bca\bal\bl2\b2, l\blo\boc\bca\bal\bl3\b3, l\blo\boc\bca\bal\bl4\b4, l\blo\boc\bca\bal\bl5\b5,
- l\blo\boc\bca\bal\bl6\b6, and l\blo\boc\bca\bal\bl7\b7. The following syslog priorities are
- supported: a\bal\ble\ber\brt\bt, c\bcr\bri\bit\bt, d\bde\beb\bbu\bug\bg, e\bem\bme\ber\brg\bg, e\ber\brr\br, i\bin\bnf\bfo\bo, n\bno\bot\bti\bic\bce\be,
- and w\bwa\bar\brn\bni\bin\bng\bg.
+1.7.2p6 April 7, 2010 14
- U\bUs\bse\ber\br S\bSp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn
- User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
- (':' Host_List '=' Cmnd_Spec_List)*
- Cmnd_Spec_List ::= Cmnd_Spec |
- Cmnd_Spec ',' Cmnd_Spec_List
- Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
- Runas_Spec ::= '(' Runas_List ')'
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:')
- A u\bus\bse\ber\br s\bsp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn determines which commands a user may
- run (and as what user) on specified hosts. By default,
- commands are run as r\bro\boo\bot\bt, but this can be changed on a
- per-command basis.
+ passwd_timeout Number of minutes before the s\bsu\bud\bdo\bo password prompt times
+ out. The default is 5; set this to 0 for no password
+ timeout.
- Let's break that down into its constituent parts:
+ timestamp_timeout
+ Number of minutes that can elapse before s\bsu\bud\bdo\bo will ask
+ for a passwd again. The default is 5. Set this to 0
+ to always prompt for a password. If set to a value
+ less than 0 the user's timestamp will never expire.
+ This can be used to allow users to create or delete
+ their own timestamps via sudo -v and sudo -k
+ respectively.
+
+ umask Umask to use when running the command. Negate this
+ option or set it to 0777 to preserve the user's umask.
+ The actual umask that is used will be the union of the
+ user's umask and 0022. This guarantees that s\bsu\bud\bdo\bo never
+ lowers the umask when running a command. Note on
+ systems that use PAM, the default PAM configuration may
+ specify its own umask which will override the value set
+ in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+
+ S\bSt\btr\bri\bin\bng\bgs\bs:
- R\bRu\bun\bna\bas\bs_\b_S\bSp\bpe\bec\bc
+ badpass_message Message that is displayed if a user enters an incorrect
+ password. The default is Sorry, try again. unless
+ insults are enabled.
- A Runas_Spec is simply a Runas_List (as defined above)
- enclosed in a set of parentheses. If you do not specify a
- Runas_Spec in the user specification, a default Runas_Spec
- of r\bro\boo\bot\bt will be used. A Runas_Spec sets the default for
- commands that follow it. What this means is that for the
- entry:
+ editor A colon (':') separated list of editors allowed to be
+ used with v\bvi\bis\bsu\bud\bdo\bo. v\bvi\bis\bsu\bud\bdo\bo will choose the editor that
+ matches the user's EDITOR environment variable if
+ possible, or the first editor in the list that exists
+ and is executable. The default is the path to vi on
+ your system.
- dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
+ mailsub Subject of the mail sent to the _\bm_\ba_\bi_\bl_\bt_\bo user. The escape
+ %h will expand to the hostname of the machine. Default
+ is *** SECURITY information for %h ***.
- The user d\bdg\bgb\bb may run _\b/_\bb_\bi_\bn_\b/_\bl_\bs, _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm
- -- but only as o\bop\bpe\ber\bra\bat\bto\bor\br. E.g.,
+ noexec_file Path to a shared library containing dummy versions of
+ the _\be_\bx_\be_\bc_\bv_\b(_\b), _\be_\bx_\be_\bc_\bv_\be_\b(_\b) and _\bf_\be_\bx_\be_\bc_\bv_\be_\b(_\b) library functions
+ that just return an error. This is used to implement
+ the _\bn_\bo_\be_\bx_\be_\bc functionality on systems that support
+ LD_PRELOAD or its equivalent. Defaults to
+ _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc_\b/_\bs_\bu_\bd_\bo_\b__\bn_\bo_\be_\bx_\be_\bc_\b._\bs_\bo.
+ passprompt The default prompt to use when asking for a password;
+ can be overridden via the -\b-p\bp option or the SUDO_PROMPT
+ environment variable. The following percent (`%')
+ escapes are supported:
+ %H expanded to the local hostname including the domain
+ name (on if the machine's hostname is fully
+ qualified or the _\bf_\bq_\bd_\bn option is set)
-1.6.8p12 June, 20 2005 14
+
+1.7.2p6 April 7, 2010 15
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- $ sudo -u operator /bin/ls.
+ %h expanded to the local hostname without the domain
+ name
- It is also possible to override a Runas_Spec later on in
- an entry. If we modify the entry like so:
+ %p expanded to the user whose password is being asked
+ for (respects the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and _\br_\bu_\bn_\ba_\bs_\bp_\bw
+ flags in _\bs_\bu_\bd_\bo_\be_\br_\bs)
- dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
+ %U expanded to the login name of the user the command
+ will be run as (defaults to root)
- Then user d\bdg\bgb\bb is now allowed to run _\b/_\bb_\bi_\bn_\b/_\bl_\bs as o\bop\bpe\ber\bra\bat\bto\bor\br,
- but _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as r\bro\boo\bot\bt.
+ %u expanded to the invoking user's login name
- T\bTa\bag\bg_\b_S\bSp\bpe\bec\bc
+ %% two consecutive % characters are collapsed into a
+ single % character
- A command may have zero or more tags associated with it.
