=cut
-Copyright (c) 1994-1996,1998-2001 Todd C. Miller <Todd.Miller@courtesan.com>
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions
-are met:
-
-1. Redistributions of source code must retain the above copyright
- notice, this list of conditions and the following disclaimer.
-
-2. Redistributions in binary form must reproduce the above copyright
- notice, this list of conditions and the following disclaimer in the
- documentation and/or other materials provided with the distribution.
-
-3. The name of the author may not be used to endorse or promote products
- derived from this software without specific prior written permission
- from the author.
-
-4. Products derived from this software may not be called "Sudo" nor
- may "Sudo" appear in their names without specific prior written
- permission from the author.
-
-THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
-INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
-AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
-THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
-EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
-PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
-OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
-OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+Copyright (c) 1994-1996, 1998-2005, 2007
+ Todd C. Miller <Todd.Miller@courtesan.com>
+
+Permission to use, copy, modify, and distribute this software for any
+purpose with or without fee is hereby granted, provided that the above
+copyright notice and this permission notice appear in all copies.
+
+THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-$Sudo: sudoers.pod,v 1.63 2002/01/13 18:36:44 millert Exp $
+Sponsored in part by the Defense Advanced Research Projects
+Agency (DARPA) and Air Force Research Laboratory, Air Force
+Materiel Command, USAF, under agreement number F39502-99-1-0512.
+
+$Sudo: sudoers.pod,v 1.95.2.20 2007/08/27 19:52:28 millert Exp $
=pod
=head1 NAME
=head1 DESCRIPTION
-The I<sudoers> file is composed of two types of entries:
-aliases (basically variables) and user specifications
-(which specify who may run what). The grammar of I<sudoers>
-will be described below in Extended Backus-Naur Form (EBNF).
-Don't despair if you don't know what EBNF is; it is fairly
-simple, and the definitions below are annotated.
+The I<sudoers> file is composed of two types of entries: aliases
+(basically variables) and user specifications (which specify who
+may run what).
+
+When multiple entries match for a user, they are applied in order.
+Where there are multiple matches, the last match is used (which is
+not necessarily the most specific match).
+
+The I<sudoers> grammar will be described below in Extended Backus-Naur
+Form (EBNF). Don't despair if you don't know what EBNF is; it is
+fairly simple, and the definitions below are annotated.
=head2 Quick guide to EBNF
expressions. Do not, however, confuse them with "wildcard"
characters, which have different meanings.
-=over 8
+=over 4
=item C<?>
where I<Alias_Type> is one of C<User_Alias>, C<Runas_Alias>, C<Host_Alias>,
or C<Cmnd_Alias>. A C<NAME> is a string of uppercase letters, numbers,
-and the underscore characters ('_'). A C<NAME> B<must> start with an
+and underscore characters ('_'). A C<NAME> B<must> start with an
uppercase letter. It is possible to put several alias definitions
of the same type on a single line, joined by a colon (':'). E.g.,
'!'* '+'netgroup |
'!'* User_Alias
-A C<User_List> is made up of one or more usernames, uids
-(prefixed with '#'), System groups (prefixed with '%'),
-netgroups (prefixed with '+') and other aliases. Each list
-item may be prefixed with one or more '!' operators. An odd number
-of '!' operators negate the value of the item; an even number
-just cancel each other out.
+A C<User_List> is made up of one or more usernames, system groups
+(prefixed with '%'), netgroups (prefixed with '+') and other aliases.
+Each list item may be prefixed with one or more '!' operators.
+An odd number of '!' operators negate the value of the item; an even
+number just cancel each other out.
Runas_List ::= Runas_User |
Runas_User ',' Runas_List
A C<Runas_List> is similar to a C<User_List> except that it can
also contain uids (prefixed with '#') and instead of C<User_Alias>es
-it can contain C<Runas_Alias>es.
+it can contain C<Runas_Alias>es. Note that usernames and groups
+are matched as strings. In other words, two users (groups) with
+the same uid (gid) are considered to be distinct. If you wish to
+match all usernames with the same uid (e.g.E<nbsp>root and toor), you
+can use a uid instead (#0 in the example given).
Host_List ::= Host |
Host ',' Host_List
A C<Host_List> is made up of one or more hostnames, IP addresses,
network numbers, netgroups (prefixed with '+') and other aliases.
Again, the value of an item may be negated with the '!' operator.
-If you do not specify a netmask with a network number, the netmask
-of the host's ethernet interface(s) will be used when matching.
-The netmask may be specified either in dotted quad notation (e.g.
-255.255.255.0) or CIDR notation (number of bits, e.g. 24). A hostname
-may include shell-style wildcards (see `Wildcards' section below),
+If you do not specify a netmask along with the network number,
+B<sudo> will query each of the local host's network interfaces and,
+if the network number corresponds to one of the hosts's network
+interfaces, the corresponding netmask will be used. The netmask
+may be specified either in standard IP address notation
+(e.g.E<nbsp>255.255.255.0 or ffff:ffff:ffff:ffff::),
+or CIDR notation (number of bits, e.g.E<nbsp>24 or 64). A hostname may
+include shell-style wildcards (see the L<Wildcards> section below),
but unless the C<hostname> command on your machine returns the fully
-qualified hostname, you'll need to use the I<fqdn> option for wildcards
-to be useful.
+qualified hostname, you'll need to use the I<fqdn> option for
+wildcards to be useful.
Cmnd_List ::= Cmnd |
Cmnd ',' Cmnd_List
Cmnd ::= '!'* commandname |
'!'* directory |
+ '!'* "sudoedit" |
'!'* Cmnd_Alias
A C<Cmnd_List> is a list of one or more commandnames, directories, and other
aliases. A commandname is a fully qualified filename which may include
-shell-style wildcards (see `Wildcards' section below). A simple
+shell-style wildcards (see the L<Wildcards> section below). A simple
filename allows the user to run the command with any arguments he/she
wishes. However, you may also specify command line arguments (including
wildcards). Alternately, you can specify C<""> to indicate that the command
in the C<Cmnd> must match exactly those given by the user on the command line
(or match the wildcards if there are any). Note that the following
characters must be escaped with a '\' if they are used in command
-arguments: ',', ':', '=', '\'.
+arguments: ',', ':', '=', '\'. The special command C<"sudoedit">
+is used to permit a user to run B<sudo> with the B<-e> flag (or
+as B<sudoedit>). It may take command line arguments just as
+a normal command does.
=head2 Defaults
Certain configuration options may be changed from their default
values at runtime via one or more C<Default_Entry> lines. These
-may affect all users on any host, all users on a specific host,
-or just a specific user. When multiple entries match, they are
-applied in order. Where there are conflicting values, the last
-value on a matching line takes effect.
+may affect all users on any host, all users on a specific host, a
+specific user, or commands being run as a specific user.
