-.\" Copyright (c) 1994-1996, 1998-2005, 2007
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2008
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.\" $Sudo: sudoers.man.in,v 1.45.2.29 2008/06/22 20:29:03 millert Exp $
-.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
+.\" $Sudo: sudoers.man.in,v 1.74 2008/12/03 20:58:41 millert Exp $
+.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05)
.\"
.\" Standard preamble:
.\" ========================================================================
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to
-.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C'
-.\" expand to `' in nroff, nothing in troff, for use with C<>.
-.tr \(*W-|\(bv\*(Tr
+.\" double quote, and \*(R" will give a right double quote. \*(C+ will
+.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds R" ''
'br\}
.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
-.if \nF \{\
+.ie \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. nr % 0
. rr F
.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it makes
-.\" way too many mistakes in technical documents.
-.hy 0
-.if n .na
+.el \{\
+. de IX
+..
+.\}
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "Jun 21, 2008" "1.6.9p17" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "December 3, 2008" "1.7.0" "MAINTENANCE COMMANDS"
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
.SH "NAME"
sudoers \- list of which users may execute what
.SH "DESCRIPTION"
\&\f(CW\*(C`Host_Alias\*(C'\fR and \f(CW\*(C`Cmnd_Alias\*(C'\fR.
.PP
.Vb 4
-\& Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
-\& 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
-\& 'Host_Alias' Host_Alias (':' Host_Alias)* |
-\& 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
-.Ve
-.PP
-.Vb 1
-\& User_Alias ::= NAME '=' User_List
-.Ve
-.PP
-.Vb 1
-\& Runas_Alias ::= NAME '=' Runas_List
-.Ve
-.PP
-.Vb 1
-\& Host_Alias ::= NAME '=' Host_List
-.Ve
-.PP
-.Vb 1
-\& Cmnd_Alias ::= NAME '=' Cmnd_List
-.Ve
-.PP
-.Vb 1
-\& NAME ::= [A-Z]([A-Z][0-9]_)*
+\& Alias ::= \*(AqUser_Alias\*(Aq User_Alias (\*(Aq:\*(Aq User_Alias)* |
+\& \*(AqRunas_Alias\*(Aq Runas_Alias (\*(Aq:\*(Aq Runas_Alias)* |
+\& \*(AqHost_Alias\*(Aq Host_Alias (\*(Aq:\*(Aq Host_Alias)* |
+\& \*(AqCmnd_Alias\*(Aq Cmnd_Alias (\*(Aq:\*(Aq Cmnd_Alias)*
+\&
+\& User_Alias ::= NAME \*(Aq=\*(Aq User_List
+\&
+\& Runas_Alias ::= NAME \*(Aq=\*(Aq Runas_List
+\&
+\& Host_Alias ::= NAME \*(Aq=\*(Aq Host_List
+\&
+\& Cmnd_Alias ::= NAME \*(Aq=\*(Aq Cmnd_List
+\&
+\& NAME ::= [A\-Z]([A\-Z][0\-9]_)*
.Ve
.PP
Each \fIalias\fR definition is of the form
.PP
.Vb 2
\& User_List ::= User |
-\& User ',' User_List
-.Ve
-.PP
-.Vb 4
-\& User ::= '!'* username |
-\& '!'* '%'group |
-\& '!'* '+'netgroup |
-\& '!'* User_Alias
+\& User \*(Aq,\*(Aq User_List
+\&
+\& User ::= \*(Aq!\*(Aq* username |
+\& \*(Aq!\*(Aq* \*(Aq#\*(Aquid |
+\& \*(Aq!\*(Aq* \*(Aq%\*(Aqgroup |
+\& \*(Aq!\*(Aq* \*(Aq+\*(Aqnetgroup |
+\& \*(Aq!\*(Aq* User_Alias
.Ve
.PP
-A \f(CW\*(C`User_List\*(C'\fR is made up of one or more usernames, system groups
-(prefixed with '%'), netgroups (prefixed with '+') and other aliases.
-Each list item may be prefixed with one or more '!' operators.
-An odd number of '!' operators negate the value of the item; an even
-number just cancel each other out.
+A \f(CW\*(C`User_List\*(C'\fR is made up of one or more usernames, uids (prefixed
+with '#'), system groups (prefixed with '%'), netgroups (prefixed
+with '+') and \f(CW\*(C`User_Alias\*(C'\fRes. Each list item may be prefixed with
+zero or more '!' operators. An odd number of '!' operators negate
+the value of the item; an even number just cancel each other out.
.PP
.Vb 2
-\& Runas_List ::= Runas_User |
-\& Runas_User ',' Runas_List
+\& Runas_List ::= Runas_Member |
+\& Runas_Member \*(Aq,\*(Aq Runas_List
+\&
+\& Runas_Member ::= \*(Aq!\*(Aq* username |
+\& \*(Aq!\*(Aq* \*(Aq#\*(Aquid |
+\& \*(Aq!\*(Aq* \*(Aq%\*(Aqgroup |
+\& \*(Aq!\*(Aq* +netgroup |
+\& \*(Aq!\*(Aq* Runas_Alias
.Ve
.PP
-.Vb 5
-\& Runas_User ::= '!'* username |
-\& '!'* '#'uid |
-\& '!'* '%'group |
-\& '!'* +netgroup |
-\& '!'* Runas_Alias
-.Ve
-.PP
-A \f(CW\*(C`Runas_List\*(C'\fR is similar to a \f(CW\*(C`User_List\*(C'\fR except that it can
-also contain uids (prefixed with '#') and instead of \f(CW\*(C`User_Alias\*(C'\fRes
-it can contain \f(CW\*(C`Runas_Alias\*(C'\fRes. Note that usernames and groups
-are matched as strings. In other words, two users (groups) with
-the same uid (gid) are considered to be distinct. If you wish to
-match all usernames with the same uid (e.g.\ root and toor), you
-can use a uid instead (#0 in the example given).
