(which specify who may run what).
When multiple entries match for a user, they are applied
- in order. Where there are conflicting values, the last
+ in order. Where there are multiple matches, the last
match is used (which is not necessarily the most specific
match).
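Review bot: the corrected sentence (last match wins, not the most specific) is the property administrators most often get wrong, yet the paragraph gives no illustration; suggest a two-line example showing that a broad entry placed after a narrower one silently takes precedence, for instance `alice ALL = !/bin/sh` followed by `alice ALL = ALL` still permits /bin/sh because the ALL entry is the last match. That ties directly to the later warning that "all but a few" with ! and ALL rarely works as intended.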
ular expressions. Do not, however, confuse them with
"wildcard" characters, which have different meanings.
- ? Means that the preceding symbol (or group of sym
- bols) is optional. That is, it may appear once or
- not at all.
+ ? Means that the preceding symbol (or group of symbols)
+ is optional. That is, it may appear once or not at
+ all.
- * Means that the preceding symbol (or group of sym
- bols) may appear zero or more times.
+ * Means that the preceding symbol (or group of symbols)
+ may appear zero or more times.
- + Means that the preceding symbol (or group of sym
- bols) may appear one or more times.
+ + Means that the preceding symbol (or group of symbols)
+ may appear one or more times.
Parentheses may be used to group symbols together. For
clarity, we will use single quotes ('') to designate what
-1.6.8p9 June, 20 2005 1
+1.6.9p6 October 9, 2007 1
-1.6.8p9 June, 20 2005 2
+1.6.9p6 October 9, 2007 2
addresses, network numbers, netgroups (prefixed with '+')
and other aliases. Again, the value of an item may be
negated with the '!' operator. If you do not specify a
- netmask with a network number, the netmask of the host's
- ethernet interface(s) will be used when matching. The
- netmask may be specified either in dotted quad notation
- (e.g. 255.255.255.0) or CIDR notation (number of bits,
- e.g. 24). A hostname may include shell-style wildcards
- (see the Wildcards section below), but unless the hostname
- command on your machine returns the fully qualified host
- name, you'll need to use the _\bf_\bq_\bd_\bn option for wildcards to
- be useful.
+ netmask along with the network number, s\bsu\bud\bdo\bo will query
+ each of the local host's network interfaces and, if the
+ network number corresponds to one of the hosts's network
+ interfaces, the corresponding netmask will be used. The
+ netmask may be specified either in standard IP address
+ notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or
+ CIDR notation (number of bits, e.g. 24 or 64). A hostname
+ may include shell-style wildcards (see the Wildcards sec
+ tion below), but unless the hostname command on your
+ machine returns the fully qualified hostname, you'll need
+ to use the _\bf_\bq_\bd_\bn option for wildcards to be useful.
Cmnd_List ::= Cmnd |
Cmnd ',' Cmnd_List
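Review bot: typo on the added line "one of the hosts's network interfaces" (should be "host's"), and the new netmask paragraph leaves a gap: it says the interface's netmask is used when the network number corresponds to a local interface, but not which netmask applies when it matches none, so an administrator cannot tell whether `192.168.0.0` with no mask means a /16, a /24 or something else. State the fallback explicitly, or advise always writing the mask (e.g. `192.168.0.0/24`) so the match is unambiguous on every host the file is deployed to.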
he/she wishes. However, you may also specify command line
arguments (including wildcards). Alternately, you can
specify "" to indicate that the command may only be run
- w\bwi\bit\bth\bho\bou\but\bt command line arguments. A directory is a fully
- qualified pathname ending in a '/'. When you specify a
-1.6.8p9 June, 20 2005 3
+1.6.9p6 October 9, 2007 3
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ w\bwi\bit\bth\bho\bou\but\bt command line arguments. A directory is a fully
+ qualified pathname ending in a '/'. When you specify a
directory in a Cmnd_List, the user will be able to run any
file within that directory (but not in any subdirectories
therein).
as a specific user.
Default_Type ::= 'Defaults' |
- 'Defaults' '@' Host |
- 'Defaults' ':' User |
- 'Defaults' '>' RunasUser
+ 'Defaults' '@' Host_List |
+ 'Defaults' ':' User_List |
+ 'Defaults' '>' Runas_List
Default_Entry ::= Default_Type Parameter_List
respectively. It is not an error to use the -= operator
to remove an element that does not exist in a list.
- F\bFl\bla\bag\bgs\bs:
-
- long_otp_prompt
- When validating with a One Time Password
+ See "SUDOERS OPTIONS" for a list of supported Defaults
+ parameters.
-1.6.8p9 June, 20 2005 4
+1.6.9p6 October 9, 2007 4
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- scheme (S\bS/\b/K\bKe\bey\by or O\bOP\bPI\bIE\bE), a two-line prompt is
- used to make it easier to cut and paste the
- challenge to a local window. It's not as
- pretty as the default but some people find it
- more convenient. This flag is _\bo_\bf_\bf by default.
-
- ignore_dot If set, s\bsu\bud\bdo\bo will ignore '.' or '' (current
- dir) in the PATH environment variable; the
- PATH itself is not modified. This flag is _\bo_\bf_\bf
- by default. Currently, while it is possible
- to set _\bi_\bg_\bn_\bo_\br_\be_\b__\bd_\bo_\bt in _\bs_\bu_\bd_\bo_\be_\br_\bs, its value is not
- used. This option should be considered read-
- only (it will be fixed in a future version of
- s\bsu\bud\bdo\bo).
-
- mail_always Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user every time a
- users runs s\bsu\bud\bdo\bo. This flag is _\bo_\bf_\bf by default.
-
- mail_badpass
- Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user if the user run
- ning sudo does not enter the correct password.
- This flag is _\bo_\bf_\bf by default.
-
- mail_no_user
- If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user
- if the invoking user is not in the _\bs_\bu_\bd_\bo_\be_\br_\bs
- file. This flag is _\bo_\bn by default.
-
- mail_no_host
- If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user
- if the invoking user exists in the _\bs_\bu_\bd_\bo_\be_\br_\bs
- file, but is not allowed to run commands on
- the current host. This flag is _\bo_\bf_\bf by
- default.
-
- mail_no_perms
- If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user
- if the invoking user is allowed to use s\bsu\bud\bdo\bo
- but the command they are trying is not listed
- in their _\bs_\bu_\bd_\bo_\be_\br_\bs file entry or is explicitly
- denied. This flag is _\bo_\bf_\bf by default.
-
- tty_tickets If set, users must authenticate on a per-tty
- basis. Normally, s\bsu\bud\bdo\bo uses a directory in the
- ticket dir with the same name as the user run
- ning it. With this flag enabled, s\bsu\bud\bdo\bo will
- use a file named for the tty the user is
- logged in on in that directory. This flag is
- _\bo_\bf_\bf by default.
-
- authenticate
- If set, users must authenticate themselves via
- a password (or other means of authentication)
- before they may run commands. This default
-
-
-
-1.6.8p9 June, 20 2005 5
-
-
-
+ U\bUs\bse\ber\br S\bSp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn
+ User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
+ (':' Host_List '=' Cmnd_Spec_List)*
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ Cmnd_Spec_List ::= Cmnd_Spec |
+ Cmnd_Spec ',' Cmnd_Spec_List
+ Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
- may be overridden via the PASSWD and NOPASSWD
- tags. This flag is _\bo_\bn by default.
-
- root_sudo If set, root is allowed to run s\bsu\bud\bdo\bo too. Dis
- abling this prevents users from "chaining"
- s\bsu\bud\bdo\bo commands to get a root shell by doing
- something like "sudo sudo /bin/sh". Note,
- however, that turning off _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo will also
- prevent root and from running s\bsu\bud\bdo\boe\bed\bdi\bit\bt. Dis
- abling _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo provides no real additional
- security; it exists purely for historical rea
- sons. This flag is _\bo_\bn by default.
-
- log_host If set, the hostname will be logged in the
- (non-syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf
- by default.
-
- log_year If set, the four-digit year will be logged in
- the (non-syslog) s\bsu\bud\bdo\bo log file. This flag is
- _\bo_\bf_\bf by default.
-
- shell_noargs
- If set and s\bsu\bud\bdo\bo is invoked with no arguments
- it acts as if the -\b-s\bs flag had been given.
- That is, it runs a shell as root (the shell is
- determined by the SHELL environment variable
- if it is set, falling back on the shell listed
- in the invoking user's /etc/passwd entry if
- not). This flag is _\bo_\bf_\bf by default.
-
- set_home If set and s\bsu\bud\bdo\bo is invoked with the -\b-s\bs flag
- the HOME environment variable will be set to
- the home directory of the target user (which
- is root unless the -\b-u\bu option is used). This
- effectively makes the -\b-s\bs flag imply -\b-H\bH. This
- flag is _\bo_\bf_\bf by default.
-
- always_set_home
- If set, s\bsu\bud\bdo\bo will set the HOME environment
- variable to the home directory of the target
- user (which is root unless the -\b-u\bu option is
- used). This effectively means that the -\b-H\bH
- flag is always implied. This flag is _\bo_\bf_\bf by
- default.
+ Runas_Spec ::= '(' Runas_List ')'
- path_info Normally, s\bsu\bud\bdo\bo will tell the user when a com
- mand could not be found in their PATH environ
- ment variable. Some sites may wish to disable
- this as it could be used to gather information
- on the location of executables that the normal
- user does not have access to. The disadvan
- tage is that if the executable is simply not
- in the user's PATH, s\bsu\bud\bdo\bo will tell the user
- that they are not allowed to run it, which can
+ Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
+ 'SETENV:' | 'NOSETENV:')
+ A u\bus\bse\ber\br s\bsp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn determines which commands a user may
+ run (and as what user) on specified hosts. By default,
+ commands are run as r\bro\boo\bot\bt, but this can be changed on a
+ per-command basis.
+ Let's break that down into its constituent parts:
-1.6.8p9 June, 20 2005 6
+ R\bRu\bun\bna\bas\bs_\b_S\bSp\bpe\bec\bc
+ A Runas_Spec is simply a Runas_List (as defined above)
+ enclosed in a set of parentheses. If you do not specify a
+ Runas_Spec in the user specification, a default Runas_Spec
+ of r\bro\boo\bot\bt will be used. A Runas_Spec sets the default for
+ commands that follow it. What this means is that for the
+ entry:
+ dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
+ The user d\bdg\bgb\bb may run _\b/_\bb_\bi_\bn_\b/_\bl_\bs, _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm
+ -- but only as o\bop\bpe\ber\bra\bat\bto\bor\br. E.g.,
+ $ sudo -u operator /bin/ls.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ It is also possible to override a Runas_Spec later on in
+ an entry. If we modify the entry like so:
+ dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
- be confusing. This flag is _\bo_\bf_\bf by default.
-
- preserve_groups
- By default s\bsu\bud\bdo\bo will initialize the group vec
- tor to the list of groups the target user is
- in. When _\bp_\br_\be_\bs_\be_\br_\bv_\be_\b__\bg_\br_\bo_\bu_\bp_\bs is set, the user's
- existing group vector is left unaltered. The
- real and effective group IDs, however, are
- still set to match the target user. This flag
- is _\bo_\bf_\bf by default.
-
- fqdn Set this flag if you want to put fully quali
- fied hostnames in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. I.e.,
- instead of myhost you would use myhost.mydo
- main.edu. You may still use the short form if
- you wish (and even mix the two). Beware that
- turning on _\bf_\bq_\bd_\bn requires s\bsu\bud\bdo\bo to make DNS
- lookups which may make s\bsu\bud\bdo\bo unusable if DNS
- stops working (for example if the machine is
- not plugged into the network). Also note that
- you must use the host's official name as DNS
- knows it. That is, you may not use a host
- alias (CNAME entry) due to performance issues
- and the fact that there is no way to get all
- aliases from DNS. If your machine's hostname
- (as returned by the hostname command) is
- already fully qualified you shouldn't need to
- set _\bf_\bq_\bd_\bn. This flag is _\bo_\bf_\bf by default.
-
- insults If set, s\bsu\bud\bdo\bo will insult users when they enter
- an incorrect password. This flag is _\bo_\bf_\bf by
- default.
+ Then user d\bdg\bgb\bb is now allowed to run _\b/_\bb_\bi_\bn_\b/_\bl_\bs as o\bop\bpe\ber\bra\bat\bto\bor\br,
+ but _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as r\bro\boo\bot\bt.
- requiretty If set, s\bsu\bud\bdo\bo will only run when the user is
- logged in to a real tty. This will disallow
- things like "rsh somehost sudo ls" since
- _\br_\bs_\bh(1) does not allocate a tty. Because it is
- not possible to turn off echo when there is no
- tty present, some sites may with to set this
- flag to prevent a user from entering a visible
- password. This flag is _\bo_\bf_\bf by default.
-
- env_editor If set, v\bvi\bis\bsu\bud\bdo\bo will use the value of the EDI
- TOR or VISUAL environment variables before
- falling back on the default editor list. Note
- that this may create a security hole as it
- allows the user to run any arbitrary command
- as root without logging. A safer alternative
- is to place a colon-separated list of editors
- in the editor variable. v\bvi\bis\bsu\bud\bdo\bo will then only
- use the EDITOR or VISUAL if they match a value
- specified in editor. This flag is off by
- default.
+ T\bTa\bag\bg_\b_S\bSp\bpe\bec\bc
+ A command may have zero or more tags associated with it.
+ There are six possible tag values, NOPASSWD, PASSWD,
+ NOEXEC, EXEC, SETENV and NOSETENV. Once a tag is set on a
+ Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit the
+ tag unless it is overridden by the opposite tag (i.e.:
+ PASSWD overrides NOPASSWD and NOEXEC overrides EXEC).
-1.6.8p9 June, 20 2005 7
+1.6.9p6 October 9, 2007 5
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
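Review bot: two wording points in the Runas_Spec and Tag_Spec text: the example command `$ sudo -u operator /bin/ls.` carries a trailing period that reads as part of the command line, and "subsequent Cmnds in the Cmnd_Spec_List, inherit the tag" has a stray comma. The inheritance sentence also does not say whether a tag carries over into a following ':' host section of the same User_Spec, which the grammar above permits; worth stating explicitly, since a NOPASSWD set on one host section being inherited (or not) by the next is exactly the kind of thing an administrator will assume one way and get the other.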
- rootpw If set, s\bsu\bud\bdo\bo will prompt for the root password
- instead of the password of the invoking user.
- This flag is _\bo_\bf_\bf by default.
-
- runaspw If set, s\bsu\bud\bdo\bo will prompt for the password of
- the user defined by the _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt option
- (defaults to root) instead of the password of
- the invoking user. This flag is _\bo_\bf_\bf by
- default.
-
- targetpw If set, s\bsu\bud\bdo\bo will prompt for the password of
- the user specified by the -\b-u\bu flag (defaults to
- root) instead of the password of the invoking
- user. Note that this precludes the use of a
- uid not listed in the passwd database as an
- argument to the -\b-u\bu flag. This flag is _\bo_\bf_\bf by
- default.
+ _\bN_\bO_\bP_\bA_\bS_\bS_\bW_\bD _\ba_\bn_\bd _\bP_\bA_\bS_\bS_\bW_\bD
- set_logname Normally, s\bsu\bud\bdo\bo will set the LOGNAME and USER
- environment variables to the name of the tar
- get user (usually root unless the -\b-u\bu flag is
- given). However, since some programs (includ
- ing the RCS revision control system) use LOG
- NAME to determine the real identity of the
- user, it may be desirable to change this
- behavior. This can be done by negating the
- set_logname option.
+ By default, s\bsu\bud\bdo\bo requires that a user authenticate him or
+ herself before running a command. This behavior can be
+ modified via the NOPASSWD tag. Like a Runas_Spec, the
+ NOPASSWD tag sets a default for the commands that follow
+ it in the Cmnd_Spec_List. Conversely, the PASSWD tag can
+ be used to reverse things. For example:
- stay_setuid Normally, when s\bsu\bud\bdo\bo executes a command the
- real and effective UIDs are set to the target
- user (root by default). This option changes
- that behavior such that the real UID is left
- as the invoking user's UID. In other words,
- this makes s\bsu\bud\bdo\bo act as a setuid wrapper. This
- can be useful on systems that disable some
- potentially dangerous functionality when a
- program is run setuid. Note, however, that
- this means that sudo will run with the real
- uid of the invoking user which may allow that
- user to kill s\bsu\bud\bdo\bo before it can log a failure,
- depending on how your OS defines the interac
- tion between signals and setuid processes.
+ ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
- env_reset If set, s\bsu\bud\bdo\bo will reset the environment to
- only contain the following variables: HOME,
- LOGNAME, PATH, SHELL, TERM, and USER (in addi
- tion to the SUDO_* variables). Of these, only
- TERM is copied unaltered from the old environ
- ment. The other variables are set to default
- values (possibly modified by the value of the
- _\bs_\be_\bt_\b__\bl_\bo_\bg_\bn_\ba_\bm_\be option). If s\bsu\bud\bdo\bo was compiled
- with the SECURE_PATH option, its value will be
- used for the PATH environment variable. Other
- variables may be preserved with the _\be_\bn_\bv_\b__\bk_\be_\be_\bp
+ would allow the user r\bra\bay\by to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, _\b/_\bb_\bi_\bn_\b/_\bl_\bs, and
+ _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as root on the machine rushmore as r\bro\boo\bot\bt
+ without authenticating himself. If we only want r\bra\bay\by to be
+ able to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl without a password the entry would
+ be:
+ ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
+ Note, however, that the PASSWD tag has no effect on users
+ who are in the group specified by the _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option.
-1.6.8p9 June, 20 2005 8
+ By default, if the NOPASSWD tag is applied to any of the
+ entries for a user on the current host, he or she will be
+ able to run sudo -l without a password. Additionally, a
+ user may only run sudo -v without a password if the
+ NOPASSWD tag is present for all a user's entries that per
+ tain to the current host. This behavior may be overridden
+ via the verifypw and listpw options.
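Review bot: duplicated phrase on the added lines "as root on the machine rushmore as root without authenticating himself"; drop one "as root". The same paragraph notes that the PASSWD tag has no effect on members of the exempt_group; that is an override an auditor reading only the User_Spec lines will miss, so consider repeating the caveat under the exempt_group option itself.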
+ _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC
+ If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the
+ underlying operating system supports it, the NOEXEC tag
+ can be used to prevent a dynamically-linked executable
+ from running further commands itself.
+ In the following example, user a\baa\bar\bro\bon\bn may run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be
+ and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi but shell escapes will be disabled.
+ aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ See the "PREVENTING SHELL ESCAPES" section below for more
+ details on how NOEXEC works and whether or not it will
+ work on your system.
+ _\bS_\bE_\bT_\bE_\bN_\bV _\ba_\bn_\bd _\bN_\bO_\bS_\bE_\bT_\bE_\bN_\bV
- option.
+ These tags override the value of the _\bs_\be_\bt_\be_\bn_\bv option on a
+ per-command basis. Note that if SETENV has been set for a
+ command, any environment variables set on the command line
+ way are not subject to the restrictions imposed by
+ _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such, only trusted
+ users should be allowed to set variables in this manner.
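Review bot: stray word in "any environment variables set on the command line way are not subject to"; remove "way". Since the sentence says env_check, env_delete and env_keep no longer apply, it would be clearer to state plainly that SETENV: hands the invoking user full control of the target process environment, so it should only be granted for commands whose behaviour cannot be influenced by environment variables (interpreters and dynamically linked programs in particular are poor candidates).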
- use_loginclass
- If set, s\bsu\bud\bdo\bo will apply the defaults specified
- for the target user's login class if one
- exists. Only available if s\bsu\bud\bdo\bo is configured
- with the --with-logincap option. This flag is
- _\bo_\bf_\bf by default.
- noexec If set, all commands run via sudo will behave
- as if the NOEXEC tag has been set, unless
- overridden by a EXEC tag. See the description
- of _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC below as well as the "PRE
- VENTING SHELL ESCAPES" section at the end of
- this manual. This flag is _\bo_\bf_\bf by default.
- ignore_local_sudoers
- If set via LDAP, parsing of @sysconfdir@/sudo
- ers will be skipped. This is intended for an
- Enterprises that wish to prevent the usage of
- local sudoers files so that only LDAP is used.
- This thwarts the efforts of rogue operators
- who would attempt to add roles to
- @sysconfdir@/sudoers. When this option is
- present, @sysconfdir@/sudoers does not even
- need to exist. Since this options tells sudo
- how to behave when no specific LDAP entries
- have been matched, this sudoOption is only
- meaningful for the cn=defaults section. This
- flag is _\bo_\bf_\bf by default.
+1.6.9p6 October 9, 2007 6
- I\bIn\bnt\bte\beg\bge\ber\brs\bs:
- passwd_tries
- The number of tries a user gets to enter
- his/her password before s\bsu\bud\bdo\bo logs the failure
- and exits. The default is 3.
- I\bIn\bnt\bte\beg\bge\ber\brs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
- loglinelen Number of characters per line for the file
- log. This value is used to decide when to
- wrap lines for nicer log files. This has no
- effect on the syslog log file, only the file
- log. The default is 80 (use 0 or negate the
- option to disable word wrap).
- timestamp_timeout
- Number of minutes that can elapse before s\bsu\bud\bdo\bo
- will ask for a passwd again. The default is
- 5. Set this to 0 to always prompt for a pass
- word. If set to a value less than 0 the
- user's timestamp will never expire. This can
- be used to allow users to create or delete
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ W\bWi\bil\bld\bdc\bca\bar\brd\bds\bs
-1.6.8p9 June, 20 2005 9
+ s\bsu\bud\bdo\bo allows shell-style _\bw_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs (aka meta or glob char
+ acters) to be used in pathnames as well as command line
+ arguments in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. Wildcard matching is done
+ via the P\bPO\bOS\bSI\bIX\bX _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) routine. Note that these are _\bn_\bo_\bt
+ regular expressions.
+ * Matches any set of zero or more characters.
+ ? Matches any single character.
+ [...] Matches any character in the specified range.
+ [!...] Matches any character n\bno\bot\bt in the specified range.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ \x For any character "x", evaluates to "x". This is
+ used to escape special characters such as: "*",
+ "?", "[", and "}".
+ Note that a forward slash ('/') will n\bno\bot\bt be matched by
+ wildcards used in the pathname. When matching the command
+ line arguments, however, a slash d\bdo\boe\bes\bs get matched by wild
+ cards. This is to make a path like:
- their own timestamps via sudo -v and sudo -k
- respectively.
+ /usr/bin/*
- passwd_timeout
- Number of minutes before the s\bsu\bud\bdo\bo password
- prompt times out. The default is 5, set this
- to 0 for no password timeout.
+ match _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bw_\bh_\bo but not _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bX_\b1_\b1_\b/_\bx_\bt_\be_\br_\bm.
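Review bot: in the escape list on the added lines, "}" is not an fnmatch(3) metacharacter; the closing bracket "]" is presumably meant. More important, the sentence that a slash is matched by wildcards in command line arguments deserves a warning rather than a bare statement of fact: it means an entry such as `/bin/cat /var/log/*` also matches `/bin/cat /var/log/../../etc/shadow`, so argument wildcards cannot be used to confine a command to a directory. Suggest adding that example next to the `/usr/bin/*` one.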
- umask Umask to use when running the command. Negate
- this option or set it to 0777 to preserve the
- user's umask. The default is 0022.
+ E\bEx\bxc\bce\bep\bpt\bti\bio\bon\bns\bs t\bto\bo w\bwi\bil\bld\bdc\bca\bar\brd\bd r\bru\bul\ble\bes\bs
- S\bSt\btr\bri\bin\bng\bgs\bs:
+ The following exceptions apply to the above rules:
- mailsub Subject of the mail sent to the _\bm_\ba_\bi_\bl_\bt_\bo user.
- The escape %h will expand to the hostname of
- the machine. Default is *** SECURITY informa
- tion for %h ***.
+ "" If the empty string "" is the only command line
+ argument in the _\bs_\bu_\bd_\bo_\be_\br_\bs entry it means that com
+ mand is not allowed to be run with a\ban\bny\by arguments.
- badpass_message
- Message that is displayed if a user enters an
- incorrect password. The default is Sorry, try
- again. unless insults are enabled.
+ O\bOt\bth\bhe\ber\br s\bsp\bpe\bec\bci\bia\bal\bl c\bch\bha\bar\bra\bac\bct\bte\ber\brs\bs a\ban\bnd\bd r\bre\bes\bse\ber\brv\bve\bed\bd w\bwo\bor\brd\bds\bs
- timestampdir
- The directory in which s\bsu\bud\bdo\bo stores its times
- tamp files. The default is _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo.
+ The pound sign ('#') is used to indicate a comment (unless
+ it is part of a #include directive or unless it occurs in
+ the context of a user name and is followed by one or more
+ digits, in which case it is treated as a uid). Both the
+ comment character and any text after it, up to the end of
+ the line, are ignored.
- timestampowner
- The owner of the timestamp directory and the
- timestamps stored therein. The default is
- root.
+ The reserved word A\bAL\bLL\bL is a built-in _\ba_\bl_\bi_\ba_\bs that always
+ causes a match to succeed. It can be used wherever one
+ might otherwise use a Cmnd_Alias, User_Alias, Runas_Alias,
+ or Host_Alias. You should not try to define your own
+ _\ba_\bl_\bi_\ba_\bs called A\bAL\bLL\bL as the built-in alias will be used in
+ preference to your own. Please note that using A\bAL\bLL\bL can be
+ dangerous since in a command context, it allows the user
+ to run a\ban\bny\by command on the system.
- passprompt The default prompt to use when asking for a
- password; can be overridden via the -\b-p\bp option
- or the SUDO_PROMPT environment variable. The
- following percent (`%') escapes are supported:
- %u expanded to the invoking user's login
- name
- %U expanded to the login name of the user
- the command will be run as (defaults
- to root)
+1.6.9p6 October 9, 2007 7
- %h expanded to the local hostname without
- the domain name
- %H expanded to the local hostname includ
- ing the domain name (on if the
- machine's hostname is fully qualified
- or the _\bf_\bq_\bd_\bn option is set)
- %% two consecutive % characters are
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-1.6.8p9 June, 20 2005 10
+ An exclamation point ('!') can be used as a logical _\bn_\bo_\bt
+ operator both in an _\ba_\bl_\bi_\ba_\bs and in front of a Cmnd. This
+ allows one to exclude certain values. Note, however, that
+ using a ! in conjunction with the built-in ALL alias to
+ allow a user to run "all but a few" commands rarely works
+ as intended (see SECURITY NOTES below).
+ Long lines can be continued with a backslash ('\') as the
+ last character on the line.
+ Whitespace between elements in a list as well as special
+ syntactic characters in a _\bU_\bs_\be_\br _\bS_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn ('=', ':',
+ '(', ')') is optional.
+ The following characters must be escaped with a backslash
+ ('\') when used as part of a word (e.g. a username or
+ hostname): '@', '!', '=', ':', ',', '(', ')', '\'.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+S\bSU\bUD\bDO\bOE\bER\bRS\bS O\bOP\bPT\bTI\bIO\bON\bNS\bS
+ s\bsu\bud\bdo\bo's behavior can be modified by Default_Entry lines, as
+ explained earlier. A list of all supported Defaults
+ parameters, grouped by type, are listed below.
+ F\bFl\bla\bag\bgs\bs:
- collaped into a single % character
+ always_set_home If set, s\bsu\bud\bdo\bo will set the HOME environment
+ variable to the home directory of the tar
+ get user (which is root unless the -\b-u\bu
+ option is used). This effectively means
+ that the -\b-H\bH flag is always implied. This
+ flag is _\bo_\bf_\bf by default.
- The default value is Password:.
+ authenticate If set, users must authenticate themselves
+ via a password (or other means of authen
+ tication) before they may run commands.
+ This default may be overridden via the
+ PASSWD and NOPASSWD tags. This flag is _\bo_\bn
+ by default.
- runas_default
- The default user to run commands as if the -\b-u\bu
- flag is not specified on the command line.
- This defaults to root. Note that if
- _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt is set it m\bmu\bus\bst\bt occur before any
- Runas_Alias specifications.
+ env_editor If set, v\bvi\bis\bsu\bud\bdo\bo will use the value of the
+ EDITOR or VISUAL environment variables
+ before falling back on the default editor
+ list. Note that this may create a secu
+ rity hole as it allows the user to run any
+ arbitrary command as root without logging.
+ A safer alternative is to place a colon-
+ separated list of editors in the editor
+ variable. v\bvi\bis\bsu\bud\bdo\bo will then only use the
+ EDITOR or VISUAL if they match a value
+ specified in editor. This flag is _\bo_\bf_\bf by
+ default.
- syslog_goodpri
- Syslog priority to use when user authenticates
- successfully. Defaults to notice.
+ env_reset If set, s\bsu\bud\bdo\bo will reset the environment to
+ only contain the LOGNAME, SHELL, USER,
- syslog_badpri
- Syslog priority to use when user authenticates
- unsuccessfully. Defaults to alert.
- editor A colon (':') separated list of editors
- allowed to be used with v\bvi\bis\bsu\bud\bdo\bo. v\bvi\bis\bsu\bud\bdo\bo will
- choose the editor that matches the user's USER
- environment variable if possible, or the first
- editor in the list that exists and is exe
- cutable. The default is the path to vi on
- your system.
- noexec_file Path to a shared library containing dummy ver
- sions of the _\be_\bx_\be_\bc_\bv_\b(_\b), _\be_\bx_\be_\bc_\bv_\be_\b(_\b) and _\bf_\be_\bx_\be_\bc_\bv_\be_\b(_\b)
- library functions that just return an error.
- This is used to implement the _\bn_\bo_\be_\bx_\be_\bc function
- ality on systems that support LD_PRELOAD or
- its equivalent. Defaults to
- _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc_\b/_\bs_\bu_\bd_\bo_\b__\bn_\bo_\be_\bx_\be_\bc_\b._\bs_\bo.
+1.6.9p6 October 9, 2007 8
- S\bSt\btr\bri\bin\bng\bgs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
- lecture This option controls when a short lecture will
- be printed along with the password prompt. It
- has the following possible values:
- never Never lecture the user.
- once Only lecture the user the first time
- they run s\bsu\bud\bdo\bo.
- always Always lecture the user.
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- If no value is specified, a value of _\bo_\bn_\bc_\be is
- implied. Negating the option results in a
- value of _\bn_\be_\bv_\be_\br being used. The default value
- is _\bo_\bn_\bc_\be.
+ USERNAME and the SUDO_* variables. Any
+ variables in the caller's environment that
+ match the env_keep and env_check lists are
+ then added. The default contents of the
+ env_keep and env_check lists are displayed
+ when s\bsu\bud\bdo\bo is run by root with the _\b-_\bV
+ option. If s\bsu\bud\bdo\bo was compiled with the
+ SECURE_PATH option, its value will be used
+ for the PATH environment variable. This
+ flag is _\bo_\bn by default.
+
+ fqdn Set this flag if you want to put fully
+ qualified hostnames in the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
+ I.e., instead of myhost you would use
+ myhost.mydomain.edu. You may still use
+ the short form if you wish (and even mix
+ the two). Beware that turning on _\bf_\bq_\bd_\bn
+ requires s\bsu\bud\bdo\bo to make DNS lookups which
+ may make s\bsu\bud\bdo\bo unusable if DNS stops work
+ ing (for example if the machine is not
+ plugged into the network). Also note that
+ you must use the host's official name as
+ DNS knows it. That is, you may not use a
+ host alias (CNAME entry) due to perfor
+ mance issues and the fact that there is no
+ way to get all aliases from DNS. If your
+ machine's hostname (as returned by the
+ hostname command) is already fully quali
+ fied you shouldn't need to set _\bf_\bq_\bd_\bn. This
+ flag is _\bo_\bf_\bf by default.
+
+ ignore_dot If set, s\bsu\bud\bdo\bo will ignore '.' or '' (cur
+ rent dir) in the PATH environment vari
+ able; the PATH itself is not modified.
+ This flag is _\bo_\bf_\bf by default. Currently,
+ while it is possible to set _\bi_\bg_\bn_\bo_\br_\be_\b__\bd_\bo_\bt in
+ _\bs_\bu_\bd_\bo_\be_\br_\bs, its value is not used. This
+ option should be considered read-only (it
+ will be fixed in a future version of
+ s\bsu\bud\bdo\bo).
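Review bot: the ignore_dot entry still carries "its value is not used ... it will be fixed in a future version of sudo", copied unchanged from the 1.6.8p9 text being removed above. A flag documented as settable but ignored is a trap for anyone relying on it for PATH hygiene; either the flag now takes effect and the sentence should go, or the entry should say clearly that it has no effect in this version.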
+ ignore_local_sudoers
+ If set via LDAP, parsing of
+ @sysconfdir@/sudoers will be skipped.
+ This is intended for Enterprises that wish
+ to prevent the usage of local sudoers
+ files so that only LDAP is used. This
+ thwarts the efforts of rogue operators who
+ would attempt to add roles to
+ @sysconfdir@/sudoers. When this option is
+ present, @sysconfdir@/sudoers does not
+ even need to exist. Since this option
+ tells s\bsu\bud\bdo\bo how to behave when no specific
+ LDAP entries have been matched, this
-1.6.8p9 June, 20 2005 11
+1.6.9p6 October 9, 2007 9
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- lecture_file
- Path to a file containing an alternate sudo
- lecture that will be used in place of the
- standard lecture if the named file exists.
+ sudoOption is only meaningful for the
+ cn=defaults section. This flag is _\bo_\bf_\bf by
+ default.
- logfile Path to the s\bsu\bud\bdo\bo log file (not the syslog log
- file). Setting a path turns on logging to a
- file; negating this option turns it off.
+ insults If set, s\bsu\bud\bdo\bo will insult users when they
+ enter an incorrect password. This flag is
+ _\bo_\bf_\bf by default.
- syslog Syslog facility if syslog is being used for
- logging (negate to disable syslog logging).
- Defaults to local2.
+ log_host If set, the hostname will be logged in the
+ (non-syslog) s\bsu\bud\bdo\bo log file. This flag is
+ _\bo_\bf_\bf by default.
- mailerpath Path to mail program used to send warning
- mail. Defaults to the path to sendmail found
- at configure time.
+ log_year If set, the four-digit year will be logged
+ in the (non-syslog) s\bsu\bud\bdo\bo log file. This
+ flag is _\bo_\bf_\bf by default.
- mailerflags Flags to use when invoking mailer. Defaults to
- -\b-t\bt.
+ long_otp_prompt When validating with a One Time Password
+ (OPT) scheme such as S\bS/\b/K\bKe\bey\by or O\bOP\bPI\bIE\bE, a two-
+ line prompt is used to make it easier to
+ cut and paste the challenge to a local
+ window. It's not as pretty as the default
+ but some people find it more convenient.
+ This flag is _\bo_\bf_\bf by default.
- mailto Address to send warning and error mail to.
- The address should be enclosed in double
- quotes (") to protect against sudo interpret
- ing the @ sign. Defaults to root.
+ mail_always Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user every time a
+ users runs s\bsu\bud\bdo\bo. This flag is _\bo_\bf_\bf by
+ default.
- exempt_group
- Users in this group are exempt from password
- and PATH requirements. This is not set by
- default.
+ mail_badpass Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user if the user
+ running s\bsu\bud\bdo\bo does not enter the correct
+ password. This flag is _\bo_\bf_\bf by default.
- verifypw This option controls when a password will be
- required when a user runs s\bsu\bud\bdo\bo with the -\b-v\bv
- flag. It has the following possible values:
+ mail_no_host If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo
+ user if the invoking user exists in the
+ _\bs_\bu_\bd_\bo_\be_\br_\bs file, but is not allowed to run
+ commands on the current host. This flag
+ is _\bo_\bf_\bf by default.
- all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the
- current host must have the NOPASSWD
- flag set to avoid entering a password.
+ mail_no_perms If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo
+ user if the invoking user is allowed to
+ use s\bsu\bud\bdo\bo but the command they are trying
+ is not listed in their _\bs_\bu_\bd_\bo_\be_\br_\bs file entry
+ or is explicitly denied. This flag is _\bo_\bf_\bf
+ by default.
- any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs
- entries for the current host must have
- the NOPASSWD flag set to avoid enter
- ing a password.
+ mail_no_user If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo
+ user if the invoking user is not in the
+ _\bs_\bu_\bd_\bo_\be_\br_\bs file. This flag is _\bo_\bn by default.
- never The user need never enter a password
- to use the -\b-v\bv flag.
+ noexec If set, all commands run via s\bsu\bud\bdo\bo will
+ behave as if the NOEXEC tag has been set,
+ unless overridden by a EXEC tag. See the
+ description of _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC below as
+ well as the "PREVENTING SHELL ESCAPES"
- always The user must always enter a password
- to use the -\b-v\bv flag.
- If no value is specified, a value of _\ba_\bl_\bl is
- implied. Negating the option results in a
- value of _\bn_\be_\bv_\be_\br being used. The default value
- is _\ba_\bl_\bl.
+1.6.9p6 October 9, 2007 10
-1.6.8p9 June, 20 2005 12
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ section at the end of this manual. This
+ flag is _\bo_\bf_\bf by default.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ path_info Normally, s\bsu\bud\bdo\bo will tell the user when a
+ command could not be found in their PATH
+ environment variable. Some sites may wish
+ to disable this as it could be used to
+ gather information on the location of exe
+ cutables that the normal user does not
+ have access to. The disadvantage is that
+ if the executable is simply not in the
+ user's PATH, s\bsu\bud\bdo\bo will tell the user that
+ they are not allowed to run it, which can
+ be confusing. This flag is _\bo_\bn by default.
+ preserve_groups By default s\bsu\bud\bdo\bo will initialize the group
+ vector to the list of groups the target
+ user is in. When _\bp_\br_\be_\bs_\be_\br_\bv_\be_\b__\bg_\br_\bo_\bu_\bp_\bs is set,
+ the user's existing group vector is left
+ unaltered. The real and effective group
+ IDs, however, are still set to match the
+ target user. This flag is _\bo_\bf_\bf by default.
- listpw This option controls when a password will be
- required when a user runs s\bsu\bud\bdo\bo with the -\b-l\bl
- flag. It has the following possible values:
+ requiretty If set, s\bsu\bud\bdo\bo will only run when the user
+ is logged in to a real tty. This will
+ disallow things like "rsh somehost sudo
+ ls" since _\br_\bs_\bh(1) does not allocate a tty.
+ Because it is not possible to turn off
+ echo when there is no tty present, some
+ sites may wish to set this flag to prevent
+ a user from entering a visible password.
+ This flag is _\bo_\bf_\bf by default.
- all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the
- current host must have the NOPASSWD
- flag set to avoid entering a password.
+ root_sudo If set, root is allowed to run s\bsu\bud\bdo\bo too.
+ Disabling this prevents users from "chain
+ ing" s\bsu\bud\bdo\bo commands to get a root shell by
+ doing something like "sudo sudo /bin/sh".
+ Note, however, that turning off _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo
+ will also prevent root and from running
+ s\bsu\bud\bdo\boe\bed\bdi\bit\bt. Disabling _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo provides no
+ real additional security; it exists purely
+ for historical reasons. This flag is _\bo_\bn
+ by default.
- any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs
- entries for the current host must have
- the NOPASSWD flag set to avoid enter
- ing a password.
+ rootpw If set, s\bsu\bud\bdo\bo will prompt for the root
+ password instead of the password of the
+ invoking user. This flag is _\bo_\bf_\bf by
+ default.
- never The user need never enter a password
- to use the -\b-l\bl flag.
+ runaspw If set, s\bsu\bud\bdo\bo will prompt for the password
+ of the user defined by the _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt
+ option (defaults to root) instead of the
+ password of the invoking user. This flag
+ is _\bo_\bf_\bf by default.
- always The user must always enter a password
- to use the -\b-l\bl flag.
- If no value is specified, a value of _\ba_\bn_\by is
- implied. Negating the option results in a
- value of _\bn_\be_\bv_\be_\br being used. The default value
- is _\ba_\bn_\by.
- L\bLi\bis\bst\bts\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
+1.6.9p6 October 9, 2007 11
+
- env_check Environment variables to be removed from the
- user's environment if the variable's value
- contains % or / characters. This can be used
- to guard against printf-style format vulnera
- bilities in poorly-written programs. The
- argument may be a double-quoted, space-sepa
- rated list or a single value without dou
- ble-quotes. The list can be replaced, added
- to, deleted from, or disabled by using the =,
- +=, -=, and ! operators respectively. The
- default list of environment variables to check
- is printed when s\bsu\bud\bdo\bo is run by root with the
- _\b-_\bV option.
- env_delete Environment variables to be removed from the
- user's environment. The argument may be a
- double-quoted, space-separated list or a sin
- gle value without double-quotes. The list can
- be replaced, added to, deleted from, or dis
- abled by using the =, +=, -=, and ! operators
- respectively. The default list of environment
- variables to remove is printed when s\bsu\bud\bdo\bo is
- run by root with the _\b-_\bV option. Note that
- many operating systems will remove potentially
- dangerous variables from the environment of
- any setuid process (such as s\bsu\bud\bdo\bo).
- env_keep Environment variables to be preserved in the
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-1.6.8p9 June, 20 2005 13
+ set_home If set and s\bsu\bud\bdo\bo is invoked with the -\b-s\bs
+ flag the HOME environment variable will be
+ set to the home directory of the target
+ user (which is root unless the -\b-u\bu option
+ is used). This effectively makes the -\b-s\bs
+ flag imply -\b-H\bH. This flag is _\bo_\bf_\bf by
+ default.
+
+ set_logname Normally, s\bsu\bud\bdo\bo will set the LOGNAME, USER
+ and USERNAME environment variables to the
+ name of the target user (usually root
+ unless the -\b-u\bu flag is given). However,
+ since some programs (including the RCS
+ revision control system) use LOGNAME to
+ determine the real identity of the user,
+ it may be desirable to change this behav
+ ior. This can be done by negating the
+ set_logname option. Note that if the
+ _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option has not been disabled,
+ entries in the _\be_\bn_\bv_\b__\bk_\be_\be_\bp list will override
+ the value of _\bs_\be_\bt_\b__\bl_\bo_\bg_\bn_\ba_\bm_\be. This flag is
+ _\bo_\bf_\bf by default.
+
+ setenv Allow the user to disable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt
+ option from the command line. Addition
+ ally, environment variables set via the
+ command line are not subject to the
+ restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk,
+ _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such, only
+ trusted users should be allowed to set
+ variables in this manner. This flag is
+ _\bo_\bf_\bf by default.
+
+ shell_noargs If set and s\bsu\bud\bdo\bo is invoked with no argu
+ ments it acts as if the -\b-s\bs flag had been
+ given. That is, it runs a shell as root
+ (the shell is determined by the SHELL
+ environment variable if it is set, falling
+ back on the shell listed in the invoking
+ user's /etc/passwd entry if not). This
+ flag is _\bo_\bf_\bf by default.
+
+ stay_setuid Normally, when s\bsu\bud\bdo\bo executes a command the
+ real and effective UIDs are set to the
+ target user (root by default). This
+ option changes that behavior such that the
+ real UID is left as the invoking user's
+ UID. In other words, this makes s\bsu\bud\bdo\bo act
+ as a setuid wrapper. This can be useful
+ on systems that disable some potentially
+ dangerous functionality when a program is
+ run setuid. This option is only effective
+ on systems with either the _\bs_\be_\bt_\br_\be_\bu_\bi_\bd_\b(_\b) or
+ _\bs_\be_\bt_\br_\be_\bs_\bu_\bi_\bd_\b(_\b) function. This flag is _\bo_\bf_\bf by
+
+
+
+1.6.9p6 October 9, 2007 12
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
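Review bot: the set_logname entry contradicts itself. It opens with "Normally, sudo will set the LOGNAME, USER and USERNAME environment variables" and says the behaviour is changed "by negating the set_logname option", which only makes sense if the flag is on, yet it ends with "This flag is off by default"; given the first two sentences the last one should read "on by default", otherwise readers will assume the variables are not set unless they add the option. Smaller fixes in the same region: "One Time Password (OPT)" under long_otp_prompt should be OTP; "every time a users runs sudo" under mail_always should be "a user runs"; "unless overridden by a EXEC tag" under noexec should be "an EXEC tag"; and "will also prevent root and from running sudoedit" under root_sudo has a stray "and". The shell_noargs entry says the shell runs "as root", but the target is whatever the runas default is; "as the default runas user (root unless runas_default is changed)" would match the runas_default entry elsewhere on this page.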
- user's environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option
- is in effect. This allows fine-grained con
- trol over the environment s\bsu\bud\bdo\bo-spawned pro
- cesses will receive. The argument may be a
- double-quoted, space-separated list or a sin
- gle value without double-quotes. The list can
- be replaced, added to, deleted from, or dis
- abled by using the =, +=, -=, and ! operators
- respectively. This list has no default mem
- bers.
+ default.
- When logging via _\bs_\by_\bs_\bl_\bo_\bg(3), s\bsu\bud\bdo\bo accepts the following
- values for the syslog facility (the value of the s\bsy\bys\bsl\blo\bog\bg
- Parameter): a\bau\but\bth\bhp\bpr\bri\biv\bv (if your OS supports it), a\bau\but\bth\bh, d\bda\bae\be\b
- m\bmo\bon\bn, u\bus\bse\ber\br, l\blo\boc\bca\bal\bl0\b0, l\blo\boc\bca\bal\bl1\b1, l\blo\boc\bca\bal\bl2\b2, l\blo\boc\bca\bal\bl3\b3, l\blo\boc\bca\bal\bl4\b4, l\blo\boc\bca\bal\bl5\b5,
- l\blo\boc\bca\bal\bl6\b6, and l\blo\boc\bca\bal\bl7\b7. The following syslog priorities are
- supported: a\bal\ble\ber\brt\bt, c\bcr\bri\bit\bt, d\bde\beb\bbu\bug\bg, e\bem\bme\ber\brg\bg, e\ber\brr\br, i\bin\bnf\bfo\bo, n\bno\bot\bti\bic\bce\be,
- and w\bwa\bar\brn\bni\bin\bng\bg.
+ targetpw If set, s\bsu\bud\bdo\bo will prompt for the password
+ of the user specified by the -\b-u\bu flag
+ (defaults to root) instead of the password
+ of the invoking user. Note that this pre
+ cludes the use of a uid not listed in the
+ passwd database as an argument to the -\b-u\bu
+ flag. This flag is _\bo_\bf_\bf by default.
- U\bUs\bse\ber\br S\bSp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn
+ tty_tickets If set, users must authenticate on a per-
+ tty basis. Normally, s\bsu\bud\bdo\bo uses a direc
+ tory in the ticket dir with the same name
+ as the user running it. With this flag
+ enabled, s\bsu\bud\bdo\bo will use a file named for
+ the tty the user is logged in on in that
+ directory. This flag is _\bo_\bf_\bf by default.
- User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
- (':' Host_List '=' Cmnd_Spec_List)*
+ use_loginclass If set, s\bsu\bud\bdo\bo will apply the defaults spec
+ ified for the target user's login class if
+ one exists. Only available if s\bsu\bud\bdo\bo is
+ configured with the --with-logincap
+ option. This flag is _\bo_\bf_\bf by default.
- Cmnd_Spec_List ::= Cmnd_Spec |
- Cmnd_Spec ',' Cmnd_Spec_List
+ I\bIn\bnt\bte\beg\bge\ber\brs\bs:
- Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
+ passwd_tries The number of tries a user gets to enter
+ his/her password before s\bsu\bud\bdo\bo logs the
+ failure and exits. The default is 3.
- Runas_Spec ::= '(' Runas_List ')'
+ I\bIn\bnt\bte\beg\bge\ber\brs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
- Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:')
+ loglinelen Number of characters per line for the file
+ log. This value is used to decide when to
+ wrap lines for nicer log files. This has
+ no effect on the syslog log file, only the
+ file log. The default is 80 (use 0 or
+ negate the option to disable word wrap).
- A u\bus\bse\ber\br s\bsp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn determines which commands a user may
- run (and as what user) on specified hosts. By default,
- commands are run as r\bro\boo\bot\bt, but this can be changed on a
- per-command basis.
+ passwd_timeout Number of minutes before the s\bsu\bud\bdo\bo password
+ prompt times out. The default is 5; set
+ this to 0 for no password timeout.
- Let's break that down into its constituent parts:
+ timestamp_timeout
+ Number of minutes that can elapse before
+ s\bsu\bud\bdo\bo will ask for a passwd again. The
+ default is 5. Set this to 0 to always
+ prompt for a password. If set to a value
+ less than 0 the user's timestamp will
+ never expire. This can be used to allow
+ users to create or delete their own times
+ tamps via sudo -v and sudo -k respec
+ tively.
- R\bRu\bun\bna\bas\bs_\b_S\bSp\bpe\bec\bc
- A Runas_Spec is simply a Runas_List (as defined above)
- enclosed in a set of parentheses. If you do not specify a
- Runas_Spec in the user specification, a default Runas_Spec
- of r\bro\boo\bot\bt will be used. A Runas_Spec sets the default for
- commands that follow it. What this means is that for the
- entry:
- dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
- The user d\bdg\bgb\bb may run _\b/_\bb_\bi_\bn_\b/_\bl_\bs, _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm
- -- but only as o\bop\bpe\ber\bra\bat\bto\bor\br. E.g.,
+1.6.9p6 October 9, 2007 13
-1.6.8p9 June, 20 2005 14
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ umask Umask to use when running the command.
+ Negate this option or set it to 0777 to
+ preserve the user's umask. The default is
+ 0022.
+ S\bSt\btr\bri\bin\bng\bgs\bs:
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ badpass_message Message that is displayed if a user enters
+ an incorrect password. The default is
+ Sorry, try again. unless insults are
+ enabled.
+
+ editor A colon (':') separated list of editors
+ allowed to be used with v\bvi\bis\bsu\bud\bdo\bo. v\bvi\bis\bsu\bud\bdo\bo
+ will choose the editor that matches the
+ user's EDITOR environment variable if pos
+ sible, or the first editor in the list
+ that exists and is executable. The
+ default is the path to vi on your system.
+
+ mailsub Subject of the mail sent to the _\bm_\ba_\bi_\bl_\bt_\bo
+ user. The escape %h will expand to the
+ hostname of the machine. Default is ***
+ SECURITY information for %h ***.
+
+ noexec_file Path to a shared library containing dummy
+ versions of the _\be_\bx_\be_\bc_\bv_\b(_\b), _\be_\bx_\be_\bc_\bv_\be_\b(_\b) and _\bf_\be_\bx_\b
+ _\be_\bc_\bv_\be_\b(_\b) library functions that just return
+ an error. This is used to implement the
+ _\bn_\bo_\be_\bx_\be_\bc functionality on systems that sup
+ port LD_PRELOAD or its equivalent.
+ Defaults to
+ _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc_\b/_\bs_\bu_\bd_\bo_\b__\bn_\bo_\be_\bx_\be_\bc_\b._\bs_\bo.
+
+ passprompt The default prompt to use when asking for
+ a password; can be overridden via the -\b-p\bp
+ option or the SUDO_PROMPT environment
+ variable. The following percent (`%')
+ escapes are supported:
+
+ %H expanded to the local hostname includ
+ ing the domain name (on if the
+ machine's hostname is fully qualified
+ or the _\bf_\bq_\bd_\bn option is set)
+ %h expanded to the local hostname without
+ the domain name
- $ sudo -u operator /bin/ls.
+ %U expanded to the login name of the user
+ the command will be run as (defaults
+ to root)
- It is also possible to override a Runas_Spec later on in
- an entry. If we modify the entry like so:
+ %u expanded to the invoking user's login
+ name
- dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
- Then user d\bdg\bgb\bb is now allowed to run _\b/_\bb_\bi_\bn_\b/_\bl_\bs as o\bop\bpe\ber\bra\bat\bto\bor\br,
- but _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as r\bro\boo\bot\bt.
- T\bTa\bag\bg_\b_S\bSp\bpe\bec\bc
+1.6.9p6 October 9, 2007 14
- A command may have zero or more tags associated with it.
- There are four possible tag values, NOPASSWD, PASSWD,
- NOEXEC, EXEC. Once a tag is set on a Cmnd, subsequent
- Cmnds in the Cmnd_Spec_List, inherit the tag unless it is
- overridden by the opposite tag (ie: PASSWD overrides
- NOPASSWD and EXEC overrides NOEXEC).
- _\bN_\bO_\bP_\bA_\bS_\bS_\bW_\bD _\ba_\bn_\bd _\bP_\bA_\bS_\bS_\bW_\bD
- By default, s\bsu\bud\bdo\bo requires that a user authenticate him or
- herself before running a command. This behavior can be
- modified via the NOPASSWD tag. Like a Runas_Spec, the
- NOPASSWD tag sets a default for the commands that follow
- it in the Cmnd_Spec_List. Conversely, the PASSWD tag can
- be used to reverse things. For example:
- ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
- would allow the user r\bra\bay\by to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, _\b/_\bb_\bi_\bn_\b/_\bl_\bs, and
- _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as root on the machine rushmore as r\bro\boo\bot\bt
- without authenticating himself. If we only want r\bra\bay\by to be
- able to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl without a password the entry would
- be:
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
- Note, however, that the PASSWD tag has no effect on users
- who are in the group specified by the exempt_group option.
+ %% two consecutive % characters are col
+ lapsed into a single % character
- By default, if the NOPASSWD tag is applied to any of the
- entries for a user on the current host, he or she will be
- able to run sudo -l without a password. Additionally, a
- user may only run sudo -v without a password if the
- NOPASSWD tag is present for all a user's entries that per
- tain to the current host. This behavior may be overridden
- via the verifypw and listpw options.
+ The default value is Password:.
- _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC
+ runas_default The default user to run commands as if the
+ -\b-u\bu flag is not specified on the command
+ line. This defaults to root. Note that
+ if _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt is set it m\bmu\bus\bst\bt occur
+ before any Runas_Alias specifications.
- If sudo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the
- underlying operating system support it, the NOEXEC tag can
- be used to prevent a dynamically-linked executable from
+ syslog_badpri Syslog priority to use when user authenti
+ cates unsuccessfully. Defaults to alert.
+ syslog_goodpri Syslog priority to use when user authenti
+ cates successfully. Defaults to notice.
+ timestampdir The directory in which s\bsu\bud\bdo\bo stores its
+ timestamp files. The default is
+ _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo.
-1.6.8p9 June, 20 2005 15
+ timestampowner The owner of the timestamp directory and
+ the timestamps stored therein. The
+ default is root.
+ S\bSt\btr\bri\bin\bng\bgs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
+ exempt_group
+ Users in this group are exempt from password
+ and PATH requirements. This is not set by
+ default.
+ lecture This option controls when a short lecture will
+ be printed along with the password prompt. It
+ has the following possible values:
+ always Always lecture the user.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ never Never lecture the user.
+ once Only lecture the user the first time
+ they run s\bsu\bud\bdo\bo.
- running further commands itself.
+ If no value is specified, a value of _\bo_\bn_\bc_\be is
+ implied. Negating the option results in a
+ value of _\bn_\be_\bv_\be_\br being used. The default value
+ is _\bo_\bn_\bc_\be.
- In the following example, user a\baa\bar\bro\bon\bn may run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be
- and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi but shell escapes will be disabled.
+ lecture_file
+ Path to a file containing an alternate s\bsu\bud\bdo\bo
+ lecture that will be used in place of the
+ standard lecture if the named file exists. By
+ default, s\bsu\bud\bdo\bo uses a built-in lecture.
- aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
- See the "PREVENTING SHELL ESCAPES" section below for more
- details on how _\bn_\bo_\be_\bx_\be_\bc works and whether or not it will
- work on your system.
- W\bWi\bil\bld\bdc\bca\bar\brd\bds\bs
- s\bsu\bud\bdo\bo allows shell-style _\bw_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs (aka meta or glob char
- acters) to be used in pathnames as well as command line
- arguments in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. Wildcard matching is done
- via the P\bPO\bOS\bSI\bIX\bX _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) routine. Note that these are _\bn_\bo_\bt
- regular expressions.
+1.6.9p6 October 9, 2007 15
- * Matches any set of zero or more characters.
- ? Matches any single character.
- [...] Matches any character in the specified range.
- [!...] Matches any character n\bno\bot\bt in the specified range.
- \x For any character "x", evaluates to "x". This is
- used to escape special characters such as: "*",
- "?", "[", and "}".
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- Note that a forward slash ('/') will n\bno\bot\bt be matched by
- wildcards used in the pathname. When matching the command
- line arguments, however, a slash d\bdo\boe\bes\bs get matched by wild
- cards. This is to make a path like:
- /usr/bin/*
+ listpw This option controls when a password will be
+ required when a user runs s\bsu\bud\bdo\bo with the -\b-l\bl
+ flag. It has the following possible values:
- match _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bw_\bh_\bo but not _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bX_\b1_\b1_\b/_\bx_\bt_\be_\br_\bm.
+ all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the
+ current host must have the NOPASSWD
+ flag set to avoid entering a password.
- WARNING: a pathname with wildcards will n\bno\bot\bt match a user
- command that consists of a relative path. In other words,
- given the following _\bs_\bu_\bd_\bo_\be_\br_\bs entry:
+ always The user must always enter a password
+ to use the -\b-l\bl flag.
- billy workstation = /usr/bin/*
+ any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs
+ entries for the current host must have
+ the NOPASSWD flag set to avoid enter
+ ing a password.
- user billy will be able to run any command in /usr/bin as
- root, such as _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bw. The following two command will
- be allowed (the first assumes that _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn is in the
- user's path):
+ never The user need never enter a password
+ to use the -\b-l\bl flag.
- $ sudo w
- $ sudo /usr/bin/w
+ If no value is specified, a value of _\ba_\bn_\by is
+ implied. Negating the option results in a
+ value of _\bn_\be_\bv_\be_\br being used. The default value
+ is _\ba_\bn_\by.
+ logfile Path to the s\bsu\bud\bdo\bo log file (not the syslog log
+ file). Setting a path turns on logging to a
+ file; negating this option turns it off. By
+ default, s\bsu\bud\bdo\bo logs via syslog.
+ mailerflags Flags to use when invoking mailer. Defaults to
+ -\b-t\bt.
+ mailerpath Path to mail program used to send warning
+ mail. Defaults to the path to sendmail found
+ at configure time.
-1.6.8p9 June, 20 2005 16
+ mailto Address to send warning and error mail to.
+ The address should be enclosed in double
+ quotes (") to protect against s\bsu\bud\bdo\bo interpret
+ ing the @ sign. Defaults to root.
+ syslog Syslog facility if syslog is being used for
+ logging (negate to disable syslog logging).
+ Defaults to local2.
+ verifypw This option controls when a password will be
+ required when a user runs s\bsu\bud\bdo\bo with the -\b-v\bv
+ flag. It has the following possible values:
+ all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the
+ current host must have the NOPASSWD
+ flag set to avoid entering a password.
+ always The user must always enter a password
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- However, this will not:
+1.6.9p6 October 9, 2007 16
- $ cd /usr/bin
- $ sudo ./w
- For this reason you should only g\bgr\bra\ban\bnt\bt access to commands
- using wildcards and never r\bre\bes\bst\btr\bri\bic\bct\bt access using them.
- This limitation will be removed in a future version of
- s\bsu\bud\bdo\bo.
- E\bEx\bxc\bce\bep\bpt\bti\bio\bon\bns\bs t\bto\bo w\bwi\bil\bld\bdc\bca\bar\brd\bd r\bru\bul\ble\bes\bs
- The following exceptions apply to the above rules:
- "" If the empty string "" is the only command line
- argument in the _\bs_\bu_\bd_\bo_\be_\br_\bs entry it means that com
- mand is not allowed to be run with a\ban\bny\by arguments.
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- O\bOt\bth\bhe\ber\br s\bsp\bpe\bec\bci\bia\bal\bl c\bch\bha\bar\bra\bac\bct\bte\ber\brs\bs a\ban\bnd\bd r\bre\bes\bse\ber\brv\bve\bed\bd w\bwo\bor\brd\bds\bs
- The pound sign ('#') is used to indicate a comment (unless
- it occurs in the context of a user name and is followed by
- one or more digits, in which case it is treated as a uid).
- Both the comment character and any text after it, up to
- the end of the line, are ignored.
+ to use the -\b-v\bv flag.
- The reserved word A\bAL\bLL\bL is a built-in _\ba_\bl_\bi_\ba_\bs that always
- causes a match to succeed. It can be used wherever one
- might otherwise use a Cmnd_Alias, User_Alias, Runas_Alias,
- or Host_Alias. You should not try to define your own
- _\ba_\bl_\bi_\ba_\bs called A\bAL\bLL\bL as the built-in alias will be used in
- preference to your own. Please note that using A\bAL\bLL\bL can be
- dangerous since in a command context, it allows the user
- to run a\ban\bny\by command on the system.
+ any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs
+ entries for the current host must have
+ the NOPASSWD flag set to avoid enter
+ ing a password.
- An exclamation point ('!') can be used as a logical _\bn_\bo_\bt
- operator both in an _\ba_\bl_\bi_\ba_\bs and in front of a Cmnd. This
- allows one to exclude certain values. Note, however, that
- using a ! in conjunction with the built-in ALL alias to
- allow a user to run "all but a few" commands rarely works
- as intended (see SECURITY NOTES below).
+ never The user need never enter a password
+ to use the -\b-v\bv flag.
- Long lines can be continued with a backslash ('\') as the
- last character on the line.
+ If no value is specified, a value of _\ba_\bl_\bl is
+ implied. Negating the option results in a
+ value of _\bn_\be_\bv_\be_\br being used. The default value
+ is _\ba_\bl_\bl.
- Whitespace between elements in a list as well as special
- syntactic characters in a _\bU_\bs_\be_\br _\bS_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn ('=', ':',
- '(', ')') is optional.
+ L\bLi\bis\bst\bts\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
- The following characters must be escaped with a backslash
- ('\') when used as part of a word (e.g. a username or
- hostname): '@', '!', '=', ':', ',', '(', ')', '\'.
+ env_check Environment variables to be removed from
+ the user's environment if the variable's
+ value contains % or / characters. This
+ can be used to guard against printf-style
+ format vulnerabilities in poorly-written
+ programs. The argument may be a dou
+ ble-quoted, space-separated list or a sin
+ gle value without double-quotes. The list
+ can be replaced, added to, deleted from,
+ or disabled by using the =, +=, -=, and !
+ operators respectively. Regardless of
+ whether the env_reset option is enabled or
+ disabled, variables specified by env_check
+ will be preserved in the environment if
+ they pass the aforementioned check. The
+ default list of environment variables to
+ check is displayed when s\bsu\bud\bdo\bo is run by
+ root with the _\b-_\bV option.
+ env_delete Environment variables to be removed from
+ the user's environment. The argument may
+ be a double-quoted, space-separated list
+ or a single value without double-quotes.
+ The list can be replaced, added to,
+ deleted from, or disabled by using the =,
+ +=, -=, and ! operators respectively. The
+ default list of environment variables to
+ remove is displayed when s\bsu\bud\bdo\bo is run by
+ root with the _\b-_\bV option. Note that many
+ operating systems will remove potentially
+ dangerous variables from the environment
+ of any setuid process (such as s\bsu\bud\bdo\bo).
+ env_keep Environment variables to be preserved in
+ the user's environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt
+ option is in effect. This allows fine-
+ grained control over the environment
-1.6.8p9 June, 20 2005 17
+1.6.9p6 October 9, 2007 17
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
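Review bot: the timestamp_timeout entry presents a negative value ("the user's timestamp will never expire") only as a convenience for letting users manage their own timestamps with sudo -v and sudo -k, without saying what that costs: one successful authentication then grants password-free sudo for that user (or that user's tty, with tty_tickets) until the timestamp is explicitly removed with sudo -k, so a walked-away session keeps its privilege indefinitely. Suggest a one-sentence caution beside that sentence. Typos and layout in the same region: "ask for a passwd again" should be "password"; under passprompt, "%H ... (on if the machine's hostname is fully qualified" should be "only if"; the noexec_file entry breaks "fexecve()" across a line as "fex-" / "ecve()" inside the underline escapes, which renders as a broken word; and the badpass_message default "Sorry, try again." and the passprompt default "Password:" both run straight into the sentence's own full stop, so quoting the default strings would remove the ambiguity about what is part of the message.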
+ s\bsu\bud\bdo\bo-spawned processes will receive. The
+ argument may be a double-quoted, space-
+ separated list or a single value without
+ double-quotes. The list can be replaced,
+ added to, deleted from, or disabled by
+ using the =, +=, -=, and ! operators
+ respectively. The default list of vari
+ ables to keep is displayed when s\bsu\bud\bdo\bo is
+ run by root with the _\b-_\bV option.
+
+ When logging via _\bs_\by_\bs_\bl_\bo_\bg(3), s\bsu\bud\bdo\bo accepts the following
+ values for the syslog facility (the value of the s\bsy\bys\bsl\blo\bog\bg
+ Parameter): a\bau\but\bth\bhp\bpr\bri\biv\bv (if your OS supports it), a\bau\but\bth\bh, d\bda\bae\be\b
+ m\bmo\bon\bn, u\bus\bse\ber\br, l\blo\boc\bca\bal\bl0\b0, l\blo\boc\bca\bal\bl1\b1, l\blo\boc\bca\bal\bl2\b2, l\blo\boc\bca\bal\bl3\b3, l\blo\boc\bca\bal\bl4\b4, l\blo\boc\bca\bal\bl5\b5,
+ l\blo\boc\bca\bal\bl6\b6, and l\blo\boc\bca\bal\bl7\b7. The following syslog priorities are
+ supported: a\bal\ble\ber\brt\bt, c\bcr\bri\bit\bt, d\bde\beb\bbu\bug\bg, e\bem\bme\ber\brg\bg, e\ber\brr\br, i\bin\bnf\bfo\bo, n\bno\bot\bti\bic\bce\be,
+ and w\bwa\bar\brn\bni\bin\bng\bg.
+
F\bFI\bIL\bLE\bES\bS
- /etc/sudoers List of who can run what
- /etc/group Local groups file
- /etc/netgroup List of network groups
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
+ _\b/_\be_\bt_\bc_\b/_\bg_\br_\bo_\bu_\bp Local groups file
+ _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bg_\br_\bo_\bu_\bp List of network groups
E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
Since the _\bs_\bu_\bd_\bo_\be_\br_\bs file is parsed in a single pass, order
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules
+
+
+
+1.6.9p6 October 9, 2007 18
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
/usr/sbin/restore, /usr/sbin/rrestore
/usr/local/bin/tcsh, /usr/bin/rsh, \
/usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
+ Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
Here we override some of the compiled in default values.
We want s\bsu\bud\bdo\bo to log via _\bs_\by_\bs_\bl_\bo_\bg(3) using the _\ba_\bu_\bt_\bh facility
in all cases. We don't want to subject the full time
staff to the s\bsu\bud\bdo\bo lecture, user m\bmi\bil\bll\ble\ber\brt\bt need not give a
- password, and we don't want to reset the LOGNAME or USER
-
-
-
-1.6.8p9 June, 20 2005 18
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- environment variables when running commands as root.
- Additionally, on the machines in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias,
- we keep an additional local log file and make sure we log
- the year in each log line since the log entries will be
- kept around for several years.
+ password, and we don't want to reset the LOGNAME, USER or
+ USERNAME environment variables when running commands as
+ root. Additionally, on the machines in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS
+ Host_Alias, we keep an additional local log file and make
+ sure we log the year in each log line since the log
+ entries will be kept around for several years. Lastly, we
+ disable shell escapes for the commands in the PAGERS
+ Cmnd_Alias (_\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be, _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bp_\bg and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\be_\bs_\bs).
# Override built-in defaults
Defaults syslog=auth
Defaults:FULLTIMERS !lecture
Defaults:millert !authenticate
Defaults@SERVERS log_year, logfile=/var/log/sudo.log
+ Defaults!PAGERS noexec
The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually deter
mines who may run what.
any command on any host but they must authenticate them
selves first (since the entry lacks the NOPASSWD tag).
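Review bot: the new "Lastly" sentence says the `Defaults!PAGERS noexec` line disables shell escapes for more, pg and less, but the noexec text later in this patch only promises to stop native dynamically-linked executables from running other programs and states that statically-linked and emulated binaries are unaffected; say "enable noexec for the commands in the PAGERS Cmnd_Alias" (or "prevent them from executing other programs where noexec is supported") so the example does not overstate what the later section qualifies. Also, none of the Defaults lines quoted here corresponds to the LOGNAME, USER or USERNAME sentence; if the option implementing it sits outside this hunk, check that its description was updated to list USERNAME as well so prose and example agree.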
+
+
+1.6.9p6 October 9, 2007 19
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
jack CSNETS = ALL
The user j\bja\bac\bck\bk may run any command on the machines in the
killing processes, the printing system, shutting down the
system, and any commands in the directory _\b/_\bu_\bs_\br_\b/_\bo_\bp_\be_\br_\b/_\bb_\bi_\bn_\b/.
-
-
-1.6.8p9 June, 20 2005 19
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
joe ALL = /usr/bin/su operator
The user j\bjo\boe\be may only _\bs_\bu(1) to operator.
jim +biglab = ALL
The user j\bji\bim\bm may run any command on machines in the _\bb_\bi_\bg_\bl_\ba_\bb
- netgroup. S\bSu\bud\bdo\bo knows that "biglab" is a netgroup due to
+ netgroup. s\bsu\bud\bdo\bo knows that "biglab" is a netgroup due to
the '+' prefix.
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
fred ALL = (DB) NOPASSWD: ALL
The user f\bfr\bre\bed\bd can run commands as any user in the _\bD_\bB
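Review bot: the added secretaries entry is the only example line in this section without an explanatory sentence; every neighbouring entry (jack, joe, jim, fred) is followed by one, so add a sentence stating that secretaries may run the commands in the PRINTING alias plus /usr/bin/adduser and /usr/bin/rmuser on any host. The added line also lacks the leading indentation that the other added example lines in this patch carry (Cmnd_Alias PAGERS, Defaults!PAGERS noexec, aaron shanty); confirm it is aligned with the jim and fred entries around it.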
+
+
+
+1.6.9p6 October 9, 2007 20
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
Runas_Alias (o\bor\bra\bac\bcl\ble\be or s\bsy\byb\bba\bas\bse\be) without giving a password.
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
jill SERVERS = /usr/bin/, !SU, !SHELLS
For any machine in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, j\bji\bil\bll\bl may run
- any commands in the directory /usr/bin/ except for those
+ any commands in the directory _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/ except for those
commands belonging to the _\bS_\bU and _\bS_\bH_\bE_\bL_\bL_\bS Cmnd_Aliases.
steve CSNETS = (operator) /usr/local/op_commands/
The user s\bst\bte\bev\bve\be may run any command in the directory
-
-
-
-1.6.8p9 June, 20 2005 20
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
/usr/local/op_commands/ but only as user operator.
matt valkyrie = KILL
bill ALL = ALL, !SU, !SHELLS
Doesn't really prevent b\bbi\bil\bll\bl from running the commands
- listed in _\bS_\bU or _\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those com
- mands to a different name, or use a shell escape from an
- editor or other program. Therefore, these kind of
+ listed in _\bS_\bU or _\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those
+
+
+
+1.6.9p6 October 9, 2007 21
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
+ commands to a different name, or use a shell escape from
+ an editor or other program. Therefore, these kind of
restrictions should be considered advisory at best (and
reinforced by policy).
whatever it pleases, including run other programs. This
can be a security issue since it is not uncommon for a
program to allow shell escapes, which lets a user bypass
- s\bsu\bud\bdo\bo's restrictions. Common programs that permit shell
- escapes include shells (obviously), editors, paginators,
- mail and terminal programs.
+ s\bsu\bud\bdo\bo's access control and logging. Common programs that
+ permit shell escapes include shells (obviously), editors,
+ paginators, mail and terminal programs.
- Many systems that support shared libraries have the abil
- ity to override default library functions by pointing an
- environment variable (usually LD_PRELOAD) to an alternate
- shared library. On such systems, s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc function
- ality can be used to prevent a program run by sudo from
- executing any other programs. Note, however, that this
- applies only to native dynamically-linked executables.
- Statically-linked executables and foreign executables
+ There are two basic approaches to this problem:
+ restrict Avoid giving users access to commands that allow
+ the user to run arbitrary commands. Many edi
+ tors have a restricted mode where shell escapes
+ are disabled, though s\bsu\bud\bdo\boe\bed\bdi\bit\bt is a better solu
+ tion to running editors via s\bsu\bud\bdo\bo. Due to the
+ large number of programs that offer shell
+ escapes, restricting users to the set of pro
+ grams that do not if often unworkable.
+ noexec Many systems that support shared libraries have
+ the ability to override default library func
+ tions by pointing an environment variable (usu
+ ally LD_PRELOAD) to an alternate shared library.
+ On such systems, s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality can
+ be used to prevent a program run by s\bsu\bud\bdo\bo from
+ executing any other programs. Note, however,
+ that this applies only to native dynamically-
+ linked executables. Statically-linked executa
+ bles and foreign executables running under
+ binary emulation are not affected.
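Review bot: two wording errors in the new restrict/noexec text: "restricting users to the set of programs that do not if often unworkable" should read "is often unworkable", and "these kind of restrictions" (in the bill example above) should be "these kinds of restrictions" or "this kind of restriction". Since the restrict paragraph and the noexec paragraph are presented as the two approaches, it would help the reader to state explicitly that they can be combined, as the Defaults!PAGERS noexec example earlier in the patch does for the pagers case.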
-1.6.8p9 June, 20 2005 21
+ To tell whether or not s\bsu\bud\bdo\bo supports _\bn_\bo_\be_\bx_\be_\bc, you
+ can run the following as root:
+ sudo -V | grep "dummy exec"
+ If the resulting output contains a line that
+ begins with:
+ File containing dummy exec functions:
+
+ then s\bsu\bud\bdo\bo may be able to replace the exec family
+ of functions in the standard library with its
+ own that simply return an error. Unfortunately,
+ there is no foolproof way to know whether or not
+ _\bn_\bo_\be_\bx_\be_\bc will work at compile-time. _\bn_\bo_\be_\bx_\be_\bc should
+ work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64
+ UNIX, MacOS X, and HP-UX 11.x. It is known n\bno\bot\bt
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+1.6.9p6 October 9, 2007 22
- running under binary emulation are not affected.
- To tell whether or not s\bsu\bud\bdo\bo supports _\bn_\bo_\be_\bx_\be_\bc, you can run
- the following as root:
- sudo -V | grep "dummy exec"
- If the resulting output contains a line that begins with:
- File containing dummy exec functions:
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- then s\bsu\bud\bdo\bo may be able to replace the exec family of func
- tions in the standard library with its own that simply
- return an error. Unfortunately, there is no foolproof way
- to know whether or not _\bn_\bo_\be_\bx_\be_\bc will work at compile-time.
- _\bN_\bo_\be_\bx_\be_\bc should work on SunOS, Solaris, *BSD, Linux, IRIX,
- Tru64 UNIX, MacOS X, and HP-UX 11.x. It is known n\bno\bot\bt to
- work on AIX and UnixWare. _\bN_\bo_\be_\bx_\be_\bc is expected to work on
- most operating systems that support the LD_PRELOAD envi
- ronment variable. Check your operating system's manual
- pages for the dynamic linker (usually ld.so, ld.so.1,
- dyld, dld.sl, rld, or loader) to see if LD_PRELOAD is sup
- ported.
- To enable _\bn_\bo_\be_\bx_\be_\bc for a command, use the NOEXEC tag as doc
- umented in the User Specification section above. Here is
- that example again:
+ to work on AIX and UnixWare. _\bn_\bo_\be_\bx_\be_\bc is expected
+ to work on most operating systems that support
+ the LD_PRELOAD environment variable. Check your
+ operating system's manual pages for the dynamic
+ linker (usually ld.so, ld.so.1, dyld, dld.sl,
+ rld, or loader) to see if LD_PRELOAD is sup
+ ported.
- aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+ To enable _\bn_\bo_\be_\bx_\be_\bc for a command, use the NOEXEC
+ tag as documented in the User Specification sec
+ tion above. Here is that example again:
- This allows user a\baa\bar\bro\bon\bn to run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and
- _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi with _\bn_\bo_\be_\bx_\be_\bc enabled. This will prevent those
- two commands from executing other commands (such as a
- shell). If you are unsure whether or not your system is
- capable of supporting _\bn_\bo_\be_\bx_\be_\bc you can always just try it
- out and see if it works.
+ aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
- Note that disabling shell escapes is not a panacea. Pro
- grams running as root are still capable of many poten
+ This allows user a\baa\bar\bro\bon\bn to run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and
+ _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi with _\bn_\bo_\be_\bx_\be_\bc enabled. This will pre
+ vent those two commands from executing other
+ commands (such as a shell). If you are unsure
+ whether or not your system is capable of sup
+ porting _\bn_\bo_\be_\bx_\be_\bc you can always just try it out
+ and see if it works.
+
+ Note that restricting shell escapes is not a panacea.
+ Programs running as root are still capable of many poten
tially hazardous operations (such as changing or overwrit
ing files) that could lead to unintended privilege escala
tion. In the specific case of an editor, a safer approach
is to give the user permission to run s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\br_\bs_\bh(1), _\bs_\bu(1), _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3), sudo(1m), visudo(1m)
+ _\br_\bs_\bh(1), _\bs_\bu(1), _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3), _\bs_\bu_\bd_\bo(1m), _\bv_\bi_\bs_\bu_\bd_\bo(8)
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
The _\bs_\bu_\bd_\bo_\be_\br_\bs file should a\bal\blw\bwa\bay\bys\bs be edited by the v\bvi\bis\bsu\bud\bdo\bo
errors since s\bsu\bud\bdo\bo will not run with a syntactically incor
rect _\bs_\bu_\bd_\bo_\be_\br_\bs file.
-
-
-
-1.6.8p9 June, 20 2005 22
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
When using netgroups of machines (as opposed to users), if
you store fully qualified hostnames in the netgroup (as is
usually the case), you either need to have the machine's
bug report at http://www.sudo.ws/sudo/bugs/
S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Commercial support is available for s\bsu\bud\bdo\bo, see
- http://www.sudo.ws/sudo/support.html for details.
-
Limited free support is available via the sudo-users mail
ing list, see http://www.sudo.ws/mail
man/listinfo/sudo-users to subscribe or search the
archives.
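Review bot: with the commercial-support paragraph removed, the remaining mailing-list paragraph still has its URL broken across lines ("http://www.sudo.ws/mail" / "man/listinfo/sudo-users"), which a reader will copy incorrectly; since this hunk already edits the section, put the URL on its own line or otherwise stop the formatter from breaking it.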
+
+
+1.6.9p6 October 9, 2007 23
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- S\bSu\bud\bdo\bo is provided ``AS IS'' and any express or implied war
+ s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied war
ranties, including, but not limited to, the implied war
ranties of merchantability and fitness for a particular
purpose are disclaimed. See the LICENSE file distributed
-1.6.8p9 June, 20 2005 23
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+1.6.9p6 October 9, 2007 24