-1.6.9p6 October 9, 2007 1
+1.6.9p16 May 8, 2008 1
-1.6.9p6 October 9, 2007 2
+1.6.9p16 May 8, 2008 2
-1.6.9p6 October 9, 2007 3
+1.6.9p16 May 8, 2008 3
-1.6.9p6 October 9, 2007 4
+1.6.9p16 May 8, 2008 4
-1.6.9p6 October 9, 2007 5
+1.6.9p16 May 8, 2008 5
-1.6.9p6 October 9, 2007 6
+1.6.9p16 May 8, 2008 6
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ If the command matched is A\bAL\bLL\bL, the SETENV tag is implied
+ for that command; this default may be overridden by use of
+ the UNSETENV tag.
+
W\bWi\bil\bld\bdc\bca\bar\brd\bds\bs
s\bsu\bud\bdo\bo allows shell-style _\bw_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs (aka meta or glob char
causes a match to succeed. It can be used wherever one
might otherwise use a Cmnd_Alias, User_Alias, Runas_Alias,
or Host_Alias. You should not try to define your own
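Review bot: the added paragraph ("If the command matched is ALL, the SETENV tag is implied for that command; this default may be overridden by use of the UNSETENV tag") records a privilege-relevant default, but it is placed apart from the ALL warning carried over unchanged below ("using ALL can be dangerous since in a command context, it allows the user to run any command"). Suggest a one-line cross-reference in that warning so an administrator reading the ALL description sees that the implied SETENV tag applies too unless UNSETENV is given.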
- _\ba_\bl_\bi_\ba_\bs called A\bAL\bLL\bL as the built-in alias will be used in
- preference to your own. Please note that using A\bAL\bLL\bL can be
- dangerous since in a command context, it allows the user
- to run a\ban\bny\by command on the system.
-1.6.9p6 October 9, 2007 7
+1.6.9p16 May 8, 2008 7
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ _\ba_\bl_\bi_\ba_\bs called A\bAL\bLL\bL as the built-in alias will be used in
+ preference to your own. Please note that using A\bAL\bLL\bL can be
+ dangerous since in a command context, it allows the user
+ to run a\ban\bny\by command on the system.
+
An exclamation point ('!') can be used as a logical _\bn_\bo_\bt
operator both in an _\ba_\bl_\bi_\ba_\bs and in front of a Cmnd. This
allows one to exclude certain values. Note, however, that
separated list of editors in the editor
variable. v\bvi\bis\bsu\bud\bdo\bo will then only use the
EDITOR or VISUAL if they match a value
- specified in editor. This flag is _\bo_\bf_\bf by
- default.
- env_reset If set, s\bsu\bud\bdo\bo will reset the environment to
- only contain the LOGNAME, SHELL, USER,
-
-1.6.9p6 October 9, 2007 8
+1.6.9p16 May 8, 2008 8
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ specified in editor. This flag is _\bo_\bf_\bf by
+ default.
+
+ env_reset If set, s\bsu\bud\bdo\bo will reset the environment to
+ only contain the LOGNAME, SHELL, USER,
USERNAME and the SUDO_* variables. Any
variables in the caller's environment that
match the env_keep and env_check lists are
s\bsu\bud\bdo\bo).
ignore_local_sudoers
- If set via LDAP, parsing of
- @sysconfdir@/sudoers will be skipped.
- This is intended for Enterprises that wish
- to prevent the usage of local sudoers
- files so that only LDAP is used. This
- thwarts the efforts of rogue operators who
- would attempt to add roles to
- @sysconfdir@/sudoers. When this option is
- present, @sysconfdir@/sudoers does not
- even need to exist. Since this option
- tells s\bsu\bud\bdo\bo how to behave when no specific
- LDAP entries have been matched, this
+ If set via LDAP, parsing of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs
+ will be skipped. This is intended for
+ Enterprises that wish to prevent the usage
+ of local sudoers files so that only LDAP
+ is used. This thwarts the efforts of
+ rogue operators who would attempt to add
+ roles to _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. When this option
-1.6.9p6 October 9, 2007 9
+1.6.9p16 May 8, 2008 9
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- sudoOption is only meaningful for the
- cn=defaults section. This flag is _\bo_\bf_\bf by
- default.
+ is present, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs does not even
+ need to exist. Since this option tells
+ s\bsu\bud\bdo\bo how to behave when no specific LDAP
+ entries have been matched, this sudoOption
+ is only meaningful for the cn=defaults
+ section. This flag is _\bo_\bf_\bf by default.
insults If set, s\bsu\bud\bdo\bo will insult users when they
enter an incorrect password. This flag is
noexec If set, all commands run via s\bsu\bud\bdo\bo will
behave as if the NOEXEC tag has been set,
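Review bot: in the rewritten ignore_local_sudoers entry the two `@sysconfdir@/sudoers` references become the literal `/etc/sudoers`. The unsubstituted `@sysconfdir@` placeholder in the old text was a visible defect in a pre-formatted page, so this is an improvement, but the path is now hard-coded; confirm the cat page is regenerated per build, or that the mismatch is accepted for builds configured with a non-default sysconfdir, and that only the rendered copy (not the manual source it is formatted from) lost the substitutable form.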
- unless overridden by a EXEC tag. See the
- description of _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC below as
- well as the "PREVENTING SHELL ESCAPES"
-1.6.9p6 October 9, 2007 10
+1.6.9p16 May 8, 2008 10
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ unless overridden by a EXEC tag. See the
+ description of _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC below as
+ well as the "PREVENTING SHELL ESCAPES"
section at the end of this manual. This
flag is _\bo_\bf_\bf by default.
they are not allowed to run it, which can
be confusing. This flag is _\bo_\bn by default.
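Review bot: the reflowed noexec text still reads "unless overridden by a EXEC tag"; it should be "an EXEC tag". The error is carried over from the removed lines rather than introduced here, but since this is rendered output (note the overstrike bold and underline sequences), the fix belongs in the manual source with the cat page regenerated, not in a hand edit of this file.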
+ passprompt_override
+ The password prompt specified by
+ _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will normally only be used if
+ the passwod prompt provided by systems
+ such as PAM matches the string "Pass
+ word:". If _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is set,
+ _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will always be used. This flag
+ is _\bo_\bf_\bf by default.
+
preserve_groups By default s\bsu\bud\bdo\bo will initialize the group
vector to the list of groups the target
user is in. When _\bp_\br_\be_\bs_\be_\br_\bv_\be_\b__\bg_\br_\bo_\bu_\bp_\bs is set,
s\bsu\bud\bdo\boe\bed\bdi\bit\bt. Disabling _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo provides no
real additional security; it exists purely
for historical reasons. This flag is _\bo_\bn
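Review bot: typo in the new passprompt_override entry: "the passwod prompt provided by systems such as PAM" should read "password prompt". As with the rest of this rendered page, correct it in the manual source and regenerate. Also check how the quoted prompt renders: the line break inside "Pass word:" (no hyphen, because it is a quoted string) could be read literally as two words, whereas the intended value is "Password:".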
+
+
+
+1.6.9p16 May 8, 2008 11
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
by default.
rootpw If set, s\bsu\bud\bdo\bo will prompt for the root
password of the invoking user. This flag
is _\bo_\bf_\bf by default.
-
-
-1.6.9p6 October 9, 2007 11
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
set_home If set and s\bsu\bud\bdo\bo is invoked with the -\b-s\bs
flag the HOME environment variable will be
set to the home directory of the target
user's /etc/passwd entry if not). This
flag is _\bo_\bf_\bf by default.
+
+
+1.6.9p16 May 8, 2008 12
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
stay_setuid Normally, when s\bsu\bud\bdo\bo executes a command the
real and effective UIDs are set to the
target user (root by default). This
run setuid. This option is only effective
on systems with either the _\bs_\be_\bt_\br_\be_\bu_\bi_\bd_\b(_\b) or
_\bs_\be_\bt_\br_\be_\bs_\bu_\bi_\bd_\b(_\b) function. This flag is _\bo_\bf_\bf by
-
-
-
-1.6.9p6 October 9, 2007 12
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
default.
targetpw If set, s\bsu\bud\bdo\bo will prompt for the password
prompt times out. The default is 5; set
this to 0 for no password timeout.
+
+
+1.6.9p16 May 8, 2008 13
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
timestamp_timeout
Number of minutes that can elapse before
s\bsu\bud\bdo\bo will ask for a passwd again. The
tamps via sudo -v and sudo -k respec
tively.
-
-
-
-1.6.9p6 October 9, 2007 13
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
umask Umask to use when running the command.
Negate this option or set it to 0777 to
preserve the user's umask. The default is
%H expanded to the local hostname includ
ing the domain name (on if the
machine's hostname is fully qualified
- or the _\bf_\bq_\bd_\bn option is set)
- %h expanded to the local hostname without
- the domain name
- %U expanded to the login name of the user
- the command will be run as (defaults
- to root)
- %u expanded to the invoking user's login
- name
+1.6.9p16 May 8, 2008 14
-1.6.9p6 October 9, 2007 14
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ or the _\bf_\bq_\bd_\bn option is set)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ %h expanded to the local hostname without
+ the domain name
+
+ %p expanded to the user whose password is
+ being asked for (respects the _\br_\bo_\bo_\bt_\bp_\bw,
+ _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and _\br_\bu_\bn_\ba_\bs_\bp_\bw flags in _\bs_\bu_\bd_\bo_\be_\br_\bs)
+
+ %U expanded to the login name of the user
+ the command will be run as (defaults
+ to root)
+ %u expanded to the invoking user's login
+ name
%% two consecutive % characters are col
lapsed into a single % character
always Always lecture the user.
+
+
+
+1.6.9p16 May 8, 2008 15
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
never Never lecture the user.
once Only lecture the user the first time
standard lecture if the named file exists. By
default, s\bsu\bud\bdo\bo uses a built-in lecture.
-
-
-
-1.6.9p6 October 9, 2007 15
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
listpw This option controls when a password will be
required when a user runs s\bsu\bud\bdo\bo with the -\b-l\bl
flag. It has the following possible values:
mailto Address to send warning and error mail to.
The address should be enclosed in double
+
+
+
+1.6.9p16 May 8, 2008 16
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
quotes (") to protect against s\bsu\bud\bdo\bo interpret
ing the @ sign. Defaults to root.
flag set to avoid entering a password.
always The user must always enter a password
-
-
-
-1.6.9p6 October 9, 2007 16
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
to use the -\b-v\bv flag.
any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs
env_delete Environment variables to be removed from
the user's environment. The argument may
+
+
+
+1.6.9p16 May 8, 2008 17
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
be a double-quoted, space-separated list
or a single value without double-quotes.
The list can be replaced, added to,
the user's environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt
option is in effect. This allows fine-
grained control over the environment
-
-
-
-1.6.9p6 October 9, 2007 17
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
s\bsu\bud\bdo\bo-spawned processes will receive. The
argument may be a double-quoted, space-
separated list or a single value without
and w\bwa\bar\brn\bni\bin\bng\bg.
F\bFI\bIL\bLE\bES\bS
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
- _\b/_\be_\bt_\bc_\b/_\bg_\br_\bo_\bu_\bp Local groups file
- _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bg_\br_\bo_\bu_\bp List of network groups
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
+
+ _\b/_\be_\bt_\bc_\b/_\bg_\br_\bo_\bu_\bp Local groups file
+
+ _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bg_\br_\bo_\bu_\bp List of network groups
E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
Since the _\bs_\bu_\bd_\bo_\be_\br_\bs file is parsed in a single pass, order
Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of
these are a bit contrived. First, we define our _\ba_\bl_\bi_\ba_\bs_\be_\bs:
+
+
+
+
+1.6.9p16 May 8, 2008 18
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
# User alias specification
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules
-
-
-
-1.6.9p6 October 9, 2007 18
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
/usr/sbin/restore, /usr/sbin/rrestore
Defaults@SERVERS log_year, logfile=/var/log/sudo.log
Defaults!PAGERS noexec
+
+
+
+1.6.9p16 May 8, 2008 19
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually deter
mines who may run what.
any command on any host but they must authenticate them
selves first (since the entry lacks the NOPASSWD tag).
-
-
-1.6.9p6 October 9, 2007 19
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
jack CSNETS = ALL
The user j\bja\bac\bck\bk may run any command on the machines in the
bob SPARC = (OP) ALL : SGI = (OP) ALL
+
+
+1.6.9p16 May 8, 2008 20
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
The user b\bbo\bob\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI
machines as any user listed in the _\bO_\bP Runas_Alias (r\bro\boo\bot\bt
and o\bop\bpe\ber\bra\bat\bto\bor\br).
fred ALL = (DB) NOPASSWD: ALL
The user f\bfr\bre\bed\bd can run commands as any user in the _\bD_\bB
-
-
-
-1.6.9p6 October 9, 2007 20
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
Runas_Alias (o\bor\bra\bac\bcl\ble\be or s\bsy\byb\bba\bas\bse\be) without giving a password.
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
(will, wendy, and wim), may run any command as user www
(which owns the web pages) or simply _\bs_\bu(1) to www.
+
+
+
+1.6.9p16 May 8, 2008 21
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
/sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
bill ALL = ALL, !SU, !SHELLS
Doesn't really prevent b\bbi\bil\bll\bl from running the commands
- listed in _\bS_\bU or _\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those
-
-
-
-1.6.9p6 October 9, 2007 21
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- commands to a different name, or use a shell escape from
- an editor or other program. Therefore, these kind of
+ listed in _\bS_\bU or _\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those com
+ mands to a different name, or use a shell escape from an
+ editor or other program. Therefore, these kind of
restrictions should be considered advisory at best (and
reinforced by policy).
that this applies only to native dynamically-
linked executables. Statically-linked executa
bles and foreign executables running under
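Review bot: the reflowed sentence "Therefore, these kind of restrictions should be considered advisory at best" has a number-agreement error; it should be "this kind of restriction" or "these kinds of restrictions". The wording is inherited from the removed lines, so fix it at the source and regenerate. The substantive point of the paragraph (denying SU or SHELLS with "!" does not stop a user who may copy those commands or use an editor's shell escape) is the right caveat to keep next to the bill example.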
+
+
+
+1.6.9p16 May 8, 2008 22
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
binary emulation are not affected.
To tell whether or not s\bsu\bud\bdo\bo supports _\bn_\bo_\be_\bx_\be_\bc, you
_\bn_\bo_\be_\bx_\be_\bc will work at compile-time. _\bn_\bo_\be_\bx_\be_\bc should
work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64
UNIX, MacOS X, and HP-UX 11.x. It is known n\bno\bot\bt
-
-
-
-1.6.9p6 October 9, 2007 22
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
to work on AIX and UnixWare. _\bn_\bo_\be_\bx_\be_\bc is expected
to work on most operating systems that support
the LD_PRELOAD environment variable. Check your
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
The _\bs_\bu_\bd_\bo_\be_\br_\bs file should a\bal\blw\bwa\bay\bys\bs be edited by the v\bvi\bis\bsu\bud\bdo\bo
- command which locks the file and does grammatical check
- ing. It is imperative that _\bs_\bu_\bd_\bo_\be_\br_\bs be free of syntax
+ command which locks the file and does grammatical
+
+
+
+1.6.9p16 May 8, 2008 23
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
+ checking. It is imperative that _\bs_\bu_\bd_\bo_\be_\br_\bs be free of syntax
errors since s\bsu\bud\bdo\bo will not run with a syntactically incor
rect _\bs_\bu_\bd_\bo_\be_\br_\bs file.
man/listinfo/sudo-users to subscribe or search the
archives.
-
-
-1.6.9p6 October 9, 2007 23
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied war
ranties, including, but not limited to, the implied war
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-1.6.9p6 October 9, 2007 24
+1.6.9p16 May 8, 2008 24