- Default_Type ::= 'Defaults' ||
- 'Defaults' ':' User ||
- 'Defaults' '@' Host
+ Default_Type ::= 'Defaults' |
+ 'Defaults' '@' Host_List |
+ 'Defaults' ':' User_List |
+ 'Defaults' '>' Runas_List
Default_Entry ::= Default_Type Parameter_List
- Parameter ::= Parameter '=' Value ||
- Parameter '+=' Value ||
- Parameter '-=' Value ||
- '!'* Parameter ||
+ Parameter_List ::= Parameter |
+ Parameter ',' Parameter_List
+
+ Parameter ::= Parameter '=' Value |
+ Parameter '+=' Value |
+ Parameter '-=' Value |
+ '!'* Parameter
Parameters may be B<flags>, B<integer> values, B<strings>, or B<lists>.
Flags are implicitly boolean and can be turned off via the '!'
It is not an error to use the C<-=> operator to remove an element
that does not exist in a list.
-Note that since the I<sudoers> file is parsed in order the best place
-to put the Defaults section is after the Host, User, and Cmnd aliases
-but before the user specifications.
+See L</"SUDOERS OPTIONS"> for a list of supported Defaults parameters.
-B<Flags>:
+=head2 User Specification
-=over 12
+ User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
+ (':' Host_List '=' Cmnd_Spec_List)*
-=item long_otp_prompt
+ Cmnd_Spec_List ::= Cmnd_Spec |
+ Cmnd_Spec ',' Cmnd_Spec_List
-When validating with a One Time Password scheme (B<S/Key> or B<OPIE>),
-a two-line prompt is used to make it easier to cut and paste the
-challenge to a local window. It's not as pretty as the default but
-some people find it more convenient. This flag is I<@long_otp_prompt@>
-by default.
+ Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
-=item ignore_dot
+ Runas_Spec ::= '(' Runas_List ')'
-If set, B<sudo> will ignore '.' or '' (current dir) in the C<PATH>
-environment variable; the C<PATH> itself is not modified. This
-flag is I<@ignore_dot@> by default.
+ Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
+ 'SETENV:' | 'NOSETENV:')
-=item mail_always
+A B<user specification> determines which commands a user may run
+(and as what user) on specified hosts. By default, commands are
+run as B<root>, but this can be changed on a per-command basis.
-Send mail to the I<mailto> user every time a users runs B<sudo>.
-This flag is I<off> by default.
+Let's break that down into its constituent parts:
-=item mail_badpass
+=head2 Runas_Spec
-Send mail to the I<mailto> user if the user running sudo does not
-enter the correct password. This flag is I<off> by default.
+A C<Runas_Spec> is simply a C<Runas_List> (as defined above)
+enclosed in a set of parentheses. If you do not specify a
+C<Runas_Spec> in the user specification, a default C<Runas_Spec>
+of B<root> will be used. A C<Runas_Spec> sets the default for
+commands that follow it. What this means is that for the entry:
-=item mail_no_user
+ dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
-If set, mail will be sent to the I<mailto> user if the invoking
-user is not in the I<sudoers> file. This flag is I<@mail_no_user@>
-by default.
+The user B<dgb> may run F</bin/ls>, F</bin/kill>, and
+F</usr/bin/lprm> -- but only as B<operator>. E.g.,
-=item mail_no_host
+ $ sudo -u operator /bin/ls.
-If set, mail will be sent to the I<mailto> user if the invoking
-user exists in the I<sudoers> file, but is not allowed to run
-commands on the current host. This flag is I<@mail_no_host@> by default.
+It is also possible to override a C<Runas_Spec> later on in an
+entry. If we modify the entry like so:
-=item mail_no_perms
+ dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
-If set, mail will be sent to the I<mailto> user if the invoking
-user allowed to use B<sudo> but the command they are trying is not
-listed in their I<sudoers> file entry. This flag is I<@mail_no_perms@>
-by default.
+Then user B<dgb> is now allowed to run F</bin/ls> as B<operator>,
+but F</bin/kill> and F</usr/bin/lprm> as B<root>.
-=item tty_tickets
+=head2 Tag_Spec
-If set, users must authenticate on a per-tty basis. Normally,
-B<sudo> uses a directory in the ticket dir with the same name as
-the user running it. With this flag enabled, B<sudo> will use a
-file named for the tty the user is logged in on in that directory.
-This flag is I<@tty_tickets@> by default.
+A command may have zero or more tags associated with it. There are
+six possible tag values, C<NOPASSWD>, C<PASSWD>, C<NOEXEC>, C<EXEC>,
+C<SETENV> and C<NOSETENV>.
+Once a tag is set on a C<Cmnd>, subsequent C<Cmnd>s in the
+C<Cmnd_Spec_List>, inherit the tag unless it is overridden by the
+opposite tag (i.e.: C<PASSWD> overrides C<NOPASSWD> and C<NOEXEC>
+overrides C<EXEC>).
-=item lecture
+=head3 NOPASSWD and PASSWD
-If set, a user will receive a short lecture the first time he/she
-runs B<sudo>. This flag is I<@lecture@> by default.
+By default, B<sudo> requires that a user authenticate him or herself
+before running a command. This behavior can be modified via the
+C<NOPASSWD> tag. Like a C<Runas_Spec>, the C<NOPASSWD> tag sets
+a default for the commands that follow it in the C<Cmnd_Spec_List>.
+Conversely, the C<PASSWD> tag can be used to reverse things.
+For example:
-=item authenticate
+ ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
-If set, users must authenticate themselves via a password (or other
-means of authentication) before they may run commands. This default
-may be overridden via the C<PASSWD> and C<NOPASSWD> tags.
-This flag is I<on> by default.
+would allow the user B<ray> to run F</bin/kill>, F</bin/ls>, and
+F</usr/bin/lprm> as root on the machine rushmore as B<root> without
+authenticating himself. If we only want B<ray> to be able to
+run F</bin/kill> without a password the entry would be:
-=item root_sudo
+ ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
-If set, root is allowed to run B<sudo> too. Disabling this prevents users
-from "chaining" B<sudo> commands to get a root shell by doing something
-like C<"sudo sudo /bin/sh">.
-This flag is I<on> by default.
+Note, however, that the C<PASSWD> tag has no effect on users who are
+in the group specified by the I<exempt_group> option.
-=item log_host
+By default, if the C<NOPASSWD> tag is applied to any of the entries
+for a user on the current host, he or she will be able to run
+C<sudo -l> without a password. Additionally, a user may only run
+C<sudo -v> without a password if the C<NOPASSWD> tag is present
+for all a user's entries that pertain to the current host.
+This behavior may be overridden via the verifypw and listpw options.
-If set, the hostname will be logged in the (non-syslog) B<sudo> log file.
-This flag is I<off> by default.
