+++ /dev/null
-Copyright (c) 1994-1996, 1998-2005, 2007-2010
- Todd C. Miller <Todd.Miller@courtesan.com>
-
-Permission to use, copy, modify, and distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-Sponsored in part by the Defense Advanced Research Projects
-Agency (DARPA) and Air Force Research Laboratory, Air Force
-Materiel Command, USAF, under agreement number F39502-99-1-0512.
-
-=pod
-
-=head1 NAME
-
-sudoers - list of which users may execute what
-
-=head1 DESCRIPTION
-
-The I<sudoers> file is composed of two types of entries: aliases
-(basically variables) and user specifications (which specify who
-may run what).
-
-When multiple entries match for a user, they are applied in order.
-Where there are multiple matches, the last match is used (which is
-not necessarily the most specific match).
-
-The I<sudoers> grammar will be described below in Extended Backus-Naur
-Form (EBNF). Don't despair if you don't know what EBNF is; it is
-fairly simple, and the definitions below are annotated.
-
-=head2 Quick guide to EBNF
-
-EBNF is a concise and exact way of describing the grammar of a language.
-Each EBNF definition is made up of I<production rules>. E.g.,
-
- symbol ::= definition | alternate1 | alternate2 ...
-
-Each I<production rule> references others and thus makes up a
-grammar for the language. EBNF also contains the following
-operators, which many readers will recognize from regular
-expressions. Do not, however, confuse them with "wildcard"
-characters, which have different meanings.
-
-=over 4
-
-=item C<?>
-
-Means that the preceding symbol (or group of symbols) is optional.
-That is, it may appear once or not at all.
-
-=item C<*>
-
-Means that the preceding symbol (or group of symbols) may appear
-zero or more times.
-
-=item C<+>
-
-Means that the preceding symbol (or group of symbols) may appear
-one or more times.
-
-=back
-
-Parentheses may be used to group symbols together. For clarity,
-we will use single quotes ('') to designate what is a verbatim character
-string (as opposed to a symbol name).
-
-=head2 Aliases
-
-There are four kinds of aliases: C<User_Alias>, C<Runas_Alias>,
-C<Host_Alias> and C<Cmnd_Alias>.
-
- Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
- 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
- 'Host_Alias' Host_Alias (':' Host_Alias)* |
- 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
-
- User_Alias ::= NAME '=' User_List
-
- Runas_Alias ::= NAME '=' Runas_List
-
- Host_Alias ::= NAME '=' Host_List
-
- Cmnd_Alias ::= NAME '=' Cmnd_List
-
- NAME ::= [A-Z]([A-Z][0-9]_)*
-
-Each I<alias> definition is of the form
-
- Alias_Type NAME = item1, item2, ...
-
-where I<Alias_Type> is one of C<User_Alias>, C<Runas_Alias>, C<Host_Alias>,
-or C<Cmnd_Alias>. A C<NAME> is a string of uppercase letters, numbers,
-and underscore characters ('_'). A C<NAME> B<must> start with an
-uppercase letter. It is possible to put several alias definitions
-of the same type on a single line, joined by a colon (':'). E.g.,
-
- Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
-
-The definitions of what constitutes a valid I<alias> member follow.
-
- User_List ::= User |
- User ',' User_List
-
- User ::= '!'* user name |
- '!'* '#'uid |
- '!'* '%'group |
- '!'* '+'netgroup |
- '!'* '%:'nonunix_group |
- '!'* User_Alias
-
-A C<User_List> is made up of one or more user names, uids (prefixed
-with '#'), system groups (prefixed with '%'), netgroups (prefixed
-with '+') and C<User_Alias>es. Each list item may be prefixed with
-zero or more '!' operators. An odd number of '!' operators negate
-the value of the item; an even number just cancel each other out.
-
-A C<user name>, C<group>, C<netgroup> or C<nonunix_group> may
-be enclosed in double quotes to avoid the need for escaping special
-characters. Alternately, special characters may be specified in
-escaped hex mode, e.g. \x20 for space.
-
-The C<nonunix_group> syntax depends on the underlying implementation.
-For instance, the QAS AD backend supports the following formats:
-
-=over 4
-
-=item *
-
-Group in the same domain: "Group Name"
-
-=item *
-
-Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"
-
-=item *
-
-Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"
-
-=back
-
-Note that quotes around group names are optional. Unquoted strings must
-use a backslash (\) to escape spaces and the '@' symbol.
-
- Runas_List ::= Runas_Member |
- Runas_Member ',' Runas_List
-
- Runas_Member ::= '!'* user name |
- '!'* '#'uid |
- '!'* '%'group |
- '!'* +netgroup |
- '!'* Runas_Alias
-
-A C<Runas_List> is similar to a C<User_List> except that instead
-of C<User_Alias>es it can contain C<Runas_Alias>es. Note that
-user names and groups are matched as strings. In other words, two
-users (groups) with the same uid (gid) are considered to be distinct.
-If you wish to match all user names with the same uid (e.g.E<nbsp>root
-and toor), you can use a uid instead (#0 in the example given).
-
- Host_List ::= Host |
- Host ',' Host_List
-
- Host ::= '!'* host name |
- '!'* ip_addr |
- '!'* network(/netmask)? |
- '!'* '+'netgroup |
- '!'* Host_Alias
-
-A C<Host_List> is made up of one or more host names, IP addresses,
-network numbers, netgroups (prefixed with '+') and other aliases.
-Again, the value of an item may be negated with the '!' operator.
-If you do not specify a netmask along with the network number,
-B<sudo> will query each of the local host's network interfaces and,
-if the network number corresponds to one of the hosts's network
-interfaces, the corresponding netmask will be used. The netmask
-may be specified either in standard IP address notation
-(e.g.E<nbsp>255.255.255.0 or ffff:ffff:ffff:ffff::),
-or CIDR notation (number of bits, e.g.E<nbsp>24 or 64). A host name may
-include shell-style wildcards (see the L<Wildcards> section below),
-but unless the C<host name> command on your machine returns the fully
-qualified host name, you'll need to use the I<fqdn> option for
-wildcards to be useful. Note B<sudo> only inspects actual network
-interfaces; this means that IP address 127.0.0.1 (localhost) will
-never match. Also, the host name "localhost" will only match if
-that is the actual host name, which is usually only the case for
-non-networked systems.
-
- Cmnd_List ::= Cmnd |
- Cmnd ',' Cmnd_List
-
- commandname ::= file name |
- file name args |
- file name '""'
-
- Cmnd ::= '!'* commandname |
- '!'* directory |
- '!'* "sudoedit" |
- '!'* Cmnd_Alias
-
-A C<Cmnd_List> is a list of one or more commandnames, directories, and other
-aliases. A commandname is a fully qualified file name which may include
-shell-style wildcards (see the L<Wildcards> section below). A simple
-file name allows the user to run the command with any arguments he/she
-wishes. However, you may also specify command line arguments (including
-wildcards). Alternately, you can specify C<""> to indicate that the command
-may only be run B<without> command line arguments. A directory is a
-fully qualified path name ending in a '/'. When you specify a directory
-in a C<Cmnd_List>, the user will be able to run any file within that directory
-(but not in any subdirectories therein).
-
-If a C<Cmnd> has associated command line arguments, then the arguments
-in the C<Cmnd> must match exactly those given by the user on the command line
-(or match the wildcards if there are any). Note that the following
-characters must be escaped with a '\' if they are used in command
-arguments: ',', ':', '=', '\'. The special command C<"sudoedit">
-is used to permit a user to run B<sudo> with the B<-e> option (or
-as B<sudoedit>). It may take command line arguments just as
-a normal command does.
