-Copyright (c) 1994-1996, 1998-2005, 2007-2008
+Copyright (c) 1994-1996, 1998-2005, 2007-2009
Todd C. Miller <Todd.Miller@courtesan.com>
Permission to use, copy, modify, and distribute this software for any
Agency (DARPA) and Air Force Research Laboratory, Air Force
Materiel Command, USAF, under agreement number F39502-99-1-0512.
-$Sudo: sudoers.pod,v 1.155 2008/12/03 20:57:13 millert Exp $
+$Sudo: sudoers.pod,v 1.173 2009/06/30 12:41:09 millert Exp $
=pod
=head1 NAME
'!'* '#'uid |
'!'* '%'group |
'!'* '+'netgroup |
+ '!'* '%:'nonunix_group |
'!'* User_Alias
A C<User_List> is made up of one or more usernames, uids (prefixed
zero or more '!' operators. An odd number of '!' operators negate
the value of the item; an even number just cancel each other out.
+A C<username>, C<group>, C<netgroup> and C<nonunix_groups> may
+be enclosed in double quotes to avoid the need for escaping special
+characters. Alternately, special characters may be specified in
+escaped hex mode, e.g. \x20 for space.
+
+The C<nonunix_group> syntax depends on the underlying implementation.
+For instance, the QAS AD backend supports the following formats:
+
+=over 4
+
+=item *
+
+Group in the same domain: "Group Name"
+
+=item *
+
+Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"
+
+=item *
+
+Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"
+
+=back
+
+Note that quotes around group names are optional. Unquoted strings must
+use a backslash (\) to escape spaces and the '@' symbol.
+
Runas_List ::= Runas_Member |
Runas_Member ',' Runas_List
and user Defaults first, then runas Defaults and finally command
defaults.
-See L</"SUDOERS OPTIONS"> for a list of supported Defaults parameters.
+See L<"SUDOERS OPTIONS"> for a list of supported Defaults parameters.
=head2 User Specification
Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
- Runas_Spec ::= '(' Runas_List? (: Runas_List)? ')'
+ Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
'SETENV:' | 'NOSETENV:' )
(and as what user) on specified hosts. By default, commands are
run as B<root>, but this can be changed on a per-command basis.
-Let's break that down into its constituent parts:
+The basic structure of a user specification is `who = where (as_whom)
+what'. Let's break that down into its constituent parts:
=head2 Runas_Spec
=head2 Wildcards
B<sudo> allows shell-style I<wildcards> (aka meta or glob characters)
-to be used in hostnames, pathnames and command line arguments in the
-I<sudoers> file. Wildcard matching is done via the B<POSIX>
-L<fnmatch(3)> routine. Note that these are I<not> regular expressions.
+to be used in hostnames, pathnames and command line arguments in
+the I<sudoers> file. Wildcard matching is done via the B<POSIX>
+L<glob(3)> and L<fnmatch(3)> routines. Note that these are I<not>
+regular expressions.
=over 8
=back
-POSIX character classes may also be used if your system's
-L<fnmatch(3)> function supports them. However, because the
-C<':'> character has special meaning in I<sudoers>, it must
-be escaped. For example:
+POSIX character classes may also be used if your system's L<glob(3)>
+and L<fnmatch(3)> functions support them. However, because the
+C<':'> character has special meaning in I<sudoers>, it must be
+escaped. For example:
/bin/ls [[\:alpha\:]]*
=head2 Including other files from within sudoers
It is possible to include other I<sudoers> files from within the
-I<sudoers> file currently being parsed using the C<#include>
-directive, similar to the one used by the C preprocessor. This is
-useful, for example, for keeping a site-wide I<sudoers> file in
-addition to a per-machine local one. For the sake of this example
-the site-wide I<sudoers> will be F</etc/sudoers> and the per-machine
-one will be F</etc/sudoers.local>. To include F</etc/sudoers.local>
-from F</etc/sudoers> we would use the following line in F</etc/sudoers>:
+I<sudoers> file currently being parsed using the C<#include> and
+C<#includedir> directives.
+
+This can be used, for example, to keep a site-wide I<sudoers> file
+in addition to a local, per-machine file. For the sake of this
+example the site-wide I<sudoers> will be F</etc/sudoers> and the
+per-machine one will be F</etc/sudoers.local>. To include
+F</etc/sudoers.local> from within F</etc/sudoers> we would use the
+following line in F</etc/sudoers>:
+
+=over 4
+
+C<#include /etc/sudoers.local>
- #include /etc/sudoers.local
+=back
When B<sudo> reaches this line it will suspend processing of the
current file (F</etc/sudoers>) and switch to F</etc/sudoers.local>.
themselves include other files. A hard limit of 128 nested include
files is enforced to prevent include file loops.
+The filename may include the C<%h> escape, signifying the short form
+of the hostname. I.e., if the machine's hostname is "xerxes", then
+
+C<#include /etc/sudoers.%h>
+
+will cause B<sudo> to include the file F</etc/sudoers.xerxes>.
+
+The C<#includedir> directive can be used to create a F<sudo.d>
+directory that the system package manager can drop I<sudoers> rules
+into as part of package installation. For example, given:
+
+C<#includedir /etc/sudoers.d>
+
+B<sudo> will read each file in F</etc/sudoers.d>, skipping file
+names that end in C<~> or contain a C<.> character to avoid causing
+problems with package manager or editor temporary/backup files.