+=head3 NOEXEC and EXEC
-=item log_year
+If B<sudo> has been compiled with I<noexec> support and the underlying
+operating system supports it, the C<NOEXEC> tag can be used to prevent
+a dynamically-linked executable from running further commands itself.
-If set, the four-digit year will be logged in the (non-syslog) B<sudo> log file.
-This flag is I<off> by default.
+In the following example, user B<aaron> may run F</usr/bin/more>
+and F</usr/bin/vi> but shell escapes will be disabled.
-=item shell_noargs
+ aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
-If set and B<sudo> is invoked with no arguments it acts as if the
-B<-s> flag had been given. That is, it runs a shell as root (the
-shell is determined by the C<SHELL> environment variable if it is
-set, falling back on the shell listed in the invoking user's
-/etc/passwd entry if not). This flag is I<off> by default.
+See the L<PREVENTING SHELL ESCAPES> section below for more details
+on how C<NOEXEC> works and whether or not it will work on your system.
-=item set_home
+=head3 SETENV and NOSETENV
-If set and B<sudo> is invoked with the B<-s> flag the C<HOME>
-environment variable will be set to the home directory of the target
-user (which is root unless the B<-u> option is used). This effectively
-makes the B<-s> flag imply B<-H>. This flag is I<off> by default.
+These tags override the value of the I<setenv> option on a per-command
+basis. Note that if C<SETENV> has been set for a command, any
+environment variables set on the command line way are not subject
+to the restrictions imposed by I<env_check>, I<env_delete>, or
+I<env_keep>. As such, only trusted users should be allowed to set
+variables in this manner.
+
+=head2 Wildcards
+
+B<sudo> allows shell-style I<wildcards> (aka meta or glob characters)
+to be used in pathnames as well as command line arguments in the
+I<sudoers> file. Wildcard matching is done via the B<POSIX>
+L<fnmatch(3)> routine. Note that these are I<not> regular expressions.
+
+=over 8
+
+=item C<*>
+
+Matches any set of zero or more characters.
+
+=item C<?>
+
+Matches any single character.
+
+=item C<[...]>
+
+Matches any character in the specified range.
+
+=item C<[!...]>
+
+Matches any character B<not> in the specified range.
+
+=item C<\x>
+
+For any character "x", evaluates to "x". This is used to
+escape special characters such as: "*", "?", "[", and "}".
+
+=back
+
+Note that a forward slash ('/') will B<not> be matched by
+wildcards used in the pathname. When matching the command
+line arguments, however, a slash B<does> get matched by
+wildcards. This is to make a path like:
+
+ /usr/bin/*
+
+match F</usr/bin/who> but not F</usr/bin/X11/xterm>.
+
+=head2 Exceptions to wildcard rules
+
+The following exceptions apply to the above rules:
+
+=over 8
+
+=item C<"">
+
+If the empty string C<""> is the only command line argument in the
+I<sudoers> entry it means that command is not allowed to be run
+with B<any> arguments.
+
+=back
+
+=head2 Other special characters and reserved words
+
+The pound sign ('#') is used to indicate a comment (unless it is
+part of a #include directive or unless it occurs in the context of
+a user name and is followed by one or more digits, in which case
+it is treated as a uid). Both the comment character and any text
+after it, up to the end of the line, are ignored.
+
+The reserved word B<ALL> is a built-in I<alias> that always causes
+a match to succeed. It can be used wherever one might otherwise
+use a C<Cmnd_Alias>, C<User_Alias>, C<Runas_Alias>, or C<Host_Alias>.
+You should not try to define your own I<alias> called B<ALL> as the
+built-in alias will be used in preference to your own. Please note
+that using B<ALL> can be dangerous since in a command context, it
+allows the user to run B<any> command on the system.
+
+An exclamation point ('!') can be used as a logical I<not> operator
+both in an I<alias> and in front of a C<Cmnd>. This allows one to
+exclude certain values. Note, however, that using a C<!> in
+conjunction with the built-in C<ALL> alias to allow a user to
+run "all but a few" commands rarely works as intended (see SECURITY
+NOTES below).
+
+Long lines can be continued with a backslash ('\') as the last
+character on the line.
+
+Whitespace between elements in a list as well as special syntactic
+characters in a I<User Specification> ('=', ':', '(', ')') is optional.
+
+The following characters must be escaped with a backslash ('\') when
+used as part of a word (e.g.E<nbsp>a username or hostname):
+'@', '!', '=', ':', ',', '(', ')', '\'.
+
+=head1 SUDOERS OPTIONS
+
+B<sudo>'s behavior can be modified by C<Default_Entry> lines, as
+explained earlier. A list of all supported Defaults parameters,
+grouped by type, are listed below.
+
+B<Flags>:
+
+=over 16
=item always_set_home
This effectively means that the B<-H> flag is always implied.
This flag is I<off> by default.
-=item path_info
+=item authenticate
-Normally, B<sudo> will tell the user when a command could not be
-found in their C<PATH> environment variable. Some sites may wish
-to disable this as it could be used to gather information on the
-location of executables that the normal user does not have access
-to. The disadvantage is that if the executable is simply not in
-the user's C<PATH>, B<sudo> will tell the user that they are not
-allowed to run it, which can be confusing. This flag is I<off> by
+If set, users must authenticate themselves via a password (or other
+means of authentication) before they may run commands. This default
+may be overridden via the C<PASSWD> and C<NOPASSWD> tags.
+This flag is I<on> by default.
+
+=item env_editor
+
+If set, B<visudo> will use the value of the EDITOR or VISUAL
+environment variables before falling back on the default editor list.
+Note that this may create a security hole as it allows the user to
+run any arbitrary command as root without logging. A safer alternative
+is to place a colon-separated list of editors in the C<editor>
+variable. B<visudo> will then only use the EDITOR or VISUAL if
+they match a value specified in C<editor>. This flag is I<@env_editor@> by
default.
-=item preserve_groups
+=item env_reset
-By default B<sudo> will initialize the group vector to the list of
-groups the target user is in. When I<preserve_groups> is set, the
-user's existing group vector is left unaltered. The real and
-effective group IDs, however, are still set to match the target
-user. This flag is I<off> by default.
+If set, B<sudo> will reset the environment to only contain the
+LOGNAME, SHELL, USER, USERNAME and the C<SUDO_*> variables. Any
+variables in the caller's environment that match the C<env_keep>
+and C<env_check> lists are then added. The default contents of the
+C<env_keep> and C<env_check> lists are displayed when B<sudo> is
+run by root with the I<-V> option. If B<sudo> was compiled with
+the C<SECURE_PATH> option, its value will be used for the C<PATH>
+environment variable. This flag is I<on> by default.
=item fqdn
Set this flag if you want to put fully qualified hostnames in the
-I<sudoers> file. I.e.: instead of myhost you would use myhost.mydomain.edu.