+A \f(CW\*(C`Runas_List\*(C'\fR is similar to a \f(CW\*(C`User_List\*(C'\fR except that instead
+of \f(CW\*(C`User_Alias\*(C'\fRes it can contain \f(CW\*(C`Runas_Alias\*(C'\fRes. Note that
+usernames and groups are matched as strings. In other words, two
+users (groups) with the same uid (gid) are considered to be distinct.
+If you wish to match all usernames with the same uid (e.g.\ root
+and toor), you can use a uid instead (#0 in the example given).
.PP
.Vb 2
\& Host_List ::= Host |
-\& Host ',' Host_List
-.Ve
-.PP
-.Vb 5
-\& Host ::= '!'* hostname |
-\& '!'* ip_addr |
-\& '!'* network(/netmask)? |
-\& '!'* '+'netgroup |
-\& '!'* Host_Alias
+\& Host \*(Aq,\*(Aq Host_List
+\&
+\& Host ::= \*(Aq!\*(Aq* hostname |
+\& \*(Aq!\*(Aq* ip_addr |
+\& \*(Aq!\*(Aq* network(/netmask)? |
+\& \*(Aq!\*(Aq* \*(Aq+\*(Aqnetgroup |
+\& \*(Aq!\*(Aq* Host_Alias
.Ve
.PP
A \f(CW\*(C`Host_List\*(C'\fR is made up of one or more hostnames, \s-1IP\s0 addresses,
.PP
.Vb 2
\& Cmnd_List ::= Cmnd |
-\& Cmnd ',' Cmnd_List
-.Ve
-.PP
-.Vb 3
+\& Cmnd \*(Aq,\*(Aq Cmnd_List
+\&
\& commandname ::= filename |
\& filename args |
-\& filename '""'
-.Ve
-.PP
-.Vb 4
-\& Cmnd ::= '!'* commandname |
-\& '!'* directory |
-\& '!'* "sudoedit" |
-\& '!'* Cmnd_Alias
+\& filename \*(Aq""\*(Aq
+\&
+\& Cmnd ::= \*(Aq!\*(Aq* commandname |
+\& \*(Aq!\*(Aq* directory |
+\& \*(Aq!\*(Aq* "sudoedit" |
+\& \*(Aq!\*(Aq* Cmnd_Alias
.Ve
.PP
A \f(CW\*(C`Cmnd_List\*(C'\fR is a list of one or more commandnames, directories, and other
(or match the wildcards if there are any). Note that the following
characters must be escaped with a '\e' if they are used in command
arguments: ',', ':', '=', '\e'. The special command \f(CW"sudoedit"\fR
-is used to permit a user to run \fBsudo\fR with the \fB\-e\fR flag (or
+is used to permit a user to run \fBsudo\fR with the \fB\-e\fR option (or
as \fBsudoedit\fR). It may take command line arguments just as
a normal command does.
.Sh "Defaults"
Certain configuration options may be changed from their default
values at runtime via one or more \f(CW\*(C`Default_Entry\*(C'\fR lines. These
may affect all users on any host, all users on a specific host, a
-specific user, or commands being run as a specific user.
+specific user, a specific command, or commands being run as a specific user.
+Note that per-command entries may not include command line arguments.
+If you need to specify arguments, define a \f(CW\*(C`Cmnd_Alias\*(C'\fR and reference
+that instead.
.PP
-.Vb 4
-\& Default_Type ::= 'Defaults' |
-\& 'Defaults' '@' Host_List |
-\& 'Defaults' ':' User_List |
-\& 'Defaults' '>' Runas_List
-.Ve
-.PP
-.Vb 1
+.Vb 5
+\& Default_Type ::= \*(AqDefaults\*(Aq |
+\& \*(AqDefaults\*(Aq \*(Aq@\*(Aq Host_List |
+\& \*(AqDefaults\*(Aq \*(Aq:\*(Aq User_List |
+\& \*(AqDefaults\*(Aq \*(Aq!\*(Aq Cmnd_List |
+\& \*(AqDefaults\*(Aq \*(Aq>\*(Aq Runas_List
+\&
\& Default_Entry ::= Default_Type Parameter_List
-.Ve
-.PP
-.Vb 2
+\&
\& Parameter_List ::= Parameter |
-\& Parameter ',' Parameter_List
-.Ve
-.PP
-.Vb 4
-\& Parameter ::= Parameter '=' Value |
-\& Parameter '+=' Value |
-\& Parameter '-=' Value |
-\& '!'* Parameter
+\& Parameter \*(Aq,\*(Aq Parameter_List
+\&
+\& Parameter ::= Parameter \*(Aq=\*(Aq Value |
+\& Parameter \*(Aq+=\*(Aq Value |
+\& Parameter \*(Aq\-=\*(Aq Value |
+\& \*(Aq!\*(Aq* Parameter
.Ve
.PP
Parameters may be \fBflags\fR, \fBinteger\fR values, \fBstrings\fR, or \fBlists\fR.
