X-Git-Url: https://git.gag.com/?a=blobdiff_plain;f=doc%2Fsudoers.cat;fp=doc%2Fsudoers.cat;h=6033d16fb7aee5a3345a3b2dc4aee77e2cb92740;hb=6ad45aa23af5f5f3b54468937d6a13089201b891;hp=0000000000000000000000000000000000000000;hpb=97bd3ae46779c69fcdab82d0c64bdf05be009ec3;p=debian%2Fsudo diff --git a/doc/sudoers.cat b/doc/sudoers.cat new file mode 100644 index 0000000..6033d16 --- /dev/null +++ b/doc/sudoers.cat 
@@ -0,0 +1,1817 @@ +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + + +NNAAMMEE + sudoers - default sudo security policy module + +DDEESSCCRRIIPPTTIIOONN + The _s_u_d_o_e_r_s policy module determines a user's ssuuddoo privileges. It is + the default ssuuddoo policy plugin. The policy is driven by the + _/_e_t_c_/_s_u_d_o_e_r_s file or, optionally in LDAP. The policy format is + described in detail in the "SUDOERS FILE FORMAT" section. For + information on storing _s_u_d_o_e_r_s policy information in LDAP, please see + _s_u_d_o_e_r_s_._l_d_a_p(4). + + AAuutthheennttiiccaattiioonn aanndd LLooggggiinngg + The _s_u_d_o_e_r_s security policy requires that most users authenticate + themselves before they can use ssuuddoo. A password is not required if the + invoking user is root, if the target user is the same as the invoking + user, or if the policy has disabled authentication for the user or + command. Unlike _s_u(1), when _s_u_d_o_e_r_s requires authentication, it + validates the invoking user's credentials, not the target user's (or + root's) credentials. This can be changed via the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and + _r_u_n_a_s_p_w flags, described later. + + If a user who is not listed in the policy tries to run a command via + ssuuddoo, mail is sent to the proper authorities. The address used for + such mail is configurable via the _m_a_i_l_t_o Defaults entry (described + later) and defaults to root. + + Note that mail will not be sent if an unauthorized user tries to run + ssuuddoo with the --ll or --vv option. This allows users to determine for + themselves whether or not they are allowed to use ssuuddoo. + + If ssuuddoo is run by root and the SUDO_USER environment variable is set, + the _s_u_d_o_e_r_s policy will use this value to determine who the actual user + is. This can be used by a user to log commands through sudo even when + a root shell has been invoked. 
It also allows the --ee option to remain + useful even when invoked via a sudo-run script or program. Note, + however, that the _s_u_d_o_e_r_s lookup is still done for root, not the user + specified by SUDO_USER. + + _s_u_d_o_e_r_s uses time stamp files for credential caching. Once a user has + been authenticated, a time stamp is updated and the user may then use + sudo without a password for a short period of time (5 minutes unless + overridden by the _t_i_m_e_o_u_t option. By default, _s_u_d_o_e_r_s uses a tty-based + time stamp which means that there is a separate time stamp for each of + a user's login sessions. The _t_t_y___t_i_c_k_e_t_s option can be disabled to + force the use of a single time stamp for all of a user's sessions. + + _s_u_d_o_e_r_s can log both successful and unsuccessful attempts (as well as + errors) to _s_y_s_l_o_g(3), a log file, or both. By default, _s_u_d_o_e_r_s will + log via _s_y_s_l_o_g(3) but this is changeable via the _s_y_s_l_o_g and _l_o_g_f_i_l_e + Defaults settings. + + _s_u_d_o_e_r_s also supports logging a command's input and output streams. + I/O logging is not on by default but can be enabled using the _l_o_g___i_n_p_u_t + and _l_o_g___o_u_t_p_u_t Defaults flags as well as the LOG_INPUT and LOG_OUTPUT + command tags. + + CCoommmmaanndd EEnnvviirroonnmmeenntt + Since environment variables can influence program behavior, _s_u_d_o_e_r_s + provides a means to restrict which variables from the user's + environment are inherited by the command to be run. There are two + distinct ways _s_u_d_o_e_r_s can deal with environment variables. + + By default, the _e_n_v___r_e_s_e_t option is enabled. This causes commands to + be executed with a new, minimal environment. On AIX (and Linux systems + without PAM), the environment is initialized with the contents of the + _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t file. 
On BSD systems, if the _u_s_e___l_o_g_i_n_c_l_a_s_s option is + enabled, the environment is initialized based on the _p_a_t_h and _s_e_t_e_n_v + settings in _/_e_t_c_/_l_o_g_i_n_._c_o_n_f. The new environment contains the TERM, + PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables + in addition to variables from the invoking process permitted by the + _e_n_v___c_h_e_c_k and _e_n_v___k_e_e_p options. This is effectively a whitelist for + environment variables. + + If, however, the _e_n_v___r_e_s_e_t option is disabled, any variables not + explicitly denied by the _e_n_v___c_h_e_c_k and _e_n_v___d_e_l_e_t_e options are inherited + from the invoking process. In this case, _e_n_v___c_h_e_c_k and _e_n_v___d_e_l_e_t_e + behave like a blacklist. Since it is not possible to blacklist all + potentially dangerous environment variables, use of the default + _e_n_v___r_e_s_e_t behavior is encouraged. + + In all cases, environment variables with a value beginning with () are + removed as they could be interpreted as bbaasshh functions. The list of + environment variables that ssuuddoo allows or denies is contained in the + output of sudo -V when run as root. + + Note that the dynamic linker on most operating systems will remove + variables that can control dynamic linking from the environment of + setuid executables, including ssuuddoo. Depending on the operating system + this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and + others. These type of variables are removed from the environment + before ssuuddoo even begins execution and, as such, it is not possible for + ssuuddoo to preserve them. + + As a special case, if ssuuddoo's --ii option (initial login) is specified, + _s_u_d_o_e_r_s will initialize the environment regardless of the value of + _e_n_v___r_e_s_e_t. The _D_I_S_P_L_A_Y, _P_A_T_H and _T_E_R_M variables remain unchanged; + _H_O_M_E, _M_A_I_L, _S_H_E_L_L, _U_S_E_R, and _L_O_G_N_A_M_E are set based on the target user. 
+ On AIX (and Linux systems without PAM), the contents of + _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t are also included. On BSD systems, if the + _u_s_e___l_o_g_i_n_c_l_a_s_s option is enabled, the _p_a_t_h and _s_e_t_e_n_v variables in + _/_e_t_c_/_l_o_g_i_n_._c_o_n_f are also applied. All other environment variables are + removed. + + Finally, if the _e_n_v___f_i_l_e option is defined, any variables present in + that file will be set to their specified values as long as they would + not conflict with an existing environment variable. + +SSUUDDOOEERRSS FFIILLEE FFOORRMMAATT + The _s_u_d_o_e_r_s file is composed of two types of entries: aliases + (basically variables) and user specifications (which specify who may + run what). + + When multiple entries match for a user, they are applied in order. + Where there are multiple matches, the last match is used (which is not + necessarily the most specific match). + + The _s_u_d_o_e_r_s grammar will be described below in Extended Backus-Naur + Form (EBNF). Don't despair if you don't know what EBNF is; it is + fairly simple, and the definitions below are annotated. + + QQuuiicckk gguuiiddee ttoo EEBBNNFF + EBNF is a concise and exact way of describing the grammar of a + language. Each EBNF definition is made up of _p_r_o_d_u_c_t_i_o_n _r_u_l_e_s. E.g., + + symbol ::= definition | alternate1 | alternate2 ... + + Each _p_r_o_d_u_c_t_i_o_n _r_u_l_e references others and thus makes up a grammar for + the language. EBNF also contains the following operators, which many + readers will recognize from regular expressions. Do not, however, + confuse them with "wildcard" characters, which have different meanings. + + ? Means that the preceding symbol (or group of symbols) is optional. + That is, it may appear once or not at all. + + * Means that the preceding symbol (or group of symbols) may appear + zero or more times. + + + Means that the preceding symbol (or group of symbols) may appear + one or more times. 
+ + Parentheses may be used to group symbols together. For clarity, we + will use single quotes ('') to designate what is a verbatim character + string (as opposed to a symbol name). + + AAlliiaasseess + There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias + and Cmnd_Alias. + + Alias ::= 'User_Alias' User_Alias (':' User_Alias)* | + 'Runas_Alias' Runas_Alias (':' Runas_Alias)* | + 'Host_Alias' Host_Alias (':' Host_Alias)* | + 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)* + + User_Alias ::= NAME '=' User_List + + Runas_Alias ::= NAME '=' Runas_List + + Host_Alias ::= NAME '=' Host_List + + Cmnd_Alias ::= NAME '=' Cmnd_List + + NAME ::= [A-Z]([A-Z][0-9]_)* + + Each _a_l_i_a_s definition is of the form + + Alias_Type NAME = item1, item2, ... + + where _A_l_i_a_s___T_y_p_e is one of User_Alias, Runas_Alias, Host_Alias, or + Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and + underscore characters ('_'). A NAME mmuusstt start with an uppercase + letter. It is possible to put several alias definitions of the same + type on a single line, joined by a colon (':'). E.g., + + Alias_Type NAME = item1, item2, item3 : NAME = item4, item5 + + The definitions of what constitutes a valid _a_l_i_a_s member follow. + + User_List ::= User | + User ',' User_List + + User ::= '!'* user name | + '!'* #uid | + '!'* %group | + '!'* %#gid | + '!'* +netgroup | + '!'* %:nonunix_group | + '!'* %:#nonunix_gid | + '!'* User_Alias + + A User_List is made up of one or more user names, user ids (prefixed + with '#'), system group names and ids (prefixed with '%' and '%#' + respectively), netgroups (prefixed with '+'), non-Unix group names and + IDs (prefixed with '%:' and '%:#' respectively) and User_Aliases. Each + list item may be prefixed with zero or more '!' operators. An odd + number of '!' operators negate the value of the item; an even number + just cancel each other out. 
+ + A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid + may be enclosed in double quotes to avoid the need for escaping special + characters. Alternately, special characters may be specified in + escaped hex mode, e.g. \x20 for space. When using double quotes, any + prefix characters must be included inside the quotes. + + The actual nonunix_group and nonunix_gid syntax depends on the + underlying group provider plugin (see the _g_r_o_u_p___p_l_u_g_i_n description + below). For instance, the QAS AD plugin supports the following + formats: + + o Group in the same domain: "Group Name" + + o Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN" + + o Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567" + + Note that quotes around group names are optional. Unquoted strings + must use a backslash (\) to escape spaces and special characters. See + "Other special characters and reserved words" for a list of characters + that need to be escaped. + + Runas_List ::= Runas_Member | + Runas_Member ',' Runas_List + + Runas_Member ::= '!'* user name | + '!'* #uid | + '!'* %group | + '!'* %#gid | + '!'* %:nonunix_group | + '!'* %:#nonunix_gid | + '!'* +netgroup | + '!'* Runas_Alias + + A Runas_List is similar to a User_List except that instead of + User_Aliases it can contain Runas_Aliases. Note that user names and + groups are matched as strings. In other words, two users (groups) with + the same uid (gid) are considered to be distinct. If you wish to match + all user names with the same uid (e.g. root and toor), you can use a + uid instead (#0 in the example given). + + Host_List ::= Host | + Host ',' Host_List + + Host ::= '!'* host name | + '!'* ip_addr | + '!'* network(/netmask)? | + '!'* +netgroup | + '!'* Host_Alias + + A Host_List is made up of one or more host names, IP addresses, network + numbers, netgroups (prefixed with '+') and other aliases. Again, the + value of an item may be negated with the '!' operator. 
If you do not + specify a netmask along with the network number, ssuuddoo will query each + of the local host's network interfaces and, if the network number + corresponds to one of the hosts's network interfaces, the corresponding + netmask will be used. The netmask may be specified either in standard + IP address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or + CIDR notation (number of bits, e.g. 24 or 64). A host name may include + shell-style wildcards (see the Wildcards section below), but unless the + host name command on your machine returns the fully qualified host + name, you'll need to use the _f_q_d_n option for wildcards to be useful. + Note ssuuddoo only inspects actual network interfaces; this means that IP + address 127.0.0.1 (localhost) will never match. Also, the host name + "localhost" will only match if that is the actual host name, which is + usually only the case for non-networked systems. + + Cmnd_List ::= Cmnd | + Cmnd ',' Cmnd_List + + commandname ::= file name | + file name args | + file name '""' + + Cmnd ::= '!'* commandname | + '!'* directory | + '!'* "sudoedit" | + '!'* Cmnd_Alias + + A Cmnd_List is a list of one or more commandnames, directories, and + other aliases. A commandname is a fully qualified file name which may + include shell-style wildcards (see the Wildcards section below). A + simple file name allows the user to run the command with any arguments + he/she wishes. However, you may also specify command line arguments + (including wildcards). Alternately, you can specify "" to indicate + that the command may only be run wwiitthhoouutt command line arguments. A + directory is a fully qualified path name ending in a '/'. When you + specify a directory in a Cmnd_List, the user will be able to run any + file within that directory (but not in any subdirectories therein). 
+ + If a Cmnd has associated command line arguments, then the arguments in + the Cmnd must match exactly those given by the user on the command line + (or match the wildcards if there are any). Note that the following + characters must be escaped with a '\' if they are used in command + arguments: ',', ':', '=', '\'. The special command "sudoedit" is used + to permit a user to run ssuuddoo with the --ee option (or as ssuuddooeeddiitt). It + may take command line arguments just as a normal command does. + + DDeeffaauullttss + Certain configuration options may be changed from their default values + at runtime via one or more Default_Entry lines. These may affect all + users on any host, all users on a specific host, a specific user, a + specific command, or commands being run as a specific user. Note that + per-command entries may not include command line arguments. If you + need to specify arguments, define a Cmnd_Alias and reference that + instead. + + Default_Type ::= 'Defaults' | + 'Defaults' '@' Host_List | + 'Defaults' ':' User_List | + 'Defaults' '!' Cmnd_List | + 'Defaults' '>' Runas_List + + Default_Entry ::= Default_Type Parameter_List + + Parameter_List ::= Parameter | + Parameter ',' Parameter_List + + Parameter ::= Parameter '=' Value | + Parameter '+=' Value | + Parameter '-=' Value | + '!'* Parameter + + Parameters may be ffllaaggss, iinntteeggeerr values, ssttrriinnggss, or lliissttss. Flags are + implicitly boolean and can be turned off via the '!' operator. Some + integer, string and list parameters may also be used in a boolean + context to disable them. Values may be enclosed in double quotes (") + when they contain multiple words. Special characters may be escaped + with a backslash (\). + + Lists have two additional assignment operators, += and -=. These + operators are used to add to and delete from a list respectively. It + is not an error to use the -= operator to remove an element that does + not exist in a list. 
+ + Defaults entries are parsed in the following order: generic, host and + user Defaults first, then runas Defaults and finally command defaults. + + See "SUDOERS OPTIONS" for a list of supported Defaults parameters. + + UUsseerr SSppeecciiffiiccaattiioonn + User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \ + (':' Host_List '=' Cmnd_Spec_List)* + + Cmnd_Spec_List ::= Cmnd_Spec | + Cmnd_Spec ',' Cmnd_Spec_List + + Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd + + Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')' + + SELinux_Spec ::= ('ROLE=role' | 'TYPE=type') + + Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | + 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' | + 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:') + + A uusseerr ssppeecciiffiiccaattiioonn determines which commands a user may run (and as + what user) on specified hosts. By default, commands are run as rroooott, + but this can be changed on a per-command basis. + + The basic structure of a user specification is `who where = (as_whom) + what'. Let's break that down into its constituent parts: + + RRuunnaass__SSppeecc + A Runas_Spec determines the user and/or the group that a command may be + run as. A fully-specified Runas_Spec consists of two Runas_Lists (as + defined above) separated by a colon (':') and enclosed in a set of + parentheses. The first Runas_List indicates which users the command + may be run as via ssuuddoo's --uu option. The second defines a list of + groups that can be specified via ssuuddoo's --gg option. If both Runas_Lists + are specified, the command may be run with any combination of users and + groups listed in their respective Runas_Lists. If only the first is + specified, the command may be run as any user in the list but no --gg + option may be specified. If the first Runas_List is empty but the + second is specified, the command may be run as the invoking user with + the group set to any listed in the Runas_List. 
If no Runas_Spec is + specified the command may be run as rroooott and no group may be specified. + + A Runas_Spec sets the default for the commands that follow it. What + this means is that for the entry: + + dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm + + The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m -- but only + as ooppeerraattoorr. E.g., + + $ sudo -u operator /bin/ls + + It is also possible to override a Runas_Spec later on in an entry. If + we modify the entry like so: + + dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm + + Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, but _/_b_i_n_/_k_i_l_l + and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott. + + We can extend this to allow ddggbb to run /bin/ls with either the user or + group set to ooppeerraattoorr: + + dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \ + /usr/bin/lprm + + Note that while the group portion of the Runas_Spec permits the user to + run as command with that group, it does not force the user to do so. + If no group is specified on the command line, the command will run with + the group listed in the target user's password database entry. The + following would all be permitted by the sudoers entry above: + + $ sudo -u operator /bin/ls + $ sudo -u operator -g operator /bin/ls + $ sudo -g operator /bin/ls + + In the following example, user ttccmm may run commands that access a modem + device file with the dialer group. + + tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \ + /usr/local/bin/minicom + + Note that in this example only the group will be set, the command still + runs as user ttccmm. E.g. + + $ sudo -g dialer /usr/bin/cu + + Multiple users and groups may be present in a Runas_Spec, in which case + the user may select any combination of users and groups via the --uu and + --gg options. 
In this example: + + alan ALL = (root, bin : operator, system) ALL + + user aallaann may run any command as either user root or bin, optionally + setting the group to operator or system. + + SSEELLiinnuuxx__SSppeecc + On systems with SELinux support, _s_u_d_o_e_r_s entries may optionally have an + SELinux role and/or type associated with a command. If a role or type + is specified with the command it will override any default values + specified in _s_u_d_o_e_r_s. A role or type specified on the command line, + however, will supercede the values in _s_u_d_o_e_r_s. + + TTaagg__SSppeecc + A command may have zero or more tags associated with it. There are + eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, + NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a + tag is set on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit + the tag unless it is overridden by the opposite tag (i.e.: PASSWD + overrides NOPASSWD and NOEXEC overrides EXEC). + + _N_O_P_A_S_S_W_D _a_n_d _P_A_S_S_W_D + + By default, ssuuddoo requires that a user authenticate him or herself + before running a command. This behavior can be modified via the + NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for + the commands that follow it in the Cmnd_Spec_List. Conversely, the + PASSWD tag can be used to reverse things. For example: + + ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm + + would allow the user rraayy to run _/_b_i_n_/_k_i_l_l, _/_b_i_n_/_l_s, and _/_u_s_r_/_b_i_n_/_l_p_r_m + as rroooott on the machine rushmore without authenticating himself. If we + only want rraayy to be able to run _/_b_i_n_/_k_i_l_l without a password the entry + would be: + + ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm + + Note, however, that the PASSWD tag has no effect on users who are in + the group specified by the _e_x_e_m_p_t___g_r_o_u_p option. 
+ + By default, if the NOPASSWD tag is applied to any of the entries for a + user on the current host, he or she will be able to run sudo -l without + a password. Additionally, a user may only run sudo -v without a + password if the NOPASSWD tag is present for all a user's entries that + pertain to the current host. This behavior may be overridden via the + verifypw and listpw options. + + _N_O_E_X_E_C _a_n_d _E_X_E_C + + If ssuuddoo has been compiled with _n_o_e_x_e_c support and the underlying + operating system supports it, the NOEXEC tag can be used to prevent a + dynamically-linked executable from running further commands itself. + + In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e and + _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled. + + aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi + + See the "Preventing Shell Escapes" section below for more details on + how NOEXEC works and whether or not it will work on your system. + + _S_E_T_E_N_V _a_n_d _N_O_S_E_T_E_N_V + + These tags override the value of the _s_e_t_e_n_v option on a per-command + basis. Note that if SETENV has been set for a command, the user may + disable the _e_n_v___r_e_s_e_t option from the command line via the --EE option. + Additionally, environment variables set on the command line are not + subject to the restrictions imposed by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or + _e_n_v___k_e_e_p. As such, only trusted users should be allowed to set + variables in this manner. If the command matched is AALLLL, the SETENV + tag is implied for that command; this default may be overridden by use + of the NOSETENV tag. + + _L_O_G___I_N_P_U_T _a_n_d _N_O_L_O_G___I_N_P_U_T + + These tags override the value of the _l_o_g___i_n_p_u_t option on a per-command + basis. For more information, see the description of _l_o_g___i_n_p_u_t in the + "SUDOERS OPTIONS" section below. 
+ + _L_O_G___O_U_T_P_U_T _a_n_d _N_O_L_O_G___O_U_T_P_U_T + + These tags override the value of the _l_o_g___o_u_t_p_u_t option on a per-command + basis. For more information, see the description of _l_o_g___o_u_t_p_u_t in the + "SUDOERS OPTIONS" section below. + + WWiillddccaarrddss + ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob characters) to be + used in host names, path names and command line arguments in the + _s_u_d_o_e_r_s file. Wildcard matching is done via the PPOOSSIIXX _g_l_o_b(3) and + _f_n_m_a_t_c_h(3) routines. Note that these are _n_o_t regular expressions. + + * Matches any set of zero or more characters. + + ? Matches any single character. + + [...] Matches any character in the specified range. + + [!...] Matches any character nnoott in the specified range. + + \x For any character "x", evaluates to "x". This is used to + escape special characters such as: "*", "?", "[", and "}". + + POSIX character classes may also be used if your system's _g_l_o_b(3) and + _f_n_m_a_t_c_h(3) functions support them. However, because the ':' character + has special meaning in _s_u_d_o_e_r_s, it must be escaped. For example: + + /bin/ls [[\:alpha\:]]* + + Would match any file name beginning with a letter. + + Note that a forward slash ('/') will nnoott be matched by wildcards used + in the path name. When matching the command line arguments, however, a + slash ddooeess get matched by wildcards. This is to make a path like: + + /usr/bin/* + + match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m. + + EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess + The following exceptions apply to the above rules: + + "" If the empty string "" is the only command line argument in the + _s_u_d_o_e_r_s entry it means that command is not allowed to be run + with aannyy arguments. 
+ + IInncclluuddiinngg ootthheerr ffiilleess ffrroomm wwiitthhiinn ssuuddooeerrss + It is possible to include other _s_u_d_o_e_r_s files from within the _s_u_d_o_e_r_s + file currently being parsed using the #include and #includedir + directives. + + This can be used, for example, to keep a site-wide _s_u_d_o_e_r_s file in + addition to a local, per-machine file. For the sake of this example + the site-wide _s_u_d_o_e_r_s will be _/_e_t_c_/_s_u_d_o_e_r_s and the per-machine one will + be _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. To include _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l from within + _/_e_t_c_/_s_u_d_o_e_r_s we would use the following line in _/_e_t_c_/_s_u_d_o_e_r_s: + + #include /etc/sudoers.local + + When ssuuddoo reaches this line it will suspend processing of the current + file (_/_e_t_c_/_s_u_d_o_e_r_s) and switch to _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. Upon reaching + the end of _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l, the rest of _/_e_t_c_/_s_u_d_o_e_r_s will be + processed. Files that are included may themselves include other files. + A hard limit of 128 nested include files is enforced to prevent include + file loops. + + If the path to the include file is not fully-qualified (does not begin + with a _/), it must be located in the same directory as the sudoers file + it was included from. For example, if _/_e_t_c_/_s_u_d_o_e_r_s contains the line: + + #include sudoers.local + + the file that will be included is _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. + + The file name may also include the %h escape, signifying the short form + of the host name. I.e., if the machine's host name is "xerxes", then + + #include /etc/sudoers.%h + + will cause ssuuddoo to include the file _/_e_t_c_/_s_u_d_o_e_r_s_._x_e_r_x_e_s. + + The #includedir directive can be used to create a _s_u_d_o_._d directory that + the system package manager can drop _s_u_d_o_e_r_s rules into as part of + package installation. 
For example, given: + + #includedir /etc/sudoers.d + + ssuuddoo will read each file in _/_e_t_c_/_s_u_d_o_e_r_s_._d, skipping file names that + end in ~ or contain a . character to avoid causing problems with + package manager or editor temporary/backup files. Files are parsed in + sorted lexical order. That is, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_0_1___f_i_r_s_t will be parsed + before _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Be aware that because the sorting is + lexical, not numeric, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1___w_h_o_o_p_s would be loaded aafftteerr + _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Using a consistent number of leading zeroes + in the file names can be used to avoid such problems. + + Note that unlike files included via #include, vviissuuddoo will not edit the + files in a #includedir directory unless one of them contains a syntax + error. It is still possible to run vviissuuddoo with the -f flag to edit the + files directly. + + OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss + The pound sign ('#') is used to indicate a comment (unless it is part + of a #include directive or unless it occurs in the context of a user + name and is followed by one or more digits, in which case it is treated + as a uid). Both the comment character and any text after it, up to the + end of the line, are ignored. + + The reserved word AALLLL is a built-in _a_l_i_a_s that always causes a match to + succeed. It can be used wherever one might otherwise use a Cmnd_Alias, + User_Alias, Runas_Alias, or Host_Alias. You should not try to define + your own _a_l_i_a_s called AALLLL as the built-in alias will be used in + preference to your own. Please note that using AALLLL can be dangerous + since in a command context, it allows the user to run aannyy command on + the system. + + An exclamation point ('!') can be used as a logical _n_o_t operator both + in an _a_l_i_a_s and in front of a Cmnd. 
This allows one to exclude certain + values. Note, however, that using a ! in conjunction with the built-in + ALL alias to allow a user to run "all but a few" commands rarely works + as intended (see SECURITY NOTES below). + + Long lines can be continued with a backslash ('\') as the last + character on the line. + + Whitespace between elements in a list as well as special syntactic + characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n ('=', ':', '(', ')') is optional. + + The following characters must be escaped with a backslash ('\') when + used as part of a word (e.g. a user name or host name): '!', '=', ':', + ',', '(', ')', '\'. + +SSUUDDOOEERRSS OOPPTTIIOONNSS + ssuuddoo's behavior can be modified by Default_Entry lines, as explained + earlier. A list of all supported Defaults parameters, grouped by type, + are listed below. + + BBoooolleeaann FFllaaggss: + + always_set_home If enabled, ssuuddoo will set the HOME environment variable + to the home directory of the target user (which is root + unless the --uu option is used). This effectively means + that the --HH option is always implied. Note that HOME + is already set when the the _e_n_v___r_e_s_e_t option is + enabled, so _a_l_w_a_y_s___s_e_t___h_o_m_e is only effective for + configurations where either _e_n_v___r_e_s_e_t is disabled or + HOME is present in the _e_n_v___k_e_e_p list. This flag is _o_f_f + by default. + + authenticate If set, users must authenticate themselves via a + password (or other means of authentication) before they + may run commands. This default may be overridden via + the PASSWD and NOPASSWD tags. This flag is _o_n by + default. + + closefrom_override + If set, the user may use ssuuddoo's --CC option which + overrides the default starting point at which ssuuddoo + begins closing open file descriptors. This flag is _o_f_f + by default. + + compress_io If set, and ssuuddoo is configured to log a command's input + or output, the I/O logs will be compressed using zzlliibb. 
+ This flag is _o_n by default when ssuuddoo is compiled with + zzlliibb support. + + env_editor If set, vviissuuddoo will use the value of the EDITOR or + VISUAL environment variables before falling back on the + default editor list. Note that this may create a + security hole as it allows the user to run any + arbitrary command as root without logging. A safer + alternative is to place a colon-separated list of + editors in the editor variable. vviissuuddoo will then only + use the EDITOR or VISUAL if they match a value + specified in editor. This flag is _o_f_f by default. + + env_reset If set, ssuuddoo will run the command in a minimal + environment containing the TERM, PATH, HOME, MAIL, + SHELL, LOGNAME, USER, USERNAME and SUDO_* variables. + Any variables in the caller's environment that match + the env_keep and env_check lists are then added, + followed by any variables present in the file specified + by the _e_n_v___f_i_l_e option (if any). The default contents + of the env_keep and env_check lists are displayed when + ssuuddoo is run by root with the _-_V option. If the + _s_e_c_u_r_e___p_a_t_h option is set, its value will be used for + the PATH environment variable. This flag is _o_n by + default. + + fast_glob Normally, ssuuddoo uses the _g_l_o_b(3) function to do shell- + style globbing when matching path names. However, + since it accesses the file system, _g_l_o_b(3) can take a + long time to complete for some patterns, especially + when the pattern references a network file system that + is mounted on demand (automounted). The _f_a_s_t___g_l_o_b + option causes ssuuddoo to use the _f_n_m_a_t_c_h(3) function, + which does not access the file system to do its + matching. The disadvantage of _f_a_s_t___g_l_o_b is that it is + unable to match relative path names such as _._/_l_s or + _._._/_b_i_n_/_l_s. 
This has security implications when path + names that include globbing characters are used with + the negation operator, '!', as such rules can be + trivially bypassed. As such, this option should not be + used when _s_u_d_o_e_r_s contains rules that contain negated + path names which include globbing characters. This + flag is _o_f_f by default. + + fqdn Set this flag if you want to put fully qualified host + names in the _s_u_d_o_e_r_s file. I.e., instead of myhost you + would use myhost.mydomain.edu. You may still use the + short form if you wish (and even mix the two). Beware + that turning on _f_q_d_n requires ssuuddoo to make DNS lookups + which may make ssuuddoo unusable if DNS stops working (for + example if the machine is not plugged into the + network). Also note that you must use the host's + official name as DNS knows it. That is, you may not + use a host alias (CNAME entry) due to performance + issues and the fact that there is no way to get all + aliases from DNS. If your machine's host name (as + returned by the hostname command) is already fully + qualified you shouldn't need to set _f_q_d_n. This flag is + _o_f_f by default. + + ignore_dot If set, ssuuddoo will ignore '.' or '' (current dir) in the + PATH environment variable; the PATH itself is not + modified. This flag is _o_f_f by default. + + ignore_local_sudoers + If set via LDAP, parsing of _/_e_t_c_/_s_u_d_o_e_r_s will be + skipped. This is intended for Enterprises that wish to + prevent the usage of local sudoers files so that only + LDAP is used. This thwarts the efforts of rogue + operators who would attempt to add roles to + _/_e_t_c_/_s_u_d_o_e_r_s. When this option is present, + _/_e_t_c_/_s_u_d_o_e_r_s does not even need to exist. Since this + option tells ssuuddoo how to behave when no specific LDAP + entries have been matched, this sudoOption is only + meaningful for the cn=defaults section. This flag is + _o_f_f by default. 
+ + insults If set, ssuuddoo will insult users when they enter an + incorrect password. This flag is _o_f_f by default. + + log_host If set, the host name will be logged in the (non- + syslog) ssuuddoo log file. This flag is _o_f_f by default. + + log_input If set, ssuuddoo will run the command in a _p_s_e_u_d_o _t_t_y and + log all user input. If the standard input is not + connected to the user's tty, due to I/O redirection or + because the command is part of a pipeline, that input + is also captured and stored in a separate log file. + + Input is logged to the directory specified by the + _i_o_l_o_g___d_i_r option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a + unique session ID that is included in the normal ssuuddoo + log line, prefixed with _T_S_I_D_=. The _i_o_l_o_g___f_i_l_e option + may be used to control the format of the session ID. + + Note that user input may contain sensitive information + such as passwords (even if they are not echoed to the + screen), which will be stored in the log file + unencrypted. In most cases, logging the command output + via _l_o_g___o_u_t_p_u_t is all that is required. + + log_output If set, ssuuddoo will run the command in a _p_s_e_u_d_o _t_t_y and + log all output that is sent to the screen, similar to + the _s_c_r_i_p_t(1) command. If the standard output or + standard error is not connected to the user's tty, due + to I/O redirection or because the command is part of a + pipeline, that output is also captured and stored in + separate log files. + + Output is logged to the directory specified by the + _i_o_l_o_g___d_i_r option (_/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o by default) using a + unique session ID that is included in the normal ssuuddoo + log line, prefixed with _T_S_I_D_=. The _i_o_l_o_g___f_i_l_e option + may be used to control the format of the session ID. + + Output logs may be viewed with the _s_u_d_o_r_e_p_l_a_y(1m) + utility, which can also be used to list or search the + available logs. 
+ + log_year If set, the four-digit year will be logged in the (non- + syslog) ssuuddoo log file. This flag is _o_f_f by default. + + long_otp_prompt When validating with a One Time Password (OTP) scheme + such as SS//KKeeyy or OOPPIIEE, a two-line prompt is used to + make it easier to cut and paste the challenge to a + local window. It's not as pretty as the default but + some people find it more convenient. This flag is _o_f_f + by default. + + mail_always Send mail to the _m_a_i_l_t_o user every time a users runs + ssuuddoo. This flag is _o_f_f by default. + + mail_badpass Send mail to the _m_a_i_l_t_o user if the user running ssuuddoo + does not enter the correct password. This flag is _o_f_f + by default. + + mail_no_host If set, mail will be sent to the _m_a_i_l_t_o user if the + invoking user exists in the _s_u_d_o_e_r_s file, but is not + allowed to run commands on the current host. This flag + is _o_f_f by default. + + mail_no_perms If set, mail will be sent to the _m_a_i_l_t_o user if the + invoking user is allowed to use ssuuddoo but the command + they are trying is not listed in their _s_u_d_o_e_r_s file + entry or is explicitly denied. This flag is _o_f_f by + default. + + mail_no_user If set, mail will be sent to the _m_a_i_l_t_o user if the + invoking user is not in the _s_u_d_o_e_r_s file. This flag is + _o_n by default. + + noexec If set, all commands run via ssuuddoo will behave as if the + NOEXEC tag has been set, unless overridden by a EXEC + tag. See the description of _N_O_E_X_E_C _a_n_d _E_X_E_C below as + well as the "Preventing Shell Escapes" section at the + end of this manual. This flag is _o_f_f by default. + + path_info Normally, ssuuddoo will tell the user when a command could + not be found in their PATH environment variable. Some + sites may wish to disable this as it could be used to + gather information on the location of executables that + the normal user does not have access to. 
The + disadvantage is that if the executable is simply not in + the user's PATH, ssuuddoo will tell the user that they are + not allowed to run it, which can be confusing. This + flag is _o_n by default. + + passprompt_override + The password prompt specified by _p_a_s_s_p_r_o_m_p_t will + normally only be used if the password prompt provided + by systems such as PAM matches the string "Password:". + If _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e is set, _p_a_s_s_p_r_o_m_p_t will always + be used. This flag is _o_f_f by default. + + preserve_groups By default, ssuuddoo will initialize the group vector to + the list of groups the target user is in. When + _p_r_e_s_e_r_v_e___g_r_o_u_p_s is set, the user's existing group + vector is left unaltered. The real and effective group + IDs, however, are still set to match the target user. + This flag is _o_f_f by default. + + pwfeedback By default, ssuuddoo reads the password like most other + Unix programs, by turning off echo until the user hits + the return (or enter) key. Some users become confused + by this as it appears to them that ssuuddoo has hung at + this point. When _p_w_f_e_e_d_b_a_c_k is set, ssuuddoo will provide + visual feedback when the user presses a key. Note that + this does have a security impact as an onlooker may be + able to determine the length of the password being + entered. This flag is _o_f_f by default. + + requiretty If set, ssuuddoo will only run when the user is logged in + to a real tty. When this flag is set, ssuuddoo can only be + run from a login session and not via other means such + as _c_r_o_n(1m) or cgi-bin scripts. This flag is _o_f_f by + default. + + root_sudo If set, root is allowed to run ssuuddoo too. Disabling + this prevents users from "chaining" ssuuddoo commands to + get a root shell by doing something like "sudo sudo + /bin/sh". Note, however, that turning off _r_o_o_t___s_u_d_o + will also prevent root from running ssuuddooeeddiitt. 
+ Disabling _r_o_o_t___s_u_d_o provides no real additional + security; it exists purely for historical reasons. + This flag is _o_n by default. + + rootpw If set, ssuuddoo will prompt for the root password instead + of the password of the invoking user. This flag is _o_f_f + by default. + + runaspw If set, ssuuddoo will prompt for the password of the user + defined by the _r_u_n_a_s___d_e_f_a_u_l_t option (defaults to root) + instead of the password of the invoking user. This + flag is _o_f_f by default. + + set_home If enabled and ssuuddoo is invoked with the --ss option the + HOME environment variable will be set to the home + directory of the target user (which is root unless the + --uu option is used). This effectively makes the --ss + option imply --HH. Note that HOME is already set when + the the _e_n_v___r_e_s_e_t option is enabled, so _s_e_t___h_o_m_e is + only effective for configurations where either + _e_n_v___r_e_s_e_t is disabled or HOME is present in the + _e_n_v___k_e_e_p list. This flag is _o_f_f by default. + + set_logname Normally, ssuuddoo will set the LOGNAME, USER and USERNAME + environment variables to the name of the target user + (usually root unless the --uu option is given). However, + since some programs (including the RCS revision control + system) use LOGNAME to determine the real identity of + the user, it may be desirable to change this behavior. + This can be done by negating the set_logname option. + Note that if the _e_n_v___r_e_s_e_t option has not been + disabled, entries in the _e_n_v___k_e_e_p list will override + the value of _s_e_t___l_o_g_n_a_m_e. This flag is _o_n by default. + + set_utmp When enabled, ssuuddoo will create an entry in the utmp (or + utmpx) file when a pseudo-tty is allocated. A pseudo- + tty is allocated by ssuuddoo when the _l_o_g___i_n_p_u_t, _l_o_g___o_u_t_p_u_t + or _u_s_e___p_t_y flags are enabled. 
By default, the new + entry will be a copy of the user's existing utmp entry + (if any), with the tty, time, type and pid fields + updated. This flag is _o_n by default. + + setenv Allow the user to disable the _e_n_v___r_e_s_e_t option from the + command line via the --EE option. Additionally, + environment variables set via the command line are not + subject to the restrictions imposed by _e_n_v___c_h_e_c_k, + _e_n_v___d_e_l_e_t_e, or _e_n_v___k_e_e_p. As such, only trusted users + should be allowed to set variables in this manner. + This flag is _o_f_f by default. + + shell_noargs If set and ssuuddoo is invoked with no arguments it acts as + if the --ss option had been given. That is, it runs a + shell as root (the shell is determined by the SHELL + environment variable if it is set, falling back on the + shell listed in the invoking user's /etc/passwd entry + if not). This flag is _o_f_f by default. + + stay_setuid Normally, when ssuuddoo executes a command the real and + effective UIDs are set to the target user (root by + default). This option changes that behavior such that + the real UID is left as the invoking user's UID. In + other words, this makes ssuuddoo act as a setuid wrapper. + This can be useful on systems that disable some + potentially dangerous functionality when a program is + run setuid. This option is only effective on systems + with either the _s_e_t_r_e_u_i_d_(_) or _s_e_t_r_e_s_u_i_d_(_) function. + This flag is _o_f_f by default. + + targetpw If set, ssuuddoo will prompt for the password of the user + specified by the --uu option (defaults to root) instead + of the password of the invoking user. In addition, the + timestamp file name will include the target user's + name. Note that this flag precludes the use of a uid + not listed in the passwd database as an argument to the + --uu option. This flag is _o_f_f by default. + + tty_tickets If set, users must authenticate on a per-tty basis. 
+ With this flag enabled, ssuuddoo will use a file named for + the tty the user is logged in on in the user's time + stamp directory. If disabled, the time stamp of the + directory is used instead. This flag is _o_n by default. + + umask_override If set, ssuuddoo will set the umask as specified by _s_u_d_o_e_r_s + without modification. This makes it possible to + specify a more permissive umask in _s_u_d_o_e_r_s than the + user's own umask and matches historical behavior. If + _u_m_a_s_k___o_v_e_r_r_i_d_e is not set, ssuuddoo will set the umask to + be the union of the user's umask and what is specified + in _s_u_d_o_e_r_s. This flag is _o_f_f by default. + + use_loginclass If set, ssuuddoo will apply the defaults specified for the + target user's login class if one exists. Only + available if ssuuddoo is configured with the + --with-logincap option. This flag is _o_f_f by default. + + use_pty If set, ssuuddoo will run the command in a pseudo-pty even + if no I/O logging is being gone. A malicious program + run under ssuuddoo could conceivably fork a background + process that retains to the user's terminal device + after the main program has finished executing. Use of + this option will make that impossible. This flag is + _o_f_f by default. + + utmp_runas If set, ssuuddoo will store the name of the runas user when + updating the utmp (or utmpx) file. By default, ssuuddoo + stores the name of the invoking user. This flag is _o_f_f + by default. + + visiblepw By default, ssuuddoo will refuse to run if the user must + enter a password but it is not possible to disable echo + on the terminal. If the _v_i_s_i_b_l_e_p_w flag is set, ssuuddoo + will prompt for a password even when it would be + visible on the screen. This makes it possible to run + things like "rsh somehost sudo ls" since _r_s_h(1) does + not allocate a tty. This flag is _o_f_f by default. 
+ + IInntteeggeerrss: + + closefrom Before it executes a command, ssuuddoo will close all open + file descriptors other than standard input, standard + output and standard error (ie: file descriptors 0-2). + The _c_l_o_s_e_f_r_o_m option can be used to specify a different + file descriptor at which to start closing. The default + is 3. + + passwd_tries The number of tries a user gets to enter his/her + password before ssuuddoo logs the failure and exits. The + default is 3. + + IInntteeggeerrss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: + + loglinelen Number of characters per line for the file log. This + value is used to decide when to wrap lines for nicer + log files. This has no effect on the syslog log file, + only the file log. The default is 80 (use 0 or negate + the option to disable word wrap). + + passwd_timeout Number of minutes before the ssuuddoo password prompt times + out, or 0 for no timeout. The timeout may include a + fractional component if minute granularity is + insufficient, for example 2.5. The default is 5. + + timestamp_timeout + Number of minutes that can elapse before ssuuddoo will ask + for a passwd again. The timeout may include a + fractional component if minute granularity is + insufficient, for example 2.5. The default is 5. Set + this to 0 to always prompt for a password. If set to a + value less than 0 the user's timestamp will never + expire. This can be used to allow users to create or + delete their own timestamps via sudo -v and sudo -k + respectively. + + umask Umask to use when running the command. Negate this + option or set it to 0777 to preserve the user's umask. + The actual umask that is used will be the union of the + user's umask and the value of the _u_m_a_s_k option, which + defaults to 0022. This guarantees that ssuuddoo never + lowers the umask when running a command. 
Note on + systems that use PAM, the default PAM configuration may + specify its own umask which will override the value set + in _s_u_d_o_e_r_s. + + SSttrriinnggss: + + badpass_message Message that is displayed if a user enters an incorrect + password. The default is Sorry, try again. unless + insults are enabled. + + editor A colon (':') separated list of editors allowed to be + used with vviissuuddoo. vviissuuddoo will choose the editor that + matches the user's EDITOR environment variable if + possible, or the first editor in the list that exists + and is executable. The default is "vi". + + iolog_dir The top-level directory to use when constructing the + path name for the input/output log directory. Only + used if the _l_o_g___i_n_p_u_t or _l_o_g___o_u_t_p_u_t options are enabled + or when the LOG_INPUT or LOG_OUTPUT tags are present + for a command. The session sequence number, if any, is + stored in the directory. The default is + "/var/log/sudo-io". + + The following percent (`%') escape sequences are + supported: + + %{seq} + expanded to a monotonically increasing base-36 + sequence number, such as 0100A5, where every two + digits are used to form a new directory, e.g. + _0_1_/_0_0_/_A_5 + + %{user} + expanded to the invoking user's login name + + %{group} + expanded to the name of the invoking user's real + group ID + + %{runas_user} + expanded to the login name of the user the command + will be run as (e.g. root) + + %{runas_group} + expanded to the group name of the user the command + will be run as (e.g. wheel) + + %{hostname} + expanded to the local host name without the domain + name + + %{command} + expanded to the base name of the command being run + + In addition, any escape sequences supported by the + system's _s_t_r_f_t_i_m_e_(_) function will be expanded. + + To include a literal `%' character, the string `%%' + should be used. 
+ + iolog_file The path name, relative to _i_o_l_o_g___d_i_r, in which to store + input/output logs when the _l_o_g___i_n_p_u_t or _l_o_g___o_u_t_p_u_t + options are enabled or when the LOG_INPUT or LOG_OUTPUT + tags are present for a command. Note that _i_o_l_o_g___f_i_l_e + may contain directory components. The default is + "%{seq}". + + See the _i_o_l_o_g___d_i_r option above for a list of supported + percent (`%') escape sequences. + + In addition to the escape sequences, path names that + end in six or more Xs will have the Xs replaced with a + unique combination of digits and letters, similar to + the _m_k_t_e_m_p_(_) function. + + mailsub Subject of the mail sent to the _m_a_i_l_t_o user. The escape + %h will expand to the host name of the machine. + Default is *** SECURITY information for %h ***. + + noexec_file This option is no longer supported. The path to the + noexec file should now be set in the _/_e_t_c_/_s_u_d_o_._c_o_n_f + file. + + passprompt The default prompt to use when asking for a password; + can be overridden via the --pp option or the SUDO_PROMPT + environment variable. The following percent (`%') + escape sequences are supported: + + %H expanded to the local host name including the + domain name (only if the machine's host name is + fully qualified or the _f_q_d_n option is set) + + %h expanded to the local host name without the domain + name + + %p expanded to the user whose password is being asked + for (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and _r_u_n_a_s_p_w + flags in _s_u_d_o_e_r_s) + + %U expanded to the login name of the user the command + will be run as (defaults to root) + + %u expanded to the invoking user's login name + + %% two consecutive % characters are collapsed into a + single % character + + The default value is Password:. + + role The default SELinux role to use when constructing a new + security context to run the command. 
The default role + may be overridden on a per-command basis in _s_u_d_o_e_r_s or + via command line options. This option is only + available whe ssuuddoo is built with SELinux support. + + runas_default The default user to run commands as if the --uu option is + not specified on the command line. This defaults to + root. + + syslog_badpri Syslog priority to use when user authenticates + unsuccessfully. Defaults to alert. + + The following syslog priorities are supported: aalleerrtt, + ccrriitt, ddeebbuugg, eemmeerrgg, eerrrr, iinnffoo, nnoottiiccee, and wwaarrnniinngg. + + syslog_goodpri Syslog priority to use when user authenticates + successfully. Defaults to notice. + + See syslog_badpri for the list of supported syslog + priorities. + + sudoers_locale Locale to use when parsing the sudoers file, logging + commands, and sending email. Note that changing the + locale may affect how sudoers is interpreted. Defaults + to "C". + + timestampdir The directory in which ssuuddoo stores its timestamp files. + The default is _/_v_a_r_/_a_d_m_/_s_u_d_o. + + timestampowner The owner of the timestamp directory and the timestamps + stored therein. The default is root. + + type The default SELinux type to use when constructing a new + security context to run the command. The default type + may be overridden on a per-command basis in _s_u_d_o_e_r_s or + via command line options. This option is only + available whe ssuuddoo is built with SELinux support. + + SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: + + env_file The _e_n_v___f_i_l_e option specifies the fully qualified path to a + file containing variables to be set in the environment of + the program being run. Entries in this file should either + be of the form VARIABLE=value or export VARIABLE=value. + The value may optionally be surrounded by single or double + quotes. 
Variables in this file are subject to other ssuuddoo + environment settings such as _e_n_v___k_e_e_p and _e_n_v___c_h_e_c_k. + + exempt_group + Users in this group are exempt from password and PATH + requirements. The group name specified should not include + a % prefix. This is not set by default. + + group_plugin + A string containing a _s_u_d_o_e_r_s group plugin with optional + arguments. This can be used to implement support for the + nonunix_group syntax described earlier. The string should + consist of the plugin path, either fully-qualified or + relative to the _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c directory, followed by + any configuration arguments the plugin requires. These + arguments (if any) will be passed to the plugin's + initialization function. If arguments are present, the + string must be enclosed in double quotes ("). + + For example, given _/_e_t_c_/_s_u_d_o_-_g_r_o_u_p, a group file in Unix + group format, the sample group plugin can be used: + + Defaults group_plugin="sample_group.so /etc/sudo-group" + + For more information see _s_u_d_o___p_l_u_g_i_n(4). + + lecture This option controls when a short lecture will be printed + along with the password prompt. It has the following + possible values: + + always Always lecture the user. + + never Never lecture the user. + + once Only lecture the user the first time they run ssuuddoo. + + If no value is specified, a value of _o_n_c_e is implied. + Negating the option results in a value of _n_e_v_e_r being used. + The default value is _o_n_c_e. + + lecture_file + Path to a file containing an alternate ssuuddoo lecture that + will be used in place of the standard lecture if the named + file exists. By default, ssuuddoo uses a built-in lecture. + + listpw This option controls when a password will be required when + a user runs ssuuddoo with the --ll option. 
It has the following + possible values: + + all All the user's _s_u_d_o_e_r_s entries for the current host + must have the NOPASSWD flag set to avoid entering a + password. + + always The user must always enter a password to use the --ll + option. + + any At least one of the user's _s_u_d_o_e_r_s entries for the + current host must have the NOPASSWD flag set to + avoid entering a password. + + never The user need never enter a password to use the --ll + option. + + If no value is specified, a value of _a_n_y is implied. + Negating the option results in a value of _n_e_v_e_r being used. + The default value is _a_n_y. + + logfile Path to the ssuuddoo log file (not the syslog log file). + Setting a path turns on logging to a file; negating this + option turns it off. By default, ssuuddoo logs via syslog. + + mailerflags Flags to use when invoking mailer. Defaults to --tt. + + mailerpath Path to mail program used to send warning mail. Defaults + to the path to sendmail found at configure time. + + mailfrom Address to use for the "from" address when sending warning + and error mail. The address should be enclosed in double + quotes (") to protect against ssuuddoo interpreting the @ sign. + Defaults to the name of the user running ssuuddoo. + + mailto Address to send warning and error mail to. The address + should be enclosed in double quotes (") to protect against + ssuuddoo interpreting the @ sign. Defaults to root. + + secure_path Path used for every command run from ssuuddoo. If you don't + trust the people running ssuuddoo to have a sane PATH + environment variable you may want to use this. Another use + is if you want to have the "root path" be separate from the + "user path." Users in the group specified by the + _e_x_e_m_p_t___g_r_o_u_p option are not affected by _s_e_c_u_r_e___p_a_t_h. This + option is not set by default. + + syslog Syslog facility if syslog is being used for logging (negate + to disable syslog logging). Defaults to auth. 
+ + The following syslog facilities are supported: aauutthhpprriivv (if + your OS supports it), aauutthh, ddaaeemmoonn, uusseerr, llooccaall00, llooccaall11, + llooccaall22, llooccaall33, llooccaall44, llooccaall55, llooccaall66, and llooccaall77. + + verifypw This option controls when a password will be required when + a user runs ssuuddoo with the --vv option. It has the following + possible values: + + all All the user's _s_u_d_o_e_r_s entries for the current host + must have the NOPASSWD flag set to avoid entering a + password. + + always The user must always enter a password to use the --vv + option. + + any At least one of the user's _s_u_d_o_e_r_s entries for the + current host must have the NOPASSWD flag set to + avoid entering a password. + + never The user need never enter a password to use the --vv + option. + + If no value is specified, a value of _a_l_l is implied. + Negating the option results in a value of _n_e_v_e_r being used. + The default value is _a_l_l. + + LLiissttss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: + + env_check Environment variables to be removed from the user's + environment if the variable's value contains % or / + characters. This can be used to guard against printf- + style format vulnerabilities in poorly-written + programs. The argument may be a double-quoted, space- + separated list or a single value without double-quotes. + The list can be replaced, added to, deleted from, or + disabled by using the =, +=, -=, and ! operators + respectively. Regardless of whether the env_reset + option is enabled or disabled, variables specified by + env_check will be preserved in the environment if they + pass the aforementioned check. The default list of + environment variables to check is displayed when ssuuddoo + is run by root with the _-_V option. + + env_delete Environment variables to be removed from the user's + environment when the _e_n_v___r_e_s_e_t option is not in effect. 
+ The argument may be a double-quoted, space-separated + list or a single value without double-quotes. The list + can be replaced, added to, deleted from, or disabled by + using the =, +=, -=, and ! operators respectively. The + default list of environment variables to remove is + displayed when ssuuddoo is run by root with the _-_V option. + Note that many operating systems will remove + potentially dangerous variables from the environment of + any setuid process (such as ssuuddoo). + + env_keep Environment variables to be preserved in the user's + environment when the _e_n_v___r_e_s_e_t option is in effect. + This allows fine-grained control over the environment + ssuuddoo-spawned processes will receive. The argument may + be a double-quoted, space-separated list or a single + value without double-quotes. The list can be replaced, + added to, deleted from, or disabled by using the =, +=, + -=, and ! operators respectively. The default list of + variables to keep is displayed when ssuuddoo is run by root + with the _-_V option. + +SSUUDDOO..CCOONNFF + The _/_e_t_c_/_s_u_d_o_._c_o_n_f file determines which plugins the ssuuddoo front end + will load. If no _/_e_t_c_/_s_u_d_o_._c_o_n_f file is present, or it contains no + Plugin lines, ssuuddoo will use the _s_u_d_o_e_r_s security policy and I/O + logging, which corresponds to the following _/_e_t_c_/_s_u_d_o_._c_o_n_f file. + + # + # Default /etc/sudo.conf file + # + # Format: + # Plugin plugin_name plugin_path plugin_options ... + # Path askpass /path/to/askpass + # Path noexec /path/to/sudo_noexec.so + # Debug sudo /var/log/sudo_debug all@warn + # Set disable_coredump true + # + # The plugin_path is relative to /usr/local/libexec unless + # fully qualified. + # The plugin_name corresponds to a global symbol in the plugin + # that contains the plugin interface structure. + # The plugin_options are optional. 
+ # + Plugin policy_plugin sudoers.so + Plugin io_plugin sudoers.so + + PPLLUUGGIINN OOPPTTIIOONNSS + Starting with ssuuddoo 1.8.5 it is possible to pass options to the _s_u_d_o_e_r_s + plugin. Options may be listed after the path to the plugin (i.e. after + _s_u_d_o_e_r_s_._s_o); multiple options should be space-separated. For example: + + Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440 + + The following plugin options are supported: + + sudoers_file=pathname + The _s_u_d_o_e_r_s___f_i_l_e option can be used to override the default + path to the _s_u_d_o_e_r_s file. + + sudoers_uid=uid + The _s_u_d_o_e_r_s___u_i_d option can be used to override the default + owner of the sudoers file. It should be specified as a + numeric user ID. + + sudoers_gid=gid + The _s_u_d_o_e_r_s___g_i_d option can be used to override the default + group of the sudoers file. It should be specified as a + numeric group ID. + + sudoers_mode=mode + The _s_u_d_o_e_r_s___m_o_d_e option can be used to override the default + file mode for the sudoers file. It should be specified as an + octal value. + + DDEEBBUUGG FFLLAAGGSS + Versions 1.8.4 and higher of the _s_u_d_o_e_r_s plugin supports a debugging + framework that can help track down what the plugin is doing internally + if there is a problem. This can be configured in the _/_e_t_c_/_s_u_d_o_._c_o_n_f + file as described in _s_u_d_o(1m). + + The _s_u_d_o_e_r_s plugin uses the same debug flag format as ssuuddoo itself: + _s_u_b_s_y_s_t_e_m@_p_r_i_o_r_i_t_y. + + The priorities used by _s_u_d_o_e_r_s, in order of decreasing severity, are: + _c_r_i_t, _e_r_r, _w_a_r_n, _n_o_t_i_c_e, _d_i_a_g, _i_n_f_o, _t_r_a_c_e and _d_e_b_u_g. Each priority, + when specified, also includes all priorities higher than it. For + example, a priority of _n_o_t_i_c_e would include debug messages logged at + _n_o_t_i_c_e and higher. 
+ + The following subsystems are used by _s_u_d_o_e_r_s: + + _a_l_i_a_s User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing + + _a_l_l matches every subsystem + + _a_u_d_i_t BSM and Linux audit code + + _a_u_t_h user authentication + + _d_e_f_a_u_l_t_s _s_u_d_o_e_r_s _D_e_f_a_u_l_t_s settings + + _e_n_v environment handling + + _l_d_a_p LDAP-based sudoers + + _l_o_g_g_i_n_g logging support + + _m_a_t_c_h matching of users, groups, hosts and netgroups in _s_u_d_o_e_r_s + + _n_e_t_i_f network interface handling + + _n_s_s network service switch handling in _s_u_d_o_e_r_s + + _p_a_r_s_e_r _s_u_d_o_e_r_s file parsing + + _p_e_r_m_s permission setting + + _p_l_u_g_i_n The equivalent of _m_a_i_n for the plugin. + + _p_t_y pseudo-tty related code + + _r_b_t_r_e_e redblack tree internals + + _u_t_i_l utility functions + +FFIILLEESS + _/_e_t_c_/_s_u_d_o_._c_o_n_f Sudo front end configuration + + _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what + + _/_e_t_c_/_g_r_o_u_p Local groups file + + _/_e_t_c_/_n_e_t_g_r_o_u_p List of network groups + + _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o I/O log files + + _/_v_a_r_/_a_d_m_/_s_u_d_o Directory containing time stamps for the + _s_u_d_o_e_r_s security policy + + _/_e_t_c_/_e_n_v_i_r_o_n_m_e_n_t Initial environment for --ii mode on AIX and + Linux systems + +EEXXAAMMPPLLEESS + Below are example _s_u_d_o_e_r_s entries. Admittedly, some of these are a bit + contrived. First, we allow a few environment variables to pass and + then define our _a_l_i_a_s_e_s: + + # Run X applications through sudo; HOME is used to find the + # .Xauthority file. Note that other programs use HOME to find + # configuration files and this may lead to privilege escalation! 
+ Defaults env_keep += "DISPLAY HOME" + + # User alias specification + User_Alias FULLTIMERS = millert, mikef, dowdy + User_Alias PARTTIMERS = bostley, jwfox, crawl + User_Alias WEBMASTERS = will, wendy, wim + + # Runas alias specification + Runas_Alias OP = root, operator + Runas_Alias DB = oracle, sybase + Runas_Alias ADMINGRP = adm, oper + + # Host alias specification + Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ + SGI = grolsch, dandelion, black :\ + ALPHA = widget, thalamus, foobar :\ + HPPA = boa, nag, python + Host_Alias CUNETS = 128.138.0.0/255.255.0.0 + Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0 + Host_Alias SERVERS = master, mail, www, ns + Host_Alias CDROM = orion, perseus, hercules + + # Cmnd alias specification + Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\ + /usr/sbin/restore, /usr/sbin/rrestore + Cmnd_Alias KILL = /usr/bin/kill + Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm + Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown + Cmnd_Alias HALT = /usr/sbin/halt + Cmnd_Alias REBOOT = /usr/sbin/reboot + Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \ + /usr/local/bin/tcsh, /usr/bin/rsh, \ + /usr/local/bin/zsh + Cmnd_Alias SU = /usr/bin/su + Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less + + Here we override some of the compiled in default values. We want ssuuddoo + to log via _s_y_s_l_o_g(3) using the _a_u_t_h facility in all cases. We don't + want to subject the full time staff to the ssuuddoo lecture, user mmiilllleerrtt + need not give a password, and we don't want to reset the LOGNAME, USER + or USERNAME environment variables when running commands as root. + Additionally, on the machines in the _S_E_R_V_E_R_S Host_Alias, we keep an + additional local log file and make sure we log the year in each log + line since the log entries will be kept around for several years. 
+ Lastly, we disable shell escapes for the commands in the PAGERS + Cmnd_Alias (_/_u_s_r_/_b_i_n_/_m_o_r_e, _/_u_s_r_/_b_i_n_/_p_g and _/_u_s_r_/_b_i_n_/_l_e_s_s). + + # Override built-in defaults + Defaults syslog=auth + Defaults>root !set_logname + Defaults:FULLTIMERS !lecture + Defaults:millert !authenticate + Defaults@SERVERS log_year, logfile=/var/log/sudo.log + Defaults!PAGERS noexec + + The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually determines who may run + what. + + root ALL = (ALL) ALL + %wheel ALL = (ALL) ALL + + We let rroooott and any user in group wwhheeeell run any command on any host as + any user. + + FULLTIMERS ALL = NOPASSWD: ALL + + Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run any command on + any host without authenticating themselves. + + PARTTIMERS ALL = ALL + + Part time sysadmins (bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run any command on + any host but they must authenticate themselves first (since the entry + lacks the NOPASSWD tag). + + jack CSNETS = ALL + + The user jjaacckk may run any command on the machines in the _C_S_N_E_T_S alias + (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of + those networks, only 128.138.204.0 has an explicit netmask (in CIDR + notation) indicating it is a class C network. For the other networks + in _C_S_N_E_T_S, the local machine's netmask will be used during matching. + + lisa CUNETS = ALL + + The user lliissaa may run any command on any host in the _C_U_N_E_T_S alias (the + class B network 128.138.0.0). + + operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\ + sudoedit /etc/printcap, /usr/oper/bin/ + + The ooppeerraattoorr user may run commands limited to simple maintenance. + Here, those are commands related to backups, killing processes, the + printing system, shutting down the system, and any commands in the + directory _/_u_s_r_/_o_p_e_r_/_b_i_n_/. 
+ + joe ALL = /usr/bin/su operator + + The user jjooee may only _s_u(1) to operator. + + pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root + + %opers ALL = (: ADMINGRP) /usr/sbin/ + + Users in the ooppeerrss group may run commands in _/_u_s_r_/_s_b_i_n_/ as themselves + with any group in the _A_D_M_I_N_G_R_P Runas_Alias (the aaddmm and ooppeerr groups). + + The user ppeettee is allowed to change anyone's password except for root on + the _H_P_P_A machines. Note that this assumes _p_a_s_s_w_d(1) does not take + multiple user names on the command line. + + bob SPARC = (OP) ALL : SGI = (OP) ALL + + The user bboobb may run anything on the _S_P_A_R_C and _S_G_I machines as any user + listed in the _O_P Runas_Alias (rroooott and ooppeerraattoorr). + + jim +biglab = ALL + + The user jjiimm may run any command on machines in the _b_i_g_l_a_b netgroup. + ssuuddoo knows that "biglab" is a netgroup due to the '+' prefix. + + +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser + + Users in the sseeccrreettaarriieess netgroup need to help manage the printers as + well as add and remove users, so they are allowed to run those commands + on all machines. + + fred ALL = (DB) NOPASSWD: ALL + + The user ffrreedd can run commands as any user in the _D_B Runas_Alias + (oorraaccllee or ssyybbaassee) without giving a password. + + john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* + + On the _A_L_P_H_A machines, user jjoohhnn may su to anyone except root but he is + not allowed to specify any options to the _s_u(1) command. + + jen ALL, !SERVERS = ALL + + The user jjeenn may run any command on any machine except for those in the + _S_E_R_V_E_R_S Host_Alias (master, mail, www and ns). + + jill SERVERS = /usr/bin/, !SU, !SHELLS + + For any machine in the _S_E_R_V_E_R_S Host_Alias, jjiillll may run any commands in + the directory _/_u_s_r_/_b_i_n_/ except for those commands belonging to the _S_U + and _S_H_E_L_L_S Cmnd_Aliases. 
+ + steve CSNETS = (operator) /usr/local/op_commands/ + + The user sstteevvee may run any command in the directory + /usr/local/op_commands/ but only as user operator. + + matt valkyrie = KILL + + On his personal workstation, valkyrie, mmaatttt needs to be able to kill + hung processes. + + WEBMASTERS www = (www) ALL, (root) /usr/bin/su www + + On the host www, any user in the _W_E_B_M_A_S_T_E_R_S User_Alias (will, wendy, + and wim), may run any command as user www (which owns the web pages) or + simply _s_u(1) to www. + + ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ + /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM + + Any user may mount or unmount a CD-ROM on the machines in the CDROM + Host_Alias (orion, perseus, hercules) without entering a password. + This is a bit tedious for users to type, so it is a prime candidate for + encapsulating in a shell script. + +SSEECCUURRIITTYY NNOOTTEESS + LLiimmiittaattiioonnss ooff tthhee ''!!'' ooppeerraattoorr + It is generally not effective to "subtract" commands from ALL using the + '!' operator. A user can trivially circumvent this by copying the + desired command to a different name and then executing that. For + example: + + bill ALL = ALL, !SU, !SHELLS + + Doesn't really prevent bbiillll from running the commands listed in _S_U or + _S_H_E_L_L_S since he can simply copy those commands to a different name, or + use a shell escape from an editor or other program. Therefore, these + kind of restrictions should be considered advisory at best (and + reinforced by policy). + + In general, if a user has sudo ALL there is nothing to prevent them + from creating their own program that gives them a root shell (or making + their own copy of a shell) regardless of any '!' elements in the user + specification. 
+ + SSeeccuurriittyy iimmpplliiccaattiioonnss ooff _f_a_s_t___g_l_o_b + If the _f_a_s_t___g_l_o_b option is in use, it is not possible to reliably + negate commands where the path name includes globbing (aka wildcard) + characters. This is because the C library's _f_n_m_a_t_c_h(3) function cannot + resolve relative paths. While this is typically only an inconvenience + for rules that grant privileges, it can result in a security issue for + rules that subtract or revoke privileges. + + For example, given the following _s_u_d_o_e_r_s entry: + + john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*, + /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root + + User jjoohhnn can still run /usr/bin/passwd root if _f_a_s_t___g_l_o_b is enabled by + changing to _/_u_s_r_/_b_i_n and running ./passwd root instead. + + PPrreevveennttiinngg SShheellll EEssccaappeess + Once ssuuddoo executes a program, that program is free to do whatever it + pleases, including run other programs. This can be a security issue + since it is not uncommon for a program to allow shell escapes, which + lets a user bypass ssuuddoo's access control and logging. Common programs + that permit shell escapes include shells (obviously), editors, + paginators, mail and terminal programs. + + There are two basic approaches to this problem: + + restrict Avoid giving users access to commands that allow the user to + run arbitrary commands. Many editors have a restricted mode + where shell escapes are disabled, though ssuuddooeeddiitt is a better + solution to running editors via ssuuddoo. Due to the large + number of programs that offer shell escapes, restricting + users to the set of programs that do not is often unworkable. + + noexec Many systems that support shared libraries have the ability + to override default library functions by pointing an + environment variable (usually LD_PRELOAD) to an alternate + shared library. 
On such systems, ssuuddoo's _n_o_e_x_e_c functionality + can be used to prevent a program run by ssuuddoo from executing + any other programs. Note, however, that this applies only to + native dynamically-linked executables. Statically-linked + executables and foreign executables running under binary + emulation are not affected. + + The _n_o_e_x_e_c feature is known to work on SunOS, Solaris, *BSD, + Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and + above. It should be supported on most operating systems that + support the LD_PRELOAD environment variable. Check your + operating system's manual pages for the dynamic linker + (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see + if LD_PRELOAD is supported. + + On Solaris 10 and higher, _n_o_e_x_e_c uses Solaris privileges + instead of the LD_PRELOAD environment variable. + + To enable _n_o_e_x_e_c for a command, use the NOEXEC tag as + documented in the User Specification section above. Here is + that example again: + + aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi + + This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and _/_u_s_r_/_b_i_n_/_v_i + with _n_o_e_x_e_c enabled. This will prevent those two commands + from executing other commands (such as a shell). If you are + unsure whether or not your system is capable of supporting + _n_o_e_x_e_c you can always just try it out and check whether shell + escapes work when _n_o_e_x_e_c is enabled. + + Note that restricting shell escapes is not a panacea. Programs running + as root are still capable of many potentially hazardous operations + (such as changing or overwriting files) that could lead to unintended + privilege escalation. In the specific case of an editor, a safer + approach is to give the user permission to run ssuuddooeeddiitt. 
+ + TTiimmee ssttaammpp ffiillee cchheecckkss + _s_u_d_o_e_r_s will check the ownership of its time stamp directory + (_/_v_a_r_/_a_d_m_/_s_u_d_o by default) and ignore the directory's contents if it is + not owned by root or if it is writable by a user other than root. On + systems that allow non-root users to give away files via _c_h_o_w_n(2), if + the time stamp directory is located in a world-writable directory + (e.g., _/_t_m_p), it is possible for a user to create the time stamp + directory before ssuuddoo is run. However, because _s_u_d_o_e_r_s checks the + ownership and mode of the directory and its contents, the only damage + that can be done is to "hide" files by putting them in the time stamp + dir. This is unlikely to happen since once the time stamp dir is owned + by root and inaccessible by any other user, the user placing files + there would be unable to get them back out. + + _s_u_d_o_e_r_s will not honor time stamps set far in the future. Time stamps + with a date greater than current_time + 2 * TIMEOUT will be ignored and + sudo will log and complain. This is done to keep a user from creating + his/her own time stamp with a bogus date on systems that allow users to + give away files if the time stamp directory is located in a world- + writable directory. + + On systems where the boot time is available, _s_u_d_o_e_r_s will ignore time + stamps that date from before the machine booted. + + Since time stamp files live in the file system, they can outlive a + user's login session. As a result, a user may be able to login, run a + command with ssuuddoo after authenticating, logout, login again, and run + ssuuddoo without authenticating so long as the time stamp file's + modification time is within 5 minutes (or whatever the timeout is set + to in _s_u_d_o_e_r_s). When the _t_t_y___t_i_c_k_e_t_s option is enabled, the time stamp + has per-tty granularity but still may outlive the user's session. 
On + Linux systems where the devpts filesystem is used, Solaris systems with + the devices filesystem, as well as other systems that utilize a devfs + filesystem that monotonically increase the inode number of devices as + they are created (such as Mac OS X), _s_u_d_o_e_r_s is able to determine when + a tty-based time stamp file is stale and will ignore it. + Administrators should not rely on this feature as it is not universally + available. + +SSEEEE AALLSSOO + _r_s_h(1), _s_u(1), _f_n_m_a_t_c_h(3), _g_l_o_b(3), _m_k_t_e_m_p(3), _s_t_r_f_t_i_m_e(3), + _s_u_d_o_e_r_s_._l_d_a_p(4), _s_u_d_o___p_l_u_g_i_n(1m), _s_u_d_o(1m), _v_i_s_u_d_o(1m) + +CCAAVVEEAATTSS + The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo command which + locks the file and does grammatical checking. It is imperative that + _s_u_d_o_e_r_s be free of syntax errors since ssuuddoo will not run with a + syntactically incorrect _s_u_d_o_e_r_s file. + + When using netgroups of machines (as opposed to users), if you store + fully qualified host name in the netgroup (as is usually the case), you + either need to have the machine's host name be fully qualified as + returned by the hostname command or use the _f_q_d_n option in _s_u_d_o_e_r_s. + +BBUUGGSS + If you feel you have found a bug in ssuuddoo, please submit a bug report at + http://www.sudo.ws/sudo/bugs/ + +SSUUPPPPOORRTT + Limited free support is available via the sudo-users mailing list, see + http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search + the archives. + +DDIISSCCLLAAIIMMEERR + ssuuddoo is provided ``AS IS'' and any express or implied warranties, + including, but not limited to, the implied warranties of + merchantability and fitness for a particular purpose are disclaimed. + See the LICENSE file distributed with ssuuddoo or + http://www.sudo.ws/sudo/license.html for complete details. + + + +1.8.5 March 28, 2012 SUDOERS(4)
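Review bot: in the EXAMPLES section the rule `pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root` is listed before `%opers ALL = (: ADMINGRP) /usr/sbin/`, but the paragraph that explains it ("The user pete is allowed to change anyone's password except for root on the HPPA machines...") only appears after the %opers explanation, so the rule and its description are separated by an unrelated entry; move the pete paragraph directly below its rule (or move the rule down) so each entry is followed by its own explanation, as every other example in the section is. While this generated cat page is being touched, a few wording fixes belong in the source it is rendered from rather than here: under DEBUG FLAGS "Versions 1.8.4 and higher of the sudoers plugin supports a debugging framework" should read "support"; in the '!' operator section "these kind of restrictions should be considered advisory" should read "this kind of restriction"; and the rbtree subsystem description "redblack tree internals" should be "red-black tree internals". Since the file is nroff output (the doubled-letter bold and _x_y_z underline sequences are the overstrike rendering), it will need to be regenerated from the manual source whenever those fixes land, or it will silently diverge from the man page.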