-
-=head2 Defaults
-
-Certain configuration options may be changed from their default
-values at runtime via one or more C<Default_Entry> lines. These
-may affect all users on any host, all users on a specific host, a
-specific user, a specific command, or commands being run as a specific user.
-Note that per-command entries may not include command line arguments.
-If you need to specify arguments, define a C<Cmnd_Alias> and reference
-that instead.
-
- Default_Type ::= 'Defaults' |
- 'Defaults' '@' Host_List |
- 'Defaults' ':' User_List |
- 'Defaults' '!' Cmnd_List |
- 'Defaults' '>' Runas_List
-
- Default_Entry ::= Default_Type Parameter_List
-
- Parameter_List ::= Parameter |
- Parameter ',' Parameter_List
-
- Parameter ::= Parameter '=' Value |
- Parameter '+=' Value |
- Parameter '-=' Value |
- '!'* Parameter
-
-Parameters may be B<flags>, B<integer> values, B<strings>, or B<lists>.
-Flags are implicitly boolean and can be turned off via the '!'
-operator. Some integer, string and list parameters may also be
-used in a boolean context to disable them. Values may be enclosed
-in double quotes (C<">) when they contain multiple words. Special
-characters may be escaped with a backslash (C<\>).
-
-Lists have two additional assignment operators, C<+=> and C<-=>.
-These operators are used to add to and delete from a list respectively.
-It is not an error to use the C<-=> operator to remove an element
-that does not exist in a list.
-
-Defaults entries are parsed in the following order: generic, host
-and user Defaults first, then runas Defaults and finally command
-defaults.
-
-See L<"SUDOERS OPTIONS"> for a list of supported Defaults parameters.
-
-=head2 User Specification
-
- User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
- (':' Host_List '=' Cmnd_Spec_List)*
-
- Cmnd_Spec_List ::= Cmnd_Spec |
- Cmnd_Spec ',' Cmnd_Spec_List
-
- Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
-
- Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
-
- SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
-
- Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
- 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
- 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
-
-A B<user specification> determines which commands a user may run
-(and as what user) on specified hosts. By default, commands are
-run as B<root>, but this can be changed on a per-command basis.
-
-The basic structure of a user specification is `who = where (as_whom)
-what'. Let's break that down into its constituent parts:
-
-=head2 Runas_Spec
-
-A C<Runas_Spec> determines the user and/or the group that a command
-may be run as. A fully-specified C<Runas_Spec> consists of two
-C<Runas_List>s (as defined above) separated by a colon (':') and
-enclosed in a set of parentheses. The first C<Runas_List> indicates
-which users the command may be run as via B<sudo>'s B<-u> option.
-The second defines a list of groups that can be specified via
-B<sudo>'s B<-g> option. If both C<Runas_List>s are specified, the
-command may be run with any combination of users and groups listed
-in their respective C<Runas_List>s. If only the first is specified,
-the command may be run as any user in the list but no B<-g> option
-may be specified. If the first C<Runas_List> is empty but the
-second is specified, the command may be run as the invoking user
-with the group set to any listed in the C<Runas_List>. If no
-C<Runas_Spec> is specified the command may be run as B<root> and
-no group may be specified.
-
-A C<Runas_Spec> sets the default for the commands that follow it.
-What this means is that for the entry:
-
- dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
-
-The user B<dgb> may run F</bin/ls>, F</bin/kill>, and
-F</usr/bin/lprm> -- but only as B<operator>. E.g.,
-
- $ sudo -u operator /bin/ls.
-
-It is also possible to override a C<Runas_Spec> later on in an
-entry. If we modify the entry like so:
-
- dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
-
-Then user B<dgb> is now allowed to run F</bin/ls> as B<operator>,
-but F</bin/kill> and F</usr/bin/lprm> as B<root>.
-
-We can extend this to allow B<dgb> to run C</bin/ls> with either
-the user or group set to B<operator>:
-
- dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \
- /usr/bin/lprm
-
-In the following example, user B<tcm> may run commands that access
-a modem device file with the dialer group. Note that in this example
-only the group will be set, the command still runs as user B<tcm>.
-
- tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
- /usr/local/bin/minicom
-
-=head2 SELinux_Spec
-
-On systems with SELinux support, I<sudoers> entries may optionally have
-an SELinux role and/or type associated with a command. If a role or
-type is specified with the command it will override any default values
-specified in I<sudoers>. A role or type specified on the command line,
-however, will supercede the values in I<sudoers>.
-
-=head2 Tag_Spec
-
-A command may have zero or more tags associated with it. There are
-eight possible tag values, C<NOPASSWD>, C<PASSWD>, C<NOEXEC>,
-C<EXEC>, C<SETENV>, C<NOSETENV>, C<LOG_INPUT>, C<NOLOG_INPUT>,
-C<LOG_OUTPUT> and C<NOLOG_OUTPUT>. Once a tag is set on a C<Cmnd>,
-subsequent C<Cmnd>s in the C<Cmnd_Spec_List>, inherit the tag unless
-it is overridden by the opposite tag (i.e.: C<PASSWD> overrides
-C<NOPASSWD> and C<NOEXEC> overrides C<EXEC>).
-
-=head3 NOPASSWD and PASSWD
-
-By default, B<sudo> requires that a user authenticate him or herself
-before running a command. This behavior can be modified via the
-C<NOPASSWD> tag. Like a C<Runas_Spec>, the C<NOPASSWD> tag sets
-a default for the commands that follow it in the C<Cmnd_Spec_List>.
-Conversely, the C<PASSWD> tag can be used to reverse things.
-For example:
-
- ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
-
-would allow the user B<ray> to run F</bin/kill>, F</bin/ls>, and
-F</usr/bin/lprm> as B<root> on the machine rushmore without
-authenticating himself. If we only want B<ray> to be able to
-run F</bin/kill> without a password the entry would be:
-
- ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
-
-Note, however, that the C<PASSWD> tag has no effect on users who are
-in the group specified by the I<exempt_group> option.
-
-By default, if the C<NOPASSWD> tag is applied to any of the entries
-for a user on the current host, he or she will be able to run
-C<sudo -l> without a password. Additionally, a user may only run
-C<sudo -v> without a password if the C<NOPASSWD> tag is present
-for all a user's entries that pertain to the current host.
-This behavior may be overridden via the verifypw and listpw options.
-
-=head3 NOEXEC and EXEC
-
-If B<sudo> has been compiled with I<noexec> support and the underlying
-operating system supports it, the C<NOEXEC> tag can be used to prevent
-a dynamically-linked executable from running further commands itself.
-
-In the following example, user B<aaron> may run F</usr/bin/more>
-and F</usr/bin/vi> but shell escapes will be disabled.
-
- aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
-
-See the L<PREVENTING SHELL ESCAPES> section below for more details
-on how C<NOEXEC> works and whether or not it will work on your system.
-
-=head3 SETENV and NOSETENV
-
-These tags override the value of the I<setenv> option on a per-command
-basis. Note that if C<SETENV> has been set for a command, any
-environment variables set on the command line way are not subject
-to the restrictions imposed by I<env_check>, I<env_delete>, or
-I<env_keep>. As such, only trusted users should be allowed to set
-variables in this manner. If the command matched is B<ALL>, the
-C<SETENV> tag is implied for that command; this default may
-be overridden by use of the C<NOSETENV> tag.
