-1.7.2p2 November 24, 2009 1
+1.7.2p6 April 7, 2010 1
-1.7.2p2 November 24, 2009 2
+1.7.2p6 April 7, 2010 2
-1.7.2p2 November 24, 2009 3
+1.7.2p6 April 7, 2010 3
-1.7.2p2 November 24, 2009 4
+1.7.2p6 April 7, 2010 4
-1.7.2p2 November 24, 2009 5
+1.7.2p6 April 7, 2010 5
-1.7.2p2 November 24, 2009 6
+1.7.2p6 April 7, 2010 6
-1.7.2p2 November 24, 2009 7
+1.7.2p6 April 7, 2010 7
-1.7.2p2 November 24, 2009 8
+1.7.2p6 April 7, 2010 8
-1.7.2p2 November 24, 2009 9
+1.7.2p6 April 7, 2010 9
-1.7.2p2 November 24, 2009 10
+1.7.2p6 April 7, 2010 10
-1.7.2p2 November 24, 2009 11
+1.7.2p6 April 7, 2010 11
-1.7.2p2 November 24, 2009 12
+1.7.2p6 April 7, 2010 12
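Review bot: the footer-only hunks above (every page footer rewritten from "1.7.2p2 November 24, 2009" to "1.7.2p6 April 7, 2010") are pagination churn rather than documentation changes, and the same pattern recurs further down wherever a paragraph shifts across a page boundary (for example the targetpw, passwd_timeout and mailerpath blocks are deleted and re-added unchanged). Generate the diff from the nroff source, or from a rendering with page headers and footers suppressed, so the substantive wording changes to the fast_glob option and the SECURITY NOTES section are not buried in moved text.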
causes s\bsu\bud\bdo\bo to use the _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) function, which does
not access the file system to do its matching. The
disadvantage of _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is that it is unable to match
- relative pathnames such as _\b._\b/_\bl_\bs or _\b._\b._\b/_\bb_\bi_\bn_\b/_\bl_\bs. This
- flag is _\bo_\bf_\bf by default.
+ relative pathnames such as _\b._\b/_\bl_\bs or _\b._\b._\b/_\bb_\bi_\bn_\b/_\bl_\bs. This has
+ security implications when path names that include
+ globbing characters are used with the negation
+ operator, '!', as such rules can be trivially bypassed.
+ As such, this option should not be used when _\bs_\bu_\bd_\bo_\be_\br_\bs
+ contains rules that contain negated path names which
+ include globbing characters. This flag is _\bo_\bf_\bf by
+ default.
stay_setuid Normally, when s\bsu\bud\bdo\bo executes a command the real and
effective UIDs are set to the target user (root by
targetpw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
specified by the -\b-u\bu option (defaults to root) instead
- of the password of the invoking user. Note that this
- precludes the use of a uid not listed in the passwd
- database as an argument to the -\b-u\bu option. This flag is
- _\bo_\bf_\bf by default.
-
- tty_tickets If set, users must authenticate on a per-tty basis.
-1.7.2p2 November 24, 2009 13
+1.7.2p6 April 7, 2010 13
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ of the password of the invoking user. Note that this
+ precludes the use of a uid not listed in the passwd
+ database as an argument to the -\b-u\bu option. This flag is
+ _\bo_\bf_\bf by default.
+
+ tty_tickets If set, users must authenticate on a per-tty basis.
Normally, s\bsu\bud\bdo\bo uses a directory in the ticket dir with
the same name as the user running it. With this flag
enabled, s\bsu\bud\bdo\bo will use a file named for the tty the
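Review bot: the added fast_glob text states that negated rules with globbing characters "can be trivially bypassed" but does not tell the reader how or where to look, so add a cross-reference to the worked example in the new SECURITY NOTES paragraph, e.g. "See the SECURITY NOTES section below for an example." The sentence "As such, this option should not be used when sudoers contains rules that contain negated path names which include globbing characters" repeats "contain" awkwardly; "when sudoers contains negated path names that include globbing characters" reads more cleanly and says the same thing.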
only the file log. The default is 80 (use 0 or negate
the option to disable word wrap).
- passwd_timeout Number of minutes before the s\bsu\bud\bdo\bo password prompt times
- out. The default is 5; set this to 0 for no password
- timeout.
- timestamp_timeout
- Number of minutes that can elapse before s\bsu\bud\bdo\bo will ask
-
-1.7.2p2 November 24, 2009 14
+1.7.2p6 April 7, 2010 14
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ passwd_timeout Number of minutes before the s\bsu\bud\bdo\bo password prompt times
+ out. The default is 5; set this to 0 for no password
+ timeout.
+
+ timestamp_timeout
+ Number of minutes that can elapse before s\bsu\bud\bdo\bo will ask
for a passwd again. The default is 5. Set this to 0
to always prompt for a password. If set to a value
less than 0 the user's timestamp will never expire.
name (on if the machine's hostname is fully
qualified or the _\bf_\bq_\bd_\bn option is set)
- %h expanded to the local hostname without the domain
- name
-
- %p expanded to the user whose password is being asked
- for (respects the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and _\br_\bu_\bn_\ba_\bs_\bp_\bw
-
-1.7.2p2 November 24, 2009 15
+1.7.2p6 April 7, 2010 15
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ %h expanded to the local hostname without the domain
+ name
+
+ %p expanded to the user whose password is being asked
+ for (respects the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and _\br_\bu_\bn_\ba_\bs_\bp_\bw
flags in _\bs_\bu_\bd_\bo_\be_\br_\bs)
%U expanded to the login name of the user the command
a file containing variables to be set in the environment of
the program being run. Entries in this file should either
be of the form VARIABLE=value or export VARIABLE=value.
- The value may optionally be surrounded by single or double
- quotes. Variables in this file are subject to other s\bsu\bud\bdo\bo
- environment settings such as _\be_\bn_\bv_\b__\bk_\be_\be_\bp and _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk.
-
-
-1.7.2p2 November 24, 2009 16
+1.7.2p6 April 7, 2010 16
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ The value may optionally be surrounded by single or double
+ quotes. Variables in this file are subject to other s\bsu\bud\bdo\bo
+ environment settings such as _\be_\bn_\bv_\b__\bk_\be_\be_\bp and _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk.
+
exempt_group
Users in this group are exempt from password and PATH
requirements. This is not set by default.
mailerflags Flags to use when invoking mailer. Defaults to -\b-t\bt.
- mailerpath Path to mail program used to send warning mail. Defaults
- to the path to sendmail found at configure time.
-
-
-1.7.2p2 November 24, 2009 17
+1.7.2p6 April 7, 2010 17
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ mailerpath Path to mail program used to send warning mail. Defaults
+ to the path to sendmail found at configure time.
+
mailfrom Address to use for the "from" address when sending warning
and error mail. The address should be enclosed in double
quotes (") to protect against s\bsu\bud\bdo\bo interpreting the @ sign.
programs. The argument may be a double-quoted, space-
separated list or a single value without double-quotes.
The list can be replaced, added to, deleted from, or
- disabled by using the =, +=, -=, and ! operators
- respectively. Regardless of whether the env_reset
- option is enabled or disabled, variables specified by
-1.7.2p2 November 24, 2009 18
+1.7.2p6 April 7, 2010 18
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ disabled by using the =, +=, -=, and ! operators
+ respectively. Regardless of whether the env_reset
+ option is enabled or disabled, variables specified by
env_check will be preserved in the environment if they
pass the aforementioned check. The default list of
environment variables to check is displayed when s\bsu\bud\bdo\bo
User_Alias PARTTIMERS = bostley, jwfox, crawl
User_Alias WEBMASTERS = will, wendy, wim
- # Runas alias specification
- Runas_Alias OP = root, operator
- Runas_Alias DB = oracle, sybase
-1.7.2p2 November 24, 2009 19
+1.7.2p6 April 7, 2010 19
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ # Runas alias specification
+ Runas_Alias OP = root, operator
+ Runas_Alias DB = oracle, sybase
Runas_Alias ADMINGRP = adm, oper
# Host alias specification
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
- We let r\bro\boo\bot\bt and any user in group w\bwh\bhe\bee\bel\bl run any command on any host as
- any user.
-
-1.7.2p2 November 24, 2009 20
+1.7.2p6 April 7, 2010 20
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ We let r\bro\boo\bot\bt and any user in group w\bwh\bhe\bee\bel\bl run any command on any host as
+ any user.
+
FULLTIMERS ALL = NOPASSWD: ALL
Full time sysadmins (m\bmi\bil\bll\ble\ber\brt\bt, m\bmi\bik\bke\bef\bf, and d\bdo\bow\bwd\bdy\by) may run any command on
The user b\bbo\bob\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI machines as any user
listed in the _\bO_\bP Runas_Alias (r\bro\boo\bot\bt and o\bop\bpe\ber\bra\bat\bto\bor\br).
- jim +biglab = ALL
-
-
-1.7.2p2 November 24, 2009 21
+1.7.2p6 April 7, 2010 21
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ jim +biglab = ALL
+
The user j\bji\bim\bm may run any command on machines in the _\bb_\bi_\bg_\bl_\ba_\bb netgroup.
s\bsu\bud\bdo\bo knows that "biglab" is a netgroup due to the '+' prefix.
Any user may mount or unmount a CD-ROM on the machines in the CDROM
Host_Alias (orion, perseus, hercules) without entering a password.
This is a bit tedious for users to type, so it is a prime candidate for
- encapsulating in a shell script.
-
-1.7.2p2 November 24, 2009 22
+1.7.2p6 April 7, 2010 22
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ encapsulating in a shell script.
+
S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
It is generally not effective to "subtract" commands from ALL using the
'!' operator. A user can trivially circumvent this by copying the
kind of restrictions should be considered advisory at best (and
reinforced by policy).
+ Furthermore, if the _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb option is in use, it is not possible to
+ reliably negate commands where the path name includes globbing (aka
+ wildcard) characters. This is because the C library's _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3)
+ function cannot resolve relative paths. While this is typically only
+ an inconvenience for rules that grant privileges, it can result in a
+ security issue for rules that subtract or revoke privileges.
+
+ For example, given the following _\bs_\bu_\bd_\bo_\be_\br_\bs entry:
+
+ john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
+ /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
+
+ User j\bjo\boh\bhn\bn can still run /usr/bin/passwd root if _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is enabled by
+ changing to _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn and running ./passwd root instead.
+
P\bPR\bRE\bEV\bVE\bEN\bNT\bTI\bIN\bNG\bG S\bSH\bHE\bEL\bLL\bL E\bES\bSC\bCA\bAP\bPE\bES\bS
Once s\bsu\bud\bdo\bo executes a program, that program is free to do whatever it
pleases, including run other programs. This can be a security issue
shared library. On such systems, s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality
can be used to prevent a program run by s\bsu\bud\bdo\bo from executing
any other programs. Note, however, that this applies only to
+
+
+
+1.7.2p6 April 7, 2010 23
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
native dynamically-linked executables. Statically-linked
executables and foreign executables running under binary
emulation are not affected.
in the standard library with its own that simply return an
error. Unfortunately, there is no foolproof way to know
whether or not _\bn_\bo_\be_\bx_\be_\bc will work at compile-time. _\bn_\bo_\be_\bx_\be_\bc
-
-
-
-1.7.2p2 November 24, 2009 23
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX,
MacOS X, and HP-UX 11.x. It is known n\bno\bot\bt to work on AIX and
UnixWare. _\bn_\bo_\be_\bx_\be_\bc is expected to work on most operating
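Review bot: in the added SECURITY NOTES paragraph, "the C library's fnmatch(3) function cannot resolve relative paths" is imprecise, since fnmatch(3) resolves no paths at all; the fast_glob option text earlier in this diff already gives the accurate reason, namely that fnmatch(3) "does not access the file system to do its matching", so the relative path ./passwd is compared textually against /usr/bin/* and simply does not match the negated pattern. Suggest rewording to that effect so the two descriptions agree, and tying the example explicitly back to the general advice two paragraphs up that subtracting commands with '!' is "advisory at best", so readers see this as a sharper instance of the existing caveat rather than a new class of problem.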
When using netgroups of machines (as opposed to users), if you store
fully qualified hostnames in the netgroup (as is usually the case), you
+
+
+
+1.7.2p6 April 7, 2010 24
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
either need to have the machine's hostname be fully qualified as
returned by the hostname command or use the _\bf_\bq_\bd_\bn option in _\bs_\bu_\bd_\bo_\be_\br_\bs.
including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose are disclaimed.
See the LICENSE file distributed with s\bsu\bud\bdo\bo or
-
-
-
-1.7.2p2 November 24, 2009 24
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
http://www.sudo.ws/sudo/license.html for complete details.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-1.7.2p2 November 24, 2009 25
+1.7.2p6 April 7, 2010 25