-1.6.9p12 January 14, 2008 1
+1.6.9p14 February 19, 2008 1
-1.6.9p12 January 14, 2008 2
+1.6.9p14 February 19, 2008 2
-1.6.9p12 January 14, 2008 3
+1.6.9p14 February 19, 2008 3
-1.6.9p12 January 14, 2008 4
+1.6.9p14 February 19, 2008 4
-1.6.9p12 January 14, 2008 5
+1.6.9p14 February 19, 2008 5
-1.6.9p12 January 14, 2008 6
+1.6.9p14 February 19, 2008 6
-1.6.9p12 January 14, 2008 7
+1.6.9p14 February 19, 2008 7
-1.6.9p12 January 14, 2008 8
+1.6.9p14 February 19, 2008 8
s\bsu\bud\bdo\bo).
ignore_local_sudoers
- If set via LDAP, parsing of
- @sysconfdir@/sudoers will be skipped.
- This is intended for Enterprises that wish
- to prevent the usage of local sudoers
- files so that only LDAP is used. This
- thwarts the efforts of rogue operators who
- would attempt to add roles to
+ If set via LDAP, parsing of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs
+ will be skipped. This is intended for
+ Enterprises that wish to prevent the usage
+ of local sudoers files so that only LDAP
+ is used. This thwarts the efforts of
+ rogue operators who would attempt to add
+ roles to _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. When this option
-1.6.9p12 January 14, 2008 9
+1.6.9p14 February 19, 2008 9
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- @sysconfdir@/sudoers. When this option is
- present, @sysconfdir@/sudoers does not
- even need to exist. Since this option
- tells s\bsu\bud\bdo\bo how to behave when no specific
- LDAP entries have been matched, this
- sudoOption is only meaningful for the
- cn=defaults section. This flag is _\bo_\bf_\bf by
- default.
+ is present, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs does not even
+ need to exist. Since this option tells
+ s\bsu\bud\bdo\bo how to behave when no specific LDAP
+ entries have been matched, this sudoOption
+ is only meaningful for the cn=defaults
+ section. This flag is _\bo_\bf_\bf by default.
insults If set, s\bsu\bud\bdo\bo will insult users when they
enter an incorrect password. This flag is
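Review bot: The ignore_local_sudoers entry now hardcodes `/etc/sudoers` where the old text had the unexpanded placeholder `@sysconfdir@/sudoers`, which is wrong for any build whose sysconfdir is not /etc. A site that sets this option to guarantee the local file is never parsed needs the page to name the file the binary actually reads. Suggest having the build substitute the configured directory when the formatted page is generated, or adding a sentence that the location is fixed at configure time. The rest of the entry, including the note that the sudoOption is only meaningful in the cn=defaults section, is re-wrapped but not reworded.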
user if the invoking user is not in the
_\bs_\bu_\bd_\bo_\be_\br_\bs file. This flag is _\bo_\bn by default.
+ noexec If set, all commands run via s\bsu\bud\bdo\bo will
+ behave as if the NOEXEC tag has been set,
-1.6.9p12 January 14, 2008 10
+1.6.9p14 February 19, 2008 10
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- noexec If set, all commands run via s\bsu\bud\bdo\bo will
- behave as if the NOEXEC tag has been set,
unless overridden by a EXEC tag. See the
description of _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC below as
well as the "PREVENTING SHELL ESCAPES"
Note, however, that turning off _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo
will also prevent root and from running
s\bsu\bud\bdo\boe\bed\bdi\bit\bt. Disabling _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo provides no
+ real additional security; it exists purely
+ for historical reasons. This flag is _\bo_\bn
-1.6.9p12 January 14, 2008 11
+1.6.9p14 February 19, 2008 11
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- real additional security; it exists purely
- for historical reasons. This flag is _\bo_\bn
by default.
rootpw If set, s\bsu\bud\bdo\bo will prompt for the root
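Review bot: The unchanged context line `will also prevent root and from running` in the root_sudo entry has a stray "and" (or a word missing after it), and this hunk moves the following two lines across the page break without fixing it. Since the paragraph is being regenerated anyway, correct the sentence in the source the page is built from so the statement about root and sudoedit reads unambiguously.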
(the shell is determined by the SHELL
environment variable if it is set, falling
back on the shell listed in the invoking
+ user's /etc/passwd entry if not). This
+ flag is _\bo_\bf_\bf by default.
-1.6.9p12 January 14, 2008 12
+1.6.9p14 February 19, 2008 12
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- user's /etc/passwd entry if not). This
- flag is _\bo_\bf_\bf by default.
-
stay_setuid Normally, when s\bsu\bud\bdo\bo executes a command the
real and effective UIDs are set to the
target user (root by default). This
file log. The default is 80 (use 0 or
negate the option to disable word wrap).
+ passwd_timeout Number of minutes before the s\bsu\bud\bdo\bo password
+ prompt times out. The default is 5; set
+ this to 0 for no password timeout.
-1.6.9p12 January 14, 2008 13
+1.6.9p14 February 19, 2008 13
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- passwd_timeout Number of minutes before the s\bsu\bud\bdo\bo password
- prompt times out. The default is 5; set
- this to 0 for no password timeout.
-
timestamp_timeout
Number of minutes that can elapse before
s\bsu\bud\bdo\bo will ask for a passwd again. The
variable. The following percent (`%')
escapes are supported:
+ %H expanded to the local hostname includÂ
+ ing the domain name (on if the
+ machine's hostname is fully qualified
+
-1.6.9p12 January 14, 2008 14
+1.6.9p14 February 19, 2008 14
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- %H expanded to the local hostname includÂ
- ing the domain name (on if the
- machine's hostname is fully qualified
or the _\bf_\bq_\bd_\bn option is set)
%h expanded to the local hostname without
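Review bot: The re-added `%H` description still reads `ing the domain name (on if the`, where "on if" should be "only if". The lines are moved to the previous page verbatim, so the typo carries over into 1.6.9p14. Fix it in the source text so the condition (hostname fully qualified, or the fqdn option set) is stated correctly in the prompt-escape list.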
be printed along with the password prompt. It
has the following possible values:
+ always Always lecture the user.
-1.6.9p12 January 14, 2008 15
+1.6.9p14 February 19, 2008 15
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- always Always lecture the user.
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
never Never lecture the user.
mail. Defaults to the path to sendmail found
at configure time.
+ mailto Address to send warning and error mail to.
+ The address should be enclosed in double
-1.6.9p12 January 14, 2008 16
+1.6.9p14 February 19, 2008 16
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- mailto Address to send warning and error mail to.
- The address should be enclosed in double
quotes (") to protect against s\bsu\bud\bdo\bo interpretÂ
ing the @ sign. Defaults to root.
check is displayed when s\bsu\bud\bdo\bo is run by
root with the _\b-_\bV option.
+ env_delete Environment variables to be removed from
+ the user's environment. The argument may
-1.6.9p12 January 14, 2008 17
+1.6.9p14 February 19, 2008 17
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- env_delete Environment variables to be removed from
- the user's environment. The argument may
be a double-quoted, space-separated list
or a single value without double-quotes.
The list can be replaced, added to,
and w\bwa\bar\brn\bni\bin\bng\bg.
F\bFI\bIL\bLE\bES\bS
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
- _\b/_\be_\bt_\bc_\b/_\bg_\br_\bo_\bu_\bp Local groups file
- _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bg_\br_\bo_\bu_\bp List of network groups
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
+
+ _\b/_\be_\bt_\bc_\b/_\bg_\br_\bo_\bu_\bp Local groups file
+
+ _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bg_\br_\bo_\bu_\bp List of network groups
E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
Since the _\bs_\bu_\bd_\bo_\be_\br_\bs file is parsed in a single pass, order
-1.6.9p12 January 14, 2008 18
+1.6.9p14 February 19, 2008 18
-1.6.9p12 January 14, 2008 19
+1.6.9p14 February 19, 2008 19
-1.6.9p12 January 14, 2008 20
+1.6.9p14 February 19, 2008 20
-1.6.9p12 January 14, 2008 21
+1.6.9p14 February 19, 2008 21
-1.6.9p12 January 14, 2008 22
+1.6.9p14 February 19, 2008 22
-1.6.9p12 January 14, 2008 23
+1.6.9p14 February 19, 2008 23
-1.6.9p12 January 14, 2008 24
+1.6.9p14 February 19, 2008 24
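Review bot: The footer pairs for pages 18 to 24 here, like those for pages 1 to 17 above, change only the version and date string, and nearly every other hunk is a paragraph moved across a page boundary (noexec, passwd_timeout, %H, mailto, env_delete). That churn buries the only wording change in the patch, the `@sysconfdir@/sudoers` to `/etc/sudoers` substitution in ignore_local_sudoers. Suggest committing the regenerated formatted page separately from the wording change, or reviewing the diff of the source it is generated from, so a change to security-relevant option text is not lost among pagination noise.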