-
-=head3 LOG_INPUT and NOLOG_INPUT
-
-These tags override the value of the I<log_input> option on a
-per-command basis. For more information, see the description of
-I<log_input> in the L<"SUDOERS OPTIONS"> section below.
-
-=head3 LOG_OUTPUT and NOLOG_OUTPUT
-
-These tags override the value of the I<log_output> option on a
-per-command basis. For more information, see the description of
-I<log_output> in the L<"SUDOERS OPTIONS"> section below.
-
-=head2 Wildcards
-
-B<sudo> allows shell-style I<wildcards> (aka meta or glob characters)
-to be used in host names, path names and command line arguments in
-the I<sudoers> file. Wildcard matching is done via the B<POSIX>
-L<glob(3)> and L<fnmatch(3)> routines. Note that these are I<not>
-regular expressions.
-
-=over 8
-
-=item C<*>
-
-Matches any set of zero or more characters.
-
-=item C<?>
-
-Matches any single character.
-
-=item C<[...]>
-
-Matches any character in the specified range.
-
-=item C<[!...]>
-
-Matches any character B<not> in the specified range.
-
-=item C<\x>
-
-For any character "x", evaluates to "x". This is used to
-escape special characters such as: "*", "?", "[", and "}".
-
-=back
-
-POSIX character classes may also be used if your system's L<glob(3)>
-and L<fnmatch(3)> functions support them. However, because the
-C<':'> character has special meaning in I<sudoers>, it must be
-escaped. For example:
-
- /bin/ls [[\:alpha\:]]*
-
-Would match any file name beginning with a letter.
-
-Note that a forward slash ('/') will B<not> be matched by
-wildcards used in the path name. When matching the command
-line arguments, however, a slash B<does> get matched by
-wildcards. This is to make a path like:
-
- /usr/bin/*
-
-match F</usr/bin/who> but not F</usr/bin/X11/xterm>.
-
-=head2 Exceptions to wildcard rules
-
-The following exceptions apply to the above rules:
-
-=over 8
-
-=item C<"">
-
-If the empty string C<""> is the only command line argument in the
-I<sudoers> entry it means that command is not allowed to be run
-with B<any> arguments.
-
-=back
-
-=head2 Including other files from within sudoers
-
-It is possible to include other I<sudoers> files from within the
-I<sudoers> file currently being parsed using the C<#include> and
-C<#includedir> directives.
-
-This can be used, for example, to keep a site-wide I<sudoers> file
-in addition to a local, per-machine file. For the sake of this
-example the site-wide I<sudoers> will be F</etc/sudoers> and the
-per-machine one will be F</etc/sudoers.local>. To include
-F</etc/sudoers.local> from within F</etc/sudoers> we would use the
-following line in F</etc/sudoers>:
-
-=over 4
-
-C<#include /etc/sudoers.local>
-
-=back
-
-When B<sudo> reaches this line it will suspend processing of the
-current file (F</etc/sudoers>) and switch to F</etc/sudoers.local>.
-Upon reaching the end of F</etc/sudoers.local>, the rest of
-F</etc/sudoers> will be processed. Files that are included may
-themselves include other files. A hard limit of 128 nested include
-files is enforced to prevent include file loops.
-
-The file name may include the C<%h> escape, signifying the short form
-of the host name. I.e., if the machine's host name is "xerxes", then
-
-C<#include /etc/sudoers.%h>
-
-will cause B<sudo> to include the file F</etc/sudoers.xerxes>.
-
-The C<#includedir> directive can be used to create a F<sudo.d>
-directory that the system package manager can drop I<sudoers> rules
-into as part of package installation. For example, given:
-
-C<#includedir /etc/sudoers.d>
-
-B<sudo> will read each file in F</etc/sudoers.d>, skipping file
-names that end in C<~> or contain a C<.> character to avoid causing
-problems with package manager or editor temporary/backup files.
-Files are parsed in sorted lexical order. That is,
-F</etc/sudoers.d/01_first> will be parsed before
-F</etc/sudoers.d/10_second>. Be aware that because the sorting is
-lexical, not numeric, F</etc/sudoers.d/1_whoops> would be loaded
-B<after> F</etc/sudoers.d/10_second>. Using a consistent number
-of leading zeroes in the file names can be used to avoid such
-problems.
-
-Note that unlike files included via C<#include>, B<visudo> will not
-edit the files in a C<#includedir> directory unless one of them
-contains a syntax error. It is still possible to run B<visudo>
-with the C<-f> flag to edit the files directly.
-
-=head2 Other special characters and reserved words
-
-The pound sign ('#') is used to indicate a comment (unless it is
-part of a #include directive or unless it occurs in the context of
-a user name and is followed by one or more digits, in which case
-it is treated as a uid). Both the comment character and any text
-after it, up to the end of the line, are ignored.
-
-The reserved word B<ALL> is a built-in I<alias> that always causes
-a match to succeed. It can be used wherever one might otherwise
-use a C<Cmnd_Alias>, C<User_Alias>, C<Runas_Alias>, or C<Host_Alias>.
-You should not try to define your own I<alias> called B<ALL> as the
-built-in alias will be used in preference to your own. Please note
-that using B<ALL> can be dangerous since in a command context, it
-allows the user to run B<any> command on the system.
-
-An exclamation point ('!') can be used as a logical I<not> operator
-both in an I<alias> and in front of a C<Cmnd>. This allows one to
-exclude certain values. Note, however, that using a C<!> in
-conjunction with the built-in C<ALL> alias to allow a user to
-run "all but a few" commands rarely works as intended (see SECURITY
-NOTES below).
-
-Long lines can be continued with a backslash ('\') as the last
-character on the line.
-
-Whitespace between elements in a list as well as special syntactic
-characters in a I<User Specification> ('=', ':', '(', ')') is optional.
-
-The following characters must be escaped with a backslash ('\') when
-used as part of a word (e.g.E<nbsp>a user name or host name):
-'@', '!', '=', ':', ',', '(', ')', '\'.
-
-=head1 SUDOERS OPTIONS
-
-B<sudo>'s behavior can be modified by C<Default_Entry> lines, as
-explained earlier. A list of all supported Defaults parameters,
-grouped by type, are listed below.
-
-B<Boolean Flags>:
-
-=over 16
-
-=item always_set_home
-
-If enabled, B<sudo> will set the C<HOME> environment variable to the
-home directory of the target user (which is root unless the B<-u>
-option is used). This effectively means that the B<-H> option is
-always implied. Note that C<HOME> is already set when the the
-I<env_reset> option is enabled, so I<always_set_home> is only
-effective for configurations where I<env_reset> is disabled.
-This flag is I<off> by default.
-
-=item authenticate
-
-If set, users must authenticate themselves via a password (or other
-means of authentication) before they may run commands. This default
-may be overridden via the C<PASSWD> and C<NOPASSWD> tags.
-This flag is I<on> by default.
-
-=item closefrom_override
-
-If set, the user may use B<sudo>'s B<-C> option which
-overrides the default starting point at which B<sudo> begins
-closing open file descriptors. This flag is I<off> by default.
-
-=item compress_io
-
-If set, and B<sudo> is configured to log a command's input or output,
-the I/O logs will be compressed using B<zlib>. This flag is I<on>
-by default when B<sudo> is compiled with B<zlib> support.
