+++ /dev/null
-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2010
-.\" Todd C. Miller <Todd.Miller@courtesan.com>
-.\"
-.\" Permission to use, copy, modify, and distribute this software for any
-.\" purpose with or without fee is hereby granted, provided that the above
-.\" copyright notice and this permission notice appear in all copies.
-.\"
-.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" Sponsored in part by the Defense Advanced Research Projects
-.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
-.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
-.\"
-.nr SL @SEMAN@
-.nr BA @BAMAN@
-.nr LC @LCMAN@
-.\"
-.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
-.\"
-.\" Standard preamble:
-.\" ========================================================================
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C`
-. ds C'
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" Escape single quotes in literal strings from groff's Unicode transform.
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
-.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
-.\" entries marked with X<> in POD. Of course, you'll have to process the
-.\" output yourself in some meaningful fashion.
-.ie \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.el \{\
-. de IX
-..
-.\}
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ========================================================================
-.\"
-.IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "July 21, 2010" "1.7.4" "MAINTENANCE COMMANDS"
-.\" For nroff, turn off justification. Always turn off hyphenation; it makes
-.\" way too many mistakes in technical documents.
-.if n .ad l
-.nh
-.SH "NAME"
-sudoers \- list of which users may execute what
-.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The \fIsudoers\fR file is composed of two types of entries: aliases
-(basically variables) and user specifications (which specify who
-may run what).
-.PP
-When multiple entries match for a user, they are applied in order.
-Where there are multiple matches, the last match is used (which is
-not necessarily the most specific match).
-.PP
-The \fIsudoers\fR grammar will be described below in Extended Backus-Naur
-Form (\s-1EBNF\s0). Don't despair if you don't know what \s-1EBNF\s0 is; it is
-fairly simple, and the definitions below are annotated.
-.SS "Quick guide to \s-1EBNF\s0"
-.IX Subsection "Quick guide to EBNF"
-\&\s-1EBNF\s0 is a concise and exact way of describing the grammar of a language.
-Each \s-1EBNF\s0 definition is made up of \fIproduction rules\fR. E.g.,
-.PP
-.Vb 1
-\& symbol ::= definition | alternate1 | alternate2 ...
-.Ve
-.PP
-Each \fIproduction rule\fR references others and thus makes up a
-grammar for the language. \s-1EBNF\s0 also contains the following
-operators, which many readers will recognize from regular
-expressions. Do not, however, confuse them with \*(L"wildcard\*(R"
-characters, which have different meanings.
-.ie n .IP "\*(C`?\*(C'" 4
-.el .IP "\f(CW\*(C`?\*(C'\fR" 4
-.IX Item "?"
-Means that the preceding symbol (or group of symbols) is optional.
-That is, it may appear once or not at all.
-.ie n .IP "\*(C`*\*(C'" 4
-.el .IP "\f(CW\*(C`*\*(C'\fR" 4
-.IX Item "*"
-Means that the preceding symbol (or group of symbols) may appear
-zero or more times.
-.ie n .IP "\*(C`+\*(C'" 4
-.el .IP "\f(CW\*(C`+\*(C'\fR" 4
-.IX Item "+"
-Means that the preceding symbol (or group of symbols) may appear
-one or more times.
-.PP
-Parentheses may be used to group symbols together. For clarity,
-we will use single quotes ('') to designate what is a verbatim character
-string (as opposed to a symbol name).
-.SS "Aliases"
-.IX Subsection "Aliases"
-There are four kinds of aliases: \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR,
-\&\f(CW\*(C`Host_Alias\*(C'\fR and \f(CW\*(C`Cmnd_Alias\*(C'\fR.
-.PP
-.Vb 4
-\& Alias ::= \*(AqUser_Alias\*(Aq User_Alias (\*(Aq:\*(Aq User_Alias)* |
-\& \*(AqRunas_Alias\*(Aq Runas_Alias (\*(Aq:\*(Aq Runas_Alias)* |
-\& \*(AqHost_Alias\*(Aq Host_Alias (\*(Aq:\*(Aq Host_Alias)* |
-\& \*(AqCmnd_Alias\*(Aq Cmnd_Alias (\*(Aq:\*(Aq Cmnd_Alias)*
-\&
-\& User_Alias ::= NAME \*(Aq=\*(Aq User_List
-\&
-\& Runas_Alias ::= NAME \*(Aq=\*(Aq Runas_List
-\&
-\& Host_Alias ::= NAME \*(Aq=\*(Aq Host_List
-\&
-\& Cmnd_Alias ::= NAME \*(Aq=\*(Aq Cmnd_List
-\&
-\& NAME ::= [A\-Z]([A\-Z][0\-9]_)*
-.Ve
-.PP
-Each \fIalias\fR definition is of the form
-.PP
-.Vb 1
-\& Alias_Type NAME = item1, item2, ...
-.Ve
-.PP
-where \fIAlias_Type\fR is one of \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, \f(CW\*(C`Host_Alias\*(C'\fR,
-or \f(CW\*(C`Cmnd_Alias\*(C'\fR. A \f(CW\*(C`NAME\*(C'\fR is a string of uppercase letters, numbers,
-and underscore characters ('_'). A \f(CW\*(C`NAME\*(C'\fR \fBmust\fR start with an
-uppercase letter. It is possible to put several alias definitions
-of the same type on a single line, joined by a colon (':'). E.g.,
-.PP
-.Vb 1
-\& Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
-.Ve
-.PP
-The definitions of what constitutes a valid \fIalias\fR member follow.
-.PP
-.Vb 2
-\& User_List ::= User |
-\& User \*(Aq,\*(Aq User_List
-\&
-\& User ::= \*(Aq!\*(Aq* user name |
-\& \*(Aq!\*(Aq* \*(Aq#\*(Aquid |
-\& \*(Aq!\*(Aq* \*(Aq%\*(Aqgroup |
-\& \*(Aq!\*(Aq* \*(Aq+\*(Aqnetgroup |
-\& \*(Aq!\*(Aq* \*(Aq%:\*(Aqnonunix_group |
-\& \*(Aq!\*(Aq* User_Alias
-.Ve
-.PP
-A \f(CW\*(C`User_List\*(C'\fR is made up of one or more user names, uids (prefixed
-with '#'), system groups (prefixed with '%'), netgroups (prefixed
-with '+') and \f(CW\*(C`User_Alias\*(C'\fRes. Each list item may be prefixed with
-zero or more '!' operators. An odd number of '!' operators negate
-the value of the item; an even number just cancel each other out.
-.PP
-A \f(CW\*(C`user name\*(C'\fR, \f(CW\*(C`group\*(C'\fR, \f(CW\*(C`netgroup\*(C'\fR or \f(CW\*(C`nonunix_group\*(C'\fR may
-be enclosed in double quotes to avoid the need for escaping special
-characters. Alternately, special characters may be specified in
-escaped hex mode, e.g. \ex20 for space.
-.PP
-The \f(CW\*(C`nonunix_group\*(C'\fR syntax depends on the underlying implementation.
-For instance, the \s-1QAS\s0 \s-1AD\s0 backend supports the following formats:
-.IP "\(bu" 4
-Group in the same domain: \*(L"Group Name\*(R"
-.IP "\(bu" 4
-Group in any domain: \*(L"Group Name@FULLY.QUALIFIED.DOMAIN\*(R"
-.IP "\(bu" 4
-Group \s-1SID:\s0 \*(L"S\-1\-2\-34\-5678901234\-5678901234\-5678901234\-567\*(R"
-.PP
-Note that quotes around group names are optional. Unquoted strings must
-use a backslash (\e) to escape spaces and the '@' symbol.
-.PP
-.Vb 2
-\& Runas_List ::= Runas_Member |
-\& Runas_Member \*(Aq,\*(Aq Runas_List
-\&
-\& Runas_Member ::= \*(Aq!\*(Aq* user name |
-\& \*(Aq!\*(Aq* \*(Aq#\*(Aquid |
-\& \*(Aq!\*(Aq* \*(Aq%\*(Aqgroup |
-\& \*(Aq!\*(Aq* +netgroup |
-\& \*(Aq!\*(Aq* Runas_Alias
-.Ve
-.PP
-A \f(CW\*(C`Runas_List\*(C'\fR is similar to a \f(CW\*(C`User_List\*(C'\fR except that instead
-of \f(CW\*(C`User_Alias\*(C'\fRes it can contain \f(CW\*(C`Runas_Alias\*(C'\fRes. Note that
-user names and groups are matched as strings. In other words, two
-users (groups) with the same uid (gid) are considered to be distinct.
-If you wish to match all user names with the same uid (e.g.\ root
-and toor), you can use a uid instead (#0 in the example given).
-.PP
-.Vb 2
-\& Host_List ::= Host |
-\& Host \*(Aq,\*(Aq Host_List
-\&
-\& Host ::= \*(Aq!\*(Aq* host name |
-\& \*(Aq!\*(Aq* ip_addr |
-\& \*(Aq!\*(Aq* network(/netmask)? |
-\& \*(Aq!\*(Aq* \*(Aq+\*(Aqnetgroup |
-\& \*(Aq!\*(Aq* Host_Alias
-.Ve
-.PP
-A \f(CW\*(C`Host_List\*(C'\fR is made up of one or more host names, \s-1IP\s0 addresses,
-network numbers, netgroups (prefixed with '+') and other aliases.
-Again, the value of an item may be negated with the '!' operator.
-If you do not specify a netmask along with the network number,
-\&\fBsudo\fR will query each of the local host's network interfaces and,
-if the network number corresponds to one of the hosts's network
-interfaces, the corresponding netmask will be used. The netmask
-may be specified either in standard \s-1IP\s0 address notation
-(e.g.\ 255.255.255.0 or ffff:ffff:ffff:ffff::),
-or \s-1CIDR\s0 notation (number of bits, e.g.\ 24 or 64). A host name may
-include shell-style wildcards (see the Wildcards section below),
-but unless the \f(CW\*(C`host name\*(C'\fR command on your machine returns the fully
-qualified host name, you'll need to use the \fIfqdn\fR option for
-wildcards to be useful. Note \fBsudo\fR only inspects actual network
-interfaces; this means that \s-1IP\s0 address 127.0.0.1 (localhost) will
-never match. Also, the host name \*(L"localhost\*(R" will only match if
-that is the actual host name, which is usually only the case for
-non-networked systems.