+I<sudoers> file. I.e., instead of myhost you would use myhost.mydomain.edu.
You may still use the short form if you wish (and even mix the two).
Beware that turning on I<fqdn> requires B<sudo> to make DNS lookups
which may make B<sudo> unusable if DNS stops working (for example
command) is already fully qualified you shouldn't need to set
I<fqdn>. This flag is I<@fqdn@> by default.
+=item ignore_dot
+
+If set, B<sudo> will ignore '.' or '' (current dir) in the C<PATH>
+environment variable; the C<PATH> itself is not modified. This
+flag is I<@ignore_dot@> by default. Currently, while it is possible
+to set I<ignore_dot> in I<sudoers>, its value is not used. This option
+should be considered read-only (it will be fixed in a future version
+of B<sudo>).
+
+=item ignore_local_sudoers
+
+If set via LDAP, parsing of @sysconfdir@/sudoers will be skipped.
+This is intended for Enterprises that wish to prevent the usage of local
+sudoers files so that only LDAP is used. This thwarts the efforts of
+rogue operators who would attempt to add roles to @sysconfdir@/sudoers.
+When this option is present, @sysconfdir@/sudoers does not even need to exist.
+Since this option tells B<sudo> how to behave when no specific LDAP entries
+have been matched, this sudoOption is only meaningful for the cn=defaults
+section. This flag is I<off> by default.
+
=item insults
If set, B<sudo> will insult users when they enter an incorrect
password. This flag is I<@insults@> by default.
+=item log_host
+
+If set, the hostname will be logged in the (non-syslog) B<sudo> log file.
+This flag is I<off> by default.
+
+=item log_year
+
+If set, the four-digit year will be logged in the (non-syslog) B<sudo> log file.
+This flag is I<off> by default.
+
+=item long_otp_prompt
+
+When validating with a One Time Password (OPT) scheme such as
+B<S/Key> or B<OPIE>, a two-line prompt is used to make it easier
+to cut and paste the challenge to a local window. It's not as
+pretty as the default but some people find it more convenient. This
+flag is I<@long_otp_prompt@> by default.
+
+=item mail_always
+
+Send mail to the I<mailto> user every time a users runs B<sudo>.
+This flag is I<off> by default.
+
+=item mail_badpass
+
+Send mail to the I<mailto> user if the user running B<sudo> does not
+enter the correct password. This flag is I<off> by default.
+
+=item mail_no_host
+
+If set, mail will be sent to the I<mailto> user if the invoking
+user exists in the I<sudoers> file, but is not allowed to run
+commands on the current host. This flag is I<@mail_no_host@> by default.
+
+=item mail_no_perms
+
+If set, mail will be sent to the I<mailto> user if the invoking
+user is allowed to use B<sudo> but the command they are trying is not
+listed in their I<sudoers> file entry or is explicitly denied.
+This flag is I<@mail_no_perms@> by default.
+
+=item mail_no_user
+
+If set, mail will be sent to the I<mailto> user if the invoking
+user is not in the I<sudoers> file. This flag is I<@mail_no_user@>
+by default.
+
+=item noexec
+
+If set, all commands run via B<sudo> will behave as if the C<NOEXEC>
+tag has been set, unless overridden by a C<EXEC> tag. See the
+description of I<NOEXEC and EXEC> below as well as the L<PREVENTING SHELL
+ESCAPES> section at the end of this manual. This flag is I<off> by default.
+
+=item path_info
+
+Normally, B<sudo> will tell the user when a command could not be
+found in their C<PATH> environment variable. Some sites may wish
+to disable this as it could be used to gather information on the
+location of executables that the normal user does not have access
+to. The disadvantage is that if the executable is simply not in
+the user's C<PATH>, B<sudo> will tell the user that they are not
+allowed to run it, which can be confusing. This flag is I<@path_info@>
+by default.
+
+=item preserve_groups
+
+By default B<sudo> will initialize the group vector to the list of
+groups the target user is in. When I<preserve_groups> is set, the
+user's existing group vector is left unaltered. The real and
+effective group IDs, however, are still set to match the target
+user. This flag is I<off> by default.
+
=item requiretty
If set, B<sudo> will only run when the user is logged in to a real
tty. This will disallow things like C<"rsh somehost sudo ls"> since
-rsh(1) does not allocate a tty. Because it is not possible to turn
-of echo when there is no tty present, some sites may with to set
+L<rsh(1)> does not allocate a tty. Because it is not possible to turn
+off echo when there is no tty present, some sites may wish to set
this flag to prevent a user from entering a visible password. This
flag is I<off> by default.
-=item env_editor
+=item root_sudo
-If set, B<visudo> will use the value of the EDITOR or VISUAL
-environment variables before falling back on the default editor list.
-Note that this may create a security hole as it allows the user to
-run any arbitrary command as root without logging. A safer alternative
-is to place a colon-separated list of editors in the C<editor>
-variable. B<visudo> will then only use the EDITOR or VISUAL if
-they match a value specified in C<editor>. This flag is C<@env_editor@> by
-default.
+If set, root is allowed to run B<sudo> too. Disabling this prevents users
+from "chaining" B<sudo> commands to get a root shell by doing something
+like C<"sudo sudo /bin/sh">. Note, however, that turning off I<root_sudo>
+will also prevent root and from running B<sudoedit>.
+Disabling I<root_sudo> provides no real additional security; it
+exists purely for historical reasons.
+This flag is I<@root_sudo@> by default.
=item rootpw
=item runaspw
If set, B<sudo> will prompt for the password of the user defined by the
-I<runas_default> option (defaults to C<root>) instead of the password
-of the invoking user. This flag is I<off> by default.
+I<runas_default> option (defaults to C<@runas_default@>) instead of the
+password of the invoking user. This flag is I<off> by default.
-=item targetpw
+=item set_home
-If set, B<sudo> will prompt for the password of the user specified by
-the B<-u> flag (defaults to C<root>) instead of the password of the
-invoking user. This flag is I<off> by default.
+If set and B<sudo> is invoked with the B<-s> flag the C<HOME>
+environment variable will be set to the home directory of the target
+user (which is root unless the B<-u> option is used). This effectively
+makes the B<-s> flag imply B<-H>. This flag is I<off> by default.
=item set_logname
-Normally, B<sudo> will set the C<LOGNAME> and C<USER> environment variables
-to the name of the target user (usually root unless the B<-u> flag is given).
-However, since some programs (including the RCS revision control system)
-use C<LOGNAME> to determine the real identity of the user, it may be desirable
-to change this behavior. This can be done by negating the set_logname option.