-
-=item env_editor
-
-If set, B<visudo> will use the value of the EDITOR or VISUAL
-environment variables before falling back on the default editor list.
-Note that this may create a security hole as it allows the user to
-run any arbitrary command as root without logging. A safer alternative
-is to place a colon-separated list of editors in the C<editor>
-variable. B<visudo> will then only use the EDITOR or VISUAL if
-they match a value specified in C<editor>. This flag is I<@env_editor@> by
-default.
-
-=item env_reset
-
-If set, B<sudo> will reset the environment to only contain the
-LOGNAME, MAIL, SHELL, USER, USERNAME and the C<SUDO_*> variables. Any
-variables in the caller's environment that match the C<env_keep>
-and C<env_check> lists are then added. The default contents of the
-C<env_keep> and C<env_check> lists are displayed when B<sudo> is
-run by root with the I<-V> option. If the I<secure_path> option
-is set, its value will be used for the C<PATH> environment variable.
-This flag is I<on> by default.
-
-=item fast_glob
-
-Normally, B<sudo> uses the L<glob(3)> function to do shell-style
-globbing when matching path names. However, since it accesses the
-file system, L<glob(3)> can take a long time to complete for some
-patterns, especially when the pattern references a network file
-system that is mounted on demand (automounted). The I<fast_glob>
-option causes B<sudo> to use the L<fnmatch(3)> function, which does
-not access the file system to do its matching. The disadvantage
-of I<fast_glob> is that it is unable to match relative path names
-such as F<./ls> or F<../bin/ls>. This has security implications
-when path names that include globbing characters are used with the
-negation operator, C<'!'>, as such rules can be trivially bypassed.
-As such, this option should not be used when I<sudoers> contains rules
-that contain negated path names which include globbing characters.
-This flag is I<off> by default.
-
-=item fqdn
-
-Set this flag if you want to put fully qualified host names in the
-I<sudoers> file. I.e., instead of myhost you would use myhost.mydomain.edu.
-You may still use the short form if you wish (and even mix the two).
-Beware that turning on I<fqdn> requires B<sudo> to make DNS lookups
-which may make B<sudo> unusable if DNS stops working (for example
-if the machine is not plugged into the network). Also note that
-you must use the host's official name as DNS knows it. That is,
-you may not use a host alias (C<CNAME> entry) due to performance
-issues and the fact that there is no way to get all aliases from
-DNS. If your machine's host name (as returned by the C<hostname>
-command) is already fully qualified you shouldn't need to set
-I<fqdn>. This flag is I<@fqdn@> by default.
-
-=item ignore_dot
-
-If set, B<sudo> will ignore '.' or '' (current dir) in the C<PATH>
-environment variable; the C<PATH> itself is not modified. This
-flag is I<@ignore_dot@> by default.
-
-=item ignore_local_sudoers
-
-If set via LDAP, parsing of F<@sysconfdir@/sudoers> will be skipped.
-This is intended for Enterprises that wish to prevent the usage of local
-sudoers files so that only LDAP is used. This thwarts the efforts of
-rogue operators who would attempt to add roles to F<@sysconfdir@/sudoers>.
-When this option is present, F<@sysconfdir@/sudoers> does not even need to
-exist. Since this option tells B<sudo> how to behave when no specific LDAP
-entries have been matched, this sudoOption is only meaningful for the
-C<cn=defaults> section. This flag is I<off> by default.
-
-=item insults
-
-If set, B<sudo> will insult users when they enter an incorrect
-password. This flag is I<@insults@> by default.
-
-=item log_host
-
-If set, the host name will be logged in the (non-syslog) B<sudo> log file.
-This flag is I<off> by default.
-
-=item log_year
-
-If set, the four-digit year will be logged in the (non-syslog) B<sudo> log file.
-This flag is I<off> by default.
-
-=item long_otp_prompt
-
-When validating with a One Time Password (OPT) scheme such as
-B<S/Key> or B<OPIE>, a two-line prompt is used to make it easier
-to cut and paste the challenge to a local window. It's not as
-pretty as the default but some people find it more convenient. This
-flag is I<@long_otp_prompt@> by default.
-
-=item mail_always
-
-Send mail to the I<mailto> user every time a users runs B<sudo>.
-This flag is I<off> by default.
-
-=item mail_badpass
-
-Send mail to the I<mailto> user if the user running B<sudo> does not
-enter the correct password. This flag is I<off> by default.
-
-=item mail_no_host
-
-If set, mail will be sent to the I<mailto> user if the invoking
-user exists in the I<sudoers> file, but is not allowed to run
-commands on the current host. This flag is I<@mail_no_host@> by default.
-
-=item mail_no_perms
-
-If set, mail will be sent to the I<mailto> user if the invoking
-user is allowed to use B<sudo> but the command they are trying is not
-listed in their I<sudoers> file entry or is explicitly denied.
-This flag is I<@mail_no_perms@> by default.
-
-=item mail_no_user
-
-If set, mail will be sent to the I<mailto> user if the invoking
-user is not in the I<sudoers> file. This flag is I<@mail_no_user@>
-by default.
-
-=item noexec
-
-If set, all commands run via B<sudo> will behave as if the C<NOEXEC>
-tag has been set, unless overridden by a C<EXEC> tag. See the
-description of I<NOEXEC and EXEC> below as well as the L<PREVENTING SHELL
-ESCAPES> section at the end of this manual. This flag is I<off> by default.
-
-=item path_info
-
-Normally, B<sudo> will tell the user when a command could not be
-found in their C<PATH> environment variable. Some sites may wish
-to disable this as it could be used to gather information on the
-location of executables that the normal user does not have access
-to. The disadvantage is that if the executable is simply not in
-the user's C<PATH>, B<sudo> will tell the user that they are not
-allowed to run it, which can be confusing. This flag is I<@path_info@>
-by default.
-
-=item passprompt_override
-
-The password prompt specified by I<passprompt> will normally only
-be used if the password prompt provided by systems such as PAM matches
-the string "Password:". If I<passprompt_override> is set, I<passprompt>
-will always be used. This flag is I<off> by default.
-
-=item preserve_groups
-
-By default, B<sudo> will initialize the group vector to the list of
-groups the target user is in. When I<preserve_groups> is set, the
-user's existing group vector is left unaltered. The real and
-effective group IDs, however, are still set to match the target
-user. This flag is I<off> by default.
-
-=item pwfeedback
-
-By default, B<sudo> reads the password like most other Unix programs,
-by turning off echo until the user hits the return (or enter) key.
-Some users become confused by this as it appears to them that B<sudo>
-has hung at this point. When I<pwfeedback> is set, B<sudo> will
-provide visual feedback when the user presses a key. Note that
-this does have a security impact as an onlooker may be able to
-determine the length of the password being entered.
-This flag is I<off> by default.
-
-=item requiretty
-
-If set, B<sudo> will only run when the user is logged in to a real
-tty. When this flag is set, B<sudo> can only be run from a login
-session and not via other means such as L<cron(8)> or cgi-bin scripts.
-This flag is I<off> by default.
-
-=item root_sudo
-
-If set, root is allowed to run B<sudo> too. Disabling this prevents users
-from "chaining" B<sudo> commands to get a root shell by doing something
-like C<"sudo sudo /bin/sh">. Note, however, that turning off I<root_sudo>
-will also prevent root from running B<sudoedit>.
-Disabling I<root_sudo> provides no real additional security; it
-exists purely for historical reasons.
-This flag is I<@root_sudo@> by default.