It is not an error to use the \f(CW\*(C`\-=\*(C'\fR operator to remove an element
that does not exist in a list.
.PP
+Defaults entries are parsed in the following order: generic, host
+and user Defaults first, then runas Defaults and finally command
+defaults.
+.PP
See \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" for a list of supported Defaults parameters.
.Sh "User Specification"
.IX Subsection "User Specification"
.Vb 2
-\& User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
-\& (':' Host_List '=' Cmnd_Spec_List)*
-.Ve
-.PP
-.Vb 2
+\& User_Spec ::= User_List Host_List \*(Aq=\*(Aq Cmnd_Spec_List \e
+\& (\*(Aq:\*(Aq Host_List \*(Aq=\*(Aq Cmnd_Spec_List)*
+\&
\& Cmnd_Spec_List ::= Cmnd_Spec |
-\& Cmnd_Spec ',' Cmnd_Spec_List
-.Ve
-.PP
-.Vb 1
+\& Cmnd_Spec \*(Aq,\*(Aq Cmnd_Spec_List
+\&
\& Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
-.Ve
-.PP
-.Vb 1
-\& Runas_Spec ::= '(' Runas_List ')'
-.Ve
-.PP
-.Vb 2
-\& Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
-\& 'SETENV:' | 'NOSETENV:')
+\&
+\& Runas_Spec ::= \*(Aq(\*(Aq Runas_List? (: Runas_List)? \*(Aq)\*(Aq
+\&
+\& Tag_Spec ::= (\*(AqNOPASSWD:\*(Aq | \*(AqPASSWD:\*(Aq | \*(AqNOEXEC:\*(Aq | \*(AqEXEC:\*(Aq |
+\& \*(AqSETENV:\*(Aq | \*(AqNOSETENV:\*(Aq )
.Ve
.PP
A \fBuser specification\fR determines which commands a user may run
Let's break that down into its constituent parts:
.Sh "Runas_Spec"
.IX Subsection "Runas_Spec"
-A \f(CW\*(C`Runas_Spec\*(C'\fR is simply a \f(CW\*(C`Runas_List\*(C'\fR (as defined above)
-enclosed in a set of parentheses. If you do not specify a
-\&\f(CW\*(C`Runas_Spec\*(C'\fR in the user specification, a default \f(CW\*(C`Runas_Spec\*(C'\fR
-of \fBroot\fR will be used. A \f(CW\*(C`Runas_Spec\*(C'\fR sets the default for
-commands that follow it. What this means is that for the entry:
+A \f(CW\*(C`Runas_Spec\*(C'\fR determines the user and/or the group that a command
+may be run as. A fully-specified \f(CW\*(C`Runas_Spec\*(C'\fR consists of two
+\&\f(CW\*(C`Runas_List\*(C'\fRs (as defined above) separated by a colon (':') and
+enclosed in a set of parentheses. The first \f(CW\*(C`Runas_List\*(C'\fR indicates
+which users the command may be run as via \fBsudo\fR's \fB\-u\fR option.
+The second defines a list of groups that can be specified via
+\&\fBsudo\fR's \fB\-g\fR option. If both \f(CW\*(C`Runas_List\*(C'\fRs are specified, the
+command may be run with any combination of users and groups listed
+in their respective \f(CW\*(C`Runas_List\*(C'\fRs. If only the first is specified,
+the command may be run as any user in the list but no \fB\-g\fR option
+may be specified. If the first \f(CW\*(C`Runas_List\*(C'\fR is empty but the
+second is specified, the command may be run as the invoking user
+with the group set to any listed in the \f(CW\*(C`Runas_List\*(C'\fR. If no
+\&\f(CW\*(C`Runas_Spec\*(C'\fR is specified the command may be run as \fBroot\fR and
+no group may be specified.
+.PP
+A \f(CW\*(C`Runas_Spec\*(C'\fR sets the default for the commands that follow it.
+What this means is that for the entry:
.PP
.Vb 1
\& dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
\&\fI/usr/bin/lprm\fR \*(-- but only as \fBoperator\fR. E.g.,
.PP
.Vb 1
-\& $ sudo -u operator /bin/ls.
+\& $ sudo \-u operator /bin/ls.
.Ve
.PP
It is also possible to override a \f(CW\*(C`Runas_Spec\*(C'\fR later on in an
.PP
Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR,
but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR.
+.PP
+We can extend this to allow \fBdgb\fR to run \f(CW\*(C`/bin/ls\*(C'\fR with either
+the user or group set to \fBoperator\fR:
+.PP
+.Vb 2
+\& dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \e
+\& /usr/bin/lprm
+.Ve
+.PP
+In the following example, user \fBtcm\fR may run commands that access
+a modem device file with the dialer group. Note that in this example
+only the group will be set, the command still runs as user \fBtcm\fR.