+Normally, B<sudo> will set the C<LOGNAME>, C<USER> and C<USERNAME>
+environment variables to the name of the target user (usually root
+unless the B<-u> flag is given). However, since some programs
+(including the RCS revision control system) use C<LOGNAME> to
+determine the real identity of the user, it may be desirable to
+change this behavior. This can be done by negating the set_logname
+option. Note that if the I<env_reset> option has not been disabled,
+entries in the I<env_keep> list will override the value of
+I<set_logname>. This flag is I<off> by default.
+
+=item setenv
+
+Allow the user to disable the I<env_reset> option from the command
+line. Additionally, environment variables set via the command line
+are not subject to the restrictions imposed by I<env_check>,
+I<env_delete>, or I<env_keep>. As such, only trusted users should
+be allowed to set variables in this manner. This flag is I<off>
+by default.
+
+=item shell_noargs
+
+If set and B<sudo> is invoked with no arguments it acts as if the
+B<-s> flag had been given. That is, it runs a shell as root (the
+shell is determined by the C<SHELL> environment variable if it is
+set, falling back on the shell listed in the invoking user's
+/etc/passwd entry if not). This flag is I<off> by default.
=item stay_setuid
changes that behavior such that the real UID is left as the invoking
user's UID. In other words, this makes B<sudo> act as a setuid
wrapper. This can be useful on systems that disable some potentially
-dangerous functionality when a program is run setuid. Note, however,
-that this means that sudo will run with the real uid of the invoking
-user which may allow that user to kill B<sudo> before it can log a
-failure, depending on how your OS defines the interaction between
-signals and setuid processes.
+dangerous functionality when a program is run setuid. This option
+is only effective on systems with either the setreuid() or setresuid()
+function. This flag is I<off> by default.
-=item env_reset
+=item targetpw
-If set, B<sudo> will reset the environment to only contain the
-following variables: C<HOME>, C<LOGNAME>, C<PATH>, C<SHELL>, C<TERM>,
-and C<USER> (in addition to the C<SUDO_*> variables).
-Of these, only C<TERM> is copied unaltered from the old environment.
-The other variables are set to default values (possibly modified
-by the value of the I<set_logname> option). If B<sudo> was compiled
-with the C<SECURE_PATH> option, its value will be used for the C<PATH>
-environment variable.
-Other variables may be preserved with the I<env_keep> option.
+If set, B<sudo> will prompt for the password of the user specified by
+the B<-u> flag (defaults to C<root>) instead of the password of the
+invoking user. Note that this precludes the use of a uid not listed
+in the passwd database as an argument to the B<-u> flag.
+This flag is I<off> by default.
+
+=item tty_tickets
+
+If set, users must authenticate on a per-tty basis. Normally,
+B<sudo> uses a directory in the ticket dir with the same name as
+the user running it. With this flag enabled, B<sudo> will use a
+file named for the tty the user is logged in on in that directory.
+This flag is I<@tty_tickets@> by default.
=item use_loginclass
B<Integers>:
-=over 12
+=over 16
=item passwd_tries
B<Integers that can be used in a boolean context>:
-=over 12
+=over 16
=item loglinelen
effect on the syslog log file, only the file log. The default is
C<@loglen@> (use 0 or negate the option to disable word wrap).
+=item passwd_timeout
+
+Number of minutes before the B<sudo> password prompt times out.
+The default is C<@password_timeout@>; set this to C<0> for no password timeout.
+
=item timestamp_timeout
Number of minutes that can elapse before B<sudo> will ask for a
expire. This can be used to allow users to create or delete their
own timestamps via C<sudo -v> and C<sudo -k> respectively.
-=item passwd_timeout
-
-Number of minutes before the B<sudo> password prompt times out.
-The default is C<@password_timeout@>, set this to C<0> for no password timeout.
-
=item umask
Umask to use when running the command. Negate this option or set
B<Strings>:
-=over 12
+=over 16
+
+=item badpass_message
+
+Message that is displayed if a user enters an incorrect password.
+The default is C<@badpass_message@> unless insults are enabled.
+
+=item editor
+
+A colon (':') separated list of editors allowed to be used with
+B<visudo>. B<visudo> will choose the editor that matches the user's
+EDITOR environment variable if possible, or the first editor in the
+list that exists and is executable. The default is the path to vi
+on your system.
=item mailsub
will expand to the hostname of the machine.
Default is C<@mailsub@>.
-=item badpass_message
+=item noexec_file
-Message that is displayed if a user enters an incorrect password.
-The default is C<@badpass_message@> unless insults are enabled.
+Path to a shared library containing dummy versions of the execv(),
+execve() and fexecve() library functions that just return an error.
+This is used to implement the I<noexec> functionality on systems that
+support C<LD_PRELOAD> or its equivalent. Defaults to F<@noexec_file@>.
+
+=item passprompt
+
+The default prompt to use when asking for a password; can be overridden
+via the B<-p> option or the C<SUDO_PROMPT> environment variable.
+The following percent (`C<%>') escapes are supported:
+
+=over 4
+
+=item C<%H>
+
+expanded to the local hostname including the domain name
+(on if the machine's hostname is fully qualified or the I<fqdn>
+option is set)
+
+=item C<%h>
+
+expanded to the local hostname without the domain name
+
+=item C<%U>
+
+expanded to the login name of the user the command will
+be run as (defaults to root)
+
+=item C<%u>
+
+expanded to the invoking user's login name
-=item timestampdir
+=item C<%%>
-The directory in which B<sudo> stores its timestamp files.
-The default is F<@timedir@>.
+two consecutive C<%> characters are collapsed into a single C<%> character
-=item passprompt
+=back
-The default prompt to use when asking for a password; can be overridden
-via the B<-p> option or the C<SUDO_PROMPT> environment variable. Supports
-two escapes: "%u" expands to the user's login name and "%h" expands
-to the local hostname. The default value is C<@passprompt@>.
+The default value is C<@passprompt@>.
=item runas_default
The default user to run commands as if the B<-u> flag is not specified
on the command line. This defaults to C<@runas_default@>.
+Note that if I<runas_default> is set it B<must> occur before
+any C<Runas_Alias> specifications.
+
+=item syslog_badpri
+
+Syslog priority to use when user authenticates unsuccessfully.
+Defaults to C<@badpri@>.
=item syslog_goodpri
Syslog priority to use when user authenticates successfully.
Defaults to C<@goodpri@>.
-=item syslog_badpri
+=item timestampdir
-Syslog priority to use when user authenticates unsuccessfully.
-Defaults to C<@badpri@>.
+The directory in which B<sudo> stores its timestamp files.
+The default is F<@timedir@>.
-=item editor
+=item timestampowner
-A colon (':') separated list of editors allowed to be used with
-B<visudo>. B<visudo> will choose the editor that matches the user's
-USER environment variable if possible, or the first editor in the
-list that exists and is executable. The default is the path to vi
-on your system.
+The owner of the timestamp directory and the timestamps stored therein.
+The default is C<root>.
