-1.6.9p10 December 17, 2007 1
+1.6.9p15 March 23, 2008 1
-1.6.9p10 December 17, 2007 2
+1.6.9p15 March 23, 2008 2
-1.6.9p10 December 17, 2007 3
+1.6.9p15 March 23, 2008 3
-1.6.9p10 December 17, 2007 4
+1.6.9p15 March 23, 2008 4
-1.6.9p10 December 17, 2007 5
+1.6.9p15 March 23, 2008 5
-1.6.9p10 December 17, 2007 6
+1.6.9p15 March 23, 2008 6
-1.6.9p10 December 17, 2007 7
+1.6.9p15 March 23, 2008 7
-1.6.9p10 December 17, 2007 8
+1.6.9p15 March 23, 2008 8
s\bsu\bud\bdo\bo).
ignore_local_sudoers
- If set via LDAP, parsing of
- @sysconfdir@/sudoers will be skipped.
- This is intended for Enterprises that wish
- to prevent the usage of local sudoers
- files so that only LDAP is used. This
- thwarts the efforts of rogue operators who
- would attempt to add roles to
+ If set via LDAP, parsing of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs
+ will be skipped. This is intended for
+ Enterprises that wish to prevent the usage
+ of local sudoers files so that only LDAP
+ is used. This thwarts the efforts of
+ rogue operators who would attempt to add
+ roles to _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. When this option
-1.6.9p10 December 17, 2007 9
+1.6.9p15 March 23, 2008 9
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- @sysconfdir@/sudoers. When this option is
- present, @sysconfdir@/sudoers does not
- even need to exist. Since this option
- tells s\bsu\bud\bdo\bo how to behave when no specific
- LDAP entries have been matched, this
- sudoOption is only meaningful for the
- cn=defaults section. This flag is _\bo_\bf_\bf by
- default.
+ is present, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs does not even
+ need to exist. Since this option tells
+ s\bsu\bud\bdo\bo how to behave when no specific LDAP
+ entries have been matched, this sudoOption
+ is only meaningful for the cn=defaults
+ section. This flag is _\bo_\bf_\bf by default.
insults If set, s\bsu\bud\bdo\bo will insult users when they
enter an incorrect password. This flag is
user if the invoking user is not in the
_\bs_\bu_\bd_\bo_\be_\br_\bs file. This flag is _\bo_\bn by default.
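Review bot: the real defect in the replaced lines is that rendered output carried the unexpanded `@sysconfdir@` configure placeholder; the replacement hardcodes the underlined `/etc/sudoers`, which matches the FILES section further down but means the rendered text no longer tracks a build that installs sudoers under a different sysconfdir. Confirm the path is substituted when the page is generated rather than written literally into the source, otherwise the ignore_local_sudoers description will name the wrong file on such builds.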
+ noexec If set, all commands run via s\bsu\bud\bdo\bo will
+ behave as if the NOEXEC tag has been set,
-1.6.9p10 December 17, 2007 10
+1.6.9p15 March 23, 2008 10
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- noexec If set, all commands run via s\bsu\bud\bdo\bo will
- behave as if the NOEXEC tag has been set,
unless overridden by a EXEC tag. See the
description of _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC below as
well as the "PREVENTING SHELL ESCAPES"
Note, however, that turning off _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo
will also prevent root and from running
s\bsu\bud\bdo\boe\bed\bdi\bit\bt. Disabling _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo provides no
+ real additional security; it exists purely
+ for historical reasons. This flag is _\bo_\bn
-1.6.9p10 December 17, 2007 11
+1.6.9p15 March 23, 2008 11
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- real additional security; it exists purely
- for historical reasons. This flag is _\bo_\bn
by default.
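Review bot: the context line "will also prevent root and from running sudoedit" just above the reflowed root_sudo lines has a stray "and"; since this paragraph is being moved across the page break anyway, fix it in the source so the regenerated page reads "will also prevent root from running sudoedit".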
rootpw If set, s\bsu\bud\bdo\bo will prompt for the root
(the shell is determined by the SHELL
environment variable if it is set, falling
back on the shell listed in the invoking
+ user's /etc/passwd entry if not). This
+ flag is _\bo_\bf_\bf by default.
-1.6.9p10 December 17, 2007 12
+1.6.9p15 March 23, 2008 12
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- user's /etc/passwd entry if not). This
- flag is _\bo_\bf_\bf by default.
-
stay_setuid Normally, when s\bsu\bud\bdo\bo executes a command the
real and effective UIDs are set to the
target user (root by default). This
file log. The default is 80 (use 0 or
negate the option to disable word wrap).
+ passwd_timeout Number of minutes before the s\bsu\bud\bdo\bo password
+ prompt times out. The default is 5; set
+ this to 0 for no password timeout.
-1.6.9p10 December 17, 2007 13
+1.6.9p15 March 23, 2008 13
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- passwd_timeout Number of minutes before the s\bsu\bud\bdo\bo password
- prompt times out. The default is 5; set
- this to 0 for no password timeout.
-
timestamp_timeout
Number of minutes that can elapse before
s\bsu\bud\bdo\bo will ask for a passwd again. The
variable. The following percent (`%')
escapes are supported:
+ %H expanded to the local hostname includ
+ ing the domain name (on if the
+ machine's hostname is fully qualified
+
-1.6.9p10 December 17, 2007 14
+1.6.9p15 March 23, 2008 14
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- %H expanded to the local hostname includ
- ing the domain name (on if the
- machine's hostname is fully qualified
or the _\bf_\bq_\bd_\bn option is set)
%h expanded to the local hostname without
the domain name
+ %p expanded to the user whose password is
+ being asked for (respects the _\br_\bo_\bo_\bt_\bp_\bw,
+ _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and _\br_\bu_\bn_\ba_\bs_\bp_\bw flags in _\bs_\bu_\bd_\bo_\be_\br_\bs)
+
%U expanded to the login name of the user
the command will be run as (defaults
to root)
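Review bot: in the moved `%H` lines, "(on if the machine's hostname is fully qualified or the fqdn option is set)" reads "on if" where "only if" is meant; since the lines are being touched, correct it so the qualifier is unambiguous. The new `%p` escape is the one substantive addition here, and its description says it respects the rootpw, targetpw and runaspw flags; a one-line cross-reference from those three flag entries back to `%p` would let an administrator enabling rootpw or targetpw see, from the flag's own description, that the prompt can be made to name the account whose password is being requested.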
always Always lecture the user.
- never Never lecture the user.
-1.6.9p10 December 17, 2007 15
+1.6.9p15 March 23, 2008 15
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ never Never lecture the user.
+
once Only lecture the user the first time
they run s\bsu\bud\bdo\bo.
mailto Address to send warning and error mail to.
The address should be enclosed in double
- quotes (") to protect against s\bsu\bud\bdo\bo interpret
- ing the @ sign. Defaults to root.
-1.6.9p10 December 17, 2007 16
+1.6.9p15 March 23, 2008 16
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ quotes (") to protect against s\bsu\bud\bdo\bo interpret
+ ing the @ sign. Defaults to root.
+
syslog Syslog facility if syslog is being used for
logging (negate to disable syslog logging).
Defaults to local2.
env_delete Environment variables to be removed from
the user's environment. The argument may
- be a double-quoted, space-separated list
- or a single value without double-quotes.
- The list can be replaced, added to,
-1.6.9p10 December 17, 2007 17
+1.6.9p15 March 23, 2008 17
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ be a double-quoted, space-separated list
+ or a single value without double-quotes.
+ The list can be replaced, added to,
deleted from, or disabled by using the =,
+=, -=, and ! operators respectively. The
default list of environment variables to
and w\bwa\bar\brn\bni\bin\bng\bg.
F\bFI\bIL\bLE\bES\bS
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
- _\b/_\be_\bt_\bc_\b/_\bg_\br_\bo_\bu_\bp Local groups file
- _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bg_\br_\bo_\bu_\bp List of network groups
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
+
+ _\b/_\be_\bt_\bc_\b/_\bg_\br_\bo_\bu_\bp Local groups file
+
+ _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bg_\br_\bo_\bu_\bp List of network groups
E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
Since the _\bs_\bu_\bd_\bo_\be_\br_\bs file is parsed in a single pass, order
Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of
these are a bit contrived. First, we define our _\ba_\bl_\bi_\ba_\bs_\be_\bs:
- # User alias specification
- User_Alias FULLTIMERS = millert, mikef, dowdy
- User_Alias PARTTIMERS = bostley, jwfox, crawl
- User_Alias WEBMASTERS = will, wendy, wim
-
-1.6.9p10 December 17, 2007 18
+1.6.9p15 March 23, 2008 18
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ # User alias specification
+ User_Alias FULLTIMERS = millert, mikef, dowdy
+ User_Alias PARTTIMERS = bostley, jwfox, crawl
+ User_Alias WEBMASTERS = will, wendy, wim
+
# Runas alias specification
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
Defaults@SERVERS log_year, logfile=/var/log/sudo.log
Defaults!PAGERS noexec
- The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually deter
- mines who may run what.
-
- root ALL = (ALL) ALL
- %wheel ALL = (ALL) ALL
-1.6.9p10 December 17, 2007 19
+1.6.9p15 March 23, 2008 19
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually deter
+ mines who may run what.
+
+ root ALL = (ALL) ALL
+ %wheel ALL = (ALL) ALL
+
We let r\bro\boo\bot\bt and any user in group w\bwh\bhe\bee\bel\bl run any command on
any host as any user.
bob SPARC = (OP) ALL : SGI = (OP) ALL
- The user b\bbo\bob\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI
- machines as any user listed in the _\bO_\bP Runas_Alias (r\bro\boo\bot\bt
- and o\bop\bpe\ber\bra\bat\bto\bor\br).
- jim +biglab = ALL
+1.6.9p15 March 23, 2008 20
-1.6.9p10 December 17, 2007 20
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ The user b\bbo\bob\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI
+ machines as any user listed in the _\bO_\bP Runas_Alias (r\bro\boo\bot\bt
+ and o\bop\bpe\ber\bra\bat\bto\bor\br).
+ jim +biglab = ALL
The user j\bji\bim\bm may run any command on machines in the _\bb_\bi_\bg_\bl_\ba_\bb
netgroup. s\bsu\bud\bdo\bo knows that "biglab" is a netgroup due to
(will, wendy, and wim), may run any command as user www
(which owns the web pages) or simply _\bs_\bu(1) to www.
- ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
- /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
-
- Any user may mount or unmount a CD-ROM on the machines in
- the CDROM Host_Alias (orion, perseus, hercules) without
- entering a password. This is a bit tedious for users to
-1.6.9p10 December 17, 2007 21
+1.6.9p15 March 23, 2008 21
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
+ /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
+
+ Any user may mount or unmount a CD-ROM on the machines in
+ the CDROM Host_Alias (orion, perseus, hercules) without
+ entering a password. This is a bit tedious for users to
type, so it is a prime candidate for encapsulating in a
shell script.
that this applies only to native dynamically-
linked executables. Statically-linked executa
bles and foreign executables running under
- binary emulation are not affected.
- To tell whether or not s\bsu\bud\bdo\bo supports _\bn_\bo_\be_\bx_\be_\bc, you
- can run the following as root:
- sudo -V | grep "dummy exec"
+1.6.9p15 March 23, 2008 22
-1.6.9p10 December 17, 2007 22
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ binary emulation are not affected.
+ To tell whether or not s\bsu\bud\bdo\bo supports _\bn_\bo_\be_\bx_\be_\bc, you
+ can run the following as root:
+
+ sudo -V | grep "dummy exec"
If the resulting output contains a line that
begins with:
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
The _\bs_\bu_\bd_\bo_\be_\br_\bs file should a\bal\blw\bwa\bay\bys\bs be edited by the v\bvi\bis\bsu\bud\bdo\bo
- command which locks the file and does grammatical check
- ing. It is imperative that _\bs_\bu_\bd_\bo_\be_\br_\bs be free of syntax
- errors since s\bsu\bud\bdo\bo will not run with a syntactically incor
- rect _\bs_\bu_\bd_\bo_\be_\br_\bs file.
+ command which locks the file and does grammatical
- When using netgroups of machines (as opposed to users), if
- you store fully qualified hostnames in the netgroup (as is
- usually the case), you either need to have the machine's
-
-1.6.9p10 December 17, 2007 23
+1.6.9p15 March 23, 2008 23
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ checking. It is imperative that _\bs_\bu_\bd_\bo_\be_\br_\bs be free of syntax
+ errors since s\bsu\bud\bdo\bo will not run with a syntactically incor
+ rect _\bs_\bu_\bd_\bo_\be_\br_\bs file.
+
+ When using netgroups of machines (as opposed to users), if
+ you store fully qualified hostnames in the netgroup (as is
+ usually the case), you either need to have the machine's
hostname be fully qualified as returned by the hostname
command or use the _\bf_\bq_\bd_\bn option in _\bs_\bu_\bd_\bo_\be_\br_\bs.
-
-
-
-
-
-
-
-1.6.9p10 December 17, 2007 24
+1.6.9p15 March 23, 2008 24