+.PP
+.Vb 2
+\& tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \e
+\& /usr/local/bin/minicom
+.Ve
.Sh "Tag_Spec"
.IX Subsection "Tag_Spec"
A command may have zero or more tags associated with it. There are
-six possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, \f(CW\*(C`EXEC\*(C'\fR,
+eight possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, \f(CW\*(C`EXEC\*(C'\fR,
\&\f(CW\*(C`SETENV\*(C'\fR and \f(CW\*(C`NOSETENV\*(C'\fR.
Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR, subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the
\&\f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless it is overridden by the
.Ve
.PP
would allow the user \fBray\fR to run \fI/bin/kill\fR, \fI/bin/ls\fR, and
-\&\fI/usr/bin/lprm\fR as root on the machine rushmore as \fBroot\fR without
+\&\fI/usr/bin/lprm\fR as \fBroot\fR on the machine rushmore without
authenticating himself. If we only want \fBray\fR to be able to
run \fI/bin/kill\fR without a password the entry would be:
.PP
.Sh "Wildcards"
.IX Subsection "Wildcards"
\&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters)
-to be used in pathnames as well as command line arguments in the
+to be used in hostnames, pathnames and command line arguments in the
\&\fIsudoers\fR file. Wildcard matching is done via the \fB\s-1POSIX\s0\fR
\&\fIfnmatch\fR\|(3) routine. Note that these are \fInot\fR regular expressions.
.ie n .IP "\*(C`*\*(C'" 8
For any character \*(L"x\*(R", evaluates to \*(L"x\*(R". This is used to
escape special characters such as: \*(L"*\*(R", \*(L"?\*(R", \*(L"[\*(R", and \*(L"}\*(R".
.PP
+\&\s-1POSIX\s0 character classes may also be used if your system's
+\&\fIfnmatch\fR\|(3) function supports them. However, because the
+\&\f(CW\*(Aq:\*(Aq\fR character has special meaning in \fIsudoers\fR, it must
+be escaped. For example:
+.PP
+.Vb 1
+\& /bin/ls [[\e:alpha\e:]]*
+.Ve
+.PP
+Would match any filename beginning with a letter.
+.PP
Note that a forward slash ('/') will \fBnot\fR be matched by
wildcards used in the pathname. When matching the command
line arguments, however, a slash \fBdoes\fR get matched by
If the empty string \f(CW""\fR is the only command line argument in the
\&\fIsudoers\fR entry it means that command is not allowed to be run
with \fBany\fR arguments.
+.Sh "Including other files from within sudoers"
+.IX Subsection "Including other files from within sudoers"
+It is possible to include other \fIsudoers\fR files from within the
+\&\fIsudoers\fR file currently being parsed using the \f(CW\*(C`#include\*(C'\fR
+directive, similar to the one used by the C preprocessor. This is
+useful, for example, for keeping a site-wide \fIsudoers\fR file in
+addition to a per-machine local one. For the sake of this example
+the site-wide \fIsudoers\fR will be \fI/etc/sudoers\fR and the per-machine
+one will be \fI/etc/sudoers.local\fR. To include \fI/etc/sudoers.local\fR
+from \fI/etc/sudoers\fR we would use the following line in \fI/etc/sudoers\fR:
+.PP
+.Vb 1
+\& #include /etc/sudoers.local
+.Ve
+.PP
+When \fBsudo\fR reaches this line it will suspend processing of the
+current file (\fI/etc/sudoers\fR) and switch to \fI/etc/sudoers.local\fR.
+Upon reaching the end of \fI/etc/sudoers.local\fR, the rest of
+\&\fI/etc/sudoers\fR will be processed. Files that are included may
+themselves include other files. A hard limit of 128 nested include
+files is enforced to prevent include file loops.
.Sh "Other special characters and reserved words"
.IX Subsection "Other special characters and reserved words"
The pound sign ('#') is used to indicate a comment (unless it is
.IX Item "always_set_home"
If set, \fBsudo\fR will set the \f(CW\*(C`HOME\*(C'\fR environment variable to the home
directory of the target user (which is root unless the \fB\-u\fR option is used).
-This effectively means that the \fB\-H\fR flag is always implied.
+This effectively means that the \fB\-H\fR option is always implied.
This flag is \fIoff\fR by default.
.IP "authenticate" 16
.IX Item "authenticate"
means of authentication) before they may run commands. This default
may be overridden via the \f(CW\*(C`PASSWD\*(C'\fR and \f(CW\*(C`NOPASSWD\*(C'\fR tags.
This flag is \fIon\fR by default.
+.IP "closefrom_override" 16
+.IX Item "closefrom_override"
+If set, the user may use \fBsudo\fR's \fB\-C\fR option which
+overrides the default starting point at which \fBsudo\fR begins
+closing open file descriptors. This flag is \fIoff\fR by default.
.IP "env_editor" 16
.IX Item "env_editor"
If set, \fBvisudo\fR will use the value of the \s-1EDITOR\s0 or \s-1VISUAL\s0
variables in the caller's environment that match the \f(CW\*(C`env_keep\*(C'\fR
and \f(CW\*(C`env_check\*(C'\fR lists are then added. The default contents of the
\&\f(CW\*(C`env_keep\*(C'\fR and \f(CW\*(C`env_check\*(C'\fR lists are displayed when \fBsudo\fR is
-run by root with the \fI\-V\fR option. If \fBsudo\fR was compiled with
-the \f(CW\*(C`SECURE_PATH\*(C'\fR option, its value will be used for the \f(CW\*(C`PATH\*(C'\fR
-environment variable. This flag is \fIon\fR by default.