-
-=item rootpw
-
-If set, B<sudo> will prompt for the root password instead of the password
-of the invoking user. This flag is I<off> by default.
-
-=item runaspw
-
-If set, B<sudo> will prompt for the password of the user defined by the
-I<runas_default> option (defaults to C<@runas_default@>) instead of the
-password of the invoking user. This flag is I<off> by default.
-
-=item set_home
-
-If enabled and B<sudo> is invoked with the B<-s> option the C<HOME>
-environment variable will be set to the home directory of the target
-user (which is root unless the B<-u> option is used). This effectively
-makes the B<-s> option imply B<-H>. Note that C<HOME> is already
-set when the the I<env_reset> option is enabled, so I<set_home> is
-only effective for configurations where I<env_reset> is disabled.
-This flag is I<off> by default.
-
-=item set_logname
-
-Normally, B<sudo> will set the C<LOGNAME>, C<USER> and C<USERNAME>
-environment variables to the name of the target user (usually root
-unless the B<-u> option is given). However, since some programs
-(including the RCS revision control system) use C<LOGNAME> to
-determine the real identity of the user, it may be desirable to
-change this behavior. This can be done by negating the set_logname
-option. Note that if the I<env_reset> option has not been disabled,
-entries in the I<env_keep> list will override the value of
-I<set_logname>. This flag is I<on> by default.
-
-=item setenv
-
-Allow the user to disable the I<env_reset> option from the command
-line. Additionally, environment variables set via the command line
-are not subject to the restrictions imposed by I<env_check>,
-I<env_delete>, or I<env_keep>. As such, only trusted users should
-be allowed to set variables in this manner. This flag is I<off>
-by default.
-
-=item shell_noargs
-
-If set and B<sudo> is invoked with no arguments it acts as if the
-B<-s> option had been given. That is, it runs a shell as root (the
-shell is determined by the C<SHELL> environment variable if it is
-set, falling back on the shell listed in the invoking user's
-/etc/passwd entry if not). This flag is I<off> by default.
-
-=item stay_setuid
-
-Normally, when B<sudo> executes a command the real and effective
-UIDs are set to the target user (root by default). This option
-changes that behavior such that the real UID is left as the invoking
-user's UID. In other words, this makes B<sudo> act as a setuid
-wrapper. This can be useful on systems that disable some potentially
-dangerous functionality when a program is run setuid. This option
-is only effective on systems with either the setreuid() or setresuid()
-function. This flag is I<off> by default.
-
-=item targetpw
-
-If set, B<sudo> will prompt for the password of the user specified
-by the B<-u> option (defaults to C<root>) instead of the password
-of the invoking user. In addition, the timestamp file name will
-include the target user's name. Note that this flag precludes the
-use of a uid not listed in the passwd database as an argument to
-the B<-u> option. This flag is I<off> by default.
-
-=item log_input
-
-If set, B<sudo> will run the command in a I<pseudo tty> and log all
-user input.
-If the standard input is not connected to the user's tty, due to
-I/O redirection or because the command is part of a pipeline, that
-input is also captured and stored in a separate log file.
-
-Input is logged to the F</var/log/sudo-io> directory using a unique
-session ID that is included in the normal B<sudo> log line, prefixed
-with I<TSID=>.
-
-=item log_output
-
-If set, B<sudo> will run the command in a I<pseudo tty> and log all
-output that is sent to the screen, similar to the script(1) command.
-If the standard output or standard error is not connected to the
-user's tty, due to I/O redirection or because the command is part
-of a pipeline, that output is also captured and stored in separate
-log files.
-
-Output is logged to the
-F</var/log/sudo-io> directory using a unique session ID that is
-included in the normal B<sudo> log line, prefixed with I<TSID=>.
-
-Output logs may be viewed with the L<sudoreplay(8)> utility, which
-can also be used to list or search the available logs.
-
-=item tty_tickets
-
-If set, users must authenticate on a per-tty basis. With this flag
-enabled, B<sudo> will use a file named for the tty the user is
-logged in on in the user's time stamp directory. If disabled, the
-time stamp of the directory is used instead. This flag is
-I<@tty_tickets@> by default.
-
-=item umask_override
-
-If set, B<sudo> will set the umask as specified by I<sudoers> without
-modification. This makes it possible to specify a more permissive
-umask in I<sudoers> than the user's own umask and matches historical
-behavior. If I<umask_override> is not set, B<sudo> will set the
-umask to be the union of the user's umask and what is specified in
-I<sudoers>. This flag is I<off> by default.
-
-=item use_loginclass
-
-If set, B<sudo> will apply the defaults specified for the target user's
-login class if one exists. Only available if B<sudo> is configured with
-the --with-logincap option. This flag is I<off> by default.
-
-=item use_pty
-
-If set, B<sudo> will run the command in a pseudo-pty even if no I/O
-logging is being gone. A malicious program run under B<sudo> could
-conceivably fork a background process that retains to the user's
-terminal device after the main program has finished executing. Use
-of this option will make that impossible.
-
-=item visiblepw
-
-By default, B<sudo> will refuse to run if the user must enter a
-password but it is not possible to disable echo on the terminal.
-If the I<visiblepw> flag is set, B<sudo> will prompt for a password
-even when it would be visible on the screen. This makes it possible
-to run things like C<"rsh somehost sudo ls"> since L<rsh(1)> does
-not allocate a tty. This flag is I<off> by default.
-
-=back
-
-B<Integers>:
-
-=over 16
-
-=item closefrom
-
-Before it executes a command, B<sudo> will close all open file
-descriptors other than standard input, standard output and standard
-error (ie: file descriptors 0-2). The I<closefrom> option can be used
-to specify a different file descriptor at which to start closing.
-The default is C<3>.
-
-=item passwd_tries
-
-The number of tries a user gets to enter his/her password before
-B<sudo> logs the failure and exits. The default is C<@passwd_tries@>.
-
-=back
-
-B<Integers that can be used in a boolean context>:
-
-=over 16
-
-=item loglinelen
-
-Number of characters per line for the file log. This value is used
-to decide when to wrap lines for nicer log files. This has no
-effect on the syslog log file, only the file log. The default is
-C<@loglen@> (use 0 or negate the option to disable word wrap).
-
-=item passwd_timeout
-
-Number of minutes before the B<sudo> password prompt times out, or
-C<0> for no timeout. The timeout may include a fractional component
-if minute granularity is insufficient, for example C<2.5>. The
-default is C<@password_timeout@>.
-
-=item timestamp_timeout
-
-Number of minutes that can elapse before B<sudo> will ask for a
-passwd again. The timeout may include a fractional component if
-minute granularity is insufficient, for example C<2.5>. The default
-is C<@timeout@>. Set this to C<0> to always prompt for a password.
-If set to a value less than C<0> the user's timestamp will never
-expire. This can be used to allow users to create or delete their
-own timestamps via C<sudo -v> and C<sudo -k> respectively.
-
-=item umask
-
-Umask to use when running the command. Negate this option or set
-it to 0777 to preserve the user's umask. The actual umask that is
-used will be the union of the user's umask and C<@sudo_umask@>.
-This guarantees that B<sudo> never lowers the umask when running a
-command. Note on systems that use PAM, the default PAM configuration
-may specify its own umask which will override the value set in
-I<sudoers>.
-
-=back
-
-B<Strings>:
-
-=over 16
-
-=item badpass_message
-
-Message that is displayed if a user enters an incorrect password.