=back
=over 12
-=item logfile
+=item exempt_group
-Path to the B<sudo> log file (not the syslog log file). Setting a path
-turns on logging to a file; negating this option turns it off.
+Users in this group are exempt from password and PATH requirements.
+This is not set by default.
-=item syslog
+=item lecture
-Syslog facility if syslog is being used for logging (negate to
-disable syslog logging). Defaults to C<@logfac@>.
+This option controls when a short lecture will be printed along with
+the password prompt. It has the following possible values:
-=item mailerpath
+=over 8
-Path to mail program used to send warning mail.
-Defaults to the path to sendmail found at configure time.
+=item always
-=item mailerflags
+Always lecture the user.
-Flags to use when invoking mailer. Defaults to B<-t>.
+=item never
-=item mailto
+Never lecture the user.
-Address to send warning and error mail to. The address should
-be enclosed in double quotes (C<">) to protect against sudo
-interpreting the C<@> sign. Defaults to C<@mailto@>.
+=item once
-=item exempt_group
+Only lecture the user the first time they run B<sudo>.
-Users in this group are exempt from password and PATH requirements.
-This is not set by default.
+=back
-=item verifypw
+If no value is specified, a value of I<once> is implied.
+Negating the option results in a value of I<never> being used.
+The default value is I<@lecture@>.
-This option controls when a password will be required when a user runs
-B<sudo> with the B<-v> flag. It has the following possible values:
+=item lecture_file
+
+Path to a file containing an alternate B<sudo> lecture that will
+be used in place of the standard lecture if the named file exists.
+By default, B<sudo> uses a built-in lecture.
+
+=item listpw
+
+This option controls when a password will be required when a
+user runs B<sudo> with the B<-l> flag. It has the following possible values:
=over 8
All the user's I<sudoers> entries for the current host must have
the C<NOPASSWD> flag set to avoid entering a password.
+=item always
+
+The user must always enter a password to use the B<-l> flag.
+
=item any
At least one of the user's I<sudoers> entries for the current host
=item never
-The user need never enter a password to use the B<-v> flag.
+The user need never enter a password to use the B<-l> flag.
-=item always
+=back
-The user must always enter a password to use the B<-v> flag.
+If no value is specified, a value of I<any> is implied.
+Negating the option results in a value of I<never> being used.
+The default value is I<any>.
-=back
+=item logfile
-The default value is `all'.
+Path to the B<sudo> log file (not the syslog log file). Setting a path
+turns on logging to a file; negating this option turns it off.
+By default, B<sudo> logs via syslog.
-=item listpw
+=item mailerflags
-This option controls when a password will be required when a
-user runs B<sudo> with the B<-l>. It has the following possible values:
+Flags to use when invoking mailer. Defaults to B<-t>.
+
+=item mailerpath
+
+Path to mail program used to send warning mail.
+Defaults to the path to sendmail found at configure time.
+
+=item mailto
+
+Address to send warning and error mail to. The address should
+be enclosed in double quotes (C<">) to protect against B<sudo>
+interpreting the C<@> sign. Defaults to C<@mailto@>.
+
+=item syslog
+
+Syslog facility if syslog is being used for logging (negate to
+disable syslog logging). Defaults to C<@logfac@>.
+
+=item verifypw
+
+This option controls when a password will be required when a user runs
+B<sudo> with the B<-v> flag. It has the following possible values:
=over 8
All the user's I<sudoers> entries for the current host must have
the C<NOPASSWD> flag set to avoid entering a password.
+=item always
+
+The user must always enter a password to use the B<-v> flag.
+
=item any
At least one of the user's I<sudoers> entries for the current host
=item never
-The user need never enter a password to use the B<-l> flag.
-
-=item always
-
-The user must always enter a password to use the B<-l> flag.
+The user need never enter a password to use the B<-v> flag.
=back
-The default value is `any'.
+If no value is specified, a value of I<all> is implied.
+Negating the option results in a value of I<never> being used.
+The default value is I<all>.
=back
B<Lists that can be used in a boolean context>:
-=over 12
+=over 16
=item env_check
Environment variables to be removed from the user's environment if
the variable's value contains C<%> or C</> characters. This can
-be used to guard against printf-style format vulnerabilties in
+be used to guard against printf-style format vulnerabilities in
poorly-written programs. The argument may be a double-quoted,
space-separated list or a single value without double-quotes. The
list can be replaced, added to, deleted from, or disabled by using
-the C<=>, C<+=>, C<-=>, and C<!> operators respectively. The default
-list of environment variable to check is printed when B<sudo> is
-run by root with the I<-V> option.
+the C<=>, C<+=>, C<-=>, and C<!> operators respectively. Regardless
+of whether the C<env_reset> option is enabled or disabled, variables
+specified by C<env_check> will be preserved in the environment if
+they pass the aforementioned check. The default list of environment
+variables to check is displayed when B<sudo> is run by root with
+the I<-V> option.
=item env_delete
single value without double-quotes. The list can be replaced, added
to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and
C<!> operators respectively. The default list of environment
-variable to remove is printed when B<sudo> is run by root with the
-I<-V> option.
+variables to remove is displayed when B<sudo> is run by root with the
+I<-V> option. Note that many operating systems will remove potentially
+dangerous variables from the environment of any setuid process (such
+as B<sudo>).
=item env_keep
The argument may be a double-quoted, space-separated list or a
single value without double-quotes. The list can be replaced, added
to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and
-C<!> operators respectively. This list has no default members.
-
-=back
-
-When logging via syslog(3), B<sudo> accepts the following values for the syslog
-facility (the value of the B<syslog> Parameter): B<authpriv> (if your OS
-supports it), B<auth>, B<daemon>, B<user>, B<local0>, B<local1>, B<local2>,
-B<local3>, B<local4>, B<local5>, B<local6>, and B<local7>. The following
-syslog priorities are supported: B<alert>, B<crit>, B<debug>, B<emerg>,
-B<err>, B<info>, B<notice>, and B<warning>.
-
-=head2 User Specification
-
- User_Spec ::= User_list Host_List '=' Cmnd_Spec_List \
- (':' User_Spec)*
-
- Cmnd_Spec_List ::= Cmnd_Spec |
- Cmnd_Spec ',' Cmnd_Spec_List
-
- Cmnd_Spec ::= Runas_Spec? ('NOPASSWD:' | 'PASSWD:')? Cmnd
-
- Runas_Spec ::= '(' Runas_List ')'
-
-A B<user specification> determines which commands a user may run
-(and as what user) on specified hosts. By default, commands are
-run as B<root>, but this can be changed on a per-command basis.