-.PP
-.Vb 2
-\& Cmnd_List ::= Cmnd |
-\& Cmnd \*(Aq,\*(Aq Cmnd_List
-\&
-\& commandname ::= file name |
-\& file name args |
-\& file name \*(Aq""\*(Aq
-\&
-\& Cmnd ::= \*(Aq!\*(Aq* commandname |
-\& \*(Aq!\*(Aq* directory |
-\& \*(Aq!\*(Aq* "sudoedit" |
-\& \*(Aq!\*(Aq* Cmnd_Alias
-.Ve
-.PP
-A \f(CW\*(C`Cmnd_List\*(C'\fR is a list of one or more commandnames, directories, and other
-aliases. A commandname is a fully qualified file name which may include
-shell-style wildcards (see the Wildcards section below). A simple
-file name allows the user to run the command with any arguments he/she
-wishes. However, you may also specify command line arguments (including
-wildcards). Alternately, you can specify \f(CW""\fR to indicate that the command
-may only be run \fBwithout\fR command line arguments. A directory is a
-fully qualified path name ending in a '/'. When you specify a directory
-in a \f(CW\*(C`Cmnd_List\*(C'\fR, the user will be able to run any file within that directory
-(but not in any subdirectories therein).
-.PP
-If a \f(CW\*(C`Cmnd\*(C'\fR has associated command line arguments, then the arguments
-in the \f(CW\*(C`Cmnd\*(C'\fR must match exactly those given by the user on the command line
-(or match the wildcards if there are any). Note that the following
-characters must be escaped with a '\e' if they are used in command
-arguments: ',', ':', '=', '\e'. The special command \f(CW"sudoedit"\fR
-is used to permit a user to run \fBsudo\fR with the \fB\-e\fR option (or
-as \fBsudoedit\fR). It may take command line arguments just as
-a normal command does.
-.SS "Defaults"
-.IX Subsection "Defaults"
-Certain configuration options may be changed from their default
-values at runtime via one or more \f(CW\*(C`Default_Entry\*(C'\fR lines. These
-may affect all users on any host, all users on a specific host, a
-specific user, a specific command, or commands being run as a specific user.
-Note that per-command entries may not include command line arguments.
-If you need to specify arguments, define a \f(CW\*(C`Cmnd_Alias\*(C'\fR and reference
-that instead.
-.PP
-.Vb 5
-\& Default_Type ::= \*(AqDefaults\*(Aq |
-\& \*(AqDefaults\*(Aq \*(Aq@\*(Aq Host_List |
-\& \*(AqDefaults\*(Aq \*(Aq:\*(Aq User_List |
-\& \*(AqDefaults\*(Aq \*(Aq!\*(Aq Cmnd_List |
-\& \*(AqDefaults\*(Aq \*(Aq>\*(Aq Runas_List
-\&
-\& Default_Entry ::= Default_Type Parameter_List
-\&
-\& Parameter_List ::= Parameter |
-\& Parameter \*(Aq,\*(Aq Parameter_List
-\&
-\& Parameter ::= Parameter \*(Aq=\*(Aq Value |
-\& Parameter \*(Aq+=\*(Aq Value |
-\& Parameter \*(Aq\-=\*(Aq Value |
-\& \*(Aq!\*(Aq* Parameter
-.Ve
-.PP
-Parameters may be \fBflags\fR, \fBinteger\fR values, \fBstrings\fR, or \fBlists\fR.
-Flags are implicitly boolean and can be turned off via the '!'
-operator. Some integer, string and list parameters may also be
-used in a boolean context to disable them. Values may be enclosed
-in double quotes (\f(CW\*(C`"\*(C'\fR) when they contain multiple words. Special
-characters may be escaped with a backslash (\f(CW\*(C`\e\*(C'\fR).
-.PP
-Lists have two additional assignment operators, \f(CW\*(C`+=\*(C'\fR and \f(CW\*(C`\-=\*(C'\fR.
-These operators are used to add to and delete from a list respectively.
-It is not an error to use the \f(CW\*(C`\-=\*(C'\fR operator to remove an element
-that does not exist in a list.
-.PP
-Defaults entries are parsed in the following order: generic, host
-and user Defaults first, then runas Defaults and finally command
-defaults.
-.PP
-See \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" for a list of supported Defaults parameters.
-.SS "User Specification"
-.IX Subsection "User Specification"
-.Vb 2
-\& User_Spec ::= User_List Host_List \*(Aq=\*(Aq Cmnd_Spec_List \e
-\& (\*(Aq:\*(Aq Host_List \*(Aq=\*(Aq Cmnd_Spec_List)*
-\&
-\& Cmnd_Spec_List ::= Cmnd_Spec |
-\& Cmnd_Spec \*(Aq,\*(Aq Cmnd_Spec_List
-\&
-.ie \n(SL \& Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
-.el \& Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
-\&
-\& Runas_Spec ::= \*(Aq(\*(Aq Runas_List? (\*(Aq:\*(Aq Runas_List)? \*(Aq)\*(Aq
-\&
-.if \n(SL \{\
-\& SELinux_Spec ::= (\*(AqROLE=role\*(Aq | \*(AqTYPE=type\*(Aq)
-\&
-\}
-\& Tag_Spec ::= (\*(AqNOPASSWD:\*(Aq | \*(AqPASSWD:\*(Aq | \*(AqNOEXEC:\*(Aq | \*(AqEXEC:\*(Aq |
-\& \*(AqSETENV:\*(Aq | \*(AqNOSETENV:\*(Aq | \*(AqLOG_INPUT:\*(Aq | \*(AqNOLOG_INPUT:\*(Aq |
-\& \*(AqLOG_OUTPUT:\*(Aq | \*(AqNOLOG_OUTPUT:\*(Aq)
-.Ve
-.PP
-A \fBuser specification\fR determines which commands a user may run
-(and as what user) on specified hosts. By default, commands are
-run as \fBroot\fR, but this can be changed on a per-command basis.
-.PP
-The basic structure of a user specification is `who = where (as_whom)
-what'. Let's break that down into its constituent parts:
-.SS "Runas_Spec"
-.IX Subsection "Runas_Spec"
-A \f(CW\*(C`Runas_Spec\*(C'\fR determines the user and/or the group that a command
-may be run as. A fully-specified \f(CW\*(C`Runas_Spec\*(C'\fR consists of two
-\&\f(CW\*(C`Runas_List\*(C'\fRs (as defined above) separated by a colon (':') and
-enclosed in a set of parentheses. The first \f(CW\*(C`Runas_List\*(C'\fR indicates
-which users the command may be run as via \fBsudo\fR's \fB\-u\fR option.
-The second defines a list of groups that can be specified via
-\&\fBsudo\fR's \fB\-g\fR option. If both \f(CW\*(C`Runas_List\*(C'\fRs are specified, the
-command may be run with any combination of users and groups listed
-in their respective \f(CW\*(C`Runas_List\*(C'\fRs. If only the first is specified,
-the command may be run as any user in the list but no \fB\-g\fR option
-may be specified. If the first \f(CW\*(C`Runas_List\*(C'\fR is empty but the
-second is specified, the command may be run as the invoking user
-with the group set to any listed in the \f(CW\*(C`Runas_List\*(C'\fR. If no
-\&\f(CW\*(C`Runas_Spec\*(C'\fR is specified the command may be run as \fBroot\fR and
-no group may be specified.
-.PP
-A \f(CW\*(C`Runas_Spec\*(C'\fR sets the default for the commands that follow it.
-What this means is that for the entry:
-.PP
-.Vb 1
-\& dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
-.Ve
-.PP
-The user \fBdgb\fR may run \fI/bin/ls\fR, \fI/bin/kill\fR, and
-\&\fI/usr/bin/lprm\fR \*(-- but only as \fBoperator\fR. E.g.,
-.PP
-.Vb 1
-\& $ sudo \-u operator /bin/ls.
-.Ve
-.PP
-It is also possible to override a \f(CW\*(C`Runas_Spec\*(C'\fR later on in an
-entry. If we modify the entry like so:
-.PP
-.Vb 1
-\& dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
-.Ve
-.PP
-Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR,
-but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR.
-.PP
-We can extend this to allow \fBdgb\fR to run \f(CW\*(C`/bin/ls\*(C'\fR with either
-the user or group set to \fBoperator\fR:
-.PP
-.Vb 2
-\& dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \e
-\& /usr/bin/lprm
-.Ve
-.PP
-In the following example, user \fBtcm\fR may run commands that access
-a modem device file with the dialer group. Note that in this example
-only the group will be set, the command still runs as user \fBtcm\fR.
-.PP
-.Vb 2
-\& tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \e
-\& /usr/local/bin/minicom
-.Ve
-.if \n(SL \{\
-.SS "SELinux_Spec"
-.IX Subsection "SELinux_Spec"
-On systems with SELinux support, \fIsudoers\fR entries may optionally have
-an SELinux role and/or type associated with a command. If a role or
-type is specified with the command it will override any default values
-specified in \fIsudoers\fR. A role or type specified on the command line,
-however, will supercede the values in \fIsudoers\fR.
-\}
-.SS "Tag_Spec"
-.IX Subsection "Tag_Spec"
-A command may have zero or more tags associated with it. There are
-eight possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR,
-\&\f(CW\*(C`EXEC\*(C'\fR, \f(CW\*(C`SETENV\*(C'\fR, \f(CW\*(C`NOSETENV\*(C'\fR, \f(CW\*(C`LOG_INPUT\*(C'\fR, \f(CW\*(C`NOLOG_INPUT\*(C'\fR,
-\&\f(CW\*(C`LOG_OUTPUT\*(C'\fR and \f(CW\*(C`NOLOG_OUTPUT\*(C'\fR. Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR,
-subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless
-it is overridden by the opposite tag (i.e.: \f(CW\*(C`PASSWD\*(C'\fR overrides
-\&\f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOEXEC\*(C'\fR overrides \f(CW\*(C`EXEC\*(C'\fR).
-.PP
-\fI\s-1NOPASSWD\s0 and \s-1PASSWD\s0\fR
-.IX Subsection "NOPASSWD and PASSWD"
-.PP
-By default, \fBsudo\fR requires that a user authenticate him or herself
-before running a command. This behavior can be modified via the
-\&\f(CW\*(C`NOPASSWD\*(C'\fR tag. Like a \f(CW\*(C`Runas_Spec\*(C'\fR, the \f(CW\*(C`NOPASSWD\*(C'\fR tag sets
-a default for the commands that follow it in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR.