+Files are parsed in sorted lexical order. That is,
+F</etc/sudoers.d/01_first> will be parsed before
+F</etc/sudoers.d/10_second>. Be aware that because the sorting is
+lexical, not numeric, F</etc/sudoers.d/1_whoops> would be loaded
+B<after> F</etc/sudoers.d/10_second>. Using a consistent number
+of leading zeroes in the file names can be used to avoid such
+problems.
+
+Note that unlike files included via C<#include>, B<visudo> will not
+edit the files in a C<#includedir> directory unless one of them
+contains a syntax error. It is still possible to run B<visudo>
+with the C<-f> flag to edit the files directly.
+
=head2 Other special characters and reserved words
The pound sign ('#') is used to indicate a comment (unless it is
=item preserve_groups
-By default B<sudo> will initialize the group vector to the list of
+By default, B<sudo> will initialize the group vector to the list of
groups the target user is in. When I<preserve_groups> is set, the
user's existing group vector is left unaltered. The real and
effective group IDs, however, are still set to match the target
user. This flag is I<off> by default.
+=item pwfeedback
+
+By default, B<sudo> reads the password like most other Unix programs,
+by turning off echo until the user hits the return (or enter) key.
+Some users become confused by this as it appears to them that B<sudo>
+has hung at this point. When I<pwfeedback> is set, B<sudo> will
+provide visual feedback when the user presses a key. Note that
+this does have a security impact as an onlooker may be able to
+determine the length of the password being entered.
+This flag is I<off> by default.
+
=item requiretty
If set, B<sudo> will only run when the user is logged in to a real
set, falling back on the shell listed in the invoking user's
/etc/passwd entry if not). This flag is I<off> by default.
+=item fast_glob
+
+Normally, B<sudo> uses the L<glob(3)> function to do shell-style
+globbing when matching pathnames. However, since it accesses the
+file system, L<glob(3)> can take a long time to complete for some
+patterns, especially when the pattern references a network file
+system that is mounted on demand (automounted). The I<fast_glob>
+option causes B<sudo> to use the L<fnmatch(3)> function, which does
+not access the file system to do its matching. The disadvantage
+of I<fast_glob> is that it is unable to match relative pathnames
+such as F<./ls> or F<../bin/ls>. This flag is I<off> by default.
+
=item stay_setuid
Normally, when B<sudo> executes a command the real and effective
file named for the tty the user is logged in on in that directory.
This flag is I<@tty_tickets@> by default.
+=item umask_override
+
+If set, B<sudo> will set the umask as specified by I<sudoers> without
+modification. This makes it possible to specify a more permissive
+umask in I<sudoers> than the user's own umask and matches historical
+behavior. If I<umask_override> is not set, B<sudo> will set the
+umask to be the union of the user's umask and what is specified in
+I<sudoers>. This flag is I<off> by default.
+
=item use_loginclass
If set, B<sudo> will apply the defaults specified for the target user's
=item env_file
-The I<env_file> options specifies the fully qualified path to a file
-containing variables to be set in the environment of the program
-being run. Entries in this file should be of the form C<VARIABLE=value>.
-Variables in this file are subject to other B<sudo> environment
-settings such as I<env_keep> and I<env_check>.
+The I<env_file> options specifies the fully qualified path to a
+file containing variables to be set in the environment of the program
+being run. Entries in this file should either be of the form
+C<VARIABLE=value> or C<export VARIABLE=value>. The value may
+optionally be surrounded by single or double quotes. Variables in
+this file are subject to other B<sudo> environment settings such
+as I<env_keep> and I<env_check>.
=item exempt_group
=item env_delete
-
Not effective due to security issues: only variables listed in
I<env_keep> or I<env_check> can be passed through B<sudo>!
-The argument may be a double-quoted, space-separated list or a
-single value without double-quotes. The list can be replaced, added
-to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and
-C<!> operators respectively. The default list of environment
-variables to remove is displayed when B<sudo> is run by root with the
-I<-V> option. Note that many operating systems will remove potentially
-dangerous variables from the environment of any setuid process (such
-as B<sudo>).
+Environment variables to be removed from the user's environment
+when the I<env_reset> option is not in effect. The argument may
+be a double-quoted, space-separated list or a single value without
+double-quotes. The list can be replaced, added to, deleted from,
+or disabled by using the C<=>, C<+=>, C<-=>, and C<!> operators
+respectively. The default list of environment variables to remove
+is displayed when B<sudo> is run by root with the I<-V> option.
+Note that many operating systems will remove potentially dangerous
+variables from the environment of any setuid process (such as
+B<sudo>).
=item env_keep
# Runas alias specification
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
+ Runas_Alias ADMINGRP = adm, oper
# Host alias specification
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
+ %opers ALL = (: ADMINGRP) /usr/sbin/
+
+Users in the B<opers> group may run commands in F</usr/sbin/> as themselves
+with any group in the I<ADMINGRP> C<Runas_Alias> (the B<adm> and B<oper>
+groups).
+
The user B<pete> is allowed to change anyone's password except for
root on the I<HPPA> machines. Note that this assumes L<passwd(1)>
does not take multiple usernames on the command line.
=head1 SEE ALSO
-L<rsh(1)>, L<su(1)>, L<fnmatch(3)>, L<sudo(8)>, L<visudo(8)>
+L<rsh(1)>, L<su(1)>, L<fnmatch(3)>, L<glob(3)>, L<sudo(8)>, L<visudo(8)>
=head1 CAVEATS