- There are four possible tag values, NOPASSWD, PASSWD,
- NOEXEC, EXEC. Once a tag is set on a Cmnd, subsequent
- Cmnds in the Cmnd_Spec_List, inherit the tag unless it is
- overridden by the opposite tag (ie: PASSWD overrides
- NOPASSWD and EXEC overrides NOEXEC).
+ The default value is Password:.
- _\bN_\bO_\bP_\bA_\bS_\bS_\bW_\bD _\ba_\bn_\bd _\bP_\bA_\bS_\bS_\bW_\bD
+ runas_default The default user to run commands as if the -\b-u\bu option is
+ not specified on the command line. This defaults to
+ root. Note that if _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt is set it m\bmu\bus\bst\bt occur
+ before any Runas_Alias specifications.
- By default, s\bsu\bud\bdo\bo requires that a user authenticate him or
- herself before running a command. This behavior can be
- modified via the NOPASSWD tag. Like a Runas_Spec, the
- NOPASSWD tag sets a default for the commands that follow
- it in the Cmnd_Spec_List. Conversely, the PASSWD tag can
- be used to reverse things. For example:
+ syslog_badpri Syslog priority to use when user authenticates
+ unsuccessfully. Defaults to alert.
- ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
+ syslog_goodpri Syslog priority to use when user authenticates
+ successfully. Defaults to notice.
- would allow the user r\bra\bay\by to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, _\b/_\bb_\bi_\bn_\b/_\bl_\bs, and
- _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as root on the machine rushmore as r\bro\boo\bot\bt
- without authenticating himself. If we only want r\bra\bay\by to be
- able to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl without a password the entry would
- be:
+ sudoers_locale Locale to use when parsing the sudoers file. Note that
+ changing the locale may affect how sudoers is
+ interpreted. Defaults to "C".
- ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
+ timestampdir The directory in which s\bsu\bud\bdo\bo stores its timestamp files.
+ The default is _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo.
- Note, however, that the PASSWD tag has no effect on users
- who are in the group specified by the exempt_group option.
+ timestampowner The owner of the timestamp directory and the timestamps
+ stored therein. The default is root.
- By default, if the NOPASSWD tag is applied to any of the
- entries for a user on the current host, he or she will be
- able to run sudo -l without a password. Additionally, a
- user may only run sudo -v without a password if the
- NOPASSWD tag is present for all a user's entries that per
- tain to the current host. This behavior may be overridden
- via the verifypw and listpw options.
+ S\bSt\btr\bri\bin\bng\bgs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
- _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC
+ askpass The _\ba_\bs_\bk_\bp_\ba_\bs_\bs option specifies the fully qualified path to a
+ helper program used to read the user's password when no
+ terminal is available. This may be the case when s\bsu\bud\bdo\bo is
+ executed from a graphical (as opposed to text-based)
+ application. The program specified by _\ba_\bs_\bk_\bp_\ba_\bs_\bs should
+ display the argument passed to it as the prompt and write
+ the user's password to the standard output. The value of
+ _\ba_\bs_\bk_\bp_\ba_\bs_\bs may be overridden by the SUDO_ASKPASS environment
+ variable.
- If sudo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the
- underlying operating system support it, the NOEXEC tag can
- be used to prevent a dynamically-linked executable from
+ env_file The _\be_\bn_\bv_\b__\bf_\bi_\bl_\be options specifies the fully qualified path to
+ a file containing variables to be set in the environment of
+ the program being run. Entries in this file should either
+ be of the form VARIABLE=value or export VARIABLE=value.
-1.6.8p12 June, 20 2005 15
+1.7.2p6 April 7, 2010 16
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- running further commands itself.
+ The value may optionally be surrounded by single or double
+ quotes. Variables in this file are subject to other s\bsu\bud\bdo\bo
+ environment settings such as _\be_\bn_\bv_\b__\bk_\be_\be_\bp and _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk.
- In the following example, user a\baa\bar\bro\bon\bn may run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be
- and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi but shell escapes will be disabled.
+ exempt_group
+ Users in this group are exempt from password and PATH
+ requirements. This is not set by default.
- aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+ lecture This option controls when a short lecture will be printed
+ along with the password prompt. It has the following
+ possible values:
- See the "PREVENTING SHELL ESCAPES" section below for more
- details on how _\bn_\bo_\be_\bx_\be_\bc works and whether or not it will
- work on your system.
+ always Always lecture the user.
- W\bWi\bil\bld\bdc\bca\bar\brd\bds\bs
+ never Never lecture the user.
- s\bsu\bud\bdo\bo allows shell-style _\bw_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs (aka meta or glob char
- acters) to be used in pathnames as well as command line
- arguments in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. Wildcard matching is done
- via the P\bPO\bOS\bSI\bIX\bX _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) routine. Note that these are _\bn_\bo_\bt
- regular expressions.
+ once Only lecture the user the first time they run s\bsu\bud\bdo\bo.
- * Matches any set of zero or more characters.
+ If no value is specified, a value of _\bo_\bn_\bc_\be is implied.
+ Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
+ The default value is _\bo_\bn_\bc_\be.
- ? Matches any single character.
+ lecture_file
+ Path to a file containing an alternate s\bsu\bud\bdo\bo lecture that
+ will be used in place of the standard lecture if the named
+ file exists. By default, s\bsu\bud\bdo\bo uses a built-in lecture.
- [...] Matches any character in the specified range.
+ listpw This option controls when a password will be required when
+ a user runs s\bsu\bud\bdo\bo with the -\b-l\bl option. It has the following
+ possible values:
- [!...] Matches any character n\bno\bot\bt in the specified range.