-Conversely, the \f(CW\*(C`PASSWD\*(C'\fR tag can be used to reverse things.
-For example:
-.PP
-.Vb 1
-\& ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
-.Ve
-.PP
-would allow the user \fBray\fR to run \fI/bin/kill\fR, \fI/bin/ls\fR, and
-\&\fI/usr/bin/lprm\fR as \fBroot\fR on the machine rushmore without
-authenticating himself. If we only want \fBray\fR to be able to
-run \fI/bin/kill\fR without a password the entry would be:
-.PP
-.Vb 1
-\& ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
-.Ve
-.PP
-Note, however, that the \f(CW\*(C`PASSWD\*(C'\fR tag has no effect on users who are
-in the group specified by the \fIexempt_group\fR option.
-.PP
-By default, if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is applied to any of the entries
-for a user on the current host, he or she will be able to run
-\&\f(CW\*(C`sudo \-l\*(C'\fR without a password. Additionally, a user may only run
-\&\f(CW\*(C`sudo \-v\*(C'\fR without a password if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is present
-for all a user's entries that pertain to the current host.
-This behavior may be overridden via the verifypw and listpw options.
-.PP
-\fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR
-.IX Subsection "NOEXEC and EXEC"
-.PP
-If \fBsudo\fR has been compiled with \fInoexec\fR support and the underlying
-operating system supports it, the \f(CW\*(C`NOEXEC\*(C'\fR tag can be used to prevent
-a dynamically-linked executable from running further commands itself.
-.PP
-In the following example, user \fBaaron\fR may run \fI/usr/bin/more\fR
-and \fI/usr/bin/vi\fR but shell escapes will be disabled.
-.PP
-.Vb 1
-\& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
-.Ve
-.PP
-See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details
-on how \f(CW\*(C`NOEXEC\*(C'\fR works and whether or not it will work on your system.
-.PP
-\fI\s-1SETENV\s0 and \s-1NOSETENV\s0\fR
-.IX Subsection "SETENV and NOSETENV"
-.PP
-These tags override the value of the \fIsetenv\fR option on a per-command
-basis. Note that if \f(CW\*(C`SETENV\*(C'\fR has been set for a command, any
-environment variables set on the command line way are not subject
-to the restrictions imposed by \fIenv_check\fR, \fIenv_delete\fR, or
-\&\fIenv_keep\fR. As such, only trusted users should be allowed to set
-variables in this manner. If the command matched is \fB\s-1ALL\s0\fR, the
-\&\f(CW\*(C`SETENV\*(C'\fR tag is implied for that command; this default may
-be overridden by use of the \f(CW\*(C`NOSETENV\*(C'\fR tag.
-.PP
-\fI\s-1LOG_INPUT\s0 and \s-1NOLOG_INPUT\s0\fR
-.IX Subsection "LOG_INPUT and NOLOG_INPUT"
-.PP
-These tags override the value of the \fIlog_input\fR option on a
-per-command basis. For more information, see the description of
-\&\fIlog_input\fR in the \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" section below.
-.PP
-\fI\s-1LOG_OUTPUT\s0 and \s-1NOLOG_OUTPUT\s0\fR
-.IX Subsection "LOG_OUTPUT and NOLOG_OUTPUT"
-.PP
-These tags override the value of the \fIlog_output\fR option on a
-per-command basis. For more information, see the description of
-\&\fIlog_output\fR in the \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" section below.
-.SS "Wildcards"
-.IX Subsection "Wildcards"
-\&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters)
-to be used in host names, path names and command line arguments in
-the \fIsudoers\fR file. Wildcard matching is done via the \fB\s-1POSIX\s0\fR
-\&\fIglob\fR\|(3) and \fIfnmatch\fR\|(3) routines. Note that these are \fInot\fR
-regular expressions.
-.ie n .IP "\*(C`*\*(C'" 8
-.el .IP "\f(CW\*(C`*\*(C'\fR" 8
-.IX Item "*"
-Matches any set of zero or more characters.
-.ie n .IP "\*(C`?\*(C'" 8
-.el .IP "\f(CW\*(C`?\*(C'\fR" 8
-.IX Item "?"
-Matches any single character.
-.ie n .IP "\*(C`[...]\*(C'" 8
-.el .IP "\f(CW\*(C`[...]\*(C'\fR" 8
-.IX Item "[...]"
-Matches any character in the specified range.
-.ie n .IP "\*(C`[!...]\*(C'" 8
-.el .IP "\f(CW\*(C`[!...]\*(C'\fR" 8
-.IX Item "[!...]"
-Matches any character \fBnot\fR in the specified range.
-.ie n .IP "\*(C`\ex\*(C'" 8
-.el .IP "\f(CW\*(C`\ex\*(C'\fR" 8
-.IX Item "x"
-For any character \*(L"x\*(R", evaluates to \*(L"x\*(R". This is used to
-escape special characters such as: \*(L"*\*(R", \*(L"?\*(R", \*(L"[\*(R", and \*(L"}\*(R".
-.PP
-\&\s-1POSIX\s0 character classes may also be used if your system's \fIglob\fR\|(3)
-and \fIfnmatch\fR\|(3) functions support them. However, because the
-\&\f(CW\*(Aq:\*(Aq\fR character has special meaning in \fIsudoers\fR, it must be
-escaped. For example:
-.PP
-.Vb 1
-\& /bin/ls [[\e:alpha\e:]]*
-.Ve
-.PP
-Would match any file name beginning with a letter.
-.PP
-Note that a forward slash ('/') will \fBnot\fR be matched by
-wildcards used in the path name. When matching the command
-line arguments, however, a slash \fBdoes\fR get matched by
-wildcards. This is to make a path like:
-.PP
-.Vb 1
-\& /usr/bin/*
-.Ve
-.PP
-match \fI/usr/bin/who\fR but not \fI/usr/bin/X11/xterm\fR.
-.SS "Exceptions to wildcard rules"
-.IX Subsection "Exceptions to wildcard rules"
-The following exceptions apply to the above rules:
-.ie n .IP """""" 8
-.el .IP "\f(CW``''\fR" 8
-.IX Item """"""
-If the empty string \f(CW""\fR is the only command line argument in the
-\&\fIsudoers\fR entry it means that command is not allowed to be run
-with \fBany\fR arguments.
-.SS "Including other files from within sudoers"
-.IX Subsection "Including other files from within sudoers"
-It is possible to include other \fIsudoers\fR files from within the
-\&\fIsudoers\fR file currently being parsed using the \f(CW\*(C`#include\*(C'\fR and
-\&\f(CW\*(C`#includedir\*(C'\fR directives.
-.PP
-This can be used, for example, to keep a site-wide \fIsudoers\fR file
-in addition to a local, per-machine file. For the sake of this
-example the site-wide \fIsudoers\fR will be \fI/etc/sudoers\fR and the
-per-machine one will be \fI/etc/sudoers.local\fR. To include
-\&\fI/etc/sudoers.local\fR from within \fI/etc/sudoers\fR we would use the
-following line in \fI/etc/sudoers\fR:
-.Sp
-.RS 4
-\&\f(CW\*(C`#include /etc/sudoers.local\*(C'\fR
-.RE
-.PP
-When \fBsudo\fR reaches this line it will suspend processing of the
-current file (\fI/etc/sudoers\fR) and switch to \fI/etc/sudoers.local\fR.
-Upon reaching the end of \fI/etc/sudoers.local\fR, the rest of
-\&\fI/etc/sudoers\fR will be processed. Files that are included may
-themselves include other files. A hard limit of 128 nested include
-files is enforced to prevent include file loops.
-.PP
-The file name may include the \f(CW%h\fR escape, signifying the short form
-of the host name. I.e., if the machine's host name is \*(L"xerxes\*(R", then
-.PP
-\&\f(CW\*(C`#include /etc/sudoers.%h\*(C'\fR
-.PP
-will cause \fBsudo\fR to include the file \fI/etc/sudoers.xerxes\fR.
-.PP
-The \f(CW\*(C`#includedir\*(C'\fR directive can be used to create a \fIsudo.d\fR
-directory that the system package manager can drop \fIsudoers\fR rules
-into as part of package installation. For example, given:
-.PP
-\&\f(CW\*(C`#includedir /etc/sudoers.d\*(C'\fR
-.PP
-\&\fBsudo\fR will read each file in \fI/etc/sudoers.d\fR, skipping file
-names that end in \f(CW\*(C`~\*(C'\fR or contain a \f(CW\*(C`.\*(C'\fR character to avoid causing
-problems with package manager or editor temporary/backup files.
-Files are parsed in sorted lexical order. That is,
-\&\fI/etc/sudoers.d/01_first\fR will be parsed before
-\&\fI/etc/sudoers.d/10_second\fR. Be aware that because the sorting is
-lexical, not numeric, \fI/etc/sudoers.d/1_whoops\fR would be loaded
-\&\fBafter\fR \fI/etc/sudoers.d/10_second\fR. Using a consistent number
-of leading zeroes in the file names can be used to avoid such
-problems.
-.PP
-Note that unlike files included via \f(CW\*(C`#include\*(C'\fR, \fBvisudo\fR will not
-edit the files in a \f(CW\*(C`#includedir\*(C'\fR directory unless one of them
-contains a syntax error. It is still possible to run \fBvisudo\fR
-with the \f(CW\*(C`\-f\*(C'\fR flag to edit the files directly.
-.SS "Other special characters and reserved words"
-.IX Subsection "Other special characters and reserved words"
-The pound sign ('#') is used to indicate a comment (unless it is
-part of a #include directive or unless it occurs in the context of
-a user name and is followed by one or more digits, in which case
-it is treated as a uid). Both the comment character and any text
-after it, up to the end of the line, are ignored.
-.PP
-The reserved word \fB\s-1ALL\s0\fR is a built-in \fIalias\fR that always causes
-a match to succeed. It can be used wherever one might otherwise
-use a \f(CW\*(C`Cmnd_Alias\*(C'\fR, \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, or \f(CW\*(C`Host_Alias\*(C'\fR.
-You should not try to define your own \fIalias\fR called \fB\s-1ALL\s0\fR as the
-built-in alias will be used in preference to your own. Please note
-that using \fB\s-1ALL\s0\fR can be dangerous since in a command context, it
-allows the user to run \fBany\fR command on the system.