-The default is C<@badpass_message@> unless insults are enabled.
-
-=item editor
-
-A colon (':') separated list of editors allowed to be used with
-B<visudo>. B<visudo> will choose the editor that matches the user's
-EDITOR environment variable if possible, or the first editor in the
-list that exists and is executable. The default is C<"@editor@">.
-
-=item mailsub
-
-Subject of the mail sent to the I<mailto> user. The escape C<%h>
-will expand to the host name of the machine.
-Default is C<@mailsub@>.
-
-=item noexec_file
-
-Path to a shared library containing dummy versions of the execv(),
-execve() and fexecve() library functions that just return an error.
-This is used to implement the I<noexec> functionality on systems that
-support C<LD_PRELOAD> or its equivalent. Defaults to F<@noexec_file@>.
-
-=item passprompt
-
-The default prompt to use when asking for a password; can be overridden
-via the B<-p> option or the C<SUDO_PROMPT> environment variable.
-The following percent (`C<%>') escapes are supported:
-
-=over 4
-
-=item C<%H>
-
-expanded to the local host name including the domain name
-(on if the machine's host name is fully qualified or the I<fqdn>
-option is set)
-
-=item C<%h>
-
-expanded to the local host name without the domain name
-
-=item C<%p>
-
-expanded to the user whose password is being asked for (respects the
-I<rootpw>, I<targetpw> and I<runaspw> flags in I<sudoers>)
-
-=item C<%U>
-
-expanded to the login name of the user the command will
-be run as (defaults to root)
-
-=item C<%u>
-
-expanded to the invoking user's login name
-
-=item C<%%>
-
-two consecutive C<%> characters are collapsed into a single C<%> character
-
-=back
-
-The default value is C<@passprompt@>.
-
-=item role
-
-The default SELinux role to use when constructing a new security
-context to run the command. The default role may be overridden on
-a per-command basis in I<sudoers> or via command line options.
-This option is only available whe B<sudo> is built with SELinux support.
-
-=item runas_default
-
-The default user to run commands as if the B<-u> option is not specified
-on the command line. This defaults to C<@runas_default@>.
-Note that if I<runas_default> is set it B<must> occur before
-any C<Runas_Alias> specifications.
-
-=item syslog_badpri
-
-Syslog priority to use when user authenticates unsuccessfully.
-Defaults to C<@badpri@>.
-
-=item syslog_goodpri
-
-Syslog priority to use when user authenticates successfully.
-Defaults to C<@goodpri@>.
-
-=item sudoers_locale
-
-Locale to use when parsing the sudoers file. Note that changing
-the locale may affect how sudoers is interpreted.
-Defaults to C<"C">.
-
-=item timestampdir
-
-The directory in which B<sudo> stores its timestamp files.
-The default is F<@timedir@>.
-
-=item timestampowner
-
-The owner of the timestamp directory and the timestamps stored therein.
-The default is C<root>.
-
-=item type
-
-The default SELinux type to use when constructing a new security
-context to run the command. The default type may be overridden on
-a per-command basis in I<sudoers> or via command line options.
-This option is only available whe B<sudo> is built with SELinux support.
-
-=back
-
-B<Strings that can be used in a boolean context>:
-
-=over 12
-
-=item askpass
-
-The I<askpass> option specifies the fully qualified path to a helper
-program used to read the user's password when no terminal is
-available. This may be the case when B<sudo> is executed from a
-graphical (as opposed to text-based) application. The program
-specified by I<askpass> should display the argument passed to it
-as the prompt and write the user's password to the standard output.
-The value of I<askpass> may be overridden by the C<SUDO_ASKPASS>
-environment variable.
-
-=item env_file
-
-The I<env_file> options specifies the fully qualified path to a
-file containing variables to be set in the environment of the program
-being run. Entries in this file should either be of the form
-C<VARIABLE=value> or C<export VARIABLE=value>. The value may
-optionally be surrounded by single or double quotes. Variables in
-this file are subject to other B<sudo> environment settings such
-as I<env_keep> and I<env_check>.
-
-=item exempt_group
-
-Users in this group are exempt from password and PATH requirements.
-This is not set by default.
-
-=item lecture
-
-This option controls when a short lecture will be printed along with
-the password prompt. It has the following possible values:
-
-=over 8
-
-=item always
-
-Always lecture the user.
-
-=item never
-
-Never lecture the user.
-
-=item once
-
-Only lecture the user the first time they run B<sudo>.
-
-=back
-
-If no value is specified, a value of I<once> is implied.
-Negating the option results in a value of I<never> being used.
-The default value is I<@lecture@>.
-
-=item lecture_file
-
-Path to a file containing an alternate B<sudo> lecture that will
-be used in place of the standard lecture if the named file exists.
-By default, B<sudo> uses a built-in lecture.
-
-=item listpw
-
-This option controls when a password will be required when a
-user runs B<sudo> with the B<-l> option. It has the following possible values:
-
-=over 8
-
-=item all
-
-All the user's I<sudoers> entries for the current host must have
-the C<NOPASSWD> flag set to avoid entering a password.
-
-=item always
-
-The user must always enter a password to use the B<-l> option.
-
-=item any
-
-At least one of the user's I<sudoers> entries for the current host
-must have the C<NOPASSWD> flag set to avoid entering a password.
-
-=item never
-
-The user need never enter a password to use the B<-l> option.
-
-=back
-
-If no value is specified, a value of I<any> is implied.
-Negating the option results in a value of I<never> being used.
-The default value is I<any>.
-
-=item logfile
-
-Path to the B<sudo> log file (not the syslog log file). Setting a path
-turns on logging to a file; negating this option turns it off.
-By default, B<sudo> logs via syslog.
-
-=item mailerflags
-
-Flags to use when invoking mailer. Defaults to B<-t>.
-
-=item mailerpath
-
-Path to mail program used to send warning mail.
-Defaults to the path to sendmail found at configure time.
-
-=item mailfrom
-
-Address to use for the "from" address when sending warning and error
-mail. The address should be enclosed in double quotes (C<">) to
-protect against B<sudo> interpreting the C<@> sign. Defaults to
-the name of the user running B<sudo>.
-
-=item mailto
-
-Address to send warning and error mail to. The address should
-be enclosed in double quotes (C<">) to protect against B<sudo>
-interpreting the C<@> sign. Defaults to C<@mailto@>.
-
-=item secure_path
-
-Path used for every command run from B<sudo>. If you don't trust the
-people running B<sudo> to have a sane C<PATH> environment variable you may
-want to use this. Another use is if you want to have the "root path"
-be separate from the "user path." Users in the group specified by the
-I<exempt_group> option are not affected by I<secure_path>.
-This option is @secure_path@ by default.
-
-=item syslog
-
-Syslog facility if syslog is being used for logging (negate to
-disable syslog logging). Defaults to C<@logfac@>.
-
-=item verifypw
-
-This option controls when a password will be required when a user runs
-B<sudo> with the B<-v> option. It has the following possible values:
-
-=over 8
-
-=item all
-
-All the user's I<sudoers> entries for the current host must have
-the C<NOPASSWD> flag set to avoid entering a password.
-
-=item always
-
-The user must always enter a password to use the B<-v> option.
-
-=item any
-
-At least one of the user's I<sudoers> entries for the current host
-must have the C<NOPASSWD> flag set to avoid entering a password.
-
-=item never
-
-The user need never enter a password to use the B<-v> option.