+ all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the current host
+ must have the NOPASSWD flag set to avoid entering a
+ password.
- \x For any character "x", evaluates to "x". This is
- used to escape special characters such as: "*",
- "?", "[", and "}".
+ always The user must always enter a password to use the -\b-l\bl
+ option.
- Note that a forward slash ('/') will n\bno\bot\bt be matched by
- wildcards used in the pathname. When matching the command
- line arguments, however, a slash d\bdo\boe\bes\bs get matched by wild
- cards. This is to make a path like:
+ any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the
+ current host must have the NOPASSWD flag set to
+ avoid entering a password.
- /usr/bin/*
+ never The user need never enter a password to use the -\b-l\bl
+ option.
- match _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bw_\bh_\bo but not _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bX_\b1_\b1_\b/_\bx_\bt_\be_\br_\bm.
+ If no value is specified, a value of _\ba_\bn_\by is implied.
+ Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
+ The default value is _\ba_\bn_\by.
- WARNING: a pathname with wildcards will n\bno\bot\bt match a user
- command that consists of a relative path. In other words,
- given the following _\bs_\bu_\bd_\bo_\be_\br_\bs entry:
+ logfile Path to the s\bsu\bud\bdo\bo log file (not the syslog log file).
+ Setting a path turns on logging to a file; negating this
+ option turns it off. By default, s\bsu\bud\bdo\bo logs via syslog.
- billy workstation = /usr/bin/*
+ mailerflags Flags to use when invoking mailer. Defaults to -\b-t\bt.
- user billy will be able to run any command in /usr/bin as
- root, such as _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bw. The following two command will
- be allowed (the first assumes that _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn is in the
- user's path):
- $ sudo w
- $ sudo /usr/bin/w
+1.7.2p6 April 7, 2010 17
-1.6.8p12 June, 20 2005 16
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ mailerpath Path to mail program used to send warning mail. Defaults
+ to the path to sendmail found at configure time.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ mailfrom Address to use for the "from" address when sending warning
+ and error mail. The address should be enclosed in double
+ quotes (") to protect against s\bsu\bud\bdo\bo interpreting the @ sign.
+ Defaults to the name of the user running s\bsu\bud\bdo\bo.
+ mailto Address to send warning and error mail to. The address
+ should be enclosed in double quotes (") to protect against
+ s\bsu\bud\bdo\bo interpreting the @ sign. Defaults to root.
- However, this will not:
+ secure_path Path used for every command run from s\bsu\bud\bdo\bo. If you don't
+ trust the people running s\bsu\bud\bdo\bo to have a sane PATH
+ environment variable you may want to use this. Another use
+ is if you want to have the "root path" be separate from the
+ "user path." Users in the group specified by the
+ _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option are not affected by _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh. This
+ option is not set by default.
- $ cd /usr/bin
- $ sudo ./w
+ syslog Syslog facility if syslog is being used for logging (negate
+ to disable syslog logging). Defaults to local2.
- For this reason you should only g\bgr\bra\ban\bnt\bt access to commands
- using wildcards and never r\bre\bes\bst\btr\bri\bic\bct\bt access using them.
- This limitation will be removed in a future version of
- s\bsu\bud\bdo\bo.
+ verifypw This option controls when a password will be required when
+ a user runs s\bsu\bud\bdo\bo with the -\b-v\bv option. It has the following
+ possible values:
- E\bEx\bxc\bce\bep\bpt\bti\bio\bon\bns\bs t\bto\bo w\bwi\bil\bld\bdc\bca\bar\brd\bd r\bru\bul\ble\bes\bs
+ all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the current host
+ must have the NOPASSWD flag set to avoid entering a
+ password.
- The following exceptions apply to the above rules:
-
- "" If the empty string "" is the only command line
- argument in the _\bs_\bu_\bd_\bo_\be_\br_\bs entry it means that com
- mand is not allowed to be run with a\ban\bny\by arguments.
-
- O\bOt\bth\bhe\ber\br s\bsp\bpe\bec\bci\bia\bal\bl c\bch\bha\bar\bra\bac\bct\bte\ber\brs\bs a\ban\bnd\bd r\bre\bes\bse\ber\brv\bve\bed\bd w\bwo\bor\brd\bds\bs
-
- The pound sign ('#') is used to indicate a comment (unless
- it occurs in the context of a user name and is followed by
- one or more digits, in which case it is treated as a uid).
- Both the comment character and any text after it, up to
- the end of the line, are ignored.
-
- The reserved word A\bAL\bLL\bL is a built-in _\ba_\bl_\bi_\ba_\bs that always
- causes a match to succeed. It can be used wherever one
- might otherwise use a Cmnd_Alias, User_Alias, Runas_Alias,
- or Host_Alias. You should not try to define your own
- _\ba_\bl_\bi_\ba_\bs called A\bAL\bLL\bL as the built-in alias will be used in
- preference to your own. Please note that using A\bAL\bLL\bL can be
- dangerous since in a command context, it allows the user
- to run a\ban\bny\by command on the system.
-
- An exclamation point ('!') can be used as a logical _\bn_\bo_\bt
- operator both in an _\ba_\bl_\bi_\ba_\bs and in front of a Cmnd. This
- allows one to exclude certain values. Note, however, that
- using a ! in conjunction with the built-in ALL alias to
- allow a user to run "all but a few" commands rarely works
- as intended (see SECURITY NOTES below).
+ always The user must always enter a password to use the -\b-v\bv
+ option.
- Long lines can be continued with a backslash ('\') as the
- last character on the line.