-
-Let's break that down into its constituent parts:
-
-=head2 Runas_Spec
-
-A C<Runas_Spec> is simply a C<Runas_List> (as defined above)
-enclosed in a set of parentheses. If you do not specify a
-C<Runas_Spec> in the user specification, a default C<Runas_Spec>
-of B<root> will be used. A C<Runas_Spec> sets the default for
-commands that follow it. What this means is that for the entry:
-
- dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/who
-
-The user B<dgb> may run F</bin/ls>, F</bin/kill>, and
-F</usr/bin/lprm> -- but only as B<operator>. E.g.,
-
- sudo -u operator /bin/ls.
-
-It is also possible to override a C<Runas_Spec> later on in an
-entry. If we modify the entry like so:
-
- dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
-
-Then user B<dgb> is now allowed to run F</bin/ls> as B<operator>,
-but F</bin/kill> and F</usr/bin/lprm> as B<root>.
-
-=head2 NOPASSWD and PASSWD
-
-By default, B<sudo> requires that a user authenticate him or herself
-before running a command. This behavior can be modified via the
-C<NOPASSWD> tag. Like a C<Runas_Spec>, the C<NOPASSWD> tag sets
-a default for the commands that follow it in the C<Cmnd_Spec_List>.
-Conversely, the C<PASSWD> tag can be used to reverse things.
-For example:
-
- ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
-
-would allow the user B<ray> to run F</bin/kill>, F</bin/ls>, and
-F</usr/bin/lprm> as root on the machine rushmore as B<root> without
-authenticating himself. If we only want B<ray> to be able to
-run F</bin/kill> without a password the entry would be:
-
- ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
-
-Note, however, that the C<PASSWD> tag has no effect on users who are
-in the group specified by the exempt_group option.
-
-By default, if the C<NOPASSWD> tag is applied to any of the entries
-for a user on the current host, he or she will be able to run
-C<sudo -l> without a password. Additionally, a user may only run
-C<sudo -v> without a password if the C<NOPASSWD> tag is present
-for all a user's entries that pertain to the current host.
-This behavior may be overridden via the verifypw and listpw options.
-
-=head2 Wildcards (aka meta characters):
-
-B<sudo> allows shell-style I<wildcards> to be used in pathnames
-as well as command line arguments in the I<sudoers> file. Wildcard
-matching is done via the B<POSIX> C<fnmatch(3)> routine. Note that
-these are I<not> regular expressions.
-
-=over 8
-
-=item C<*>
-
-Matches any set of zero or more characters.
-
-=item C<?>
-
-Matches any single character.
-
-=item C<[...]>
-
-Matches any character in the specified range.
-
-=item C<[!...]>
-
-Matches any character B<not> in the specified range.
-
-=item C<\x>
-
-For any character "x", evaluates to "x". This is used to
-escape special characters such as: "*", "?", "[", and "}".
+C<!> operators respectively. The default list of variables to keep
+is displayed when B<sudo> is run by root with the I<-V> option.
=back
-Note that a forward slash ('/') will B<not> be matched by
-wildcards used in the pathname. When matching the command
-line arguments, however, as slash B<does> get matched by
-wildcards. This is to make a path like:
-
- /usr/bin/*
-
-match C</usr/bin/who> but not C</usr/bin/X11/xterm>.
+When logging via L<syslog(3)>, B<sudo> accepts the following values
+for the syslog facility (the value of the B<syslog> Parameter):
+B<authpriv> (if your OS supports it), B<auth>, B<daemon>, B<user>,
+B<local0>, B<local1>, B<local2>, B<local3>, B<local4>, B<local5>,
+B<local6>, and B<local7>. The following syslog priorities are
+supported: B<alert>, B<crit>, B<debug>, B<emerg>, B<err>, B<info>,
+B<notice>, and B<warning>.
-=head2 Exceptions to wildcard rules:
+=head1 FILES
-The following exceptions apply to the above rules:
+=over 4
-=over 8
+=item F<@sysconfdir@/sudoers>C< >
+List of who can run what
-=item C<"">
+=item F</etc/group>C< >
+Local groups file
-If the empty string C<""> is the only command line argument in the
-I<sudoers> entry it means that command is not allowed to be run
-with B<any> arguments.
+=item F</etc/netgroup>C< >
+List of network groups
=back
-=head2 Other special characters and reserved words:
-
-The pound sign ('#') is used to indicate a comment (unless it
-occurs in the context of a user name and is followed by one or
-more digits, in which case it is treated as a uid). Both the
-comment character and any text after it, up to the end of the line,
-are ignored.
-
-The reserved word B<ALL> is a built in I<alias> that always causes
-a match to succeed. It can be used wherever one might otherwise
-use a C<Cmnd_Alias>, C<User_Alias>, C<Runas_Alias>, or C<Host_Alias>.
-You should not try to define your own I<alias> called B<ALL> as the
-built in alias will be used in preference to your own. Please note
-that using B<ALL> can be dangerous since in a command context, it
-allows the user to run B<any> command on the system.
-
-An exclamation point ('!') can be used as a logical I<not> operator
-both in an I<alias> and in front of a C<Cmnd>. This allows one to
-exclude certain values. Note, however, that using a C<!> in
-conjunction with the built in C<ALL> alias to allow a user to
-run "all but a few" commands rarely works as intended (see SECURITY
-NOTES below).
-
-Long lines can be continued with a backslash ('\') as the last
-character on the line.
-
-Whitespace between elements in a list as well as special syntactic
-characters in a I<User Specification> ('=', ':', '(', ')') is optional.
-
-The following characters must be escaped with a backslash ('\') when
-used as part of a word (e.g. a username or hostname):
-'@', '!', '=', ':', ',', '(', ')', '\'.
-
=head1 EXAMPLES
+Since the I<sudoers> file is parsed in a single pass, order is
+important. In general, you should structure I<sudoers> such that
+the C<Host_Alias>, C<User_Alias>, and C<Cmnd_Alias> specifications
+come first, followed by any C<Default_Entry> lines, and finally the
+C<Runas_Alias> and user specifications. The basic rule of thumb
+is you cannot reference an Alias that has not already been defined.
+
Below are example I<sudoers> entries. Admittedly, some of
these are a bit contrived. First, we define our I<aliases>:
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
- Cmnd_Alias HALT = /usr/sbin/halt, /usr/sbin/fasthalt
- Cmnd_Alias REBOOT = /usr/sbin/reboot, /usr/sbin/fastboot
+ Cmnd_Alias HALT = /usr/sbin/halt
+ Cmnd_Alias REBOOT = /usr/sbin/reboot
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
/usr/local/bin/tcsh, /usr/bin/rsh, \
/usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
+ Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
Here we override some of the compiled in default values. We want
-B<sudo> to log via syslog(3) using the I<auth> facility in all cases.