-
-=back
-
-If no value is specified, a value of I<all> is implied.
-Negating the option results in a value of I<never> being used.
-The default value is I<all>.
-
-=back
-
-B<Lists that can be used in a boolean context>:
-
-=over 16
-
-=item env_check
-
-Environment variables to be removed from the user's environment if
-the variable's value contains C<%> or C</> characters. This can
-be used to guard against printf-style format vulnerabilities in
-poorly-written programs. The argument may be a double-quoted,
-space-separated list or a single value without double-quotes. The
-list can be replaced, added to, deleted from, or disabled by using
-the C<=>, C<+=>, C<-=>, and C<!> operators respectively. Regardless
-of whether the C<env_reset> option is enabled or disabled, variables
-specified by C<env_check> will be preserved in the environment if
-they pass the aforementioned check. The default list of environment
-variables to check is displayed when B<sudo> is run by root with
-the I<-V> option.
-
-=item env_delete
-
-Environment variables to be removed from the user's environment
-when the I<env_reset> option is not in effect. The argument may
-be a double-quoted, space-separated list or a single value without
-double-quotes. The list can be replaced, added to, deleted from,
-or disabled by using the C<=>, C<+=>, C<-=>, and C<!> operators
-respectively. The default list of environment variables to remove
-is displayed when B<sudo> is run by root with the I<-V> option.
-Note that many operating systems will remove potentially dangerous
-variables from the environment of any setuid process (such as
-B<sudo>).
-
-=item env_keep
-
-Environment variables to be preserved in the user's environment
-when the I<env_reset> option is in effect. This allows fine-grained
-control over the environment B<sudo>-spawned processes will receive.
-The argument may be a double-quoted, space-separated list or a
-single value without double-quotes. The list can be replaced, added
-to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and
-C<!> operators respectively. The default list of variables to keep
-is displayed when B<sudo> is run by root with the I<-V> option.
-
-=back
-
-When logging via L<syslog(3)>, B<sudo> accepts the following values
-for the syslog facility (the value of the B<syslog> Parameter):
-B<authpriv> (if your OS supports it), B<auth>, B<daemon>, B<user>,
-B<local0>, B<local1>, B<local2>, B<local3>, B<local4>, B<local5>,
-B<local6>, and B<local7>. The following syslog priorities are
-supported: B<alert>, B<crit>, B<debug>, B<emerg>, B<err>, B<info>,
-B<notice>, and B<warning>.
-
-=head1 FILES
-
-=over 24
-
-=item F<@sysconfdir@/sudoers>
-
-List of who can run what
-
-=item F</etc/group>
-
-Local groups file
-
-=item F</etc/netgroup>
-
-List of network groups
-
-=item F</var/log/sudo-io>
-
-I/O log files
-
-=back
-
-=head1 EXAMPLES
-
-Below are example I<sudoers> entries. Admittedly, some of
-these are a bit contrived. First, we allow a few environment
-variables to pass and then define our I<aliases>:
-
- # Run X applications through sudo; HOME is used to find the
- # .Xauthority file. Note that other programs use HOME to find
- # configuration files and this may lead to privilege escalation!
- Defaults env_keep += "DISPLAY HOME"
-
- # User alias specification
- User_Alias FULLTIMERS = millert, mikef, dowdy
- User_Alias PARTTIMERS = bostley, jwfox, crawl
- User_Alias WEBMASTERS = will, wendy, wim
-
- # Runas alias specification
- Runas_Alias OP = root, operator
- Runas_Alias DB = oracle, sybase
- Runas_Alias ADMINGRP = adm, oper
-
- # Host alias specification
- Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
- SGI = grolsch, dandelion, black :\
- ALPHA = widget, thalamus, foobar :\
- HPPA = boa, nag, python
- Host_Alias CUNETS = 128.138.0.0/255.255.0.0
- Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
- Host_Alias SERVERS = master, mail, www, ns
- Host_Alias CDROM = orion, perseus, hercules
-
- # Cmnd alias specification
- Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
- /usr/sbin/restore, /usr/sbin/rrestore
- Cmnd_Alias KILL = /usr/bin/kill
- Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
- Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
- Cmnd_Alias HALT = /usr/sbin/halt
- Cmnd_Alias REBOOT = /usr/sbin/reboot
- Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
- /usr/local/bin/tcsh, /usr/bin/rsh, \
- /usr/local/bin/zsh
- Cmnd_Alias SU = /usr/bin/su
- Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
-
-Here we override some of the compiled in default values. We want
-B<sudo> to log via L<syslog(3)> using the I<auth> facility in all
-cases. We don't want to subject the full time staff to the B<sudo>
-lecture, user B<millert> need not give a password, and we don't
-want to reset the C<LOGNAME>, C<USER> or C<USERNAME> environment
-variables when running commands as root. Additionally, on the
-machines in the I<SERVERS> C<Host_Alias>, we keep an additional
-local log file and make sure we log the year in each log line since
-the log entries will be kept around for several years. Lastly, we
-disable shell escapes for the commands in the PAGERS C<Cmnd_Alias>
-(F</usr/bin/more>, F</usr/bin/pg> and F</usr/bin/less>).
-
- # Override built-in defaults
- Defaults syslog=auth
- Defaults>root !set_logname
- Defaults:FULLTIMERS !lecture
- Defaults:millert !authenticate
- Defaults@SERVERS log_year, logfile=/var/log/sudo.log
- Defaults!PAGERS noexec
-
-The I<User specification> is the part that actually determines who may
-run what.
-
- root ALL = (ALL) ALL
- %wheel ALL = (ALL) ALL
-
-We let B<root> and any user in group B<wheel> run any command on any
-host as any user.
-
- FULLTIMERS ALL = NOPASSWD: ALL
-
-Full time sysadmins (B<millert>, B<mikef>, and B<dowdy>) may run any
-command on any host without authenticating themselves.
-
- PARTTIMERS ALL = ALL
-
-Part time sysadmins (B<bostley>, B<jwfox>, and B<crawl>) may run any
-command on any host but they must authenticate themselves first
-(since the entry lacks the C<NOPASSWD> tag).
-
- jack CSNETS = ALL
-
-The user B<jack> may run any command on the machines in the I<CSNETS> alias
-(the networks C<128.138.243.0>, C<128.138.204.0>, and C<128.138.242.0>).
-Of those networks, only C<128.138.204.0> has an explicit netmask (in
-CIDR notation) indicating it is a class C network. For the other
-networks in I<CSNETS>, the local machine's netmask will be used
-during matching.
-
- lisa CUNETS = ALL
-
-The user B<lisa> may run any command on any host in the I<CUNETS> alias
-(the class B network C<128.138.0.0>).
-
- operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
- sudoedit /etc/printcap, /usr/oper/bin/
-
-The B<operator> user may run commands limited to simple maintenance.
-Here, those are commands related to backups, killing processes, the
-printing system, shutting down the system, and any commands in the
-directory F</usr/oper/bin/>.
-
- joe ALL = /usr/bin/su operator
-
-The user B<joe> may only L<su(1)> to operator.
-
- pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
-
- %opers ALL = (: ADMINGRP) /usr/sbin/
-
-Users in the B<opers> group may run commands in F</usr/sbin/> as themselves
-with any group in the I<ADMINGRP> C<Runas_Alias> (the B<adm> and B<oper>
-groups).
-
-The user B<pete> is allowed to change anyone's password except for
-root on the I<HPPA> machines. Note that this assumes L<passwd(1)>
-does not take multiple user names on the command line.