+ any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the
+ current host must have the NOPASSWD flag set to
+ avoid entering a password.
- Whitespace between elements in a list as well as special
- syntactic characters in a _\bU_\bs_\be_\br _\bS_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn ('=', ':',
- '(', ')') is optional.
+ never The user need never enter a password to use the -\b-v\bv
+ option.
- The following characters must be escaped with a backslash
- ('\') when used as part of a word (e.g. a username or
- hostname): '@', '!', '=', ':', ',', '(', ')', '\'.
+ If no value is specified, a value of _\ba_\bl_\bl is implied.
+ Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
+ The default value is _\ba_\bl_\bl.
+ L\bLi\bis\bst\bts\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
+ env_check Environment variables to be removed from the user's
+ environment if the variable's value contains % or /
+ characters. This can be used to guard against printf-
+ style format vulnerabilities in poorly-written
+ programs. The argument may be a double-quoted, space-
+ separated list or a single value without double-quotes.
+ The list can be replaced, added to, deleted from, or
-1.6.8p12 June, 20 2005 17
+1.7.2p6 April 7, 2010 18
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ disabled by using the =, +=, -=, and ! operators
+ respectively. Regardless of whether the env_reset
+ option is enabled or disabled, variables specified by
+ env_check will be preserved in the environment if they
+ pass the aforementioned check. The default list of
+ environment variables to check is displayed when s\bsu\bud\bdo\bo
+ is run by root with the _\b-_\bV option.
+
+ env_delete Environment variables to be removed from the user's
+ environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is not in effect.
+ The argument may be a double-quoted, space-separated
+ list or a single value without double-quotes. The list
+ can be replaced, added to, deleted from, or disabled by
+ using the =, +=, -=, and ! operators respectively. The
+ default list of environment variables to remove is
+ displayed when s\bsu\bud\bdo\bo is run by root with the _\b-_\bV option.
+ Note that many operating systems will remove
+ potentially dangerous variables from the environment of
+ any setuid process (such as s\bsu\bud\bdo\bo).
+
+ env_keep Environment variables to be preserved in the user's
+ environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is in effect.
+ This allows fine-grained control over the environment
+ s\bsu\bud\bdo\bo-spawned processes will receive. The argument may
+ be a double-quoted, space-separated list or a single
+ value without double-quotes. The list can be replaced,
+ added to, deleted from, or disabled by using the =, +=,
+ -=, and ! operators respectively. The default list of
+ variables to keep is displayed when s\bsu\bud\bdo\bo is run by root
+ with the _\b-_\bV option.
+
+ When logging via _\bs_\by_\bs_\bl_\bo_\bg(3), s\bsu\bud\bdo\bo accepts the following values for the
+ syslog facility (the value of the s\bsy\bys\bsl\blo\bog\bg Parameter): a\bau\but\bth\bhp\bpr\bri\biv\bv (if your
+ OS supports it), a\bau\but\bth\bh, d\bda\bae\bem\bmo\bon\bn, u\bus\bse\ber\br, l\blo\boc\bca\bal\bl0\b0, l\blo\boc\bca\bal\bl1\b1, l\blo\boc\bca\bal\bl2\b2, l\blo\boc\bca\bal\bl3\b3,
+ l\blo\boc\bca\bal\bl4\b4, l\blo\boc\bca\bal\bl5\b5, l\blo\boc\bca\bal\bl6\b6, and l\blo\boc\bca\bal\bl7\b7. The following syslog priorities
+ are supported: a\bal\ble\ber\brt\bt, c\bcr\bri\bit\bt, d\bde\beb\bbu\bug\bg, e\bem\bme\ber\brg\bg, e\ber\brr\br, i\bin\bnf\bfo\bo, n\bno\bot\bti\bic\bce\be, and
+ w\bwa\bar\brn\bni\bin\bng\bg.
+
F\bFI\bIL\bLE\bES\bS
- /etc/sudoers List of who can run what
- /etc/group Local groups file
- /etc/netgroup List of network groups
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
-E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
- Since the _\bs_\bu_\bd_\bo_\be_\br_\bs file is parsed in a single pass, order
- is important. In general, you should structure _\bs_\bu_\bd_\bo_\be_\br_\bs
- such that the Host_Alias, User_Alias, and Cmnd_Alias spec
- ifications come first, followed by any Default_Entry
- lines, and finally the Runas_Alias and user specifica
- tions. The basic rule of thumb is you cannot reference an
- Alias that has not already been defined.
+ _\b/_\be_\bt_\bc_\b/_\bg_\br_\bo_\bu_\bp Local groups file
- Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of
- these are a bit contrived. First, we define our _\ba_\bl_\bi_\ba_\bs_\be_\bs:
+ _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bg_\br_\bo_\bu_\bp List of network groups
+
+E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
+ Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of these are a bit
+ contrived. First, we define our _\ba_\bl_\bi_\ba_\bs_\be_\bs:
# User alias specification
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
User_Alias WEBMASTERS = will, wendy, wim
+
+
+
+1.7.2p6 April 7, 2010 19
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
# Runas alias specification
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
+ Runas_Alias ADMINGRP = adm, oper
# Host alias specification
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
/usr/local/bin/tcsh, /usr/bin/rsh, \
/usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
+ Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
+
+ Here we override some of the compiled in default values. We want s\bsu\bud\bdo\bo
+ to log via _\bs_\by_\bs_\bl_\bo_\bg(3) using the _\ba_\bu_\bt_\bh facility in all cases. We don't
+ want to subject the full time staff to the s\bsu\bud\bdo\bo lecture, user m\bmi\bil\bll\ble\ber\brt\bt
+ need not give a password, and we don't want to reset the LOGNAME, USER
+ or USERNAME environment variables when running commands as root.
