.\" Automatically generated from an mdoc input file. Do not edit.
.\" Copyright (c) 1994-1996, 1998-2005, 2007-2019
.\" Todd C. Miller <Todd.Miller@sudo.ws>
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" Sponsored in part by the Defense Advanced Research Projects
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.TH "SUDOERS" "@mansectform@" "March 4, 2019" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
\- default sudo security policy plugin
policy plugin determines a user's
The policy is driven by
\fI@sysconfdir@/sudoers\fR
file or, optionally, in LDAP.
The policy format is described in detail in the
\fISUDOERS FILE FORMAT\fR
For information on storing
sudoers.ldap(@mansectform@).
.SS "Configuring sudo.conf for sudoers"
sudo.conf(@mansectform@)
file to determine which policy and I/O logging plugins to load.
sudo.conf(@mansectform@)
file is present, or if it contains no
will be used for policy decisions and I/O logging.
To explicitly configure
sudo.conf(@mansectform@)
plugin, the following configuration can be used.
Plugin sudoers_policy sudoers.so
Plugin sudoers_io sudoers.so
1.8.5, it is possible to specify optional arguments to the
sudo.conf(@mansectform@)
These arguments, if present, should be listed after the path to the plugin
Multiple arguments may be specified, separated by white space.
Plugin sudoers_policy sudoers.so sudoers_mode=0400
The following plugin arguments are supported:
argument can be used to override the default path to the
argument can be used to override the default path to the
sudoers_file=pathname
argument can be used to override the default path to the
argument can be used to override the default owner of the sudoers file.
It should be specified as a numeric user ID.
argument can be used to override the default group of the sudoers file.
It must be specified as a numeric group ID (not a group name).
argument can be used to override the default file mode for the sudoers file.
It should be specified as an octal value.
For more information on configuring
sudo.conf(@mansectform@),
please refer to its manual.
.SS "User Authentication"
security policy requires that most users authenticate
themselves before they can use
A password is not required
if the invoking user is root, if the target user is the same as the
invoking user, or if the policy has disabled authentication for the
authentication, it validates the invoking user's credentials, not
the target user's (or root's) credentials.
This can be changed via
flags, described later.
If a user who is not listed in the policy tries to run a command
mail is sent to the proper authorities.
used for such mail is configurable via the
(described later) and defaults to
Note that no mail will be sent if an unauthorized user tries to run
option unless there is an authentication error and
determine for themselves whether or not they are allowed to use
will be logged, regardless of whether or not mail is sent.
is run by root and the
policy will use this value to determine who
This can be used by a user to log commands
through sudo even when a root shell has been invoked.
option to remain useful even when invoked via a
sudo-run script or program.
Note, however, that the
file lookup is still done for root, not the user specified by
uses per-user time stamp files for credential caching.
Once a user has been authenticated, a record is written
containing the user ID that was used to authenticate, the
terminal session ID, the start time of the session leader
(or parent process) and a time stamp
(using a monotonic clock if one is available).
The user may then use
without a password for a short period of time
minutes unless overridden by the
\fItimestamp_timeout\fR
uses a separate record for each terminal, which means that
a user's login sessions are authenticated separately.
option can be used to select the type of time stamp record
can log both successful and unsuccessful attempts (as well
but this is changeable via the
for a description of the log file format.
is also capable of running a command in a pseudo-tty and logging all
The standard input, standard output and standard error can be logged
even when not associated with a terminal.
I/O logging is not on by default but can be enabled using
options as well as the
for details on how I/O log files are stored.
.SS "Command environment"
Since environment variables can influence program behavior,
provides a means to restrict which variables from the user's
environment are inherited by the command to be run.
can deal with environment variables.
to be executed with a new, minimal environment.
systems without PAM), the environment is initialized with the
\fI/etc/environment\fR
option is enabled, the environment is initialized
\fI/etc/login.conf\fR.
The new environment contains the
in addition to variables from the invoking process permitted by the
This is effectively a whitelist
for environment variables.
The environment variables
are treated specially.
If one of them is preserved (or removed) from the user's environment, the other
are to be preserved but only one of them is present in the user's environment,
the other will be set to the same value.
This avoids an inconsistent environment where one of the variables
describing the user name is set to the invoking user and one is
set to the target user.
are removed unless both the name and value parts are matched by
as they may be interpreted as functions by the
Prior to version 1.8.11, such variables were always removed.
option is disabled, any variables not
explicitly denied by the
inherited from the invoking process.
behave like a blacklist.
Prior to version 1.8.21, environment variables with a value beginning with
Beginning with version 1.8.21, a pattern in
shell functions instead.
Since it is not possible
to blacklist all potentially dangerous environment variables, use
behavior is encouraged.
Environment variables specified by
may include one or more
characters which will match zero or more characters.
No other wildcard characters are supported.
By default, environment variables are matched by name.
However, if the pattern includes an equal sign
both the variable's name and value must match.
shell function could be matched as follows:
env_keep += "BASH_FUNC_my_func%%=()*"
suffix, this would not match, as
shell functions are not preserved by default.
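The pattern rules above (only "*" is a wildcard, a pattern containing "=" is matched against name=value, and a value beginning with "()" is kept only when both name and value match), re-implemented in Python as an added example. This is not sudo's own code; the sample environment and the helper names are constructed for illustration.

```python
import re


def _env_pattern_regex(pattern):
    """Build a regex for a sudoers env_keep/env_check pattern.
    Only '*' is a wildcard (zero or more characters); '?', '[' and
    everything else are literal, as the manual states."""
    parts = [".*" if ch == "*" else re.escape(ch) for ch in pattern]
    # DOTALL: exported shell functions contain newlines in their value.
    return re.compile("".join(parts) + r"\Z", re.DOTALL)


def env_pattern_matches(pattern, name, value):
    """A pattern without '=' is matched against the variable name only;
    a pattern containing '=' must match the whole 'name=value' string."""
    if "=" in pattern:
        return _env_pattern_regex(pattern).match(name + "=" + value) is not None
    return _env_pattern_regex(pattern).match(name) is not None


def looks_like_shell_function(value):
    """bash exports functions as variables whose value begins with '()'."""
    return value.startswith("()")


def filter_env_reset(environ, env_keep):
    """Whitelist behaviour with env_reset enabled: keep a variable only if
    an env_keep pattern matches it.  A value beginning with '()' is kept
    only when both its name and value are matched, i.e. by a pattern
    that contains '='."""
    kept = {}
    for name, value in environ.items():
        for pattern in env_keep:
            if not env_pattern_matches(pattern, name, value):
                continue
            if looks_like_shell_function(value) and "=" not in pattern:
                continue  # a name-only match is not enough for a function
            kept[name] = value
            break
    return kept


# Constructed example environment (not captured from a real system).
SAMPLE_ENV = {
    "HOME": "/home/alice",
    "LANG": "en_US.UTF-8",
    "LC_ALL": "C",
    "TMPDIR": "/var/tmp/alice",
    "BASH_FUNC_my_func%%": "() {  echo my_func\n}",
    "BASH_FUNC_other%%": "() {  echo other\n}",
}


def demo():
    """Return the variables kept under two env_keep lists: the manual's
    name=value pattern, and the same name without the '=()*' suffix."""
    with_value = filter_env_reset(
        SAMPLE_ENV, ["HOME", "LC_*", "BASH_FUNC_my_func%%=()*"])
    name_only = filter_env_reset(
        SAMPLE_ENV, ["HOME", "LC_*", "BASH_FUNC_my_func%%"])
    return sorted(with_value), sorted(name_only)


if __name__ == "__main__":
    print(demo())
```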
The complete list of environment variables that
allows or denies is contained in the output of
\(lq\fRsudo -V\fR\(rq
Please note that this list varies based on the operating system
On systems that support PAM where the
module is enabled for
variables in the PAM environment may be merged into the environment.
If a variable in the PAM environment is already present in the
user's environment, the value will only be overridden if the variable
is enabled, variables preserved from the invoking user's environment
list take precedence over those in the PAM environment.
is disabled, variables present in the invoking user's environment
take precedence over those in the PAM environment unless they
match a pattern in the
Note that the dynamic linker on most operating systems will remove
variables that can control dynamic linking from the environment of
setuid executables, including
Depending on the operating
system this may include
These types of variables are
removed from the environment before
even begins execution
and, as such, it is not possible for
As a special case, if
option (initial login) is
will initialize the environment regardless
variables remain unchanged;
are set based on the target user.
systems without PAM), the contents of
\fI/etc/environment\fR
\fI/etc/login.conf\fR
All other environment variables are removed unless permitted by
\fIrestricted_env_file\fR
files are applied, if present.
\fIrestricted_env_file\fR
are applied first and are subject to the same restrictions as the
invoking user's environment, as detailed above.
are applied last and are not subject to these restrictions.
In both cases, variables present in the files will only be set to
their specified values if they would not conflict with an existing
environment variable.
.SH "SUDOERS FILE FORMAT"
file is composed of two types of entries: aliases
(basically variables) and user specifications (which specify who
When multiple entries match for a user, they are applied in order.
Where there are multiple matches, the last match is used (which is
not necessarily the most specific match).
file grammar will be described below in Extended Backus-Naur
Don't despair if you are unfamiliar with EBNF; it is fairly simple,
and the definitions below are annotated.
.SS "Quick guide to EBNF"
EBNF is a concise and exact way of describing the grammar of a language.
Each EBNF definition is made up of
\fIproduction rules\fR.
\fRsymbol ::= definition\fR | \fRalternate1\fR | \fRalternate2 ...\fR
\fIproduction rule\fR
references others and thus makes up a
grammar for the language.
EBNF also contains the following
operators, which many readers will recognize from regular
Do not, however, confuse them with
characters, which have different meanings.
Means that the preceding symbol (or group of symbols) is optional.
That is, it may appear once or not at all.
Means that the preceding symbol (or group of symbols) may appear
Means that the preceding symbol (or group of symbols) may appear
Parentheses may be used to group symbols together.
we will use single quotes
to designate what is a verbatim character string (as opposed to a symbol name).
There are four kinds of aliases:
Alias ::= 'User_Alias' User_Alias_Spec (':' User_Alias_Spec)* |
'Runas_Alias' Runas_Alias_Spec (':' Runas_Alias_Spec)* |
'Host_Alias' Host_Alias_Spec (':' Host_Alias_Spec)* |
'Cmnd_Alias' Cmnd_Alias_Spec (':' Cmnd_Alias_Spec)*
User_Alias_Spec ::= User_Alias '=' User_List
Runas_Alias_Spec ::= Runas_Alias '=' Runas_List
Host_Alias_Spec ::= Host_Alias '=' Host_List
Cmnd_Alias_Spec ::= Cmnd_Alias '=' Cmnd_List
NAME ::= [A-Z]([A-Z][0-9]_)*
definition is of the form
Alias_Type NAME = item1, item2, ...
is a string of uppercase letters, numbers,
and underscore characters
It is possible to put several alias definitions
of the same type on a single line, joined by a colon
Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
It is a syntax error to redefine an existing
It is possible to use the same name for
of different types, but this is not recommended.
The definitions of what constitutes a valid
User ::= '!'* user name |
'!'* %:nonunix_group |
'!'* %:#nonunix_gid |
is made up of one or more user names, user IDs
system group names and IDs (prefixed with
respectively), netgroups (prefixed with
non-Unix group names and IDs (prefixed with
Each list item may be prefixed with zero or more
operators negate the value of
the item; an even number just cancel each other out.
User netgroups are matched using the user and domain members only;
the host member is not used when matching.
may be enclosed in double quotes to avoid the
need for escaping special characters.
Alternately, special characters
may be specified in escaped hex mode, e.g., \ex20 for space.
using double quotes, any prefix characters must be included inside
the underlying group provider plugin.
For instance, the QAS AD plugin supports the following formats:
Group in the same domain: "%:Group Name"
Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
\fIGROUP PROVIDER PLUGINS\fR
for more information.
Note that quotes around group names are optional.
Unquoted strings must use a backslash
to escape spaces and special characters.
\fIOther special characters and reserved words\fR
characters that need to be escaped.
Runas_List ::= Runas_Member |
Runas_Member ',' Runas_List
Runas_Member ::= '!'* user name |
'!'* %:nonunix_group |
'!'* %:#nonunix_gid |
user names and groups are matched as strings.
users (groups) with the same uid (gid) are considered to be distinct.
If you wish to match all user names with the same uid (e.g.,
root and toor), you can use a uid instead (#0 in the example given).
Host ::= '!'* host name |
'!'* network(/netmask)? |
is made up of one or more host names, IP addresses,
network numbers, netgroups (prefixed with
Again, the value of an item may be negated with the
Host netgroups are matched using the host (both qualified and unqualified)
and domain members only; the user member is not used when matching.
If you specify a network number without a netmask,
will query each of the local host's network interfaces and,
if the network number corresponds to one of the host's network
interfaces, will use the netmask of that interface.
The netmask may be specified either in standard IP address notation
(e.g., 255.255.255.0 or ffff:ffff:ffff:ffff::),
or CIDR notation (number of bits, e.g., 24 or 64).
A host name may include shell-style wildcards (see the
command on your machine returns the fully
qualified host name, you'll need to use the
option for wildcards to be useful.
only inspects actual network interfaces; this means that IP address
127.0.0.1 (localhost) will never match.
will only match if that is the actual host name, which is usually
only the case for non-networked systems.
digest ::= [A-Fa-f0-9]+ |
Digest_Spec ::= "sha224" ':' digest |
"sha256" ':' digest |
"sha384" ':' digest |
command name ::= file name |
Cmnd ::= Digest_Spec? '!'* command name |
is a list of one or more command names, directories, and other aliases.
A command name is a fully qualified file name which may include
shell-style wildcards (see the
A simple file name allows the user to run the command with any
arguments he/she wishes.
However, you may also specify command line arguments (including
Alternately, you can specify
to indicate that the command
command line arguments.
fully qualified path name ending in a
When you specify a directory in a
the user will be able to run any file within that directory
(but not in any sub-directories therein).
has associated command line arguments, then the arguments
must match exactly those given by the user on the command line
(or match the wildcards if there are any).
Note that the following characters must be escaped with a
if they are used in command arguments:
\(lq\fRsudoedit\fR\(rq
is used to permit a user to run
It may take command line arguments just as a normal command does.
\(lq\fRsudoedit\fR\(rq
is a command built into
itself and must be specified in the
file without a leading path.
the command will only match successfully if it can be verified
using the specified SHA-2 digest.
The following digest formats are supported: sha224, sha256, sha384 and sha512.
The string may be specified in either hex or base64 format
(base64 is more compact).
There are several utilities capable of generating SHA-2 digests in hex
format such as openssl, shasum, sha224sum, sha256sum, sha384sum, sha512sum.
For example, using openssl:
$ openssl dgst -sha224 /bin/ls
SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25
It is also possible to use openssl to generate base64 output:
$ openssl dgst -binary -sha224 /bin/ls | openssl base64
EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
Warning: if the user has write access to the command itself (directly or via a
command), it may be possible for the user to replace the command after the
digest check has been performed but before the command is executed.
A similar race condition exists on systems that lack the
system call when the directory in which the command is located
is writable by the user.
See the description of the
setting for more information on how
executes commands that have an associated digest.
Command digests are only supported by version 1.8.7 or higher.
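How a Digest_Spec is parsed (hex or base64, for all four SHA-2 sizes) and checked against a file, as an added Python example that is not sudo's own code. It hashes the open descriptor rather than the path, which is the shape of the fexecve()-based mitigation for the race described above; the throwaway script in demo() is constructed for the self-check.

```python
import base64
import hashlib
import hmac
import os
import tempfile

# Digest sizes in bytes for the four SHA-2 variants sudoers accepts.
DIGEST_SIZES = {"sha224": 28, "sha256": 32, "sha384": 48, "sha512": 64}


def parse_digest_spec(spec):
    """Parse 'sha224:<digest>' where <digest> is hex or base64.
    For every algorithm the hex form is exactly twice the digest size
    and the base64 form is shorter, so the length picks the decoder."""
    algo, sep, text = spec.partition(":")
    if not sep or algo not in DIGEST_SIZES:
        raise ValueError("unsupported digest spec: %r" % spec)
    size = DIGEST_SIZES[algo]
    text = text.strip()
    if len(text) == 2 * size:
        raw = bytes.fromhex(text)                    # e.g. sha224sum / openssl dgst
    else:
        raw = base64.b64decode(text, validate=True)  # e.g. openssl base64
    if len(raw) != size:
        raise ValueError("digest length does not match %s" % algo)
    return algo, raw


def open_if_digest_matches(path, spec):
    """Open the command, hash the open descriptor and return the fd on a
    match (None otherwise).  Hashing the descriptor that would later be
    handed to fexecve() removes the window between the digest check and
    execution; hashing by path and then executing by path does not."""
    algo, expected = parse_digest_spec(spec)
    fd = os.open(path, os.O_RDONLY)
    h = hashlib.new(algo)
    with open(fd, "rb", closefd=False) as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    if not hmac.compare_digest(h.digest(), expected):
        os.close(fd)
        return None
    return fd


def demo():
    """Constructed self-check: hash a throwaway script, then verify it
    against its hex form, its base64 form and a wrong digest."""
    body = b"#!/bin/sh\necho hello\n"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(body)
        path = tmp.name
    try:
        raw = hashlib.sha224(body).digest()
        specs = [
            "sha224:" + raw.hex(),
            "sha224:" + base64.b64encode(raw).decode(),
            "sha224:" + "00" * 28,
        ]
        results = []
        for spec in specs:
            fd = open_if_digest_matches(path, spec)
            results.append(fd is not None)
            if fd is not None:
                os.close(fd)
        return results
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```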
Certain configuration options may be changed from their default
values at run-time via one or more
These may affect all users on any host, all users on a specific host, a
specific user, a specific command, or commands being run as a specific user.
Note that per-command entries may not include command line arguments.
If you need to specify arguments, define a
Default_Type ::= 'Defaults' |
'Defaults' '@' Host_List |
'Defaults' ':' User_List |
'Defaults' '!' Cmnd_List |
'Defaults' '>' Runas_List
Default_Entry ::= Default_Type Parameter_List
Parameter_List ::= Parameter |
Parameter ',' Parameter_List
Parameter ::= Parameter '=' Value |
Parameter '+=' Value |
Parameter '-=' Value |
Flags are implicitly boolean and can be turned off via the
Some integer, string and list parameters may also be
used in a boolean context to disable them.
Values may be enclosed
when they contain multiple words.
Special characters may be escaped with a backslash
Lists have two additional assignment operators,
These operators are used to add to and delete from a list respectively.
It is not an error to use the
operator to remove an element
that does not exist in a list.
Defaults entries are parsed in the following order: generic, host,
user and runas Defaults first, then command defaults.
If there are multiple Defaults settings of the same type, the last
matching setting is used.
The following Defaults settings are parsed before all others since
they may affect subsequent entries:
\fIrunas_default\fR,
\fIsudoers_locale\fR.
\fISUDOERS OPTIONS\fR
for a list of supported Defaults parameters.
.SS "User specification"
User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
(':' Host_List '=' Cmnd_Spec_List)*
Cmnd_Spec_List ::= Cmnd_Spec |
Cmnd_Spec ',' Cmnd_Spec_List
Cmnd_Spec ::= Runas_Spec? Option_Spec* Tag_Spec* Cmnd
Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
.ie \n(PS Option_Spec ::= (SELinux_Spec | Solaris_Priv_Spec | Date_Spec | Timeout_Spec)
.el Option_Spec ::= (SELinux_Spec | Date_Spec | Timeout_Spec)
.ie \n(PS Option_Spec ::= (Solaris_Priv_Spec | Date_Spec | Timeout_Spec)
.el Option_Spec ::= (Date_Spec | Timeout_Spec)
SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
Date_Spec ::= ('NOTBEFORE=timestamp' | 'NOTAFTER=timestamp')
Timeout_Spec ::= 'TIMEOUT=timeout'
Tag_Spec ::= ('EXEC:' | 'NOEXEC:' | 'FOLLOW:' | 'NOFOLLOW:' |
'LOG_INPUT:' | 'NOLOG_INPUT:' | 'LOG_OUTPUT:' |
'NOLOG_OUTPUT:' | 'MAIL:' | 'NOMAIL:' | 'PASSWD:' |
'NOPASSWD:' | 'SETENV:' | 'NOSETENV:')
\fBuser specification\fR
determines which commands a user may run
(and as what user) on specified hosts.
By default, commands are
but this can be changed on a per-command basis.
The basic structure of a user specification is
\(lqwho where = (as_whom) what\(rq.
Let's break that down into its constituent parts:
determines the user and/or the group that a command
(as defined above) separated by a colon
and enclosed in a set of parentheses.
which users the command may be run as via
The second defines a list of groups that can be specified via
option in addition to any of the target user's groups.
are specified, the command may be run with any combination of users
and groups listed in their respective
If only the first is specified, the command may be run as any user
second is specified, the command may be run as the invoking user
with the group set to any listed in the
are empty, the command may only be run as the invoking user.
is specified the command may be run as
no group may be specified.
sets the default for the commands that follow it.
What this means is that for the entry:
dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
$ sudo -u operator /bin/ls
It is also possible to override a
later on in an entry.
If we modify the entry like so:
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
is now allowed to run
We can extend this to allow
the user or group set to
dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\e
Note that while the group portion of the
user to run a command with that group, it does not force the user
If no group is specified on the command line, the command
will run with the group listed in the target user's password database
The following would all be permitted by the sudoers entry above:
$ sudo -u operator /bin/ls
$ sudo -u operator -g operator /bin/ls
$ sudo -g operator /bin/ls
In the following example, user
may run commands that access
a modem device file with the dialer group.
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\e
/usr/local/bin/minicom
Note that in this example only the group will be set, the command
$ sudo -g dialer /usr/bin/cu
Multiple users and groups may be present in a
in which case the user may select any combination of users and groups via the
alan ALL = (root, bin : operator, system) ALL
may run any command as either user root or bin,
optionally setting the group to operator or system.
may have zero or more options associated with it.
Options may consist of
SELinux roles and/or types,
Solaris privilege sets,
start and/or end dates and command timeouts.
Once an option is set for a
\fRCmnd_Spec_List\fR,
inherit that option unless it is overridden by another option.
On systems with SELinux support,
file entries may optionally have an SELinux role and/or type associated
type is specified with the command it will override any default values
A role or type specified on the command line,
however, will supersede the values in
.SS "Solaris_Priv_Spec"
file entries may optionally specify Solaris privilege set and/or limit
privilege set associated with a command.
If privileges or limit privileges are specified with the command
it will override any default values specified in
A privilege set is a comma-separated list of privilege names.
command can be used to list all privileges known to the system.
In addition, there are several
the set of all privileges
the set of all privileges available in the current zone
the default set of privileges normal users are granted at login time
Privileges can be excluded from a set by prefixing the privilege
rules can be specified with a start and end date via the
The time stamp must be specified in
\fIGeneralized Time\fR
as defined by RFC 4517.
The format is effectively
\fRyyyymmddHHMMSSZ\fR
where the minutes and seconds are optional.
suffix indicates that the time stamp is in Coordinated Universal Time (UTC).
It is also possible to specify a timezone offset from UTC in hours
and minutes instead of a
would correspond to Eastern Standard time in the US.
As an extension, if no
or timezone offset is specified, local time will be used.
The following are all valid time stamps:
A command may have a timeout associated with it.
If the timeout expires before the command has exited, the
command will be terminated.
The timeout may be specified in combinations of days, hours,
minutes and seconds with a single-letter case-insensitive suffix
that indicates the unit of time.
For example, a timeout of 7 days, 8 hours, 30 minutes and
10 seconds would be written as
If a number is specified without a unit, seconds are assumed.
Any of the days, minutes, hours or seconds may be omitted.
The order must be from largest to smallest unit and a unit
may not be specified more than once.
The following are all
This option is only supported by version 1.8.20 or higher.
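Parsers for the Date_Spec and Timeout_Spec values described above (Generalized Time with optional minutes, seconds, "Z" or an hhmm offset, and the d/h/m/s timeout syntax with its ordering and no-repeat rules), as an added Python example rather than sudo's own parser. The time stamps in the comments are constructed; rule_active_at() and its string arguments are an assumed helper for checking NOTBEFORE/NOTAFTER.

```python
import re
from datetime import datetime, timedelta, timezone

# TIMEOUT=...: optional d, h, m, s fields, largest unit first, each at most
# once, single-letter case-insensitive suffixes.  The anchored regex encodes
# the ordering and no-repeat rules directly, so "10s5m" or "1d1d" fail.
_TIMEOUT_RE = re.compile(
    r"\A(?:(\d+)[dD])?(?:(\d+)[hH])?(?:(\d+)[mM])?(?:(\d+)[sS])?\Z")


def parse_timeout(text):
    """Return the timeout in seconds; a bare number means seconds."""
    if text.isdigit():
        return int(text)
    m = _TIMEOUT_RE.match(text)
    if not m or not any(m.groups()):
        raise ValueError("invalid timeout: %r" % text)
    days, hours, minutes, seconds = (int(g) if g else 0 for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def timeout_is_valid(text):
    """True when parse_timeout() accepts the value."""
    try:
        parse_timeout(text)
        return True
    except ValueError:
        return False


# NOTBEFORE=/NOTAFTER=: Generalized Time yyyymmddHH[MM[SS]] followed by 'Z',
# a +hhmm/-hhmm offset, or nothing at all (sudoers extension: local time).
_GENTIME_RE = re.compile(
    r"\A(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})?(\d{2})?(Z|[+-]\d{4})?\Z")


def parse_generalized_time(text):
    """Return an aware datetime for 'Z' or an offset, a naive one for local time.
    e.g. '20170214083000Z', '2017021408Z', '20170214083000-0500' (constructed)."""
    m = _GENTIME_RE.match(text)
    if not m:
        raise ValueError("invalid Generalized Time: %r" % text)
    year, month, day, hour = (int(x) for x in m.groups()[:4])
    minute = int(m.group(5) or 0)
    second = int(m.group(6) or 0)
    zone = m.group(7)
    if zone is None:
        tz = None
    elif zone == "Z":
        tz = timezone.utc
    else:
        sign = 1 if zone[0] == "+" else -1
        tz = timezone(sign * timedelta(hours=int(zone[1:3]),
                                       minutes=int(zone[3:5])))
    return datetime(year, month, day, hour, minute, second, tzinfo=tz)


def _as_aware(ts):
    # Naive (local-time) stamps are interpreted in the system time zone.
    return ts if ts.tzinfo is not None else ts.astimezone()


def rule_active_at(notbefore, notafter, now):
    """Evaluate NOTBEFORE/NOTAFTER (either may be None) at time 'now';
    all three arguments are Generalized Time strings."""
    t = _as_aware(parse_generalized_time(now))
    if notbefore is not None and t < _as_aware(parse_generalized_time(notbefore)):
        return False
    if notafter is not None and t > _as_aware(parse_generalized_time(notafter)):
        return False
    return True
```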
A command may have zero or more tags associated with it.
The following tag values are supported:
Once a tag is set on a
\fRCmnd_Spec_List\fR,
inherit the tag unless it is overridden by the opposite tag (in other words,
\fIEXEC\fR and \fINOEXEC\fR
has been compiled with
support and the underlying operating system supports it, the
tag can be used to prevent a dynamically-linked executable from
running further commands itself.
In the following example, user
but shell escapes will be disabled.
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
\fIPreventing shell escapes\fR
section below for more details on how
works and whether or not it will work on your system.
\fIFOLLOW\fR and \fINOFOLLOW\fR
Starting with version 1.8.15,
will not open a file that is a symbolic link unless the
\fIsudoedit_follow\fR
tags override the value of
\fIsudoedit_follow\fR
and can be used to permit (or deny) the editing of symbolic links
on a per-command basis.
These tags are only effective for the
command and are ignored for all other commands.
\fILOG_INPUT\fR and \fINOLOG_INPUT\fR
These tags override the value of the
option on a per-command basis.
For more information, see the description of
\fISUDOERS OPTIONS\fR
\fILOG_OUTPUT\fR and \fINOLOG_OUTPUT\fR
These tags override the value of the
option on a per-command basis.
For more information, see the description of
\fISUDOERS OPTIONS\fR
\fIMAIL\fR and \fINOMAIL\fR
These tags provide fine-grained control over whether
mail will be sent when a user runs a command by
overriding the value of the
\fImail_all_cmnds\fR
option on a per-command basis.
They have no effect when
tag will also override the
For more information, see the descriptions of
\fImail_all_cmnds\fR,
\fISUDOERS OPTIONS\fR
\fIPASSWD\fR and \fINOPASSWD\fR
requires that a user authenticate him or herself
before running a command.
This behavior can be modified via the
a default for the commands that follow it in the
\fRCmnd_Spec_List\fR.
tag can be used to reverse things.
ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
would allow the user
on the machine rushmore without authenticating himself.
without a password the entry would be:
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
Note, however, that the
tag has no effect on users who are in the group specified by the
tag is applied to any of the entries for a user on the current host,
he or she will be able to run
\(lq\fRsudo -l\fR\(rq
Additionally, a user may only run
\(lq\fRsudo -v\fR\(rq
without a password if the
tag is present for all of a user's entries that pertain to the current host.
This behavior may be overridden via the
\fISETENV\fR and \fINOSETENV\fR
These tags override the value of the
option on a per-command basis.
has been set for a command, the user may disable the
option from the command line via the
Additionally, environment variables set on the command
line are not subject to the restrictions imposed by
As such, only trusted users should be allowed to set variables in this manner.
If the command matched is
tag is implied for that command; this default may be overridden by use of the
(aka meta or glob characters)
to be used in host names, path names and command line arguments in the
Wildcard matching is done via the
functions as specified by
IEEE Std 1003.1 (\(lqPOSIX.1\(rq).
Matches any set of zero or more characters (including white space).
Matches any single character (including white space).
Matches any character in the specified range.
Matches any character
in the specified range.
This is used to escape special characters such as:
\fBNote that these are not regular expressions.\fR
Unlike a regular expression there is no way to match one or more
characters within a range.
Character classes may be used if your system's
functions support them.
However, because the
character has special meaning in
/bin/ls [[\e:\&alpha\e:\&]]*
Would match any file name beginning with a letter.
Note that a forward slash
wildcards used in the file name portion of the command.
This is to make a path like:
\fI/usr/bin/X11/xterm\fR.
When matching the command line arguments, however, a slash
get matched by wildcards since command line arguments may contain
arbitrary strings and not just path names.
\fBWildcards in command line arguments should be used with care.\fR
Command line arguments are matched as a single, concatenated string.
This means a wildcard character such as
will match across word boundaries, which may be unexpected.
For example, while a sudoers entry like:
%operator ALL = /bin/cat /var/log/messages*
will allow a command like:
$ sudo cat /var/log/messages.1
$ sudo cat /var/log/messages /etc/shadow
which is probably not what was intended.
In most cases it is better to do command line processing
file in a scripting language.
.SS "Exceptions to wildcard rules"
The following exceptions apply to the above rules:
is the only command line argument in the
file entry it means that command is not allowed to be run with
Command line arguments to the
built-in command should always be path names, so a forward slash
will not be matched by a wildcard.
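The wildcard rules above and their two exceptions, re-implemented in Python as an added example so the cross-word-boundary behaviour of the /var/log/messages* entry can be reproduced and spotted in review. This is not sudo's matching code: it covers "*", "?", bracket ranges and backslash escapes, does not handle POSIX character classes such as [[:alpha:]] (an assumption), and args_have_wildcards() is an added review check, not a sudoers feature.

```python
import re


def glob_to_regex(pattern, slash_wild):
    """Translate sudoers-style wildcards to a regex.  '*' and '?' match
    any characters, but when slash_wild is False (the path-name portion,
    and sudoedit arguments) they never match '/'.  A leading '!' in a
    bracket expression negates it; a backslash escapes the next character.
    POSIX classes such as [[:alpha:]] are not handled (assumption)."""
    any_char = "." if slash_wild else "[^/]"
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "*":
            out.append(any_char + "*")
        elif ch == "?":
            out.append(any_char)
        elif ch == "\\" and i + 1 < len(pattern):
            i += 1
            out.append(re.escape(pattern[i]))
        elif ch == "[" and pattern.find("]", i + 2) != -1:
            j = pattern.find("]", i + 2)
            body = pattern[i + 1:j]
            if body.startswith("!"):
                body = "^" + body[1:]
            out.append("[" + body + "]")
            i = j
        else:
            out.append(re.escape(ch))
        i += 1
    return re.compile("".join(out) + r"\Z", re.DOTALL)


def command_matches(rule, argv):
    """Match a Cmnd entry ('/path [args]') against the argv a user typed.
    No args in the rule: any args are allowed.  Rule args of '""': no
    args are allowed.  Otherwise the user's args are joined with spaces
    and matched as one string, which is why wildcards cross word
    boundaries."""
    parts = rule.split(None, 1)
    if not glob_to_regex(parts[0], slash_wild=False).match(argv[0]):
        return False
    if len(parts) == 1:
        return True
    rule_args = parts[1].strip()
    user_args = " ".join(argv[1:])
    if rule_args == '""':
        return user_args == ""
    # Exception: sudoedit arguments are path names, so '/' stays unmatched.
    slash_wild = parts[0] != "sudoedit"
    return glob_to_regex(rule_args, slash_wild).match(user_args) is not None


def args_have_wildcards(rule):
    """Review check (added here, not a sudoers feature): True when the
    argument part of a rule uses wildcards and so deserves the scrutiny
    the manual asks for."""
    parts = rule.split(None, 1)
    return len(parts) == 2 and any(c in parts[1] for c in "*?[")


if __name__ == "__main__":
    rule = "/bin/cat /var/log/messages*"
    for argv in (["/bin/cat", "/var/log/messages.1"],
                 ["/bin/cat", "/var/log/messages", "/etc/shadow"]):
        print(argv, command_matches(rule, argv))
    print("wildcards in args:", args_have_wildcards(rule))
```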
.SS "Including other files from within sudoers"
It is possible to include other
files from within the
file currently being parsed using the
This can be used, for example, to keep a site-wide
file in addition to a local, per-machine file.
For the sake of this example the site-wide
and the per-machine one will be
\fI/etc/sudoers.local\fR.
\fI/etc/sudoers.local\fR
#include /etc/sudoers.local
reaches this line it will suspend processing of the current file
(\fI/etc/sudoers\fR)
\fI/etc/sudoers.local\fR.
Upon reaching the end of
\fI/etc/sudoers.local\fR,
Files that are included may themselves include other files.
A hard limit of 128 nested include files is enforced to prevent include
If the path to the include file is not fully-qualified (does not
it must be located in the same directory as the sudoers file it was
\fR#include sudoers.local\fR
the file that will be included is
\fI/etc/sudoers.local\fR.
The file name may also include the
escape, signifying the short form of the host name.
In other words, if the machine's host name is
#include /etc/sudoers.%h
\fI/etc/sudoers.xerxes\fR.
directive can be used to create a
directory that the system package manager can drop
file rules into as part of package installation.
#includedir /etc/sudoers.d
will suspend processing of the current file and read each file in
\fI/etc/sudoers.d\fR,
skipping file names that end in
character to avoid causing problems with package manager or editor
temporary/backup files.
Files are parsed in sorted lexical order.
\fI/etc/sudoers.d/01_first\fR
will be parsed before
\fI/etc/sudoers.d/10_second\fR.
Be aware that because the sorting is lexical, not numeric,
\fI/etc/sudoers.d/1_whoops\fR
\fI/etc/sudoers.d/10_second\fR.
Using a consistent number of leading zeroes in the file names avoids
such problems.
After parsing the files in the directory, control returns to the
file that contained the
Note that unlike files included via
will not edit the files in a
directory unless one of them contains a syntax error.
It is still possible to run
flag to edit the files directly, but this will not catch the
1936 that is also present in a different file.
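The following is an added example, not sudo's own parser, that models the include rules described in this section: a relative #include path is looked up in the directory of the file containing the directive, %h expands to the short host name, #includedir skips names ending in ~ or containing a dot and reads the rest in lexical order, and nesting is capped at 128 levels. The file tree is a constructed in-memory sample (the 1_whoops and 10_second names come from the text), so the model runs offline without touching /etc.

```python
"""Model of sudoers #include and #includedir processing (added example).

A constructed dict of path -> lines stands in for the file system so the
ordering and skipping rules can be checked without a real /etc/sudoers.
"""
import os
from typing import Dict, List

MAX_INCLUDE_DEPTH = 128     # hard limit sudo enforces on nested include files


def resolve_include(path: str, including_file: str, short_host: str) -> str:
    """Return the file an '#include path' directive refers to."""
    path = path.replace("%h", short_host)               # %h is the short host name
    if not os.path.isabs(path):                         # relative: same directory as the includer
        path = os.path.join(os.path.dirname(including_file), path)
    return path


def includedir_files(directory: str, names: List[str]) -> List[str]:
    """Return the files an '#includedir directory' line parses, in parse order.

    Names ending in '~' or containing '.' are skipped (editor and package
    manager temporary/backup files); the rest are sorted lexically, not
    numerically, so '10_second' comes before '1_whoops'.
    """
    chosen = [n for n in names if not n.endswith("~") and "." not in n]
    return [os.path.join(directory, n) for n in sorted(chosen)]


def expand_includes(start: str, files: Dict[str, List[str]], short_host: str,
                    depth: int = 0) -> List[str]:
    """Return the non-directive lines of start and its includes, in the order sudo sees them."""
    if depth >= MAX_INCLUDE_DEPTH:
        raise RecursionError("sudoers: too many levels of nested includes")
    out: List[str] = []
    for line in files[start]:
        if line.startswith("#include "):
            target = resolve_include(line.split(None, 1)[1], start, short_host)
            out.extend(expand_includes(target, files, short_host, depth + 1))
        elif line.startswith("#includedir "):
            directory = line.split(None, 1)[1]
            names = [os.path.basename(p) for p in files if os.path.dirname(p) == directory]
            for path in includedir_files(directory, names):
                out.extend(expand_includes(path, files, short_host, depth + 1))
        else:
            out.append(line)
    return out


# Constructed sample tree; the rule text is illustrative only.
SAMPLE_TREE: Dict[str, List[str]] = {
    "/etc/sudoers": [
        "Defaults env_reset",
        "#include sudoers.local",           # relative: resolved next to /etc/sudoers
        "#includedir /etc/sudoers.d",
        "#include /etc/sudoers.%h",         # host-specific file
    ],
    "/etc/sudoers.local": ["%wheel ALL=(ALL) ALL"],
    "/etc/sudoers.xerxes": ["Defaults:xerxes_admin !requiretty"],
    "/etc/sudoers.d/01_first": ["alice ALL=(root) /usr/bin/systemctl"],
    "/etc/sudoers.d/10_second": ["bob ALL=(root) /usr/bin/journalctl"],
    "/etc/sudoers.d/1_whoops": ["carol ALL=(root) /usr/bin/dmesg"],
    "/etc/sudoers.d/README.txt": ["# skipped: name contains a dot"],
    "/etc/sudoers.d/01_first~": ["# skipped: editor backup"],
}

if __name__ == "__main__":
    for rule in expand_includes("/etc/sudoers", SAMPLE_TREE, "xerxes"):
        print(rule)
```

Running it prints the rules in the order sudo would read them, which makes the lexical-sort pitfall visible: the entry from 1_whoops lands after 10_second, exactly as the text warns, and the two skipped names never appear.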
1937 .SS "Other special characters and reserved words"
1940 is used to indicate a comment (unless it is part of a #include
1941 directive or unless it occurs in the context of a user name and is
1942 followed by one or more digits, in which case it is treated as a
1944 Both the comment character and any text after it, up to the end of
1945 the line, are ignored.
1951 that always causes a match to succeed.
1952 It can be used wherever one might otherwise use a
1958 You should not try to define your own
1962 as the built-in alias will be used in preference to your own.
1963 Please note that using
1965 can be dangerous since in a command context, it allows the user to run
1967 command on the system.
1969 An exclamation point
1971 can be used as a logical
1973 operator in a list or
1975 as well as in front of a
1977 This allows one to exclude certain values.
1980 operator to be effective, there must be something for it to exclude.
1981 For example, to match all users except for root one would use:
1999 it would explicitly deny root but not match any other users.
2000 This is different from a true
2004 Note, however, that using a
2006 in conjunction with the built-in
2008 alias to allow a user to run
2009 \(lqall but a few\(rq
2010 commands rarely works as intended (see
2011 \fISECURITY NOTES\fR
2014 Long lines can be continued with a backslash
2016 as the last character on the line.
2018 White space between elements in a list as well as special syntactic
2020 \fIUser Specification\fR
2027 The following characters must be escaped with a backslash
2029 when used as part of a word (e.g., a user name or host name):
2037 .SH "SUDOERS OPTIONS"
2039 behavior can be modified by
2041 lines, as explained earlier.
2042 A list of all supported Defaults parameters, grouped by type, is given below.
2044 \fBBoolean Flags\fR:
2046 always_query_group_plugin
2049 is configured, use it to resolve groups of the form %group as long
2050 as there is not also a system group of the same name.
2051 Normally, only groups of the form %:group are passed to the
2062 environment variable to the home directory of the target user
2063 (which is root unless the
2066 This effectively means that the
2068 option is always implied.
2069 Note that by default,
2071 will be set to the home directory of the target user when the
2073 option is enabled, so
2074 \fIalways_set_home\fR
2075 only has an effect for configurations where either
2087 If set, users must authenticate themselves via a password (or other
2088 means of authentication) before they may run commands.
2089 This default may be overridden via the
2098 case_insensitive_group
2099 If enabled, group names in
2101 will be matched in a case insensitive manner.
2102 This may be necessary when users are stored in LDAP or AD.
2107 case_insensitive_user
2108 If enabled, user names in
2110 will be matched in a case insensitive manner.
2111 This may be necessary when groups are stored in LDAP or AD.
2117 If set, the user may use
2120 option which overrides the default starting point at which
2122 begins closing open file descriptors.
2130 is configured to log a command's input or output,
2131 the I/O logs will be compressed using
2144 runs a command as the foreground process as long as
2146 itself is running in the foreground.
2148 \fIexec_background\fR
2149 flag is enabled and the command is being run in a pty (due to I/O logging
2152 flag), the command will be run as a background process.
2153 Attempts to read from the controlling terminal (or to change terminal
2154 settings) will result in the command being suspended with the
2158 in the case of terminal settings).
2159 If this happens when
2161 is a foreground process, the command will be granted the controlling terminal
2162 and resumed in the foreground with no user intervention required.
2163 The advantage of initially running the command in the background is that
2165 need not read from the terminal unless the command explicitly requests it.
2166 Otherwise, any terminal input must be passed to the command, whether it
2167 has required it or not (the kernel buffers terminals so it is not possible
2168 to tell whether the command really wants the input).
2169 This is different from historic
2171 behavior or when the command is not being run in a pty.
2173 For this to work seamlessly, the operating system must support the
2174 automatic restarting of system calls.
2175 Unfortunately, not all operating systems do this by default,
2176 and even those that do may have bugs.
2177 For example, macOS fails to restart the
2181 system calls (this is a bug in macOS).
2182 Furthermore, because this behavior depends on the command stopping with the
2186 signals, programs that catch these signals and suspend themselves
2187 with a different signal (usually
2189 will not be automatically foregrounded.
2190 Some versions of the Linux
2192 command behave this way.
2197 This setting is only supported by version 1.8.7 or higher.
2198 It has no effect unless I/O logging is enabled or the
2205 will use the value of the
2210 environment variables before falling back on the default editor list.
2211 Note that this may create a security hole as it allows the user to
2212 run any arbitrary command as root without logging.
2213 A safer alternative is to place a colon-separated list of editors
2223 if they match a value specified in
2227 flag is enabled, the
2232 environment variables must be present in the
2236 flag to function when
2247 will run the command in a minimal environment containing the
2258 Any variables in the caller's environment or in the file specified
2260 \fIrestricted_env_file\fR
2261 option that match the
2265 lists are then added, followed by any variables present in the file
2273 lists, as modified by global Defaults parameters in
2277 is run by root with the
2282 option is set, its value will be used for the
2284 environment variable.
2294 function to do shell-style globbing when matching path names.
2295 However, since it accesses the file system,
2297 can take a long time to complete for some patterns, especially
2298 when the pattern references a network file system that is mounted
2299 on demand (auto mounted).
2306 function, which does not access the file system to do its matching.
2309 is that it is unable to match relative path names such as
2313 This has security implications when path names that include globbing
2314 characters are used with the negation operator,
2316 as such rules can be trivially bypassed.
2317 As such, this option should not be used when the
2319 file contains rules that contain negated path names which include globbing
2326 Set this flag if you want to put fully qualified host names in the
2328 file when the local host name (as returned by the
2330 command) does not contain the domain name.
2331 In other words, instead of myhost you would use myhost.mydomain.edu.
2332 You may still use the short form if you wish (and even mix the two).
2333 This option is only effective when the
2335 host name, as returned by the
2338 \fBgethostbyname\fR()
2339 function, is a fully-qualified domain name.
2340 This is usually the case when the system is configured to use DNS
2341 for host name resolution.
2343 If the system is configured to use the
2345 file in preference to DNS, the
2347 host name may not be fully-qualified.
2348 The order that sources are queried for host name resolution
2349 is usually specified in the
2350 \fI@nsswitch_conf@\fR,
2351 \fI@netsvc_conf@\fR,
2352 \fI/etc/host.conf\fR,
2354 \fI/etc/resolv.conf\fR
2358 file, the first host name of the entry is considered to be the
2360 name; subsequent names are aliases that are not used by
2362 For example, the following hosts file line for the machine
2364 has the fully-qualified domain name as the
2366 host name, and the short version as an alias.
2369 192.168.1.1 xyzzy.sudo.ws xyzzy
2373 If the machine's hosts file entry is not formatted properly, the
2375 option will not be effective if it is queried before DNS.
2377 Beware that when using DNS for host name resolution, turning on
2381 to make DNS lookups which renders
2383 unusable if DNS stops working (for example if the machine is disconnected
2385 Also note that just like with the hosts file, you must use the
2387 name as DNS knows it.
2388 That is, you may not use a host alias
2391 due to performance issues and the fact that there is no way to get all
2400 Allow commands to be run even if
2402 cannot write to the audit log.
2403 If enabled, an audit log write failure is not treated as a fatal error.
2404 If disabled, a command may only be run after the audit event is successfully
2406 This flag is only effective on systems for which
2408 supports audit logging, including
2410 Linux, macOS and Solaris.
2418 will ignore "." or "" (both denoting current directory) in the
2420 environment variable; the
2422 itself is not modified.
2428 Allow commands to be run even if
2430 cannot write to the I/O log.
2431 If enabled, an I/O log write failure is not treated as a fatal error.
2432 If disabled, the command will be terminated if the I/O log cannot be written to.
2437 ignore_logfile_errors
2438 Allow commands to be run even if
2440 cannot write to the log file.
2441 If enabled, a log file write failure is not treated as a fatal error.
2442 If disabled, a command may only be run after the log file entry is successfully
2444 This flag only has an effect when
2446 is configured to use file-based logging via the
2453 ignore_local_sudoers
2454 If set via LDAP, parsing of
2455 \fI@sysconfdir@/sudoers\fR
2457 This is intended for Enterprises that wish to prevent the usage of local
2458 sudoers files so that only LDAP is used.
2459 This thwarts the efforts of rogue operators who would attempt to add roles to
2460 \fI@sysconfdir@/sudoers\fR.
2461 When this option is present,
2462 \fI@sysconfdir@/sudoers\fR
2463 does not even need to exist.
2464 Since this option tells
2466 how to behave when no specific LDAP entries have been matched, this
2467 sudoOption is only meaningful for the
2474 ignore_unknown_defaults
2477 will not produce a warning if it encounters an unknown Defaults entry
2480 file or an unknown sudoOption in LDAP.
2488 will insult users when they enter an incorrect password.
2494 If set, the host name will be logged in the (non-syslog)
2504 will run the command in a pseudo-tty and log all user input.
2505 If the standard input is not connected to the user's tty, due to
2506 I/O redirection or because the command is part of a pipeline, that
2507 input is also captured and stored in a separate log file.
2508 Anything sent to the standard input will be consumed, regardless of
2509 whether or not the command run via
2511 is actually reading the standard input.
2512 This may have unexpected results when using
2514 in a shell script that expects to process the standard input.
2515 For more information about I/O logging, see the
2525 will run the command in a pseudo-tty and log all output that is sent
2526 to the screen, similar to the
2529 For more information about I/O logging, see the
2537 If set, the four-digit year will be logged in the (non-syslog)
2545 When validating with a One Time Password (OTP) scheme such as
2549 a two-line prompt is used to make it easier
2550 to cut and paste the challenge to a local window.
2551 It's not as pretty as the default but some people find it more convenient.
2553 \fI@long_otp_prompt@\fR
2559 user every time a user attempts to run a command via
2563 No mail will be sent if the user runs
2569 option unless there is an authentication error and the
2579 user every time a user runs
2588 user if the user running
2590 does not enter the correct password.
2591 If the command the user is attempting to run is not permitted by
2594 \fImail_all_cmnds\fR,
2600 flags are set, this flag will have no effect.
2606 If set, mail will be sent to the
2608 user if the invoking user exists in the
2610 file, but is not allowed to run commands on the current host.
2612 \fI@mail_no_host@\fR
2616 If set, mail will be sent to the
2618 user if the invoking user is allowed to use
2620 but the command they are trying is not listed in their
2622 file entry or is explicitly denied.
2624 \fI@mail_no_perms@\fR
2628 If set, mail will be sent to the
2630 user if the invoking user is not in the
2634 \fI@mail_no_user@\fR
2640 will look up each group the user is a member of by group ID to
2641 determine the group name (this is only done once).
2642 The resulting list of the user's group names is used when matching
2643 groups listed in the
2646 This works well on systems where the number of groups listed in the
2648 file is larger than the number of groups a typical user belongs to.
2649 On systems where group lookups are slow, where users may belong
2650 to a large number of groups, and where the number of groups listed
2653 file is relatively small, it may be prohibitively expensive and
2654 running commands via
2656 may take longer than normal.
2657 On such systems it may be faster to use the
2658 \fImatch_group_by_gid\fR
2659 flag to avoid resolving the user's group IDs to group names.
2662 must look up any group name listed in the
2664 file and use the group ID instead of the group name when determining
2665 whether the user is a member of the group.
2668 \fImatch_group_by_gid\fR
2669 is enabled, group database lookups performed by
2671 will be keyed by group name as opposed to group ID.
2672 On systems where there are multiple sources for the group database,
2673 it is possible to have conflicting group names or group IDs in the local
2675 file and the remote group database.
2676 On such systems, enabling or disabling
2677 \fImatch_group_by_gid\fR
2678 can be used to choose whether group database queries are performed
2679 by name (enabled) or ID (disabled), which may aid in working around
2680 group entry conflicts.
2683 \fImatch_group_by_gid\fR
2684 flag has no effect when
2686 data is stored in LDAP.
2691 This setting is only supported by version 1.8.18 or higher.
2694 If set, netgroup lookups will be performed using the full netgroup
2695 tuple: host name, user name and domain (if one is set).
2698 only matched the user name and domain for netgroups used in a
2700 and only matched the host name and domain for netgroups used in a
2707 If set, all commands run via
2709 will behave as if the
2711 tag has been set, unless overridden by an
2714 See the description of
2715 \fIEXEC and NOEXEC\fR
2716 above as well as the
2717 \fIPreventing shell escapes\fR
2718 section at the end of this manual.
2724 On systems that use PAM for authentication,
2726 will create a new PAM session for the command to be run in.
2729 may be needed on older PAM implementations or on operating systems where
2730 opening a PAM session changes the utmp or wtmp files.
2731 If PAM session support is disabled, resource limits may not be updated
2732 for the command being run.
2738 are disabled and I/O logging has not been configured,
2740 will execute the command directly instead of running it as a child
2746 This setting is only supported by version 1.8.7 or higher.
2749 On systems that use PAM for authentication,
2751 will attempt to establish credentials for the target user by default,
2752 if supported by the underlying authentication system.
2753 One example of a credential is a Kerberos ticket.
2759 are disabled and I/O logging has not been configured,
2761 will execute the command directly instead of running it as a child
2767 This setting is only supported by version 1.8.8 or higher.
2770 If set, the prompt specified by
2774 environment variable will always be used and will replace the
2775 prompt provided by a PAM module or other authentication method.
2783 will tell the user when a command could not be
2786 environment variable.
2787 Some sites may wish to disable this as it could be used to gather
2788 information on the location of executables that the normal user does
2790 The disadvantage is that if the executable is simply not in the user's
2793 will tell the user that they are not allowed to run it, which can be confusing.
2801 will initialize the group vector to the list of groups the target user is in.
2803 \fIpreserve_groups\fR
2804 is set, the user's existing group vector is left unaltered.
2805 The real and effective group IDs, however, are still set to match the
2814 reads the password like most other Unix programs,
2815 by turning off echo until the user hits the return (or enter) key.
2816 Some users become confused by this as it appears to them that
2818 has hung at this point.
2823 will provide visual feedback when the user presses a key.
2824 Note that this does have a security impact as an onlooker may be able to
2825 determine the length of the password being entered.
2833 will only run when the user is logged in to a real tty.
2834 When this flag is set,
2836 can only be run from a login session and not via other means such as
2844 If set, root is allowed to run
2847 Disabling this prevents users from
2850 commands to get a root shell by doing something like
2851 \(lq\fRsudo sudo /bin/sh\fR\(rq.
2852 Note, however, that turning off
2854 will also prevent root from running
2858 provides no real additional security; it exists purely for historical reasons.
2866 will prompt for the root password instead of the password of the invoking user
2867 when running a command or editing a file.
2875 will prompt for the password of the user defined by the
2878 \fR@runas_default@\fR)
2879 instead of the password of the invoking user
2880 when running a command or editing a file.
2892 environment variable will be set to the home directory of the target
2893 user (which is root unless the
2896 This effectively makes the
2902 is already set when the
2904 option is enabled, so
2906 is only effective for configurations where either
2925 environment variables to the name of the target user (usually root unless the
2928 However, since some programs (including the RCS revision control system) use
2930 to determine the real identity of the user, it may be desirable to
2931 change this behavior.
2932 This can be done by negating the set_logname option.
2938 option has not been disabled and the
2951 will create an entry in the utmp (or utmpx) file when a pseudo-tty
2953 A pseudo-tty is allocated by
2961 By default, the new entry will be a copy of the user's existing utmp
2962 entry (if any), with the tty, time, type and pid fields updated.
2968 Allow the user to disable the
2970 option from the command line via the
2973 Additionally, environment variables set via the command line are
2974 not subject to the restrictions imposed by
2979 As such, only trusted users should be allowed to set variables in this manner.
2987 is invoked with no arguments it acts as if the
2989 option had been given.
2990 That is, it runs a shell as root (the shell is determined by the
2992 environment variable if it is set, falling back on the shell listed
2993 in the invoking user's /etc/passwd entry if not).
3001 executes a command the real and effective UIDs are set to the target
3002 user (root by default).
3003 This option changes that behavior such that the real UID is left
3004 as the invoking user's UID.
3005 In other words, this makes
3007 act as a setuid wrapper.
3008 This can be useful on systems that disable some potentially
3009 dangerous functionality when a program is run setuid.
3010 This option is only effective on systems that support either the
3023 will check all directory components of the path to be edited for writability
3024 by the invoking user.
3025 Symbolic links will not be followed in writable directories and
3027 will refuse to edit a file located in a writable directory.
3028 These restrictions are not enforced when
3031 On some systems, if all directory components of the path to be edited
3032 are not readable by the target user,
3034 will be unable to edit the file.
3039 This setting was first introduced in version 1.8.15 but initially
3040 suffered from a race condition.
3041 The check for symbolic links in writable intermediate directories
3042 was added in version 1.8.16.
3047 will not follow symbolic links when opening files.
3049 \fIsudoedit_follow\fR
3050 option can be enabled to allow
3052 to open symbolic links.
3053 It may be overridden on a per-command basis by the
3062 This setting is only supported by version 1.8.15 or higher.
3067 include the process ID in the log entry.
3072 This setting is only supported by version 1.8.21 or higher.
3077 will prompt for the password of the user specified
3082 instead of the password of the invoking user
3083 when running a command or editing a file.
3084 Note that this flag precludes the use of a uid not listed in the passwd
3085 database as an argument to the
3093 If set, users must authenticate on a per-tty basis.
3094 With this flag enabled,
3096 will use a separate record in the time stamp file for each terminal.
3097 If disabled, a single record is used for all login sessions.
3099 This option has been superseded by the
3100 \fItimestamp_type\fR
3106 will set the umask as specified in the
3108 file without modification.
3109 This makes it possible to specify a umask in the
3111 file that is more permissive than the user's own umask and matches
3112 historical behavior.
3114 \fIumask_override\fR
3117 will set the umask to be the union of the user's umask and what is specified in
3120 \fI@umask_override@\fR
3127 will apply the defaults specified for the target user's login class
3131 is configured with the
3132 \fR--with-logincap\fR
3140 If set, netgroups (prefixed with
3142 may be used in place of a user or host.
3143 For LDAP-based sudoers, netgroup support requires an expensive
3144 sub-string match on the server unless the
3146 directive is present in the
3149 If netgroups are not needed, this option can be disabled to reduce the
3150 load on the LDAP server.
3158 is running in a terminal, the command will be run in a pseudo-pty
3159 (even if no I/O logging is being done).
3162 process is not attached to a terminal,
3166 A malicious program run under
3168 may be capable of injecting commands into the user's
3169 terminal or running a background process that retains access to the
3170 user's terminal device even after the main program has finished
3172 By running the command in a separate pseudo-pty, this attack is
3178 user_command_timeouts
3179 If set, the user may specify a timeout on the command line.
3180 If the timeout expires before the command has exited, the
3181 command will be terminated.
3182 If a timeout is specified both in the
3184 file and on the command line, the smaller of the two timeouts will be used.
3187 section for a description of the timeout syntax.
3192 This setting is only supported by version 1.8.20 or higher.
3197 will store the name of the runas user when updating the utmp (or utmpx) file.
3200 stores the name of the invoking user.
3208 will refuse to run if the user must enter a password but it is not
3209 possible to disable echo on the terminal.
3214 will prompt for a password even when it would be visible on the screen.
3215 This makes it possible to run things like
3216 \(lq\fRssh somehost sudo ls\fR\(rq
3220 not allocate a tty when running a command.
3228 Before it executes a command,
3230 will close all open file descriptors other than standard input,
3231 standard output and standard error (i.e., file descriptors 0-2).
3234 option can be used to specify a different file descriptor at which
3240 The maximum amount of time a command is allowed to run before
3244 section for a description of the timeout syntax.
3246 This setting is only supported by version 1.8.20 or higher.
3249 The maximum sequence number that will be substituted for the
3250 \(lq\fR%{seq}\fR\(rq
3251 escape in the I/O log file (see the
3253 description below for more information).
3254 While the value substituted for
3255 \(lq\fR%{seq}\fR\(rq
3258 itself should be expressed in decimal.
3259 Values larger than 2176782336 (which corresponds to the
3260 base 36 sequence number
3262 will be silently truncated to 2176782336.
3263 The default value is 2176782336.
3265 Once the local sequence number reaches the value of
3269 to zero, after which
3271 will truncate and re-use any existing I/O log path names.
3273 This setting is only supported by version 1.8.7 or higher.
3276 The number of tries a user gets to enter his/her password before
3278 logs the failure and exits.
3280 \fR@passwd_tries@\fR.
3285 has a relatively small log buffer.
3286 IETF RFC 5424 states that syslog servers must support messages of
3287 at least 480 bytes and should support messages up to 2048 bytes.
3290 creates log messages up to 980 bytes which corresponds to the
3293 syslog implementation which used a 1024 byte buffer
3294 to store the message, date, hostname and program name.
3295 To prevent syslog messages from being truncated,
3297 will split up log messages that are larger than
3300 When a message is split, additional parts will include the string
3301 \(lq(command continued)\(rq
3302 after the user name and before the continued command line arguments.
3304 This setting is only supported by version 1.8.19 or higher.
3306 \fBIntegers that can be used in a boolean context\fR:
3309 Number of characters per line for the file log.
3310 This value is used to decide when to wrap lines for nicer log files.
3311 This has no effect on the syslog log file, only the file log.
3314 (use 0 or negate the option to disable word wrap).
3317 Number of minutes before the
3319 password prompt times out, or
3322 The timeout may include a fractional component
3323 if minute granularity is insufficient, for example
3327 \fR@password_timeout@\fR.
3331 Number of minutes that can elapse before
3333 will ask for a password again.
3334 The timeout may include a fractional component if
3335 minute granularity is insufficient, for example
3341 to always prompt for a password.
3342 If set to a value less than
3344 the user's time stamp will not expire until the system is rebooted.
3345 This can be used to allow users to create or delete their own time stamps via
3346 \(lq\fRsudo -v\fR\(rq
3348 \(lq\fRsudo -k\fR\(rq
3352 Umask to use when running the command.
3353 Negate this option or set it to 0777 to preserve the user's umask.
3354 The actual umask that is used will be the union of the user's umask
3355 and the value of the
3357 option, which defaults to
3362 never lowers the umask when running a command.
3363 Note: on systems that use PAM, the default PAM configuration may specify
3364 its own umask which will override the value set in
3370 Message that is displayed after a user fails to authenticate.
3371 The message may include the
3373 escape which will expand to the number of failed password attempts.
3374 If set, it overrides the default message,
3375 \fR%d incorrect password attempt(s)\fR.
3378 Message that is displayed if a user enters an incorrect password.
3380 \fR@badpass_message@\fR
3381 unless insults are enabled.
3386 separated list of editors path names used by
3392 this list is used to find an editor when none of the
3397 environment variables are set to an editor that exists and is executable.
3400 it is used as a white list of allowed editors;
3402 will choose the editor that matches the user's
3407 environment variable if possible, or the first editor in the
3408 list that exists and is executable if not.
3412 does not preserve the
3417 environment variables by default, even when the
3424 The top-level directory to use when constructing the path name for
3425 the input/output log directory.
3430 options are enabled or when the
3434 tags are present for a command.
3435 The session sequence number, if any, is stored in the directory.
3439 The following percent
3441 escape sequences are supported:
3447 expanded to a monotonically increasing base-36 sequence number, such as 0100A5,
3448 where every two digits are used to form a new directory, e.g.,
3453 expanded to the invoking user's login name
3456 expanded to the name of the invoking user's real group ID
3459 expanded to the login name of the user the command will
3460 be run as (e.g., root)
3462 \fR%{runas_group}\fR
3463 expanded to the group name of the user the command will
3464 be run as (e.g., wheel)
3467 expanded to the local host name without the domain name
3470 expanded to the base name of the command being run
3472 In addition, any escape sequences supported by the system's
3474 function will be expanded.
3476 To include a literal
3478 character, the string
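The following is an added example, not sudo's own I/O log code, that models how the maxseq option and the iolog_dir escapes described above fit together: the sequence number is rendered as six base-36 digits, %{seq} splits it into two-character directory components (0100A5 becomes 01/00/A5), values above 2176782336 are truncated, the counter wraps to zero at maxseq, %{hostname} and %{command} are shortened as the text says, and anything left over is handed to strftime. Only the escapes listed on the page are supported; the user, group and command values in the test are constructed.

```python
"""Model of sudoers I/O log path construction (added example).

Covers the maxseq bound and wrap-around and the percent escapes listed
for iolog_dir; the remaining percent sequences are left to strftime.
"""
import re
import time

MAXSEQ_LIMIT = 2176782336   # 36**6: the largest value maxseq accepts; larger values are truncated
_DIGITS = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
_ESCAPE = re.compile(r"%%|%\{(\w+)\}")


def clamp_maxseq(value: int) -> int:
    """maxseq values larger than 2176782336 are silently truncated to it."""
    return min(value, MAXSEQ_LIMIT)


def seq_to_base36(seq: int) -> str:
    """Render a sequence number as the six-character base-36 string used by %{seq}."""
    s = ""
    for _ in range(6):
        s = _DIGITS[seq % 36] + s
        seq //= 36
    return s


def next_seq(current: int, maxseq: int) -> int:
    """Advance the local sequence number; it wraps to zero on reaching maxseq."""
    nxt = current + 1
    return 0 if nxt >= maxseq else nxt


def expand_iolog_path(template: str, seq: int, user: str, group: str,
                      runas_user: str, runas_group: str, hostname: str,
                      command: str, now: time.struct_time) -> str:
    """Expand the iolog_dir/iolog_file escapes, then strftime escapes, in template."""
    seq36 = seq_to_base36(seq)
    values = {
        "seq": "/".join(seq36[i:i + 2] for i in range(0, 6, 2)),  # 0100A5 -> 01/00/A5
        "user": user,
        "group": group,
        "runas_user": runas_user,
        "runas_group": runas_group,
        "hostname": hostname.split(".")[0],       # local host name without the domain
        "command": command.rsplit("/", 1)[-1],    # base name of the command
    }

    def repl(m: "re.Match[str]") -> str:
        if m.group(0) == "%%":
            return "%%"            # left for strftime, which emits a literal '%'
        return values[m.group(1)]  # KeyError for an escape this model does not know

    return time.strftime(_ESCAPE.sub(repl, template), now)


if __name__ == "__main__":
    seq = int("0100A5", 36)     # the sequence number quoted in the text
    print(expand_iolog_path("/var/log/sudo-io/%{user}/%Y%m%d/%{seq}", seq,
                            "alice", "staff", "root", "wheel",
                            "xerxes.sudo.ws", "/bin/ls", time.gmtime(0)))
```

Substituting the sudoers escapes before calling strftime matters: a user name is never handed to strftime, and a literal %% survives both passes as a single percent sign.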
3484 The path name, relative to
3486 in which to store input/output logs when the
3490 options are enabled or when the
3494 tags are present for a command.
3497 may contain directory components.
3499 \(lq\fR%{seq}\fR\(rq.
3503 option above for a list of supported percent
3507 In addition to the escape sequences, path names that end in six or
3512 replaced with a unique combination of digits and letters, similar to the
3516 If the path created by concatenating
3520 already exists, the existing I/O log file will be truncated and
3530 will flush I/O log data to disk after each write instead of buffering it.
3531 This makes it possible to view the logs in real-time as the program
3532 is executing but may significantly reduce the effectiveness of I/O
3538 This setting is only supported by version 1.8.20 or higher.
3541 The group name to look up when setting the group ID on new I/O log
3542 files and directories.
3546 the primary group ID of the user specified by
3553 are set, I/O log files and directories are created with group ID 0.
3555 This setting is only supported by version 1.8.19 or higher.
3558 The file mode to use when creating I/O log files.
3559 Mode bits for read and write permissions for owner, group or other
3560 are honored, everything else is ignored.
3561 The file permissions will always include the owner read and
3562 write bits, even if they are not present in the specified mode.
3563 When creating I/O log directories, search (execute) bits are added
3564 to match the read and write bits specified by
3566 Defaults to 0600 (read and write by user only).
3568 This setting is only supported by version 1.8.19 or higher.
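The following is an added example (not sudo's own code) that models the iolog_file escape expansion and the iolog_mode rules described above: %{...} escapes are filled from a constructed session record, everything else goes through strftime (with %% giving a literal percent sign), a trailing run of X characters is replaced with random letters and digits, and the directory mode is derived from the file mode by adding a search bit wherever a read or write bit is present. It assumes %{seq} renders the sequence number as six upper-case base-36 digits, which is where the "00/00/01" layout comes from.

```python
"""Expand an iolog_dir/iolog_file template and derive I/O log directory modes.

Added example modelled on the escape sequences and iolog_mode rules in the
sudoers manual; it is not sudo's own code.  SESSION holds constructed values.
Assumption: %{seq} renders the sequence number as six upper-case base-36
digits, split into pairs to form directory components.
"""
import re
import secrets
import string
import time

BASE36 = string.digits + string.ascii_uppercase
EPOCH = time.gmtime(0)  # fixed timestamp so results are reproducible


def seq_to_path(seq, width=6):
    """Render a sequence number as base-36 digits and turn every two digits
    into a directory component, e.g. 37 -> "00/00/11"."""
    digits = ""
    n = seq
    while n:
        digits = BASE36[n % 36] + digits
        n //= 36
    digits = digits.rjust(width, "0")
    return "/".join(digits[i:i + 2] for i in range(0, width, 2))


def expand_iolog_path(template, session, when=None):
    """Expand %{...} escapes from the session record first, then hand the
    remaining %-sequences (including %% for a literal '%') to strftime.
    A trailing run of six or more 'X' characters is replaced with random
    letters and digits, mktemp-style.  Session values are assumed not to
    contain '%' themselves."""
    def repl(m):
        key = m.group(1)
        return seq_to_path(session["seq"]) if key == "seq" else str(session[key])

    path = re.sub(r"%\{([a-z_]+)\}", repl, template)
    path = time.strftime(path, when if when is not None else time.localtime())
    m = re.search(r"X{6,}$", path)
    if m:
        alnum = string.ascii_letters + string.digits
        path = path[:m.start()] + "".join(secrets.choice(alnum) for _ in m.group(0))
    return path


def iolog_modes(iolog_mode):
    """Return (file_mode, dir_mode) for an iolog_mode value: only the rw bits
    are honoured, owner rw is always added, and directories get a search bit
    in every triad (owner, group, other) that has a read or write bit."""
    file_mode = (iolog_mode & 0o666) | 0o600
    dir_mode = file_mode
    for shift in (6, 3, 0):
        if file_mode & (0o6 << shift):
            dir_mode |= 0o1 << shift
    return file_mode, dir_mode


SESSION = {  # constructed sample values for one sudo session
    "seq": 37, "user": "millert", "group": "staff", "runas_user": "root",
    "runas_group": "wheel", "hostname": "anchor", "command": "restore",
}

if __name__ == "__main__":
    print(expand_iolog_path("%{hostname}/%{user}/%Y%m%d/%{seq}", SESSION))
    print("file mode %o, directory mode %o" % iolog_modes(0o640))
```

Running it shows why iolog_mode=0640 yields directories created 0750, and why a template such as "%{hostname}/%Y%m%d/%{seq}" spreads sessions over dated, per-host directory trees that sudoreplay can still locate by session ID.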
3571 The user name to look up when setting the user and group IDs on new
3572 I/O log files and directories.
3575 is set, it will be used instead of the user's primary group ID.
3576 By default, I/O log files and directories are created with user and
3579 This setting can be useful when the I/O logs are stored on a Network
3580 File System (NFS) share.
3581 Having a dedicated user own the I/O log files means that
3583 does not write to the log files as user ID 0, which is usually
3584 not permitted by NFS.
3586 This setting is only supported by version 1.8.19 or higher.
3589 The directory in which
3591 stores per-user lecture status files.
3592 Once a user has received the lecture, a zero-length file is
3593 created in this directory so that
3595 will not lecture the user again.
3596 This directory should
3598 be cleared when the system reboots.
3600 \fI@vardir@/lectured\fR.
3604 The default Solaris limit privileges to use when constructing a new
3605 privilege set for a command.
3606 This bounds all privileges of the executing process.
3607 The default limit privileges may be overridden on a per-command basis in
3609 This option is only available if
3611 is built on Solaris 10 or higher.
3615 Subject of the mail sent to the
3620 will expand to the host name of the machine.
3622 \(lq\fR@mailsub@\fR\(rq.
3627 version 1.8.1 this option is no longer supported.
3628 The path to the noexec file should now be set in the
3629 sudo.conf(@mansectform@)
3634 On systems that use PAM for authentication, this is the service
3637 option is specified.
3638 The default value is
3639 \(lq\fR@pam_login_service@\fR\(rq.
3640 See the description of
3642 for more information.
3644 This setting is only supported by version 1.8.8 or higher.
3647 On systems that use PAM for authentication, the service name
3648 specifies the PAM policy to apply.
3649 This usually corresponds to an entry in the
3651 file or a file in the
3654 The default value is
3657 This setting is only supported by version 1.8.8 or higher.
3660 The default prompt to use when asking for a password; can be overridden via the
3664 environment variable.
3665 The following percent
3667 escape sequences are supported:
3673 expanded to the local host name including the domain name
3674 (only if the machine's host name is fully qualified or the
3680 expanded to the local host name without the domain name
3683 expanded to the user whose password is being asked for (respects the
3692 expanded to the login name of the user the command will
3693 be run as (defaults to root)
3696 expanded to the invoking user's login name
3701 characters are collapsed into a single
3705 On systems that use PAM for authentication,
3707 will only be used if the prompt provided by the PAM module matches the string
3710 \(lqusername's Password: \(rq.
3711 This ensures that the
3713 setting does not interfere with challenge-response style authentication.
3715 \fIpassprompt_override\fR
3716 flag can be used to change this behavior.
3718 The default value is
3719 \(lq\fR@passprompt@\fR\(rq.
3724 The default Solaris privileges to use when constructing a new
3725 privilege set for a command.
3726 This is passed to the executing process via the inherited privilege set,
3727 but is bounded by the limit privileges.
3730 option is specified but the
3732 option is not, the limit privileges of the executing process are set to
3734 The default privileges may be overridden on a per-command basis in
3736 This option is only available if
3738 is built on Solaris 10 or higher.
3743 The default SELinux role to use when constructing a new security
3744 context to run the command.
3745 The default role may be overridden on a per-command basis in the
3747 file or via command line options.
3748 This option is only available when
3750 is built with SELinux support.
3754 The default user to run commands as if the
3756 option is not specified on the command line.
3758 \fR@runas_default@\fR.
3761 Locale to use when parsing the sudoers file, logging commands, and
3763 Note that changing the locale may affect how sudoers is interpreted.
3769 uses per-user time stamp files for credential caching.
3771 \fItimestamp_type\fR
3772 option can be used to specify the type of time stamp record used.
3773 It has the following possible values:
3779 A single time stamp record is used for all of a user's login sessions,
3780 regardless of the terminal or parent process ID.
3781 An additional record is used to serialize password prompts when
3783 is used multiple times in a pipeline, but this does not affect authentication.
3787 A single time stamp record is used for all processes with the same parent
3788 process ID (usually the shell).
3789 Commands run from the same shell (or other common parent process)
3790 will not require a password for
3791 \fItimestamp_timeout\fR
3798 with a different parent process ID, for example from a shell script,
3799 will be authenticated separately.
3802 One time stamp record is used for each terminal,
3803 which means that a user's login sessions are authenticated separately.
3804 If no terminal is present, the behavior is the same as
3806 Commands run from the same terminal will not require a password for
3807 \fItimestamp_timeout\fR
3814 The time stamp is stored in the kernel as an attribute of the terminal
3816 If no terminal is present, the behavior is the same as
3819 \fItimestamp_timeout\fR
3820 values are not supported and positive values are limited to a maximum
3822 This is currently only supported on
3825 The default value is
3826 \fI@timestamp_type@\fR.
3828 This setting is only supported by version 1.8.21 or higher.
3832 The directory in which
3834 stores its time stamp files.
3835 This directory should be cleared when the system reboots.
3840 The owner of the lecture status directory, time stamp directory and all
3841 files stored therein.
3847 The default SELinux type to use when constructing a new security
3848 context to run the command.
3849 The default type may be overridden on a per-command basis in the
3851 file or via command line options.
3852 This option is only available when
3854 is built with SELinux support.
3856 \fBStrings that can be used in a boolean context\fR:
3861 option specifies the fully qualified path to a file containing variables
3862 to be set in the environment of the program being run.
3863 Entries in this file should either be of the form
3864 \(lq\fRVARIABLE=value\fR\(rq
3866 \(lq\fRexport VARIABLE=value\fR\(rq.
3867 The value may optionally be surrounded by single or double quotes.
3868 Variables in this file are only added if the variable does not already
3869 exist in the environment.
3870 This file is considered to be part of the security policy,
3871 its contents are not subject to other
3873 environment restrictions such as
3879 Users in this group are exempt from password and PATH requirements.
3880 The group name specified should not include a
3883 This is not set by default.
3888 will execute a command by its path or by an open file descriptor.
3889 It has the following possible values:
3895 Always execute by file descriptor.
3899 Never execute by file descriptor.
3902 Only execute by file descriptor if the command has an associated digest
3907 The default value is
3909 This avoids a time of check versus time of use race condition when
3910 the command is located in a directory writable by the invoking user.
3914 will change the first element of the argument vector for scripts
3915 ($0 in the shell) due to the way the kernel runs script interpreters.
3916 Instead of being a normal path, it will refer to a file descriptor.
3920 \fI/proc/self/fd/4\fR
3922 A workaround is to use the
3924 environment variable instead.
3928 setting is only used when the command is matched by path name.
3929 It has no effect if the command is matched by the built-in
3933 This setting is only supported by version 1.8.20 or higher.
3934 If the operating system does not support the
3936 system call, this setting has no effect.
3940 A string containing a
3942 group plugin with optional arguments.
3943 The string should consist of the plugin
3944 path, either fully-qualified or relative to the
3946 directory, followed by any configuration arguments the plugin requires.
3947 These arguments (if any) will be passed to the plugin's initialization function.
3948 If arguments are present, the string must be enclosed in double quotes
3951 For more information see
3952 \fIGROUP PROVIDER PLUGINS\fR.
3955 This option controls when a short lecture will be printed along with
3956 the password prompt.
3957 It has the following possible values:
3963 Always lecture the user.
3967 Never lecture the user.
3970 Only lecture the user the first time they run
3973 If no value is specified, a value of
3976 Negating the option results in a value of
3979 The default value is
3984 Path to a file containing an alternate
3986 lecture that will be used in place of the standard lecture if the named
3990 uses a built-in lecture.
3993 This option controls when a password will be required when a user runs
3998 It has the following possible values:
4006 file entries for the current host must have
4009 flag set to avoid entering a password.
4013 The user must always enter a password to use the
4018 At least one of the user's
4020 file entries for the current host
4023 flag set to avoid entering a password.
4026 The user need never enter a password to use the
4030 If no value is specified, a value of
4033 Negating the option results in a value of
4036 The default value is
4043 log file (not the syslog log file).
4044 Setting a path turns on logging to a file;
4045 negating this option turns it off.
4051 Flags to use when invoking mailer.
4056 Path to mail program used to send warning mail.
4057 Defaults to the path to sendmail found at configure time.
4060 Address to use for the
4062 address when sending warning and error mail.
4063 The address should be enclosed in double quotes
4070 Defaults to the name of the user running
4074 Address to send warning and error mail to.
4075 The address should be enclosed in double quotes
4087 \fIrestricted_env_file\fR
4088 option specifies the fully qualified path to a file containing variables
4089 to be set in the environment of the program being run.
4090 Entries in this file should either be of the form
4091 \(lq\fRVARIABLE=value\fR\(rq
4093 \(lq\fRexport VARIABLE=value\fR\(rq.
4094 The value may optionally be surrounded by single or double quotes.
4095 Variables in this file are only added if the variable does not already
4096 exist in the environment.
4099 the file's contents are not trusted and are processed in a manner
4100 similar to that of the invoking user's environment.
4103 is enabled, variables in the file will only be added if they are
4104 matched by either the
4111 is disabled, variables in the file are added as long as they
4112 are not matched by the
4115 In either case, the contents of
4116 \fIrestricted_env_file\fR
4117 are processed before the contents of
4121 Path used for every command run from
4123 If you don't trust the
4128 environment variable you may want to use this.
4129 Another use is if you want to have the
4131 be separate from the
4133 Users in the group specified by the
4135 option are not affected by
4137 This option is @secure_path@ by default.
4140 Syslog facility if syslog is being used for logging (negate to
4141 disable syslog logging).
4145 The following syslog facilities are supported:
4164 Syslog priority to use when the user is not allowed to run a command or
4165 when authentication is unsuccessful.
4169 The following syslog priorities are supported:
4180 Negating the option or setting it to a value of
4182 will disable logging of unsuccessful commands.
4185 Syslog priority to use when the user is allowed to run a command and
4186 authentication is successful.
4192 for the list of supported syslog priorities.
4193 Negating the option or setting it to a value of
4195 will disable logging of successful commands.
4198 This option controls when a password will be required when a user runs
4203 It has the following possible values:
4211 file entries for the current host must have the
4213 flag set to avoid entering a password.
4217 The user must always enter a password to use the
4222 At least one of the user's
4224 file entries for the current host must have the
4226 flag set to avoid entering a password.
4229 The user need never enter a password to use the
4233 If no value is specified, a value of
4236 Negating the option results in a value of
4239 The default value is
4243 \fBLists that can be used in a boolean context\fR:
4247 Environment variables to be removed from the user's environment
4248 unless they are considered
4250 For all variables except
4253 means that the variable's value does not contain any
4258 This can be used to guard against printf-style format vulnerabilities
4259 in poorly-written programs.
4262 variable is considered unsafe if any of the following are true:
4268 It consists of a fully-qualified path name,
4269 optionally prefixed with a colon
4271 that does not match the location of the
4282 It contains white space or non-printable characters.
4285 It is longer than the value of
4288 The argument may be a double-quoted, space-separated list or a
4289 single value without double-quotes.
4290 The list can be replaced, added to, deleted from, or disabled by using
4297 operators respectively.
4298 Regardless of whether the
4300 option is enabled or disabled, variables specified by
4302 will be preserved in the environment if they pass the aforementioned check.
4303 The global list of environment variables to check is displayed when
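As an added example (not sudo's code), the check described for env_check can be modelled as follows. Assumptions: the zoneinfo directory that TZ may legitimately point into is /usr/share/zoneinfo, PATH_MAX is 4096, DEFAULT_ENV_CHECK is the list typically compiled into sudoers, and the sample environment is constructed.

```python
"""Model of the env_check safety test from the sudoers manual.

Added example, not sudo's code.  Assumptions: ZONEINFO_DIR and PATH_MAX are
typical values, DEFAULT_ENV_CHECK is the usual compiled-in list, and
SAMPLE_ENV is constructed.
"""
import fnmatch

ZONEINFO_DIR = "/usr/share/zoneinfo"   # assumed location of the zoneinfo tree
PATH_MAX = 4096                        # assumed system limit
DEFAULT_ENV_CHECK = ("COLORTERM", "LANG", "LANGUAGE", "LC_*", "LINGUAS", "TERM", "TZ")


def tz_is_unsafe(value):
    """TZ is unsafe if it is an absolute path (optionally after a leading
    colon) outside the zoneinfo directory, if it contains white space or
    non-printable characters, or if it is as long as PATH_MAX."""
    v = value[1:] if value.startswith(":") else value
    if v.startswith("/") and not (v == ZONEINFO_DIR or v.startswith(ZONEINFO_DIR + "/")):
        return True
    if any(c.isspace() or not c.isprintable() for c in v):
        return True
    return len(v) >= PATH_MAX


def is_unsafe(name, value):
    """Every checked variable other than TZ is unsafe if its value contains
    a '%' or '/' character."""
    if name == "TZ":
        return tz_is_unsafe(value)
    return "%" in value or "/" in value


def apply_env_check(env, patterns=DEFAULT_ENV_CHECK):
    """Return (filtered_env, removed_names).  Variables matching an env_check
    pattern are dropped when unsafe and preserved when they pass.  Variables
    not on the list pass through here; env_reset and env_delete govern them."""
    filtered, removed = {}, []
    for name, value in env.items():
        checked = any(fnmatch.fnmatchcase(name, p) for p in patterns)
        if checked and is_unsafe(name, value):
            removed.append(name)
        else:
            filtered[name] = value
    return filtered, removed


SAMPLE_ENV = {  # constructed
    "TERM": "xterm-256color",
    "LANG": "en_US.UTF-8",
    "LC_ALL": "C%n%n",                 # '%' fails the check
    "TZ": ":/etc/localtime",           # absolute path outside zoneinfo
    "COLORTERM": "truecolor",
    "PATH": "/usr/bin:/bin",           # not an env_check variable
}

if __name__ == "__main__":
    kept, dropped = apply_env_check(SAMPLE_ENV)
    print("removed:", dropped)
    print("kept:", sorted(kept))
```

The per-variable rule is deliberately coarse: a TZ value like "America/Denver" passes because it is relative, while ":/etc/localtime" is rejected as an absolute path outside the zoneinfo tree even though it is a common setting.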
4312 Environment variables to be removed from the user's environment when the
4314 option is not in effect.
4315 The argument may be a double-quoted, space-separated list or a
4316 single value without double-quotes.
4317 The list can be replaced, added to, deleted from, or disabled by using the
4323 operators respectively.
4324 The global list of environment variables to remove is displayed when
4326 is run by root with the
4329 Note that many operating systems will remove potentially dangerous
4330 variables from the environment of any setuid process (such as
4334 Environment variables to be preserved in the user's environment when the
4336 option is in effect.
4337 This allows fine-grained control over the environment
4339 processes will receive.
4340 The argument may be a double-quoted, space-separated list or a
4341 single value without double-quotes.
4342 The list can be replaced, added to, deleted from, or disabled by using the
4348 operators respectively.
4349 The global list of variables to keep
4352 is run by root with the
4355 .SH "GROUP PROVIDER PLUGINS"
4358 plugin supports its own plugin interface to allow non-Unix
4359 group lookups which can query a group source other
4360 than the standard Unix group database.
4361 This can be used to implement support for the
4363 syntax described earlier.
4365 Group provider plugins are specified via the
4370 should consist of the plugin path, either fully-qualified or relative to the
4372 directory, followed by any configuration options the plugin requires.
4373 These options (if specified) will be passed to the plugin's initialization
4375 If options are present, the string must be enclosed in double quotes
4378 The following group provider plugins are installed by default:
4383 plugin supports an alternate group file that uses the same syntax as the
4386 The path to the group file should be specified as an option
4388 For example, if the group file to be used is
4389 \fI/etc/sudo-group\fR:
4393 Defaults group_plugin="group_file.so /etc/sudo-group"
4400 plugin supports group lookups via the standard C library functions
4404 This plugin can be used in instances where the user belongs to
4405 groups not present in the user's supplemental group vector.
4406 This plugin takes no options:
4410 Defaults group_plugin=system_group.so
4414 The group provider plugin API is described in detail in
4415 sudo_plugin(@mansectform@).
4418 can log events using either
4420 or a simple log file.
4421 The log format is almost identical in both cases.
4422 .SS "Accepted command log entries"
4423 Commands that sudo runs are logged using the following format (split
4424 into multiple lines for readability):
4428 date hostname progname: username : TTY=ttyname ; PWD=cwd ; \e
4429 USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \e
4430 ENV=env_vars COMMAND=command
4434 Where the fields are as follows:
4437 The date the command was run.
4438 Typically, this is in the format
4439 \(lqMMM, DD, HH:MM:SS\(rq.
4442 the actual date format is controlled by the syslog daemon.
4443 If logging to a file and the
4446 the date will also include the year.
4449 The name of the host
4452 This field is only present when logging via
4456 The name of the program, usually
4460 This field is only present when logging via
4464 The login name of the user who ran
4468 The short name of the terminal (e.g.,
4476 if there was no terminal present.
4479 The current working directory that
4484 The user the command was run as.
4487 The group the command was run as if one was specified on the command line.
4490 An I/O log identifier that can be used to replay the command's output.
4491 This is only present when the
4498 A list of environment variables specified on the command line,
4502 The actual command that was executed.
4504 Messages are logged using the locale specified by
4505 \fIsudoers_locale\fR,
4506 which defaults to the
4509 .SS "Denied command log entries"
4510 If the user is not allowed to run the command, the reason for the denial
4511 will follow the user name.
4512 Possible reasons include:
4515 The user is not listed in the
4519 user NOT authorized on host
4520 The user is listed in the
4522 file but is not allowed to run commands on the host.
4525 The user is listed in the
4527 file for the host but they are not allowed to run the specified command.
4529 3 incorrect password attempts
4530 The user failed to enter their password after 3 tries.
4531 The actual number of tries will vary based on the number of
4532 failed attempts and the value of the
4536 a password is required
4539 option was specified but a password was required.
4541 sorry, you are not allowed to set the following environment variables
4542 The user specified environment variables on the command line that
4545 .SS "Error log entries"
4548 will log a message and, in most cases, send a message to the
4549 administrator via email.
4550 Possible errors include:
4552 parse error in @sysconfdir@/sudoers near line N
4554 encountered an error when parsing the specified file.
4555 In some cases, the actual error may be one line above or below the
4556 line number listed, depending on the type of error.
4558 problem with defaults entries
4561 file contains one or more unknown Defaults settings.
4562 This does not prevent
4564 from running, but the
4566 file should be checked using
4569 timestamp owner (username): \&No such user
4570 The time stamp directory owner, as specified by the
4571 \fItimestampowner\fR
4572 setting, could not be found in the password database.
4574 unable to open/read @sysconfdir@/sudoers
4577 file could not be opened for reading.
4578 This can happen when the
4580 file is located on a remote file system that maps user ID 0 to
4586 file using group permissions to avoid this problem.
4587 Consider either changing the ownership of
4588 \fI@sysconfdir@/sudoers\fR
4589 or adding an argument like
4590 \(lqsudoers_uid=N\(rq
4593 is the user ID that owns the
4595 file) to the end of the
4599 sudo.conf(@mansectform@)
4602 unable to stat @sysconfdir@/sudoers
4604 \fI@sysconfdir@/sudoers\fR
4607 @sysconfdir@/sudoers is not a regular file
4609 \fI@sysconfdir@/sudoers\fR
4610 file exists but is not a regular file or symbolic link.
4612 @sysconfdir@/sudoers is owned by uid N, should be 0
4615 file has the wrong owner.
4616 If you wish to change the
4618 file owner, please add
4619 \(lqsudoers_uid=N\(rq
4622 is the user ID that owns the
4628 sudo.conf(@mansectform@)
4631 @sysconfdir@/sudoers is world writable
4632 The permissions on the
4634 file allow all users to write to it.
4637 file must not be world-writable, the default file mode
4638 is 0440 (readable by owner and group, writable by none).
4639 The default mode may be changed via the
4640 \(lqsudoers_mode\(rq
4645 sudo.conf(@mansectform@)
4648 @sysconfdir@/sudoers is owned by gid N, should be 1
4651 file has the wrong group ownership.
4652 If you wish to change the
4654 file group ownership, please add
4655 \(lqsudoers_gid=N\(rq
4658 is the group ID that owns the
4664 sudo.conf(@mansectform@)
4667 unable to open @rundir@/ts/username
4669 was unable to read or create the user's time stamp file.
4670 This can happen when
4671 \fItimestampowner\fR
4672 is set to a user other than root and the mode on
4674 is not searchable by group or other.
4675 The default mode for
4679 unable to write to @rundir@/ts/username
4681 was unable to write to the user's time stamp file.
4683 @rundir@/ts is owned by uid X, should be Y
4684 The time stamp directory is owned by a user other than
4685 \fItimestampowner\fR.
4686 This can occur when the value of
4687 \fItimestampowner\fR
4690 will ignore the time stamp directory until the owner is corrected.
4692 @rundir@/ts is group writable
4693 The time stamp directory is group-writable; it should be writable only by
4694 \fItimestampowner\fR.
4695 The default mode for the time stamp directory is 0700.
4697 will ignore the time stamp directory until the mode is corrected.
4698 .SS "Notes on logging via syslog"
4708 fields are added by the system's
4713 As such, they may vary in format on different systems.
4715 The maximum size of syslog messages varies from system to system.
4718 setting can be used to change the maximum syslog message size
4719 from the default value of 980 bytes.
4720 For more information, see the description of
4721 \fIsyslog_maxlen\fR.
4722 .SS "Notes on logging to a file"
4727 will log to a local file, such as
4728 \fI/var/log/sudo\fR.
4729 When logging to a file,
4731 uses a format similar to
4733 with a few important differences:
4740 fields are not present.
4746 the date will also include the year.
4749 Lines that are longer than
4751 characters (80 by default) are word-wrapped and continued on the
4752 next line with a four character indent.
4753 This makes entries easier to read for a human being, but makes it
4754 more difficult to use
4759 option is set to 0 (or negated with a
4761 word wrap will be disabled.
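The following added example (not sudo's code) parses both entry formats described in the LOG FORMAT section: the syslog form with hostname and program name, and the log-file form without them, including re-joining lines that were word-wrapped onto four-space-indented continuation lines. Denied entries are recognised because the reason that follows the user name is the only segment without a KEY=value shape. The log lines are constructed, not captured from a real system.

```python
"""Parse sudoers accept/deny log entries in syslog and log-file formats.

Added example for the sudoers LOG FORMAT description; not sudo's code.
SAMPLE_LOG is constructed.
"""
import re

# syslog form: "date hostname progname: username : <body>"
SYSLOG_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^:\s]+):\s+(?P<rest>.*)$"
)
# log-file form: "date [year] : username : <body>" (no hostname/progname)
FILE_RE = re.compile(
    r"^(?P<date>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?: \d{4})?) : (?P<rest>.*)$"
)
FIELD_RE = re.compile(r"^([A-Z]+)=(.*)$", re.DOTALL)


def unwrap(lines):
    """Re-join log-file entries that were word-wrapped: a continuation line
    starts with a four-character indent and is appended to the previous one."""
    entries = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line.startswith("    ") and entries:
            entries[-1] += " " + line.lstrip()
        else:
            entries.append(line)
    return entries


def parse_entry(line):
    """Return a dict with date/host/prog/user, the denial reason (or None)
    and the KEY=value fields, or None if the line is not a sudoers entry."""
    m = FILE_RE.match(line) or SYSLOG_RE.match(line)
    if not m:
        return None
    groups = m.groupdict()
    entry = {"date": groups["date"], "host": groups.get("host"),
             "prog": groups.get("prog"), "denied": None, "fields": {}}
    user, _, body = groups["rest"].partition(" : ")
    entry["user"] = user.strip()
    for seg in body.split(" ; "):
        seg = seg.strip()
        if not seg:
            continue
        f = FIELD_RE.match(seg)
        if f is None:
            # Not KEY=value: this is the denial reason that follows the user name.
            entry["denied"] = seg
            continue
        key, value = f.groups()
        if key == "ENV" and " COMMAND=" in value:
            # ENV and COMMAND share one segment; COMMAND is always last.
            value, _, command = value.partition(" COMMAND=")
            entry["fields"]["COMMAND"] = command
        entry["fields"][key] = value
    return entry


def parse_log(text):
    return [e for e in (parse_entry(l) for l in unwrap(text.splitlines())) if e]


def denials(entries):
    """Entries a detection rule should alert on: refused or unauthenticated."""
    return [e for e in entries if e["denied"]]


SAMPLE_LOG = """\
Mar  4 12:00:01 anchor sudo: millert : TTY=pts/0 ; PWD=/home/millert ; USER=root ; TSID=000001 ; COMMAND=/usr/bin/id
Mar  4 12:00:07 anchor sudo: jwfox : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/jwfox ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Mar  4 12:01:13 anchor sudo: bostley : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/su
Mar  4 12:02:30 anchor sudo: dowdy : TTY=pts/3 ; PWD=/home/dowdy ; USER=oracle ; GROUP=dba ; ENV=ORACLE_SID=prod NLS_LANG=AMERICAN COMMAND=/usr/bin/sqlplus
Mar  4 12:03:45 2019 : millert : TTY=pts/0 ; PWD=/home/millert ; USER=root ;
    COMMAND=/usr/sbin/restore -rf /dev/nst0
"""

if __name__ == "__main__":
    for e in denials(parse_log(SAMPLE_LOG)):
        print(e["date"], e["user"], e["denied"], e["fields"].get("COMMAND"))
```

Note that a COMMAND value containing the literal sequence " ; " would be split by this parser; a stricter implementation would treat everything after the first COMMAND= as the command.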
4763 When I/O logging is enabled,
4765 will run the command in a pseudo-tty and log all user input and/or output,
4766 depending on which options are enabled.
4767 I/O is logged to the directory specified by the
4772 using a unique session ID that is included in the
4774 log line, prefixed with
4775 \(lq\fRTSID=\fR\(rq.
4778 option may be used to control the format of the session ID.
4780 Each I/O log is stored in a separate directory that contains the
4784 a text file containing the time the command was run, the name of the user
4787 the name of the target user, the name of the target group (optional),
4790 was run from, the number of rows and columns of the terminal,
4791 the working directory the command was run from and the path name of
4792 the command itself (with arguments if present)
4795 a log of the amount of time between, and the number of bytes in, each
4796 I/O log entry (used for session playback)
4799 input from the user's tty (what the user types)
4802 input from a pipe or file
4805 output from the pseudo-tty (what the command writes to the screen)
4808 standard output to a pipe or redirected to a file
4811 standard error to a pipe or redirected to a file
4813 All files other than
4815 are compressed in gzip format unless the
4817 flag has been disabled.
4818 Due to buffering, it is not normally possible to display the I/O logs in
4819 real-time as the program is executing.
4820 The I/O log data will not be complete until the program run by
4822 has exited or has been terminated by a signal.
4825 flag can be used to disable buffering, in which case I/O log data
4826 is written to disk as soon as it is available.
4827 The output portion of an I/O log file can be viewed with the
4828 sudoreplay(@mansectsu@)
4829 utility, which can also be used to list or search the available logs.
4831 Note that user input may contain sensitive information such as
4832 passwords (even if they are not echoed to the screen), which will
4833 be stored in the log file unencrypted.
4834 In most cases, logging the command output via
4838 is all that is required.
4840 Since each session's I/O logs are stored in a separate directory,
4841 traditional log rotation utilities cannot be used to limit the
4843 The simplest way to limit the number of I/O logs is by setting the
4845 option to the maximum number of logs you wish to store.
4846 Once the I/O log sequence number reaches
4848 it will be reset to zero and
4850 will truncate and re-use any existing I/O logs.
4853 \fI@sysconfdir@/sudo.conf\fR
4854 Sudo front end configuration
4856 \fI@sysconfdir@/sudoers\fR
4857 List of who can run what
4863 List of network groups
4869 Directory containing time stamps for the
4873 \fI@vardir@/lectured\fR
4874 Directory containing lecture status files for the
4878 \fI/etc/environment\fR
4879 Initial environment for
4881 mode on AIX and Linux systems
4886 Admittedly, some of these are a bit contrived.
4887 First, we allow a few environment variables to pass and then define our
4892 # Run X applications through sudo; HOME is used to find the
4893 # .Xauthority file. Note that other programs use HOME to find
4894 # configuration files and this may lead to privilege escalation!
4895 Defaults env_keep += "DISPLAY HOME"
4897 # User alias specification
4898 User_Alias FULLTIMERS = millert, mikef, dowdy
4899 User_Alias PARTTIMERS = bostley, jwfox, crawl
4900 User_Alias WEBMASTERS = will, wendy, wim
4902 # Runas alias specification
4903 Runas_Alias OP = root, operator
4904 Runas_Alias DB = oracle, sybase
4905 Runas_Alias ADMINGRP = adm, oper
4907 # Host alias specification
4908 Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
4909 SGI = grolsch, dandelion, black :\e
4910 ALPHA = widget, thalamus, foobar :\e
4911 HPPA = boa, nag, python
4912 Host_Alias CUNETS = 128.138.0.0/255.255.0.0
4913 Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
4914 Host_Alias SERVERS = master, mail, www, ns
4915 Host_Alias CDROM = orion, perseus, hercules
4917 # Cmnd alias specification
4918 Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
4919 /usr/sbin/restore, /usr/sbin/rrestore,\e
4920 sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \e
4921 /home/operator/bin/start_backups
4922 Cmnd_Alias KILL = /usr/bin/kill
4923 Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
4924 Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
4925 Cmnd_Alias HALT = /usr/sbin/halt
4926 Cmnd_Alias REBOOT = /usr/sbin/reboot
4927 Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\e
4928 /usr/local/bin/tcsh, /usr/bin/rsh,\e
4930 Cmnd_Alias SU = /usr/bin/su
4931 Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
4935 Here we override some of the compiled in default values.
4942 facility in all cases.
4943 We don't want to subject the full time staff to the
4947 need not give a password, and we don't want to reset the
4951 environment variables when running commands as root.
4952 Additionally, on the machines in the
4955 we keep an additional local log file and make sure we log the year
4956 in each log line since the log entries will be kept around for several years.
4957 Lastly, we disable shell escapes for the commands in the PAGERS
4959 (\fI/usr/bin/more\fR,
4962 \fI/usr/bin/less\fR)
4964 Note that this will not effectively constrain users with
4971 # Override built-in defaults
4972 Defaults syslog=auth
4973 Defaults>root !set_logname
4974 Defaults:FULLTIMERS !lecture
4975 Defaults:millert !authenticate
4976 Defaults@SERVERS log_year, logfile=/var/log/sudo.log
4977 Defaults!PAGERS noexec
4982 \fIUser specification\fR
4983 is the part that actually determines who may run what.
4987 root ALL = (ALL) ALL
4988 %wheel ALL = (ALL) ALL
4994 and any user in group
4996 run any command on any host as any user.
5000 FULLTIMERS ALL = NOPASSWD: ALL
5009 may run any command on any host without authenticating themselves.
5013 PARTTIMERS ALL = ALL
5022 may run any command on any host but they must authenticate themselves
5023 first (since the entry lacks the
5035 may run any command on the machines in the
5038 \fR128.138.243.0\fR,
5039 \fR128.138.204.0\fR,
5041 \fR128.138.242.0\fR).
5042 Of those networks, only
5044 has an explicit netmask (in CIDR notation) indicating it is a class C network.
5045 For the other networks in
5047 the local machine's netmask will be used during matching.
5057 may run any command on any host in the
5059 alias (the class B network
5064 operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e
5065 sudoedit /etc/printcap, /usr/oper/bin/
5071 user may run commands limited to simple maintenance.
5072 Here, those are commands related to backups, killing processes, the
5073 printing system, shutting down the system, and any commands in the
5075 \fI/usr/oper/bin/\fR.
5076 Note that one command in the
5078 Cmnd_Alias includes a sha224 digest,
5079 \fI/home/operator/bin/start_backups\fR.
5080 This is because the directory containing the script is writable by the
If the script is modified (resulting in a digest mismatch) it will no longer
be possible to run it via
joe ALL = /usr/bin/su operator
pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*
%opers ALL = (: ADMINGRP) /usr/sbin/
group may run commands in
with any group in the
is allowed to change anyone's password except for
Because command line arguments are matched as a single,
concatenated string, the
This example assumes that
does not take multiple user names on the command line.
Note that on GNU systems, options to
may be specified after the user argument.
As a result, this rule will also allow:
passwd username --expire
which may not be desirable.
bob SPARC = (OP) ALL : SGI = (OP) ALL
may run anything on the
machines as any user listed in the
may run any command on machines in the
is a netgroup due to the
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
netgroup need to help manage the printers as well as add and remove users,
so they are allowed to run those commands on all machines.
fred ALL = (DB) NOPASSWD: ALL
can run commands as any user in the
without giving a password.
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
may su to anyone except root but he is not allowed to specify any options
jen ALL, !SERVERS = ALL
may run any command on any machine except for those in the
(master, mail, www and ns).
jill SERVERS = /usr/bin/, !SU, !SHELLS
For any machine in the
any commands in the directory
except for those commands
While not specifically mentioned in the rule, the commands in the
steve CSNETS = (operator) /usr/local/op_commands/
may run any command in the directory /usr/local/op_commands/
but only as user operator.
matt valkyrie = KILL
On his personal workstation, valkyrie,
needs to be able to kill hung processes.
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
On the host www, any user in the
(will, wendy, and wim), may run any command as user www (which owns the
web pages) or simply
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
/sbin/mount -o nosuid\e,nodev /dev/cd0a /CDROM
Any user may mount or unmount a CD-ROM on the machines in the CDROM
(orion, perseus, hercules) without entering a password.
This is a bit tedious for users to type, so it is a prime candidate
for encapsulating in a shell script.
.SH "SECURITY NOTES"
.SS "Limitations of the \(oq!\&\(cq operator"
It is generally not effective to
A user can trivially circumvent this by copying the desired command
to a different name and then executing that.
bill ALL = ALL, !SU, !SHELLS
Doesn't really prevent
from running the commands listed in
since he can simply copy those commands to a different name, or use
a shell escape from an editor or other program.
Therefore, this kind of restriction should be considered
advisory at best (and reinforced by policy).
In general, if a user has sudo
there is nothing to prevent them from creating their own program that gives
them a root shell (or making their own copy of a shell) regardless of any
elements in the user specification.
.SS "Security implications of \fIfast_glob\fR"
option is in use, it is not possible to reliably negate commands where the
path name includes globbing (aka wildcard) characters.
This is because the C library's
function cannot resolve relative paths.
While this is typically only an inconvenience for rules that grant privileges,
it can result in a security issue for rules that subtract or revoke privileges.
For example, given the following
john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\e
/usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
\fR/usr/bin/passwd root\fR
is enabled by changing to
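The following POSIX shell script is an added illustration of the mechanism behind this note; it is not part of the sudo sources or of this manual. A shell "case" pattern matches the way fnmatch(3) does, against the command string exactly as it was typed, so a relative path such as ./passwd never matches the absolute pattern in a negated rule. The second check canonicalises the typed path before matching; that is an assumed stand-in for the path-resolving behaviour relied on when fast_glob is off, not a reproduction of sudoers internals. All paths live in a constructed temporary directory.

```shell
#!/bin/sh
# Added example, not from the sudo sources: why a negated glob rule can be
# missed when fast_glob is on.  A "case" pattern matches the way fnmatch(3)
# does, against the command string exactly as it was typed, so a relative
# path never matches an absolute pattern.

# fnmatch-style check: $1 = sudoers command pattern, $2 = command as typed
fnmatch_like() {
    case "$2" in
        $1) return 0 ;;
        *)  return 1 ;;
    esac
}

# Canonicalise the typed command to an absolute path (directory part via
# pwd -P, then the base name) before matching.  This stands in for the
# slower, path-resolving behaviour relied on when fast_glob is off; the
# exact internals of sudoers are not reproduced here (assumption).
resolve_cmd() {
    dir=$(dirname -- "$1"); base=$(basename -- "$1")
    ( cd -- "$dir" 2>/dev/null && printf '%s/%s\n' "$(pwd -P)" "$base" ) \
        || printf '%s\n' "$1"
}
resolved_match() { fnmatch_like "$1" "$(resolve_cmd "$2")"; }

# Stand-alone demo in a constructed sandbox directory (no real system
# paths are touched).  Prints "abs:hit fast:miss resolved:hit".
demo_fast_glob() {
    demo=$(cd "$(mktemp -d)" && pwd -P)
    mkdir -p "$demo/usr/bin" && : > "$demo/usr/bin/passwd"
    pattern="$demo/usr/bin/*"                # plays the role of !/usr/bin/* root
    result=$(
        cd "$demo/usr/bin" || exit 1
        if fnmatch_like "$pattern" "$demo/usr/bin/passwd"; then a=hit; else a=miss; fi
        if fnmatch_like "$pattern" ./passwd; then f=hit; else f=miss; fi
        if resolved_match "$pattern" ./passwd; then r=hit; else r=miss; fi
        printf 'abs:%s fast:%s resolved:%s' "$a" "$f" "$r"
    )
    rm -rf -- "$demo"
    printf '%s\n' "$result"
}

demo_fast_glob
```

The "fast:miss" result is the point: the negation never fires on the relative spelling, so a rule that subtracts privileges with a glob must not be relied on while fast_glob is enabled; the resolved check shows why the default (slower) matching is the safe choice for such rules.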
.SS "Preventing shell escapes"
executes a program, that program is free to do whatever
it pleases, including running other programs.
This can be a security issue since it is not uncommon for a program to
allow shell escapes, which lets a user bypass
access control and logging.
Common programs that permit shell escapes include shells (obviously),
editors, paginators, mail and terminal programs.
There are two basic approaches to this problem:
Avoid giving users access to commands that allow the user to run
Many editors have a restricted mode where shell
escapes are disabled, though
is a better solution to
Due to the large number of programs that
offer shell escapes, restricting users to the set of programs that
do not is often unworkable.
Many systems that support shared libraries have the ability to
override default library functions by pointing an environment
to an alternate shared library.
functionality can be used to prevent a program run by
from executing any other programs.
Note, however, that this applies only to native dynamically-linked
Statically-linked executables and foreign executables
running under binary emulation are not affected.
feature is known to work on SunOS, Solaris, *BSD,
Linux, IRIX, Tru64 UNIX, macOS, HP-UX 11.x and AIX 5.3 and above.
It should be supported on most operating systems that support the
environment variable.
Check your operating system's manual pages for the dynamic linker
(usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
On Solaris 10 and higher,
uses Solaris privileges instead of the
environment variable.
for a command, use the
in the User Specification section above.
Here is that example again:
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
This will prevent those two commands from
executing other commands (such as a shell).
If you are unsure whether or not your system is capable of supporting
you can always just try it out and check whether shell escapes work when
Note that restricting shell escapes is not a panacea.
Programs running as root are still capable of many potentially hazardous
operations (such as changing or overwriting files) that could lead
to unintended privilege escalation.
In the specific case of an editor, a safer approach is to give the
user permission to run
.SS "Secure editing"
support which allows users to securely edit files with the editor
is a built-in command, it must be specified in the
file without a leading path.
However, it may take command line arguments just as a normal command does.
command line arguments are expected to be path names, so a forward slash
will not be matched by a wildcard.
commands, the editor is run with the permissions of the invoking
user and with the environment unmodified.
More information may be found in the description of the
For example, to allow user operator to edit the
\(lqmessage of the day\(rq
operator sudoedit /etc/motd
The operator user then runs
$ sudoedit /etc/motd
The editor will run as the operator user, not root, on a temporary copy of
After the file has been edited,
will be updated with the contents of the temporary copy.
permission to edit a file that resides in a directory the user
has write access to, either directly or via a wildcard.
If the user has write access to the directory it is possible to
replace the legitimate file with a link to another file,
allowing the editing of arbitrary files.
To prevent this, starting with version 1.8.16, symbolic links will
not be followed in writable directories and
will refuse to edit a file located in a writable directory
\fIsudoedit_checkdir\fR
option has been disabled or the invoking user is root.
Additionally, in version 1.8.15 and higher,
will refuse to open a symbolic link unless either the
\fIsudoedit_follow\fR
option is enabled or the
command is prefixed with the
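The three warnings above (exclusions with "!" under a broad grant, editors and paginators granted without NOEXEC, and sudoedit rules that reach files through a wildcard) are easy to check for mechanically. The script below is an added example and not part of sudo or of this manual: a small lint that reads a sudoers file line by line, honouring backslash continuations, and reports those patterns. It does not expand aliases, #include directives, escaped commas or SELinux specs, and the list of shell-escape-capable programs is an assumption built from the categories this manual names. The sample policy it runs on is constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of sudo: a small lint for the three patterns this
# manual warns about.  It reads a sudoers file line by line (honouring "\"
# continuations) and does not expand aliases, #include directives,
# escaped commas or SELinux specs, so treat its output as a starting point.

# Programs the manual describes as offering shell escapes (editors,
# paginators, shells).  This list is an assumption; extend it as needed.
ESCAPE_PROGS='/usr/bin/vi /usr/bin/vim /usr/bin/more /usr/bin/less /bin/sh /bin/bash'

lint_sudoers() {    # $1 = sudoers file; prints "LINE: user host: finding"
    awk -v progs="$ESCAPE_PROGS" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    BEGIN { n = split(progs, p, " "); for (i = 1; i <= n; i++) escapes[p[i]] = 1 }
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }        # join continuation lines
    {
        line = buf $0; buf = ""
        if (line ~ /^[ \t]*(#|$)/) next                  # comments, blanks, #include
        if (line ~ /^[ \t]*(Defaults|User_Alias|Runas_Alias|Host_Alias|Cmnd_Alias)/) next
        eq = index(line, "=")
        if (eq == 0) next
        who = trim(substr(line, 1, eq - 1)); cmds = substr(line, eq + 1)

        # 1. "!" exclusions only bite if the grant itself is narrow; next to
        #    ALL or a whole directory they are advisory (see "Limitations").
        if (cmds ~ /(^|[ \t,])!/ && (cmds ~ /(^|[ \t,:)])ALL([ \t,]|$)/ || cmds ~ /\/([ \t,]|$)/))
            printf("%d: %s: \"!\" exclusions under an ALL or directory grant are advisory only\n", NR, who)

        # 2./3. walk the command list, tracking the NOEXEC/EXEC tag state,
        #       which persists across commands in the list until changed.
        n = split(cmds, items, ","); noexec = 0
        for (i = 1; i <= n; i++) {
            item = trim(items[i])
            sub(/^\([^)]*\)[ \t]*/, "", item)            # drop a Runas spec "(...)"
            while (item ~ /^[A-Z_]+:/) {
                tag = item; sub(/:.*/, "", tag)
                if (tag == "NOEXEC") noexec = 1; else if (tag == "EXEC") noexec = 0
                sub(/^[A-Z_]+:[ \t]*/, "", item)
            }
            if (item ~ /^!/) continue                    # a negation grants nothing
            prog = item; sub(/[ \t].*/, "", prog)
            if ((prog in escapes) && !noexec)
                printf("%d: %s: %s granted without NOEXEC (shell escapes possible)\n", NR, who, prog)
            if (prog == "sudoedit" && item ~ /[*?]|\[/) {
                args = item; sub(/^sudoedit[ \t]*/, "", args)
                printf("%d: %s: sudoedit with a wildcard path (%s) can be pointed at other files\n", NR, who, args)
            }
        }
    }' "$1"
}

# Constructed sample policy for the demo (not a real configuration).
make_sample_sudoers() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample, not a real policy
Defaults env_reset
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias SHELLS = /bin/sh, /bin/bash
bill ALL = ALL, !SU, !SHELLS
jill SERVERS = /usr/bin/, !SU, !SHELLS
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
dana ALL = /usr/bin/vi, NOEXEC: /usr/bin/more
operator ALL = sudoedit /etc/motd
erin ALL = sudoedit /home/erin/*.conf, \
    /usr/bin/less
EOF
    printf '%s\n' "$f"
}

sample=$(make_sample_sudoers)
lint_sudoers "$sample"
rm -f -- "$sample"
```

On the sample the lint reports bill and jill (broad grant plus exclusions), dana's vi and erin's less (no NOEXEC), and erin's wildcard sudoedit rule; john's rule is not reported because its grant is already narrow, and aaron's rule is clean because the NOEXEC tag carries over to vi.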
.SS "Time stamp file checks"
will check the ownership of its time stamp directory
and ignore the directory's contents if it is not owned by root or
if it is writable by a user other than root.
stored time stamp files in
this is no longer recommended as it may be possible for a user
to create the time stamp themselves on systems that allow
unprivileged users to change the ownership of files they create.
While the time stamp directory
be cleared at reboot time, not all systems contain a
To avoid potential problems,
will ignore time stamp files that date from before the machine booted
on systems where the boot time is available.
Some systems with graphical desktop environments allow unprivileged
users to change the system clock.
relies on the system clock for time stamp validation, it may be
possible on such systems for a user to run
\fItimestamp_timeout\fR
by setting the clock back.
uses a monotonic clock (which never moves backwards) for its time stamps
if the system supports it.
will not honor time stamps set far in the future.
Time stamps with a date greater than current_time + 2 *
will log and complain.
\fItimestamp_type\fR
the time stamp record includes the device number of the terminal
the user authenticated with.
This provides per-terminal granularity but time stamp records may still
outlive the user's session.
\fItimestamp_type\fR
the time stamp record also includes the session ID of the process
that last authenticated.
This prevents processes in different terminal sessions from using
the same time stamp record.
On systems where a process's start time can be queried,
the start time of the session leader
is recorded in the time stamp record.
If no terminal is present or the
\fItimestamp_type\fR
the start time of the parent process is used instead.
In most cases this will prevent a time stamp record from being re-used
without the user entering a password when logging out and back in again.
Versions 1.8.4 and higher of the
plugin support a flexible debugging framework that can help track
down what the plugin is doing internally if there is a problem.
This can be configured in the
sudo.conf(@mansectform@)
plugin uses the same debug flag format as the
\fIsubsystem\fR@\fIpriority\fR.
The priorities used by
in order of decreasing severity,
\fIcrit\fR, \fIerr\fR, \fIwarn\fR, \fInotice\fR, \fIdiag\fR, \fIinfo\fR, \fItrace\fR
Each priority, when specified, also includes all priorities higher
For example, a priority of
would include debug messages logged at
The following subsystems are used by the
matches every subsystem
BSM and Linux audit code
environment handling
matching of users, groups, hosts and netgroups in the
network interface handling
network service switch handling in
pseudo-tty related code
red-black tree internals
Debug sudo /var/log/sudo_debug match@info,nss@info
For more information, see the
sudo.conf(@mansectform@)
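To make the priority semantics concrete, the following POSIX shell functions evaluate a Debug flag list of the form subsystem@priority,subsystem@priority the way the text describes: a selected priority also enables every more severe one, and the subsystem "all" selects every subsystem. This is an added example and not code from sudo; it uses only the seven priorities listed in this manual, assumes the flag list contains no spaces, and does not attempt to reproduce sudo's own parser.

```shell
#!/bin/sh
# Added example, not part of sudo: decide whether a debug message at a given
# subsystem and priority would be written under a Debug line such as
#   Debug sudo /var/log/sudo_debug match@info,nss@info
# The priority list below is the one this manual gives, most severe first.
PRIORITIES='crit err warn notice diag info trace'

# prio_rank NAME -> prints 1 for crit up to 7 for trace; fails on unknown names
prio_rank() {
    r=0
    for p in $PRIORITIES; do
        r=$((r + 1))
        if [ "$p" = "$1" ]; then printf '%s\n' "$r"; return 0; fi
    done
    return 1
}

# debug_enabled FLAGS SUBSYSTEM PRIORITY -> 0 if logged, 1 if not,
# 2 on a malformed flag or unknown priority.  FLAGS is the comma-separated
# subsystem@priority list with no spaces; "all" selects every subsystem.
debug_enabled() {
    want=$(prio_rank "$3") || return 2
    flags=$1
    while [ -n "$flags" ]; do
        flag=${flags%%,*}
        case "$flags" in *,*) flags=${flags#*,} ;; *) flags= ;; esac
        case "$flag" in *@*) ;; *) return 2 ;; esac
        sub=${flag%@*}; pri=${flag#*@}
        if [ "$sub" = "$2" ] || [ "$sub" = all ]; then
            have=$(prio_rank "$pri") || return 2
            # a selected priority also includes every more severe one
            if [ "$want" -le "$have" ]; then return 0; fi
        fi
    done
    return 1
}

# Stand-alone demo against the Debug line quoted above.
FLAGS='match@info,nss@info'
for probe in match:err match:trace ldap:err nss:info; do
    s=${probe%:*}; p=${probe#*:}
    if debug_enabled "$FLAGS" "$s" "$p"; then
        echo "$s@$p: logged"
    else
        echo "$s@$p: dropped"
    fi
done
```

With match@info,nss@info, a message from the match subsystem at err is logged (err is more severe than info), one at trace is dropped (less severe), and anything from a subsystem that is not listed, such as ldap, is dropped regardless of priority.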
sudo.conf(@mansectform@),
sudo_plugin(@mansectform@),
sudoers.ldap(@mansectform@),
sudoers_timestamp(@mansectform@),
Many people have worked on
over the years; this version consists of code written primarily by:
See the CONTRIBUTORS file in the
distribution (https://www.sudo.ws/contributors.html) for an
exhaustive list of people who have contributed to
command which locks the file and does grammatical checking.
file be free of syntax errors since
will not run with a syntactically incorrect
When using netgroups of machines (as opposed to users), if you
store fully qualified host names in the netgroup (as is usually the
case), you either need to have the machine's host name be fully qualified
If you feel you have found a bug in
please submit a bug report at https://bugzilla.sudo.ws/
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
or https://www.sudo.ws/license.html for complete details.