-.PP
-An exclamation point ('!') can be used as a logical \fInot\fR operator
-both in an \fIalias\fR and in front of a \f(CW\*(C`Cmnd\*(C'\fR. This allows one to
-exclude certain values. Note, however, that using a \f(CW\*(C`!\*(C'\fR in
-conjunction with the built-in \f(CW\*(C`ALL\*(C'\fR alias to allow a user to
-run \*(L"all but a few\*(R" commands rarely works as intended (see \s-1SECURITY\s0
-\&\s-1NOTES\s0 below).
-.PP
-Long lines can be continued with a backslash ('\e') as the last
-character on the line.
-.PP
-Whitespace between elements in a list as well as special syntactic
-characters in a \fIUser Specification\fR ('=', ':', '(', ')') is optional.
-.PP
-The following characters must be escaped with a backslash ('\e') when
-used as part of a word (e.g.\ a user name or host name):
-\&'@', '!', '=', ':', ',', '(', ')', '\e'.
-.SH "SUDOERS OPTIONS"
-.IX Header "SUDOERS OPTIONS"
-\&\fBsudo\fR's behavior can be modified by \f(CW\*(C`Default_Entry\*(C'\fR lines, as
-explained earlier. A list of all supported Defaults parameters,
-grouped by type, are listed below.
-.PP
-\&\fBBoolean Flags\fR:
-.IP "always_set_home" 16
-.IX Item "always_set_home"
-If enabled, \fBsudo\fR will set the \f(CW\*(C`HOME\*(C'\fR environment variable to the
-home directory of the target user (which is root unless the \fB\-u\fR
-option is used). This effectively means that the \fB\-H\fR option is
-always implied. Note that \f(CW\*(C`HOME\*(C'\fR is already set when the the
-\&\fIenv_reset\fR option is enabled, so \fIalways_set_home\fR is only
-effective for configurations where \fIenv_reset\fR is disabled.
-This flag is \fIoff\fR by default.
-.IP "authenticate" 16
-.IX Item "authenticate"
-If set, users must authenticate themselves via a password (or other
-means of authentication) before they may run commands. This default
-may be overridden via the \f(CW\*(C`PASSWD\*(C'\fR and \f(CW\*(C`NOPASSWD\*(C'\fR tags.
-This flag is \fIon\fR by default.
-.IP "closefrom_override" 16
-.IX Item "closefrom_override"
-If set, the user may use \fBsudo\fR's \fB\-C\fR option which
-overrides the default starting point at which \fBsudo\fR begins
-closing open file descriptors. This flag is \fIoff\fR by default.
-.IP "compress_io" 16
-.IX Item "compress_io"
-If set, and \fBsudo\fR is configured to log a command's input or output,
-the I/O logs will be compressed using \fBzlib\fR. This flag is \fIon\fR
-by default when \fBsudo\fR is compiled with \fBzlib\fR support.
-.IP "env_editor" 16
-.IX Item "env_editor"
-If set, \fBvisudo\fR will use the value of the \s-1EDITOR\s0 or \s-1VISUAL\s0
-environment variables before falling back on the default editor list.
-Note that this may create a security hole as it allows the user to
-run any arbitrary command as root without logging. A safer alternative
-is to place a colon-separated list of editors in the \f(CW\*(C`editor\*(C'\fR
-variable. \fBvisudo\fR will then only use the \s-1EDITOR\s0 or \s-1VISUAL\s0 if
-they match a value specified in \f(CW\*(C`editor\*(C'\fR. This flag is \fI@env_editor@\fR by
-default.
-.IP "env_reset" 16
-.IX Item "env_reset"
-If set, \fBsudo\fR will reset the environment to only contain the
-\&\s-1LOGNAME\s0, \s-1MAIL\s0, \s-1SHELL\s0, \s-1USER\s0, \s-1USERNAME\s0 and the \f(CW\*(C`SUDO_*\*(C'\fR variables. Any
-variables in the caller's environment that match the \f(CW\*(C`env_keep\*(C'\fR
-and \f(CW\*(C`env_check\*(C'\fR lists are then added. The default contents of the
-\&\f(CW\*(C`env_keep\*(C'\fR and \f(CW\*(C`env_check\*(C'\fR lists are displayed when \fBsudo\fR is
-run by root with the \fI\-V\fR option. If the \fIsecure_path\fR option
-is set, its value will be used for the \f(CW\*(C`PATH\*(C'\fR environment variable.
-This flag is \fIon\fR by default.
-.IP "fast_glob" 16
-.IX Item "fast_glob"
-Normally, \fBsudo\fR uses the \fIglob\fR\|(3) function to do shell-style
-globbing when matching path names. However, since it accesses the
-file system, \fIglob\fR\|(3) can take a long time to complete for some
-patterns, especially when the pattern references a network file
-system that is mounted on demand (automounted). The \fIfast_glob\fR
-option causes \fBsudo\fR to use the \fIfnmatch\fR\|(3) function, which does
-not access the file system to do its matching. The disadvantage
-of \fIfast_glob\fR is that it is unable to match relative path names
-such as \fI./ls\fR or \fI../bin/ls\fR. This has security implications
-when path names that include globbing characters are used with the
-negation operator, \f(CW\*(Aq!\*(Aq\fR, as such rules can be trivially bypassed.
-As such, this option should not be used when \fIsudoers\fR contains rules
-that contain negated path names which include globbing characters.
-This flag is \fIoff\fR by default.
-.IP "fqdn" 16
-.IX Item "fqdn"
-Set this flag if you want to put fully qualified host names in the
-\&\fIsudoers\fR file. I.e., instead of myhost you would use myhost.mydomain.edu.
-You may still use the short form if you wish (and even mix the two).
-Beware that turning on \fIfqdn\fR requires \fBsudo\fR to make \s-1DNS\s0 lookups
-which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example
-if the machine is not plugged into the network). Also note that
-you must use the host's official name as \s-1DNS\s0 knows it. That is,
-you may not use a host alias (\f(CW\*(C`CNAME\*(C'\fR entry) due to performance
-issues and the fact that there is no way to get all aliases from
-\&\s-1DNS\s0. If your machine's host name (as returned by the \f(CW\*(C`hostname\*(C'\fR
-command) is already fully qualified you shouldn't need to set
-\&\fIfqdn\fR. This flag is \fI@fqdn@\fR by default.
-.IP "ignore_dot" 16
-.IX Item "ignore_dot"
-If set, \fBsudo\fR will ignore '.' or '' (current dir) in the \f(CW\*(C`PATH\*(C'\fR
-environment variable; the \f(CW\*(C`PATH\*(C'\fR itself is not modified. This
-flag is \fI@ignore_dot@\fR by default.
-.IP "ignore_local_sudoers" 16
-.IX Item "ignore_local_sudoers"
-If set via \s-1LDAP\s0, parsing of \fI@sysconfdir@/sudoers\fR will be skipped.
-This is intended for Enterprises that wish to prevent the usage of local
-sudoers files so that only \s-1LDAP\s0 is used. This thwarts the efforts of
-rogue operators who would attempt to add roles to \fI@sysconfdir@/sudoers\fR.
-When this option is present, \fI@sysconfdir@/sudoers\fR does not even need to
-exist. Since this option tells \fBsudo\fR how to behave when no specific \s-1LDAP\s0
-entries have been matched, this sudoOption is only meaningful for the
-\&\f(CW\*(C`cn=defaults\*(C'\fR section. This flag is \fIoff\fR by default.
-.IP "insults" 16
-.IX Item "insults"
-If set, \fBsudo\fR will insult users when they enter an incorrect
-password. This flag is \fI@insults@\fR by default.
-.IP "log_host" 16
-.IX Item "log_host"
-If set, the host name will be logged in the (non-syslog) \fBsudo\fR log file.
-This flag is \fIoff\fR by default.
-.IP "log_year" 16
-.IX Item "log_year"
-If set, the four-digit year will be logged in the (non-syslog) \fBsudo\fR log file.
-This flag is \fIoff\fR by default.
-.IP "long_otp_prompt" 16
-.IX Item "long_otp_prompt"
-When validating with a One Time Password (\s-1OPT\s0) scheme such as
-\&\fBS/Key\fR or \fB\s-1OPIE\s0\fR, a two-line prompt is used to make it easier
-to cut and paste the challenge to a local window. It's not as
-pretty as the default but some people find it more convenient. This
-flag is \fI@long_otp_prompt@\fR by default.
-.IP "mail_always" 16
-.IX Item "mail_always"
-Send mail to the \fImailto\fR user every time a users runs \fBsudo\fR.
-This flag is \fIoff\fR by default.
-.IP "mail_badpass" 16
-.IX Item "mail_badpass"
-Send mail to the \fImailto\fR user if the user running \fBsudo\fR does not
-enter the correct password. This flag is \fIoff\fR by default.
-.IP "mail_no_host" 16
-.IX Item "mail_no_host"
-If set, mail will be sent to the \fImailto\fR user if the invoking
-user exists in the \fIsudoers\fR file, but is not allowed to run
-commands on the current host. This flag is \fI@mail_no_host@\fR by default.
-.IP "mail_no_perms" 16
-.IX Item "mail_no_perms"
-If set, mail will be sent to the \fImailto\fR user if the invoking
-user is allowed to use \fBsudo\fR but the command they are trying is not
-listed in their \fIsudoers\fR file entry or is explicitly denied.
-This flag is \fI@mail_no_perms@\fR by default.
-.IP "mail_no_user" 16
-.IX Item "mail_no_user"
-If set, mail will be sent to the \fImailto\fR user if the invoking
-user is not in the \fIsudoers\fR file. This flag is \fI@mail_no_user@\fR
-by default.
-.IP "noexec" 16
-.IX Item "noexec"
-If set, all commands run via \fBsudo\fR will behave as if the \f(CW\*(C`NOEXEC\*(C'\fR
-tag has been set, unless overridden by a \f(CW\*(C`EXEC\*(C'\fR tag. See the
-description of \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR below as well as the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0
-\&\s-1ESCAPES\s0\*(R" section at the end of this manual. This flag is \fIoff\fR by default.
-.IP "path_info" 16
-.IX Item "path_info"
-Normally, \fBsudo\fR will tell the user when a command could not be
-found in their \f(CW\*(C`PATH\*(C'\fR environment variable. Some sites may wish
-to disable this as it could be used to gather information on the
-location of executables that the normal user does not have access
-to. The disadvantage is that if the executable is simply not in
-the user's \f(CW\*(C`PATH\*(C'\fR, \fBsudo\fR will tell the user that they are not
-allowed to run it, which can be confusing. This flag is \fI@path_info@\fR
-by default.