+ Additionally, on the machines in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, we keep an
+ additional local log file and make sure we log the year in each log
+ line since the log entries will be kept around for several years.
+ Lastly, we disable shell escapes for the commands in the PAGERS
+ Cmnd_Alias (_\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be, _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bp_\bg and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\be_\bs_\bs).
- Here we override some of the compiled in default values.
- We want s\bsu\bud\bdo\bo to log via _\bs_\by_\bs_\bl_\bo_\bg(3) using the _\ba_\bu_\bt_\bh facility
- in all cases. We don't want to subject the full time
- staff to the s\bsu\bud\bdo\bo lecture, user m\bmi\bil\bll\ble\ber\brt\bt need not give a
- password, and we don't want to reset the LOGNAME or USER
-
+ # Override built-in defaults
+ Defaults syslog=auth
+ Defaults>root !set_logname
+ Defaults:FULLTIMERS !lecture
+ Defaults:millert !authenticate
+ Defaults@SERVERS log_year, logfile=/var/log/sudo.log
+ Defaults!PAGERS noexec
+ The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually determines who may run
+ what.
-1.6.8p12 June, 20 2005 18
+ root ALL = (ALL) ALL
+ %wheel ALL = (ALL) ALL
+1.7.2p6 April 7, 2010 20
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- environment variables when running commands as root.
- Additionally, on the machines in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias,
- we keep an additional local log file and make sure we log
- the year in each log line since the log entries will be
- kept around for several years.
- # Override built-in defaults
- Defaults syslog=auth
- Defaults>root !set_logname
- Defaults:FULLTIMERS !lecture
- Defaults:millert !authenticate
- Defaults@SERVERS log_year, logfile=/var/log/sudo.log
- The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually deter
- mines who may run what.
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- root ALL = (ALL) ALL
- %wheel ALL = (ALL) ALL
- We let r\bro\boo\bot\bt and any user in group w\bwh\bhe\bee\bel\bl run any command on
- any host as any user.
+ We let r\bro\boo\bot\bt and any user in group w\bwh\bhe\bee\bel\bl run any command on any host as
+ any user.
FULLTIMERS ALL = NOPASSWD: ALL
- Full time sysadmins (m\bmi\bil\bll\ble\ber\brt\bt, m\bmi\bik\bke\bef\bf, and d\bdo\bow\bwd\bdy\by) may run
- any command on any host without authenticating themselves.
+ Full time sysadmins (m\bmi\bil\bll\ble\ber\brt\bt, m\bmi\bik\bke\bef\bf, and d\bdo\bow\bwd\bdy\by) may run any command on
+ any host without authenticating themselves.
PARTTIMERS ALL = ALL
- Part time sysadmins (b\bbo\bos\bst\btl\ble\bey\by, j\bjw\bwf\bfo\box\bx, and c\bcr\bra\baw\bwl\bl) may run
- any command on any host but they must authenticate them
- selves first (since the entry lacks the NOPASSWD tag).
+ Part time sysadmins (b\bbo\bos\bst\btl\ble\bey\by, j\bjw\bwf\bfo\box\bx, and c\bcr\bra\baw\bwl\bl) may run any command on
+ any host but they must authenticate themselves first (since the entry
+ lacks the NOPASSWD tag).
jack CSNETS = ALL
- The user j\bja\bac\bck\bk may run any command on the machines in the
- _\bC_\bS_\bN_\bE_\bT_\bS alias (the networks 128.138.243.0, 128.138.204.0,
- and 128.138.242.0). Of those networks, only 128.138.204.0
- has an explicit netmask (in CIDR notation) indicating it
- is a class C network. For the other networks in _\bC_\bS_\bN_\bE_\bT_\bS,
- the local machine's netmask will be used during matching.
+ The user j\bja\bac\bck\bk may run any command on the machines in the _\bC_\bS_\bN_\bE_\bT_\bS alias
+ (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of
+ those networks, only 128.138.204.0 has an explicit netmask (in CIDR
+ notation) indicating it is a class C network. For the other networks
+ in _\bC_\bS_\bN_\bE_\bT_\bS, the local machine's netmask will be used during matching.
lisa CUNETS = ALL
- The user l\bli\bis\bsa\ba may run any command on any host in the
- _\bC_\bU_\bN_\bE_\bT_\bS alias (the class B network 128.138.0.0).
+ The user l\bli\bis\bsa\ba may run any command on any host in the _\bC_\bU_\bN_\bE_\bT_\bS alias (the
+ class B network 128.138.0.0).
operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
sudoedit /etc/printcap, /usr/oper/bin/
- The o\bop\bpe\ber\bra\bat\bto\bor\br user may run commands limited to simple main
- tenance. Here, those are commands related to backups,
- killing processes, the printing system, shutting down the
- system, and any commands in the directory _\b/_\bu_\bs_\br_\b/_\bo_\bp_\be_\br_\b/_\bb_\bi_\bn_\b/.
+ The o\bop\bpe\ber\bra\bat\bto\bor\br user may run commands limited to simple maintenance.
+ Here, those are commands related to backups, killing processes, the
+ printing system, shutting down the system, and any commands in the
+ directory _\b/_\bu_\bs_\br_\b/_\bo_\bp_\be_\br_\b/_\bb_\bi_\bn_\b/.
+ joe ALL = /usr/bin/su operator
+ The user j\bjo\boe\be may only _\bs_\bu(1) to operator.