+run by root with the \fI\-V\fR option. If the \fIsecure_path\fR option
+is set, its value will be used for the \f(CW\*(C`PATH\*(C'\fR environment variable.
+This flag is \fIon\fR by default.
.IP "fqdn" 16
.IX Item "fqdn"
Set this flag if you want to put fully qualified hostnames in the
.IX Item "ignore_dot"
If set, \fBsudo\fR will ignore '.' or '' (current dir) in the \f(CW\*(C`PATH\*(C'\fR
environment variable; the \f(CW\*(C`PATH\*(C'\fR itself is not modified. This
-flag is \fI@ignore_dot@\fR by default. Currently, while it is possible
-to set \fIignore_dot\fR in \fIsudoers\fR, its value is not used. This option
-should be considered read-only (it will be fixed in a future version
-of \fBsudo\fR).
+flag is \fI@ignore_dot@\fR by default.
.IP "ignore_local_sudoers" 16
.IX Item "ignore_local_sudoers"
If set via \s-1LDAP\s0, parsing of \fI@sysconfdir@/sudoers\fR will be skipped.
password. This flag is \fI@insults@\fR by default.
.IP "log_host" 16
.IX Item "log_host"
-If set, the hostname will be logged in the (non\-syslog) \fBsudo\fR log file.
+If set, the hostname will be logged in the (non-syslog) \fBsudo\fR log file.
This flag is \fIoff\fR by default.
.IP "log_year" 16
.IX Item "log_year"
-If set, the four-digit year will be logged in the (non\-syslog) \fBsudo\fR log file.
+If set, the four-digit year will be logged in the (non-syslog) \fBsudo\fR log file.
This flag is \fIoff\fR by default.
.IP "long_otp_prompt" 16
.IX Item "long_otp_prompt"
.IX Item "noexec"
If set, all commands run via \fBsudo\fR will behave as if the \f(CW\*(C`NOEXEC\*(C'\fR
tag has been set, unless overridden by a \f(CW\*(C`EXEC\*(C'\fR tag. See the
-description of \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR below as well as the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section at the end of this manual. This flag is \fIoff\fR by default.
+description of \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR below as well as the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0
+\&\s-1ESCAPES\s0\*(R" section at the end of this manual. This flag is \fIoff\fR by default.
.IP "path_info" 16
.IX Item "path_info"
Normally, \fBsudo\fR will tell the user when a command could not be
.IP "requiretty" 16
.IX Item "requiretty"
If set, \fBsudo\fR will only run when the user is logged in to a real
-tty. This will disallow things like \f(CW"rsh somehost sudo ls"\fR since
-\&\fIrsh\fR\|(1) does not allocate a tty. Because it is not possible to turn
-off echo when there is no tty present, some sites may wish to set
-this flag to prevent a user from entering a visible password. This
-flag is \fIoff\fR by default.
+tty. When this flag is set, \fBsudo\fR can only be run from a login
+session and not via other means such as \fIcron\fR\|(@mansectsu@) or cgi-bin scripts.
+This flag is \fIoff\fR by default.
.IP "root_sudo" 16
.IX Item "root_sudo"
If set, root is allowed to run \fBsudo\fR too. Disabling this prevents users
password of the invoking user. This flag is \fIoff\fR by default.
.IP "set_home" 16
.IX Item "set_home"
-If set and \fBsudo\fR is invoked with the \fB\-s\fR flag the \f(CW\*(C`HOME\*(C'\fR
+If set and \fBsudo\fR is invoked with the \fB\-s\fR option the \f(CW\*(C`HOME\*(C'\fR
environment variable will be set to the home directory of the target
user (which is root unless the \fB\-u\fR option is used). This effectively
-makes the \fB\-s\fR flag imply \fB\-H\fR. This flag is \fIoff\fR by default.
+makes the \fB\-s\fR option imply \fB\-H\fR. This flag is \fIoff\fR by default.
.IP "set_logname" 16
.IX Item "set_logname"
Normally, \fBsudo\fR will set the \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR and \f(CW\*(C`USERNAME\*(C'\fR
environment variables to the name of the target user (usually root
-unless the \fB\-u\fR flag is given). However, since some programs
+unless the \fB\-u\fR option is given). However, since some programs
(including the \s-1RCS\s0 revision control system) use \f(CW\*(C`LOGNAME\*(C'\fR to
determine the real identity of the user, it may be desirable to
change this behavior. This can be done by negating the set_logname
.IP "shell_noargs" 16
.IX Item "shell_noargs"
If set and \fBsudo\fR is invoked with no arguments it acts as if the
-\&\fB\-s\fR flag had been given. That is, it runs a shell as root (the
+\&\fB\-s\fR option had been given. That is, it runs a shell as root (the
shell is determined by the \f(CW\*(C`SHELL\*(C'\fR environment variable if it is
set, falling back on the shell listed in the invoking user's
/etc/passwd entry if not). This flag is \fIoff\fR by default.
