-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2008
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2010
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.\" $Sudo: sudoers.man.in,v 1.74 2008/12/03 20:58:41 millert Exp $
-.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05)
+.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
.\" ========================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
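Review bot: the removal of the .de Sh macro here, together with the .Sh to .SS renames throughout the file, is Pod::Man 2.22 regeneration output rather than a content change; committing the regenerated boilerplate separately from the wording and option changes (nonunix_group, #includedir, pwfeedback, fast_glob, umask_override) would keep the substantive part of this diff reviewable.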
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
-.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "December 3, 2008" "1.7.0" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "June 1, 2010" "1.7.2p7" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
The \fIsudoers\fR grammar will be described below in Extended Backus-Naur
Form (\s-1EBNF\s0). Don't despair if you don't know what \s-1EBNF\s0 is; it is
fairly simple, and the definitions below are annotated.
-.Sh "Quick guide to \s-1EBNF\s0"
+.SS "Quick guide to \s-1EBNF\s0"
.IX Subsection "Quick guide to EBNF"
\&\s-1EBNF\s0 is a concise and exact way of describing the grammar of a language.
Each \s-1EBNF\s0 definition is made up of \fIproduction rules\fR. E.g.,
Parentheses may be used to group symbols together. For clarity,
we will use single quotes ('') to designate what is a verbatim character
string (as opposed to a symbol name).
-.Sh "Aliases"
+.SS "Aliases"
.IX Subsection "Aliases"
There are four kinds of aliases: \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR,
\&\f(CW\*(C`Host_Alias\*(C'\fR and \f(CW\*(C`Cmnd_Alias\*(C'\fR.
\& \*(Aq!\*(Aq* \*(Aq#\*(Aquid |
\& \*(Aq!\*(Aq* \*(Aq%\*(Aqgroup |
\& \*(Aq!\*(Aq* \*(Aq+\*(Aqnetgroup |
+\& \*(Aq!\*(Aq* \*(Aq%:\*(Aqnonunix_group |
\& \*(Aq!\*(Aq* User_Alias
.Ve
.PP
zero or more '!' operators. An odd number of '!' operators negate
the value of the item; an even number just cancel each other out.
.PP
+A \f(CW\*(C`username\*(C'\fR, \f(CW\*(C`group\*(C'\fR, \f(CW\*(C`netgroup\*(C'\fR and \f(CW\*(C`nonunix_groups\*(C'\fR may
+be enclosed in double quotes to avoid the need for escaping special
+characters. Alternately, special characters may be specified in
+escaped hex mode, e.g. \ex20 for space.
+.PP
+The \f(CW\*(C`nonunix_group\*(C'\fR syntax depends on the underlying implementation.
+For instance, the \s-1QAS\s0 \s-1AD\s0 backend supports the following formats:
+.IP "\(bu" 4
+Group in the same domain: \*(L"Group Name\*(R"
+.IP "\(bu" 4
+Group in any domain: \*(L"Group Name@FULLY.QUALIFIED.DOMAIN\*(R"
+.IP "\(bu" 4
+Group \s-1SID:\s0 \*(L"S\-1\-2\-34\-5678901234\-5678901234\-5678901234\-567\*(R"
+.PP
+Note that quotes around group names are optional. Unquoted strings must
+use a backslash (\e) to escape spaces and the '@' symbol.
+.PP
.Vb 2
\& Runas_List ::= Runas_Member |
\& Runas_Member \*(Aq,\*(Aq Runas_List
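Review bot: the new paragraph refers to \f(CW\*(C`nonunix_groups\*(C'\fR (plural) while the grammar line it documents adds the symbol nonunix_group; the two should match so a reader can find the production. Two smaller wording points in the same region: "Alternately" reads better as "Alternatively", and the closing sentence "Unquoted strings must use a backslash (\e) to escape spaces and the '@' symbol" is the rule that actually matters for an unquoted entry, so consider placing it next to the sentence on double quotes rather than after the QAS AD format list.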
is used to permit a user to run \fBsudo\fR with the \fB\-e\fR option (or
as \fBsudoedit\fR). It may take command line arguments just as
a normal command does.
-.Sh "Defaults"
+.SS "Defaults"
.IX Subsection "Defaults"
Certain configuration options may be changed from their default
values at runtime via one or more \f(CW\*(C`Default_Entry\*(C'\fR lines. These
defaults.
.PP
See \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" for a list of supported Defaults parameters.
-.Sh "User Specification"
+.SS "User Specification"
.IX Subsection "User Specification"
.Vb 2
\& User_Spec ::= User_List Host_List \*(Aq=\*(Aq Cmnd_Spec_List \e
\&
\& Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
\&
-\& Runas_Spec ::= \*(Aq(\*(Aq Runas_List? (: Runas_List)? \*(Aq)\*(Aq
+\& Runas_Spec ::= \*(Aq(\*(Aq Runas_List? (\*(Aq:\*(Aq Runas_List)? \*(Aq)\*(Aq
\&
\& Tag_Spec ::= (\*(AqNOPASSWD:\*(Aq | \*(AqPASSWD:\*(Aq | \*(AqNOEXEC:\*(Aq | \*(AqEXEC:\*(Aq |
\& \*(AqSETENV:\*(Aq | \*(AqNOSETENV:\*(Aq )
(and as what user) on specified hosts. By default, commands are
run as \fBroot\fR, but this can be changed on a per-command basis.
.PP
-Let's break that down into its constituent parts:
-.Sh "Runas_Spec"
+The basic structure of a user specification is `who = where (as_whom)
+what'. Let's break that down into its constituent parts:
+.SS "Runas_Spec"
.IX Subsection "Runas_Spec"
A \f(CW\*(C`Runas_Spec\*(C'\fR determines the user and/or the group that a command
may be run as. A fully-specified \f(CW\*(C`Runas_Spec\*(C'\fR consists of two
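Review bot: the summary `who = where (as_whom) what' is quoted with a backtick and an apostrophe, while every other quoted string in this file uses \*(L" and \*(R" (see the group format list above); use the same pair here. The summary also shows only (as_whom), whereas the Runas_Spec text just below documents an optional user and an optional group; a hint such as (as_whom : as_group) would match the grammar.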
\& tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \e
\& /usr/local/bin/minicom
.Ve
-.Sh "Tag_Spec"
+.SS "Tag_Spec"
.IX Subsection "Tag_Spec"
A command may have zero or more tags associated with it. There are
eight possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, \f(CW\*(C`EXEC\*(C'\fR,
variables in this manner. If the command matched is \fB\s-1ALL\s0\fR, the
\&\f(CW\*(C`SETENV\*(C'\fR tag is implied for that command; this default may
be overridden by use of the \f(CW\*(C`UNSETENV\*(C'\fR tag.
-.Sh "Wildcards"
+.SS "Wildcards"
.IX Subsection "Wildcards"
\&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters)
-to be used in hostnames, pathnames and command line arguments in the
-\&\fIsudoers\fR file. Wildcard matching is done via the \fB\s-1POSIX\s0\fR
-\&\fIfnmatch\fR\|(3) routine. Note that these are \fInot\fR regular expressions.
+to be used in hostnames, pathnames and command line arguments in
+the \fIsudoers\fR file. Wildcard matching is done via the \fB\s-1POSIX\s0\fR
+\&\fIglob\fR\|(3) and \fIfnmatch\fR\|(3) routines. Note that these are \fInot\fR
+regular expressions.
.ie n .IP "\*(C`*\*(C'" 8
.el .IP "\f(CW\*(C`*\*(C'\fR" 8
.IX Item "*"
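Review bot: the rewritten sentence says matching is done by glob(3) and fnmatch(3) but not which routine applies to which field; the fast_glob entry added further down says glob(3) is what sudo normally uses for pathnames. One clause here stating which routine handles hostnames and command line arguments would spare readers a jump to the options list, and it matters because the two routines differ in what they can match (the fast_glob entry notes fnmatch(3) cannot match relative pathnames).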
For any character \*(L"x\*(R", evaluates to \*(L"x\*(R". This is used to
escape special characters such as: \*(L"*\*(R", \*(L"?\*(R", \*(L"[\*(R", and \*(L"}\*(R".
.PP
-\&\s-1POSIX\s0 character classes may also be used if your system's
-\&\fIfnmatch\fR\|(3) function supports them. However, because the
-\&\f(CW\*(Aq:\*(Aq\fR character has special meaning in \fIsudoers\fR, it must
-be escaped. For example:
+\&\s-1POSIX\s0 character classes may also be used if your system's \fIglob\fR\|(3)
+and \fIfnmatch\fR\|(3) functions support them. However, because the
+\&\f(CW\*(Aq:\*(Aq\fR character has special meaning in \fIsudoers\fR, it must be
+escaped. For example:
.PP
.Vb 1
\& /bin/ls [[\e:alpha\e:]]*
.Ve
.PP
match \fI/usr/bin/who\fR but not \fI/usr/bin/X11/xterm\fR.
-.Sh "Exceptions to wildcard rules"
+.SS "Exceptions to wildcard rules"
.IX Subsection "Exceptions to wildcard rules"
The following exceptions apply to the above rules:
.ie n .IP """""" 8
If the empty string \f(CW""\fR is the only command line argument in the
\&\fIsudoers\fR entry it means that command is not allowed to be run
with \fBany\fR arguments.
-.Sh "Including other files from within sudoers"
+.SS "Including other files from within sudoers"
.IX Subsection "Including other files from within sudoers"
It is possible to include other \fIsudoers\fR files from within the
-\&\fIsudoers\fR file currently being parsed using the \f(CW\*(C`#include\*(C'\fR
-directive, similar to the one used by the C preprocessor. This is
-useful, for example, for keeping a site-wide \fIsudoers\fR file in
-addition to a per-machine local one. For the sake of this example
-the site-wide \fIsudoers\fR will be \fI/etc/sudoers\fR and the per-machine
-one will be \fI/etc/sudoers.local\fR. To include \fI/etc/sudoers.local\fR
-from \fI/etc/sudoers\fR we would use the following line in \fI/etc/sudoers\fR:
-.PP
-.Vb 1
-\& #include /etc/sudoers.local
-.Ve
+\&\fIsudoers\fR file currently being parsed using the \f(CW\*(C`#include\*(C'\fR and
+\&\f(CW\*(C`#includedir\*(C'\fR directives.
+.PP
+This can be used, for example, to keep a site-wide \fIsudoers\fR file
+in addition to a local, per-machine file. For the sake of this
+example the site-wide \fIsudoers\fR will be \fI/etc/sudoers\fR and the
+per-machine one will be \fI/etc/sudoers.local\fR. To include
+\&\fI/etc/sudoers.local\fR from within \fI/etc/sudoers\fR we would use the
+following line in \fI/etc/sudoers\fR:
+.Sp
+.RS 4
+\&\f(CW\*(C`#include /etc/sudoers.local\*(C'\fR
+.RE
.PP
When \fBsudo\fR reaches this line it will suspend processing of the
current file (\fI/etc/sudoers\fR) and switch to \fI/etc/sudoers.local\fR.
\&\fI/etc/sudoers\fR will be processed. Files that are included may
themselves include other files. A hard limit of 128 nested include
files is enforced to prevent include file loops.
-.Sh "Other special characters and reserved words"
+.PP
+The filename may include the \f(CW%h\fR escape, signifying the short form
+of the hostname. I.e., if the machine's hostname is \*(L"xerxes\*(R", then
+.PP
+\&\f(CW\*(C`#include /etc/sudoers.%h\*(C'\fR
+.PP
+will cause \fBsudo\fR to include the file \fI/etc/sudoers.xerxes\fR.
+.PP
+The \f(CW\*(C`#includedir\*(C'\fR directive can be used to create a \fIsudo.d\fR
+directory that the system package manager can drop \fIsudoers\fR rules
+into as part of package installation. For example, given:
+.PP
+\&\f(CW\*(C`#includedir /etc/sudoers.d\*(C'\fR
+.PP
+\&\fBsudo\fR will read each file in \fI/etc/sudoers.d\fR, skipping file
+names that end in \f(CW\*(C`~\*(C'\fR or contain a \f(CW\*(C`.\*(C'\fR character to avoid causing
+problems with package manager or editor temporary/backup files.
+Files are parsed in sorted lexical order. That is,
+\&\fI/etc/sudoers.d/01_first\fR will be parsed before
+\&\fI/etc/sudoers.d/10_second\fR. Be aware that because the sorting is
+lexical, not numeric, \fI/etc/sudoers.d/1_whoops\fR would be loaded
+\&\fBafter\fR \fI/etc/sudoers.d/10_second\fR. Using a consistent number
+of leading zeroes in the file names can be used to avoid such
+problems.
+.PP
+Note that unlike files included via \f(CW\*(C`#include\*(C'\fR, \fBvisudo\fR will not
+edit the files in a \f(CW\*(C`#includedir\*(C'\fR directory unless one of them
+contains a syntax error. It is still possible to run \fBvisudo\fR
+with the \f(CW\*(C`\-f\*(C'\fR flag to edit the files directly.
+.SS "Other special characters and reserved words"
.IX Subsection "Other special characters and reserved words"
The pound sign ('#') is used to indicate a comment (unless it is
part of a #include directive or unless it occurs in the context of
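Review bot: the #includedir paragraph explains lexical sort order and the leading-zeroes advice at length but never says what parse order affects, so the advice has no stated motivation; one sentence on what happens when rules from two files apply to the same user and command would make it actionable. Also, "I.e., if the machine's hostname is xerxes" introduces an example and should read "E.g."; and the inline examples in this region are formatted three different ways (.Sp/.RS 4/.RE for #include /etc/sudoers.local, bare .PP for the %h and #includedir lines, .Vb/.Ve elsewhere in the file), so pick one.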
.IP "passprompt_override" 16
.IX Item "passprompt_override"
The password prompt specified by \fIpassprompt\fR will normally only
-be used if the passwod prompt provided by systems such as \s-1PAM\s0 matches
+be used if the password prompt provided by systems such as \s-1PAM\s0 matches
the string \*(L"Password:\*(R". If \fIpassprompt_override\fR is set, \fIpassprompt\fR
will always be used. This flag is \fIoff\fR by default.
.IP "preserve_groups" 16
.IX Item "preserve_groups"
-By default \fBsudo\fR will initialize the group vector to the list of
+By default, \fBsudo\fR will initialize the group vector to the list of
groups the target user is in. When \fIpreserve_groups\fR is set, the
user's existing group vector is left unaltered. The real and
effective group IDs, however, are still set to match the target
user. This flag is \fIoff\fR by default.
+.IP "pwfeedback" 16
+.IX Item "pwfeedback"
+By default, \fBsudo\fR reads the password like most other Unix programs,
+by turning off echo until the user hits the return (or enter) key.
+Some users become confused by this as it appears to them that \fBsudo\fR
+has hung at this point. When \fIpwfeedback\fR is set, \fBsudo\fR will
+provide visual feedback when the user presses a key. Note that
+this does have a security impact as an onlooker may be able to
+determine the length of the password being entered.
+This flag is \fIoff\fR by default.
.IP "requiretty" 16
.IX Item "requiretty"
If set, \fBsudo\fR will only run when the user is logged in to a real
shell is determined by the \f(CW\*(C`SHELL\*(C'\fR environment variable if it is
set, falling back on the shell listed in the invoking user's
/etc/passwd entry if not). This flag is \fIoff\fR by default.
+.IP "fast_glob" 16
+.IX Item "fast_glob"
+Normally, \fBsudo\fR uses the \fIglob\fR\|(3) function to do shell-style
+globbing when matching pathnames. However, since it accesses the
+file system, \fIglob\fR\|(3) can take a long time to complete for some
+patterns, especially when the pattern references a network file
+system that is mounted on demand (automounted). The \fIfast_glob\fR
+option causes \fBsudo\fR to use the \fIfnmatch\fR\|(3) function, which does
+not access the file system to do its matching. The disadvantage
+of \fIfast_glob\fR is that it is unable to match relative pathnames
+such as \fI./ls\fR or \fI../bin/ls\fR. This has security implications
+when path names that include globbing characters are used with the
+negation operator, \f(CW\*(Aq!\*(Aq\fR, as such rules can be trivially bypassed.
+As such, this option should not be used when \fIsudoers\fR contains rules
+that contain negated path names which include globbing characters.
+This flag is \fIoff\fR by default.
.IP "stay_setuid" 16
.IX Item "stay_setuid"
Normally, when \fBsudo\fR executes a command the real and effective
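Review bot: fast_glob is inserted between requiretty and stay_setuid, which breaks the alphabetical order the surrounding flag entries follow (passprompt_override, preserve_groups, pwfeedback, requiretty, ..., stay_setuid); move it to its sorted position. The bypass warning in the entry is the right thing to document; consider adding a pointer to the worked john/passwd example in the examples section so the two descriptions stay in sync when either is edited.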
the user running it. With this flag enabled, \fBsudo\fR will use a
file named for the tty the user is logged in on in that directory.
This flag is \fI@tty_tickets@\fR by default.
+.IP "umask_override" 16
+.IX Item "umask_override"
+If set, \fBsudo\fR will set the umask as specified by \fIsudoers\fR without
+modification. This makes it possible to specify a more permissive
+umask in \fIsudoers\fR than the user's own umask and matches historical
+behavior. If \fIumask_override\fR is not set, \fBsudo\fR will set the
+umask to be the union of the user's umask and what is specified in
+\&\fIsudoers\fR. This flag is \fIoff\fR by default.
@LCMAN@.IP "use_loginclass" 16
@LCMAN@.IX Item "use_loginclass"
@LCMAN@If set, \fBsudo\fR will apply the defaults specified for the target user's
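Review bot: "the union of the user's umask and what is specified in sudoers" is ambiguous for readers who think of a umask as a number rather than a bit set; say "bitwise OR" and spell out the consequence: without umask_override the resulting mask is never more permissive than the user's own, and with it set a sudoers umask can loosen it, which is the security reason the default is off.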
environment variable.
.IP "env_file" 12
.IX Item "env_file"
-The \fIenv_file\fR options specifies the fully qualified path to a file
-containing variables to be set in the environment of the program
-being run. Entries in this file should be of the form \f(CW\*(C`VARIABLE=value\*(C'\fR.
-Variables in this file are subject to other \fBsudo\fR environment
-settings such as \fIenv_keep\fR and \fIenv_check\fR.
+The \fIenv_file\fR options specifies the fully qualified path to a
+file containing variables to be set in the environment of the program
+being run. Entries in this file should either be of the form
+\&\f(CW\*(C`VARIABLE=value\*(C'\fR or \f(CW\*(C`export VARIABLE=value\*(C'\fR. The value may
+optionally be surrounded by single or double quotes. Variables in
+this file are subject to other \fBsudo\fR environment settings such
+as \fIenv_keep\fR and \fIenv_check\fR.
.IP "exempt_group" 12
.IX Item "exempt_group"
Users in this group are exempt from password and \s-1PATH\s0 requirements.
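Review bot: "The env_file options specifies" is a subject/verb mismatch carried over from the old text; since the paragraph is being rewritten anyway, make it "option specifies". The new sentence on quoting ("may optionally be surrounded by single or double quotes") should also say whether anything inside the quotes is interpreted (escapes, variable references) or taken literally, since that decides what a line such as FOO="$BAR" actually sets.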
want to use this. Another use is if you want to have the \*(L"root path\*(R"
be separate from the \*(L"user path.\*(R" Users in the group specified by the
\&\fIexempt_group\fR option are not affected by \fIsecure_path\fR.
-This is not set by default.
+This option is @secure_path@ by default.
.IP "syslog" 12
.IX Item "syslog"
Syslog facility if syslog is being used for logging (negate to
the \fI\-V\fR option.
.IP "env_delete" 16
.IX Item "env_delete"
-Environment variables to be removed from the user's environment.
-The argument may be a double-quoted, space-separated list or a
-single value without double-quotes. The list can be replaced, added
-to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and
-\&\f(CW\*(C`!\*(C'\fR operators respectively. The default list of environment
-variables to remove is displayed when \fBsudo\fR is run by root with the
-\&\fI\-V\fR option. Note that many operating systems will remove potentially
-dangerous variables from the environment of any setuid process (such
-as \fBsudo\fR).
+Environment variables to be removed from the user's environment
+when the \fIenv_reset\fR option is not in effect. The argument may
+be a double-quoted, space-separated list or a single value without
+double-quotes. The list can be replaced, added to, deleted from,
+or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators
+respectively. The default list of environment variables to remove
+is displayed when \fBsudo\fR is run by root with the \fI\-V\fR option.
+Note that many operating systems will remove potentially dangerous
+variables from the environment of any setuid process (such as
+\&\fBsudo\fR).
.IP "env_keep" 16
.IX Item "env_keep"
Environment variables to be preserved in the user's environment
\& # Runas alias specification
\& Runas_Alias OP = root, operator
\& Runas_Alias DB = oracle, sybase
+\& Runas_Alias ADMINGRP = adm, oper
\&
\& # Host alias specification
\& Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
.PP
.Vb 1
\& pete HPPA = /usr/bin/passwd [A\-Za\-z]*, !/usr/bin/passwd root
+\&
+\& %opers ALL = (: ADMINGRP) /usr/sbin/
.Ve
.PP
+Users in the \fBopers\fR group may run commands in \fI/usr/sbin/\fR as themselves
+with any group in the \fI\s-1ADMINGRP\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR (the \fBadm\fR and \fBoper\fR
+groups).
+.PP
The user \fBpete\fR is allowed to change anyone's password except for
root on the \fI\s-1HPPA\s0\fR machines. Note that this assumes \fIpasswd\fR\|(1)
does not take multiple usernames on the command line.
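Review bot: the verbatim block still opens with .Vb 1 but now holds three lines; Pod::Man uses that argument to keep the block together across a page break, so if this file was regenerated the POD source probably has the two entries as separate paragraphs, and if it was hand-edited the count should be 3. On the example itself, the description should state plainly that the trailing slash in /usr/sbin/ grants every command in that directory, since "may run commands in /usr/sbin/" is easy to read as a narrower grant.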
different name, or use a shell escape from an editor or other
program. Therefore, these kind of restrictions should be considered
advisory at best (and reinforced by policy).
+.PP
+Furthermore, if the \fIfast_glob\fR option is in use, it is not possible
+to reliably negate commands where the path name includes globbing
+(aka wildcard) characters. This is because the C library's
+\&\fIfnmatch\fR\|(3) function cannot resolve relative paths. While this
+is typically only an inconvenience for rules that grant privileges,
+it can result in a security issue for rules that subtract or revoke
+privileges.
+.PP
+For example, given the following \fIsudoers\fR entry:
+.PP
+.Vb 2
+\& john ALL = /usr/bin/passwd [a\-zA\-Z0\-9]*, /usr/bin/chsh [a\-zA\-Z0\-9]*,
+\& /usr/bin/chfn [a\-zA\-Z0\-9]*, !/usr/bin/* root
+.Ve
+.PP
+User \fBjohn\fR can still run \f(CW\*(C`/usr/bin/passwd root\*(C'\fR if \fIfast_glob\fR is
+enabled by changing to \fI/usr/bin\fR and running \f(CW\*(C`./passwd root\*(C'\fR instead.
.SH "PREVENTING SHELL ESCAPES"
.IX Header "PREVENTING SHELL ESCAPES"
Once \fBsudo\fR executes a program, that program is free to do whatever
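Review bot: the two-line john entry ends its first line with a comma and no backslash, while the Host_Alias entry earlier in the examples continues its line with :\e; either state in the text that a trailing comma continues a line or add the backslash so the example is safe to copy. The explanation of the ./passwd root bypass covers the same ground as the fast_glob option entry; keep the worked example here and have the option entry point to it (or vice versa) so a future edit does not leave the two out of step.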
\&\fBsudoedit\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), \fIsudo\fR\|(@mansectsu@), \fIvisudo\fR\|(8)
+\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), \fIglob\fR\|(3), \fIsudo\fR\|(@mansectsu@), \fIvisudo\fR\|(8)
.SH "CAVEATS"
.IX Header "CAVEATS"
The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR