.\" Copyright (c) 1994-1996, 1998-2005, 2007-2013
.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" Sponsored in part by the Defense Advanced Research Projects
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.Dt SUDOERS @mansectform@
.Os Sudo @PACKAGE_VERSION@
.Nd default sudo security policy plugin
policy plugin determines a user's
The policy is driven by
.Pa @sysconfdir@/sudoers
file or, optionally, in LDAP.
The policy format is described in detail in the
.Sx SUDOERS FILE FORMAT
For information on storing
.Xr sudoers.ldap @mansectform@ .
.Ss Configuring sudo.conf for sudoers
.Xr sudo.conf @mansectform@
file to determine which policy and I/O logging plugins to load.
.Xr sudo.conf @mansectform@
file is present, or if it contains no
will be used for policy decisions and I/O logging.
To explicitly configure
.Xr sudo.conf @mansectform@
plugin, the following configuration can be used.
.Bd -literal -offset indent
Plugin sudoers_policy sudoers.so
Plugin sudoers_io sudoers.so
.Ed
1.8.5, it is possible to specify optional arguments to the
.Xr sudo.conf @mansectform@
These arguments, if present, should be listed after the path to the plugin
Multiple arguments may be specified, separated by white space.
.Bd -literal -offset indent
Plugin sudoers_policy sudoers.so sudoers_mode=0400
.Ed
The following plugin arguments are supported:
.It ldap_conf=pathname
argument can be used to override the default path to the
.It ldap_secret=pathname
argument can be used to override the default path to the
.It sudoers_file=pathname
argument can be used to override the default path to the
argument can be used to override the default owner of the sudoers file.
It should be specified as a numeric user ID.
argument can be used to override the default group of the sudoers file.
It must be specified as a numeric group ID (not a group name).
.It sudoers_mode=mode
argument can be used to override the default file mode for the sudoers file.
It should be specified as an octal value.
For more information on configuring
.Xr sudo.conf @mansectform@ ,
please refer to its manual.
.Ss Authentication and logging
security policy requires that most users authenticate
themselves before they can use
A password is not required
if the invoking user is root, if the target user is the same as the
invoking user, or if the policy has disabled authentication for the
authentication, it validates the invoking user's credentials, not
the target user's (or root's) credentials.
This can be changed via
flags, described later.
If a user who is not listed in the policy tries to run a command
mail is sent to the proper authorities.
used for such mail is configurable via the
(described later) and defaults to
Note that mail will not be sent if an unauthorized user tries to
determine for themselves whether or not they are allowed to use
is run by root and the
policy will use this value to determine who
This can be used by a user to log commands
through sudo even when a root shell has been invoked.
option to remain useful even when invoked via a
sudo-run script or program.
Note, however, that the
lookup is still done for root, not the user specified by
uses time stamp files for credential caching.
user has been authenticated, the time stamp is updated and the user
may then use sudo without a password for a short period of time
minutes unless overridden by the
uses a tty-based time stamp which means that
there is a separate time stamp for each of a user's login sessions.
option can be disabled to force the use of a
single time stamp for all of a user's sessions.
can log both successful and unsuccessful attempts (as well
but this is changeable via the
also supports logging a command's input and output
I/O logging is not on by default but can be enabled using
Defaults flags as well as the
.Ss Command environment
Since environment variables can influence program behavior,
provides a means to restrict which variables from the user's
environment are inherited by the command to be run.
can deal with environment variables.
to be executed with a new, minimal environment.
systems without PAM), the environment is initialized with the
On BSD systems, if the
option is enabled, the environment is initialized
.Pa /etc/login.conf .
The new environment contains the
in addition to variables from the invoking process permitted by the
This is effectively a whitelist
for environment variables.
option is disabled, any variables not
explicitly denied by the
inherited from the invoking process.
behave like a blacklist.
Since it is not possible
to blacklist all potentially dangerous environment variables, use
behavior is encouraged.
In all cases, environment variables with a value beginning with
are removed as they could be interpreted as
The list of environment variables that
contained in the output of
Note that the dynamic linker on most operating systems will remove
variables that can control dynamic linking from the environment of
setuid executables, including
Depending on the operating
system this may include
These types of variables are
removed from the environment before
even begins execution
and, as such, it is not possible for
As a special case, if
option (initial login) is
will initialize the environment regardless
variables remain unchanged;
are set based on the target user.
systems without PAM), the contents of
On BSD systems, if the
All other environment variables are removed.
option is defined, any variables present
in that file will be set to their specified values as long as they
would not conflict with an existing environment variable.
.Sh SUDOERS FILE FORMAT
file is composed of two types of entries: aliases
(basically variables) and user specifications (which specify who
When multiple entries match for a user, they are applied in order.
Where there are multiple matches, the last match is used (which is
not necessarily the most specific match).
grammar will be described below in Extended Backus-Naur
Don't despair if you are unfamiliar with EBNF; it is fairly simple,
and the definitions below are annotated.
.Ss Quick guide to EBNF
EBNF is a concise and exact way of describing the grammar of a language.
Each EBNF definition is made up of
.Em production rules .
.Li symbol ::= definition | alternate1 | alternate2 ...
references others and thus makes up a
grammar for the language.
EBNF also contains the following
operators, which many readers will recognize from regular
Do not, however, confuse them with
characters, which have different meanings.
Means that the preceding symbol (or group of symbols) is optional.
That is, it may appear once or not at all.
Means that the preceding symbol (or group of symbols) may appear
Means that the preceding symbol (or group of symbols) may appear
Parentheses may be used to group symbols together.
we will use single quotes
to designate what is a verbatim character string (as opposed to a symbol name).
There are four kinds of aliases:
Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
'Host_Alias' Host_Alias (':' Host_Alias)* |
'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
User_Alias ::= NAME '=' User_List
Runas_Alias ::= NAME '=' Runas_List
Host_Alias ::= NAME '=' Host_List
Cmnd_Alias ::= NAME '=' Cmnd_List
NAME ::= [A-Z]([A-Z][0-9]_)*
definition is of the form
Alias_Type NAME = item1, item2, ...
is a string of uppercase letters, numbers,
and underscore characters
It is possible to put several alias definitions
of the same type on a single line, joined by a colon
Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
The definitions of what constitutes a valid
User ::= '!'* user name |
'!'* %:nonunix_group |
'!'* %:#nonunix_gid |
is made up of one or more user names, user IDs
system group names and IDs (prefixed with
respectively), netgroups (prefixed with
non-Unix group names and IDs (prefixed with
.Li User_Alias Ns No es.
Each list item may be prefixed with zero or more
operators negate the value of
the item; an even number just cancel each other out.
may be enclosed in double quotes to avoid the
need for escaping special characters.
Alternately, special characters
may be specified in escaped hex mode, e.g.\& \ex20 for space.
using double quotes, any prefix characters must be included inside
the underlying group provider plugin.
For instance, the QAS AD plugin supports the following formats:
.Bl -bullet -width 4n
.It
Group in the same domain: "%:Group Name"
.It
Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
.It
Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
.El
.Sx "GROUP PROVIDER PLUGINS"
for more information.
Note that quotes around group names are optional.
Unquoted strings must use a backslash
to escape spaces and special characters.
.Sx Other special characters and reserved words
characters that need to be escaped.
Runas_List ::= Runas_Member |
Runas_Member ',' Runas_List
Runas_Member ::= '!'* user name |
'!'* %:nonunix_group |
'!'* %:#nonunix_gid |
.Li User_Alias Ns No es
.Li Runas_Alias Ns No es .
user names and groups are matched as strings.
users (groups) with the same uid (gid) are considered to be distinct.
If you wish to match all user names with the same uid (e.g.\&
root and toor), you can use a uid instead (#0 in the example given).
Host ::= '!'* host name |
'!'* network(/netmask)? |
is made up of one or more host names, IP addresses,
network numbers, netgroups (prefixed with
Again, the value of an item may be negated with the
If you do not specify a netmask along with the network number,
will query each of the local host's network interfaces and,
if the network number corresponds to one of the host's network
interfaces, the corresponding netmask will be used.
may be specified either in standard IP address notation
(e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::),
or CIDR notation (number of bits, e.g.\& 24 or 64).
A host name may include shell-style wildcards (see the
command on your machine returns the fully
qualified host name, you'll need to use the
option for wildcards to be useful.
only inspects actual network interfaces; this means that IP address
127.0.0.1 (localhost) will never match.
will only match if that is the actual host name, which is usually
only the case for non-networked systems.
digest ::= [A-Fa-f0-9]+ |
Digest_Spec ::= "sha224" ':' digest |
"sha256" ':' digest |
"sha384" ':' digest |
command name ::= file name |
Cmnd ::= Digest_Spec? '!'* command name |
is a list of one or more command names, directories, and other aliases.
A command name is a fully qualified file name which may include
shell-style wildcards (see the
A simple file name allows the user to run the command with any
arguments he/she wishes.
However, you may also specify command line arguments (including
Alternately, you can specify
to indicate that the command
command line arguments.
fully qualified path name ending in a
When you specify a directory in a
the user will be able to run any file within that directory
(but not in any sub-directories therein).
has associated command line arguments, then the arguments
must match exactly those given by the user on the command line
(or match the wildcards if there are any).
Note that the following characters must be escaped with a
if they are used in command arguments:
is used to permit a user to run
It may take command line arguments just as a normal command does.
is a command built into
itself and must be specified in
without a leading path.
the command will only match successfully if it can be verified
using the specified SHA-2 digest.
This may be useful in situations where the user invoking
has write access to the command or its parent directory.
The following digest formats are supported: sha224, sha256, sha384 and sha512.
The string may be specified in either hex or base64 format
(base64 is more compact).
There are several utilities capable of generating SHA-2 digests in hex
format such as openssl, shasum, sha224sum, sha256sum, sha384sum, sha512sum.
For example, using openssl:
$ openssl dgst -sha224 /bin/ls
SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25
It is also possible to use openssl to generate base64 output:
$ openssl dgst -binary -sha224 /bin/ls | openssl base64
EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
Command digests are only supported by version 1.8.7 or higher.
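An added example (not sudo's own code) of checking a file against a Digest_Spec written in either of the two encodings described above, for any of the four supported algorithms. The file it hashes is a constructed stand-in created in a temporary directory, not a real system binary.

```python
"""Verify a command file against a sudoers Digest_Spec such as "sha224:<digest>".

Added example, not sudo's own code.  It follows the rule above that the digest
may be written in hex or base64 for sha224, sha256, sha384 or sha512; the file
used in demo() is a constructed stand-in, not a real system binary.
"""
from __future__ import annotations

import base64
import binascii
import hashlib
import hmac
import os
import tempfile

# Digest length in bytes for each algorithm the page lists.
DIGEST_LENGTHS = {"sha224": 28, "sha256": 32, "sha384": 48, "sha512": 64}


def parse_digest_spec(spec: str) -> tuple[str, bytes]:
    """Split "algo:digest" and decode the digest from hex or base64.

    A hex digest is exactly twice the digest length; any other length is tried
    as padded base64.  A value that decodes to the wrong number of bytes is
    rejected here instead of silently failing to compare later.
    """
    algo, sep, digest = spec.partition(":")
    algo = algo.lower()
    if not sep or algo not in DIGEST_LENGTHS:
        raise ValueError(f"unsupported digest spec: {spec!r}")
    want = DIGEST_LENGTHS[algo]
    try:
        if len(digest) == 2 * want:
            raw = binascii.unhexlify(digest)
        else:
            raw = base64.b64decode(digest, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"undecodable digest in {spec!r}") from exc
    if len(raw) != want:
        raise ValueError(f"{algo} digest must be {want} bytes, got {len(raw)}")
    return algo, raw


def file_digest(path: str, algo: str) -> bytes:
    """Hash the file in 64 KiB chunks so large binaries are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.digest()


def command_matches_digest(path: str, spec: str) -> bool:
    """True only if the file's digest equals the spec's (constant-time comparison)."""
    algo, expected = parse_digest_spec(spec)
    return hmac.compare_digest(file_digest(path, algo), expected)


def demo() -> dict[str, bool]:
    """Write a constructed 'command', check it in both spec forms, then change
    the file and confirm that neither form matches any more."""
    with tempfile.TemporaryDirectory() as tmp:
        cmd = os.path.join(tmp, "ls")  # constructed stand-in for /bin/ls
        with open(cmd, "wb") as fh:
            fh.write(b"#!/bin/sh\necho constructed command\n")
        raw = file_digest(cmd, "sha224")
        hex_spec = "sha224:" + raw.hex()
        b64_spec = "sha224:" + base64.b64encode(raw).decode("ascii")
        results = {
            "hex_matches": command_matches_digest(cmd, hex_spec),
            "b64_matches": command_matches_digest(cmd, b64_spec),
        }
        with open(cmd, "ab") as fh:  # the file changes after the digest was recorded
            fh.write(b"# appended change\n")
        results["hex_after_change"] = command_matches_digest(cmd, hex_spec)
        results["b64_after_change"] = command_matches_digest(cmd, b64_spec)
    return results


if __name__ == "__main__":
    print(demo())
```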
Certain configuration options may be changed from their default
values at run-time via one or more
These may affect all users on any host, all users on a specific host, a
specific user, a specific command, or commands being run as a specific user.
Note that per-command entries may not include command line arguments.
If you need to specify arguments, define a
Default_Type ::= 'Defaults' |
'Defaults' '@' Host_List |
'Defaults' ':' User_List |
'Defaults' '!' Cmnd_List |
'Defaults' '>' Runas_List
Default_Entry ::= Default_Type Parameter_List
Parameter_List ::= Parameter |
Parameter ',' Parameter_List
Parameter ::= Parameter '=' Value |
Parameter '+=' Value |
Parameter '-=' Value |
Flags are implicitly boolean and can be turned off via the
Some integer, string and list parameters may also be
used in a boolean context to disable them.
Values may be enclosed
when they contain multiple words.
Special characters may be escaped with a backslash
Lists have two additional assignment operators,
These operators are used to add to and delete from a list respectively.
It is not an error to use the
operator to remove an element
that does not exist in a list.
Defaults entries are parsed in the following order: generic, host
and user Defaults first, then runas Defaults and finally command
for a list of supported Defaults parameters.
.Ss User specification
User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
(':' Host_List '=' Cmnd_Spec_List)*
Cmnd_Spec_List ::= Cmnd_Spec |
Cmnd_Spec ',' Cmnd_Spec_List
Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd
Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
.Sy user specification
determines which commands a user may run
(and as what user) on specified hosts.
By default, commands are
but this can be changed on a per-command basis.
The basic structure of a user specification is
.Dq who where = (as_whom) what .
Let's break that down into its constituent parts:
determines the user and/or the group that a command
.Li Runas_List Ns No s
(as defined above) separated by a colon
and enclosed in a set of parentheses.
which users the command may be run as via
The second defines a list of groups that can be specified via
.Li Runas_List Ns No s
are specified, the command may be run with any combination of users
and groups listed in their respective
.Li Runas_List Ns No s.
If only the first is specified, the command may be run as any user
second is specified, the command may be run as the invoking user
with the group set to any listed in the
.Li Runas_List Ns No s
are empty, the command may only be run as the invoking user.
is specified the command may be run as
no group may be specified.
sets the default for the commands that follow it.
What this means is that for the entry:
dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
.Pa /usr/bin/lprm Ns No \(em Ns but
$ sudo -u operator /bin/ls
It is also possible to override a
later on in an entry.
If we modify the entry like so:
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
is now allowed to run
We can extend this to allow
the user or group set to
dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\e
Note that while the group portion of the
user to run a command with that group, it does not force the user
If no group is specified on the command line, the command
will run with the group listed in the target user's password database
The following would all be permitted by the sudoers entry above:
$ sudo -u operator /bin/ls
$ sudo -u operator -g operator /bin/ls
$ sudo -g operator /bin/ls
In the following example, user
may run commands that access
a modem device file with the dialer group.
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\e
/usr/local/bin/minicom
Note that in this example only the group will be set, the command
$ sudo -g dialer /usr/bin/cu
Multiple users and groups may be present in a
in which case the user may select any combination of users and groups via the
alan ALL = (root, bin : operator, system) ALL
may run any command as either user root or bin,
optionally setting the group to operator or system.
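The Runas_Spec rules above, turned into a decision function over the -u and -g values a user supplies; this is an added example, not sudo's own code. It assumes already-expanded lists (no aliases, netgroups or negation), a runas default of root, and that a request which only changes the group is accepted when the command stays with the invoking user, as the three permitted invocations listed for (operator : operator) show.

```python
"""The Runas_Spec rules as a decision function over -u / -g requests.

Added example, not sudo's own code.  Assumptions: lists are already expanded
(no aliases, netgroups or negation); with no Runas_Spec the target user is the
runas default, taken to be root here, and no -g is accepted in that case.
"""
from __future__ import annotations

from typing import Optional

RUNAS_DEFAULT = "root"  # assumed value of the runas_default setting


def _split_list(text: str) -> list[str]:
    return [item.strip() for item in text.split(",") if item.strip()]


def parse_runas_spec(spec: Optional[str]) -> tuple[list[str], list[str]]:
    """Split "(users : groups)" into two lists.

    "(operator : operator)" -> (["operator"], ["operator"])
    "(root)"                -> (["root"], [])     empty groups: no -g allowed
    "(:dialer)"             -> ([], ["dialer"])   empty users: invoking user only
    "()"                    -> ([], [])
    None (no Runas_Spec)    -> ([RUNAS_DEFAULT], [])
    """
    if spec is None:
        return [RUNAS_DEFAULT], []
    body = spec.strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise ValueError(f"malformed Runas_Spec: {spec!r}")
    users_part, _, groups_part = body[1:-1].partition(":")
    return _split_list(users_part), _split_list(groups_part)


def resolve_target_user(invoking_user: str, u: Optional[str], g: Optional[str]) -> str:
    """Who the command would run as: -u wins; -g alone keeps the invoking user
    (the "(:dialer)" example above); neither option means the runas default."""
    if u is not None:
        return u
    if g is not None:
        return invoking_user
    return RUNAS_DEFAULT


def runas_allowed(spec: Optional[str], invoking_user: str,
                  u: Optional[str] = None, g: Optional[str] = None) -> bool:
    """True if 'sudo [-u u] [-g g] command' is permitted by this Runas_Spec."""
    users, groups = parse_runas_spec(spec)
    target = resolve_target_user(invoking_user, u, g)
    if users:
        # Users listed: the target must be one of them, except that a request
        # which only changes the group (target stays the invoking user) passes.
        user_ok = target in users or (g is not None and target == invoking_user)
    else:
        # No users listed: the command may only run as the invoking user.
        user_ok = target == invoking_user
    # A group may be requested only if the group list contains it.
    group_ok = g is None or g in groups
    return user_ok and group_ok


def demo() -> dict[str, bool]:
    """The entries from the text, checked against the invocations it discusses."""
    ops = "(operator : operator)"
    alan = "(root, bin : operator, system)"
    return {
        # dgb boulder = (operator) /bin/ls ...: only as operator, never as root
        "dgb_-u_operator": runas_allowed("(operator)", "dgb", u="operator"),
        "dgb_no_options": runas_allowed("(operator)", "dgb"),
        # (operator : operator): all three forms listed in the text
        "ops_-u": runas_allowed(ops, "dgb", u="operator"),
        "ops_-u_-g": runas_allowed(ops, "dgb", u="operator", g="operator"),
        "ops_-g": runas_allowed(ops, "dgb", g="operator"),
        # (root) /bin/kill: no group may be specified
        "root_-g_wheel": runas_allowed("(root)", "dgb", u="root", g="wheel"),
        # tcm boulder = (:dialer) ...: runs as tcm with the dialer group
        "tcm_-g_dialer": runas_allowed("(:dialer)", "tcm", g="dialer"),
        "tcm_no_options": runas_allowed("(:dialer)", "tcm"),
        # alan ALL = (root, bin : operator, system) ALL
        "alan_-u_bin_-g_system": runas_allowed(alan, "alan", u="bin", g="system"),
        "alan_-u_bin_-g_wheel": runas_allowed(alan, "alan", u="bin", g="wheel"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:24s} {'permitted' if ok else 'denied'}")
```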
On systems with SELinux support,
entries may optionally have an SELinux role and/or type associated
type is specified with the command it will override any default values
A role or type specified on the command line,
however, will supersede the values in
.Ss Solaris_Priv_Spec
entries may optionally specify Solaris privilege set and/or limit
privilege set associated with a command.
If privileges or limit privileges are specified with the command
it will override any default values specified in
A privilege set is a comma-separated list of privilege names.
command can be used to list all privileges known to the system.
In addition, there are several
the set of all privileges
the set of all privileges available in the current zone
the default set of privileges normal users are granted at login time
Privileges can be excluded from a set by prefixing the privilege
A command may have zero or more tags associated with it.
ten possible tag values:
Once a tag is set on a
.Li Cmnd_Spec_List ,
inherit the tag unless it is overridden by the opposite tag (in other words,
.It Em NOPASSWD No and Em PASSWD
requires that a user authenticate him or herself
before running a command.
This behavior can be modified via the
a default for the commands that follow it in the
.Li Cmnd_Spec_List .
tag can be used to reverse things.
ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
would allow the user
on the machine rushmore without authenticating himself.
without a password the entry would be:
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
Note, however, that the
tag has no effect on users who are in the group specified by the
tag is applied to any of the entries for a user on the current host,
he or she will be able to run
Additionally, a user may only run
without a password if the
tag is present for all a user's entries that pertain to the current host.
This behavior may be overridden via the
.It Em NOEXEC No and Em EXEC
has been compiled with
support and the underlying operating system supports it, the
tag can be used to prevent a dynamically-linked executable from
running further commands itself.
In the following example, user
but shell escapes will be disabled.
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
.Sx Preventing shell escapes
section below for more details on how
works and whether or not it will work on your system.
.It Em SETENV No and Em NOSETENV
These tags override the value of the
option on a per-command basis.
has been set for a command, the user may disable the
option from the command line via the
Additionally, environment variables set on the command
line are not subject to the restrictions imposed by
As such, only trusted users should be allowed to set variables in this manner.
If the command matched is
tag is implied for that command; this default may be overridden by use of the
.It Em LOG_INPUT No and Em NOLOG_INPUT
These tags override the value of the
option on a per-command basis.
For more information, see the description of
.It Em LOG_OUTPUT No and Em NOLOG_OUTPUT
These tags override the value of the
option on a per-command basis.
For more information, see the description of
(aka meta or glob characters)
to be used in host names, path names and command line arguments in the
Wildcard matching is done via the
functions as specified by
regular expressions.
Matches any set of zero or more characters.
Matches any single character.
Matches any character in the specified range.
Matches any character
in the specified range.
This is used to escape special characters such as:
Character classes may also be used if your system's
functions support them.
However, because the
character has special meaning in
.Bd -literal -offset 4n
/bin/ls [[\:alpha\:]]*
.Ed
Would match any file name beginning with a letter.
Note that a forward slash
wildcards used in the path name.
This is to make a path like:
.Bd -literal -offset 4n
.Ed
.Pa /usr/bin/X11/xterm .
When matching the command line arguments, however, a slash
get matched by wildcards since command line arguments may contain
arbitrary strings and not just path names.
Wildcards in command line arguments should be used with care.
Because command line arguments are matched as a single, concatenated
string, a wildcard such as
can match multiple words.
For example, while a sudoers entry like:
.Bd -literal -offset 4n
%operator ALL = /bin/cat /var/log/messages*
.Ed
will allow a command like:
.Bd -literal -offset 4n
$ sudo cat /var/log/messages.1
.Ed
.Bd -literal -offset 4n
$ sudo cat /var/log/messages /etc/shadow
.Ed
which is probably not what was intended.
.Ss Exceptions to wildcard rules
The following exceptions apply to the above rules:
is the only command line argument in the
entry it means that command is not allowed to be run with
Command line arguments to the
built-in command should always be path names, so a forward slash
will not be matched by a wildcard.
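The path and argument matching rules above, together with the two exceptions, as an added example that is not sudo's own code: wildcards in the path part stop at a slash, the argument part is matched as one concatenated string, and an argument part of "" forbids arguments. POSIX character classes such as [[:alpha:]] are not implemented, and the paths in demo() are constructed samples.

```python
"""How a sudoers Cmnd entry's wildcards match the command path versus its
arguments, including the exceptions to the wildcard rules.

Added example, not sudo's own code.  The pattern translator is hand-written so
the path part gets FNM_PATHNAME-style behaviour; POSIX character classes such
as [[:alpha:]] are not implemented.  Paths in demo() are constructed samples.
"""
from __future__ import annotations

import re


def glob_to_regex(pattern: str, pathname: bool) -> re.Pattern[str]:
    """Translate a shell-style pattern into an anchored regular expression.

    pathname=True (command path): '*', '?' and '[...]' never match '/'.
    pathname=False (command line arguments): they match anything, including
    '/' and the spaces between arguments.  A backslash escapes the next char.
    """
    out: list[str] = []
    i, n = 0, len(pattern)
    while i < n:
        c = pattern[i]
        if c == "\\" and i + 1 < n:
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if c == "*":
            out.append("[^/]*" if pathname else ".*")
        elif c == "?":
            out.append("[^/]" if pathname else ".")
        elif c == "[" and (close := pattern.find("]", i + 2)) != -1:
            body = pattern[i + 1:close]
            negate = body.startswith("!")
            body = body[1:] if negate else body
            for ch in ("\\", "[", "]", "^"):  # keep ranges like a-z, escape the rest
                body = body.replace(ch, "\\" + ch)
            if negate:
                out.append("[^" + ("/" if pathname else "") + body + "]")
            else:
                out.append(("(?!/)" if pathname else "") + "[" + body + "]")
            i = close + 1
            continue
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out), re.DOTALL)


def _split_entry(entry: str) -> tuple[str, str]:
    """Split a Cmnd entry into path and argument parts at the first unescaped space."""
    for i, ch in enumerate(entry):
        if ch == " " and (i == 0 or entry[i - 1] != "\\"):
            return entry[:i], entry[i + 1:]
    return entry, ""


def cmnd_matches(entry: str, cmd: str, args: list[str]) -> bool:
    """Decide whether running cmd with args is covered by a sudoers Cmnd entry.

    - wildcards in the path part never cross a '/', so "/usr/bin/*" covers a
      file directly in /usr/bin but not /usr/bin/X11/xterm;
    - an entry with no argument part allows any arguments;
    - an argument part of exactly "" allows the command only with no arguments;
    - otherwise the user's arguments are joined by single spaces and matched as
      ONE string, which is why a trailing '*' can also swallow extra words.
    """
    entry_cmd, entry_args = _split_entry(entry.strip())
    if glob_to_regex(entry_cmd, pathname=True).fullmatch(cmd) is None:
        return False
    if entry_args == "":
        return True
    if entry_args == '""':
        return not args
    return glob_to_regex(entry_args, pathname=False).fullmatch(" ".join(args)) is not None


def demo() -> dict[str, bool]:
    """Constructed invocations checked against the entries discussed in the text."""
    log_entry = "/bin/cat /var/log/messages*"
    return {
        # the intended use: a rotated log file
        "rotated_log": cmnd_matches(log_entry, "/bin/cat", ["/var/log/messages.1"]),
        # the unintended one: '*' spans the space and a second file name
        "second_file_slips_through": cmnd_matches(
            log_entry, "/bin/cat", ["/var/log/messages", "/etc/shadow"]),
        # wildcards in the path stop at '/'
        "same_directory": cmnd_matches("/usr/bin/*", "/usr/bin/who", []),
        "subdirectory": cmnd_matches("/usr/bin/*", "/usr/bin/X11/xterm", []),
        # the "" exception: the command may only be run without arguments
        "empty_args_ok": cmnd_matches('/bin/ls ""', "/bin/ls", []),
        "empty_args_extra": cmnd_matches('/bin/ls ""', "/bin/ls", ["-l"]),
        # a backslash escapes a sudoers special character in the argument part
        "escaped_colon": cmnd_matches(r"/usr/bin/ls \:", "/usr/bin/ls", [":"]),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:28s} {'match' if ok else 'no match'}")
```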
.Ss Including other files from within sudoers
It is possible to include other
files from within the
file currently being parsed using the
This can be used, for example, to keep a site-wide
file in addition to a local, per-machine file.
For the sake of this example the site-wide
and the per-machine one will be
.Pa /etc/sudoers.local .
.Pa /etc/sudoers.local
.Bd -literal -offset 4n
#include /etc/sudoers.local
.Ed
reaches this line it will suspend processing of the current file
.Pa /etc/sudoers.local .
Upon reaching the end of
.Pa /etc/sudoers.local ,
Files that are included may themselves include other files.
A hard limit of 128 nested include files is enforced to prevent include
If the path to the include file is not fully-qualified (does not
it must be located in the same directory as the sudoers file it was
.Bd -literal -offset 4n
.Li #include sudoers.local
.Ed
the file that will be included is
.Pa /etc/sudoers.local .
The file name may also include the
escape, signifying the short form of the host name.
In other words, if the machine's host name is
.Bd -literal -offset 4n
#include /etc/sudoers.%h
.Ed
.Pa /etc/sudoers.xerxes .
directive can be used to create a
directory that the system package manager can drop
into as part of package installation.
.Bd -literal -offset 4n
#includedir /etc/sudoers.d
.Ed
will read each file in
.Pa /etc/sudoers.d ,
skipping file names that end in
character to avoid causing problems with package manager or editor
temporary/backup files.
Files are parsed in sorted lexical order.
.Pa /etc/sudoers.d/01_first
will be parsed before
.Pa /etc/sudoers.d/10_second .
Be aware that because the sorting is lexical, not numeric,
.Pa /etc/sudoers.d/1_whoops
.Pa /etc/sudoers.d/10_second .
Using a consistent number of leading zeroes in the file names
avoids such problems.
Note that unlike files included via
will not edit the files in a
directory unless one of them contains a syntax error.
It is still possible to run
flag to edit the files directly.
.Ss Other special characters and reserved words
is used to indicate a comment (unless it is part of a #include
directive or unless it occurs in the context of a user name and is
followed by one or more digits, in which case it is treated as a
Both the comment character and any text after it, up to the end of
the line, are ignored.
that always causes a match to succeed.
It can be used wherever one might otherwise use a
You should not try to define your own
as the built-in alias will be used in preference to your own.
Please note that using
can be dangerous since in a command context, it allows the user to run
command on the system.
An exclamation point
can be used as a logical
operator in a list or
as well as in front of a
This allows one to exclude certain values.
operator to be effective, there must be something for it to exclude.
For example, to match all users except for root one would use:
.Bd -literal -offset 4n
.Ed
.Bd -literal -offset 4n
.Ed
it would explicitly deny root but not match any other users.
This is different from a true
Note, however, that using a
in conjunction with the built-in
alias to allow a user to run
commands rarely works as intended (see
Long lines can be continued with a backslash
as the last character on the line.
White space between elements in a list as well as special syntactic
.Em User Specification
The following characters must be escaped with a backslash
when used as part of a word (e.g.\& a user name or host name):
behavior can be modified by
lines, as explained earlier.
1582 A list of all supported Defaults parameters, grouped by type, are listed below.
1591 environment variable to the home directory of the target user
1592 (which is root unless the
1595 This effectively means that the
1597 option is always implied.
1600 is already set when the the
1602 option is enabled, so
1604 is only effective for configurations where either
1615 If set, users must authenticate themselves via a password (or other
1616 means of authentication) before they may run commands.
1617 This default may be overridden via the
1625 .It closefrom_override
1626 If set, the user may use
1629 option which overrides the default starting point at which
1631 begins closing open file descriptors.
1638 is configured to log a command's input or output,
1639 the I/O logs will be compressed using
1651 runs a command as the foreground process as long as
1653 itself is running in the foreground.
1656 flag is enabled and the command is being run in a pty (due to I/O logging
1659 flag), the command will be run as a background process.
1660 Attempts to read from the controlling terminal (or to change terminal
1661 settings) will result in the command being suspended with the
1665 in the case of terminal settings).
1666 If this happens when
1668 is a foreground process, the command will be granted the controlling terminal
1669 and resumed in the foreground with no user intervention required.
1670 The advantage of initially running the command in the background is that
1672 need not read from the terminal unless the command explicitly requests it.
1673 Otherwise, any terminal input must be passed to the command, whether it
1674 has required it or not (the kernel buffers terminals so it is not possible
1675 to tell whether the command really wants the input).
1676 This is different from historic
1678 behavior or when the command is not being run in a pty.
1680 For this to work seamlessly, the operating system must support the
1681 automatic restarting of system calls.
1682 Unfortunately, not all operating systems do this by default,
1683 and even those that do may have bugs.
1684 For example, Mac OS X fails to restart the
1688 system calls (this is a bug in Mac OS X).
1689 Furthermore, because this behavior depends on the command stopping with the
1693 signals, programs that catch these signals and suspend themselves
1694 with a different signal (usually
1696 will not be automatically foregrounded.
1697 Some versions of the linux
1699 command behave this way.
1701 This setting is only supported by version 1.8.7 or higher.
1702 It has no effect unless I/O logging is enabled or the
1708 will use the value of the
1712 environment variables before falling back on the default editor list.
1713 Note that this may create a security hole as it allows the user to
1714 run any arbitrary command as root without logging.
1715 A safer alternative is to place a colon-separated list of editors
1720 will then only use the
1724 if they match a value specified in
1733 will run the command in a minimal environment containing the
1746 variables in the caller's environment that match the
1750 lists are then added, followed by any variables present in the file
1754 The default contents of the
1758 lists are displayed when
1760 is run by root with the
1765 option is set, its value will be used for the
1767 environment variable.
1776 function to do shell-style globbing when matching path names.
1777 However, since it accesses the file system,
1779 can take a long time to complete for some patterns, especially
1780 when the pattern references a network file system that is mounted
1781 on demand (auto mounted).
1788 function, which does not access the file system to do its matching.
1791 is that it is unable to match relative path names such as
1795 This has security implications when path names that include globbing
1796 characters are used with the negation operator,
1798 as such rules can be trivially bypassed.
1799 As such, this option should not be used when
1801 contains rules that contain negated path names which include globbing
1807 Set this flag if you want to put fully qualified host names in the
1809 file when the local host name (as returned by the
1811 command) does not contain the domain name.
1812 In other words, instead of myhost you would use myhost.mydomain.edu.
1813 You may still use the short form if you wish (and even mix the two).
1814 This option is only effective when the
1816 host name, as returned by the
1820 function, is a fully-qualified domain name.
1821 This is usually the case when the system is configured to use DNS
1822 for host name resolution.
1824 If the system is configured to use the
1826 file in preference to DNS, the
1828 host name may not be fully-qualified.
1829 The order that sources are queried for host name resolution
1830 is usually specified in the
1831 .Pa @nsswitch_conf@ ,
1833 .Pa /etc/host.conf ,
1835 .Pa /etc/resolv.conf
1839 file, the first host name of the entry is considered to be the
1841 name; subsequent names are aliases that are not used by
1843 For example, the following hosts file line for the machine
1845 has the fully-qualified domain name as the
1847 host name, and the short version as an alias.
1849 .Dl 192.168.1.1 xyzzy.sudo.ws xyzzy
1851 If the machine's hosts file entry is not formatted properly, the
1853 option will not be effective if it is queried before DNS.
1855 Beware that when using DNS for host name resolution, turning on
1859 to make DNS lookups which renders
1861 unusable if DNS stops working (for example if the machine is disconnected
1863 Also note that just like with the hosts file, you must use the
1865 name as DNS knows it.
1866 That is, you may not use a host alias
1871 due to performance issues and the fact that there is no way to get all
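The hosts-file ordering rule above is easy to get wrong, and the page notes that a misordered entry silently makes the fqdn option ineffective. The following is an added example (not code from the sudo project) that applies the rule as the page states it: the first name on a hosts line is the canonical name, later names are aliases, and fqdn only helps if the canonical name carries a domain part. The sample hosts content, the `plugh` host, and the function names are constructed for this example.

```python
# Constructed sample /etc/hosts content (not taken from any real system).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
# canonical name first, short form as alias: fqdn will be effective
192.168.1.1     xyzzy.sudo.ws xyzzy
# short name first: the canonical name is NOT fully qualified
192.168.1.2     plugh plugh.sudo.ws
"""


def parse_hosts(text):
    """Parse hosts-file text into {address: (canonical_name, [aliases])}.

    The first name on a line is the canonical name; any further names are
    aliases.  Comments and blank lines are skipped.
    """
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        addr, canonical, aliases = fields[0], fields[1], fields[2:]
        entries[addr] = (canonical, aliases)
    return entries


def canonical_name(text, name):
    """Return the canonical name of the entry that lists `name` (as canonical
    name or alias), or None if no entry mentions it."""
    for canonical, aliases in parse_hosts(text).values():
        if name == canonical or name in aliases:
            return canonical
    return None


def fqdn_effective(text, local_hostname):
    """True if the canonical name for local_hostname contains a domain part,
    i.e. enabling fqdn would actually yield a fully-qualified name."""
    canon = canonical_name(text, local_hostname)
    return canon is not None and "." in canon
```

Run `fqdn_effective(SAMPLE_HOSTS, "xyzzy")` against the local host name before enabling fqdn on a machine that consults the hosts file before DNS; a False result means the entry is ordered the wrong way round.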
1880 will ignore "." or "" (both denoting current directory) in the
1882 environment variable; the
1884 itself is not modified.
1888 .It ignore_local_sudoers
1889 If set via LDAP, parsing of
1890 .Pa @sysconfdir@/sudoers
1892 This is intended for enterprises that wish to prevent the usage of local
1893 sudoers files so that only LDAP is used.
1894 This thwarts the efforts of rogue operators who would attempt to add roles to
1895 .Pa @sysconfdir@/sudoers .
1896 When this option is present,
1897 .Pa @sysconfdir@/sudoers
1898 does not even need to exist.
1899 Since this option tells
1901 how to behave when no specific LDAP entries have been matched, this
1902 sudoOption is only meaningful for the
1911 will insult users when they enter an incorrect password.
1916 If set, the host name will be logged in the (non-syslog)
1925 will run the command in a
1927 and log all user input.
1928 If the standard input is not connected to the user's tty, due to
1929 I/O redirection or because the command is part of a pipeline, that
1930 input is also captured and stored in a separate log file.
1932 Input is logged to the directory specified by the
1939 using a unique session ID that is included in the normal
1941 log line, prefixed with
1945 option may be used to control the format of the session ID.
1947 Note that user input may contain sensitive information such as
1948 passwords (even if they are not echoed to the screen), which will
1949 be stored in the log file unencrypted.
1950 In most cases, logging the command output via
1952 is all that is required.
1956 will run the command in a
1958 and log all output that is sent to the screen, similar to the
1961 If the standard output or standard error is not connected to the
1962 user's tty, due to I/O redirection or because the command is part
1963 of a pipeline, that output is also captured and stored in separate
1966 Output is logged to the directory specified by the
1973 using a unique session ID that is included in the normal
1975 log line, prefixed with
1979 option may be used to control the format of the session ID.
1981 Output logs may be viewed with the
1982 .Xr sudoreplay @mansectsu@
1983 utility, which can also be used to list or search the available logs.
1985 If set, the four-digit year will be logged in the (non-syslog)
1992 When validating with a One Time Password (OTP) scheme such as
1996 a two-line prompt is used to make it easier
1997 to cut and paste the challenge to a local window.
1998 It's not as pretty as the default but some people find it more convenient.
2000 .Em @long_otp_prompt@
2005 user every time a user runs
2013 user if the user running
2015 does not enter the correct password.
2016 If the command the user is attempting to run is not permitted by
2024 flags are set, this flag will have no effect.
2029 If set, mail will be sent to the
2031 user if the invoking user exists in the
2033 file, but is not allowed to run commands on the current host.
2038 If set, mail will be sent to the
2040 user if the invoking user is allowed to use
2042 but the command they are trying is not listed in their
2044 file entry or is explicitly denied.
2049 If set, mail will be sent to the
2051 user if the invoking user is not in the
2058 If set, all commands run via
2060 will behave as if the
2062 tag has been set, unless overridden by a
2065 See the description of
2067 below as well as the
2068 .Sx Preventing shell escapes
2069 section at the end of this manual.
2074 On systems that use PAM for authentication,
2076 will create a new PAM session for the command to be run in.
2079 may be needed on older PAM implementations or on operating systems where
2080 opening a PAM session changes the utmp or wtmp files.
2081 If PAM session support is disabled, resource limits may not be updated
2082 for the command being run.
2087 This setting is only supported by version 1.8.7 or higher.
2088 .It passprompt_override
2089 The password prompt specified by
2091 will normally only be used if the password prompt provided by systems
2092 such as PAM matches the string
2095 .Em passprompt_override
2098 will always be used.
2105 will tell the user when a command could not be
2108 environment variable.
2109 Some sites may wish to disable this as it could be used to gather
2110 information on the location of executables that the normal user does
2112 The disadvantage is that if the executable is simply not in the user's
2115 will tell the user that they are not allowed to run it, which can be confusing.
2122 will initialize the group vector to the list of groups the target user is in.
2125 is set, the user's existing group vector is left unaltered.
2126 The real and effective group IDs, however, are still set to match the
2134 reads the password like most other Unix programs,
2135 by turning off echo until the user hits the return (or enter) key.
2136 Some users become confused by this as it appears to them that
2138 has hung at this point.
2143 will provide visual feedback when the user presses a key.
2144 Note that this does have a security impact as an onlooker may be able to
2145 determine the length of the password being entered.
2152 will only run when the user is logged in to a real tty.
2153 When this flag is set,
2155 can only be run from a login session and not via other means such as
2156 .Xr cron @mansectsu@
2162 If set, root is allowed to run
2165 Disabling this prevents users from
2168 commands to get a root shell by doing something like
2169 .Dq Li sudo sudo /bin/sh .
2170 Note, however, that turning off
2172 will also prevent root from running
2176 provides no real additional security; it exists purely for historical reasons.
2183 will prompt for the root password instead of the password of the invoking user.
2190 will prompt for the password of the user defined by the
2193 .Li @runas_default@ )
2194 instead of the password of the invoking user.
2205 environment variable will be set to the home directory of the target
2206 user (which is root unless the
2209 This effectively makes the
2215 is already set when the
2217 option is enabled, so
2219 is only effective for configurations where either
2238 environment variables to the name of the target user (usually root unless the
2241 However, since some programs (including the RCS revision control system) use
2243 to determine the real identity of the user, it may be desirable to
2244 change this behavior.
2245 This can be done by negating the set_logname option.
2248 option has not been disabled, entries in the
2250 list will override the value of
2258 will create an entry in the utmp (or utmpx) file when a pseudo-tty
2260 A pseudo-tty is allocated by
2268 By default, the new entry will be a copy of the user's existing utmp
2269 entry (if any), with the tty, time, type and pid fields updated.
2274 Allow the user to disable the
2276 option from the command line via the
2279 Additionally, environment variables set via the command line are
2280 not subject to the restrictions imposed by
2285 As such, only trusted users should be allowed to set variables in this manner.
2292 is invoked with no arguments it acts as if the
2294 option had been given.
2295 That is, it runs a shell as root (the shell is determined by the
2297 environment variable if it is set, falling back on the shell listed
2298 in the invoking user's /etc/passwd entry if not).
2305 executes a command the real and effective UIDs are set to the target
2306 user (root by default).
2307 This option changes that behavior such that the real UID is left
2308 as the invoking user's UID.
2309 In other words, this makes
2311 act as a setuid wrapper.
2312 This can be useful on systems that disable some potentially
2313 dangerous functionality when a program is run setuid.
2314 This option is only effective on systems that support either the
2325 will prompt for the password of the user specified
2330 instead of the password of the invoking user.
2331 In addition, the time stamp file name will include the target user's name.
2332 Note that this flag precludes the use of a uid not listed in the passwd
2333 database as an argument to the
2340 If set, users must authenticate on a per-tty basis.
2341 With this flag enabled,
2343 will use a file named for the tty the user is
2344 logged in on in the user's time stamp directory.
2345 If disabled, the time stamp of the directory is used instead.
2352 will set the umask as specified by
2354 without modification.
2355 This makes it possible to specify a more permissive umask in
2357 than the user's own umask and matches historical behavior.
2362 will set the umask to be the union of the user's umask and what is specified in
2365 .Em @umask_override@
2370 will apply the defaults specified for the target user's login class
2374 is configured with the
2383 will run the command in a pseudo-pty even if no I/O logging is being done.
2384 A malicious program run under
2386 could conceivably fork a background process that retains access to the user's
2387 terminal device after the main program has finished executing.
2388 Use of this option will make that impossible.
2395 will store the name of the runas user when updating the utmp (or utmpx) file.
2398 stores the name of the invoking user.
2405 will refuse to run if the user must enter a password but it is not
2406 possible to disable echo on the terminal.
2411 will prompt for a password even when it would be visible on the screen.
2412 This makes it possible to run things like
2413 .Dq Li ssh somehost sudo ls
2417 not allocate a tty when running a command.
2426 Before it executes a command,
2428 will close all open file descriptors other than standard input,
2429 standard output and standard error (i.e., file descriptors 0-2).
2432 option can be used to specify a different file descriptor at which
2437 The number of tries a user gets to enter his/her password before
2439 logs the failure and exits.
2441 .Li @passwd_tries@ .
2444 .Sy Integers that can be used in a boolean context :
2447 Number of characters per line for the file log.
2448 This value is used to decide when to wrap lines for nicer log files.
2449 This has no effect on the syslog log file, only the file log.
2452 (use 0 or negate the option to disable word wrap).
2454 Number of minutes before the
2456 password prompt times out, or
2459 The timeout may include a fractional component
2460 if minute granularity is insufficient, for example
2464 .Li @password_timeout@ .
2465 .It timestamp_timeout
2466 Number of minutes that can elapse before
2468 will ask for a password again.
2469 The timeout may include a fractional component if
2470 minute granularity is insufficient, for example
2476 to always prompt for a password.
2477 If set to a value less than
2479 the user's time stamp will never expire.
2480 This can be used to allow users to create or delete their own time stamps via
2486 Umask to use when running the command.
2487 Negate this option or set it to 0777 to preserve the user's umask.
2488 The actual umask that is used will be the union of the user's umask
2489 and the value of the
2491 option, which defaults to
2496 never lowers the umask when running a command.
2497 Note: on systems that use PAM, the default PAM configuration may specify
2498 its own umask which will override the value set in
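The umask and umask_override descriptions above combine in a way that is easy to misread: by default the result is the union of the user's umask and the sudoers value (so the umask is never lowered), umask_override uses the sudoers value as given, and negating the option or setting it to 0777 leaves the user's umask alone. This is an added example (not the sudo project's code) that computes the resulting umask under those rules; the function names are made up for the example, and the default of 0o022 for the sudoers umask is taken from the usual distribution default rather than from this page.

```python
def effective_umask(user_umask, sudoers_umask=0o022,
                    umask_override=False, umask_disabled=False):
    """Return the umask a command will run with.

    user_umask      the invoking user's own umask (e.g. 0o022)
    sudoers_umask   the value of the sudoers umask option
    umask_override  True when the umask_override flag is set
    umask_disabled  True when the umask option has been negated
    """
    # Negating the option, or setting it to 0777, preserves the user's umask.
    if umask_disabled or sudoers_umask == 0o777:
        return user_umask
    # umask_override: the sudoers value is used without modification, even
    # when it is more permissive than the user's own umask.
    if umask_override:
        return sudoers_umask
    # Default: union of both masks, so bits the user already masks stay masked.
    return user_umask | sudoers_umask


def resulting_file_mode(requested_mode, umask):
    """Mode a file created with requested_mode ends up with under umask."""
    return requested_mode & ~umask & 0o777
```

For example, a user with umask 0o077 who runs a command under a sudoers umask of 0o022 keeps 0o077 by default, but gets 0o022 once umask_override is set, which is exactly the case where a more permissive umask can be granted deliberately.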
2505 Message that is displayed if a user enters an incorrect password.
2507 .Li @badpass_message@
2508 unless insults are enabled.
2512 separated list of editors allowed to be used with
2515 will choose the editor that matches the user's
2517 environment variable if possible, or the first editor in the
2518 list that exists and is executable.
2522 The top-level directory to use when constructing the path name for
2523 the input/output log directory.
2528 options are enabled or when the
2532 tags are present for a command.
2533 The session sequence number, if any, is stored in the directory.
2537 The following percent
2539 escape sequences are supported:
2542 expanded to a monotonically increasing base-36 sequence number, such as 0100A5,
2543 where every two digits are used to form a new directory, e.g.\&
2546 expanded to the invoking user's login name
2548 expanded to the name of the invoking user's real group ID
2549 .It Li %{runas_user}
2550 expanded to the login name of the user the command will
2551 be run as (e.g.\& root)
2552 .It Li %{runas_group}
2553 expanded to the group name of the user the command will
2554 be run as (e.g.\& wheel)
2556 expanded to the local host name without the domain name
2558 expanded to the base name of the command being run
2561 In addition, any escape sequences supported by the system's
2563 function will be expanded.
2565 To include a literal
2567 character, the string
2571 The path name, relative to
2573 in which to store input/output logs when the
2577 options are enabled or when the
2581 tags are present for a command.
2584 may contain directory components.
2590 option above for a list of supported percent
2594 In addition to the escape sequences, path names that end in six or
2599 replaced with a unique combination of digits and letters, similar to the
2603 If the path created by concatenating
2607 already exists, the existing I/O log file will be truncated and
2614 The default Solaris limit privileges to use when constructing a new
2615 privilege set for a command.
2616 This bounds all privileges of the executing process.
2617 The default limit privileges may be overridden on a per-command basis in
2619 This option is only available if
2621 is built on Solaris 10 or higher.
2623 Subject of the mail sent to the
2628 will expand to the host name of the machine.
2632 The maximum sequence number that will be substituted for the
2634 escape in the I/O log file (see the
2636 description above for more information).
2637 While the value substituted for
2641 itself should be expressed in decimal.
2642 Values larger than 2176782336 (which corresponds to the
2643 base 36 sequence number
2645 will be silently truncated to 2176782336.
2646 The default value is 2176782336.
2648 Once the local sequence number reaches the value of
2652 to zero, after which
2654 will truncate and re-use any existing I/O log pathnames.
2656 This setting is only supported by version 1.8.7 or higher.
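To make the iolog_dir and iolog_file escape expansion and the maxseq sequence-number handling above concrete, here is an added example (not the sudo project's own implementation) that expands the documented `%{...}` escapes, maps a sequence number to the two-digit base-36 directory layout (0100A5 becomes 01/00/A5), hands any other `%` escape to strftime, and wraps the sequence number at maxseq. Assumptions made for the example: sequence numbers are six base-36 digits wide, the wrap resets to zero exactly when the next value would reach maxseq, and `time.gmtime(0)` stands in for the current time so the result is reproducible; the `XXXXXX` suffix replacement mentioned on the page is not implemented here.

```python
import time

BASE36 = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
DEFAULT_MAXSEQ = 2176782336  # default maxseq given on the page (36 ** 6)


def seq_to_base36(seq, width=6):
    """Encode a sequence number as an upper-case base-36 string, zero-padded."""
    if seq < 0:
        raise ValueError("sequence number must be non-negative")
    digits = []
    while seq:
        seq, rem = divmod(seq, 36)
        digits.append(BASE36[rem])
    return "".join(reversed(digits)).rjust(width, "0")


def seq_to_dirs(seq):
    """%{seq}: every two base-36 digits form one directory level."""
    s = seq_to_base36(seq)
    return "/".join(s[i:i + 2] for i in range(0, len(s), 2))


def next_seq(current, maxseq=DEFAULT_MAXSEQ):
    """Advance the local sequence number.  maxseq is capped at the page's
    limit, and the counter resets to zero once it reaches maxseq (assumed
    wrap point for this example)."""
    maxseq = min(maxseq, DEFAULT_MAXSEQ)
    nxt = current + 1
    return 0 if nxt >= maxseq else nxt


def expand_iolog_path(template, seq, user, group, runas_user, runas_group,
                      hostname, command, now=None):
    """Expand the documented %{...} escapes, %% and strftime escapes."""
    subst = {
        "%{seq}": seq_to_dirs(seq),
        "%{user}": user,
        "%{group}": group,
        "%{runas_user}": runas_user,
        "%{runas_group}": runas_group,
        "%{hostname}": hostname,             # caller passes the short host name
        "%{command}": command.rsplit("/", 1)[-1],  # base name of the command
    }
    now = now if now is not None else time.localtime()
    out, i = [], 0
    while i < len(template):
        if template[i] != "%":
            out.append(template[i])
            i += 1
        elif template.startswith("%%", i):
            out.append("%")                   # literal percent sign
            i += 2
        elif template.startswith("%{", i) and "}" in template[i:]:
            end = template.index("}", i) + 1
            key = template[i:end]
            if key not in subst:
                raise ValueError("unknown escape " + key)
            out.append(subst[key])
            i = end
        elif i + 1 < len(template):
            out.append(time.strftime(template[i:i + 2], now))  # e.g. %Y, %m
            i += 2
        else:
            out.append("%")                   # lone trailing percent
            i += 1
    return "".join(out)
```

A template such as `%{user}/%{command}/%Y%m%d/%{seq}` therefore yields one directory per user and command, a date level, and the three-level sequence directories under that; `next_seq` shows why the sequence number, and not the date, is the only part that guarantees a fresh path.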
2660 version 1.8.1 this option is no longer supported.
2661 The path to the noexec file should now be set in the
2662 .Xr sudo.conf @mansectform@
2665 The default prompt to use when asking for a password; can be overridden via the
2669 environment variable.
2670 The following percent
2672 escape sequences are supported:
2675 expanded to the local host name including the domain name
2676 (only if the machine's host name is fully qualified or the
2680 expanded to the local host name without the domain name
2682 expanded to the user whose password is being asked for (respects the
2690 expanded to the login name of the user the command will
2691 be run as (defaults to root)
2693 expanded to the invoking user's login name
2697 characters are collapsed into a single
2702 The default value is
2703 .Dq Li @passprompt@ .
2705 The default Solaris privileges to use when constructing a new
2706 privilege set for a command.
2707 This is passed to the executing process via the inherited privilege set,
2708 but is bounded by the limit privileges.
2711 option is specified but the
2713 option is not, the limit privileges of the executing process are set to
2715 The default privileges may be overridden on a per-command basis in
2717 This option is only available if
2719 is built on Solaris 10 or higher.
2721 The default SELinux role to use when constructing a new security
2722 context to run the command.
2723 The default role may be overridden on a per-command basis in
2725 or via command line options.
2726 This option is only available when
2728 is built with SELinux support.
2730 The default user to run commands as if the
2732 option is not specified on the command line.
2734 .Li @runas_default@ .
2736 Syslog priority to use when a user authenticates unsuccessfully.
2740 The following syslog priorities are supported:
2751 Syslog priority to use when a user authenticates successfully.
2757 for the list of supported syslog priorities.
2759 Locale to use when parsing the sudoers file, logging commands, and
2761 Note that changing the locale may affect how sudoers is interpreted.
2765 The directory in which
2767 stores its time stamp files.
2771 The owner of the time stamp directory and the time stamps stored therein.
2775 The default SELinux type to use when constructing a new security
2776 context to run the command.
2777 The default type may be overridden on a per-command basis in
2779 or via command line options.
2780 This option is only available when
2782 is built with SELinux support.
2785 .Sy Strings that can be used in a boolean context :
2790 option specifies the fully qualified path to a file containing variables
2791 to be set in the environment of the program being run.
2792 Entries in this file should either be of the form
2793 .Dq Li VARIABLE=value
2795 .Dq Li export VARIABLE=value .
2796 The value may optionally be surrounded by single or double quotes.
2797 Variables in this file are subject to other
2799 environment settings such as
2804 Users in this group are exempt from password and PATH requirements.
2805 The group name specified should not include a
2808 This is not set by default.
2810 A string containing a
2812 group plugin with optional arguments.
2813 The string should consist of the plugin
2814 path, either fully-qualified or relative to the
2816 directory, followed by any configuration arguments the plugin requires.
2817 These arguments (if any) will be passed to the plugin's initialization function.
2818 If arguments are present, the string must be enclosed in double quotes
2821 For more information see
2822 .Xr "GROUP PROVIDER PLUGINS" .
2824 This option controls when a short lecture will be printed along with
2825 the password prompt.
2826 It has the following possible values:
2829 Always lecture the user.
2831 Never lecture the user.
2833 Only lecture the user the first time they run
2837 If no value is specified, a value of
2840 Negating the option results in a value of
2843 The default value is
2846 Path to a file containing an alternate
2848 lecture that will be used in place of the standard lecture if the named
2852 uses a built-in lecture.
2854 This option controls when a password will be required when a user runs
2859 It has the following possible values:
2864 entries for the current host must have
2867 flag set to avoid entering a password.
2869 The user must always enter a password to use the
2873 At least one of the user's
2875 entries for the current host
2878 flag set to avoid entering a password.
2880 The user need never enter a password to use the
2885 If no value is specified, a value of
2888 Negating the option results in a value of
2891 The default value is
2896 log file (not the syslog log file).
2897 Setting a path turns on logging to a file;
2898 negating this option turns it off.
2903 Flags to use when invoking the mailer. Defaults to
2906 Path to mail program used to send warning mail.
2907 Defaults to the path to sendmail found at configure time.
2909 Address to use for the
2911 address when sending warning and error mail.
2912 The address should be enclosed in double quotes
2919 Defaults to the name of the user running
2922 Address to send warning and error mail to.
2923 The address should be enclosed in double quotes
2933 Path used for every command run from
2935 If you don't trust the
2940 environment variable you may want to use this.
2941 Another use is if you want to have the
2943 be separate from the
2945 Users in the group specified by the
2947 option are not affected by
2949 This option is @secure_path@ by default.
2951 Syslog facility if syslog is being used for logging (negate to
2952 disable syslog logging).
2956 The following syslog facilities are supported:
2973 This option controls when a password will be required when a user runs
2978 It has the following possible values:
2983 entries for the current host must have the
2985 flag set to avoid entering a password.
2987 The user must always enter a password to use the
2991 At least one of the user's
2993 entries for the current host must have the
2995 flag set to avoid entering a password.
2997 The user need never enter a password to use the
3002 If no value is specified, a value of
3005 Negating the option results in a value of
3008 The default value is
3012 .Sy Lists that can be used in a boolean context :
3015 Environment variables to be removed from the user's environment if
3016 the variable's value contains
3021 This can be used to guard against printf-style format vulnerabilities
3022 in poorly-written programs.
3023 The argument may be a double-quoted, space-separated list or a
3024 single value without double-quotes.
3025 The list can be replaced, added to, deleted from, or disabled by using
3032 operators respectively.
3033 Regardless of whether the
3035 option is enabled or disabled, variables specified by
3037 will be preserved in the environment if they pass the aforementioned check.
3038 The default list of environment variables to check is displayed when
3045 Environment variables to be removed from the user's environment when the
3047 option is not in effect.
3048 The argument may be a double-quoted, space-separated list or a
3049 single value without double-quotes.
3050 The list can be replaced, added to, deleted from, or disabled by using the
3056 operators respectively.
3057 The default list of environment variables to remove is displayed when
3059 is run by root with the
3062 Note that many operating systems will remove potentially dangerous
3063 variables from the environment of any setuid process (such as
3066 Environment variables to be preserved in the user's environment when the
3068 option is in effect.
3069 This allows fine-grained control over the environment
3070 .Nm sudo Ns No -spawned
3071 processes will receive.
3072 The argument may be a double-quoted, space-separated list or a
3073 single value without double-quotes.
3074 The list can be replaced, added to, deleted from, or disabled by using the
3080 operators respectively.
3081 The default list of variables to keep
3084 is run by root with the
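The env_check, env_delete and env_keep descriptions above interact with env_reset in a way that is best seen on a concrete environment. This is an added example (not the sudo project's code) that applies those rules to a constructed caller environment. Assumptions: the characters that fail the env_check test are `%` and `/` (the sudoers rule; they are not visible in the extracted text above), list entries may use `*` wildcards as in `LC_*`, and the base variables that sudoers always adds to a reset environment are left out for brevity. The sample environment and variable values are constructed for the example.

```python
from fnmatch import fnmatchcase

# Characters that make an env_check variable fail the check (sudoers rule,
# assumed here because the characters are missing from the extracted page).
UNSAFE_CHARS = ("%", "/")

# Constructed caller environment; the values are deliberately varied so that
# each rule fires at least once.
SAMPLE_ENV = {
    "TERM": "xterm",
    "HOME": "/home/millert",
    "LANG": "en_US.UTF-8",
    "LC_TIME": "C",
    "TZ": "UTC",               # env_check variable with a safe value
    "COLORTERM": "%n%n",       # env_check variable with a printf-style value
    "LD_PRELOAD": "/tmp/x.so", # matched by env_delete
    "FOO": "bar",              # survives only when env_reset is off
}


def passes_check(value):
    """env_check test: the value must contain none of the unsafe characters."""
    return not any(ch in value for ch in UNSAFE_CHARS)


def matches_any(name, patterns):
    """Match a variable name against list entries, honouring '*' wildcards."""
    return any(fnmatchcase(name, p) for p in patterns)


def sanitize_env(env, env_reset=True, env_keep=(), env_check=(), env_delete=()):
    """Return the environment the command receives under the sudoers rules.

    - env_check variables are kept whether or not env_reset is set, but only
      if their value passes the check; otherwise they are removed.
    - with env_reset, only env_keep (and passing env_check) variables survive.
    - without env_reset, everything survives except env_delete variables and
      failing env_check variables.
    """
    result = {}
    for name, value in env.items():
        if matches_any(name, env_check):
            if passes_check(value):
                result[name] = value
            continue
        if env_reset:
            if matches_any(name, env_keep):
                result[name] = value
        elif not matches_any(name, env_delete):
            result[name] = value
    return result


POLICY = dict(env_keep=("TERM", "HOME", "LANG", "LC_*"),
              env_check=("TZ", "COLORTERM"),
              env_delete=("LD_*",))
```

Running `sanitize_env(SAMPLE_ENV, env_reset=True, **POLICY)` drops `COLORTERM` (failed check), `LD_PRELOAD` and `FOO` (not kept), while `sanitize_env(SAMPLE_ENV, env_reset=False, **POLICY)` still drops `COLORTERM` and `LD_PRELOAD` but passes `FOO` through, which is the difference the page's "regardless of whether env_reset is enabled" sentence is pointing at.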
3088 .Sh GROUP PROVIDER PLUGINS
3091 plugin supports its own plugin interface to allow non-Unix
3092 group lookups which can query a group source other
3093 than the standard Unix group database.
3094 This can be used to implement support for the
3096 syntax described earlier.
3098 Group provider plugins are specified via the
3103 should consist of the plugin path, either fully-qualified or relative to the
3105 directory, followed by any configuration options the plugin requires.
3106 These options (if specified) will be passed to the plugin's initialization
3108 If options are present, the string must be enclosed in double quotes
3111 The following group provider plugins are installed by default:
3116 plugin supports an alternate group file that uses the same syntax as the
3119 The path to the group file should be specified as an option
3121 For example, if the group file to be used is
3122 .Pa /etc/sudo-group :
3124 Defaults group_plugin="group_file.so /etc/sudo-group"
3129 plugin supports group lookups via the standard C library functions
3133 This plugin can be used in instances where the user belongs to
3134 groups not present in the user's supplemental group vector.
3135 This plugin takes no options:
3137 Defaults group_plugin=system_group.so
3141 The group provider plugin API is described in detail in
3142 .Xr sudo_plugin @mansectsu@ .
3145 can log events using either
3147 or a simple log file.
3148 In each case the log format is almost identical.
3149 .Ss Accepted command log entries
3150 Commands that sudo runs are logged using the following format (split
3151 into multiple lines for readability):
3152 .Bd -literal -offset 4n
3153 date hostname progname: username : TTY=ttyname ; PWD=cwd ; \e
3154 USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \e
3155 ENV=env_vars COMMAND=command
3158 Where the fields are as follows:
3161 The date the command was run.
3162 Typically, this is in the format
3163 .Dq MMM, DD, HH:MM:SS .
3166 the actual date format is controlled by the syslog daemon.
3167 If logging to a file and the
3170 the date will also include the year.
3172 The name of the host
3175 This field is only present when logging via
3178 The name of the program, usually
3182 This field is only present when logging via
3185 The login name of the user who ran
3188 The short name of the terminal (e.g.\&
3196 if there was no terminal present.
3198 The current working directory that
3202 The user the command was run as.
3204 The group the command was run as if one was specified on the command line.
3206 An I/O log identifier that can be used to replay the command's output.
3207 This is only present when the
3213 A list of environment variables specified on the command line,
3216 The actual command that was executed.
3219 Messages are logged using the locale specified by
3220 .Em sudoers_locale ,
3221 which defaults to the
3224 .Ss Denied command log entries
3225 If the user is not allowed to run the command, the reason for the denial
3226 will follow the user name.
3227 Possible reasons include:
3229 .It user NOT in sudoers
3230 The user is not listed in the
3233 .It user NOT authorized on host
3234 The user is listed in the
3236 file but is not allowed to run commands on the host.
3237 .It command not allowed
3238 The user is listed in the
3240 file for the host but they are not allowed to run the specified command.
3241 .It 3 incorrect password attempts
3242 The user failed to enter their password after 3 tries.
3243 The actual number of tries will vary based on the number of
3244 failed attempts and the value of the
3247 .It a password is required
3250 option was specified but a password was required.
3251 .It sorry, you are not allowed to set the following environment variables
3252 The user specified environment variables on the command line that
3256 .Ss Error log entries
3259 will log a message and, in most cases, send a message to the
3260 administrator via email.
3261 Possible errors include:
3263 .It parse error in @sysconfdir@/sudoers near line N
3265 encountered an error when parsing the specified file.
3266 In some cases, the actual error may be one line above or below the
3267 line number listed, depending on the type of error.
3268 .It problem with defaults entries
3271 file contains one or more unknown Defaults settings.
3272 This does not prevent
3274 from running, but the
3276 file should be checked using
3278 .It timestamp owner (username): \&No such user
3279 The time stamp directory owner, as specified by the
3281 setting, could not be found in the password database.
3282 .It unable to open/read @sysconfdir@/sudoers
3285 file could not be opened for reading.
3286 This can happen when the
3288 file is located on a remote file system that maps user ID 0 to
3294 using group permissions to avoid this problem.
3295 Consider either changing the ownership of
3296 .Pa @sysconfdir@/sudoers
3297 or adding an argument like
3301 is the user ID that owns the
3303 file) to the end of the
3307 .Xr sudo.conf @mansectform@
3309 .It unable to stat @sysconfdir@/sudoers
3311 .Pa @sysconfdir@/sudoers
3313 .It @sysconfdir@/sudoers is not a regular file
3315 .Pa @sysconfdir@/sudoers
3316 file exists but is not a regular file or symbolic link.
3317 .It @sysconfdir@/sudoers is owned by uid N, should be 0
3320 file has the wrong owner.
3321 If you wish to change the
3323 file owner, please add
3327 is the user ID that owns the
3333 .Xr sudo.conf @mansectform@
3335 .It @sysconfdir@/sudoers is world writable
3336 The permissions on the
3338 file allow all users to write to it.
3341 file must not be world-writable, the default file mode
3342 is 0440 (readable by owner and group, writable by none).
3343 The default mode may be changed via the
3349 .Xr sudo.conf @mansectform@
3351 .It @sysconfdir@/sudoers is owned by gid N, should be 1
3354 file has the wrong group ownership.
3355 If you wish to change the
3357 file group ownership, please add
3361 is the group ID that owns the
3367 .Xr sudo.conf @mansectform@
3369 .It unable to open @timedir@/username/ttyname
3371 was unable to read or create the user's time stamp file.
3372 .It unable to write to @timedir@/username/ttyname
3374 was unable to write to the user's time stamp file.
3375 .It unable to mkdir to @timedir@/username
3377 was unable to create the user's time stamp directory.
3379 .Ss Notes on logging via syslog
3389 fields are added by the syslog daemon, not
3392 As such, they may vary in format on different systems.
3396 has a relatively small log buffer.
3397 To prevent the command line arguments from being truncated,
3399 will split up log messages that are larger than 960 characters
3400 (not including the date, hostname, and the string
3402 When a message is split, additional parts will include the string
3403 .Dq Pq command continued
3404 after the user name and before the continued command line arguments.
3405 .Ss Notes on logging to a file
3410 will log to a local file, such as
3412 When logging to a file,
3414 uses a format similar to
3416 with a few important differences:
3423 fields are not present.
3428 the date will also include the year.
3430 Lines that are longer than
3432 characters (80 by default) are word-wrapped and continued on the
3433 next line with a four character indent.
3434 This makes entries easier to read for a human being, but makes it
3435 more difficult to use
3440 option is set to 0 (or negated with a
3442 word wrap will be disabled.
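The accepted and denied log entry formats, the syslog "(command continued)" split and the four-space word wrap of the file log described above all have to be undone by anything that consumes sudo logs, for instance a detection rule looking for denied commands. This is an added example (not code from the sudo project) that parses both forms. Assumptions: file-log lines look like the syslog lines with the hostname and progname fields dropped and a lone colon in their place, an optional four-digit year follows the time when log_year is set, wrapped lines are rejoined with a single space, and continued syslog parts are appended to the previous entry's command with a single space. All log lines below are constructed for the example.

```python
import re

CONTINUED = "(command continued) "

# Matches syslog lines ("hostname progname:" present) and file-log lines
# (assumed ": " in place of those two fields), with an optional year.
LINE_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?: \d{4})?) "
    r"(?:(?P<host>\S+) (?P<prog>[^\s:]+): |: )"
    r"(?P<user>\S+) : (?P<rest>.*)$"
)

# Constructed sample lines, not from a real system.
SAMPLE_SYSLOG = [
    "Jan  5 10:21:13 xyzzy sudo: millert : TTY=pts/0 ; PWD=/home/millert ; USER=root ; COMMAND=/usr/bin/id",
    "Jan  5 10:22:01 xyzzy sudo: bostley : command not allowed ; TTY=pts/1 ; PWD=/home/bostley ; USER=root ; COMMAND=/bin/sh",
    "Jan  5 10:23:40 xyzzy sudo: millert : TTY=pts/0 ; PWD=/tmp ; USER=root ; GROUP=wheel ; TSID=000001 ; ENV=FOO=bar COMMAND=/usr/bin/printf first part",
    "Jan  5 10:23:40 xyzzy sudo: millert : (command continued) second part",
]
SAMPLE_FILELOG = [
    "Jan  5 10:24:02 2024 : jwfox : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/jwfox ;",
    "    USER=root ; COMMAND=/usr/sbin/shutdown -h now",
]


def _parse_rest(rest):
    """Split 'KEY=value ; ... COMMAND=...' into fields; a leading chunk
    without '=' is the denial reason."""
    fields, reason = {}, None
    head, sep, command = rest.partition("COMMAND=")
    for chunk in head.split(" ; "):
        chunk = chunk.strip()
        if not chunk:
            continue
        key, eq, val = chunk.partition("=")
        if eq and key.isupper():
            fields[key] = val          # ENV=FOO=bar keeps its inner '='
        else:
            reason = chunk
    if sep:
        fields["COMMAND"] = command    # the command may itself contain ' ; '
    return fields, reason


def parse_sudo_log(lines):
    """Parse log lines into entries, rejoining wrapped and continued parts."""
    physical = []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("    ") and physical:
            physical[-1] += " " + line.strip()   # file-log word wrap
        else:
            physical.append(line)
    entries = []
    for line in physical:
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m["rest"]
        if rest.startswith(CONTINUED):
            # syslog split of an over-long message: extend the previous command
            if entries and entries[-1]["user"] == m["user"]:
                prev = entries[-1]["fields"]
                prev["COMMAND"] = prev.get("COMMAND", "") + " " + rest[len(CONTINUED):]
            continue
        fields, reason = _parse_rest(rest)
        entries.append({"date": m["date"], "host": m["host"], "prog": m["prog"],
                        "user": m["user"], "reason": reason, "fields": fields})
    return entries


def denied(entries):
    """Entries whose line carried a denial reason after the user name."""
    return [e for e in entries if e["reason"] is not None]
```

Because the command is cut off at the first `COMMAND=` rather than at `;`, arguments that contain semicolons survive intact, and because continued parts are matched on the user name, an unrelated line interleaved by syslog does not get glued onto the wrong entry.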
.Sh FILES
.Bl -tag -width 24n
.It Pa @sysconfdir@/sudo.conf
Sudo front end configuration
.It Pa @sysconfdir@/sudoers
List of who can run what
.It Pa /etc/netgroup
List of network groups
.It Pa @timedir@
Directory containing time stamps for the
.Nm
security policy
.It Pa /etc/environment
Initial environment for
.Fl i
mode on AIX and Linux systems
.El
.Sh EXAMPLES
Below are example
.Nm
entries.
Admittedly, some of these are a bit contrived.
First, we allow a few environment variables to pass and then define our
.Em aliases :
.Bd -literal -offset indent
# Run X applications through sudo; HOME is used to find the
# .Xauthority file. Note that other programs use HOME to find
# configuration files and this may lead to privilege escalation!
Defaults env_keep += "DISPLAY HOME"

# User alias specification
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
User_Alias WEBMASTERS = will, wendy, wim

# Runas alias specification
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
Runas_Alias ADMINGRP = adm, oper

# Host alias specification
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
           SGI = grolsch, dandelion, black :\e
           ALPHA = widget, thalamus, foobar :\e
           HPPA = boa, nag, python
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules

# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
                   /usr/sbin/restore, /usr/sbin/rrestore,\e
                   sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \e
                   /home/operator/bin/start_backups
Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt
Cmnd_Alias REBOOT = /usr/sbin/reboot
Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\e
                    /usr/local/bin/tcsh, /usr/bin/rsh,\e
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
.Ed
.Pp
Here we override some of the compiled in default values.
We want
.Nm sudo
to log via
.Xr syslog 3
using the
.Em auth
facility in all cases.
We don't want to subject the full time staff to the
.Nm sudo
lecture, user
.Em millert
need not give a password, and we don't want to reset the
.Ev LOGNAME ,
.Ev USER
or
.Ev USERNAME
environment variables when running commands as root.
Additionally, on the machines in the
.Em SERVERS
.Em Host_Alias ,
we keep an additional local log file and make sure we log the year
in each log line since the log entries will be kept around for several years.
Lastly, we disable shell escapes for the commands in the PAGERS
.Em Cmnd_Alias
.Pa ( /usr/bin/more , /usr/bin/pg
and
.Pa /usr/bin/less ) .
.Bd -literal -offset indent
# Override built-in defaults
Defaults               syslog=auth
Defaults>root          !set_logname
Defaults:FULLTIMERS    !lecture
Defaults:millert       !authenticate
Defaults@SERVERS       log_year, logfile=/var/log/sudo.log
Defaults!PAGERS        noexec
.Ed
.Pp
The
.Em User specification
is the part that actually determines who may run what.
.Bd -literal -offset indent
root       ALL = (ALL) ALL
%wheel     ALL = (ALL) ALL
.Ed
.Pp
We let
.Em root
and any user in group
.Em wheel
run any command on any host as any user.
.Bd -literal -offset indent
FULLTIMERS ALL = NOPASSWD: ALL
.Ed
.Pp
Full time sysadmins
.Pq Em millert , mikef , No and Em dowdy
may run any command on any host without authenticating themselves.
.Bd -literal -offset indent
PARTTIMERS ALL = ALL
.Ed
.Pp
Part time sysadmins
.Pq Em bostley , jwfox , No and Em crawl
may run any command on any host but they must authenticate themselves
first (since the entry lacks the
.Em NOPASSWD
tag).
3600 may run any command on the machines in the
3606 .Li 128.138.242.0 ) .
3607 Of those networks, only
3609 has an explicit netmask (in CIDR notation) indicating it is a class C network.
3610 For the other networks in
3612 the local machine's netmask will be used during matching.
3619 may run any command on any host in the
3621 alias (the class B network
.Bd -literal -offset indent
operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e
               sudoedit /etc/printcap, /usr/oper/bin/
.Ed
.Pp
The
.Em operator
user may run commands limited to simple maintenance.
Here, those are commands related to backups, killing processes, the
printing system, shutting down the system, and any commands in the
directory
.Pa /usr/oper/bin/ .
Note that one command in the
.Em DUMPS
Cmnd_Alias includes a sha224 digest,
.Pa /home/operator/bin/start_backups .
This is because the directory containing the script is writable by the
operator user.
If the script is modified (resulting in a digest mismatch) it will no longer
be possible to run it via
.Nm sudo .
.Bd -literal -offset indent
joe    ALL = /usr/bin/su operator
.Ed
.Pp
The user
.Em joe
may only
.Xr su 1
to operator.
.Bd -literal -offset indent
pete   HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root

%opers ALL = (: ADMINGRP) /usr/sbin/
.Ed
.Pp
The user
.Em pete
is allowed to change anyone's password except for
.Em root
on the
.Em HPPA
machines.
Note that this assumes
.Xr passwd 1
does not take multiple user names on the command line.
Users in the
.Em opers
group may run commands in
.Pa /usr/sbin/
as themselves with any group in the
.Em ADMINGRP
.Em Runas_Alias
(the
.Em adm
and
.Em oper
groups).
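.Pp
The digest in the
.Em DUMPS
alias above is the base64 encoding of the SHA-224 hash of the script's
contents; a hex encoding is also accepted.
The following Python is an added example, not part of the sudo project, that
produces such a
.Dq Li algo:digest
prefix for a file and verifies a file against one, denying on any mismatch
the way
.Nm
does.
The supported algorithm names and digest lengths are the standard ones; the
fixture helper is an assumption of the example.

```python
import base64
import hashlib
import hmac
import os
import tempfile

# Digest types sudoers accepts and their raw lengths in bytes.
SUDOERS_DIGESTS = {"sha224": 28, "sha256": 32, "sha384": 48, "sha512": 64}


def sudoers_digest(path, algo="sha224", encoding="base64"):
    """Return an 'algo:digest' Cmnd prefix for the file at PATH (base64 or hex)."""
    if algo not in SUDOERS_DIGESTS:
        raise ValueError(f"unsupported digest type: {algo}")
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    raw = h.digest()
    enc = base64.b64encode(raw).decode("ascii") if encoding == "base64" else raw.hex()
    return f"{algo}:{enc}"


def verify_digest(path, spec):
    """True only if the file at PATH matches SPEC ('algo:digest', hex or base64).

    Hex and base64 forms have different lengths for every supported algorithm,
    so the encoding can be inferred; anything malformed is treated as a mismatch.
    """
    algo, _, digest = spec.partition(":")
    raw_len = SUDOERS_DIGESTS.get(algo)
    if raw_len is None:
        return False
    try:
        if len(digest) == 2 * raw_len:
            expected = bytes.fromhex(digest)
        else:
            expected = base64.b64decode(digest, validate=True)
    except ValueError:            # binascii.Error is a ValueError subclass
        return False
    if len(expected) != raw_len:
        return False
    actual = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            actual.update(chunk)
    return hmac.compare_digest(expected, actual.digest())


def make_sample_script(content):
    """Constructed fixture: a throwaway file standing in for start_backups."""
    fd, path = tempfile.mkstemp(prefix="start_backups_")
    os.write(fd, content)
    os.close(fd)
    return path


if __name__ == "__main__":
    script = make_sample_script(b"#!/bin/sh\nexec /usr/sbin/dump 0uf /dev/nst0 /\n")
    spec = sudoers_digest(script)
    print(f"Cmnd_Alias DUMPS = {spec} {script}")
    print("matches:", verify_digest(script, spec))
    with open(script, "ab") as f:      # tamper with the script
        f.write(b"/bin/sh\n")
    print("after modification:", verify_digest(script, spec))
```

The check hashes the file the rule names; a user who can write the script
can only change it at the cost of the rule no longer matching, which is the
property the text relies on.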
.Bd -literal -offset indent
bob    SPARC = (OP) ALL : SGI = (OP) ALL
.Ed
.Pp
The user
.Em bob
may run anything on the
.Em SPARC
and
.Em SGI
machines as any user listed in the
.Em OP
.Em Runas_Alias
(root and operator.)
3706 may run any command on machines in the
3712 is a netgroup due to the
.Bd -literal -offset indent
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
.Ed
.Pp
Users in the
.Em secretaries
netgroup need to help manage the printers as well as add and remove users,
so they are allowed to run those commands on all machines.
.Bd -literal -offset indent
fred   ALL = (DB) NOPASSWD: ALL
.Ed
.Pp
The user
.Em fred
can run commands as any user in the
.Em DB
.Em Runas_Alias
(oracle or sybase)
without giving a password.
.Bd -literal -offset indent
john   ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
.Ed
.Pp
On the
.Em ALPHA
machines, user
.Em john
may su to anyone except root but he is not allowed to specify any options
to the
.Xr su 1
command.
Note that a wildcard in an argument pattern is matched against the whole
argument string, spaces included, so
.Ql [!-]*
only constrains the first character of the arguments; a command line such as
.Ql su bob -c /bin/sh
still matches the first entry.
The negated entry likewise only rejects argument strings that contain
.Ql root .
.Bd -literal -offset indent
jen    ALL, !SERVERS = ALL
.Ed
.Pp
The user
.Em jen
may run any command on any machine except for those in the
.Em SERVERS
.Em Host_Alias
(master, mail, www and ns).
.Bd -literal -offset indent
jill   SERVERS = /usr/bin/, !SU, !SHELLS
.Ed
.Pp
For any machine in the
.Em SERVERS
.Em Host_Alias ,
.Em jill
may run
any commands in the directory
.Pa /usr/bin/
except for those commands
belonging to the
.Em SU
and
.Em SHELLS
.Em Cmnd_Aliases .
Since
.Pa /usr/bin/
also holds editors and pagers that offer shell escapes, the negated entries
are advisory at best (see the section on limitations of the
.Ql \&!
operator below).
.Bd -literal -offset indent
steve  CSNETS = (operator) /usr/local/op_commands/
.Ed
.Pp
The user
.Em steve
may run any command in the directory /usr/local/op_commands/
but only as user operator.
.Bd -literal -offset indent
matt   valkyrie = KILL
.Ed
.Pp
On his personal workstation, valkyrie,
.Em matt
needs to be able to kill hung processes.
.Bd -literal -offset indent
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
.Ed
.Pp
On the host www, any user in the
.Em WEBMASTERS
.Em User_Alias
(will, wendy, and wim), may run any command as user www (which owns the
web pages) or simply
.Xr su 1
to www.
.Bd -literal -offset indent
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
            /sbin/mount -o nosuid\e,nodev /dev/cd0a /CDROM
.Ed
.Pp
Any user may mount or unmount a CD-ROM on the machines in the CDROM
.Em Host_Alias
(orion, perseus, hercules) without entering a password.
This is a bit tedious for users to type, so it is a prime candidate
for encapsulating in a shell script.
.Ss Limitations of the So !\& Sc operator
It is generally not effective to
.Dq subtract
commands from
.Em ALL
using the
.Ql \&!
operator.
A user can trivially circumvent this by copying the desired command
to a different name and then executing that.
For example:
.Bd -literal -offset indent
bill   ALL = ALL, !SU, !SHELLS
.Ed
.Pp
Doesn't really prevent
.Em bill
from running the commands listed in
.Em SU
or
.Em SHELLS
since he can simply copy those commands to a different name, or use
a shell escape from an editor or other program.
Therefore, this kind of restriction should be considered
advisory at best (and reinforced by policy).
.Pp
In general, if a user has sudo
.Em ALL
there is nothing to prevent them from creating their own program that gives
them a root shell (or making their own copy of a shell) regardless of any
.Ql \&!
elements in the user specification.
.Ss Security implications of Em fast_glob
If the
.Em fast_glob
option is in use, it is not possible to reliably negate commands where the
path name includes globbing (aka wildcard) characters.
This is because the C library's
.Xr fnmatch 3
function cannot resolve relative paths.
While this is typically only an inconvenience for rules that grant privileges,
it can result in a security issue for rules that subtract or revoke privileges.
.Pp
For example, given the following
.Em sudoers
entry:
.Bd -literal -offset indent
john   ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\e
             /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
.Ed
.Pp
User
.Em john
can still run
.Li /usr/bin/passwd root
if
.Em fast_glob
is enabled by changing to
.Pa /usr/bin
and running
.Li ./passwd root
instead: the non-wildcard entries still match the executable itself, but
the negated wildcard entry is compared textually against the path as typed,
.Li ./passwd ,
which never matches
.Li /usr/bin/* .
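.Pp
Both failure modes, the copy-to-another-name bypass of
.Ql \&!
and the relative-path bypass under
.Em fast_glob ,
come down to how each Cmnd entry is compared against what the user typed.
The following Python is an added model of that comparison, not sudo's own
matching code: plain paths are compared by inode, wildcard paths by
.Xr glob 3
expansion plus inode comparison in the normal mode, or by
.Xr fnmatch 3
on the typed string when
.Em fast_glob
is in effect, and the last matching entry wins.
It builds a throwaway directory standing in for
.Pa /usr/bin
(an assumption of the example) and re-runs the
.Em john
and
.Em bill
entries from the text against it.

```python
import fnmatch
import glob
import os
import shutil
import tempfile

GLOB_CHARS = set("*?[")


def _same_file(a, b):
    """sudoers' comparison for plain paths: both names must refer to one inode."""
    try:
        sa, sb = os.stat(a), os.stat(b)
    except OSError:
        return False
    return (sa.st_dev, sa.st_ino) == (sb.st_dev, sb.st_ino)


def _cmnd_matches(spec, user_cmnd, user_args, cwd, fast_glob):
    """Does one Cmnd spec ('/path/pattern [arg pattern]') match what the user typed?"""
    if spec == "ALL":
        return True
    spec_path, _, spec_args = spec.partition(" ")
    # Argument patterns are fnmatch()ed against the arguments joined by spaces,
    # which is why '[a-z]*' or '*' can span several arguments.
    if spec_args and not fnmatch.fnmatchcase(" ".join(user_args), spec_args):
        return False
    # A relative command is stat()ed relative to the invoking directory, but the
    # string the user typed is kept as-is; simulated here without chdir().
    on_disk = user_cmnd if os.path.isabs(user_cmnd) else os.path.join(cwd, user_cmnd)
    if not (GLOB_CHARS & set(spec_path)):
        return _same_file(spec_path, on_disk)          # plain path: inode comparison
    if fast_glob:
        # fast_glob: fnmatch(3) on the typed string, never resolved.  Real sudo
        # passes FNM_PATHNAME so '*' cannot cross '/', which changes nothing here.
        return fnmatch.fnmatchcase(user_cmnd, spec_path)
    return any(_same_file(p, on_disk) for p in glob.glob(spec_path))  # glob(3), then inodes


def evaluate(rules, user_cmnd, user_args, cwd, fast_glob=False):
    """Apply a user's Cmnd list in order; a leading '!' negates and the last match wins."""
    allowed = False
    for spec in rules:
        negated = spec.startswith("!")
        if _cmnd_matches(spec.lstrip("!"), user_cmnd, user_args, cwd, fast_glob):
            allowed = not negated
    return allowed


def build_sandbox():
    """Constructed fixture: a throwaway /usr/bin lookalike plus a home directory
    holding a renamed copy of su (the 'copy it to a different name' trick)."""
    root = tempfile.mkdtemp(prefix="sudoers_match_")
    bindir = os.path.join(root, "usr", "bin")
    home = os.path.join(root, "home", "bill")
    os.makedirs(bindir)
    os.makedirs(home)
    for name in ("passwd", "chsh", "chfn", "su"):
        with open(os.path.join(bindir, name), "w") as f:
            f.write(f"#!/bin/sh\necho {name}\n")
    shutil.copy(os.path.join(bindir, "su"), os.path.join(home, "mysu"))
    return bindir, home


def john_rules(bindir):
    """The fast_glob entry from the text, with /usr/bin replaced by the sandbox."""
    return [f"{bindir}/passwd [a-zA-Z0-9]*", f"{bindir}/chsh [a-zA-Z0-9]*",
            f"{bindir}/chfn [a-zA-Z0-9]*", f"!{bindir}/* root"]


def bill_rules(bindir):
    """'bill ALL = ALL, !SU' from the text, with the SU alias expanded."""
    return ["ALL", f"!{bindir}/su"]


if __name__ == "__main__":
    bindir, home = build_sandbox()
    for fast in (False, True):
        for cmd in (f"{bindir}/passwd", "./passwd"):
            verdict = evaluate(john_rules(bindir), cmd, ["root"], bindir, fast)
            print(f"fast_glob={str(fast):5} {cmd} root -> {'ALLOWED' if verdict else 'denied'}")
    verdict = evaluate(bill_rules(bindir), f"{home}/mysu", [], home)
    print(f"bill runs copied su -> {'ALLOWED' if verdict else 'denied'}")
```

Running it shows the negation holding in every case except
.Li ./passwd root
with
.Em fast_glob ,
and the copied
.Li mysu
slipping past
.Li !SU
in either mode: a denied inode is not the same inode once the file is copied.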
.Ss Preventing shell escapes
Once
.Nm sudo
executes a program, that program is free to do whatever
it pleases, including run other programs.
This can be a security issue since it is not uncommon for a program to
allow shell escapes, which lets a user bypass
.Nm sudo Ns 's
access control and logging.
Common programs that permit shell escapes include shells (obviously),
editors, paginators, mail and terminal programs.
.Pp
There are two basic approaches to this problem:
.Bl -tag -width 8n
.It restrict
Avoid giving users access to commands that allow the user to run
arbitrary commands.
Many editors have a restricted mode where shell
escapes are disabled, though
.Nm sudoedit
is a better solution to
running editors via
.Nm sudo .
Due to the large number of programs that
offer shell escapes, restricting users to the set of programs that
do not is often unworkable.
.It noexec
Many systems that support shared libraries have the ability to
override default library functions by pointing an environment
variable (usually
.Ev LD_PRELOAD )
to an alternate shared library.
On such systems,
.Nm sudo Ns 's
.Em noexec
functionality can be used to prevent a program run by
.Nm sudo
from executing any other programs.
Note, however, that this applies only to native dynamically-linked
executables.
Statically-linked executables and foreign executables
running under binary emulation are not affected.
.Pp
The
.Em noexec
feature is known to work on SunOS, Solaris, *BSD,
Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and above.
It should be supported on most operating systems that support the
.Ev LD_PRELOAD
environment variable.
Check your operating system's manual pages for the dynamic linker
(usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
.Ev LD_PRELOAD
is supported.
.Pp
On Solaris 10 and higher,
.Em noexec
uses Solaris privileges instead of the
.Ev LD_PRELOAD
environment variable.
.Pp
To enable
.Em noexec
for a command, use the
.Em NOEXEC
tag as documented
in the User Specification section above.
Here is that example again:
.Bd -literal -offset indent
aaron  shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
.Ed
.Pp
This will prevent those two commands from
executing other commands (such as a shell).
If you are unsure whether or not your system is capable of supporting
.Em noexec
you can always just try it out and check whether shell escapes work when
.Em noexec
is enabled.
.El
.Pp
Note that restricting shell escapes is not a panacea.
Programs running as root are still capable of many potentially hazardous
operations (such as changing or overwriting files) that could lead
to unintended privilege escalation.
In the specific case of an editor, a safer approach is to give the
user permission to run
.Nm sudoedit .
.Ss Time stamp file checks
.Nm
will check the ownership of its time stamp directory
.Pq Pa @timedir@ No by default
and ignore the directory's contents if it is not owned by root or
if it is writable by a user other than root.
On systems that allow non-root users to give away files via
.Xr chown 2 ,
if the time stamp directory is located in a world-writable
directory (e.g.,
.Pa /tmp ) ,
it is possible for a user to create the time stamp directory before
.Nm sudo
is run.
However, because
.Nm
checks the ownership and mode of the directory and its
contents, the only damage that can be done is to
.Dq hide
files by putting them in the time stamp dir.
This is unlikely to happen since once the time stamp dir is owned by root
and inaccessible by any other user, the user placing files there would be
unable to get them back out.
.Pp
.Nm
will not honor time stamps set far in the future.
Time stamps with a date greater than current_time + 2 *
.Em TIMEOUT
will be ignored and
.Nm
will log and complain.
This is done to keep a user from creating his/her own time stamp with a
bogus date on systems that allow users to give away files if the time
stamp directory is located in a world-writable directory.
.Pp
On systems where the boot time is available,
.Nm
will ignore time stamps that date from before the machine booted.
.Pp
Since time stamp files live in the file system, they can outlive a
user's login session.
As a result, a user may be able to login, run a command with
.Nm sudo
after authenticating, logout, login again, and run
.Nm sudo
without authenticating so long as the time stamp file's modification
time is less than
.Em @timeout@
minutes (or whatever the timeout is set to in
.Nm ) .
When the
.Em tty_tickets
option is enabled, the time stamp has per-tty granularity but still
may outlive the user's session.
On Linux systems where the devpts filesystem is used, Solaris systems
with the devices filesystem, as well as other systems that utilize a
devfs filesystem that monotonically increase the inode number of devices
as they are created (such as Mac OS X),
.Nm
is able to determine when a tty-based time stamp file is stale and will
ignore it.
Administrators should not rely on this feature as it is not universally
available.
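.Pp
The order of the checks above matters: the future-date and pre-boot tests
reject a forged or stale stamp before the ordinary expiry test ever runs.
The following Python is an added illustration of that decision logic, not
sudo's own implementation.
It takes the stamp's modification time, the current time and the boot time
as plain epoch seconds, and treats the timeout the way
.Em timestamp_timeout
is documented: 0 always re-authenticates and a negative value never expires.
Whether a negative timeout also disables the future-date test is an
assumption of the example.

```python
def timestamp_state(mtime, now, timeout_secs, boot_time=None):
    """Classify a time stamp file's mtime: 'valid', 'expired', 'future' or 'pre-boot'.

    Hypothetical helper modelling the checks described above.  Sanity checks
    run before the expiry test so a planted stamp cannot buy more than the
    configured window; times are epoch seconds, timeout_secs follows
    timestamp_timeout (0 = always prompt, < 0 = never expire).
    """
    if timeout_secs == 0:
        return "expired"                         # every command requires a password
    if timeout_secs > 0 and mtime > now + 2 * timeout_secs:
        return "future"                          # logged and ignored as bogus
    if boot_time is not None and mtime < boot_time:
        return "pre-boot"                        # left over from before the last reboot
    if timeout_secs < 0 or now - mtime < timeout_secs:
        return "valid"
    return "expired"


def needs_password(mtime, now, timeout_secs, boot_time=None):
    """True if the user must authenticate again (anything but a valid stamp)."""
    return timestamp_state(mtime, now, timeout_secs, boot_time) != "valid"


if __name__ == "__main__":
    timeout = 5 * 60
    now, booted = 1_700_000_000, 1_699_990_000
    for label, mtime in [("fresh", now - 60), ("stale", now - 600),
                         ("bogus future", now + 3 * timeout), ("pre-boot", booted - 1)]:
        print(f"{label:13} -> {timestamp_state(mtime, now, timeout, booted)}")
```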
.Sh DEBUGGING
Versions 1.8.4 and higher of the
.Nm
plugin support a flexible debugging framework that can help track
down what the plugin is doing internally if there is a problem.
This can be configured in the
.Xr sudo.conf @mansectform@
file.
.Pp
The
.Nm
plugin uses the same debug flag format as the
.Nm sudo
front-end:
.Em subsystem Ns No @ Ns Em priority .
.Pp
The priorities used by
.Nm ,
in order of decreasing severity,
are:
.Em crit , err , warn , notice , diag , info , trace
and
.Em debug .
Each priority, when specified, also includes all priorities higher
than it.
For example, a priority of
.Em notice
would include debug messages logged at
.Em notice
and higher.
.Pp
The following subsystems are used by the
.Nm
plugin (among others):
.Bl -tag -width 10n
.It Em all
matches every subsystem
.It Em audit
BSM and Linux audit code
.It Em env
environment handling
.It Em match
matching of users, groups, hosts and netgroups in
.Nm
.It Em netif
network interface handling
.It Em nss
network service switch handling in
.Nm
.It Em pty
pseudo-tty related code
.It Em rbtree
redblack tree internals
.El
.Pp
For example:
.Bd -literal -offset indent
Debug sudo /var/log/sudo_debug match@info,nss@info
.Ed
.Pp
For more information, see the
.Xr sudo.conf @mansectform@
manual.
4134 .Xr sudo.conf @mansectform@ ,
4135 .Xr sudoers.ldap @mansectform@ ,
4136 .Xr sudo_plugin @mansectsu@ ,
4137 .Xr sudo @mansectsu@ ,
4138 .Xr visudo @mansectsu@
.Sh CAVEATS
The
.Nm
file should always be edited by the
.Nm visudo
command which locks the file and does grammatical checking.
It is imperative that
.Nm
be free of syntax errors since
.Nm sudo
will not run with a syntactically incorrect
.Nm
file.
.Pp
When using netgroups of machines (as opposed to users), if you
store fully qualified host names in the netgroup (as is usually the
case), you either need to have the machine's host name be fully qualified
as returned by the
.Nm hostname
command or use the
.Em fqdn
option in
.Nm .
4166 If you feel you have found a bug in
4168 please submit a bug report at http://www.sudo.ws/sudo/bugs/
4170 Limited free support is available via the sudo-users mailing list,
4171 see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
4172 search the archives.
4177 and any express or implied warranties, including, but not limited
4178 to, the implied warranties of merchantability and fitness for a
4179 particular purpose are disclaimed.
4180 See the LICENSE file distributed with
4182 or http://www.sudo.ws/sudo/license.html for complete details.