-1.6.8p12 June, 20 2005 19
+ pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
+ %opers ALL = (: ADMINGRP) /usr/sbin/
+ Users in the o\bop\bpe\ber\brs\bs group may run commands in _\b/_\bu_\bs_\br_\b/_\bs_\bb_\bi_\bn_\b/ as themselves
+ with any group in the _\bA_\bD_\bM_\bI_\bN_\bG_\bR_\bP Runas_Alias (the a\bad\bdm\bm and o\bop\bpe\ber\br groups).
+ The user p\bpe\bet\bte\be is allowed to change anyone's password except for root on
+ the _\bH_\bP_\bP_\bA machines. Note that this assumes _\bp_\ba_\bs_\bs_\bw_\bd(1) does not take
+ multiple usernames on the command line.
+ bob SPARC = (OP) ALL : SGI = (OP) ALL
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ The user b\bbo\bob\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI machines as any user
+ listed in the _\bO_\bP Runas_Alias (r\bro\boo\bot\bt and o\bop\bpe\ber\bra\bat\bto\bor\br).
- joe ALL = /usr/bin/su operator
- The user j\bjo\boe\be may only _\bs_\bu(1) to operator.
+1.7.2p6 April 7, 2010 21
- pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
- The user p\bpe\bet\bte\be is allowed to change anyone's password
- except for root on the _\bH_\bP_\bP_\bA machines. Note that this
- assumes _\bp_\ba_\bs_\bs_\bw_\bd(1) does not take multiple usernames on the
- command line.
- bob SPARC = (OP) ALL : SGI = (OP) ALL
- The user b\bbo\bob\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI
- machines as any user listed in the _\bO_\bP Runas_Alias (r\bro\boo\bot\bt
- and o\bop\bpe\ber\bra\bat\bto\bor\br).
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
jim +biglab = ALL
- The user j\bji\bim\bm may run any command on machines in the _\bb_\bi_\bg_\bl_\ba_\bb
- netgroup. S\bSu\bud\bdo\bo knows that "biglab" is a netgroup due to
- the '+' prefix.
+ The user j\bji\bim\bm may run any command on machines in the _\bb_\bi_\bg_\bl_\ba_\bb netgroup.
+ s\bsu\bud\bdo\bo knows that "biglab" is a netgroup due to the '+' prefix.
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
- Users in the s\bse\bec\bcr\bre\bet\bta\bar\bri\bie\bes\bs netgroup need to help manage the
- printers as well as add and remove users, so they are
- allowed to run those commands on all machines.
+ Users in the s\bse\bec\bcr\bre\bet\bta\bar\bri\bie\bes\bs netgroup need to help manage the printers as
+ well as add and remove users, so they are allowed to run those commands
+ on all machines.
fred ALL = (DB) NOPASSWD: ALL
- The user f\bfr\bre\bed\bd can run commands as any user in the _\bD_\bB
- Runas_Alias (o\bor\bra\bac\bcl\ble\be or s\bsy\byb\bba\bas\bse\be) without giving a password.
+ The user f\bfr\bre\bed\bd can run commands as any user in the _\bD_\bB Runas_Alias
+ (o\bor\bra\bac\bcl\ble\be or s\bsy\byb\bba\bas\bse\be) without giving a password.
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
- On the _\bA_\bL_\bP_\bH_\bA machines, user j\bjo\boh\bhn\bn may su to anyone except
- root but he is not allowed to give _\bs_\bu(1) any flags.
+ On the _\bA_\bL_\bP_\bH_\bA machines, user j\bjo\boh\bhn\bn may su to anyone except root but he is
+ not allowed to specify any options to the _\bs_\bu(1) command.
jen ALL, !SERVERS = ALL
- The user j\bje\ben\bn may run any command on any machine except for
- those in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias (master, mail, www and
- ns).
+ The user j\bje\ben\bn may run any command on any machine except for those in the
+ _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias (master, mail, www and ns).
jill SERVERS = /usr/bin/, !SU, !SHELLS
- For any machine in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, j\bji\bil\bll\bl may run
- any commands in the directory /usr/bin/ except for those
- commands belonging to the _\bS_\bU and _\bS_\bH_\bE_\bL_\bL_\bS Cmnd_Aliases.
+ For any machine in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, j\bji\bil\bll\bl may run any commands in
+ the directory _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/ except for those commands belonging to the _\bS_\bU
+ and _\bS_\bH_\bE_\bL_\bL_\bS Cmnd_Aliases.
steve CSNETS = (operator) /usr/local/op_commands/
The user s\bst\bte\bev\bve\be may run any command in the directory
+ /usr/local/op_commands/ but only as user operator.
+ matt valkyrie = KILL
+ On his personal workstation, valkyrie, m\bma\bat\btt\bt needs to be able to kill
+ hung processes.
-1.6.8p12 June, 20 2005 20
+ WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
+ On the host www, any user in the _\bW_\bE_\bB_\bM_\bA_\bS_\bT_\bE_\bR_\bS User_Alias (will, wendy,
+ and wim), may run any command as user www (which owns the web pages) or
+ simply _\bs_\bu(1) to www.
+ ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
+ /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
+ Any user may mount or unmount a CD-ROM on the machines in the CDROM
+ Host_Alias (orion, perseus, hercules) without entering a password.
+ This is a bit tedious for users to type, so it is a prime candidate for
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+1.7.2p6 April 7, 2010 22
- /usr/local/op_commands/ but only as user operator.
- matt valkyrie = KILL
- On his personal workstation, valkyrie, m\bma\bat\btt\bt needs to be
- able to kill hung processes.
- WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
- On the host www, any user in the _\bW_\bE_\bB_\bM_\bA_\bS_\bT_\bE_\bR_\bS User_Alias
- (will, wendy, and wim), may run any command as user www
- (which owns the web pages) or simply _\bs_\bu(1) to www.