.IP "targetpw" 16
.IX Item "targetpw"
If set, \fBsudo\fR will prompt for the password of the user specified by
-the \fB\-u\fR flag (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password of the
+the \fB\-u\fR option (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password of the
invoking user. Note that this precludes the use of a uid not listed
-in the passwd database as an argument to the \fB\-u\fR flag.
+in the passwd database as an argument to the \fB\-u\fR option.
This flag is \fIoff\fR by default.
.IP "tty_tickets" 16
.IX Item "tty_tickets"
@LCMAN@If set, \fBsudo\fR will apply the defaults specified for the target user's
@LCMAN@login class if one exists. Only available if \fBsudo\fR is configured with
@LCMAN@the \-\-with\-logincap option. This flag is \fIoff\fR by default.
+.IP "visiblepw" 16
+.IX Item "visiblepw"
+By default, \fBsudo\fR will refuse to run if the user must enter a
+password but it is not possible to disable echo on the terminal.
+If the \fIvisiblepw\fR flag is set, \fBsudo\fR will prompt for a password
+even when it would be visible on the screen. This makes it possible
+to run things like \f(CW"rsh somehost sudo ls"\fR since \fIrsh\fR\|(1) does
+not allocate a tty. This flag is \fIoff\fR by default.
.PP
\&\fBIntegers\fR:
+.IP "closefrom" 16
+.IX Item "closefrom"
+Before it executes a command, \fBsudo\fR will close all open file
+descriptors other than standard input, standard output and standard
+error (ie: file descriptors 0\-2). The \fIclosefrom\fR option can be used
+to specify a different file descriptor at which to start closing.
+The default is \f(CW3\fR.
.IP "passwd_tries" 16
.IX Item "passwd_tries"
The number of tries a user gets to enter his/her password before
.IP "umask" 16
.IX Item "umask"
Umask to use when running the command. Negate this option or set
-it to 0777 to preserve the user's umask. The default is \f(CW\*(C`@sudo_umask@\*(C'\fR.
+it to 0777 to preserve the user's umask. The actual umask that is
+used will be the union of the user's umask and \f(CW\*(C`@sudo_umask@\*(C'\fR.
+This guarantees that \fBsudo\fR never lowers the umask when running a
+command. Note on systems that use \s-1PAM\s0, the default \s-1PAM\s0 configuration
+may specify its own umask which will override the value set in
+\&\fIsudoers\fR.
.PP
\&\fBStrings\fR:
.IP "badpass_message" 16
@SEMAN@This option is only available whe \fBsudo\fR is built with SELinux support.
.IP "runas_default" 16
.IX Item "runas_default"
-The default user to run commands as if the \fB\-u\fR flag is not specified
+The default user to run commands as if the \fB\-u\fR option is not specified
on the command line. This defaults to \f(CW\*(C`@runas_default@\*(C'\fR.
Note that if \fIrunas_default\fR is set it \fBmust\fR occur before
any \f(CW\*(C`Runas_Alias\*(C'\fR specifications.
.IX Item "syslog_goodpri"
Syslog priority to use when user authenticates successfully.
Defaults to \f(CW\*(C`@goodpri@\*(C'\fR.
+.IP "sudoers_locale" 16
+.IX Item "sudoers_locale"
+Locale to use when parsing the sudoers file. Note that changing
+the locale may affect how sudoers is interpreted.
+Defaults to \f(CW"C"\fR.
.IP "timestampdir" 16
.IX Item "timestampdir"
The directory in which \fBsudo\fR stores its timestamp files.
@SEMAN@This option is only available whe \fBsudo\fR is built with SELinux support.
.PP
\&\fBStrings that can be used in a boolean context\fR:
+.IP "askpass" 12
+.IX Item "askpass"
+The \fIaskpass\fR option specifies the fully qualified path to a helper
+program used to read the user's password when no terminal is
+available. This may be the case when \fBsudo\fR is executed from a
+graphical (as opposed to text-based) application. The program
+specified by \fIaskpass\fR should display the argument passed to it
+as the prompt and write the user's password to the standard output.
+The value of \fIaskpass\fR may be overridden by the \f(CW\*(C`SUDO_ASKPASS\*(C'\fR
+environment variable.
+.IP "env_file" 12
+.IX Item "env_file"
+The \fIenv_file\fR options specifies the fully qualified path to a file
+containing variables to be set in the environment of the program
+being run. Entries in this file should be of the form \f(CW\*(C`VARIABLE=value\*(C'\fR.
+Variables in this file are subject to other \fBsudo\fR environment
+settings such as \fIenv_keep\fR and \fIenv_check\fR.
.IP "exempt_group" 12
.IX Item "exempt_group"
Users in this group are exempt from password and \s-1PATH\s0 requirements.
.IP "listpw" 12
.IX Item "listpw"
This option controls when a password will be required when a
-user runs \fBsudo\fR with the \fB\-l\fR flag. It has the following possible values:
-.RS 12
-.IP "all" 8
-.IX Item "all"
-All the user's \fIsudoers\fR entries for the current host must have
-the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
-.IP "always" 8
-.IX Item "always"
-The user must always enter a password to use the \fB\-l\fR flag.
-.IP "any" 8
-.IX Item "any"
-At least one of the user's \fIsudoers\fR entries for the current host
-must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
-.IP "never" 8
-.IX Item "never"
-The user need never enter a password to use the \fB\-l\fR flag.
