-Copyright (c) 1994-1996, 1998-2005, 2007-2010
+Copyright (c) 1994-1996, 1998-2005, 2007-2011
Todd C. Miller <Todd.Miller@courtesan.com>
Permission to use, copy, modify, and distribute this software for any
User ',' User_List
User ::= '!'* user name |
- '!'* '#'uid |
- '!'* '%'group |
- '!'* '+'netgroup |
- '!'* '%:'nonunix_group |
+ '!'* #uid |
+ '!'* %group |
+ '!'* %#gid |
+ '!'* +netgroup |
+ '!'* %:nonunix_group |
+ '!'* %:#nonunix_gid |
'!'* User_Alias
-A C<User_List> is made up of one or more user names, uids (prefixed
-with '#'), system groups (prefixed with '%'), netgroups (prefixed
-with '+') and C<User_Alias>es. Each list item may be prefixed with
-zero or more '!' operators. An odd number of '!' operators negate
-the value of the item; an even number just cancel each other out.
-
-A C<user name>, C<group>, C<netgroup> or C<nonunix_group> may
-be enclosed in double quotes to avoid the need for escaping special
-characters. Alternately, special characters may be specified in
-escaped hex mode, e.g. \x20 for space.
-
-The C<nonunix_group> syntax depends on the underlying implementation.
-For instance, the QAS AD backend supports the following formats:
+A C<User_List> is made up of one or more user names, user ids
+(prefixed with '#'), system group names and ids (prefixed with '%'
+and '%#' respectively), netgroups (prefixed with '+'), non-Unix
+group names and IDs (prefixed with '%:' and '%:#' respectively) and
+C<User_Alias>es. Each list item may be prefixed with zero or more
+'!' operators. An odd number of '!' operators negate the value of
+the item; an even number just cancel each other out.
+
+A C<user name>, C<uid>, C<group>, C<gid>, C<netgroup>, C<nonunix_group>
+or C<nonunix_gid> may be enclosed in double quotes to avoid the
+need for escaping special characters. Alternately, special characters
+may be specified in escaped hex mode, e.g. \x20 for space. When
+using double quotes, any prefix characters must be included inside
+the quotes.
+
+The C<nonunix_group> and C<nonunix_gid> syntax depends on the
+underlying implementation. For instance, the QAS AD backend supports
+the following formats:
=over 4
=back
-Note that quotes around group names are optional. Unquoted strings must
-use a backslash (\) to escape spaces and the '@' symbol.
+Note that quotes around group names are optional. Unquoted strings
+must use a backslash (\) to escape spaces and special characters.
+See L<"Other special characters and reserved words"> for a list of
+characters that need to be escaped.
Runas_List ::= Runas_Member |
Runas_Member ',' Runas_List
Runas_Member ::= '!'* user name |
- '!'* '#'uid |
- '!'* '%'group |
+ '!'* #uid |
+ '!'* %group |
+ '!'* %#gid |
+ '!'* %:nonunix_group |
+ '!'* %:#nonunix_gid |
'!'* +netgroup |
'!'* Runas_Alias
Host ::= '!'* host name |
'!'* ip_addr |
'!'* network(/netmask)? |
- '!'* '+'netgroup |
+ '!'* +netgroup |
'!'* Host_Alias
A C<Host_List> is made up of one or more host names, IP addresses,
(and as what user) on specified hosts. By default, commands are
run as B<root>, but this can be changed on a per-command basis.
-The basic structure of a user specification is `who = where (as_whom)
+The basic structure of a user specification is `who where = (as_whom)
what'. Let's break that down into its constituent parts:
=head2 Runas_Spec
The user B<dgb> may run F</bin/ls>, F</bin/kill>, and
F</usr/bin/lprm> -- but only as B<operator>. E.g.,
- $ sudo -u operator /bin/ls.
+ $ sudo -u operator /bin/ls
It is also possible to override a C<Runas_Spec> later on in an
entry. If we modify the entry like so:
dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \
/usr/bin/lprm
+Note that while the group portion of the C<Runas_Spec> permits the
+user to run as command with that group, it does not force the user
+to do so. If no group is specified on the command line, the command
+will run with the group listed in the target user's password database
+entry. The following would all be permitted by the sudoers entry above:
+
+ $ sudo -u operator /bin/ls
+ $ sudo -u operator -g operator /bin/ls
+ $ sudo -g operator /bin/ls
+
In the following example, user B<tcm> may run commands that access
-a modem device file with the dialer group. Note that in this example
-only the group will be set, the command still runs as user B<tcm>.
+a modem device file with the dialer group.
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
/usr/local/bin/minicom
+Note that in this example only the group will be set, the command
+still runs as user B<tcm>. E.g.
+
+ $ sudo -g dialer /usr/bin/cu
+
+Multiple users and groups may be present in a C<Runas_Spec>, in
+which case the user may select any combination of users and groups
+via the B<-u> and B<-g> options. In this example:
+
+ alan ALL = (root, bin : operator, system) ALL
+
+user B<alan> may run any command as either user root or bin,
+optionally setting the group to operator or system.
+
=head2 SELinux_Spec
On systems with SELinux support, I<sudoers> entries may optionally have
=head3 SETENV and NOSETENV
These tags override the value of the I<setenv> option on a per-command
-basis. Note that if C<SETENV> has been set for a command, any
-environment variables set on the command line way are not subject
-to the restrictions imposed by I<env_check>, I<env_delete>, or
-I<env_keep>. As such, only trusted users should be allowed to set
-variables in this manner. If the command matched is B<ALL>, the
-C<SETENV> tag is implied for that command; this default may
-be overridden by use of the C<NOSETENV> tag.