-.IP "passprompt_override" 16
-.IX Item "passprompt_override"
-The password prompt specified by \fIpassprompt\fR will normally only
-be used if the password prompt provided by systems such as \s-1PAM\s0 matches
-the string \*(L"Password:\*(R". If \fIpassprompt_override\fR is set, \fIpassprompt\fR
-will always be used. This flag is \fIoff\fR by default.
-.IP "preserve_groups" 16
-.IX Item "preserve_groups"
-By default, \fBsudo\fR will initialize the group vector to the list of
-groups the target user is in. When \fIpreserve_groups\fR is set, the
-user's existing group vector is left unaltered. The real and
-effective group IDs, however, are still set to match the target
-user. This flag is \fIoff\fR by default.
-.IP "pwfeedback" 16
-.IX Item "pwfeedback"
-By default, \fBsudo\fR reads the password like most other Unix programs,
-by turning off echo until the user hits the return (or enter) key.
-Some users become confused by this as it appears to them that \fBsudo\fR
-has hung at this point. When \fIpwfeedback\fR is set, \fBsudo\fR will
-provide visual feedback when the user presses a key. Note that
-this does have a security impact as an onlooker may be able to
-determine the length of the password being entered.
-This flag is \fIoff\fR by default.
-.IP "requiretty" 16
-.IX Item "requiretty"
-If set, \fBsudo\fR will only run when the user is logged in to a real
-tty. When this flag is set, \fBsudo\fR can only be run from a login
-session and not via other means such as \fIcron\fR\|(@mansectsu@) or cgi-bin scripts.
-This flag is \fIoff\fR by default.
-.IP "root_sudo" 16
-.IX Item "root_sudo"
-If set, root is allowed to run \fBsudo\fR too. Disabling this prevents users
-from \*(L"chaining\*(R" \fBsudo\fR commands to get a root shell by doing something
-like \f(CW"sudo sudo /bin/sh"\fR. Note, however, that turning off \fIroot_sudo\fR
-will also prevent root from running \fBsudoedit\fR.
-Disabling \fIroot_sudo\fR provides no real additional security; it
-exists purely for historical reasons.
-This flag is \fI@root_sudo@\fR by default.
-.IP "rootpw" 16
-.IX Item "rootpw"
-If set, \fBsudo\fR will prompt for the root password instead of the password
-of the invoking user. This flag is \fIoff\fR by default.
-.IP "runaspw" 16
-.IX Item "runaspw"
-If set, \fBsudo\fR will prompt for the password of the user defined by the
-\&\fIrunas_default\fR option (defaults to \f(CW\*(C`@runas_default@\*(C'\fR) instead of the
-password of the invoking user. This flag is \fIoff\fR by default.
-.IP "set_home" 16
-.IX Item "set_home"
-If enabled and \fBsudo\fR is invoked with the \fB\-s\fR option the \f(CW\*(C`HOME\*(C'\fR
-environment variable will be set to the home directory of the target
-user (which is root unless the \fB\-u\fR option is used). This effectively
-makes the \fB\-s\fR option imply \fB\-H\fR. Note that \f(CW\*(C`HOME\*(C'\fR is already
-set when the the \fIenv_reset\fR option is enabled, so \fIset_home\fR is
-only effective for configurations where \fIenv_reset\fR is disabled.
-This flag is \fIoff\fR by default.
-.IP "set_logname" 16
-.IX Item "set_logname"
-Normally, \fBsudo\fR will set the \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR and \f(CW\*(C`USERNAME\*(C'\fR
-environment variables to the name of the target user (usually root
-unless the \fB\-u\fR option is given). However, since some programs
-(including the \s-1RCS\s0 revision control system) use \f(CW\*(C`LOGNAME\*(C'\fR to
-determine the real identity of the user, it may be desirable to
-change this behavior. This can be done by negating the set_logname
-option. Note that if the \fIenv_reset\fR option has not been disabled,
-entries in the \fIenv_keep\fR list will override the value of
-\&\fIset_logname\fR. This flag is \fIon\fR by default.
-.IP "setenv" 16
-.IX Item "setenv"
-Allow the user to disable the \fIenv_reset\fR option from the command
-line. Additionally, environment variables set via the command line
-are not subject to the restrictions imposed by \fIenv_check\fR,
-\&\fIenv_delete\fR, or \fIenv_keep\fR. As such, only trusted users should
-be allowed to set variables in this manner. This flag is \fIoff\fR
-by default.
-.IP "shell_noargs" 16
-.IX Item "shell_noargs"
-If set and \fBsudo\fR is invoked with no arguments it acts as if the
-\&\fB\-s\fR option had been given. That is, it runs a shell as root (the
-shell is determined by the \f(CW\*(C`SHELL\*(C'\fR environment variable if it is
-set, falling back on the shell listed in the invoking user's
-/etc/passwd entry if not). This flag is \fIoff\fR by default.
-.IP "stay_setuid" 16
-.IX Item "stay_setuid"
-Normally, when \fBsudo\fR executes a command the real and effective
-UIDs are set to the target user (root by default). This option
-changes that behavior such that the real \s-1UID\s0 is left as the invoking
-user's \s-1UID\s0. In other words, this makes \fBsudo\fR act as a setuid
-wrapper. This can be useful on systems that disable some potentially
-dangerous functionality when a program is run setuid. This option
-is only effective on systems with either the \fIsetreuid()\fR or \fIsetresuid()\fR
-function. This flag is \fIoff\fR by default.
-.IP "targetpw" 16
-.IX Item "targetpw"
-If set, \fBsudo\fR will prompt for the password of the user specified
-by the \fB\-u\fR option (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password
-of the invoking user. In addition, the timestamp file name will
-include the target user's name. Note that this flag precludes the
-use of a uid not listed in the passwd database as an argument to
-the \fB\-u\fR option. This flag is \fIoff\fR by default.
-.IP "log_input" 16
-.IX Item "log_input"
-If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
-user input.
-If the standard input is not connected to the user's tty, due to
-I/O redirection or because the command is part of a pipeline, that
-input is also captured and stored in a separate log file.
-.Sp
-Input is logged to the \fI/var/log/sudo\-io\fR directory using a unique
-session \s-1ID\s0 that is included in the normal \fBsudo\fR log line, prefixed
-with \fITSID=\fR.
-.IP "log_output" 16
-.IX Item "log_output"
-If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
-output that is sent to the screen, similar to the \fIscript\fR\|(1) command.
-If the standard output or standard error is not connected to the
-user's tty, due to I/O redirection or because the command is part
-of a pipeline, that output is also captured and stored in separate
-log files.
-.Sp
-Output is logged to the
-\&\fI/var/log/sudo\-io\fR directory using a unique session \s-1ID\s0 that is
-included in the normal \fBsudo\fR log line, prefixed with \fITSID=\fR.
-.Sp
-Output logs may be viewed with the \fIsudoreplay\fR\|(@mansectsu@) utility, which
-can also be used to list or search the available logs.
-.IP "tty_tickets" 16
-.IX Item "tty_tickets"
-If set, users must authenticate on a per-tty basis. With this flag
-enabled, \fBsudo\fR will use a file named for the tty the user is
-logged in on in the user's time stamp directory. If disabled, the
-time stamp of the directory is used instead. This flag is
-\&\fI@tty_tickets@\fR by default.
-.IP "umask_override" 16
-.IX Item "umask_override"
-If set, \fBsudo\fR will set the umask as specified by \fIsudoers\fR without
-modification. This makes it possible to specify a more permissive
-umask in \fIsudoers\fR than the user's own umask and matches historical
-behavior. If \fIumask_override\fR is not set, \fBsudo\fR will set the
-umask to be the union of the user's umask and what is specified in
-\&\fIsudoers\fR. This flag is \fIoff\fR by default.
-.if \n(LC \{\
-.IP "use_loginclass" 16
-.IX Item "use_loginclass"
-If set, \fBsudo\fR will apply the defaults specified for the target user's
-login class if one exists. Only available if \fBsudo\fR is configured with
-the \-\-with\-logincap option. This flag is \fIoff\fR by default.
-\}
-.IP "use_pty" 16
-.IX Item "use_pty"
-If set, \fBsudo\fR will run the command in a pseudo-pty even if no I/O
-logging is being gone. A malicious program run under \fBsudo\fR could
-conceivably fork a background process that retains to the user's
-terminal device after the main program has finished executing. Use
-of this option will make that impossible.
-.IP "visiblepw" 16
-.IX Item "visiblepw"
-By default, \fBsudo\fR will refuse to run if the user must enter a
-password but it is not possible to disable echo on the terminal.
-If the \fIvisiblepw\fR flag is set, \fBsudo\fR will prompt for a password
-even when it would be visible on the screen. This makes it possible
-to run things like \f(CW"rsh somehost sudo ls"\fR since \fIrsh\fR\|(1) does
-not allocate a tty. This flag is \fIoff\fR by default.
-.PP
-\&\fBIntegers\fR:
-.IP "closefrom" 16
-.IX Item "closefrom"
-Before it executes a command, \fBsudo\fR will close all open file
-descriptors other than standard input, standard output and standard
-error (ie: file descriptors 0\-2). The \fIclosefrom\fR option can be used
-to specify a different file descriptor at which to start closing.
-The default is \f(CW3\fR.
-.IP "passwd_tries" 16
-.IX Item "passwd_tries"
-The number of tries a user gets to enter his/her password before
-\&\fBsudo\fR logs the failure and exits. The default is \f(CW\*(C`@passwd_tries@\*(C'\fR.
-.PP
-\&\fBIntegers that can be used in a boolean context\fR:
-.IP "loglinelen" 16
-.IX Item "loglinelen"
-Number of characters per line for the file log. This value is used
-to decide when to wrap lines for nicer log files. This has no
-effect on the syslog log file, only the file log. The default is
-\&\f(CW\*(C`@loglen@\*(C'\fR (use 0 or negate the option to disable word wrap).
-.IP "passwd_timeout" 16
-.IX Item "passwd_timeout"
-Number of minutes before the \fBsudo\fR password prompt times out, or
-\&\f(CW0\fR for no timeout. The timeout may include a fractional component
-if minute granularity is insufficient, for example \f(CW2.5\fR. The
-default is \f(CW\*(C`@password_timeout@\*(C'\fR.