-.RE
-.RS 12
-.Sp
-If no value is specified, a value of \fIany\fR is implied.
-Negating the option results in a value of \fInever\fR being used.
-The default value is \fIany\fR.
-.RE
-.IP "logfile" 12
-.IX Item "logfile"
-Path to the \fBsudo\fR log file (not the syslog log file). Setting a path
-turns on logging to a file; negating this option turns it off.
-By default, \fBsudo\fR logs via syslog.
-.IP "mailerflags" 12
-.IX Item "mailerflags"
-Flags to use when invoking mailer. Defaults to \fB\-t\fR.
-.IP "mailerpath" 12
-.IX Item "mailerpath"
-Path to mail program used to send warning mail.
-Defaults to the path to sendmail found at configure time.
-.IP "mailto" 12
-.IX Item "mailto"
-Address to send warning and error mail to. The address should
-be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR) to protect against \fBsudo\fR
-interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to \f(CW\*(C`@mailto@\*(C'\fR.
-.IP "exempt_group" 12
-.IX Item "exempt_group"
-Users in this group are exempt from password and \s-1PATH\s0 requirements.
-On Debian systems, this is set to the group 'sudo' by default.
-.IP "syslog" 12
-.IX Item "syslog"
-Syslog facility if syslog is being used for logging (negate to
-disable syslog logging). Defaults to \f(CW\*(C`@logfac@\*(C'\fR.
-.IP "verifypw" 12
-.IX Item "verifypw"
-This option controls when a password will be required when a user runs
-\&\fBsudo\fR with the \fB\-v\fR flag. It has the following possible values:
+user runs \fBsudo\fR with the \fB\-l\fR option. It has the following possible values:
.RS 12
.IP "all" 8
.IX Item "all"
the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
.IP "always" 8
.IX Item "always"
-The user must always enter a password to use the \fB\-l\fR flag.
+The user must always enter a password to use the \fB\-l\fR option.
.IP "any" 8
.IX Item "any"
At least one of the user's \fIsudoers\fR entries for the current host
must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
.IP "never" 8
.IX Item "never"
-The user need never enter a password to use the \fB\-l\fR flag.
+The user need never enter a password to use the \fB\-l\fR option.
.RE
.RS 12
.Sp
.IX Item "mailerpath"
Path to mail program used to send warning mail.
Defaults to the path to sendmail found at configure time.
+.IP "mailfrom" 12
+.IX Item "mailfrom"
+Address to use for the \*(L"from\*(R" address when sending warning and error
+mail. The address should be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR) to
+protect against \fBsudo\fR interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to
+the name of the user running \fBsudo\fR.
.IP "mailto" 12
.IX Item "mailto"
Address to send warning and error mail to. The address should
be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR) to protect against \fBsudo\fR
interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to \f(CW\*(C`@mailto@\*(C'\fR.
+.IP "secure_path" 12
+.IX Item "secure_path"
+Path used for every command run from \fBsudo\fR. If you don't trust the
+people running \fBsudo\fR to have a sane \f(CW\*(C`PATH\*(C'\fR environment variable you may
+want to use this. Another use is if you want to have the \*(L"root path\*(R"
+be separate from the \*(L"user path.\*(R" Users in the group specified by the
+\&\fIexempt_group\fR option are not affected by \fIsecure_path\fR.
+This is not set by default.
.IP "syslog" 12
.IX Item "syslog"
Syslog facility if syslog is being used for logging (negate to
.IP "verifypw" 12
.IX Item "verifypw"
This option controls when a password will be required when a user runs
-\&\fBsudo\fR with the \fB\-v\fR flag. It has the following possible values:
+\&\fBsudo\fR with the \fB\-v\fR option. It has the following possible values:
.RS 12
.IP "all" 8
.IX Item "all"
the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
.IP "always" 8
.IX Item "always"
-The user must always enter a password to use the \fB\-v\fR flag.
+The user must always enter a password to use the \fB\-v\fR option.
.IP "any" 8
.IX Item "any"
At least one of the user's \fIsudoers\fR entries for the current host
must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
.IP "never" 8
.IX Item "never"
-The user need never enter a password to use the \fB\-v\fR flag.
+The user need never enter a password to use the \fB\-v\fR option.
.RE
.RS 12
.Sp
Environment variables to be removed from the user's environment if
the variable's value contains \f(CW\*(C`%\*(C'\fR or \f(CW\*(C`/\*(C'\fR characters. This can
be used to guard against printf-style format vulnerabilities in
-poorly-written programs. The argument may be a double\-quoted,
-space-separated list or a single value without double\-quotes. The
+poorly-written programs. The argument may be a double-quoted,
+space-separated list or a single value without double-quotes. The
list can be replaced, added to, deleted from, or disabled by using
the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators respectively. Regardless
of whether the \f(CW\*(C`env_reset\*(C'\fR option is enabled or disabled, variables
.IP "env_delete" 16
.IX Item "env_delete"
Environment variables to be removed from the user's environment.