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
- /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
- Any user may mount or unmount a CD-ROM on the machines in
- the CDROM Host_Alias (orion, perseus, hercules) without
- entering a password. This is a bit tedious for users to
- type, so it is a prime candidate for encapsulating in a
- shell script.
+ encapsulating in a shell script.
S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
- It is generally not effective to "subtract" commands from
- ALL using the '!' operator. A user can trivially circum
- vent this by copying the desired command to a different
- name and then executing that. For example:
+ It is generally not effective to "subtract" commands from ALL using the
+ '!' operator. A user can trivially circumvent this by copying the
+ desired command to a different name and then executing that. For
+ example:
bill ALL = ALL, !SU, !SHELLS
- Doesn't really prevent b\bbi\bil\bll\bl from running the commands
- listed in _\bS_\bU or _\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those com
- mands to a different name, or use a shell escape from an
- editor or other program. Therefore, these kind of
- restrictions should be considered advisory at best (and
+ Doesn't really prevent b\bbi\bil\bll\bl from running the commands listed in _\bS_\bU or
+ _\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those commands to a different name, or
+ use a shell escape from an editor or other program. Therefore, these
+ kind of restrictions should be considered advisory at best (and
reinforced by policy).
+ Furthermore, if the _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb option is in use, it is not possible to
+ reliably negate commands where the path name includes globbing (aka
+ wildcard) characters. This is because the C library's _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3)
+ function cannot resolve relative paths. While this is typically only
+ an inconvenience for rules that grant privileges, it can result in a
+ security issue for rules that subtract or revoke privileges.
+
+ For example, given the following _\bs_\bu_\bd_\bo_\be_\br_\bs entry:
+
+ john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
+ /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
+
+ User j\bjo\boh\bhn\bn can still run /usr/bin/passwd root if _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is enabled by
+ changing to _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn and running ./passwd root instead.
+
P\bPR\bRE\bEV\bVE\bEN\bNT\bTI\bIN\bNG\bG S\bSH\bHE\bEL\bLL\bL E\bES\bSC\bCA\bAP\bPE\bES\bS
- Once s\bsu\bud\bdo\bo executes a program, that program is free to do
- whatever it pleases, including run other programs. This
- can be a security issue since it is not uncommon for a
- program to allow shell escapes, which lets a user bypass
- s\bsu\bud\bdo\bo's restrictions. Common programs that permit shell
- escapes include shells (obviously), editors, paginators,
- mail and terminal programs.
+ Once s\bsu\bud\bdo\bo executes a program, that program is free to do whatever it
+ pleases, including run other programs. This can be a security issue
+ since it is not uncommon for a program to allow shell escapes, which
+ lets a user bypass s\bsu\bud\bdo\bo's access control and logging. Common programs
+ that permit shell escapes include shells (obviously), editors,
+ paginators, mail and terminal programs.
- Many systems that support shared libraries have the abil
- ity to override default library functions by pointing an
- environment variable (usually LD_PRELOAD) to an alternate
- shared library. On such systems, s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc function
- ality can be used to prevent a program run by sudo from
- executing any other programs. Note, however, that this
- applies only to native dynamically-linked executables.
- Statically-linked executables and foreign executables
+ There are two basic approaches to this problem:
+ restrict Avoid giving users access to commands that allow the user to
+ run arbitrary commands. Many editors have a restricted mode
+ where shell escapes are disabled, though s\bsu\bud\bdo\boe\bed\bdi\bit\bt is a better
+ solution to running editors via s\bsu\bud\bdo\bo. Due to the large
+ number of programs that offer shell escapes, restricting
+ users to the set of programs that do not if often unworkable.
+ noexec Many systems that support shared libraries have the ability
+ to override default library functions by pointing an
+ environment variable (usually LD_PRELOAD) to an alternate
+ shared library. On such systems, s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality
+ can be used to prevent a program run by s\bsu\bud\bdo\bo from executing
+ any other programs. Note, however, that this applies only to
-1.6.8p12 June, 20 2005 21
+
+
+1.7.2p6 April 7, 2010 23
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- running under binary emulation are not affected.
+ native dynamically-linked executables. Statically-linked
+ executables and foreign executables running under binary
+ emulation are not affected.
- To tell whether or not s\bsu\bud\bdo\bo supports _\bn_\bo_\be_\bx_\be_\bc, you can run
- the following as root:
+ To tell whether or not s\bsu\bud\bdo\bo supports _\bn_\bo_\be_\bx_\be_\bc, you can run the
+ following as root:
- sudo -V | grep "dummy exec"
+ sudo -V | grep "dummy exec"
- If the resulting output contains a line that begins with:
+ If the resulting output contains a line that begins with:
- File containing dummy exec functions:
+ File containing dummy exec functions:
- then s\bsu\bud\bdo\bo may be able to replace the exec family of func
- tions in the standard library with its own that simply
- return an error. Unfortunately, there is no foolproof way
- to know whether or not _\bn_\bo_\be_\bx_\be_\bc will work at compile-time.
- _\bN_\bo_\be_\bx_\be_\bc should work on SunOS, Solaris, *BSD, Linux, IRIX,
- Tru64 UNIX, MacOS X, and HP-UX 11.x. It is known n\bno\bot\bt to
- work on AIX and UnixWare. _\bN_\bo_\be_\bx_\be_\bc is expected to work on
- most operating systems that support the LD_PRELOAD envi
- ronment variable. Check your operating system's manual
- pages for the dynamic linker (usually ld.so, ld.so.1,
- dyld, dld.sl, rld, or loader) to see if LD_PRELOAD is sup
- ported.