-
- bob SPARC = (OP) ALL : SGI = (OP) ALL
-
-The user B<bob> may run anything on the I<SPARC> and I<SGI> machines
-as any user listed in the I<OP> C<Runas_Alias> (B<root> and B<operator>).
-
- jim +biglab = ALL
-
-The user B<jim> may run any command on machines in the I<biglab> netgroup.
-B<sudo> knows that "biglab" is a netgroup due to the '+' prefix.
-
- +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
-
-Users in the B<secretaries> netgroup need to help manage the printers
-as well as add and remove users, so they are allowed to run those
-commands on all machines.
-
- fred ALL = (DB) NOPASSWD: ALL
-
-The user B<fred> can run commands as any user in the I<DB> C<Runas_Alias>
-(B<oracle> or B<sybase>) without giving a password.
-
- john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
-
-On the I<ALPHA> machines, user B<john> may su to anyone except root
-but he is not allowed to specify any options to the L<su(1)> command.
-
- jen ALL, !SERVERS = ALL
-
-The user B<jen> may run any command on any machine except for those
-in the I<SERVERS> C<Host_Alias> (master, mail, www and ns).
-
- jill SERVERS = /usr/bin/, !SU, !SHELLS
-
-For any machine in the I<SERVERS> C<Host_Alias>, B<jill> may run
-any commands in the directory F</usr/bin/> except for those commands
-belonging to the I<SU> and I<SHELLS> C<Cmnd_Aliases>.
-
- steve CSNETS = (operator) /usr/local/op_commands/
-
-The user B<steve> may run any command in the directory /usr/local/op_commands/
-but only as user operator.
-
- matt valkyrie = KILL
-
-On his personal workstation, valkyrie, B<matt> needs to be able to
-kill hung processes.
-
- WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
-
-On the host www, any user in the I<WEBMASTERS> C<User_Alias> (will,
-wendy, and wim), may run any command as user www (which owns the
-web pages) or simply L<su(1)> to www.
-
- ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
- /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
-
-Any user may mount or unmount a CD-ROM on the machines in the CDROM
-C<Host_Alias> (orion, perseus, hercules) without entering a password.
-This is a bit tedious for users to type, so it is a prime candidate
-for encapsulating in a shell script.
-
-=head1 SECURITY NOTES
-
-It is generally not effective to "subtract" commands from C<ALL>
-using the '!' operator. A user can trivially circumvent this
-by copying the desired command to a different name and then
-executing that. For example:
-
- bill ALL = ALL, !SU, !SHELLS
-
-Doesn't really prevent B<bill> from running the commands listed in
-I<SU> or I<SHELLS> since he can simply copy those commands to a
-different name, or use a shell escape from an editor or other
-program. Therefore, these kind of restrictions should be considered
-advisory at best (and reinforced by policy).
-
-Furthermore, if the I<fast_glob> option is in use, it is not possible
-to reliably negate commands where the path name includes globbing
-(aka wildcard) characters. This is because the C library's
-L<fnmatch(3)> function cannot resolve relative paths. While this
-is typically only an inconvenience for rules that grant privileges,
-it can result in a security issue for rules that subtract or revoke
-privileges.
-
-For example, given the following I<sudoers> entry:
-
- john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
- /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
-
-User B<john> can still run C</usr/bin/passwd root> if I<fast_glob> is
-enabled by changing to F</usr/bin> and running C<./passwd root> instead.
-
-=head1 PREVENTING SHELL ESCAPES
-
-Once B<sudo> executes a program, that program is free to do whatever
-it pleases, including run other programs. This can be a security
-issue since it is not uncommon for a program to allow shell escapes,
-which lets a user bypass B<sudo>'s access control and logging.
-Common programs that permit shell escapes include shells (obviously),
-editors, paginators, mail and terminal programs.
-
-There are two basic approaches to this problem:
-
-=over 10
-
-=item restrict
-
-Avoid giving users access to commands that allow the user to run
-arbitrary commands. Many editors have a restricted mode where shell
-escapes are disabled, though B<sudoedit> is a better solution to
-running editors via B<sudo>. Due to the large number of programs that
-offer shell escapes, restricting users to the set of programs that
-do not if often unworkable.
-
-=item noexec
-
-Many systems that support shared libraries have the ability to
-override default library functions by pointing an environment
-variable (usually C<LD_PRELOAD>) to an alternate shared library.
-On such systems, B<sudo>'s I<noexec> functionality can be used to
-prevent a program run by B<sudo> from executing any other programs.
-Note, however, that this applies only to native dynamically-linked
-executables. Statically-linked executables and foreign executables
-running under binary emulation are not affected.
-
-To tell whether or not B<sudo> supports I<noexec>, you can run
-the following as root:
-
- sudo -V | grep "dummy exec"
-
-If the resulting output contains a line that begins with:
-
- File containing dummy exec functions:
-
-then B<sudo> may be able to replace the exec family of functions
-in the standard library with its own that simply return an error.
-Unfortunately, there is no foolproof way to know whether or not
-I<noexec> will work at compile-time. I<noexec> should work on
-SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX, MacOS X, and HP-UX
-11.x. It is known B<not> to work on AIX and UnixWare. I<noexec>
-is expected to work on most operating systems that support the
-C<LD_PRELOAD> environment variable. Check your operating system's
-manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld,
-dld.sl, rld, or loader) to see if C<LD_PRELOAD> is supported.
-
-To enable I<noexec> for a command, use the C<NOEXEC> tag as documented
-in the User Specification section above. Here is that example again:
-
- aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
-
-This allows user B<aaron> to run F</usr/bin/more> and F</usr/bin/vi>
-with I<noexec> enabled. This will prevent those two commands from
-executing other commands (such as a shell). If you are unsure
-whether or not your system is capable of supporting I<noexec> you
-can always just try it out and see if it works.
-
-=back
-
-Note that restricting shell escapes is not a panacea. Programs
-running as root are still capable of many potentially hazardous
-operations (such as changing or overwriting files) that could lead
-to unintended privilege escalation. In the specific case of an
-editor, a safer approach is to give the user permission to run
-B<sudoedit>.
-
-=head1 SEE ALSO
-
-L<rsh(1)>, L<su(1)>, L<fnmatch(3)>, L<glob(3)>, L<sudo(8)>, L<visudo(8)>
-
-=head1 CAVEATS
-
-The I<sudoers> file should B<always> be edited by the B<visudo>
-command which locks the file and does grammatical checking. It is
-imperative that I<sudoers> be free of syntax errors since B<sudo>
-will not run with a syntactically incorrect I<sudoers> file.
-
-When using netgroups of machines (as opposed to users), if you
-store fully qualified host name in the netgroup (as is usually the
-case), you either need to have the machine's host name be fully qualified
-as returned by the C<hostname> command or use the I<fqdn> option in
-I<sudoers>.
-
-=head1 BUGS
-
-If you feel you have found a bug in B<sudo>, please submit a bug report
-at http://www.sudo.ws/sudo/bugs/
-
-=head1 SUPPORT
-
-Limited free support is available via the sudo-users mailing list,
-see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
-search the archives.
-
-=head1 DISCLAIMER
-
-B<sudo> is provided ``AS IS'' and any express or implied warranties,
-including, but not limited to, the implied warranties of merchantability
-and fitness for a particular purpose are disclaimed. See the LICENSE
-file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
-for complete details.
projects / debian / sudo / blobdiff