-The argument may be a double\-quoted, space-separated list or a
-single value without double\-quotes. The list can be replaced, added
+The argument may be a double-quoted, space-separated list or a
+single value without double-quotes. The list can be replaced, added
to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and
\&\f(CW\*(C`!\*(C'\fR operators respectively. The default list of environment
variables to remove is displayed when \fBsudo\fR is run by root with the
Environment variables to be preserved in the user's environment
when the \fIenv_reset\fR option is in effect. This allows fine-grained
control over the environment \fBsudo\fR\-spawned processes will receive.
-The argument may be a double\-quoted, space-separated list or a
-single value without double\-quotes. The list can be replaced, added
+The argument may be a double-quoted, space-separated list or a
+single value without double-quotes. The list can be replaced, added
to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and
\&\f(CW\*(C`!\*(C'\fR operators respectively. The default list of variables to keep
is displayed when \fBsudo\fR is run by root with the \fI\-V\fR option.
\&\fBnotice\fR, and \fBwarning\fR.
.SH "FILES"
.IX Header "FILES"
-.IP "\fI@sysconfdir@/sudoers\fR" 24
+.ie n .IP "\fI@sysconfdir@/sudoers\fR" 24
+.el .IP "\fI@sysconfdir@/sudoers\fR" 24
.IX Item "@sysconfdir@/sudoers"
List of who can run what
.IP "\fI/etc/group\fR" 24
List of network groups
.SH "EXAMPLES"
.IX Header "EXAMPLES"
-Since the \fIsudoers\fR file is parsed in a single pass, order is
-important. In general, you should structure \fIsudoers\fR such that
-the \f(CW\*(C`Host_Alias\*(C'\fR, \f(CW\*(C`User_Alias\*(C'\fR, and \f(CW\*(C`Cmnd_Alias\*(C'\fR specifications
-come first, followed by any \f(CW\*(C`Default_Entry\*(C'\fR lines, and finally the
-\&\f(CW\*(C`Runas_Alias\*(C'\fR and user specifications. The basic rule of thumb
-is you cannot reference an Alias that has not already been defined.
-.PP
Below are example \fIsudoers\fR entries. Admittedly, some of
these are a bit contrived. First, we define our \fIaliases\fR:
.PP
\& User_Alias FULLTIMERS = millert, mikef, dowdy
\& User_Alias PARTTIMERS = bostley, jwfox, crawl
\& User_Alias WEBMASTERS = will, wendy, wim
-.Ve
-.PP
-.Vb 3
+\&
\& # Runas alias specification
\& Runas_Alias OP = root, operator
\& Runas_Alias DB = oracle, sybase
-.Ve
-.PP
-.Vb 9
+\&
\& # Host alias specification
\& Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
\& SGI = grolsch, dandelion, black :\e
\& Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
\& Host_Alias SERVERS = master, mail, www, ns
\& Host_Alias CDROM = orion, perseus, hercules
-.Ve
-.PP
-.Vb 13
+\&
\& # Cmnd alias specification
\& Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
\& /usr/sbin/restore, /usr/sbin/rrestore
(\fI/usr/bin/more\fR, \fI/usr/bin/pg\fR and \fI/usr/bin/less\fR).
.PP
.Vb 7
-\& # Override built-in defaults
+\& # Override built\-in defaults
\& Defaults syslog=auth
\& Defaults>root !set_logname
\& Defaults:FULLTIMERS !lecture
The user \fBjoe\fR may only \fIsu\fR\|(1) to operator.
.PP
.Vb 1
-\& pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
+\& pete HPPA = /usr/bin/passwd [A\-Za\-z]*, !/usr/bin/passwd root
.Ve
.PP
The user \fBpete\fR is allowed to change anyone's password except for
(\fBoracle\fR or \fBsybase\fR) without giving a password.
.PP
.Vb 1
-\& john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
+\& john ALPHA = /usr/bin/su [!\-]*, !/usr/bin/su *root*
.Ve
.PP
On the \fI\s-1ALPHA\s0\fR machines, user \fBjohn\fR may su to anyone except root
-but he is not allowed to give \fIsu\fR\|(1) any flags.
+but he is not allowed to specify any options to the \fIsu\fR\|(1) command.
.PP
.Vb 1
\& jen ALL, !SERVERS = ALL
.PP
.Vb 2
\& ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
-\& /sbin/mount -o nosuid\e,nodev /dev/cd0a /CDROM
+\& /sbin/mount \-o nosuid\e,nodev /dev/cd0a /CDROM
.Ve
.PP
Any user may mount or unmount a CD-ROM on the machines in the \s-1CDROM\s0
the following as root:
.Sp
.Vb 1
-\& sudo -V | grep "dummy exec"
+\& sudo \-V | grep "dummy exec"
.Ve
.Sp
If the resulting output contains a line that begins with:
then \fBsudo\fR may be able to replace the exec family of functions
in the standard library with its own that simply return an error.
Unfortunately, there is no foolproof way to know whether or not
-\&\fInoexec\fR will work at compile\-time. \fInoexec\fR should work on
+\&\fInoexec\fR will work at compile-time. \fInoexec\fR should work on
SunOS, Solaris, *BSD, Linux, \s-1IRIX\s0, Tru64 \s-1UNIX\s0, MacOS X, and HP-UX
11.x. It is known \fBnot\fR to work on \s-1AIX\s0 and UnixWare. \fInoexec\fR
is expected to work on most operating systems that support the
projects / debian / sudo / blobdiff