-.IP "timestamp_timeout" 16
-.IX Item "timestamp_timeout"
-Number of minutes that can elapse before \fBsudo\fR will ask for a
-passwd again. The timeout may include a fractional component if
-minute granularity is insufficient, for example \f(CW2.5\fR. The default
-is \f(CW\*(C`@timeout@\*(C'\fR. Set this to \f(CW0\fR to always prompt for a password.
-If set to a value less than \f(CW0\fR the user's timestamp will never
-expire. This can be used to allow users to create or delete their
-own timestamps via \f(CW\*(C`sudo \-v\*(C'\fR and \f(CW\*(C`sudo \-k\*(C'\fR respectively.
-.IP "umask" 16
-.IX Item "umask"
-Umask to use when running the command. Negate this option or set
-it to 0777 to preserve the user's umask. The actual umask that is
-used will be the union of the user's umask and \f(CW\*(C`@sudo_umask@\*(C'\fR.
-This guarantees that \fBsudo\fR never lowers the umask when running a
-command. Note on systems that use \s-1PAM\s0, the default \s-1PAM\s0 configuration
-may specify its own umask which will override the value set in
-\&\fIsudoers\fR.
-.PP
-\&\fBStrings\fR:
-.IP "badpass_message" 16
-.IX Item "badpass_message"
-Message that is displayed if a user enters an incorrect password.
-The default is \f(CW\*(C`@badpass_message@\*(C'\fR unless insults are enabled.
-.IP "editor" 16
-.IX Item "editor"
-A colon (':') separated list of editors allowed to be used with
-\&\fBvisudo\fR. \fBvisudo\fR will choose the editor that matches the user's
-\&\s-1EDITOR\s0 environment variable if possible, or the first editor in the
-list that exists and is executable. The default is \f(CW"@editor@"\fR.
-.IP "mailsub" 16
-.IX Item "mailsub"
-Subject of the mail sent to the \fImailto\fR user. The escape \f(CW%h\fR
-will expand to the host name of the machine.
-Default is \f(CW\*(C`@mailsub@\*(C'\fR.
-.IP "noexec_file" 16
-.IX Item "noexec_file"
-Path to a shared library containing dummy versions of the \fIexecv()\fR,
-\&\fIexecve()\fR and \fIfexecve()\fR library functions that just return an error.
-This is used to implement the \fInoexec\fR functionality on systems that
-support \f(CW\*(C`LD_PRELOAD\*(C'\fR or its equivalent. Defaults to \fI@noexec_file@\fR.
-.IP "passprompt" 16
-.IX Item "passprompt"
-The default prompt to use when asking for a password; can be overridden
-via the \fB\-p\fR option or the \f(CW\*(C`SUDO_PROMPT\*(C'\fR environment variable.
-The following percent (`\f(CW\*(C`%\*(C'\fR') escapes are supported:
-.RS 16
-.ie n .IP "%H" 4
-.el .IP "\f(CW%H\fR" 4
-.IX Item "%H"
-expanded to the local host name including the domain name
-(on if the machine's host name is fully qualified or the \fIfqdn\fR
-option is set)
-.ie n .IP "%h" 4
-.el .IP "\f(CW%h\fR" 4
-.IX Item "%h"
-expanded to the local host name without the domain name
-.ie n .IP "%p" 4
-.el .IP "\f(CW%p\fR" 4
-.IX Item "%p"
-expanded to the user whose password is being asked for (respects the
-\&\fIrootpw\fR, \fItargetpw\fR and \fIrunaspw\fR flags in \fIsudoers\fR)
-.ie n .IP "%U" 4
-.el .IP "\f(CW%U\fR" 4
-.IX Item "%U"
-expanded to the login name of the user the command will
-be run as (defaults to root)
-.ie n .IP "%u" 4
-.el .IP "\f(CW%u\fR" 4
-.IX Item "%u"
-expanded to the invoking user's login name
-.ie n .IP "\*(C`%%\*(C'" 4
-.el .IP "\f(CW\*(C`%%\*(C'\fR" 4
-.IX Item "%%"
-two consecutive \f(CW\*(C`%\*(C'\fR characters are collapsed into a single \f(CW\*(C`%\*(C'\fR character
-.RE
-.RS 16
-.Sp
-The default value is \f(CW\*(C`@passprompt@\*(C'\fR.
-.RE
-.if \n(SL \{\
-.IP "role" 16
-.IX Item "role"
-The default SELinux role to use when constructing a new security
-context to run the command. The default role may be overridden on
-a per-command basis in \fIsudoers\fR or via command line options.
-This option is only available whe \fBsudo\fR is built with SELinux support.
-\}
-.IP "runas_default" 16
-.IX Item "runas_default"
-The default user to run commands as if the \fB\-u\fR option is not specified
-on the command line. This defaults to \f(CW\*(C`@runas_default@\*(C'\fR.
-Note that if \fIrunas_default\fR is set it \fBmust\fR occur before
-any \f(CW\*(C`Runas_Alias\*(C'\fR specifications.
-.IP "syslog_badpri" 16
-.IX Item "syslog_badpri"
-Syslog priority to use when user authenticates unsuccessfully.
-Defaults to \f(CW\*(C`@badpri@\*(C'\fR.
-.IP "syslog_goodpri" 16
-.IX Item "syslog_goodpri"
-Syslog priority to use when user authenticates successfully.
-Defaults to \f(CW\*(C`@goodpri@\*(C'\fR.
-.IP "sudoers_locale" 16
-.IX Item "sudoers_locale"
-Locale to use when parsing the sudoers file. Note that changing
-the locale may affect how sudoers is interpreted.
-Defaults to \f(CW"C"\fR.
-.IP "timestampdir" 16
-.IX Item "timestampdir"
-The directory in which \fBsudo\fR stores its timestamp files.
-The default is \fI@timedir@\fR.
-.IP "timestampowner" 16
-.IX Item "timestampowner"
-The owner of the timestamp directory and the timestamps stored therein.
-The default is \f(CW\*(C`root\*(C'\fR.
-.if \n(SL \{\
-.IP "type" 16
-.IX Item "type"
-The default SELinux type to use when constructing a new security
-context to run the command. The default type may be overridden on
-a per-command basis in \fIsudoers\fR or via command line options.
-This option is only available whe \fBsudo\fR is built with SELinux support.
-\}
-.PP
-\&\fBStrings that can be used in a boolean context\fR:
-.IP "askpass" 12
-.IX Item "askpass"
-The \fIaskpass\fR option specifies the fully qualified path to a helper
-program used to read the user's password when no terminal is
-available. This may be the case when \fBsudo\fR is executed from a
-graphical (as opposed to text-based) application. The program
-specified by \fIaskpass\fR should display the argument passed to it
-as the prompt and write the user's password to the standard output.
-The value of \fIaskpass\fR may be overridden by the \f(CW\*(C`SUDO_ASKPASS\*(C'\fR
-environment variable.
-.IP "env_file" 12
-.IX Item "env_file"
-The \fIenv_file\fR options specifies the fully qualified path to a
-file containing variables to be set in the environment of the program
-being run. Entries in this file should either be of the form
-\&\f(CW\*(C`VARIABLE=value\*(C'\fR or \f(CW\*(C`export VARIABLE=value\*(C'\fR. The value may
-optionally be surrounded by single or double quotes. Variables in
-this file are subject to other \fBsudo\fR environment settings such
-as \fIenv_keep\fR and \fIenv_check\fR.
-.IP "exempt_group" 12
-.IX Item "exempt_group"
-Users in this group are exempt from password and \s-1PATH\s0 requirements.
-This is not set by default.
-.IP "lecture" 12
-.IX Item "lecture"
-This option controls when a short lecture will be printed along with
-the password prompt. It has the following possible values:
-.RS 12
-.IP "always" 8
-.IX Item "always"
-Always lecture the user.
-.IP "never" 8
-.IX Item "never"
-Never lecture the user.
-.IP "once" 8
-.IX Item "once"
-Only lecture the user the first time they run \fBsudo\fR.
-.RE
-.RS 12
-.Sp
-If no value is specified, a value of \fIonce\fR is implied.
-Negating the option results in a value of \fInever\fR being used.
-The default value is \fI@lecture@\fR.
-.RE
-.IP "lecture_file" 12
-.IX Item "lecture_file"
-Path to a file containing an alternate \fBsudo\fR lecture that will
-be used in place of the standard lecture if the named file exists.
-By default, \fBsudo\fR uses a built-in lecture.
-.IP "listpw" 12
-.IX Item "listpw"
-This option controls when a password will be required when a
-user runs \fBsudo\fR with the \fB\-l\fR option. It has the following possible values:
-.RS 12
-.IP "all" 8
-.IX Item "all"
-All the user's \fIsudoers\fR entries for the current host must have
-the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
-.IP "always" 8
-.IX Item "always"
-The user must always enter a password to use the \fB\-l\fR option.
-.IP "any" 8
-.IX Item "any"
-At least one of the user's \fIsudoers\fR entries for the current host
-must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
-.IP "never" 8
-.IX Item "never"
-The user need never enter a password to use the \fB\-l\fR option.
-.RE
-.RS 12
-.Sp
-If no value is specified, a value of \fIany\fR is implied.
-Negating the option results in a value of \fInever\fR being used.
-The default value is \fIany\fR.
-.RE
-.IP "logfile" 12
-.IX Item "logfile"
-Path to the \fBsudo\fR log file (not the syslog log file). Setting a path
-turns on logging to a file; negating this option turns it off.
-By default, \fBsudo\fR logs via syslog.
-.IP "mailerflags" 12
-.IX Item "mailerflags"
-Flags to use when invoking mailer. Defaults to \fB\-t\fR.
-.IP "mailerpath" 12
-.IX Item "mailerpath"
-Path to mail program used to send warning mail.
-Defaults to the path to sendmail found at configure time.
-.IP "mailfrom" 12
-.IX Item "mailfrom"
-Address to use for the \*(L"from\*(R" address when sending warning and error
-mail. The address should be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR) to
-protect against \fBsudo\fR interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to
-the name of the user running \fBsudo\fR.
-.IP "mailto" 12
-.IX Item "mailto"
-Address to send warning and error mail to. The address should
-be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR) to protect against \fBsudo\fR
-interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to \f(CW\*(C`@mailto@\*(C'\fR.
