X-Git-Url: https://git.gag.com/?a=blobdiff_plain;f=sudoers.cat;h=1649855355e81738e90abccde5cbc42c7c7dcdee;hb=e728e9e78f6751aee7d45d2105d58f2033e04e83;hp=b8d57f66a66dbd50aa3d7b68169898f09bbb109e;hpb=17fe41bae8a65fb88683c9795414556ed9b636e9;p=debian%2Fsudo diff --git a/sudoers.cat b/sudoers.cat index b8d57f6..1649855 100644 --- a/sudoers.cat +++ b/sudoers.cat 
@@ -8,60 +8,60 @@ NNAAMMEE sudoers - list of which users may execute what DDEESSCCRRIIPPTTIIOONN - The _s_u_d_o_e_r_s file is composed of two types of entries: - aliases (basically variables) and user specifications - (which specify who may run what). + The _s_u_d_o_e_r_s file is composed of two types of entries: aliases + (basically variables) and user specifications (which specify who may + run what). - When multiple entries match for a user, they are applied - in order. Where there are multiple matches, the last - match is used (which is not necessarily the most specific - match). + When multiple entries match for a user, they are applied in order. + Where there are multiple matches, the last match is used (which is not + necessarily the most specific match). - The _s_u_d_o_e_r_s grammar will be described below in Extended - Backus-Naur Form (EBNF). Don't despair if you don't know - what EBNF is; it is fairly simple, and the definitions - below are annotated. + The _s_u_d_o_e_r_s grammar will be described below in Extended Backus-Naur + Form (EBNF). Don't despair if you don't know what EBNF is; it is + fairly simple, and the definitions below are annotated. - QQuuiicckk gguuiiddee ttoo EEBBNNFF - - EBNF is a concise and exact way of describing the grammar - of a language. Each EBNF definition is made up of _p_r_o_d_u_c_­ - _t_i_o_n _r_u_l_e_s. E.g., + QQuuiicckk gguuiiddee ttoo EEBBNNFF + EBNF is a concise and exact way of describing the grammar of a + language. Each EBNF definition is made up of _p_r_o_d_u_c_t_i_o_n _r_u_l_e_s. E.g., symbol ::= definition | alternate1 | alternate2 ... - Each _p_r_o_d_u_c_t_i_o_n _r_u_l_e references others and thus makes up a - grammar for the language. EBNF also contains the follow­ - ing operators, which many readers will recognize from reg­ - ular expressions. Do not, however, confuse them with - "wildcard" characters, which have different meanings. 
+ Each _p_r_o_d_u_c_t_i_o_n _r_u_l_e references others and thus makes up a grammar for + the language. EBNF also contains the following operators, which many + readers will recognize from regular expressions. Do not, however, + confuse them with "wildcard" characters, which have different meanings. - ? Means that the preceding symbol (or group of symbols) - is optional. That is, it may appear once or not at - all. + ? Means that the preceding symbol (or group of symbols) is optional. + That is, it may appear once or not at all. - * Means that the preceding symbol (or group of symbols) - may appear zero or more times. + * Means that the preceding symbol (or group of symbols) may appear + zero or more times. - + Means that the preceding symbol (or group of symbols) - may appear one or more times. + + Means that the preceding symbol (or group of symbols) may appear + one or more times. - Parentheses may be used to group symbols together. For - clarity, we will use single quotes ('') to designate what - is a verbatim character string (as opposed to a symbol - name). + Parentheses may be used to group symbols together. For clarity, we + will use single quotes ('') to designate what is a verbatim character + string (as opposed to a symbol name). - AAlliiaasseess + AAlliiaasseess + There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias + and Cmnd_Alias. - There are four kinds of aliases: User_Alias, Runas_Alias, - Host_Alias and Cmnd_Alias. + Alias ::= 'User_Alias' User_Alias (':' User_Alias)* | + 'Runas_Alias' Runas_Alias (':' Runas_Alias)* | + 'Host_Alias' Host_Alias (':' Host_Alias)* | + 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)* + User_Alias ::= NAME '=' User_List + Runas_Alias ::= NAME '=' Runas_List + Host_Alias ::= NAME '=' Host_List -1.6.9p16 May 8, 2008 1 +1.7.4 July 21, 2010 1 
@@ -70,16 +70,6 @@ DDEESSCCRRIIPPTTIIOONN SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - Alias ::= 'User_Alias' User_Alias (':' User_Alias)* | - 'Runas_Alias' Runas_Alias (':' Runas_Alias)* | - 'Host_Alias' Host_Alias (':' Host_Alias)* | - 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)* - - User_Alias ::= NAME '=' User_List - - Runas_Alias ::= NAME '=' Runas_List - - Host_Alias ::= NAME '=' Host_List Cmnd_Alias ::= NAME '=' Cmnd_List 
@@ -89,45 +79,55 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Alias_Type NAME = item1, item2, ... - where _A_l_i_a_s___T_y_p_e is one of User_Alias, Runas_Alias, - Host_Alias, or Cmnd_Alias. A NAME is a string of upper­ - case letters, numbers, and underscore characters ('_'). A - NAME mmuusstt start with an uppercase letter. It is possible - to put several alias definitions of the same type on a - single line, joined by a colon (':'). E.g., + where _A_l_i_a_s___T_y_p_e is one of User_Alias, Runas_Alias, Host_Alias, or + Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and + underscore characters ('_'). A NAME mmuusstt start with an uppercase + letter. It is possible to put several alias definitions of the same + type on a single line, joined by a colon (':'). E.g., Alias_Type NAME = item1, item2, item3 : NAME = item4, item5 - The definitions of what constitutes a valid _a_l_i_a_s member - follow. + The definitions of what constitutes a valid _a_l_i_a_s member follow. User_List ::= User | User ',' User_List - User ::= '!'* username | + User ::= '!'* user name | + '!'* '#'uid | '!'* '%'group | '!'* '+'netgroup | + '!'* '%:'nonunix_group | '!'* User_Alias - A User_List is made up of one or more usernames, system - groups (prefixed with '%'), netgroups (prefixed with '+') - and other aliases. Each list item may be prefixed with - one or more '!' operators. An odd number of '!' operators - negate the value of the item; an even number just cancel - each other out. + A User_List is made up of one or more user names, uids (prefixed with + '#'), system groups (prefixed with '%'), netgroups (prefixed with '+') + and User_Aliases. Each list item may be prefixed with zero or more '!' + operators. An odd number of '!' operators negate the value of the + item; an even number just cancel each other out. + + A user name, group, netgroup or nonunix_group may be enclosed in double + quotes to avoid the need for escaping special characters. 
Alternately, + special characters may be specified in escaped hex mode, e.g. \x20 for + space. + + The nonunix_group syntax depends on the underlying implementation. For + instance, the QAS AD backend supports the following formats: - Runas_List ::= Runas_User | - Runas_User ',' Runas_List + +o Group in the same domain: "Group Name" - Runas_User ::= '!'* username | - '!'* '#'uid | - '!'* '%'group | - '!'* +netgroup | - '!'* Runas_Alias + +o Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN" + +o Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567" + Note that quotes around group names are optional. Unquoted strings + must use a backslash (\) to escape spaces and the '@' symbol. -1.6.9p16 May 8, 2008 2 + Runas_List ::= Runas_Member | + Runas_Member ',' Runas_List + + + +1.7.4 July 21, 2010 2 
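Review bot: The reworded User_List paragraph does not mention the new '%:'nonunix_group alternative that this hunk adds to the User production (it lists user names, uids, groups, netgroups and User_Aliases only), so a reader who skips the grammar will miss that non-Unix groups are accepted; add "non-Unix groups (prefixed with '%:')" to that sentence so prose and production agree. The change from "one or more" to "zero or more" '!' operators is a correct fix, since '!'* already permits none.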
@@ -136,64 +136,64 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - A Runas_List is similar to a User_List except that it can - also contain uids (prefixed with '#') and instead of - User_Aliases it can contain Runas_Aliases. Note that - usernames and groups are matched as strings. In other - words, two users (groups) with the same uid (gid) are con­ - sidered to be distinct. If you wish to match all user­ - names with the same uid (e.g. root and toor), you can use - a uid instead (#0 in the example given). + + Runas_Member ::= '!'* user name | + '!'* '#'uid | + '!'* '%'group | + '!'* +netgroup | + '!'* Runas_Alias + + A Runas_List is similar to a User_List except that instead of + User_Aliases it can contain Runas_Aliases. Note that user names and + groups are matched as strings. In other words, two users (groups) with + the same uid (gid) are considered to be distinct. If you wish to match + all user names with the same uid (e.g. root and toor), you can use a + uid instead (#0 in the example given). Host_List ::= Host | Host ',' Host_List - Host ::= '!'* hostname | + Host ::= '!'* host name | '!'* ip_addr | '!'* network(/netmask)? | '!'* '+'netgroup | '!'* Host_Alias - A Host_List is made up of one or more hostnames, IP - addresses, network numbers, netgroups (prefixed with '+') - and other aliases. Again, the value of an item may be - negated with the '!' operator. If you do not specify a - netmask along with the network number, ssuuddoo will query - each of the local host's network interfaces and, if the - network number corresponds to one of the hosts's network - interfaces, the corresponding netmask will be used. The - netmask may be specified either in standard IP address - notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or - CIDR notation (number of bits, e.g. 24 or 64). 
A hostname - may include shell-style wildcards (see the Wildcards sec­ - tion below), but unless the hostname command on your - machine returns the fully qualified hostname, you'll need - to use the _f_q_d_n option for wildcards to be useful. + A Host_List is made up of one or more host names, IP addresses, network + numbers, netgroups (prefixed with '+') and other aliases. Again, the + value of an item may be negated with the '!' operator. If you do not + specify a netmask along with the network number, ssuuddoo will query each + of the local host's network interfaces and, if the network number + corresponds to one of the hosts's network interfaces, the corresponding + netmask will be used. The netmask may be specified either in standard + IP address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or + CIDR notation (number of bits, e.g. 24 or 64). A host name may include + shell-style wildcards (see the Wildcards section below), but unless the + host name command on your machine returns the fully qualified host + name, you'll need to use the _f_q_d_n option for wildcards to be useful. + Note ssuuddoo only inspects actual network interfaces; this means that IP + address 127.0.0.1 (localhost) will never match. Also, the host name + "localhost" will only match if that is the actual host name, which is + usually only the case for non-networked systems. Cmnd_List ::= Cmnd | Cmnd ',' Cmnd_List - commandname ::= filename | - filename args | - filename '""' + commandname ::= file name | + file name args | + file name '""' Cmnd ::= '!'* commandname | '!'* directory | '!'* "sudoedit" | '!'* Cmnd_Alias - A Cmnd_List is a list of one or more commandnames, direc­ - tories, and other aliases. A commandname is a fully qual­ - ified filename which may include shell-style wildcards - (see the Wildcards section below). A simple filename - allows the user to run the command with any arguments - he/she wishes. 
However, you may also specify command line - arguments (including wildcards). Alternately, you can - specify "" to indicate that the command may only be run + A Cmnd_List is a list of one or more commandnames, directories, and + other aliases. A commandname is a fully qualified file name which may -1.6.9p16 May 8, 2008 3 +1.7.4 July 21, 2010 3 
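Review bot: In the new Runas_Member production the netgroup alternative is written '!'* +netgroup, with the '+' unquoted, while the User and Host productions in the same diff quote it as '!'* '+'netgroup; quote it here too so the grammar is consistent about which characters are literals. The reflowed Host_List paragraph also carries over the typo "hosts's network interfaces", which could be corrected to "host's" while the text is being rewritten.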
@@ -202,33 +202,36 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - wwiitthhoouutt command line arguments. A directory is a fully - qualified pathname ending in a '/'. When you specify a - directory in a Cmnd_List, the user will be able to run any - file within that directory (but not in any subdirectories - therein). - - If a Cmnd has associated command line arguments, then the - arguments in the Cmnd must match exactly those given by - the user on the command line (or match the wildcards if - there are any). Note that the following characters must - be escaped with a '\' if they are used in command argu­ - ments: ',', ':', '=', '\'. The special command "sudoedit" - is used to permit a user to run ssuuddoo with the --ee flag (or - as ssuuddooeeddiitt). It may take command line arguments just as - a normal command does. - - DDeeffaauullttss - - Certain configuration options may be changed from their - default values at runtime via one or more Default_Entry - lines. These may affect all users on any host, all users - on a specific host, a specific user, or commands being run - as a specific user. + include shell-style wildcards (see the Wildcards section below). A + simple file name allows the user to run the command with any arguments + he/she wishes. However, you may also specify command line arguments + (including wildcards). Alternately, you can specify "" to indicate + that the command may only be run wwiitthhoouutt command line arguments. A + directory is a fully qualified path name ending in a '/'. When you + specify a directory in a Cmnd_List, the user will be able to run any + file within that directory (but not in any subdirectories therein). + + If a Cmnd has associated command line arguments, then the arguments in + the Cmnd must match exactly those given by the user on the command line + (or match the wildcards if there are any). 
Note that the following + characters must be escaped with a '\' if they are used in command + arguments: ',', ':', '=', '\'. The special command "sudoedit" is used + to permit a user to run ssuuddoo with the --ee option (or as ssuuddooeeddiitt). It + may take command line arguments just as a normal command does. + + DDeeffaauullttss + Certain configuration options may be changed from their default values + at runtime via one or more Default_Entry lines. These may affect all + users on any host, all users on a specific host, a specific user, a + specific command, or commands being run as a specific user. Note that + per-command entries may not include command line arguments. If you + need to specify arguments, define a Cmnd_Alias and reference that + instead. Default_Type ::= 'Defaults' | 'Defaults' '@' Host_List | 'Defaults' ':' User_List | + 'Defaults' '!' Cmnd_List | 'Defaults' '>' Runas_List Default_Entry ::= Default_Type Parameter_List 
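Review bot: The new restriction that per-command Defaults "may not include command line arguments" is stated only in prose, while the added production 'Defaults' '!' Cmnd_List reuses Cmnd_List, whose commandname members may carry args according to the productions above; the grammar therefore promises more than the parser accepts. Either reference a Cmnd form without args in that production or add a short note beside it pointing to the Cmnd_Alias workaround, so the grammar and the paragraph agree.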
@@ -241,25 +244,22 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Parameter '-=' Value | '!'* Parameter - Parameters may be ffllaaggss, iinntteeggeerr values, ssttrriinnggss, or - lliissttss. Flags are implicitly boolean and can be turned off - via the '!' operator. Some integer, string and list - parameters may also be used in a boolean context to dis­ - able them. Values may be enclosed in double quotes (") - when they contain multiple words. Special characters may - be escaped with a backslash (\). + Parameters may be ffllaaggss, iinntteeggeerr values, ssttrriinnggss, or lliissttss. Flags are + implicitly boolean and can be turned off via the '!' operator. Some + integer, string and list parameters may also be used in a boolean + context to disable them. Values may be enclosed in double quotes (") + when they contain multiple words. Special characters may be escaped + with a backslash (\). - Lists have two additional assignment operators, += and -=. - These operators are used to add to and delete from a list - respectively. It is not an error to use the -= operator - to remove an element that does not exist in a list. + Lists have two additional assignment operators, += and -=. These + operators are used to add to and delete from a list respectively. It + is not an error to use the -= operator to remove an element that does + not exist in a list. - See "SUDOERS OPTIONS" for a list of supported Defaults - parameters. -1.6.9p16 May 8, 2008 4 +1.7.4 July 21, 2010 4 
@@ -268,262 +268,328 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - UUsseerr SSppeecciiffiiccaattiioonn + Defaults entries are parsed in the following order: generic, host and + user Defaults first, then runas Defaults and finally command defaults. + See "SUDOERS OPTIONS" for a list of supported Defaults parameters. + + UUsseerr SSppeecciiffiiccaattiioonn User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \ (':' Host_List '=' Cmnd_Spec_List)* Cmnd_Spec_List ::= Cmnd_Spec | Cmnd_Spec ',' Cmnd_Spec_List - Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd + Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd + + Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')' - Runas_Spec ::= '(' Runas_List ')' + SELinux_Spec ::= ('ROLE=role' | 'TYPE=type') Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | - 'SETENV:' | 'NOSETENV:') + 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' | + 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:') + + A uusseerr ssppeecciiffiiccaattiioonn determines which commands a user may run (and as + what user) on specified hosts. By default, commands are run as rroooott, + but this can be changed on a per-command basis. + + The basic structure of a user specification is `who = where (as_whom) + what'. Let's break that down into its constituent parts: + + RRuunnaass__SSppeecc + A Runas_Spec determines the user and/or the group that a command may be + run as. A fully-specified Runas_Spec consists of two Runas_Lists (as + defined above) separated by a colon (':') and enclosed in a set of + parentheses. The first Runas_List indicates which users the command + may be run as via ssuuddoo's --uu option. The second defines a list of + groups that can be specified via ssuuddoo's --gg option. If both Runas_Lists + are specified, the command may be run with any combination of users and + groups listed in their respective Runas_Lists. 
If only the first is + specified, the command may be run as any user in the list but no --gg + option may be specified. If the first Runas_List is empty but the + second is specified, the command may be run as the invoking user with + the group set to any listed in the Runas_List. If no Runas_Spec is + specified the command may be run as rroooott and no group may be specified. + + A Runas_Spec sets the default for the commands that follow it. What + this means is that for the entry: + + dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm - A uusseerr ssppeecciiffiiccaattiioonn determines which commands a user may - run (and as what user) on specified hosts. By default, - commands are run as rroooott, but this can be changed on a - per-command basis. + The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m -- but only + as ooppeerraattoorr. E.g., - Let's break that down into its constituent parts: + $ sudo -u operator /bin/ls. - RRuunnaass__SSppeecc - A Runas_Spec is simply a Runas_List (as defined above) - enclosed in a set of parentheses. If you do not specify a - Runas_Spec in the user specification, a default Runas_Spec - of rroooott will be used. A Runas_Spec sets the default for - commands that follow it. What this means is that for the - entry: - dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm - The user ddggbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m - -- but only as ooppeerraattoorr. E.g., +1.7.4 July 21, 2010 5 - $ sudo -u operator /bin/ls. - It is also possible to override a Runas_Spec later on in - an entry. If we modify the entry like so: - dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm - Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, - but _/_b_i_n_/_k_i_l_l and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott. 
- TTaagg__SSppeecc +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - A command may have zero or more tags associated with it. - There are six possible tag values, NOPASSWD, PASSWD, - NOEXEC, EXEC, SETENV and NOSETENV. Once a tag is set on a - Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit the - tag unless it is overridden by the opposite tag (i.e.: - PASSWD overrides NOPASSWD and NOEXEC overrides EXEC). + It is also possible to override a Runas_Spec later on in an entry. If + we modify the entry like so: + dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm -1.6.9p16 May 8, 2008 5 + Then user ddggbb is now allowed to run _/_b_i_n_/_l_s as ooppeerraattoorr, but _/_b_i_n_/_k_i_l_l + and _/_u_s_r_/_b_i_n_/_l_p_r_m as rroooott. + We can extend this to allow ddggbb to run /bin/ls with either the user or + group set to ooppeerraattoorr: + dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \ + /usr/bin/lprm + In the following example, user ttccmm may run commands that access a modem + device file with the dialer group. Note that in this example only the + group will be set, the command still runs as user ttccmm. + tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \ + /usr/local/bin/minicom -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + SSEELLiinnuuxx__SSppeecc + On systems with SELinux support, _s_u_d_o_e_r_s entries may optionally have an + SELinux role and/or type associated with a command. If a role or type + is specified with the command it will override any default values + specified in _s_u_d_o_e_r_s. A role or type specified on the command line, + however, will supercede the values in _s_u_d_o_e_r_s. + TTaagg__SSppeecc + A command may have zero or more tags associated with it. There are + eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, + NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. 
Once a + tag is set on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit + the tag unless it is overridden by the opposite tag (i.e.: PASSWD + overrides NOPASSWD and NOEXEC overrides EXEC). _N_O_P_A_S_S_W_D _a_n_d _P_A_S_S_W_D - By default, ssuuddoo requires that a user authenticate him or - herself before running a command. This behavior can be - modified via the NOPASSWD tag. Like a Runas_Spec, the - NOPASSWD tag sets a default for the commands that follow - it in the Cmnd_Spec_List. Conversely, the PASSWD tag can - be used to reverse things. For example: + By default, ssuuddoo requires that a user authenticate him or herself + before running a command. This behavior can be modified via the + NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for + the commands that follow it in the Cmnd_Spec_List. Conversely, the + PASSWD tag can be used to reverse things. For example: ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm - would allow the user rraayy to run _/_b_i_n_/_k_i_l_l, _/_b_i_n_/_l_s, and - _/_u_s_r_/_b_i_n_/_l_p_r_m as root on the machine rushmore as rroooott - without authenticating himself. If we only want rraayy to be - able to run _/_b_i_n_/_k_i_l_l without a password the entry would - be: + would allow the user rraayy to run _/_b_i_n_/_k_i_l_l, _/_b_i_n_/_l_s, and _/_u_s_r_/_b_i_n_/_l_p_r_m + as rroooott on the machine rushmore without authenticating himself. If we + only want rraayy to be able to run _/_b_i_n_/_k_i_l_l without a password the entry + would be: ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm - Note, however, that the PASSWD tag has no effect on users - who are in the group specified by the _e_x_e_m_p_t___g_r_o_u_p option. + Note, however, that the PASSWD tag has no effect on users who are in + + + +1.7.4 July 21, 2010 6 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + + the group specified by the _e_x_e_m_p_t___g_r_o_u_p option. 
- By default, if the NOPASSWD tag is applied to any of the - entries for a user on the current host, he or she will be - able to run sudo -l without a password. Additionally, a - user may only run sudo -v without a password if the - NOPASSWD tag is present for all a user's entries that per­ - tain to the current host. This behavior may be overridden - via the verifypw and listpw options. + By default, if the NOPASSWD tag is applied to any of the entries for a + user on the current host, he or she will be able to run sudo -l without + a password. Additionally, a user may only run sudo -v without a + password if the NOPASSWD tag is present for all a user's entries that + pertain to the current host. This behavior may be overridden via the + verifypw and listpw options. _N_O_E_X_E_C _a_n_d _E_X_E_C - If ssuuddoo has been compiled with _n_o_e_x_e_c support and the - underlying operating system supports it, the NOEXEC tag - can be used to prevent a dynamically-linked executable - from running further commands itself. + If ssuuddoo has been compiled with _n_o_e_x_e_c support and the underlying + operating system supports it, the NOEXEC tag can be used to prevent a + dynamically-linked executable from running further commands itself. - In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e - and _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled. + In the following example, user aaaarroonn may run _/_u_s_r_/_b_i_n_/_m_o_r_e and + _/_u_s_r_/_b_i_n_/_v_i but shell escapes will be disabled. aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi - See the "PREVENTING SHELL ESCAPES" section below for more - details on how NOEXEC works and whether or not it will - work on your system. + See the "PREVENTING SHELL ESCAPES" section below for more details on + how NOEXEC works and whether or not it will work on your system. _S_E_T_E_N_V _a_n_d _N_O_S_E_T_E_N_V - These tags override the value of the _s_e_t_e_n_v option on a - per-command basis. 
Note that if SETENV has been set for a - command, any environment variables set on the command line - way are not subject to the restrictions imposed by - _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or _e_n_v___k_e_e_p. As such, only trusted - users should be allowed to set variables in this manner. + These tags override the value of the _s_e_t_e_n_v option on a per-command + basis. Note that if SETENV has been set for a command, any environment + variables set on the command line way are not subject to the + restrictions imposed by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or _e_n_v___k_e_e_p. As such, + only trusted users should be allowed to set variables in this manner. + If the command matched is AALLLL, the SETENV tag is implied for that + command; this default may be overridden by use of the NOSETENV tag. + _L_O_G___I_N_P_U_T _a_n_d _N_O_L_O_G___I_N_P_U_T + These tags override the value of the _l_o_g___i_n_p_u_t option on a per-command + basis. For more information, see the description of _l_o_g___i_n_p_u_t in the + "SUDOERS OPTIONS" section below. -1.6.9p16 May 8, 2008 6 + _L_O_G___O_U_T_P_U_T _a_n_d _N_O_L_O_G___O_U_T_P_U_T + These tags override the value of the _l_o_g___o_u_t_p_u_t option on a per-command + basis. For more information, see the description of _l_o_g___o_u_t_p_u_t in the + "SUDOERS OPTIONS" section below. + WWiillddccaarrddss + ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob characters) to be + used in host names, path names and command line arguments in the + _s_u_d_o_e_r_s file. Wildcard matching is done via the PPOOSSIIXX _g_l_o_b(3) and + _f_n_m_a_t_c_h(3) routines. Note that these are _n_o_t regular expressions. + + * Matches any set of zero or more characters. + ? Matches any single character. -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +1.7.4 July 21, 2010 7 - If the command matched is AALLLL, the SETENV tag is implied - for that command; this default may be overridden by use of - the UNSETENV tag. 
- WWiillddccaarrddss - ssuuddoo allows shell-style _w_i_l_d_c_a_r_d_s (aka meta or glob char­ - acters) to be used in pathnames as well as command line - arguments in the _s_u_d_o_e_r_s file. Wildcard matching is done - via the PPOOSSIIXX _f_n_m_a_t_c_h(3) routine. Note that these are _n_o_t - regular expressions. - * Matches any set of zero or more characters. - ? Matches any single character. +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + [...] Matches any character in the specified range. [!...] Matches any character nnoott in the specified range. - \x For any character "x", evaluates to "x". This is - used to escape special characters such as: "*", - "?", "[", and "}". + \x For any character "x", evaluates to "x". This is used to + escape special characters such as: "*", "?", "[", and "}". + + POSIX character classes may also be used if your system's _g_l_o_b(3) and + _f_n_m_a_t_c_h(3) functions support them. However, because the ':' character + has special meaning in _s_u_d_o_e_r_s, it must be escaped. For example: + + /bin/ls [[\:alpha\:]]* - Note that a forward slash ('/') will nnoott be matched by - wildcards used in the pathname. When matching the command - line arguments, however, a slash ddooeess get matched by wild­ - cards. This is to make a path like: + Would match any file name beginning with a letter. + + Note that a forward slash ('/') will nnoott be matched by wildcards used + in the path name. When matching the command line arguments, however, a + slash ddooeess get matched by wildcards. This is to make a path like: /usr/bin/* match _/_u_s_r_/_b_i_n_/_w_h_o but not _/_u_s_r_/_b_i_n_/_X_1_1_/_x_t_e_r_m. - EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess - + EExxcceeppttiioonnss ttoo wwiillddccaarrdd rruulleess The following exceptions apply to the above rules: - "" If the empty string "" is the only command line - argument in the _s_u_d_o_e_r_s entry it means that com­ - mand is not allowed to be run with aannyy arguments. 
+ "" If the empty string "" is the only command line argument in the + _s_u_d_o_e_r_s entry it means that command is not allowed to be run + with aannyy arguments. - OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss + IInncclluuddiinngg ootthheerr ffiilleess ffrroomm wwiitthhiinn ssuuddooeerrss + It is possible to include other _s_u_d_o_e_r_s files from within the _s_u_d_o_e_r_s + file currently being parsed using the #include and #includedir + directives. - The pound sign ('#') is used to indicate a comment (unless - it is part of a #include directive or unless it occurs in - the context of a user name and is followed by one or more - digits, in which case it is treated as a uid). Both the - comment character and any text after it, up to the end of - the line, are ignored. + This can be used, for example, to keep a site-wide _s_u_d_o_e_r_s file in + addition to a local, per-machine file. For the sake of this example + the site-wide _s_u_d_o_e_r_s will be _/_e_t_c_/_s_u_d_o_e_r_s and the per-machine one will + be _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. To include _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l from within + _/_e_t_c_/_s_u_d_o_e_r_s we would use the following line in _/_e_t_c_/_s_u_d_o_e_r_s: - The reserved word AALLLL is a built-in _a_l_i_a_s that always - causes a match to succeed. It can be used wherever one - might otherwise use a Cmnd_Alias, User_Alias, Runas_Alias, - or Host_Alias. You should not try to define your own + #include /etc/sudoers.local + When ssuuddoo reaches this line it will suspend processing of the current + file (_/_e_t_c_/_s_u_d_o_e_r_s) and switch to _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l. Upon reaching + the end of _/_e_t_c_/_s_u_d_o_e_r_s_._l_o_c_a_l, the rest of _/_e_t_c_/_s_u_d_o_e_r_s will be + processed. Files that are included may themselves include other files. + A hard limit of 128 nested include files is enforced to prevent include + file loops. 
+ The file name may include the %h escape, signifying the short form of + the host name. I.e., if the machine's host name is "xerxes", then -1.6.9p16 May 8, 2008 7 + #include /etc/sudoers.%h +1.7.4 July 21, 2010 8 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - - _a_l_i_a_s called AALLLL as the built-in alias will be used in - preference to your own. Please note that using AALLLL can be - dangerous since in a command context, it allows the user - to run aannyy command on the system. - An exclamation point ('!') can be used as a logical _n_o_t - operator both in an _a_l_i_a_s and in front of a Cmnd. This - allows one to exclude certain values. Note, however, that - using a ! in conjunction with the built-in ALL alias to - allow a user to run "all but a few" commands rarely works - as intended (see SECURITY NOTES below). - Long lines can be continued with a backslash ('\') as the - last character on the line. +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - Whitespace between elements in a list as well as special - syntactic characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n ('=', ':', - '(', ')') is optional. - The following characters must be escaped with a backslash - ('\') when used as part of a word (e.g. a username or - hostname): '@', '!', '=', ':', ',', '(', ')', '\'. + will cause ssuuddoo to include the file _/_e_t_c_/_s_u_d_o_e_r_s_._x_e_r_x_e_s. + + The #includedir directive can be used to create a _s_u_d_o_._d directory that + the system package manager can drop _s_u_d_o_e_r_s rules into as part of + package installation. For example, given: + + #includedir /etc/sudoers.d + + ssuuddoo will read each file in _/_e_t_c_/_s_u_d_o_e_r_s_._d, skipping file names that + end in ~ or contain a . character to avoid causing problems with + package manager or editor temporary/backup files. Files are parsed in + sorted lexical order. That is, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_0_1___f_i_r_s_t will be parsed + before _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. 
Be aware that because the sorting is + lexical, not numeric, _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1___w_h_o_o_p_s would be loaded aafftteerr + _/_e_t_c_/_s_u_d_o_e_r_s_._d_/_1_0___s_e_c_o_n_d. Using a consistent number of leading zeroes + in the file names can be used to avoid such problems. + + Note that unlike files included via #include, vviissuuddoo will not edit the + files in a #includedir directory unless one of them contains a syntax + error. It is still possible to run vviissuuddoo with the -f flag to edit the + files directly. + + OOtthheerr ssppeecciiaall cchhaarraacctteerrss aanndd rreesseerrvveedd wwoorrddss + The pound sign ('#') is used to indicate a comment (unless it is part + of a #include directive or unless it occurs in the context of a user + name and is followed by one or more digits, in which case it is treated + as a uid). Both the comment character and any text after it, up to the + end of the line, are ignored. + + The reserved word AALLLL is a built-in _a_l_i_a_s that always causes a match to + succeed. It can be used wherever one might otherwise use a Cmnd_Alias, + User_Alias, Runas_Alias, or Host_Alias. You should not try to define + your own _a_l_i_a_s called AALLLL as the built-in alias will be used in + preference to your own. Please note that using AALLLL can be dangerous + since in a command context, it allows the user to run aannyy command on + the system. + + An exclamation point ('!') can be used as a logical _n_o_t operator both + in an _a_l_i_a_s and in front of a Cmnd. This allows one to exclude certain + values. Note, however, that using a ! in conjunction with the built-in + ALL alias to allow a user to run "all but a few" commands rarely works + as intended (see SECURITY NOTES below). -SSUUDDOOEERRSS OOPPTTIIOONNSS - ssuuddoo's behavior can be modified by Default_Entry lines, as - explained earlier. A list of all supported Defaults - parameters, grouped by type, are listed below. 
+ Long lines can be continued with a backslash ('\') as the last + character on the line. - FFllaaggss: + Whitespace between elements in a list as well as special syntactic + characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n ('=', ':', '(', ')') is optional. - always_set_home If set, ssuuddoo will set the HOME environment - variable to the home directory of the tar­ - get user (which is root unless the --uu - option is used). This effectively means - that the --HH flag is always implied. This - flag is _o_f_f by default. + The following characters must be escaped with a backslash ('\') when + used as part of a word (e.g. a user name or host name): '@', '!', '=', + ':', ',', '(', ')', '\'. - authenticate If set, users must authenticate themselves - via a password (or other means of authen­ - tication) before they may run commands. - This default may be overridden via the - PASSWD and NOPASSWD tags. This flag is _o_n - by default. - env_editor If set, vviissuuddoo will use the value of the - EDITOR or VISUAL environment variables - before falling back on the default editor - list. Note that this may create a secu­ - rity hole as it allows the user to run any - arbitrary command as root without logging. - A safer alternative is to place a colon- - separated list of editors in the editor - variable. vviissuuddoo will then only use the - EDITOR or VISUAL if they match a value -1.6.9p16 May 8, 2008 8 +1.7.4 July 21, 2010 9 
@@ -532,64 +598,64 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - specified in editor. This flag is _o_f_f by +SSUUDDOOEERRSS OOPPTTIIOONNSS + ssuuddoo's behavior can be modified by Default_Entry lines, as explained + earlier. A list of all supported Defaults parameters, grouped by type, + are listed below. + + BBoooolleeaann FFllaaggss: + + always_set_home If enabled, ssuuddoo will set the HOME environment variable + to the home directory of the target user (which is root + unless the --uu option is used). This effectively means + that the --HH option is always implied. Note that HOME + is already set when the the _e_n_v___r_e_s_e_t option is + enabled, so _a_l_w_a_y_s___s_e_t___h_o_m_e is only effective for + configurations where _e_n_v___r_e_s_e_t is disabled. This flag + is _o_f_f by default. + + authenticate If set, users must authenticate themselves via a + password (or other means of authentication) before they + may run commands. This default may be overridden via + the PASSWD and NOPASSWD tags. This flag is _o_n by default. - env_reset If set, ssuuddoo will reset the environment to - only contain the LOGNAME, SHELL, USER, - USERNAME and the SUDO_* variables. Any - variables in the caller's environment that - match the env_keep and env_check lists are - then added. The default contents of the - env_keep and env_check lists are displayed - when ssuuddoo is run by root with the _-_V - option. If ssuuddoo was compiled with the - SECURE_PATH option, its value will be used - for the PATH environment variable. This - flag is _o_n by default. + closefrom_override + If set, the user may use ssuuddoo's --CC option which + overrides the default starting point at which ssuuddoo + begins closing open file descriptors. This flag is _o_f_f + by default. - fqdn Set this flag if you want to put fully - qualified hostnames in the _s_u_d_o_e_r_s file. - I.e., instead of myhost you would use - myhost.mydomain.edu. 
You may still use - the short form if you wish (and even mix - the two). Beware that turning on _f_q_d_n - requires ssuuddoo to make DNS lookups which - may make ssuuddoo unusable if DNS stops work­ - ing (for example if the machine is not - plugged into the network). Also note that - you must use the host's official name as - DNS knows it. That is, you may not use a - host alias (CNAME entry) due to perfor­ - mance issues and the fact that there is no - way to get all aliases from DNS. If your - machine's hostname (as returned by the - hostname command) is already fully quali­ - fied you shouldn't need to set _f_q_d_n. This - flag is _o_f_f by default. + compress_io If set, and ssuuddoo is configured to log a command's input + or output, the I/O logs will be compressed using zzlliibb. + This flag is _o_n by default when ssuuddoo is compiled with + zzlliibb support. - ignore_dot If set, ssuuddoo will ignore '.' or '' (cur­ - rent dir) in the PATH environment vari­ - able; the PATH itself is not modified. - This flag is _o_f_f by default. Currently, - while it is possible to set _i_g_n_o_r_e___d_o_t in - _s_u_d_o_e_r_s, its value is not used. This - option should be considered read-only (it - will be fixed in a future version of - ssuuddoo). + env_editor If set, vviissuuddoo will use the value of the EDITOR or + VISUAL environment variables before falling back on the + default editor list. Note that this may create a + security hole as it allows the user to run any + arbitrary command as root without logging. A safer + alternative is to place a colon-separated list of + editors in the editor variable. vviissuuddoo will then only + use the EDITOR or VISUAL if they match a value + specified in editor. This flag is _o_f_f by default. - ignore_local_sudoers - If set via LDAP, parsing of _/_e_t_c_/_s_u_d_o_e_r_s - will be skipped. This is intended for - Enterprises that wish to prevent the usage - of local sudoers files so that only LDAP - is used. 
This thwarts the efforts of - rogue operators who would attempt to add - roles to _/_e_t_c_/_s_u_d_o_e_r_s. When this option + env_reset If set, ssuuddoo will reset the environment to only contain + the LOGNAME, MAIL, SHELL, USER, USERNAME and the SUDO_* + variables. Any variables in the caller's environment + that match the env_keep and env_check lists are then + added. The default contents of the env_keep and + env_check lists are displayed when ssuuddoo is run by root + with the _-_V option. If the _s_e_c_u_r_e___p_a_t_h option is set, + its value will be used for the PATH environment + variable. This flag is _o_n by default. + + fast_glob Normally, ssuuddoo uses the _g_l_o_b(3) function to do shell- -1.6.9p16 May 8, 2008 9 +1.7.4 July 21, 2010 10 
@@ -598,262 +664,328 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - is present, _/_e_t_c_/_s_u_d_o_e_r_s does not even - need to exist. Since this option tells - ssuuddoo how to behave when no specific LDAP - entries have been matched, this sudoOption - is only meaningful for the cn=defaults - section. This flag is _o_f_f by default. + style globbing when matching path names. However, + since it accesses the file system, _g_l_o_b(3) can take a + long time to complete for some patterns, especially + when the pattern references a network file system that + is mounted on demand (automounted). The _f_a_s_t___g_l_o_b + option causes ssuuddoo to use the _f_n_m_a_t_c_h(3) function, + which does not access the file system to do its + matching. The disadvantage of _f_a_s_t___g_l_o_b is that it is + unable to match relative path names such as _._/_l_s or + _._._/_b_i_n_/_l_s. This has security implications when path + names that include globbing characters are used with + the negation operator, '!', as such rules can be + trivially bypassed. As such, this option should not be + used when _s_u_d_o_e_r_s contains rules that contain negated + path names which include globbing characters. This + flag is _o_f_f by default. - insults If set, ssuuddoo will insult users when they - enter an incorrect password. This flag is + fqdn Set this flag if you want to put fully qualified host + names in the _s_u_d_o_e_r_s file. I.e., instead of myhost you + would use myhost.mydomain.edu. You may still use the + short form if you wish (and even mix the two). Beware + that turning on _f_q_d_n requires ssuuddoo to make DNS lookups + which may make ssuuddoo unusable if DNS stops working (for + example if the machine is not plugged into the + network). Also note that you must use the host's + official name as DNS knows it. 
That is, you may not + use a host alias (CNAME entry) due to performance + issues and the fact that there is no way to get all + aliases from DNS. If your machine's host name (as + returned by the hostname command) is already fully + qualified you shouldn't need to set _f_q_d_n. This flag is _o_f_f by default. - log_host If set, the hostname will be logged in the - (non-syslog) ssuuddoo log file. This flag is + ignore_dot If set, ssuuddoo will ignore '.' or '' (current dir) in the + PATH environment variable; the PATH itself is not + modified. This flag is _o_f_f by default. + + ignore_local_sudoers + If set via LDAP, parsing of _/_e_t_c_/_s_u_d_o_e_r_s will be + skipped. This is intended for Enterprises that wish to + prevent the usage of local sudoers files so that only + LDAP is used. This thwarts the efforts of rogue + operators who would attempt to add roles to + _/_e_t_c_/_s_u_d_o_e_r_s. When this option is present, + _/_e_t_c_/_s_u_d_o_e_r_s does not even need to exist. Since this + option tells ssuuddoo how to behave when no specific LDAP + entries have been matched, this sudoOption is only + meaningful for the cn=defaults section. This flag is _o_f_f by default. - log_year If set, the four-digit year will be logged - in the (non-syslog) ssuuddoo log file. This - flag is _o_f_f by default. + insults If set, ssuuddoo will insult users when they enter an + incorrect password. This flag is _o_f_f by default. - long_otp_prompt When validating with a One Time Password - (OPT) scheme such as SS//KKeeyy or OOPPIIEE, a two- - line prompt is used to make it easier to - cut and paste the challenge to a local - window. It's not as pretty as the default - but some people find it more convenient. - This flag is _o_f_f by default. + log_host If set, the host name will be logged in the (non- - mail_always Send mail to the _m_a_i_l_t_o user every time a - users runs ssuuddoo. This flag is _o_f_f by - default. 
- mail_badpass Send mail to the _m_a_i_l_t_o user if the user - running ssuuddoo does not enter the correct - password. This flag is _o_f_f by default. - mail_no_host If set, mail will be sent to the _m_a_i_l_t_o - user if the invoking user exists in the - _s_u_d_o_e_r_s file, but is not allowed to run - commands on the current host. This flag - is _o_f_f by default. +1.7.4 July 21, 2010 11 - mail_no_perms If set, mail will be sent to the _m_a_i_l_t_o - user if the invoking user is allowed to - use ssuuddoo but the command they are trying - is not listed in their _s_u_d_o_e_r_s file entry - or is explicitly denied. This flag is _o_f_f - by default. - mail_no_user If set, mail will be sent to the _m_a_i_l_t_o - user if the invoking user is not in the - _s_u_d_o_e_r_s file. This flag is _o_n by default. - noexec If set, all commands run via ssuuddoo will - behave as if the NOEXEC tag has been set, +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9p16 May 8, 2008 10 + syslog) ssuuddoo log file. This flag is _o_f_f by default. + log_year If set, the four-digit year will be logged in the (non- + syslog) ssuuddoo log file. This flag is _o_f_f by default. + long_otp_prompt When validating with a One Time Password (OPT) scheme + such as SS//KKeeyy or OOPPIIEE, a two-line prompt is used to + make it easier to cut and paste the challenge to a + local window. It's not as pretty as the default but + some people find it more convenient. This flag is _o_f_f + by default. + mail_always Send mail to the _m_a_i_l_t_o user every time a users runs + ssuuddoo. This flag is _o_f_f by default. -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + mail_badpass Send mail to the _m_a_i_l_t_o user if the user running ssuuddoo + does not enter the correct password. This flag is _o_f_f + by default. + mail_no_host If set, mail will be sent to the _m_a_i_l_t_o user if the + invoking user exists in the _s_u_d_o_e_r_s file, but is not + allowed to run commands on the current host. 
This flag + is _o_f_f by default. - unless overridden by a EXEC tag. See the - description of _N_O_E_X_E_C _a_n_d _E_X_E_C below as - well as the "PREVENTING SHELL ESCAPES" - section at the end of this manual. This - flag is _o_f_f by default. + mail_no_perms If set, mail will be sent to the _m_a_i_l_t_o user if the + invoking user is allowed to use ssuuddoo but the command + they are trying is not listed in their _s_u_d_o_e_r_s file + entry or is explicitly denied. This flag is _o_f_f by + default. - path_info Normally, ssuuddoo will tell the user when a - command could not be found in their PATH - environment variable. Some sites may wish - to disable this as it could be used to - gather information on the location of exe­ - cutables that the normal user does not - have access to. The disadvantage is that - if the executable is simply not in the - user's PATH, ssuuddoo will tell the user that - they are not allowed to run it, which can - be confusing. This flag is _o_n by default. + mail_no_user If set, mail will be sent to the _m_a_i_l_t_o user if the + invoking user is not in the _s_u_d_o_e_r_s file. This flag is + _o_n by default. + + noexec If set, all commands run via ssuuddoo will behave as if the + NOEXEC tag has been set, unless overridden by a EXEC + tag. See the description of _N_O_E_X_E_C _a_n_d _E_X_E_C below as + well as the "PREVENTING SHELL ESCAPES" section at the + end of this manual. This flag is _o_f_f by default. + + path_info Normally, ssuuddoo will tell the user when a command could + not be found in their PATH environment variable. Some + sites may wish to disable this as it could be used to + gather information on the location of executables that + the normal user does not have access to. The + disadvantage is that if the executable is simply not in + the user's PATH, ssuuddoo will tell the user that they are + not allowed to run it, which can be confusing. This + flag is _o_n by default. 
passprompt_override - The password prompt specified by - _p_a_s_s_p_r_o_m_p_t will normally only be used if - the passwod prompt provided by systems - such as PAM matches the string "Pass­ - word:". If _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e is set, - _p_a_s_s_p_r_o_m_p_t will always be used. This flag - is _o_f_f by default. + The password prompt specified by _p_a_s_s_p_r_o_m_p_t will + normally only be used if the password prompt provided + by systems such as PAM matches the string "Password:". - preserve_groups By default ssuuddoo will initialize the group - vector to the list of groups the target - user is in. When _p_r_e_s_e_r_v_e___g_r_o_u_p_s is set, - the user's existing group vector is left - unaltered. The real and effective group - IDs, however, are still set to match the - target user. This flag is _o_f_f by default. - - requiretty If set, ssuuddoo will only run when the user - is logged in to a real tty. This will - disallow things like "rsh somehost sudo - ls" since _r_s_h(1) does not allocate a tty. - Because it is not possible to turn off - echo when there is no tty present, some - sites may wish to set this flag to prevent - a user from entering a visible password. - This flag is _o_f_f by default. - root_sudo If set, root is allowed to run ssuuddoo too. - Disabling this prevents users from "chain­ - ing" ssuuddoo commands to get a root shell by - doing something like "sudo sudo /bin/sh". - Note, however, that turning off _r_o_o_t___s_u_d_o - will also prevent root and from running - ssuuddooeeddiitt. Disabling _r_o_o_t___s_u_d_o provides no - real additional security; it exists purely - for historical reasons. This flag is _o_n +1.7.4 July 21, 2010 12 -1.6.9p16 May 8, 2008 11 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + If _p_a_s_s_p_r_o_m_p_t___o_v_e_r_r_i_d_e is set, _p_a_s_s_p_r_o_m_p_t will always + be used. This flag is _o_f_f by default. 
+ + preserve_groups By default, ssuuddoo will initialize the group vector to + the list of groups the target user is in. When + _p_r_e_s_e_r_v_e___g_r_o_u_p_s is set, the user's existing group + vector is left unaltered. The real and effective group + IDs, however, are still set to match the target user. + This flag is _o_f_f by default. + pwfeedback By default, ssuuddoo reads the password like most other + Unix programs, by turning off echo until the user hits + the return (or enter) key. Some users become confused + by this as it appears to them that ssuuddoo has hung at + this point. When _p_w_f_e_e_d_b_a_c_k is set, ssuuddoo will provide + visual feedback when the user presses a key. Note that + this does have a security impact as an onlooker may be + able to determine the length of the password being + entered. This flag is _o_f_f by default. + + requiretty If set, ssuuddoo will only run when the user is logged in + to a real tty. When this flag is set, ssuuddoo can only be + run from a login session and not via other means such + as _c_r_o_n(1m) or cgi-bin scripts. This flag is _o_f_f by + default. + root_sudo If set, root is allowed to run ssuuddoo too. Disabling + this prevents users from "chaining" ssuuddoo commands to + get a root shell by doing something like "sudo sudo + /bin/sh". Note, however, that turning off _r_o_o_t___s_u_d_o + will also prevent root from running ssuuddooeeddiitt. + Disabling _r_o_o_t___s_u_d_o provides no real additional + security; it exists purely for historical reasons. + This flag is _o_n by default. + + rootpw If set, ssuuddoo will prompt for the root password instead + of the password of the invoking user. This flag is _o_f_f by default. - rootpw If set, ssuuddoo will prompt for the root - password instead of the password of the - invoking user. This flag is _o_f_f by - default. 
+ runaspw If set, ssuuddoo will prompt for the password of the user + defined by the _r_u_n_a_s___d_e_f_a_u_l_t option (defaults to root) + instead of the password of the invoking user. This + flag is _o_f_f by default. + + set_home If enabled and ssuuddoo is invoked with the --ss option the + HOME environment variable will be set to the home + directory of the target user (which is root unless the + --uu option is used). This effectively makes the --ss + option imply --HH. Note that HOME is already set when + the the _e_n_v___r_e_s_e_t option is enabled, so _s_e_t___h_o_m_e is + only effective for configurations where _e_n_v___r_e_s_e_t is + disabled. This flag is _o_f_f by default. + + set_logname Normally, ssuuddoo will set the LOGNAME, USER and USERNAME + + + +1.7.4 July 21, 2010 13 + - runaspw If set, ssuuddoo will prompt for the password - of the user defined by the _r_u_n_a_s___d_e_f_a_u_l_t - option (defaults to root) instead of the - password of the invoking user. This flag - is _o_f_f by default. - set_home If set and ssuuddoo is invoked with the --ss - flag the HOME environment variable will be - set to the home directory of the target - user (which is root unless the --uu option - is used). This effectively makes the --ss - flag imply --HH. This flag is _o_f_f by - default. - set_logname Normally, ssuuddoo will set the LOGNAME, USER - and USERNAME environment variables to the - name of the target user (usually root - unless the --uu flag is given). However, - since some programs (including the RCS - revision control system) use LOGNAME to - determine the real identity of the user, - it may be desirable to change this behav­ - ior. This can be done by negating the - set_logname option. Note that if the - _e_n_v___r_e_s_e_t option has not been disabled, - entries in the _e_n_v___k_e_e_p list will override - the value of _s_e_t___l_o_g_n_a_m_e. This flag is - _o_f_f by default. 
- setenv Allow the user to disable the _e_n_v___r_e_s_e_t - option from the command line. Addition­ - ally, environment variables set via the - command line are not subject to the - restrictions imposed by _e_n_v___c_h_e_c_k, - _e_n_v___d_e_l_e_t_e, or _e_n_v___k_e_e_p. As such, only - trusted users should be allowed to set - variables in this manner. This flag is +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + + environment variables to the name of the target user + (usually root unless the --uu option is given). However, + since some programs (including the RCS revision control + system) use LOGNAME to determine the real identity of + the user, it may be desirable to change this behavior. + This can be done by negating the set_logname option. + Note that if the _e_n_v___r_e_s_e_t option has not been + disabled, entries in the _e_n_v___k_e_e_p list will override + the value of _s_e_t___l_o_g_n_a_m_e. This flag is _o_n by default. + + setenv Allow the user to disable the _e_n_v___r_e_s_e_t option from the + command line. Additionally, environment variables set + via the command line are not subject to the + restrictions imposed by _e_n_v___c_h_e_c_k, _e_n_v___d_e_l_e_t_e, or + _e_n_v___k_e_e_p. As such, only trusted users should be + allowed to set variables in this manner. This flag is _o_f_f by default. - shell_noargs If set and ssuuddoo is invoked with no argu­ - ments it acts as if the --ss flag had been - given. That is, it runs a shell as root - (the shell is determined by the SHELL - environment variable if it is set, falling - back on the shell listed in the invoking - user's /etc/passwd entry if not). This - flag is _o_f_f by default. + shell_noargs If set and ssuuddoo is invoked with no arguments it acts as + if the --ss option had been given. That is, it runs a + shell as root (the shell is determined by the SHELL + environment variable if it is set, falling back on the + shell listed in the invoking user's /etc/passwd entry + if not). 
This flag is _o_f_f by default. + + stay_setuid Normally, when ssuuddoo executes a command the real and + effective UIDs are set to the target user (root by + default). This option changes that behavior such that + the real UID is left as the invoking user's UID. In + other words, this makes ssuuddoo act as a setuid wrapper. + This can be useful on systems that disable some + potentially dangerous functionality when a program is + run setuid. This option is only effective on systems + with either the _s_e_t_r_e_u_i_d_(_) or _s_e_t_r_e_s_u_i_d_(_) function. + This flag is _o_f_f by default. + targetpw If set, ssuuddoo will prompt for the password of the user + specified by the --uu option (defaults to root) instead + of the password of the invoking user. In addition, the + timestamp file name will include the target user's + name. Note that this flag precludes the use of a uid + not listed in the passwd database as an argument to the + --uu option. This flag is _o_f_f by default. + log_input If set, ssuuddoo will run the command in a _p_s_e_u_d_o _t_t_y and + log all user input. If the standard input is not + connected to the user's tty, due to I/O redirection or + because the command is part of a pipeline, that input + is also captured and stored in a separate log file. -1.6.9p16 May 8, 2008 12 + Input is logged to the _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o directory using + a unique session ID that is included in the normal ssuuddoo + log line, prefixed with _T_S_I_D_=. +1.7.4 July 21, 2010 14 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - stay_setuid Normally, when ssuuddoo executes a command the - real and effective UIDs are set to the - target user (root by default). This - option changes that behavior such that the - real UID is left as the invoking user's - UID. In other words, this makes ssuuddoo act - as a setuid wrapper. This can be useful - on systems that disable some potentially - dangerous functionality when a program is - run setuid. 
This option is only effective - on systems with either the _s_e_t_r_e_u_i_d_(_) or - _s_e_t_r_e_s_u_i_d_(_) function. This flag is _o_f_f by - default. - targetpw If set, ssuuddoo will prompt for the password - of the user specified by the --uu flag - (defaults to root) instead of the password - of the invoking user. Note that this pre­ - cludes the use of a uid not listed in the - passwd database as an argument to the --uu - flag. This flag is _o_f_f by default. - - tty_tickets If set, users must authenticate on a per- - tty basis. Normally, ssuuddoo uses a direc­ - tory in the ticket dir with the same name - as the user running it. With this flag - enabled, ssuuddoo will use a file named for - the tty the user is logged in on in that - directory. This flag is _o_f_f by default. - - use_loginclass If set, ssuuddoo will apply the defaults spec­ - ified for the target user's login class if - one exists. Only available if ssuuddoo is - configured with the --with-logincap - option. This flag is _o_f_f by default. - IInntteeggeerrss: +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - passwd_tries The number of tries a user gets to enter - his/her password before ssuuddoo logs the - failure and exits. The default is 3. - IInntteeggeerrss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: + log_output If set, ssuuddoo will run the command in a _p_s_e_u_d_o _t_t_y and + log all output that is sent to the screen, similar to + the _s_c_r_i_p_t(1) command. If the standard output or + standard error is not connected to the user's tty, due + to I/O redirection or because the command is part of a + pipeline, that output is also captured and stored in + separate log files. + + Output is logged to the _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o directory + using a unique session ID that is included in the + normal ssuuddoo log line, prefixed with _T_S_I_D_=. 
+ + Output logs may be viewed with the _s_u_d_o_r_e_p_l_a_y(1m) + utility, which can also be used to list or search the + available logs. + + tty_tickets If set, users must authenticate on a per-tty basis. + With this flag enabled, ssuuddoo will use a file named for + the tty the user is logged in on in the user's time + stamp directory. If disabled, the time stamp of the + directory is used instead. This flag is _o_n by default. + + umask_override If set, ssuuddoo will set the umask as specified by _s_u_d_o_e_r_s + without modification. This makes it possible to + specify a more permissive umask in _s_u_d_o_e_r_s than the + user's own umask and matches historical behavior. If + _u_m_a_s_k___o_v_e_r_r_i_d_e is not set, ssuuddoo will set the umask to + be the union of the user's umask and what is specified + in _s_u_d_o_e_r_s. This flag is _o_f_f by default. + + use_loginclass If set, ssuuddoo will apply the defaults specified for the + target user's login class if one exists. Only + available if ssuuddoo is configured with the + --with-logincap option. This flag is _o_f_f by default. + + use_pty If set, ssuuddoo will run the command in a pseudo-pty even + if no I/O logging is being gone. A malicious program + run under ssuuddoo could conceivably fork a background + process that retains to the user's terminal device + after the main program has finished executing. Use of + this option will make that impossible. + + visiblepw By default, ssuuddoo will refuse to run if the user must + enter a password but it is not possible to disable echo + on the terminal. If the _v_i_s_i_b_l_e_p_w flag is set, ssuuddoo + will prompt for a password even when it would be + visible on the screen. This makes it possible to run + things like "rsh somehost sudo ls" since _r_s_h(1) does + not allocate a tty. This flag is _o_f_f by default. - loglinelen Number of characters per line for the file - log. This value is used to decide when to - wrap lines for nicer log files. 
This has - no effect on the syslog log file, only the - file log. The default is 80 (use 0 or - negate the option to disable word wrap). + IInntteeggeerrss: - passwd_timeout Number of minutes before the ssuuddoo password - prompt times out. The default is 5; set - this to 0 for no password timeout. + closefrom Before it executes a command, ssuuddoo will close all open + file descriptors other than standard input, standard -1.6.9p16 May 8, 2008 13 +1.7.4 July 21, 2010 15 
@@ -862,64 +994,64 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + output and standard error (ie: file descriptors 0-2). + The _c_l_o_s_e_f_r_o_m option can be used to specify a different + file descriptor at which to start closing. The default + is 3. + + passwd_tries The number of tries a user gets to enter his/her + password before ssuuddoo logs the failure and exits. The + default is 3. + + IInntteeggeerrss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: + + loglinelen Number of characters per line for the file log. This + value is used to decide when to wrap lines for nicer + log files. This has no effect on the syslog log file, + only the file log. The default is 80 (use 0 or negate + the option to disable word wrap). + + passwd_timeout Number of minutes before the ssuuddoo password prompt times + out, or 0 for no timeout. The timeout may include a + fractional component if minute granularity is + insufficient, for example 2.5. The default is 5. + timestamp_timeout - Number of minutes that can elapse before - ssuuddoo will ask for a passwd again. The - default is 5. Set this to 0 to always - prompt for a password. If set to a value - less than 0 the user's timestamp will - never expire. This can be used to allow - users to create or delete their own times­ - tamps via sudo -v and sudo -k respec­ - tively. - - umask Umask to use when running the command. - Negate this option or set it to 0777 to - preserve the user's umask. The default is - 0022. + Number of minutes that can elapse before ssuuddoo will ask + for a passwd again. The timeout may include a + fractional component if minute granularity is + insufficient, for example 2.5. The default is 5. Set + this to 0 to always prompt for a password. If set to a + value less than 0 the user's timestamp will never + expire. This can be used to allow users to create or + delete their own timestamps via sudo -v and sudo -k + respectively. 
+ + umask Umask to use when running the command. Negate this + option or set it to 0777 to preserve the user's umask. + The actual umask that is used will be the union of the + user's umask and 0022. This guarantees that ssuuddoo never + lowers the umask when running a command. Note on + systems that use PAM, the default PAM configuration may + specify its own umask which will override the value set + in _s_u_d_o_e_r_s. SSttrriinnggss: - badpass_message Message that is displayed if a user enters - an incorrect password. The default is - Sorry, try again. unless insults are - enabled. - - editor A colon (':') separated list of editors - allowed to be used with vviissuuddoo. vviissuuddoo - will choose the editor that matches the - user's EDITOR environment variable if pos­ - sible, or the first editor in the list - that exists and is executable. The - default is the path to vi on your system. - - mailsub Subject of the mail sent to the _m_a_i_l_t_o - user. The escape %h will expand to the - hostname of the machine. Default is *** - SECURITY information for %h ***. - - noexec_file Path to a shared library containing dummy - versions of the _e_x_e_c_v_(_), _e_x_e_c_v_e_(_) and _f_e_x_­ - _e_c_v_e_(_) library functions that just return - an error. This is used to implement the - _n_o_e_x_e_c functionality on systems that sup­ - port LD_PRELOAD or its equivalent. - Defaults to - _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o___n_o_e_x_e_c_._s_o. + badpass_message Message that is displayed if a user enters an incorrect + password. The default is Sorry, try again. unless + insults are enabled. - passprompt The default prompt to use when asking for - a password; can be overridden via the --pp - option or the SUDO_PROMPT environment - variable. The following percent (`%') - escapes are supported: + editor A colon (':') separated list of editors allowed to be + used with vviissuuddoo. 
vviissuuddoo will choose the editor that + matches the user's EDITOR environment variable if + possible, or the first editor in the list that exists + and is executable. The default is "vi". - %H expanded to the local hostname includ­ - ing the domain name (on if the - machine's hostname is fully qualified -1.6.9p16 May 8, 2008 14 +1.7.4 July 21, 2010 16 
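Review bot: the new umask text in this hunk hardcodes the default where it should name the configured value. "The actual umask that is used will be the union of the user's umask and 0022" is only true when umask is left at its default; if an administrator sets umask=077 the reader cannot tell from this sentence whether the effective umask is the union with 077 or with 0022. Suggest "the union of the user's umask and the value of umask" so the guarantee in the following sentence ("sudo never lowers the umask when running a command") reads correctly for any setting. Two smaller nits in the same hunk: timestamp_timeout still says "ask for a passwd again" where "password" is meant, and "(ie: file descriptors 0-2)" in the closefrom text should be "(i.e., file descriptors 0-2)".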
@@ -928,269 +1060,305 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - or the _f_q_d_n option is set) + mailsub Subject of the mail sent to the _m_a_i_l_t_o user. The escape + %h will expand to the host name of the machine. + Default is *** SECURITY information for %h ***. - %h expanded to the local hostname without - the domain name + noexec_file Path to a shared library containing dummy versions of + the _e_x_e_c_v_(_), _e_x_e_c_v_e_(_) and _f_e_x_e_c_v_e_(_) library functions + that just return an error. This is used to implement + the _n_o_e_x_e_c functionality on systems that support + LD_PRELOAD or its equivalent. Defaults to + _/_u_s_r_/_l_o_c_a_l_/_l_i_b_e_x_e_c_/_s_u_d_o___n_o_e_x_e_c_._s_o. - %p expanded to the user whose password is - being asked for (respects the _r_o_o_t_p_w, - _t_a_r_g_e_t_p_w and _r_u_n_a_s_p_w flags in _s_u_d_o_e_r_s) + passprompt The default prompt to use when asking for a password; + can be overridden via the --pp option or the SUDO_PROMPT + environment variable. The following percent (`%') + escapes are supported: - %U expanded to the login name of the user - the command will be run as (defaults - to root) + %H expanded to the local host name including the + domain name (on if the machine's host name is fully + qualified or the _f_q_d_n option is set) - %u expanded to the invoking user's login + %h expanded to the local host name without the domain name - %% two consecutive % characters are col­ - lapsed into a single % character + %p expanded to the user whose password is being asked + for (respects the _r_o_o_t_p_w, _t_a_r_g_e_t_p_w and _r_u_n_a_s_p_w + flags in _s_u_d_o_e_r_s) + + %U expanded to the login name of the user the command + will be run as (defaults to root) + + %u expanded to the invoking user's login name + + %% two consecutive % characters are collapsed into a + single % character The default value is Password:. 
- runas_default The default user to run commands as if the - --uu flag is not specified on the command - line. This defaults to root. Note that - if _r_u_n_a_s___d_e_f_a_u_l_t is set it mmuusstt occur + role The default SELinux role to use when constructing a new + security context to run the command. The default role + may be overridden on a per-command basis in _s_u_d_o_e_r_s or + via command line options. This option is only + available whe ssuuddoo is built with SELinux support. + + runas_default The default user to run commands as if the --uu option is + not specified on the command line. This defaults to + root. Note that if _r_u_n_a_s___d_e_f_a_u_l_t is set it mmuusstt occur before any Runas_Alias specifications. - syslog_badpri Syslog priority to use when user authenti­ - cates unsuccessfully. Defaults to alert. + syslog_badpri Syslog priority to use when user authenticates + unsuccessfully. Defaults to alert. - syslog_goodpri Syslog priority to use when user authenti­ - cates successfully. Defaults to notice. + syslog_goodpri Syslog priority to use when user authenticates + successfully. Defaults to notice. - timestampdir The directory in which ssuuddoo stores its - timestamp files. The default is - _/_v_a_r_/_r_u_n_/_s_u_d_o. - timestampowner The owner of the timestamp directory and - the timestamps stored therein. The - default is root. - SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: - exempt_group - Users in this group are exempt from password - and PATH requirements. This is not set by - default. +1.7.4 July 21, 2010 17 - lecture This option controls when a short lecture will - be printed along with the password prompt. It - has the following possible values: - always Always lecture the user. +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9p16 May 8, 2008 15 + sudoers_locale Locale to use when parsing the sudoers file. Note that + changing the locale may affect how sudoers is + interpreted. Defaults to "C". 
+ timestampdir The directory in which ssuuddoo stores its timestamp files. + The default is _/_v_a_r_/_a_d_m_/_s_u_d_o. + timestampowner The owner of the timestamp directory and the timestamps + stored therein. The default is root. + type The default SELinux type to use when constructing a new + security context to run the command. The default type + may be overridden on a per-command basis in _s_u_d_o_e_r_s or + via command line options. This option is only + available whe ssuuddoo is built with SELinux support. -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + SSttrriinnggss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: + + askpass The _a_s_k_p_a_s_s option specifies the fully qualified path to a + helper program used to read the user's password when no + terminal is available. This may be the case when ssuuddoo is + executed from a graphical (as opposed to text-based) + application. The program specified by _a_s_k_p_a_s_s should + display the argument passed to it as the prompt and write + the user's password to the standard output. The value of + _a_s_k_p_a_s_s may be overridden by the SUDO_ASKPASS environment + variable. + + env_file The _e_n_v___f_i_l_e options specifies the fully qualified path to + a file containing variables to be set in the environment of + the program being run. Entries in this file should either + be of the form VARIABLE=value or export VARIABLE=value. + The value may optionally be surrounded by single or double + quotes. Variables in this file are subject to other ssuuddoo + environment settings such as _e_n_v___k_e_e_p and _e_n_v___c_h_e_c_k. + exempt_group + Users in this group are exempt from password and PATH + requirements. This is not set by default. + + lecture This option controls when a short lecture will be printed + along with the password prompt. It has the following + possible values: + + always Always lecture the user. never Never lecture the user. 
- once Only lecture the user the first time - they run ssuuddoo. + once Only lecture the user the first time they run ssuuddoo. - If no value is specified, a value of _o_n_c_e is - implied. Negating the option results in a - value of _n_e_v_e_r being used. The default value - is _o_n_c_e. + If no value is specified, a value of _o_n_c_e is implied. + Negating the option results in a value of _n_e_v_e_r being used. + The default value is _o_n_c_e. - lecture_file - Path to a file containing an alternate ssuuddoo - lecture that will be used in place of the - standard lecture if the named file exists. By - default, ssuuddoo uses a built-in lecture. - listpw This option controls when a password will be - required when a user runs ssuuddoo with the --ll - flag. It has the following possible values: - all All the user's _s_u_d_o_e_r_s entries for the - current host must have the NOPASSWD - flag set to avoid entering a password. - always The user must always enter a password - to use the --ll flag. +1.7.4 July 21, 2010 18 - any At least one of the user's _s_u_d_o_e_r_s - entries for the current host must have - the NOPASSWD flag set to avoid enter­ - ing a password. - never The user need never enter a password - to use the --ll flag. - If no value is specified, a value of _a_n_y is - implied. Negating the option results in a - value of _n_e_v_e_r being used. The default value - is _a_n_y. - logfile Path to the ssuuddoo log file (not the syslog log - file). Setting a path turns on logging to a - file; negating this option turns it off. By - default, ssuuddoo logs via syslog. - mailerflags Flags to use when invoking mailer. Defaults to - --tt. +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - mailerpath Path to mail program used to send warning - mail. Defaults to the path to sendmail found - at configure time. - mailto Address to send warning and error mail to. 
- The address should be enclosed in double + lecture_file + Path to a file containing an alternate ssuuddoo lecture that + will be used in place of the standard lecture if the named + file exists. By default, ssuuddoo uses a built-in lecture. + listpw This option controls when a password will be required when + a user runs ssuuddoo with the --ll option. It has the following + possible values: + all All the user's _s_u_d_o_e_r_s entries for the current host + must have the NOPASSWD flag set to avoid entering a + password. -1.6.9p16 May 8, 2008 16 + always The user must always enter a password to use the --ll + option. + any At least one of the user's _s_u_d_o_e_r_s entries for the + current host must have the NOPASSWD flag set to + avoid entering a password. + never The user need never enter a password to use the --ll + option. + If no value is specified, a value of _a_n_y is implied. + Negating the option results in a value of _n_e_v_e_r being used. + The default value is _a_n_y. + logfile Path to the ssuuddoo log file (not the syslog log file). + Setting a path turns on logging to a file; negating this + option turns it off. By default, ssuuddoo logs via syslog. -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + mailerflags Flags to use when invoking mailer. Defaults to --tt. + mailerpath Path to mail program used to send warning mail. Defaults + to the path to sendmail found at configure time. - quotes (") to protect against ssuuddoo interpret­ - ing the @ sign. Defaults to root. + mailfrom Address to use for the "from" address when sending warning + and error mail. The address should be enclosed in double + quotes (") to protect against ssuuddoo interpreting the @ sign. + Defaults to the name of the user running ssuuddoo. - syslog Syslog facility if syslog is being used for - logging (negate to disable syslog logging). - Defaults to local2. + mailto Address to send warning and error mail to. 
The address + should be enclosed in double quotes (") to protect against + ssuuddoo interpreting the @ sign. Defaults to root. - verifypw This option controls when a password will be - required when a user runs ssuuddoo with the --vv - flag. It has the following possible values: + secure_path Path used for every command run from ssuuddoo. If you don't + trust the people running ssuuddoo to have a sane PATH + environment variable you may want to use this. Another use + is if you want to have the "root path" be separate from the + "user path." Users in the group specified by the + _e_x_e_m_p_t___g_r_o_u_p option are not affected by _s_e_c_u_r_e___p_a_t_h. This + option is not set by default. - all All the user's _s_u_d_o_e_r_s entries for the - current host must have the NOPASSWD - flag set to avoid entering a password. + syslog Syslog facility if syslog is being used for logging (negate - always The user must always enter a password - to use the --vv flag. - any At least one of the user's _s_u_d_o_e_r_s - entries for the current host must have - the NOPASSWD flag set to avoid enter­ - ing a password. - never The user need never enter a password - to use the --vv flag. +1.7.4 July 21, 2010 19 - If no value is specified, a value of _a_l_l is - implied. Negating the option results in a - value of _n_e_v_e_r being used. The default value - is _a_l_l. - LLiissttss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: - env_check Environment variables to be removed from - the user's environment if the variable's - value contains % or / characters. This - can be used to guard against printf-style - format vulnerabilities in poorly-written - programs. The argument may be a dou­ - ble-quoted, space-separated list or a sin­ - gle value without double-quotes. The list - can be replaced, added to, deleted from, - or disabled by using the =, +=, -=, and ! - operators respectively. 
Regardless of - whether the env_reset option is enabled or - disabled, variables specified by env_check - will be preserved in the environment if - they pass the aforementioned check. The - default list of environment variables to - check is displayed when ssuuddoo is run by - root with the _-_V option. - env_delete Environment variables to be removed from - the user's environment. The argument may +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) -1.6.9p16 May 8, 2008 17 + to disable syslog logging). Defaults to auth. + verifypw This option controls when a password will be required when + a user runs ssuuddoo with the --vv option. It has the following + possible values: + all All the user's _s_u_d_o_e_r_s entries for the current host + must have the NOPASSWD flag set to avoid entering a + password. + always The user must always enter a password to use the --vv + option. + any At least one of the user's _s_u_d_o_e_r_s entries for the + current host must have the NOPASSWD flag set to + avoid entering a password. -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + never The user need never enter a password to use the --vv + option. + If no value is specified, a value of _a_l_l is implied. + Negating the option results in a value of _n_e_v_e_r being used. + The default value is _a_l_l. - be a double-quoted, space-separated list - or a single value without double-quotes. - The list can be replaced, added to, - deleted from, or disabled by using the =, - +=, -=, and ! operators respectively. The - default list of environment variables to - remove is displayed when ssuuddoo is run by - root with the _-_V option. Note that many - operating systems will remove potentially - dangerous variables from the environment - of any setuid process (such as ssuuddoo). - - env_keep Environment variables to be preserved in - the user's environment when the _e_n_v___r_e_s_e_t - option is in effect. This allows fine- - grained control over the environment - ssuuddoo-spawned processes will receive. 
The - argument may be a double-quoted, space- - separated list or a single value without - double-quotes. The list can be replaced, - added to, deleted from, or disabled by - using the =, +=, -=, and ! operators - respectively. The default list of vari­ - ables to keep is displayed when ssuuddoo is - run by root with the _-_V option. - - When logging via _s_y_s_l_o_g(3), ssuuddoo accepts the following - values for the syslog facility (the value of the ssyysslloogg - Parameter): aauutthhpprriivv (if your OS supports it), aauutthh, ddaaee­­ - mmoonn, uusseerr, llooccaall00, llooccaall11, llooccaall22, llooccaall33, llooccaall44, llooccaall55, - llooccaall66, and llooccaall77. The following syslog priorities are - supported: aalleerrtt, ccrriitt, ddeebbuugg, eemmeerrgg, eerrrr, iinnffoo, nnoottiiccee, - and wwaarrnniinngg. + LLiissttss tthhaatt ccaann bbee uusseedd iinn aa bboooolleeaann ccoonntteexxtt: -FFIILLEESS - _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what + env_check Environment variables to be removed from the user's + environment if the variable's value contains % or / + characters. This can be used to guard against printf- + style format vulnerabilities in poorly-written + programs. The argument may be a double-quoted, space- + separated list or a single value without double-quotes. + The list can be replaced, added to, deleted from, or + disabled by using the =, +=, -=, and ! operators + respectively. Regardless of whether the env_reset + option is enabled or disabled, variables specified by + env_check will be preserved in the environment if they + pass the aforementioned check. The default list of + environment variables to check is displayed when ssuuddoo + is run by root with the _-_V option. - _/_e_t_c_/_g_r_o_u_p Local groups file + env_delete Environment variables to be removed from the user's + environment when the _e_n_v___r_e_s_e_t option is not in effect. 
+ The argument may be a double-quoted, space-separated + list or a single value without double-quotes. The list + can be replaced, added to, deleted from, or disabled by + using the =, +=, -=, and ! operators respectively. The + default list of environment variables to remove is + displayed when ssuuddoo is run by root with the _-_V option. + Note that many operating systems will remove + potentially dangerous variables from the environment of + any setuid process (such as ssuuddoo). - _/_e_t_c_/_n_e_t_g_r_o_u_p List of network groups + env_keep Environment variables to be preserved in the user's -EEXXAAMMPPLLEESS - Since the _s_u_d_o_e_r_s file is parsed in a single pass, order - is important. In general, you should structure _s_u_d_o_e_r_s - such that the Host_Alias, User_Alias, and Cmnd_Alias spec­ - ifications come first, followed by any Default_Entry - lines, and finally the Runas_Alias and user specifica­ - tions. The basic rule of thumb is you cannot reference an - Alias that has not already been defined. - Below are example _s_u_d_o_e_r_s entries. Admittedly, some of - these are a bit contrived. First, we define our _a_l_i_a_s_e_s: +1.7.4 July 21, 2010 20 -1.6.9p16 May 8, 2008 18 +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + environment when the _e_n_v___r_e_s_e_t option is in effect. + This allows fine-grained control over the environment + ssuuddoo-spawned processes will receive. The argument may + be a double-quoted, space-separated list or a single + value without double-quotes. The list can be replaced, + added to, deleted from, or disabled by using the =, +=, + -=, and ! operators respectively. The default list of + variables to keep is displayed when ssuuddoo is run by root + with the _-_V option. 
+ When logging via _s_y_s_l_o_g(3), ssuuddoo accepts the following values for the + syslog facility (the value of the ssyysslloogg Parameter): aauutthhpprriivv (if your + OS supports it), aauutthh, ddaaeemmoonn, uusseerr, llooccaall00, llooccaall11, llooccaall22, llooccaall33, + llooccaall44, llooccaall55, llooccaall66, and llooccaall77. The following syslog priorities + are supported: aalleerrtt, ccrriitt, ddeebbuugg, eemmeerrgg, eerrrr, iinnffoo, nnoottiiccee, and + wwaarrnniinngg. -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +FFIILLEESS + _/_e_t_c_/_s_u_d_o_e_r_s List of who can run what + + _/_e_t_c_/_g_r_o_u_p Local groups file + + _/_e_t_c_/_n_e_t_g_r_o_u_p List of network groups + + _/_v_a_r_/_l_o_g_/_s_u_d_o_-_i_o I/O log files + +EEXXAAMMPPLLEESS + Below are example _s_u_d_o_e_r_s entries. Admittedly, some of these are a bit + contrived. First, we allow a few environment variables to pass and + then define our _a_l_i_a_s_e_s: + # Run X applications through sudo; HOME is used to find the + # .Xauthority file. Note that other programs use HOME to find + # configuration files and this may lead to privilege escalation! + Defaults env_keep += "DISPLAY HOME" # User alias specification User_Alias FULLTIMERS = millert, mikef, dowdy @@ -1200,6 +1368,7 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) # Runas alias specification Runas_Alias OP = root, operator Runas_Alias DB = oracle, sybase + Runas_Alias ADMINGRP = adm, oper # Host alias specification Host_Alias SPARC = bigtime, eclipse, moet, anchor :\ @@ -1209,6 +1378,18 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Host_Alias CUNETS = 128.138.0.0/255.255.0.0 Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0 Host_Alias SERVERS = master, mail, www, ns + + + +1.7.4 July 21, 2010 21 + + + + + +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + + Host_Alias CDROM = orion, perseus, hercules # Cmnd alias specification 
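Review bot: typo repeated in two new entries of the -928,269 hunk: both the role and type descriptions end with "This option is only available whe sudo is built with SELinux support", where "whe" should be "when". In the same hunk the env_file entry reads "The env_file options specifies the fully qualified path", which should be "The env_file option specifies". One documentation point to confirm before this page ships: the rendered defaults change from "/var/run/sudo" to "/var/adm/sudo" for timestampdir and from "local2" to "auth" for the syslog facility. Both are configure-time values baked into the upstream cat page, so check that they match what this package is actually built with; a wrong timestampdir in particular sends an administrator to the wrong directory when clearing or auditing timestamp files.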
@@ -1225,17 +1406,15 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Cmnd_Alias SU = /usr/bin/su Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less - Here we override some of the compiled in default values. - We want ssuuddoo to log via _s_y_s_l_o_g(3) using the _a_u_t_h facility - in all cases. We don't want to subject the full time - staff to the ssuuddoo lecture, user mmiilllleerrtt need not give a - password, and we don't want to reset the LOGNAME, USER or - USERNAME environment variables when running commands as - root. Additionally, on the machines in the _S_E_R_V_E_R_S - Host_Alias, we keep an additional local log file and make - sure we log the year in each log line since the log - entries will be kept around for several years. Lastly, we - disable shell escapes for the commands in the PAGERS + Here we override some of the compiled in default values. We want ssuuddoo + to log via _s_y_s_l_o_g(3) using the _a_u_t_h facility in all cases. We don't + want to subject the full time staff to the ssuuddoo lecture, user mmiilllleerrtt + need not give a password, and we don't want to reset the LOGNAME, USER + or USERNAME environment variables when running commands as root. + Additionally, on the machines in the _S_E_R_V_E_R_S Host_Alias, we keep an + additional local log file and make sure we log the year in each log + line since the log entries will be kept around for several years. + Lastly, we disable shell escapes for the commands in the PAGERS Cmnd_Alias (_/_u_s_r_/_b_i_n_/_m_o_r_e, _/_u_s_r_/_b_i_n_/_p_g and _/_u_s_r_/_b_i_n_/_l_e_s_s). # Override built-in defaults 
@@ -1246,121 +1425,121 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) Defaults@SERVERS log_year, logfile=/var/log/sudo.log Defaults!PAGERS noexec + The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually determines who may run + what. + root ALL = (ALL) ALL + %wheel ALL = (ALL) ALL + We let rroooott and any user in group wwhheeeell run any command on any host as + any user. -1.6.9p16 May 8, 2008 19 - + FULLTIMERS ALL = NOPASSWD: ALL + Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run any command on + any host without authenticating themselves. + PARTTIMERS ALL = ALL + Part time sysadmins (bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run any command on + any host but they must authenticate themselves first (since the entry + lacks the NOPASSWD tag). -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually deter­ - mines who may run what. +1.7.4 July 21, 2010 22 - root ALL = (ALL) ALL - %wheel ALL = (ALL) ALL - We let rroooott and any user in group wwhheeeell run any command on - any host as any user. - FULLTIMERS ALL = NOPASSWD: ALL - Full time sysadmins (mmiilllleerrtt, mmiikkeeff, and ddoowwddyy) may run - any command on any host without authenticating themselves. - PARTTIMERS ALL = ALL +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - Part time sysadmins (bboossttlleeyy, jjwwffooxx, and ccrraawwll) may run - any command on any host but they must authenticate them­ - selves first (since the entry lacks the NOPASSWD tag). jack CSNETS = ALL - The user jjaacckk may run any command on the machines in the - _C_S_N_E_T_S alias (the networks 128.138.243.0, 128.138.204.0, - and 128.138.242.0). Of those networks, only 128.138.204.0 - has an explicit netmask (in CIDR notation) indicating it - is a class C network. For the other networks in _C_S_N_E_T_S, - the local machine's netmask will be used during matching. 
+ The user jjaacckk may run any command on the machines in the _C_S_N_E_T_S alias + (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of + those networks, only 128.138.204.0 has an explicit netmask (in CIDR + notation) indicating it is a class C network. For the other networks + in _C_S_N_E_T_S, the local machine's netmask will be used during matching. lisa CUNETS = ALL - The user lliissaa may run any command on any host in the - _C_U_N_E_T_S alias (the class B network 128.138.0.0). + The user lliissaa may run any command on any host in the _C_U_N_E_T_S alias (the + class B network 128.138.0.0). operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\ sudoedit /etc/printcap, /usr/oper/bin/ - The ooppeerraattoorr user may run commands limited to simple main­ - tenance. Here, those are commands related to backups, - killing processes, the printing system, shutting down the - system, and any commands in the directory _/_u_s_r_/_o_p_e_r_/_b_i_n_/. + The ooppeerraattoorr user may run commands limited to simple maintenance. + Here, those are commands related to backups, killing processes, the + printing system, shutting down the system, and any commands in the + directory _/_u_s_r_/_o_p_e_r_/_b_i_n_/. joe ALL = /usr/bin/su operator The user jjooee may only _s_u(1) to operator. - pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root + pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root + + %opers ALL = (: ADMINGRP) /usr/sbin/ + + Users in the ooppeerrss group may run commands in _/_u_s_r_/_s_b_i_n_/ as themselves + with any group in the _A_D_M_I_N_G_R_P Runas_Alias (the aaddmm and ooppeerr groups). - The user ppeettee is allowed to change anyone's password - except for root on the _H_P_P_A machines. Note that this - assumes _p_a_s_s_w_d(1) does not take multiple usernames on the - command line. + The user ppeettee is allowed to change anyone's password except for root on + the _H_P_P_A machines. 
Note that this assumes _p_a_s_s_w_d(1) does not take + multiple user names on the command line. bob SPARC = (OP) ALL : SGI = (OP) ALL + The user bboobb may run anything on the _S_P_A_R_C and _S_G_I machines as any user + listed in the _O_P Runas_Alias (rroooott and ooppeerraattoorr). + jim +biglab = ALL -1.6.9p16 May 8, 2008 20 + The user jjiimm may run any command on machines in the _b_i_g_l_a_b netgroup. + ssuuddoo knows that "biglab" is a netgroup due to the '+' prefix. + +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser + Users in the sseeccrreettaarriieess netgroup need to help manage the printers as + well as add and remove users, so they are allowed to run those commands + on all machines. + fred ALL = (DB) NOPASSWD: ALL -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - The user bboobb may run anything on the _S_P_A_R_C and _S_G_I - machines as any user listed in the _O_P Runas_Alias (rroooott - and ooppeerraattoorr). +1.7.4 July 21, 2010 23 - jim +biglab = ALL - The user jjiimm may run any command on machines in the _b_i_g_l_a_b - netgroup. ssuuddoo knows that "biglab" is a netgroup due to - the '+' prefix. - +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser - Users in the sseeccrreettaarriieess netgroup need to help manage the - printers as well as add and remove users, so they are - allowed to run those commands on all machines. - fred ALL = (DB) NOPASSWD: ALL +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - The user ffrreedd can run commands as any user in the _D_B - Runas_Alias (oorraaccllee or ssyybbaassee) without giving a password. + + The user ffrreedd can run commands as any user in the _D_B Runas_Alias + (oorraaccllee or ssyybbaassee) without giving a password. john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* - On the _A_L_P_H_A machines, user jjoohhnn may su to anyone except - root but he is not allowed to give _s_u(1) any flags. 
+ On the _A_L_P_H_A machines, user jjoohhnn may su to anyone except root but he is + not allowed to specify any options to the _s_u(1) command. jen ALL, !SERVERS = ALL - The user jjeenn may run any command on any machine except for - those in the _S_E_R_V_E_R_S Host_Alias (master, mail, www and - ns). + The user jjeenn may run any command on any machine except for those in the + _S_E_R_V_E_R_S Host_Alias (master, mail, www and ns). jill SERVERS = /usr/bin/, !SU, !SHELLS - For any machine in the _S_E_R_V_E_R_S Host_Alias, jjiillll may run - any commands in the directory _/_u_s_r_/_b_i_n_/ except for those - commands belonging to the _S_U and _S_H_E_L_L_S Cmnd_Aliases. + For any machine in the _S_E_R_V_E_R_S Host_Alias, jjiillll may run any commands in + the directory _/_u_s_r_/_b_i_n_/ except for those commands belonging to the _S_U + and _S_H_E_L_L_S Cmnd_Aliases. steve CSNETS = (operator) /usr/local/op_commands/ 
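Review bot: ordering problem in the -1246,121 hunk: the new %opers example ("%opers ALL = (: ADMINGRP) /usr/sbin/") and its explanatory paragraph are inserted between the pete rule and the paragraph that explains it, so "The user pete is allowed to change anyone's password except for root on the HPPA machines" now follows the opers text and reads as if it described the opers rule. Move the %opers rule and its paragraph to after the pete explanation, before the bob entry. The change from "[A-z]*" to "[A-Za-z]*" in the pete rule is a real fix and deserves a mention in the explanation: in the C locale the range A-z also covers the six ASCII characters between Z and a ("[", "\", "]", "^", "_" and "`"), so the old pattern accepted arguments that are not user names.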
@@ -1369,19 +1548,38 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) matt valkyrie = KILL - On his personal workstation, valkyrie, mmaatttt needs to be - able to kill hung processes. + On his personal workstation, valkyrie, mmaatttt needs to be able to kill + hung processes. WEBMASTERS www = (www) ALL, (root) /usr/bin/su www - On the host www, any user in the _W_E_B_M_A_S_T_E_R_S User_Alias - (will, wendy, and wim), may run any command as user www - (which owns the web pages) or simply _s_u(1) to www. + On the host www, any user in the _W_E_B_M_A_S_T_E_R_S User_Alias (will, wendy, + and wim), may run any command as user www (which owns the web pages) or + simply _s_u(1) to www. + + ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ + /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM + + Any user may mount or unmount a CD-ROM on the machines in the CDROM + Host_Alias (orion, perseus, hercules) without entering a password. + This is a bit tedious for users to type, so it is a prime candidate for + encapsulating in a shell script. + +SSEECCUURRIITTYY NNOOTTEESS + It is generally not effective to "subtract" commands from ALL using the + '!' operator. A user can trivially circumvent this by copying the + desired command to a different name and then executing that. For + example: + + bill ALL = ALL, !SU, !SHELLS + Doesn't really prevent bbiillll from running the commands listed in _S_U or + _S_H_E_L_L_S since he can simply copy those commands to a different name, or + use a shell escape from an editor or other program. Therefore, these -1.6.9p16 May 8, 2008 21 +1.7.4 July 21, 2010 24 
@@ -1390,165 +1588,165 @@ SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ - /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM + kind of restrictions should be considered advisory at best (and + reinforced by policy). - Any user may mount or unmount a CD-ROM on the machines in - the CDROM Host_Alias (orion, perseus, hercules) without - entering a password. This is a bit tedious for users to - type, so it is a prime candidate for encapsulating in a - shell script. + Furthermore, if the _f_a_s_t___g_l_o_b option is in use, it is not possible to + reliably negate commands where the path name includes globbing (aka + wildcard) characters. This is because the C library's _f_n_m_a_t_c_h(3) + function cannot resolve relative paths. While this is typically only + an inconvenience for rules that grant privileges, it can result in a + security issue for rules that subtract or revoke privileges. -SSEECCUURRIITTYY NNOOTTEESS - It is generally not effective to "subtract" commands from - ALL using the '!' operator. A user can trivially circum­ - vent this by copying the desired command to a different - name and then executing that. For example: + For example, given the following _s_u_d_o_e_r_s entry: - bill ALL = ALL, !SU, !SHELLS + john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*, + /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root - Doesn't really prevent bbiillll from running the commands - listed in _S_U or _S_H_E_L_L_S since he can simply copy those com­ - mands to a different name, or use a shell escape from an - editor or other program. Therefore, these kind of - restrictions should be considered advisory at best (and - reinforced by policy). + User jjoohhnn can still run /usr/bin/passwd root if _f_a_s_t___g_l_o_b is enabled by + changing to _/_u_s_r_/_b_i_n and running ./passwd root instead. 
PPRREEVVEENNTTIINNGG SSHHEELLLL EESSCCAAPPEESS - Once ssuuddoo executes a program, that program is free to do - whatever it pleases, including run other programs. This - can be a security issue since it is not uncommon for a - program to allow shell escapes, which lets a user bypass - ssuuddoo's access control and logging. Common programs that - permit shell escapes include shells (obviously), editors, + Once ssuuddoo executes a program, that program is free to do whatever it + pleases, including run other programs. This can be a security issue + since it is not uncommon for a program to allow shell escapes, which + lets a user bypass ssuuddoo's access control and logging. Common programs + that permit shell escapes include shells (obviously), editors, paginators, mail and terminal programs. There are two basic approaches to this problem: - restrict Avoid giving users access to commands that allow - the user to run arbitrary commands. Many edi­ - tors have a restricted mode where shell escapes - are disabled, though ssuuddooeeddiitt is a better solu­ - tion to running editors via ssuuddoo. Due to the - large number of programs that offer shell - escapes, restricting users to the set of pro­ - grams that do not if often unworkable. - - noexec Many systems that support shared libraries have - the ability to override default library func­ - tions by pointing an environment variable (usu­ - ally LD_PRELOAD) to an alternate shared library. - On such systems, ssuuddoo's _n_o_e_x_e_c functionality can - be used to prevent a program run by ssuuddoo from - executing any other programs. Note, however, - that this applies only to native dynamically- - linked executables. Statically-linked executa­ - bles and foreign executables running under + restrict Avoid giving users access to commands that allow the user to + run arbitrary commands. 
Many editors have a restricted mode + where shell escapes are disabled, though ssuuddooeeddiitt is a better + solution to running editors via ssuuddoo. Due to the large + number of programs that offer shell escapes, restricting + users to the set of programs that do not if often unworkable. + + noexec Many systems that support shared libraries have the ability + to override default library functions by pointing an + environment variable (usually LD_PRELOAD) to an alternate + shared library. On such systems, ssuuddoo's _n_o_e_x_e_c functionality + can be used to prevent a program run by ssuuddoo from executing + any other programs. Note, however, that this applies only to + native dynamically-linked executables. Statically-linked + executables and foreign executables running under binary + emulation are not affected. + + To tell whether or not ssuuddoo supports _n_o_e_x_e_c, you can run the + following as root: + sudo -V | grep "dummy exec" + If the resulting output contains a line that begins with: -1.6.9p16 May 8, 2008 22 + File containing dummy exec functions: +1.7.4 July 21, 2010 25 -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - binary emulation are not affected. - To tell whether or not ssuuddoo supports _n_o_e_x_e_c, you - can run the following as root: - sudo -V | grep "dummy exec" +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) - If the resulting output contains a line that - begins with: - File containing dummy exec functions: + then ssuuddoo may be able to replace the exec family of functions + in the standard library with its own that simply return an + error. Unfortunately, there is no foolproof way to know + whether or not _n_o_e_x_e_c will work at compile-time. _n_o_e_x_e_c + should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX, + MacOS X, and HP-UX 11.x. It is known nnoott to work on AIX and + UnixWare. _n_o_e_x_e_c is expected to work on most operating + systems that support the LD_PRELOAD environment variable. 
+ Check your operating system's manual pages for the dynamic + linker (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) + to see if LD_PRELOAD is supported. - then ssuuddoo may be able to replace the exec family - of functions in the standard library with its - own that simply return an error. Unfortunately, - there is no foolproof way to know whether or not - _n_o_e_x_e_c will work at compile-time. _n_o_e_x_e_c should - work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 - UNIX, MacOS X, and HP-UX 11.x. It is known nnoott - to work on AIX and UnixWare. _n_o_e_x_e_c is expected - to work on most operating systems that support - the LD_PRELOAD environment variable. Check your - operating system's manual pages for the dynamic - linker (usually ld.so, ld.so.1, dyld, dld.sl, - rld, or loader) to see if LD_PRELOAD is sup­ - ported. - - To enable _n_o_e_x_e_c for a command, use the NOEXEC - tag as documented in the User Specification sec­ - tion above. Here is that example again: + To enable _n_o_e_x_e_c for a command, use the NOEXEC tag as + documented in the User Specification section above. Here is + that example again: aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi - This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and - _/_u_s_r_/_b_i_n_/_v_i with _n_o_e_x_e_c enabled. This will pre­ - vent those two commands from executing other - commands (such as a shell). If you are unsure - whether or not your system is capable of sup­ - porting _n_o_e_x_e_c you can always just try it out - and see if it works. - - Note that restricting shell escapes is not a panacea. - Programs running as root are still capable of many poten­ - tially hazardous operations (such as changing or overwrit­ - ing files) that could lead to unintended privilege escala­ - tion. In the specific case of an editor, a safer approach - is to give the user permission to run ssuuddooeeddiitt. 
+ This allows user aaaarroonn to run _/_u_s_r_/_b_i_n_/_m_o_r_e and _/_u_s_r_/_b_i_n_/_v_i + with _n_o_e_x_e_c enabled. This will prevent those two commands + from executing other commands (such as a shell). If you are + unsure whether or not your system is capable of supporting + _n_o_e_x_e_c you can always just try it out and see if it works. + + Note that restricting shell escapes is not a panacea. Programs running + as root are still capable of many potentially hazardous operations + (such as changing or overwriting files) that could lead to unintended + privilege escalation. In the specific case of an editor, a safer + approach is to give the user permission to run ssuuddooeeddiitt. SSEEEE AALLSSOO - _r_s_h(1), _s_u(1), _f_n_m_a_t_c_h(3), _s_u_d_o(1m), _v_i_s_u_d_o(8) + _r_s_h(1), _s_u(1), _f_n_m_a_t_c_h(3), _g_l_o_b(3), _s_u_d_o(1m), _v_i_s_u_d_o(8) CCAAVVEEAATTSS - The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo - command which locks the file and does grammatical + The _s_u_d_o_e_r_s file should aallwwaayyss be edited by the vviissuuddoo command which + locks the file and does grammatical checking. It is imperative that + _s_u_d_o_e_r_s be free of syntax errors since ssuuddoo will not run with a + syntactically incorrect _s_u_d_o_e_r_s file. + When using netgroups of machines (as opposed to users), if you store + fully qualified host name in the netgroup (as is usually the case), you + either need to have the machine's host name be fully qualified as + returned by the hostname command or use the _f_q_d_n option in _s_u_d_o_e_r_s. +BBUUGGSS + If you feel you have found a bug in ssuuddoo, please submit a bug report at + http://www.sudo.ws/sudo/bugs/ -1.6.9p16 May 8, 2008 23 +SSUUPPPPOORRTT + Limited free support is available via the sudo-users mailing list, see + http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search + the archives. -SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) +1.7.4 July 21, 2010 26 - checking. 
It is imperative that _s_u_d_o_e_r_s be free of syntax - errors since ssuuddoo will not run with a syntactically incor­ - rect _s_u_d_o_e_r_s file. - When using netgroups of machines (as opposed to users), if - you store fully qualified hostnames in the netgroup (as is - usually the case), you either need to have the machine's - hostname be fully qualified as returned by the hostname - command or use the _f_q_d_n option in _s_u_d_o_e_r_s. -BBUUGGSS - If you feel you have found a bug in ssuuddoo, please submit a - bug report at http://www.sudo.ws/sudo/bugs/ -SSUUPPPPOORRTT - Limited free support is available via the sudo-users mail­ - ing list, see http://www.sudo.ws/mail­ - man/listinfo/sudo-users to subscribe or search the - archives. +SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4) + DDIISSCCLLAAIIMMEERR - ssuuddoo is provided ``AS IS'' and any express or implied war­ - ranties, including, but not limited to, the implied war­ - ranties of merchantability and fitness for a particular - purpose are disclaimed. See the LICENSE file distributed - with ssuuddoo or http://www.sudo.ws/sudo/license.html for com­ - plete details. + ssuuddoo is provided ``AS IS'' and any express or implied warranties, + including, but not limited to, the implied warranties of + merchantability and fitness for a particular purpose are disclaimed. + See the LICENSE file distributed with ssuuddoo or + http://www.sudo.ws/sudo/license.html for complete details. + + + + + + + + + + + + + + + + + + + + + @@ -1579,6 +1777,6 @@ DDIISSCCLLAAIIMMEERR -1.6.9p16 May 8, 2008 24 +1.7.4 July 21, 2010 27
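Review bot: the rewrapped `restrict` paragraph carries the old typo forward unchanged: "restricting users to the set of programs that do not if often unworkable" should read "is often unworkable", and since sudoers.cat is formatted output, the correction needs to land in whatever source it is regenerated from or it will reappear on the next build. Two smaller points in the same hunk: the CAVEATS rewrap turns "fully qualified hostnames in the netgroup" into "fully qualified host name in the netgroup", which no longer agrees in number and should be "host names"; and in the new fast_glob paragraph, "the C library's fnmatch(3) function cannot resolve relative paths" would be clearer as "fnmatch(3) matches the command path as a literal string and does not canonicalize relative paths, so ./passwd does not match /usr/bin/*", which is exactly what the following john example demonstrates and is the reason the negation fails.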