+ then s\bsu\bud\bdo\bo may be able to replace the exec family of functions
+ in the standard library with its own that simply return an
+ error. Unfortunately, there is no foolproof way to know
+ whether or not _\bn_\bo_\be_\bx_\be_\bc will work at compile-time. _\bn_\bo_\be_\bx_\be_\bc
+ should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX,
+ MacOS X, and HP-UX 11.x. It is known n\bno\bot\bt to work on AIX and
+ UnixWare. _\bn_\bo_\be_\bx_\be_\bc is expected to work on most operating
+ systems that support the LD_PRELOAD environment variable.
+ Check your operating system's manual pages for the dynamic
+ linker (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader)
+ to see if LD_PRELOAD is supported.
- To enable _\bn_\bo_\be_\bx_\be_\bc for a command, use the NOEXEC tag as doc
- umented in the User Specification section above. Here is
- that example again:
+ To enable _\bn_\bo_\be_\bx_\be_\bc for a command, use the NOEXEC tag as
+ documented in the User Specification section above. Here is
+ that example again:
- aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+ aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
- This allows user a\baa\bar\bro\bon\bn to run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and
- _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi with _\bn_\bo_\be_\bx_\be_\bc enabled. This will prevent those
- two commands from executing other commands (such as a
- shell). If you are unsure whether or not your system is
- capable of supporting _\bn_\bo_\be_\bx_\be_\bc you can always just try it
- out and see if it works.
+ This allows user a\baa\bar\bro\bon\bn to run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi
+ with _\bn_\bo_\be_\bx_\be_\bc enabled. This will prevent those two commands
+ from executing other commands (such as a shell). If you are
+ unsure whether or not your system is capable of supporting
+ _\bn_\bo_\be_\bx_\be_\bc you can always just try it out and see if it works.
- Note that disabling shell escapes is not a panacea. Pro
- grams running as root are still capable of many poten
- tially hazardous operations (such as changing or overwrit
- ing files) that could lead to unintended privilege escala
- tion. In the specific case of an editor, a safer approach
- is to give the user permission to run s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
+ Note that restricting shell escapes is not a panacea. Programs running
+ as root are still capable of many potentially hazardous operations
+ (such as changing or overwriting files) that could lead to unintended
+ privilege escalation. In the specific case of an editor, a safer
+ approach is to give the user permission to run s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\br_\bs_\bh(1), _\bs_\bu(1), _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3), sudo(1m), visudo(1m)
+ _\br_\bs_\bh(1), _\bs_\bu(1), _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3), _\bg_\bl_\bo_\bb(3), _\bs_\bu_\bd_\bo(1m), _\bv_\bi_\bs_\bu_\bd_\bo(8)
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
- The _\bs_\bu_\bd_\bo_\be_\br_\bs file should a\bal\blw\bwa\bay\bys\bs be edited by the v\bvi\bis\bsu\bud\bdo\bo
- command which locks the file and does grammatical check
- ing. It is imperative that _\bs_\bu_\bd_\bo_\be_\br_\bs be free of syntax
- errors since s\bsu\bud\bdo\bo will not run with a syntactically incor
- rect _\bs_\bu_\bd_\bo_\be_\br_\bs file.
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs file should a\bal\blw\bwa\bay\bys\bs be edited by the v\bvi\bis\bsu\bud\bdo\bo command which
+ locks the file and does grammatical checking. It is imperative that
+ _\bs_\bu_\bd_\bo_\be_\br_\bs be free of syntax errors since s\bsu\bud\bdo\bo will not run with a
+ syntactically incorrect _\bs_\bu_\bd_\bo_\be_\br_\bs file.
+ When using netgroups of machines (as opposed to users), if you store
+ fully qualified hostnames in the netgroup (as is usually the case), you
-1.6.8p12 June, 20 2005 22
+1.7.2p6 April 7, 2010 24
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- When using netgroups of machines (as opposed to users), if
- you store fully qualified hostnames in the netgroup (as is
- usually the case), you either need to have the machine's
- hostname be fully qualified as returned by the hostname
- command or use the _\bf_\bq_\bd_\bn option in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+ either need to have the machine's hostname be fully qualified as
+ returned by the hostname command or use the _\bf_\bq_\bd_\bn option in _\bs_\bu_\bd_\bo_\be_\br_\bs.
B\bBU\bUG\bGS\bS
- If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a
- bug report at http://www.sudo.ws/sudo/bugs/
+ If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
+ http://www.sudo.ws/sudo/bugs/
S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Commercial support is available for s\bsu\bud\bdo\bo, see
- http://www.sudo.ws/sudo/support.html for details.
-
- Limited free support is available via the sudo-users mail
- ing list, see http://www.sudo.ws/mail
- man/listinfo/sudo-users to subscribe or search the
- archives.
+ Limited free support is available via the sudo-users mailing list, see
+ http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
+ the archives.
D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- S\bSu\bud\bdo\bo is provided ``AS IS'' and any express or implied war
- ranties, including, but not limited to, the implied war
- ranties of merchantability and fitness for a particular
- purpose are disclaimed. See the LICENSE file distributed
- with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for com
- plete details.
+ s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
+ including, but not limited to, the implied warranties of
+ merchantability and fitness for a particular purpose are disclaimed.
+ See the LICENSE file distributed with s\bsu\bud\bdo\bo or
+ http://www.sudo.ws/sudo/license.html for complete details.
+
+
+
+
+
+
+
+
-1.6.8p12 June, 20 2005 23
+1.7.2p6 April 7, 2010 25