-.IP "secure_path" 12
-.IX Item "secure_path"
-Path used for every command run from \fBsudo\fR. If you don't trust the
-people running \fBsudo\fR to have a sane \f(CW\*(C`PATH\*(C'\fR environment variable you may
-want to use this. Another use is if you want to have the \*(L"root path\*(R"
-be separate from the \*(L"user path.\*(R" Users in the group specified by the
-\&\fIexempt_group\fR option are not affected by \fIsecure_path\fR.
-This option is @secure_path@ by default.
-.IP "syslog" 12
-.IX Item "syslog"
-Syslog facility if syslog is being used for logging (negate to
-disable syslog logging). Defaults to \f(CW\*(C`@logfac@\*(C'\fR.
-.IP "verifypw" 12
-.IX Item "verifypw"
-This option controls when a password will be required when a user runs
-\&\fBsudo\fR with the \fB\-v\fR option. It has the following possible values:
-.RS 12
-.IP "all" 8
-.IX Item "all"
-All the user's \fIsudoers\fR entries for the current host must have
-the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
-.IP "always" 8
-.IX Item "always"
-The user must always enter a password to use the \fB\-v\fR option.
-.IP "any" 8
-.IX Item "any"
-At least one of the user's \fIsudoers\fR entries for the current host
-must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
-.IP "never" 8
-.IX Item "never"
-The user need never enter a password to use the \fB\-v\fR option.
-.RE
-.RS 12
-.Sp
-If no value is specified, a value of \fIall\fR is implied.
-Negating the option results in a value of \fInever\fR being used.
-The default value is \fIall\fR.
-.RE
-.PP
-\&\fBLists that can be used in a boolean context\fR:
-.IP "env_check" 16
-.IX Item "env_check"
-Environment variables to be removed from the user's environment if
-the variable's value contains \f(CW\*(C`%\*(C'\fR or \f(CW\*(C`/\*(C'\fR characters. This can
-be used to guard against printf-style format vulnerabilities in
-poorly-written programs. The argument may be a double-quoted,
-space-separated list or a single value without double-quotes. The
-list can be replaced, added to, deleted from, or disabled by using
-the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators respectively. Regardless
-of whether the \f(CW\*(C`env_reset\*(C'\fR option is enabled or disabled, variables
-specified by \f(CW\*(C`env_check\*(C'\fR will be preserved in the environment if
-they pass the aforementioned check. The default list of environment
-variables to check is displayed when \fBsudo\fR is run by root with
-the \fI\-V\fR option.
-.IP "env_delete" 16
-.IX Item "env_delete"
-Environment variables to be removed from the user's environment
-when the \fIenv_reset\fR option is not in effect. The argument may
-be a double-quoted, space-separated list or a single value without
-double-quotes. The list can be replaced, added to, deleted from,
-or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators
-respectively. The default list of environment variables to remove
-is displayed when \fBsudo\fR is run by root with the \fI\-V\fR option.
-Note that many operating systems will remove potentially dangerous
-variables from the environment of any setuid process (such as
-\&\fBsudo\fR).
-.IP "env_keep" 16
-.IX Item "env_keep"
-Environment variables to be preserved in the user's environment
-when the \fIenv_reset\fR option is in effect. This allows fine-grained
-control over the environment \fBsudo\fR\-spawned processes will receive.
-The argument may be a double-quoted, space-separated list or a
-single value without double-quotes. The list can be replaced, added
-to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and
-\&\f(CW\*(C`!\*(C'\fR operators respectively. The default list of variables to keep
-is displayed when \fBsudo\fR is run by root with the \fI\-V\fR option.
-.PP
-When logging via \fIsyslog\fR\|(3), \fBsudo\fR accepts the following values
-for the syslog facility (the value of the \fBsyslog\fR Parameter):
-\&\fBauthpriv\fR (if your \s-1OS\s0 supports it), \fBauth\fR, \fBdaemon\fR, \fBuser\fR,
-\&\fBlocal0\fR, \fBlocal1\fR, \fBlocal2\fR, \fBlocal3\fR, \fBlocal4\fR, \fBlocal5\fR,
-\&\fBlocal6\fR, and \fBlocal7\fR. The following syslog priorities are
-supported: \fBalert\fR, \fBcrit\fR, \fBdebug\fR, \fBemerg\fR, \fBerr\fR, \fBinfo\fR,
-\&\fBnotice\fR, and \fBwarning\fR.
-.SH "FILES"
-.IX Header "FILES"
-.ie n .IP "\fI@sysconfdir@/sudoers\fR" 24
-.el .IP "\fI@sysconfdir@/sudoers\fR" 24
-.IX Item "@sysconfdir@/sudoers"
-List of who can run what
-.IP "\fI/etc/group\fR" 24
-.IX Item "/etc/group"
-Local groups file
-.IP "\fI/etc/netgroup\fR" 24
-.IX Item "/etc/netgroup"
-List of network groups
-.IP "\fI/var/log/sudo\-io\fR" 24
-.IX Item "/var/log/sudo-io"
-I/O log files
-.SH "EXAMPLES"
-.IX Header "EXAMPLES"
-Below are example \fIsudoers\fR entries. Admittedly, some of
-these are a bit contrived. First, we allow a few environment
-variables to pass and then define our \fIaliases\fR:
-.PP
-.Vb 4
-\& # Run X applications through sudo; HOME is used to find the
-\& # .Xauthority file. Note that other programs use HOME to find
-\& # configuration files and this may lead to privilege escalation!
-\& Defaults env_keep += "DISPLAY HOME"
-\&
-\& # User alias specification
-\& User_Alias FULLTIMERS = millert, mikef, dowdy
-\& User_Alias PARTTIMERS = bostley, jwfox, crawl
-\& User_Alias WEBMASTERS = will, wendy, wim
-\&
-\& # Runas alias specification
-\& Runas_Alias OP = root, operator
-\& Runas_Alias DB = oracle, sybase
-\& Runas_Alias ADMINGRP = adm, oper
-\&
-\& # Host alias specification
-\& Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
-\& SGI = grolsch, dandelion, black :\e
-\& ALPHA = widget, thalamus, foobar :\e
-\& HPPA = boa, nag, python
-\& Host_Alias CUNETS = 128.138.0.0/255.255.0.0
-\& Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
-\& Host_Alias SERVERS = master, mail, www, ns
-\& Host_Alias CDROM = orion, perseus, hercules
-\&
-\& # Cmnd alias specification
-\& Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
-\& /usr/sbin/restore, /usr/sbin/rrestore
-\& Cmnd_Alias KILL = /usr/bin/kill
-\& Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
-\& Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
-\& Cmnd_Alias HALT = /usr/sbin/halt
-\& Cmnd_Alias REBOOT = /usr/sbin/reboot
-\& Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \e
-\& /usr/local/bin/tcsh, /usr/bin/rsh, \e
-\& /usr/local/bin/zsh
-\& Cmnd_Alias SU = /usr/bin/su
-\& Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
-.Ve
-.PP
-Here we override some of the compiled in default values. We want
-\&\fBsudo\fR to log via \fIsyslog\fR\|(3) using the \fIauth\fR facility in all
-cases. We don't want to subject the full time staff to the \fBsudo\fR
-lecture, user \fBmillert\fR need not give a password, and we don't
-want to reset the \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR or \f(CW\*(C`USERNAME\*(C'\fR environment
-variables when running commands as root. Additionally, on the
-machines in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, we keep an additional
-local log file and make sure we log the year in each log line since
-the log entries will be kept around for several years. Lastly, we
-disable shell escapes for the commands in the \s-1PAGERS\s0 \f(CW\*(C`Cmnd_Alias\*(C'\fR
-(\fI/usr/bin/more\fR, \fI/usr/bin/pg\fR and \fI/usr/bin/less\fR).
-.PP
-.Vb 7
-\& # Override built\-in defaults
-\& Defaults syslog=auth
-\& Defaults>root !set_logname
-\& Defaults:FULLTIMERS !lecture
-\& Defaults:millert !authenticate
-\& Defaults@SERVERS log_year, logfile=/var/log/sudo.log
-\& Defaults!PAGERS noexec
-.Ve
-.PP
-The \fIUser specification\fR is the part that actually determines who may
-run what.
-.PP
-.Vb 2
-\& root ALL = (ALL) ALL
-\& %wheel ALL = (ALL) ALL
-.Ve
-.PP
-We let \fBroot\fR and any user in group \fBwheel\fR run any command on any
-host as any user.
-.PP
-.Vb 1
-\& FULLTIMERS ALL = NOPASSWD: ALL
-.Ve
-.PP
-Full time sysadmins (\fBmillert\fR, \fBmikef\fR, and \fBdowdy\fR) may run any
-command on any host without authenticating themselves.
-.PP
-.Vb 1
-\& PARTTIMERS ALL = ALL
-.Ve
-.PP
-Part time sysadmins (\fBbostley\fR, \fBjwfox\fR, and \fBcrawl\fR) may run any
-command on any host but they must authenticate themselves first
-(since the entry lacks the \f(CW\*(C`NOPASSWD\*(C'\fR tag).
-.PP
-.Vb 1
-\& jack CSNETS = ALL
-.Ve
-.PP
-The user \fBjack\fR may run any command on the machines in the \fI\s-1CSNETS\s0\fR alias
-(the networks \f(CW128.138.243.0\fR, \f(CW128.138.204.0\fR, and \f(CW128.138.242.0\fR).
-Of those networks, only \f(CW128.138.204.0\fR has an explicit netmask (in
-\&\s-1CIDR\s0 notation) indicating it is a class C network. For the other
-networks in \fI\s-1CSNETS\s0\fR, the local machine's netmask will be used
-during matching.
-.PP
-.Vb 1
-\& lisa CUNETS = ALL
-.Ve
-.PP
-The user \fBlisa\fR may run any command on any host in the \fI\s-1CUNETS\s0\fR alias
-(the class B network \f(CW128.138.0.0\fR).
-.PP
-.Vb 2
-\& operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e
-\& sudoedit /etc/printcap, /usr/oper/bin/
-.Ve
-.PP
-The \fBoperator\fR user may run commands limited to simple maintenance.
-Here, those are commands related to backups, killing processes, the
-printing system, shutting down the system, and any commands in the
-directory \fI/usr/oper/bin/\fR.
-.PP
-.Vb 1
-\& joe ALL = /usr/bin/su operator
-.Ve
-.PP
-The user \fBjoe\fR may only \fIsu\fR\|(1) to operator.