-We don't want to subject the full time staff to the B<sudo> lecture,
-and user B<millert> need not give a password. In addition, on the
+B<sudo> to log via L<syslog(3)> using the I<auth> facility in all
+cases. We don't want to subject the full time staff to the B<sudo>
+lecture, user B<millert> need not give a password, and we don't
+want to reset the C<LOGNAME>, C<USER> or C<USERNAME> environment
+variables when running commands as root. Additionally, on the
machines in the I<SERVERS> C<Host_Alias>, we keep an additional
local log file and make sure we log the year in each log line since
-the log entries will be kept around for several years.
+the log entries will be kept around for several years. Lastly, we
+disable shell escapes for the commands in the PAGERS C<Cmnd_Alias>
+(F</usr/bin/more>, F</usr/bin/pg> and F</usr/bin/less>).
- # Override built in defaults
+ # Override built-in defaults
Defaults syslog=auth
+ Defaults>root !set_logname
Defaults:FULLTIMERS !lecture
Defaults:millert !authenticate
Defaults@SERVERS log_year, logfile=/var/log/sudo.log
+ Defaults!PAGERS noexec
The I<User specification> is the part that actually determines who may
run what.
The user B<lisa> may run any command on any host in the I<CUNETS> alias
(the class B network C<128.138.0.0>).
- operator ALL = DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT,\
- /usr/oper/bin/
+ operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
+ sudoedit /etc/printcap, /usr/oper/bin/
The B<operator> user may run commands limited to simple maintenance.
Here, those are commands related to backups, killing processes, the
joe ALL = /usr/bin/su operator
-The user B<joe> may only su(1) to operator.
+The user B<joe> may only L<su(1)> to operator.
pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
The user B<pete> is allowed to change anyone's password except for
-root on the I<HPPA> machines. Note that this assumes passwd(1)
+root on the I<HPPA> machines. Note that this assumes L<passwd(1)>
does not take multiple usernames on the command line.
bob SPARC = (OP) ALL : SGI = (OP) ALL
jim +biglab = ALL
The user B<jim> may run any command on machines in the I<biglab> netgroup.
-B<Sudo> knows that "biglab" is a netgroup due to the '+' prefix.
+B<sudo> knows that "biglab" is a netgroup due to the '+' prefix.
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
On the I<ALPHA> machines, user B<john> may su to anyone except root
-but he is not allowed to give su(1) any flags.
+but he is not allowed to give L<su(1)> any flags.
jen ALL, !SERVERS = ALL
jill SERVERS = /usr/bin/, !SU, !SHELLS
For any machine in the I<SERVERS> C<Host_Alias>, B<jill> may run
-any commands in the directory /usr/bin/ except for those commands
+any commands in the directory F</usr/bin/> except for those commands
belonging to the I<SU> and I<SHELLS> C<Cmnd_Aliases>.
steve CSNETS = (operator) /usr/local/op_commands/
On the host www, any user in the I<WEBMASTERS> C<User_Alias> (will,
wendy, and wim), may run any command as user www (which owns the
-web pages) or simply su(1) to www.
+web pages) or simply L<su(1)> to www.
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
/sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
program. Therefore, these kind of restrictions should be considered
advisory at best (and reinforced by policy).
+=head1 PREVENTING SHELL ESCAPES
+
+Once B<sudo> executes a program, that program is free to do whatever
+it pleases, including run other programs. This can be a security
+issue since it is not uncommon for a program to allow shell escapes,
+which lets a user bypass B<sudo>'s access control and logging.
+Common programs that permit shell escapes include shells (obviously),
+editors, paginators, mail and terminal programs.
+
+There are two basic approaches to this problem:
+
+=over 10
+
+=item restrict
+
+Avoid giving users access to commands that allow the user to run
+arbitrary commands. Many editors have a restricted mode where shell
+escapes are disabled, though B<sudoedit> is a better solution to
+running editors via B<sudo>. Due to the large number of programs that
+offer shell escapes, restricting users to the set of programs that
+do not if often unworkable.
+
+=item noexec
+
+Many systems that support shared libraries have the ability to
+override default library functions by pointing an environment
+variable (usually C<LD_PRELOAD>) to an alternate shared library.
+On such systems, B<sudo>'s I<noexec> functionality can be used to
+prevent a program run by B<sudo> from executing any other programs.
+Note, however, that this applies only to native dynamically-linked
+executables. Statically-linked executables and foreign executables
+running under binary emulation are not affected.
+
+To tell whether or not B<sudo> supports I<noexec>, you can run
+the following as root:
+
+ sudo -V | grep "dummy exec"
+
+If the resulting output contains a line that begins with:
+
+ File containing dummy exec functions:
+
+then B<sudo> may be able to replace the exec family of functions
+in the standard library with its own that simply return an error.
+Unfortunately, there is no foolproof way to know whether or not
+I<noexec> will work at compile-time. I<noexec> should work on
+SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX, MacOS X, and HP-UX
+11.x. It is known B<not> to work on AIX and UnixWare. I<noexec>
+is expected to work on most operating systems that support the
+C<LD_PRELOAD> environment variable. Check your operating system's
+manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld,
+dld.sl, rld, or loader) to see if C<LD_PRELOAD> is supported.
+
+To enable I<noexec> for a command, use the C<NOEXEC> tag as documented
+in the User Specification section above. Here is that example again:
+
+ aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+
+This allows user B<aaron> to run F</usr/bin/more> and F</usr/bin/vi>
+with I<noexec> enabled. This will prevent those two commands from
+executing other commands (such as a shell). If you are unsure
+whether or not your system is capable of supporting I<noexec> you
+can always just try it out and see if it works.
+
+=back
+
+Note that restricting shell escapes is not a panacea. Programs
+running as root are still capable of many potentially hazardous
+operations (such as changing or overwriting files) that could lead
+to unintended privilege escalation. In the specific case of an
+editor, a safer approach is to give the user permission to run
+B<sudoedit>.
+
+=head1 SEE ALSO
+
+L<rsh(1)>, L<su(1)>, L<fnmatch(3)>, L<sudo(8)>, L<visudo(8)>
+
=head1 CAVEATS
The I<sudoers> file should B<always> be edited by the B<visudo>
as returned by the C<hostname> command or use the I<fqdn> option in
I<sudoers>.
-=head1 FILES
+=head1 BUGS
- @sysconfdir@/sudoers List of who can run what
- /etc/group Local groups file
- /etc/netgroup List of network groups
+If you feel you have found a bug in B<sudo>, please submit a bug report
+at http://www.sudo.ws/sudo/bugs/
-=head1 SEE ALSO
+=head1 SUPPORT
+
+Limited free support is available via the sudo-users mailing list,
+see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
+search the archives.
+
+=head1 DISCLAIMER
-rsh(1), sudo(8), visudo(8), su(1), fnmatch(3).
+B<sudo> is provided ``AS IS'' and any express or implied warranties,
+including, but not limited to, the implied warranties of merchantability
+and fitness for a particular purpose are disclaimed. See the LICENSE
+file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
+for complete details.