+basis. Note that if C<SETENV> has been set for a command, the user
+may disable the I<env_reset> option from the command line via the
+B<-E> option. Additionally, environment variables set on the command
+line are not subject to the restrictions imposed by I<env_check>,
+I<env_delete>, or I<env_keep>. As such, only trusted users should
+be allowed to set variables in this manner. If the command matched
+is B<ALL>, the C<SETENV> tag is implied for that command; this
+default may be overridden by use of the C<NOSETENV> tag.
=head3 LOG_INPUT and NOLOG_INPUT
The following characters must be escaped with a backslash ('\') when
used as part of a word (e.g.E<nbsp>a user name or host name):
-'@', '!', '=', ':', ',', '(', ')', '\'.
+'!', '=', ':', ',', '(', ')', '\'.
=head1 SUDOERS OPTIONS
option is used). This effectively means that the B<-H> option is
always implied. Note that C<HOME> is already set when the the
I<env_reset> option is enabled, so I<always_set_home> is only
-effective for configurations where I<env_reset> is disabled.
+effective for configurations where either I<env_reset> is disabled
+or C<HOME> is present in the I<env_keep> list.
This flag is I<off> by default.
=item authenticate
C<env_keep> and C<env_check> lists are displayed when B<sudo> is
run by root with the I<-V> option. If the I<secure_path> option
is set, its value will be used for the C<PATH> environment variable.
-This flag is I<on> by default.
+This flag is I<@env_reset@> by default.
=item fast_glob
If set, the host name will be logged in the (non-syslog) B<sudo> log file.
This flag is I<off> by default.
+=item log_input
+
+If set, B<sudo> will run the command in a I<pseudo tty> and log all
+user input.
+If the standard input is not connected to the user's tty, due to
+I/O redirection or because the command is part of a pipeline, that
+input is also captured and stored in a separate log file.
+
+Input is logged to the directory specified by the I<iolog_dir>
+option (F<@iolog_dir@> by default) using a unique session ID that
+is included in the normal B<sudo> log line, prefixed with I<TSID=>.
+
+Note that user input may contain sensitive information such as
+passwords (even if they are not echoed to the screen), which will
+be stored in the log file unencrypted. In most cases, logging the
+command output via I<log_output> is all that is required.
+
+=item log_output
+
+If set, B<sudo> will run the command in a I<pseudo tty> and log all
+output that is sent to the screen, similar to the script(1) command.
+If the standard output or standard error is not connected to the
+user's tty, due to I/O redirection or because the command is part
+of a pipeline, that output is also captured and stored in separate
+log files.
+
+Output is logged to the directory specified by the I<iolog_dir>
+option (F<@iolog_dir@> by default) using a unique session ID that
+is included in the normal B<sudo> log line, prefixed with I<TSID=>.
+
+Output logs may be viewed with the L<sudoreplay(8)> utility, which
+can also be used to list or search the available logs.
+
=item log_year
If set, the four-digit year will be logged in the (non-syslog) B<sudo> log file.
user (which is root unless the B<-u> option is used). This effectively
makes the B<-s> option imply B<-H>. Note that C<HOME> is already
set when the the I<env_reset> option is enabled, so I<set_home> is
-only effective for configurations where I<env_reset> is disabled.
+only effective for configurations where either I<env_reset> is disabled
+or C<HOME> is present in the I<env_keep> list.
This flag is I<off> by default.
=item set_logname
use of a uid not listed in the passwd database as an argument to
the B<-u> option. This flag is I<off> by default.
-=item log_input
-
-If set, B<sudo> will run the command in a I<pseudo tty> and log all
-user input.
-If the standard input is not connected to the user's tty, due to
-I/O redirection or because the command is part of a pipeline, that
-input is also captured and stored in a separate log file.
-
-Input is logged to the F</var/log/sudo-io> directory using a unique
-session ID that is included in the normal B<sudo> log line, prefixed
-with I<TSID=>.
-
-=item log_output
-
-If set, B<sudo> will run the command in a I<pseudo tty> and log all
-output that is sent to the screen, similar to the script(1) command.
-If the standard output or standard error is not connected to the
-user's tty, due to I/O redirection or because the command is part
-of a pipeline, that output is also captured and stored in separate
-log files.
-
-Output is logged to the
-F</var/log/sudo-io> directory using a unique session ID that is
-included in the normal B<sudo> log line, prefixed with I<TSID=>.
-
-Output logs may be viewed with the L<sudoreplay(8)> utility, which
-can also be used to list or search the available logs.
-
=item tty_tickets
If set, users must authenticate on a per-tty basis. With this flag
umask in I<sudoers> than the user's own umask and matches historical
behavior. If I<umask_override> is not set, B<sudo> will set the
umask to be the union of the user's umask and what is specified in
-I<sudoers>. This flag is I<off> by default.
+I<sudoers>. This flag is I<@umask_override@> by default.
=item use_loginclass
EDITOR environment variable if possible, or the first editor in the
list that exists and is executable. The default is C<"@editor@">.
+=item iolog_dir
+
+The directory in which to store input/output logs when the I<log_input>
+or I<log_output> options are enabled or when the C<LOG_INPUT> or
+C<LOG_OUTPUT> tags are present for a command.
+The default is C<"@iolog_dir@">.
+
=item mailsub
Subject of the mail sent to the I<mailto> user. The escape C<%h>
=item sudoers_locale
-Locale to use when parsing the sudoers file. Note that changing
-the locale may affect how sudoers is interpreted.
-Defaults to C<"C">.
+Locale to use when parsing the sudoers file, logging commands, and
+sending email. Note that changing the locale may affect how sudoers
+is interpreted. Defaults to C<"C">.
=item timestampdir
List of network groups
-=item F</var/log/sudo-io>
+=item F<@iolog_dir@>
I/O log files