-.PP
-.Vb 1
-\& pete HPPA = /usr/bin/passwd [A\-Za\-z]*, !/usr/bin/passwd root
-\&
-\& %opers ALL = (: ADMINGRP) /usr/sbin/
-.Ve
-.PP
-Users in the \fBopers\fR group may run commands in \fI/usr/sbin/\fR as themselves
-with any group in the \fI\s-1ADMINGRP\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR (the \fBadm\fR and \fBoper\fR
-groups).
-.PP
-The user \fBpete\fR is allowed to change anyone's password except for
-root on the \fI\s-1HPPA\s0\fR machines. Note that this assumes \fIpasswd\fR\|(1)
-does not take multiple user names on the command line.
-.PP
-.Vb 1
-\& bob SPARC = (OP) ALL : SGI = (OP) ALL
-.Ve
-.PP
-The user \fBbob\fR may run anything on the \fI\s-1SPARC\s0\fR and \fI\s-1SGI\s0\fR machines
-as any user listed in the \fI\s-1OP\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR (\fBroot\fR and \fBoperator\fR).
-.PP
-.Vb 1
-\& jim +biglab = ALL
-.Ve
-.PP
-The user \fBjim\fR may run any command on machines in the \fIbiglab\fR netgroup.
-\&\fBsudo\fR knows that \*(L"biglab\*(R" is a netgroup due to the '+' prefix.
-.PP
-.Vb 1
-\& +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
-.Ve
-.PP
-Users in the \fBsecretaries\fR netgroup need to help manage the printers
-as well as add and remove users, so they are allowed to run those
-commands on all machines.
-.PP
-.Vb 1
-\& fred ALL = (DB) NOPASSWD: ALL
-.Ve
-.PP
-The user \fBfred\fR can run commands as any user in the \fI\s-1DB\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR
-(\fBoracle\fR or \fBsybase\fR) without giving a password.
-.PP
-.Vb 1
-\& john ALPHA = /usr/bin/su [!\-]*, !/usr/bin/su *root*
-.Ve
-.PP
-On the \fI\s-1ALPHA\s0\fR machines, user \fBjohn\fR may su to anyone except root
-but he is not allowed to specify any options to the \fIsu\fR\|(1) command.
-.PP
-.Vb 1
-\& jen ALL, !SERVERS = ALL
-.Ve
-.PP
-The user \fBjen\fR may run any command on any machine except for those
-in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR (master, mail, www and ns).
-.PP
-.Vb 1
-\& jill SERVERS = /usr/bin/, !SU, !SHELLS
-.Ve
-.PP
-For any machine in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, \fBjill\fR may run
-any commands in the directory \fI/usr/bin/\fR except for those commands
-belonging to the \fI\s-1SU\s0\fR and \fI\s-1SHELLS\s0\fR \f(CW\*(C`Cmnd_Aliases\*(C'\fR.
-.PP
-.Vb 1
-\& steve CSNETS = (operator) /usr/local/op_commands/
-.Ve
-.PP
-The user \fBsteve\fR may run any command in the directory /usr/local/op_commands/
-but only as user operator.
-.PP
-.Vb 1
-\& matt valkyrie = KILL
-.Ve
-.PP
-On his personal workstation, valkyrie, \fBmatt\fR needs to be able to
-kill hung processes.
-.PP
-.Vb 1
-\& WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
-.Ve
-.PP
-On the host www, any user in the \fI\s-1WEBMASTERS\s0\fR \f(CW\*(C`User_Alias\*(C'\fR (will,
-wendy, and wim), may run any command as user www (which owns the
-web pages) or simply \fIsu\fR\|(1) to www.
-.PP
-.Vb 2
-\& ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
-\& /sbin/mount \-o nosuid\e,nodev /dev/cd0a /CDROM
-.Ve
-.PP
-Any user may mount or unmount a CD-ROM on the machines in the \s-1CDROM\s0
-\&\f(CW\*(C`Host_Alias\*(C'\fR (orion, perseus, hercules) without entering a password.
-This is a bit tedious for users to type, so it is a prime candidate
-for encapsulating in a shell script.
-.SH "SECURITY NOTES"
-.IX Header "SECURITY NOTES"
-It is generally not effective to \*(L"subtract\*(R" commands from \f(CW\*(C`ALL\*(C'\fR
-using the '!' operator. A user can trivially circumvent this
-by copying the desired command to a different name and then
-executing that. For example:
-.PP
-.Vb 1
-\& bill ALL = ALL, !SU, !SHELLS
-.Ve
-.PP
-Doesn't really prevent \fBbill\fR from running the commands listed in
-\&\fI\s-1SU\s0\fR or \fI\s-1SHELLS\s0\fR since he can simply copy those commands to a
-different name, or use a shell escape from an editor or other
-program. Therefore, these kind of restrictions should be considered
-advisory at best (and reinforced by policy).
-.PP
-Furthermore, if the \fIfast_glob\fR option is in use, it is not possible
-to reliably negate commands where the path name includes globbing
-(aka wildcard) characters. This is because the C library's
-\&\fIfnmatch\fR\|(3) function cannot resolve relative paths. While this
-is typically only an inconvenience for rules that grant privileges,
-it can result in a security issue for rules that subtract or revoke
-privileges.
-.PP
-For example, given the following \fIsudoers\fR entry:
-.PP
-.Vb 2
-\& john ALL = /usr/bin/passwd [a\-zA\-Z0\-9]*, /usr/bin/chsh [a\-zA\-Z0\-9]*,
-\& /usr/bin/chfn [a\-zA\-Z0\-9]*, !/usr/bin/* root
-.Ve
-.PP
-User \fBjohn\fR can still run \f(CW\*(C`/usr/bin/passwd root\*(C'\fR if \fIfast_glob\fR is
-enabled by changing to \fI/usr/bin\fR and running \f(CW\*(C`./passwd root\*(C'\fR instead.
-.SH "PREVENTING SHELL ESCAPES"
-.IX Header "PREVENTING SHELL ESCAPES"
-Once \fBsudo\fR executes a program, that program is free to do whatever
-it pleases, including run other programs. This can be a security
-issue since it is not uncommon for a program to allow shell escapes,
-which lets a user bypass \fBsudo\fR's access control and logging.
-Common programs that permit shell escapes include shells (obviously),
-editors, paginators, mail and terminal programs.
-.PP
-There are two basic approaches to this problem:
-.IP "restrict" 10
-.IX Item "restrict"
-Avoid giving users access to commands that allow the user to run
-arbitrary commands. Many editors have a restricted mode where shell
-escapes are disabled, though \fBsudoedit\fR is a better solution to
-running editors via \fBsudo\fR. Due to the large number of programs that
-offer shell escapes, restricting users to the set of programs that
-do not if often unworkable.
-.IP "noexec" 10
-.IX Item "noexec"
-Many systems that support shared libraries have the ability to
-override default library functions by pointing an environment
-variable (usually \f(CW\*(C`LD_PRELOAD\*(C'\fR) to an alternate shared library.
-On such systems, \fBsudo\fR's \fInoexec\fR functionality can be used to
-prevent a program run by \fBsudo\fR from executing any other programs.
-Note, however, that this applies only to native dynamically-linked
-executables. Statically-linked executables and foreign executables
-running under binary emulation are not affected.
-.Sp
-To tell whether or not \fBsudo\fR supports \fInoexec\fR, you can run
-the following as root:
-.Sp
-.Vb 1
-\& sudo \-V | grep "dummy exec"
-.Ve
-.Sp
-If the resulting output contains a line that begins with:
-.Sp
-.Vb 1
-\& File containing dummy exec functions:
-.Ve
-.Sp
-then \fBsudo\fR may be able to replace the exec family of functions
-in the standard library with its own that simply return an error.
-Unfortunately, there is no foolproof way to know whether or not
-\&\fInoexec\fR will work at compile-time. \fInoexec\fR should work on
-SunOS, Solaris, *BSD, Linux, \s-1IRIX\s0, Tru64 \s-1UNIX\s0, MacOS X, and HP-UX
-11.x. It is known \fBnot\fR to work on \s-1AIX\s0 and UnixWare. \fInoexec\fR
-is expected to work on most operating systems that support the
-\&\f(CW\*(C`LD_PRELOAD\*(C'\fR environment variable. Check your operating system's
-manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld,
-dld.sl, rld, or loader) to see if \f(CW\*(C`LD_PRELOAD\*(C'\fR is supported.
-.Sp
-To enable \fInoexec\fR for a command, use the \f(CW\*(C`NOEXEC\*(C'\fR tag as documented
-in the User Specification section above. Here is that example again:
-.Sp
-.Vb 1
-\& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
-.Ve
-.Sp
-This allows user \fBaaron\fR to run \fI/usr/bin/more\fR and \fI/usr/bin/vi\fR
-with \fInoexec\fR enabled. This will prevent those two commands from
-executing other commands (such as a shell). If you are unsure
-whether or not your system is capable of supporting \fInoexec\fR you
-can always just try it out and see if it works.
-.PP
-Note that restricting shell escapes is not a panacea. Programs
-running as root are still capable of many potentially hazardous
-operations (such as changing or overwriting files) that could lead
-to unintended privilege escalation. In the specific case of an
-editor, a safer approach is to give the user permission to run
-\&\fBsudoedit\fR.
-.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), \fIglob\fR\|(3), \fIsudo\fR\|(@mansectsu@), \fIvisudo\fR\|(8)
-.SH "CAVEATS"
-.IX Header "CAVEATS"
-The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR
-command which locks the file and does grammatical checking. It is
-imperative that \fIsudoers\fR be free of syntax errors since \fBsudo\fR
-will not run with a syntactically incorrect \fIsudoers\fR file.
-.PP
-When using netgroups of machines (as opposed to users), if you
-store fully qualified host name in the netgroup (as is usually the
-case), you either need to have the machine's host name be fully qualified
-as returned by the \f(CW\*(C`hostname\*(C'\fR command or use the \fIfqdn\fR option in
-\&\fIsudoers\fR.
-.SH "BUGS"
-.IX Header "BUGS"
-If you feel you have found a bug in \fBsudo\fR, please submit a bug report
-at http://www.sudo.ws/sudo/bugs/
-.SH "SUPPORT"
-.IX Header "SUPPORT"
-Limited free support is available via the sudo-users mailing list,
-see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
-search the archives.
-.SH "DISCLAIMER"
-.IX Header "DISCLAIMER"
-\&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
-including, but not limited to, the implied warranties of merchantability
-and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
-file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
-for complete details.
projects / debian / sudo / blobdiff