2 .\" SPDX-License-Identifier: ISC
4 .\" Copyright (c) 1994-1996, 1998-2005, 2007-2019
5 .\" Todd C. Miller <Todd.Miller@sudo.ws>
7 .\" Permission to use, copy, modify, and distribute this software for any
8 .\" purpose with or without fee is hereby granted, provided that the above
9 .\" copyright notice and this permission notice appear in all copies.
11 .\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
12 .\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
13 .\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
14 .\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
15 .\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
16 .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
17 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 .\" Sponsored in part by the Defense Advanced Research Projects
20 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
21 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
28 .Dt SUDOERS @mansectform@
29 .Os Sudo @PACKAGE_VERSION@
32 .Nd default sudo security policy plugin
36 policy plugin determines a user's
42 The policy is driven by
44 .Pa @sysconfdir@/sudoers
file or, optionally, in LDAP.
46 The policy format is described in detail in the
47 .Sx SUDOERS FILE FORMAT
49 For information on storing
53 .Xr sudoers.ldap @mansectform@ .
54 .Ss Configuring sudo.conf for sudoers
57 .Xr sudo.conf @mansectform@
58 file to determine which policy and I/O logging plugins to load.
60 .Xr sudo.conf @mansectform@
61 file is present, or if it contains no
65 will be used for policy decisions and I/O logging.
66 To explicitly configure
67 .Xr sudo.conf @mansectform@
70 plugin, the following configuration can be used.
71 .Bd -literal -offset indent
72 Plugin sudoers_policy sudoers.so
73 Plugin sudoers_io sudoers.so
78 1.8.5, it is possible to specify optional arguments to the
81 .Xr sudo.conf @mansectform@
83 These arguments, if present, should be listed after the path to the plugin
86 Multiple arguments may be specified, separated by white space.
88 .Bd -literal -offset indent
89 Plugin sudoers_policy sudoers.so sudoers_mode=0400
92 The following plugin arguments are supported:
94 .It ldap_conf=pathname
97 argument can be used to override the default path to the
100 .It ldap_secret=pathname
103 argument can be used to override the default path to the
106 .It sudoers_file=pathname
109 argument can be used to override the default path to the
115 argument can be used to override the default owner of the sudoers file.
116 It should be specified as a numeric user ID.
120 argument can be used to override the default group of the sudoers file.
121 It must be specified as a numeric group ID (not a group name).
122 .It sudoers_mode=mode
125 argument can be used to override the default file mode for the sudoers file.
126 It should be specified as an octal value.
129 For more information on configuring
130 .Xr sudo.conf @mansectform@ ,
131 please refer to its manual.
132 .Ss User Authentication
135 security policy requires that most users authenticate
136 themselves before they can use
138 A password is not required
139 if the invoking user is root, if the target user is the same as the
140 invoking user, or if the policy has disabled authentication for the
147 authentication, it validates the invoking user's credentials, not
148 the target user's (or root's) credentials.
149 This can be changed via
155 flags, described later.
157 If a user who is not listed in the policy tries to run a command
160 mail is sent to the proper authorities.
162 used for such mail is configurable via the
165 (described later) and defaults to
168 Note that no mail will be sent if an unauthorized user tries to run
174 option unless there is an authentication error and
181 determine for themselves whether or not they are allowed to use
186 will be logged, regardless of whether or not mail is sent.
190 is run by root and the
195 policy will use this value to determine who
197 This can be used by a user to log commands
198 through sudo even when a root shell has been invoked.
202 option to remain useful even when invoked via a
203 sudo-run script or program.
204 Note, however, that the
206 file lookup is still done for root, not the user specified by
210 uses per-user time stamp files for credential caching.
211 Once a user has been authenticated, a record is written
212 containing the user ID that was used to authenticate, the
213 terminal session ID, the start time of the session leader
214 (or parent process) and a time stamp
215 (using a monotonic clock if one is available).
216 The user may then use
218 without a password for a short period of time
221 minutes unless overridden by the
222 .Em timestamp_timeout
227 uses a separate record for each terminal, which means that
228 a user's login sessions are authenticated separately.
231 option can be used to select the type of time stamp record
236 can log both successful and unsuccessful attempts (as well
244 but this is changeable via the
251 for a description of the log file format.
254 is also capable of running a command in a pseudo-terminal and logging all
256 The standard input, standard output and standard error can be logged
257 even when not associated with a terminal.
258 I/O logging is not on by default but can be enabled using
263 options as well as the
270 for details on how I/O log files are stored.
271 .Ss Command environment
272 Since environment variables can influence program behavior,
274 provides a means to restrict which variables from the user's
275 environment are inherited by the command to be run.
279 can deal with environment variables.
285 to be executed with a new, minimal environment.
287 systems without PAM), the environment is initialized with the
296 option is enabled, the environment is initialized
302 .Pa /etc/login.conf .
311 environment variables are initialized based on the target user
314 variables are set based on the invoking user.
315 Additional variables, such as
320 are preserved from the invoking user's environment if permitted by the
325 This is effectively a whitelist for environment variables.
326 A few environment variables are treated specially.
331 variables are not preserved from the user's environment, they will be set
337 are handled as a single entity.
338 If one of them is preserved (or removed) from the user's environment,
339 the other will be as well.
344 are to be preserved but only one of them is present in the user's environment,
345 the other will be set to the same value.
346 This avoids an inconsistent environment where one of the variables
347 describing the user name is set to the invoking user and one is
348 set to the target user.
349 Environment variables with a value beginning with
351 are removed unless both the name and value parts are matched by
355 as they may be interpreted as functions by the
358 Prior to version 1.8.11, such variables were always removed.
362 option is disabled, any variables not
363 explicitly denied by the
368 inherited from the invoking process.
373 behave like a blacklist.
374 Prior to version 1.8.21, environment variables with a value beginning with
377 Beginning with version 1.8.21, a pattern in
381 shell functions instead.
382 Since it is not possible
383 to blacklist all potentially dangerous environment variables, use
386 behavior is encouraged.
388 Environment variables specified by
393 may include one or more
395 characters which will match zero or more characters.
396 No other wildcard characters are supported.
398 By default, environment variables are matched by name.
399 However, if the pattern includes an equal sign
401 both the variables name and value must match.
404 shell function could be matched as follows:
405 .Bd -literal -offset 4n
406 env_keep += "BASH_FUNC_my_func%%=()*"
411 suffix, this would not match, as
413 shell functions are not preserved by default.
415 The complete list of environment variables that are preserved or removed,
416 as modified by global Defaults parameters in
420 is run by root with the
423 Please note that the list of environment variables to remove
424 varies based on the operating system
430 options may influence the command environment, such as
431 .Em always_set_home ,
437 On systems that support PAM where the
439 module is enabled for
441 variables in the PAM environment may be merged in to the environment.
442 If a variable in the PAM environment is already present in the
443 user's environment, the value will only be overridden if the variable
448 is enabled, variables preserved from the invoking user's environment
451 list take precedence over those in the PAM environment.
is disabled, variables present in the invoking user's environment
455 take precedence over those in the PAM environment unless they
456 match a pattern in the
460 Note that the dynamic linker on most operating systems will remove
461 variables that can control dynamic linking from the environment of
462 setuid executables, including
464 Depending on the operating
465 system this may include
These types of variables are
474 removed from the environment before
476 even begins execution
477 and, as such, it is not possible for
481 As a special case, if
484 option (initial login) is
487 will initialize the environment regardless
495 variables remain unchanged;
502 are set based on the target user.
504 systems without PAM), the contents of
522 All other environment variables are removed unless permitted by
529 .Em restricted_env_file
532 files are applied, if present.
534 .Em restricted_env_file
535 are applied first and are subject to the same restrictions as the
536 invoking user's environment, as detailed above.
539 are applied last and are not subject to these restrictions.
540 In both cases, variables present in the files will only be set to
541 their specified values if they would not conflict with an existing
542 environment variable.
543 .Sh SUDOERS FILE FORMAT
546 file is composed of two types of entries: aliases
547 (basically variables) and user specifications (which specify who
550 When multiple entries match for a user, they are applied in order.
551 Where there are multiple matches, the last match is used (which is
552 not necessarily the most specific match).
556 file grammar will be described below in Extended Backus-Naur
558 Don't despair if you are unfamiliar with EBNF; it is fairly simple,
559 and the definitions below are annotated.
560 .Ss Quick guide to EBNF
561 EBNF is a concise and exact way of describing the grammar of a language.
562 Each EBNF definition is made up of
563 .Em production rules .
566 .Li symbol ::= definition | alternate1 | alternate2 ...
570 references others and thus makes up a
571 grammar for the language.
572 EBNF also contains the following
573 operators, which many readers will recognize from regular
575 Do not, however, confuse them with
577 characters, which have different meanings.
580 Means that the preceding symbol (or group of symbols) is optional.
581 That is, it may appear once or not at all.
583 Means that the preceding symbol (or group of symbols) may appear
586 Means that the preceding symbol (or group of symbols) may appear
590 Parentheses may be used to group symbols together.
592 we will use single quotes
594 to designate what is a verbatim character string (as opposed to a symbol name).
596 There are four kinds of aliases:
Alias ::= 'User_Alias' User_Alias_Spec (':' User_Alias_Spec)* |
          'Runas_Alias' Runas_Alias_Spec (':' Runas_Alias_Spec)* |
          'Host_Alias' Host_Alias_Spec (':' Host_Alias_Spec)* |
          'Cmnd_Alias' Cmnd_Alias_Spec (':' Cmnd_Alias_Spec)*
610 User_Alias_Spec ::= User_Alias '=' User_List
614 Runas_Alias_Spec ::= Runas_Alias '=' Runas_List
618 Host_Alias_Spec ::= Host_Alias '=' Host_List
622 Cmnd_Alias_Spec ::= Cmnd_Alias '=' Cmnd_List
624 NAME ::= [A-Z]([A-Z][0-9]_)*
629 definition is of the form
631 Alias_Type NAME = item1, item2, ...
644 is a string of uppercase letters, numbers,
645 and underscore characters
652 It is possible to put several alias definitions
653 of the same type on a single line, joined by a colon
657 Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
660 It is a syntax error to redefine an existing
662 It is possible to use the same name for
664 of different types, but this is not recommended.
666 The definitions of what constitutes a valid
673 User ::= '!'* user name |
678 '!'* %:nonunix_group |
679 '!'* %:#nonunix_gid |
685 is made up of one or more user names, user IDs
688 system group names and IDs (prefixed with
692 respectively), netgroups (prefixed with
694 non-Unix group names and IDs (prefixed with
699 .Li User_Alias Ns es.
700 Each list item may be prefixed with zero or more
705 operators negate the value of
706 the item; an even number just cancel each other out.
707 User netgroups are matched using the user and domain members only;
708 the host member is not used when matching.
719 may be enclosed in double quotes to avoid the
720 need for escaping special characters.
721 Alternately, special characters
722 may be specified in escaped hex mode, e.g., \ex20 for space.
724 using double quotes, any prefix characters must be included inside
732 the underlying group provider plugin.
733 For instance, the QAS AD plugin supports the following formats:
734 .Bl -bullet -width 1n
736 Group in the same domain: "%:Group Name"
738 Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
740 Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
744 .Sx "GROUP PROVIDER PLUGINS"
745 for more information.
747 Note that quotes around group names are optional.
748 Unquoted strings must use a backslash
750 to escape spaces and special characters.
752 .Sx Other special characters and reserved words
754 characters that need to be escaped.
756 Runas_List ::= Runas_Member |
757 Runas_Member ',' Runas_List
759 Runas_Member ::= '!'* user name |
763 '!'* %:nonunix_group |
764 '!'* %:#nonunix_gid |
777 .Li Runas_Alias Ns es .
779 user names and groups are matched as strings.
781 users (groups) with the same uid (gid) are considered to be distinct.
782 If you wish to match all user names with the same uid (e.g.,
783 root and toor), you can use a uid instead (#0 in the example given).
788 Host ::= '!'* host name |
790 '!'* network(/netmask)? |
797 is made up of one or more host names, IP addresses,
798 network numbers, netgroups (prefixed with
801 Again, the value of an item may be negated with the
804 Host netgroups are matched using the host (both qualified and unqualified)
805 and domain members only; the user member is not used when matching.
806 If you specify a network number without a netmask,
808 will query each of the local host's network interfaces and,
if the network number corresponds to one of the host's network
810 interfaces, will use the netmask of that interface.
811 The netmask may be specified either in standard IP address notation
812 (e.g., 255.255.255.0 or ffff:ffff:ffff:ffff::),
813 or CIDR notation (number of bits, e.g., 24 or 64).
814 A host name may include shell-style wildcards (see the
819 command on your machine returns the fully
820 qualified host name, you'll need to use the
822 option for wildcards to be useful.
825 only inspects actual network interfaces; this means that IP address
826 127.0.0.1 (localhost) will never match.
829 will only match if that is the actual host name, which is usually
830 only the case for non-networked systems.
832 digest ::= [A-Fa-f0-9]+ |
835 Digest_Spec ::= "sha224" ':' digest |
836 "sha256" ':' digest |
837 "sha384" ':' digest |
843 command name ::= file name |
847 Cmnd ::= Digest_Spec? '!'* command name |
855 is a list of one or more command names, directories, and other aliases.
856 A command name is a fully qualified file name which may include
857 shell-style wildcards (see the
860 A simple file name allows the user to run the command with any
862 However, you may also specify command line arguments (including
864 Alternately, you can specify
866 to indicate that the command
869 command line arguments.
871 fully qualified path name ending in a
873 When you specify a directory in a
875 the user will be able to run any file within that directory
876 (but not in any sub-directories therein).
880 has associated command line arguments, then the arguments
883 must match exactly those given by the user on the command line
884 (or match the wildcards if there are any).
885 Note that the following characters must be escaped with a
887 if they are used in command arguments:
894 is used to permit a user to run
900 It may take command line arguments just as a normal command does.
903 is a command built into
905 itself and must be specified in the
907 file without a leading path.
913 the command will only match successfully if it can be verified
914 using the specified SHA-2 digest.
915 The following digest formats are supported: sha224, sha256, sha384 and sha512.
916 The string may be specified in either hex or base64 format
917 (base64 is more compact).
918 There are several utilities capable of generating SHA-2 digests in hex
919 format such as openssl, shasum, sha224sum, sha256sum, sha384sum, sha512sum.
921 For example, using openssl:
923 $ openssl dgst -sha224 /bin/ls
924 SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25
927 It is also possible to use openssl to generate base64 output:
929 $ openssl dgst -binary -sha224 /bin/ls | openssl base64
930 EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
933 Warning, if the user has write access to the command itself (directly or via a
935 command), it may be possible for the user to replace the command after the
936 digest check has been performed but before the command is executed.
937 A similar race condition exists on systems that lack the
939 system call when the directory in which the command is located
940 is writable by the user.
941 See the description of the
943 setting for more information on how
945 executes commands that have an associated digest.
947 Command digests are only supported by version 1.8.7 or higher.
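As an added example (my own code, not part of sudo), the following Python checks a command file against a Digest_Spec in either of the two encodings shown above (hex as printed by openssl dgst, base64 as printed by openssl base64), and hashes the file through the same descriptor that would later be handed to os.fexecve(), which is what closes the check-then-execute window when the directory, rather than the file, is writable. Function names are my own.

```python
import base64
import binascii
import hashlib
import hmac
import os

# Digest algorithms accepted by the sudoers Digest_Spec grammar, with the
# length in bytes of the raw digest (used to tell hex apart from base64).
DIGEST_ALGOS = {"sha224": 28, "sha256": 32, "sha384": 48, "sha512": 64}


def parse_digest_spec(spec):
    """Split 'sha256:<digest>' into (algorithm, raw digest bytes).

    The digest may be hex (as printed by openssl dgst or sha256sum) or
    base64 (as printed by 'openssl dgst -binary ... | openssl base64').
    Raises ValueError for an unknown algorithm or an undecodable digest.
    """
    algo, sep, encoded = spec.partition(":")
    algo = algo.lower()
    if not sep or algo not in DIGEST_ALGOS:
        raise ValueError("unsupported digest spec: %r" % spec)
    want_len = DIGEST_ALGOS[algo]
    raw = None
    # Hex is exactly two characters per byte, so the length disambiguates.
    if len(encoded) == want_len * 2:
        try:
            raw = binascii.unhexlify(encoded)
        except (binascii.Error, ValueError):
            raw = None
    if raw is None:
        try:
            raw = base64.b64decode(encoded, validate=True)
        except (binascii.Error, ValueError):
            raise ValueError("digest is neither hex nor base64: %r" % encoded)
    if len(raw) != want_len:
        raise ValueError("digest length does not fit %s" % algo)
    return algo, raw


def digest_matches(spec, data):
    """True when 'data' hashes to the digest in 'spec' (constant-time compare)."""
    algo, want = parse_digest_spec(spec)
    return hmac.compare_digest(hashlib.new(algo, data).digest(), want)


def make_digest_spec(algo, data, encoding="hex"):
    """Build the Digest_Spec a rule author would write for 'data'."""
    raw = hashlib.new(algo, data).digest()
    if encoding == "hex":
        return "%s:%s" % (algo, raw.hex())
    return "%s:%s" % (algo, base64.b64encode(raw).decode("ascii"))


def open_verified(path, spec):
    """Open 'path', check its contents against 'spec' through the open
    descriptor and return that descriptor (-1 on mismatch).

    Because the same descriptor is both hashed and later handed to
    os.fexecve(), swapping the file at 'path' in between is not picked up.
    This does not help when the file itself is writable by the user, which
    is the first race the text describes.
    """
    fd = os.open(path, os.O_RDONLY)
    try:
        with os.fdopen(os.dup(fd), "rb") as fp:
            ok = digest_matches(spec, fp.read())
    except ValueError:
        os.close(fd)
        raise
    if ok:
        return fd
    os.close(fd)
    return -1


if __name__ == "__main__":
    import tempfile
    # Constructed sample: a throwaway script standing in for /bin/ls.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"#!/bin/sh\necho constructed sample\n")
        sample = tmp.name
    with open(sample, "rb") as fp:
        spec = make_digest_spec("sha224", fp.read(), "base64")
    print(spec)
    fd = open_verified(sample, spec)
    print("verified" if fd >= 0 else "mismatch")
    if fd >= 0:
        os.close(fd)
    os.unlink(sample)
```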
949 Certain configuration options may be changed from their default
950 values at run-time via one or more
953 These may affect all users on any host, all users on a specific host, a
954 specific user, a specific command, or commands being run as a specific user.
955 Note that per-command entries may not include command line arguments.
956 If you need to specify arguments, define a
Default_Type ::= 'Defaults' |
                 'Defaults' '@' Host_List |
                 'Defaults' ':' User_List |
                 'Defaults' '!' Cmnd_List |
                 'Defaults' '>' Runas_List
967 Default_Entry ::= Default_Type Parameter_List
969 Parameter_List ::= Parameter |
970 Parameter ',' Parameter_List
972 Parameter ::= Parameter '=' Value |
973 Parameter '+=' Value |
974 Parameter '-=' Value |
985 Flags are implicitly boolean and can be turned off via the
988 Some integer, string and list parameters may also be
989 used in a boolean context to disable them.
990 Values may be enclosed
993 when they contain multiple words.
994 Special characters may be escaped with a backslash
997 Lists have two additional assignment operators,
1001 These operators are used to add to and delete from a list respectively.
1002 It is not an error to use the
1004 operator to remove an element
1005 that does not exist in a list.
1007 Defaults entries are parsed in the following order: generic, host,
1008 user and runas Defaults first, then command defaults.
1009 If there are multiple Defaults settings of the same type, the last
1010 matching setting is used.
1011 The following Defaults settings are parsed before all others since
1012 they may affect subsequent entries:
1016 .Em sudoers_locale .
1020 for a list of supported Defaults parameters.
1021 .Ss User specification
1023 User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
1024 (':' Host_List '=' Cmnd_Spec_List)*
1026 Cmnd_Spec_List ::= Cmnd_Spec |
1027 Cmnd_Spec ',' Cmnd_Spec_List
1029 Cmnd_Spec ::= Runas_Spec? Option_Spec* Tag_Spec* Cmnd
1031 Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
1034 .ie \n(PS Option_Spec ::= (SELinux_Spec | Solaris_Priv_Spec | Date_Spec | Timeout_Spec)
1035 .el Option_Spec ::= (SELinux_Spec | Date_Spec | Timeout_Spec)
1038 .ie \n(PS Option_Spec ::= (Solaris_Priv_Spec | Date_Spec | Timeout_Spec)
1039 .el Option_Spec ::= (Date_Spec | Timeout_Spec)
1043 SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
1047 Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
1050 Date_Spec ::= ('NOTBEFORE=timestamp' | 'NOTAFTER=timestamp')
1052 Timeout_Spec ::= 'TIMEOUT=timeout'
Tag_Spec ::= ('EXEC:' | 'NOEXEC:' | 'FOLLOW:' | 'NOFOLLOW:' |
              'LOG_INPUT:' | 'NOLOG_INPUT:' | 'LOG_OUTPUT:' |
              'NOLOG_OUTPUT:' | 'MAIL:' | 'NOMAIL:' | 'PASSWD:' |
              'NOPASSWD:' | 'SETENV:' | 'NOSETENV:')
1061 .Sy user specification
1062 determines which commands a user may run
1063 (and as what user) on specified hosts.
1064 By default, commands are
1067 but this can be changed on a per-command basis.
1069 The basic structure of a user specification is
1070 .Dq who where = (as_whom) what .
1071 Let's break that down into its constituent parts:
1075 determines the user and/or the group that a command
1081 (as defined above) separated by a colon
1083 and enclosed in a set of parentheses.
1087 which users the command may be run as via
1091 The second defines a list of groups that can be specified via
1094 option in addition to any of the target user's groups.
1097 are specified, the command may be run with any combination of users
1098 and groups listed in their respective
1099 .Li Runas_List Ns s.
1100 If only the first is specified, the command may be run as any user
1108 second is specified, the command may be run as the invoking user
1109 with the group set to any listed in the
1113 are empty, the command may only be run as the invoking user.
1116 is specified the command may be run as
1119 no group may be specified.
1123 sets the default for the commands that follow it.
1124 What this means is that for the entry:
1126 dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
1137 .No boulder Ns \(em Ns but
1142 $ sudo -u operator /bin/ls
1145 It is also possible to override a
1147 later on in an entry.
1148 If we modify the entry like so:
1150 dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
1155 is now allowed to run
1166 We can extend this to allow
1171 the user or group set to
1174 dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\e
1178 Note that while the group portion of the
1181 user to run as command with that group, it does not force the user
1183 If no group is specified on the command line, the command
1184 will run with the group listed in the target user's password database
1186 The following would all be permitted by the sudoers entry above:
1188 $ sudo -u operator /bin/ls
1189 $ sudo -u operator -g operator /bin/ls
1190 $ sudo -g operator /bin/ls
1193 In the following example, user
1195 may run commands that access
1196 a modem device file with the dialer group.
1198 tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\e
1199 /usr/local/bin/minicom
1202 Note that in this example only the group will be set, the command
1207 $ sudo -g dialer /usr/bin/cu
1210 Multiple users and groups may be present in a
1212 in which case the user may select any combination of users and groups via the
1219 alan ALL = (root, bin : operator, system) ALL
1224 may run any command as either user root or bin,
1225 optionally setting the group to operator or system.
1229 may have zero or more options associated with it.
1230 Options may consist of
1232 SELinux roles and/or types,
1235 Solaris privileges sets,
1237 start and/or end dates and command timeouts.
1238 Once an option is set for a
1243 .Li Cmnd_Spec_List ,
1244 inherit that option unless it is overridden by another option.
1247 On systems with SELinux support,
1249 file entries may optionally have an SELinux role and/or type associated
1252 type is specified with the command it will override any default values
1255 A role or type specified on the command line,
1256 however, will supersede the values in
1260 .Ss Solaris_Priv_Spec
1263 file entries may optionally specify Solaris privilege set and/or limit
1264 privilege set associated with a command.
1265 If privileges or limit privileges are specified with the command
1266 it will override any default values specified in
1269 A privilege set is a comma-separated list of privilege names.
1272 command can be used to list all privileges known to the system.
1278 In addition, there are several
1285 the set of all privileges
1287 the set of all privileges available in the current zone
1289 the default set of privileges normal users are granted at login time
1292 Privileges can be excluded from a set by prefixing the privilege
1301 rules can be specified with a start and end date via the
1306 The time stamp must be specified in
1307 .Em Generalized Time
1308 as defined by RFC 4517.
1309 The format is effectively
1311 where the minutes and seconds are optional.
1314 suffix indicates that the time stamp is in Coordinated Universal Time (UTC).
1315 It is also possible to specify a timezone offset from UTC in hours
1316 and minutes instead of a
1320 would correspond to Eastern Standard time in the US.
1321 As an extension, if no
1323 or timezone offset is specified, local time will be used.
1325 The following are all valid time stamps:
1326 .Bd -literal -offset 4n
1333 A command may have a timeout associated with it.
1334 If the timeout expires before the command has exited, the
1335 command will be terminated.
1336 The timeout may be specified in combinations of days, hours,
1337 minutes and seconds with a single-letter case-insensitive suffix
1338 that indicates the unit of time.
1339 For example, a timeout of 7 days, 8 hours, 30 minutes and
1340 10 seconds would be written as
1342 If a number is specified without a unit, seconds are assumed.
1343 Any of the days, minutes, hours or seconds may be omitted.
1344 The order must be from largest to smallest unit and a unit
1345 may not be specified more than once.
1347 The following are all
1362 This option is only supported by version 1.8.20 or higher.
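The following Python, added here as an illustration and not taken from sudo's own parser, implements both the Date_Spec format described above (Generalized Time with Z, a +hhmm/-hhmm offset, or the local-time extension) and the Timeout_Spec rules from this section (bare number is seconds, units largest to smallest, no unit twice), then evaluates a NOTBEFORE/NOTAFTER window. Function names are my own.

```python
import re
from datetime import datetime, timedelta, timezone

# Generalized Time as the NOTBEFORE/NOTAFTER text describes it:
# yyyymmddHH[MM[SS]] followed by 'Z' (UTC), a +hhmm/-hhmm offset, or
# nothing at all (the local-time extension).
_GENTIME_RE = re.compile(
    r"^(?P<ymdh>\d{10})(?P<mi>\d{2})?(?P<ss>\d{2})?(?P<tz>Z|[+-]\d{4})?$"
)

# TIMEOUT= units, largest to smallest, with the seconds each represents.
_TIMEOUT_UNITS = [("d", 86400), ("h", 3600), ("m", 60), ("s", 1)]
_TIMEOUT_TOKEN = re.compile(r"(\d+)([dhms])", re.IGNORECASE)


def parse_gentime(value):
    """Parse a NOTBEFORE=/NOTAFTER= time stamp into a timezone-aware datetime."""
    m = _GENTIME_RE.match(value)
    if not m:
        raise ValueError("bad Generalized Time: %r" % value)
    ymdh = m.group("ymdh")
    fields = (int(ymdh[0:4]), int(ymdh[4:6]), int(ymdh[6:8]), int(ymdh[8:10]),
              int(m.group("mi") or 0), int(m.group("ss") or 0))
    tz = m.group("tz")
    if tz is None:
        # No suffix: interpret in the local time zone, as the text allows.
        return datetime(*fields).astimezone()
    if tz == "Z":
        return datetime(*fields, tzinfo=timezone.utc)
    sign = 1 if tz[0] == "+" else -1
    offset = sign * timedelta(hours=int(tz[1:3]), minutes=int(tz[3:5]))
    return datetime(*fields, tzinfo=timezone(offset))


def parse_timeout(value):
    """Parse a TIMEOUT= value into seconds.

    A bare number is seconds; otherwise units run from largest to smallest
    and none may repeat, so '7d8h30m10s' is accepted but '8h7d' is not.
    """
    if value.isdigit():
        return int(value)
    total, pos, last_rank = 0, 0, -1
    for m in _TIMEOUT_TOKEN.finditer(value):
        if m.start() != pos:
            raise ValueError("bad timeout: %r" % value)
        pos = m.end()
        unit = m.group(2).lower()
        rank = [u for u, _ in _TIMEOUT_UNITS].index(unit)
        if rank <= last_rank:
            raise ValueError("timeout units out of order or repeated: %r" % value)
        last_rank = rank
        total += int(m.group(1)) * _TIMEOUT_UNITS[rank][1]
    if pos == 0 or pos != len(value):
        raise ValueError("bad timeout: %r" % value)
    return total


def timeout_is_valid(value):
    """True when parse_timeout() accepts 'value'."""
    try:
        parse_timeout(value)
        return True
    except ValueError:
        return False


def command_allowed_at(options, now):
    """Evaluate the NOTBEFORE=/NOTAFTER= options of a Cmnd_Spec at 'now'.

    Both bounds are optional; 'now' must be a timezone-aware datetime.
    """
    for opt in options:
        key, _, val = opt.partition("=")
        if key == "NOTBEFORE" and now < parse_gentime(val):
            return False
        if key == "NOTAFTER" and now > parse_gentime(val):
            return False
    return True


if __name__ == "__main__":
    # Constructed Cmnd_Spec options, checked at a constructed point in time.
    opts = ["NOTBEFORE=20170214083000Z", "NOTAFTER=20170214090000Z", "TIMEOUT=7d8h30m10s"]
    print(command_allowed_at(opts, parse_gentime("20170214084500Z")))
    print(parse_timeout(opts[2].split("=", 1)[1]))
```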
1364 A command may have zero or more tags associated with it.
1365 The following tag values are supported:
1381 Once a tag is set on a
1386 .Li Cmnd_Spec_List ,
1387 inherit the tag unless it is overridden by the opposite tag (in other words,
1396 .It Em EXEC No and Em NOEXEC
1400 has been compiled with
1402 support and the underlying operating system supports it, the
1404 tag can be used to prevent a dynamically-linked executable from
1405 running further commands itself.
1407 In the following example, user
1413 but shell escapes will be disabled.
1415 aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
1419 .Sx Preventing shell escapes
1420 section below for more details on how
1422 works and whether or not it will work on your system.
1423 .It Em FOLLOW No and Em NOFOLLOW
1424 Starting with version 1.8.15,
1426 will not open a file that is a symbolic link unless the
1433 tags override the value of
1435 and can be used to permit (or deny) the editing of symbolic links
1436 on a per-command basis.
1437 These tags are only effective for the
1439 command and are ignored for all other commands.
1440 .It Em LOG_INPUT No and Em NOLOG_INPUT
1442 These tags override the value of the
1444 option on a per-command basis.
1445 For more information, see the description of
1450 .It Em LOG_OUTPUT No and Em NOLOG_OUTPUT
1452 These tags override the value of the
1454 option on a per-command basis.
1455 For more information, see the description of
1460 .It Em MAIL No and Em NOMAIL
1462 These tags provide fine-grained control over whether
1463 mail will be sent when a user runs a command by
1464 overriding the value of the
1466 option on a per-command basis.
1467 They have no effect when
1476 tag will also override the
1481 For more information, see the descriptions of
1482 .Em mail_all_cmnds ,
1489 .It Em PASSWD No and Em NOPASSWD
1493 requires that a user authenticate him or herself
1494 before running a command.
1495 This behavior can be modified via the
1503 a default for the commands that follow it in the
1504 .Li Cmnd_Spec_List .
1507 tag can be used to reverse things.
1510 ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
1513 would allow the user
1522 on the machine rushmore without authenticating himself.
1528 without a password the entry would be:
1530 ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
1533 Note, however, that the
1535 tag has no effect on users who are in the group specified by the
1541 tag is applied to any of a user's entries for the current host,
1542 the user will be able to run
1545 Additionally, a user may only run
1547 without a password if all of the user's entries for the current
1551 This behavior may be overridden via the
1556 .It Em SETENV No and Em NOSETENV
1558 These tags override the value of the
1560 option on a per-command basis.
1563 has been set for a command, the user may disable the
1565 option from the command line via the
1568 Additionally, environment variables set on the command
1569 line are not subject to the restrictions imposed by
1574 As such, only trusted users should be allowed to set variables in this manner.
1575 If the command matched is
1579 tag is implied for that command; this default may be overridden by use of the
1587 (aka meta or glob characters)
1588 to be used in host names, path names and command line arguments in the
1591 Wildcard matching is done via the
1595 functions as specified by
1599 Matches any set of zero or more characters (including white space).
1601 Matches any single character (including white space).
1603 Matches any character in the specified range.
1605 Matches any character
1607 in the specified range.
1613 This is used to escape special characters such as:
1622 Note that these are not regular expressions.
1624 Unlike a regular expression there is no way to match one or more
1625 characters within a range.
1627 Character classes may be used if your system's
1631 functions support them.
1632 However, because the
1634 character has special meaning in
1639 .Bd -literal -offset 4n
1640 /bin/ls [[\e:\&alpha\e:\&]]*
1643 Would match any file name beginning with a letter.
1645 Note that a forward slash
1650 wildcards used in the file name portion of the command.
1651 This is to make a path like:
1652 .Bd -literal -offset 4n
1659 .Pa /usr/bin/X11/xterm .
1661 When matching the command line arguments, however, a slash
1663 get matched by wildcards since command line arguments may contain
1664 arbitrary strings and not just path names.
1667 Wildcards in command line arguments should be used with care.
1670 Command line arguments are matched as a single, concatenated string.
This means a wildcard character such as
1675 will match across word boundaries, which may be unexpected.
1676 For example, while a sudoers entry like:
1677 .Bd -literal -offset 4n
1678 %operator ALL = /bin/cat /var/log/messages*
will allow a command like:
1682 .Bd -literal -offset 4n
1683 $ sudo cat /var/log/messages.1
1687 .Bd -literal -offset 4n
1688 $ sudo cat /var/log/messages /etc/shadow
1691 which is probably not what was intended.
1692 In most cases it is better to do command line processing
1695 file in a scripting language.
1696 .Ss Exceptions to wildcard rules
1697 The following exceptions apply to the above rules:
1702 is the only command line argument in the
1704 file entry it means that command is not allowed to be run with
1708 Command line arguments to the
1710 built-in command should always be path names, so a forward slash
1712 will not be matched by a wildcard.
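As an added illustration (my own code, not sudo's matcher), the following Python applies the wildcard rules from this section and the previous one: wildcards in the path portion do not cross a slash, arguments are matched as one concatenated string in which they do, an entry without arguments permits any arguments, and "" permits none. Running it on the /var/log/messages* entry above shows why that rule is wider than intended. Function names are my own; POSIX character classes such as [[:alpha:]] are not handled.

```python
import re


def _glob_to_regex(pattern, slash_ok):
    """Translate a sudoers wildcard pattern (*, ?, [...], backslash escape)
    into a compiled regular expression.

    With slash_ok=False the wildcards stop at '/', which is how the path
    portion of a command is matched; with slash_ok=True they cross it,
    which is how command line arguments are matched.
    """
    one = "." if slash_ok else "[^/]"
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append(one + "*")
        elif c == "?":
            out.append(one)
        elif c == "[" and pattern.find("]", i + 2) != -1:
            j = pattern.find("]", i + 2)
            body = pattern[i + 1:j]
            if body.startswith("!"):
                body = "^" + body[1:]
            # A bracket expression never matches '/' in the path portion.
            out.append(("" if slash_ok else "(?!/)") + "[" + body + "]")
            i = j
        elif c == "\\" and i + 1 < len(pattern):
            i += 1
            out.append(re.escape(pattern[i]))
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def cmnd_matches(rule_cmnd, rule_args, user_cmnd, user_args):
    """Decide whether a sudoers Cmnd permits the command the user requested.

    rule_cmnd: the fully qualified file name, or a directory ending in '/'.
    rule_args: the argument string from the entry; None when the entry lists
               no arguments (any arguments permitted); '""' means none permitted.
    user_cmnd: the resolved path of the requested command.
    user_args: the requested arguments as a list.
    """
    if rule_cmnd.endswith("/"):
        # Directory entry: any file directly inside it, not in sub-directories,
        # and (the grammar gives directories no argument part) any arguments.
        return _glob_to_regex(rule_cmnd + "?*", False).match(user_cmnd) is not None
    if not _glob_to_regex(rule_cmnd, False).match(user_cmnd):
        return False
    if rule_args is None:
        return True
    joined = " ".join(user_args)
    if rule_args == '""':
        return joined == ""
    # Arguments are matched as one concatenated string and '*' crosses both
    # spaces and slashes, so '/var/log/messages*' also accepts
    # '/var/log/messages /etc/shadow'.
    return _glob_to_regex(rule_args, True).match(joined) is not None


if __name__ == "__main__":
    # Constructed requests checked against the entry from the text.
    rule = ("/bin/cat", "/var/log/messages*")
    for args in (["/var/log/messages.1"], ["/var/log/messages", "/etc/shadow"]):
        print(args, cmnd_matches(rule[0], rule[1], "/bin/cat", args))
```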
1714 .Ss Including other files from within sudoers
1715 It is possible to include other
1717 files from within the
1719 file currently being parsed using the
1725 This can be used, for example, to keep a site-wide
1727 file in addition to a local, per-machine file.
1728 For the sake of this example the site-wide
1732 and the per-machine one will be
1733 .Pa /etc/sudoers.local .
1735 .Pa /etc/sudoers.local
1741 .Bd -literal -offset 4n
1742 #include /etc/sudoers.local
1747 reaches this line it will suspend processing of the current file
1750 .Pa /etc/sudoers.local .
1751 Upon reaching the end of
1752 .Pa /etc/sudoers.local ,
1756 Files that are included may themselves include other files.
1757 A hard limit of 128 nested include files is enforced to prevent include
1760 If the path to the include file is not fully-qualified (does not
1763 it must be located in the same directory as the sudoers file it was
1768 .Bd -literal -offset 4n
1769 .Li #include sudoers.local
1772 the file that will be included is
1773 .Pa /etc/sudoers.local .
1775 The file name may also include the
1777 escape, signifying the short form of the host name.
1778 In other words, if the machine's host name is
1781 .Bd -literal -offset 4n
1782 #include /etc/sudoers.%h
1788 .Pa /etc/sudoers.xerxes .
1792 directive can be used to create a
1794 directory that the system package manager can drop
1796 file rules into as part of package installation.
1798 .Bd -literal -offset 4n
1799 #includedir /etc/sudoers.d
1803 will suspend processing of the current file and read each file in
1804 .Pa /etc/sudoers.d ,
1805 skipping file names that end in
1809 character to avoid causing problems with package manager or editor
1810 temporary/backup files.
1811 Files are parsed in sorted lexical order.
1813 .Pa /etc/sudoers.d/01_first
1814 will be parsed before
1815 .Pa /etc/sudoers.d/10_second .
1816 Be aware that because the sorting is lexical, not numeric,
1817 .Pa /etc/sudoers.d/1_whoops
1820 .Pa /etc/sudoers.d/10_second .
Using a consistent number of leading zeroes in the file names avoids
such problems.
After parsing the files in the directory, control returns to the
file that contained the
Note that unlike files included via
will not edit the files in a
directory unless one of them contains a syntax error.
It is still possible to run
flag to edit the files directly, but this will not catch the
that is also present in a different file.
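The parse order and skip rules for a #includedir directory, as an added shell example that is not part of the manual: it assumes byte-wise (LC_ALL=C) lexical sorting and the two skip rules stated above, and builds a constructed directory to show 10_second sorting ahead of 1_whoops.

```shell
#!/bin/sh
# Added example, not part of the sudoers manual.  Lists the files of a
# #includedir directory in the order sudoers would parse them, applying the
# two skip rules from the manual: names containing "." and names ending in
# "~" are ignored.  Assumption: "sorted lexical order" is byte-wise order,
# which LC_ALL=C sort reproduces.

# includedir_order DIR -> prints the names to be parsed, one per line, in order
includedir_order() {
    dir=$1
    for path in "$dir"/*; do
        [ -f "$path" ] || continue          # nothing matched, or not a file
        name=${path##*/}
        case $name in
            *.* | *~) continue ;;           # package/editor leftovers are skipped
        esac
        printf '%s\n' "$name"
    done | LC_ALL=C sort
}

# Demonstration on a constructed directory (file names only, contents empty).
# Prints the parse order on one line: 01_first 10_second 1_whoops
demo_includedir() {
    tmp=$(mktemp -d) || return 1
    for name in 10_second 01_first 1_whoops 00_site.bak 05_local~ README.txt; do
        : > "$tmp/$name"
    done
    includedir_order "$tmp" | paste -s -d ' ' -
    rm -rf "$tmp"
}
```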
.Ss Other special characters and reserved words
is used to indicate a comment (unless it is part of a #include
directive or unless it occurs in the context of a user name and is
followed by one or more digits, in which case it is treated as a
Both the comment character and any text after it, up to the end of
the line, are ignored.
that always causes a match to succeed.
It can be used wherever one might otherwise use a
You should not try to define your own
as the built-in alias will be used in preference to your own.
Please note that using
can be dangerous since in a command context, it allows the user to run
command on the system.
An exclamation point
can be used as a logical
operator in a list or
as well as in front of a
This allows one to exclude certain values.
operator to be effective, there must be something for it to exclude.
For example, to match all users except for root one would use:
.Bd -literal -offset 4n
.Bd -literal -offset 4n
it would explicitly deny root but not match any other users.
This is different from a true
Note, however, that using a
in conjunction with the built-in
alias to allow a user to run
commands rarely works as intended (see
Long lines can be continued with a backslash
as the last character on the line.
White space between elements in a list as well as special syntactic
.Em User Specification
The following characters must be escaped with a backslash
when used as part of a word (e.g., a user name or host name):
behavior can be modified by
lines, as explained earlier.
A list of all supported Defaults parameters, grouped by type, is given below.
.It always_query_group_plugin
is configured, use it to resolve groups of the form %group as long
as there is not also a system group of the same name.
Normally, only groups of the form %:group are passed to the
environment variable to the home directory of the target user
(which is root unless
This option is largely obsolete and has no effect unless the
option has been disabled or
list, both of which are strongly discouraged.
If set, users must authenticate themselves via a password (or other
means of authentication) before they may run commands.
This default may be overridden via the
.It case_insensitive_group
If enabled, group names in
will be matched in a case-insensitive manner.
This may be necessary when users are stored in LDAP or AD.
.It case_insensitive_user
If enabled, user names in
will be matched in a case-insensitive manner.
This may be necessary when groups are stored in LDAP or AD.
.It closefrom_override
If set, the user may use
option which overrides the default starting point at which
begins closing open file descriptors.
is configured to log a command's input or output,
the I/O logs will be compressed using
runs a command as the foreground process as long as
itself is running in the foreground.
flag is enabled and the command is being run in a pseudo-terminal
(due to I/O logging or the
flag), the command will be run as a background process.
Attempts to read from the controlling terminal (or to change terminal
settings) will result in the command being suspended with the
in the case of terminal settings).
If this happens when
is a foreground process, the command will be granted the controlling terminal
and resumed in the foreground with no user intervention required.
The advantage of initially running the command in the background is that
need not read from the terminal unless the command explicitly requests it.
Otherwise, any terminal input must be passed to the command, whether it
has required it or not (the kernel buffers terminals so it is not possible
to tell whether the command really wants the input).
This is different from historic
behavior or when the command is not being run in a pseudo-terminal.
For this to work seamlessly, the operating system must support the
automatic restarting of system calls.
Unfortunately, not all operating systems do this by default,
and even those that do may have bugs.
For example, macOS fails to restart the
system calls (this is a bug in macOS).
Furthermore, because this behavior depends on the command stopping with the
signals, programs that catch these signals and suspend themselves
with a different signal (usually
will not be automatically foregrounded.
Some versions of the Linux
command behave this way.
This setting is only supported by version 1.8.7 or higher.
It has no effect unless I/O logging is enabled or the
will use the value of the
environment variables before falling back on the default editor list.
is typically run as root so this option may allow a user with
privileges to run arbitrary commands as root without logging.
An alternative is to place a colon-separated list of
if they match a value specified in
flag is enabled, the
environment variables must be present in the
flag to function when
will run the command in a minimal environment containing the
Any variables in the caller's environment or in the file specified
.Em restricted_env_file
option that match the
lists are then added, followed by any variables present in the file
lists, as modified by global Defaults parameters in
is run by root with the
option is set, its value will be used for the
environment variable.
function to do shell-style globbing when matching path names.
However, since it accesses the file system,
can take a long time to complete for some patterns, especially
when the pattern references a network file system that is mounted
on demand (auto mounted).
function, which does not access the file system to do its matching.
is that it is unable to match relative path names such as
This has security implications when path names that include globbing
characters are used with the negation operator,
as such rules can be trivially bypassed.
As such, this option should not be used when the
file contains rules that contain negated path names which include globbing
Set this flag if you want to put fully-qualified host names in the
file when the local host name (as returned by the
command) does not contain the domain name.
In other words, instead of myhost you would use myhost.mydomain.edu.
You may still use the short form if you wish (and even mix the two).
This option is only effective when the
host name, as returned by the
function, is a fully-qualified domain name.
This is usually the case when the system is configured to use DNS
for host name resolution.
If the system is configured to use the
file in preference to DNS, the
host name may not be fully-qualified.
The order that sources are queried for host name resolution
is usually specified in the
.Pa @nsswitch_conf@ ,
.Pa /etc/host.conf ,
.Pa /etc/resolv.conf
file, the first host name of the entry is considered to be the
name; subsequent names are aliases that are not used by
For example, the following hosts file line for the machine
has the fully-qualified domain name as the
host name, and the short version as an alias.
.Dl 192.168.1.1 xyzzy.sudo.ws xyzzy
If the machine's hosts file entry is not formatted properly, the
option will not be effective if it is queried before DNS.
Beware that when using DNS for host name resolution, turning on
to make DNS lookups which renders
unusable if DNS stops working (for example if the machine is disconnected
Also note that just like with the hosts file, you must use the
name as DNS knows it.
That is, you may not use a host alias
due to performance issues and the fact that there is no way to get all
.It ignore_audit_errors
Allow commands to be run even if
cannot write to the audit log.
If enabled, an audit log write failure is not treated as a fatal error.
If disabled, a command may only be run after the audit event is successfully
This flag is only effective on systems for which
supports audit logging, including
Linux, macOS and Solaris.
will ignore "." or "" (both denoting current directory) in the
environment variable; the
itself is not modified.
.It ignore_iolog_errors
Allow commands to be run even if
cannot write to the I/O log.
If enabled, an I/O log write failure is not treated as a fatal error.
If disabled, the command will be terminated if the I/O log cannot be written to.
.It ignore_logfile_errors
Allow commands to be run even if
cannot write to the log file.
If enabled, a log file write failure is not treated as a fatal error.
If disabled, a command may only be run after the log file entry is successfully
This flag only has an effect when
is configured to use file-based logging via the
.It ignore_local_sudoers
If set via LDAP, parsing of
.Pa @sysconfdir@/sudoers
This is intended for enterprises that wish to prevent the usage of local
sudoers files so that only LDAP is used.
This thwarts the efforts of rogue operators who would attempt to add roles to
.Pa @sysconfdir@/sudoers .
When this option is present,
.Pa @sysconfdir@/sudoers
does not even need to exist.
Since this option tells
how to behave when no specific LDAP entries have been matched, this
sudoOption is only meaningful for the
.It ignore_unknown_defaults
will not produce a warning if it encounters an unknown Defaults entry
file or an unknown sudoOption in LDAP.
will insult users when they enter an incorrect password.
If set, the host name will be logged in the (non-syslog)
will run the command in a pseudo-terminal and log all user input.
If the standard input is not connected to the user's tty, due to
I/O redirection or because the command is part of a pipeline, that
input is also captured and stored in a separate log file.
Anything sent to the standard input will be consumed, regardless of
whether or not the command run via
is actually reading the standard input.
This may have unexpected results when using
in a shell script that expects to process the standard input.
For more information about I/O logging, see the
will run the command in a pseudo-terminal and log all output that is sent
to the screen, similar to the
For more information about I/O logging, see the
If set, the four-digit year will be logged in the (non-syslog)
When validating with a One Time Password (OTP) scheme such as
a two-line prompt is used to make it easier
to cut and paste the challenge to a local window.
It's not as pretty as the default but some people find it more convenient.
.Em @long_otp_prompt@
user every time a user attempts to run a command via
No mail will be sent if the user runs
option unless there is an authentication error and the
user every time a user runs
user if the user running
does not enter the correct password.
If the command the user is attempting to run is not permitted by
.Em mail_all_cmnds ,
flags are set, this flag will have no effect.
If set, mail will be sent to the
user if the invoking user exists in the
file, but is not allowed to run commands on the current host.
If set, mail will be sent to the
user if the invoking user is allowed to use
but the command they are trying is not listed in their
file entry or is explicitly denied.
If set, mail will be sent to the
user if the invoking user is not in the
.It match_group_by_gid
will look up each group the user is a member of by group ID to
determine the group name (this is only done once).
The resulting list of the user's group names is used when matching
groups listed in the
This works well on systems where the number of groups listed in the
file is larger than the number of groups a typical user belongs to.
On systems where group lookups are slow, where users may belong
to a large number of groups, and where the number of groups listed
file is relatively small, it may be prohibitively expensive and
running commands via
may take longer than normal.
On such systems it may be faster to use the
.Em match_group_by_gid
flag to avoid resolving the user's group IDs to group names.
must look up any group name listed in the
file and use the group ID instead of the group name when determining
whether the user is a member of the group.
.Em match_group_by_gid
is enabled, group database lookups performed by
will be keyed by group name as opposed to group ID.
On systems where there are multiple sources for the group database,
it is possible to have conflicting group names or group IDs in the local
file and the remote group database.
On such systems, enabling or disabling
.Em match_group_by_gid
can be used to choose whether group database queries are performed
by name (enabled) or ID (disabled), which may aid in working around
group entry conflicts.
.Em match_group_by_gid
flag has no effect when
data is stored in LDAP.
This setting is only supported by version 1.8.18 or higher.
If set, netgroup lookups will be performed using the full netgroup
tuple: host name, user name and domain (if one is set).
only matched the user name and domain for netgroups used in a
and only matched the host name and domain for netgroups used in a
If set, all commands run via
will behave as if the
tag has been set, unless overridden by an
See the description of
above as well as the
.Sx Preventing shell escapes
section at the end of this manual.
On systems that use PAM for authentication,
will perform PAM account validation for the invoking user by default.
The actual checks performed depend on which PAM modules are configured.
If enabled, account validation will be performed regardless of whether
or not a password is required.
This setting is only supported by version 1.8.28 or higher.
On systems that use PAM for authentication,
will create a new PAM session for the command to be run in.
may be needed on older PAM implementations or on operating systems where
opening a PAM session changes the utmp or wtmp files.
If PAM session support is disabled, resource limits may not be updated
for the command being run.
are disabled and I/O logging has not been configured,
will execute the command directly instead of running it as a child
This setting is only supported by version 1.8.7 or higher.
On systems that use PAM for authentication,
will attempt to establish credentials for the target user by default,
if supported by the underlying authentication system.
One example of a credential is a Kerberos ticket.
are disabled and I/O logging has not been configured,
will execute the command directly instead of running it as a child
This setting is only supported by version 1.8.8 or higher.
.It passprompt_override
If set, the prompt specified by
environment variable will always be used and will replace the
prompt provided by a PAM module or other authentication method.
will tell the user when a command could not be
environment variable.
Some sites may wish to disable this as it could be used to gather
information on the location of executables that the normal user does
The disadvantage is that if the executable is simply not in the user's
will tell the user that they are not allowed to run it, which can be confusing.
will initialize the group vector to the list of groups the target user is in.
is set, the user's existing group vector is left unaltered.
The real and effective group IDs, however, are still set to match the
reads the password like most other Unix programs,
by turning off echo until the user hits the return (or enter) key.
Some users become confused by this as it appears to them that
has hung at this point.
will provide visual feedback when the user presses a key.
Note that this does have a security impact as an onlooker may be able to
determine the length of the password being entered.
will only run when the user is logged in to a real tty.
When this flag is set,
can only be run from a login session and not via other means such as
.Xr cron @mansectsu@
If set, root is allowed to run
Disabling this prevents users from
commands to get a root shell by doing something like
.Dq Li sudo sudo /bin/sh .
Note, however, that turning off
will also prevent root from running
provides no real additional security; it exists purely for historical reasons.
will prompt for the root password instead of the password of the invoking user
when running a command or editing a file.
will prompt for the password of the user defined by the
.Li @runas_default@ )
instead of the password of the invoking user
when running a command or editing a file.
environment variable will be set to the home directory of the target
user (which is root unless
This option is largely obsolete and has no effect unless the
option has been disabled or
list, both of which are strongly discouraged.
environment variables to the name of the target user (usually root unless the
However, since some programs (including the RCS revision control system) use
to determine the real identity of the user, it may be desirable to
change this behavior.
This can be done by negating the set_logname option.
option has not been disabled and the
will create an entry in the utmp (or utmpx) file when a pseudo-terminal
A pseudo-terminal is allocated by
when it is running in a terminal and one or more of the
By default, the new entry will be a copy of the user's existing utmp
entry (if any), with the tty, time, type and pid fields updated.
Allow the user to disable the
option from the command line via the
Additionally, environment variables set via the command line are
not subject to the restrictions imposed by
As such, only trusted users should be allowed to set variables in this manner.
is invoked with no arguments it acts as if the
option had been given.
That is, it runs a shell as root (the shell is determined by the
environment variable if it is set, falling back on the shell listed
in the invoking user's /etc/passwd entry if not).
executes a command the real and effective UIDs are set to the target
user (root by default).
This option changes that behavior such that the real UID is left
as the invoking user's UID.
In other words, this makes
act as a setuid wrapper.
This can be useful on systems that disable some potentially
dangerous functionality when a program is run setuid.
This option is only effective on systems that support either the
.It sudoedit_checkdir
will check all directory components of the path to be edited for writability
by the invoking user.
Symbolic links will not be followed in writable directories and
will refuse to edit a file located in a writable directory.
These restrictions are not enforced when
On some systems, if all directory components of the path to be edited
are not readable by the target user,
will be unable to edit the file.
This setting was first introduced in version 1.8.15 but initially
suffered from a race condition.
The check for symbolic links in writable intermediate directories
was added in version 1.8.16.
will not follow symbolic links when opening files.
option can be enabled to allow
to open symbolic links.
It may be overridden on a per-command basis by the
This setting is only supported by version 1.8.15 or higher.
include the process ID in the log entry.
This setting is only supported by version 1.8.21 or higher.
will prompt for the password of the user specified
instead of the password of the invoking user
when running a command or editing a file.
Note that this flag precludes the use of a uid not listed in the passwd
database as an argument to the
If set, users must authenticate on a per-tty basis.
With this flag enabled,
will use a separate record in the time stamp file for each terminal.
If disabled, a single record is used for all login sessions.
This option has been superseded by the
will set the umask as specified in the
file without modification.
This makes it possible to specify a umask in the
file that is more permissive than the user's own umask and matches
historical behavior.
will set the umask to be the union of the user's umask and what is specified in
.Em @umask_override@
will apply the defaults specified for the target user's login class
is configured with the
If set, netgroups (prefixed with
may be used in place of a user or host.
For LDAP-based sudoers, netgroup support requires an expensive
sub-string match on the server unless the
directive is present in the
If netgroups are not needed, this option can be disabled to reduce the
load on the LDAP server.
is running in a terminal, the command will be run in a pseudo-terminal
(even if no I/O logging is being done).
process is not attached to a terminal,
A malicious program run under
may be capable of injecting commands into the user's
terminal or running a background process that retains access to the
user's terminal device even after the main program has finished
By running the command in a separate pseudo-terminal, this attack is
.It user_command_timeouts
If set, the user may specify a timeout on the command line.
If the timeout expires before the command has exited, the
command will be terminated.
If a timeout is specified both in the
file and on the command line, the smaller of the two timeouts will be used.
section for a description of the timeout syntax.
This setting is only supported by version 1.8.20 or higher.
will store the name of the runas user when updating the utmp (or utmpx) file.
stores the name of the invoking user.
will refuse to run if the user must enter a password but it is not
possible to disable echo on the terminal.
will prompt for a password even when it would be visible on the screen.
This makes it possible to run things like
.Dq Li ssh somehost sudo ls
not allocate a tty when running a command.
Before it executes a command,
will close all open file descriptors other than standard input,
standard output and standard error (i.e., file descriptors 0-2).
option can be used to specify a different file descriptor at which
The maximum amount of time a command is allowed to run before
section for a description of the timeout syntax.
This setting is only supported by version 1.8.20 or higher.
The maximum sequence number that will be substituted for the
escape in the I/O log file (see the
description below for more information).
While the value substituted for
itself should be expressed in decimal.
Values larger than 2176782336 (which corresponds to the
base 36 sequence number
will be silently truncated to 2176782336.
The default value is 2176782336.
Once the local sequence number reaches the value of
to zero, after which
will truncate and re-use any existing I/O log path names.
This setting is only supported by version 1.8.7 or higher.
The number of tries a user gets to enter his/her password before
logs the failure and exits.
.Li @passwd_tries@ .
has a relatively small log buffer.
IETF RFC 5424 states that syslog servers must support messages of
at least 480 bytes and should support messages up to 2048 bytes.
creates log messages up to 980 bytes which corresponds to the
syslog implementation which used a 1024 byte buffer
to store the message, date, hostname and program name.
To prevent syslog messages from being truncated,
will split up log messages that are larger than
When a message is split, additional parts will include the string
.Dq Pq command continued
after the user name and before the continued command line arguments.
This setting is only supported by version 1.8.19 or higher.
.Sy Integers that can be used in a boolean context :
Number of characters per line for the file log.
This value is used to decide when to wrap lines for nicer log files.
This has no effect on the syslog log file, only the file log.
(use 0 or negate the option to disable word wrap).
Number of minutes before the
password prompt times out, or
The timeout may include a fractional component
if minute granularity is insufficient, for example
.Li @password_timeout@ .
.It timestamp_timeout
Number of minutes that can elapse before
will ask for a password again.
The timeout may include a fractional component if
minute granularity is insufficient, for example
to always prompt for a password.
If set to a value less than
the user's time stamp will not expire until the system is rebooted.
This can be used to allow users to create or delete their own time stamps via
Umask to use when running the command.
Negate this option or set it to 0777 to preserve the user's umask.
The actual umask that is used will be the union of the user's umask
and the value of the
option, which defaults to
never lowers the umask when running a command.
Note: on systems that use PAM, the default PAM configuration may specify
its own umask which will override the value set in
.It authfail_message
Message that is displayed after a user fails to authenticate.
The message may include the
escape which will expand to the number of failed password attempts.
If set, it overrides the default message,
.Li %d incorrect password attempt(s) .
Message that is displayed if a user enters an incorrect password.
.Li @badpass_message@
unless insults are enabled.
separated list of editor path names used by
this list is used to find an editor when none of the
environment variables are set to an editor that exists and is executable.
it is used as a white list of allowed editors;
will choose the editor that matches the user's
environment variable if possible, or the first editor in the
list that exists and is executable if not.
does not preserve the
environment variables unless they are present in the
The top-level directory to use when constructing the path name for
the input/output log directory.
options are enabled or when the
tags are present for a command.
The session sequence number, if any, is stored in the directory.
The following percent
escape sequences are supported:
expanded to a monotonically increasing base-36 sequence number, such as 0100A5,
where every two digits are used to form a new directory, e.g.,
expanded to the invoking user's login name
expanded to the name of the invoking user's real group ID
.It Li %{runas_user}
expanded to the login name of the user the command will
be run as (e.g., root)
.It Li %{runas_group}
expanded to the group name of the user the command will
be run as (e.g., wheel)
expanded to the local host name without the domain name
expanded to the base name of the command being run
In addition, any escape sequences supported by the system's
function will be expanded.
To include a literal
character, the string
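The %{seq} escape just described and the maxseq limit described earlier, as an added shell example that is not taken from the manual: it renders a decimal I/O log sequence number as the six-digit base-36 string and the two-character directory components the manual describes, and resets a number that reaches maxseq to zero (assumptions: upper-case digits, and 36^6 = 2176782336 as the default maxseq).

```shell
#!/bin/sh
# Added example, not part of the sudoers manual.  Shows how a decimal I/O log
# sequence number becomes the %{seq} value (six base-36 digits, e.g. 0100A5)
# and the directory layout built from it (01/00/A5), and how the maxseq
# limit wraps the counter.  Assumption: base-36 digits are 0-9 then A-Z.

MAXSEQ_DEFAULT=2176782336          # 36^6; the base-36 number ZZZZZZ is one less

# seq_to_base36 N -> six-digit, zero-padded base-36 string (e.g. 0100A5)
seq_to_base36() {
    n=$1
    digits=0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ
    out=
    i=0
    while [ "$i" -lt 6 ]; do
        r=$((n % 36))
        # character r+1 of the digit alphabet (cut positions start at 1)
        c=$(printf '%s' "$digits" | cut -c $((r + 1)))
        out=$c$out
        n=$((n / 36))
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# iolog_seq_path N [MAXSEQ] -> directory path the manual describes, e.g. 01/00/A5
iolog_seq_path() {
    n=$1
    max=${2:-$MAXSEQ_DEFAULT}
    # The local sequence number is reset to zero once it reaches maxseq.
    if [ "$n" -ge "$max" ]; then
        n=0
    fi
    s=$(seq_to_base36 "$n")
    printf '%s/%s/%s\n' "$(printf '%s' "$s" | cut -c 1-2)" \
        "$(printf '%s' "$s" | cut -c 3-4)" "$(printf '%s' "$s" | cut -c 5-6)"
}
```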
3303 The path name, relative to
3305 in which to store input/output logs when the
3309 options are enabled or when the
3313 tags are present for a command.
3316 may contain directory components.
3322 option above for a list of supported percent
3326 In addition to the escape sequences, path names that end in six or
3331 replaced with a unique combination of digits and letters, similar to the
3335 If the path created by concatenating
3339 already exists, the existing I/O log file will be truncated and
3348 will flush I/O log data to disk after each write instead of buffering it.
3349 This makes it possible to view the logs in real-time as the program
3350 is executing but may significantly reduce the effectiveness of I/O
3356 This setting is only supported by version 1.8.20 or higher.
3358 The group name to look up when setting the group ID on new I/O log
3359 files and directories.
3363 the primary group ID of the user specified by
3370 are set, I/O log files and directories are created with group ID 0.
3372 This setting is only supported by version 1.8.19 or higher.
3374 The file mode to use when creating I/O log files.
3375 Mode bits for read and write permissions for owner, group or other
3376 are honored; everything else is ignored.
3377 The file permissions will always include the owner read and
3378 write bits, even if they are not present in the specified mode.
3379 When creating I/O log directories, search (execute) bits are added
3380 to match the read and write bits specified by
3382 Defaults to 0600 (read and write by user only).
3384 This setting is only supported by version 1.8.19 or higher.
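The iolog_mode rules above, as an added example that is not part of sudoers itself: only the read and write bits survive, the owner read and write bits are always forced on, and directories additionally get a search bit for every class that was granted read or write access.

```python
import stat

OWNER_RW = stat.S_IRUSR | stat.S_IWUSR   # 0600, always present in the file mode
RW_BITS = 0o666                          # only r/w bits of the setting are honored


def iolog_file_mode(iolog_mode: int) -> int:
    """Effective mode for a new I/O log file.

    Setuid, setgid, sticky and execute bits in the setting are dropped, and
    the owner read and write bits are added even if the setting omits them.
    """
    return (iolog_mode & RW_BITS) | OWNER_RW


def iolog_dir_mode(iolog_mode: int) -> int:
    """Effective mode for a new I/O log directory.

    Starts from the file mode and adds the search (execute) bit for each
    class (owner, group, other) that has read or write access, so whoever
    may read the logs can also traverse the directory tree.
    """
    mode = iolog_file_mode(iolog_mode)
    for rw, x in ((stat.S_IRUSR | stat.S_IWUSR, stat.S_IXUSR),
                  (stat.S_IRGRP | stat.S_IWGRP, stat.S_IXGRP),
                  (stat.S_IROTH | stat.S_IWOTH, stat.S_IXOTH)):
        if mode & rw:
            mode |= x
    return mode


def describe(iolog_mode: int) -> str:
    """One-line summary of what a given iolog_mode setting really yields."""
    return (f"iolog_mode={iolog_mode:04o}: files {iolog_file_mode(iolog_mode):04o}, "
            f"directories {iolog_dir_mode(iolog_mode):04o}")


if __name__ == "__main__":
    # A few settings a policy review might encounter, including ones that
    # try to grant more (or less) than the owner read/write minimum.
    for setting in (0o600, 0o640, 0o044, 0o1777):
        print(describe(setting))
```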
3386 The user name to look up when setting the user and group IDs on new
3387 I/O log files and directories.
3390 is set, it will be used instead of the user's primary group ID.
3391 By default, I/O log files and directories are created with user and
3394 This setting can be useful when the I/O logs are stored on a Network
3395 File System (NFS) share.
3396 Having a dedicated user own the I/O log files means that
3398 does not write to the log files as user ID 0, which is usually
3399 not permitted by NFS.
3401 This setting is only supported by version 1.8.19 or higher.
3402 .It lecture_status_dir
3403 The directory in which
3405 stores per-user lecture status files.
3406 Once a user has received the lecture, a zero-length file is
3407 created in this directory so that
3409 will not lecture the user again.
3410 This directory should
3412 be cleared when the system reboots.
3414 .Pa @vardir@/lectured .
3417 The default Solaris limit privileges to use when constructing a new
3418 privilege set for a command.
3419 This bounds all privileges of the executing process.
3420 The default limit privileges may be overridden on a per-command basis in
3422 This option is only available if
3424 is built on Solaris 10 or higher.
3427 Subject of the mail sent to the
3432 will expand to the host name of the machine.
3438 version 1.8.1 this option is no longer supported.
3439 The path to the noexec file should now be set in the
3440 .Xr sudo.conf @mansectform@
3442 .It pam_login_service
3443 On systems that use PAM for authentication, this is the service
3446 option is specified.
3447 The default value is
3448 .Dq Li @pam_login_service@ .
3449 See the description of
3451 for more information.
3453 This setting is only supported by version 1.8.8 or higher.
3455 On systems that use PAM for authentication, the service name
3456 specifies the PAM policy to apply.
3457 This usually corresponds to an entry in the
3459 file or a file in the
3462 The default value is
3465 This setting is only supported by version 1.8.8 or higher.
3467 The default prompt to use when asking for a password; can be overridden via the
3471 environment variable.
3472 The following percent
3474 escape sequences are supported:
3477 expanded to the local host name including the domain name
3478 (only if the machine's host name is fully qualified or the
3482 expanded to the local host name without the domain name
3484 expanded to the user whose password is being asked for (respects the
3492 expanded to the login name of the user the command will
3493 be run as (defaults to root)
3495 expanded to the invoking user's login name
3499 characters are collapsed into a single
3504 On systems that use PAM for authentication,
3506 will only be used if the prompt provided by the PAM module matches the string
3509 .Dq "username's Password: " .
3510 This ensures that the
3512 setting does not interfere with challenge-response style authentication.
3514 .Em passprompt_override
3515 flag can be used to change this behavior.
3517 The default value is
3518 .Dq Li "@passprompt@" .
3521 The default Solaris privileges to use when constructing a new
3522 privilege set for a command.
3523 This is passed to the executing process via the inherited privilege set,
3524 but is bounded by the limit privileges.
3527 option is specified but the
3529 option is not, the limit privileges of the executing process are set to
3531 The default privileges may be overridden on a per-command basis in
3533 This option is only available if
3535 is built on Solaris 10 or higher.
3539 The default SELinux role to use when constructing a new security
3540 context to run the command.
3541 The default role may be overridden on a per-command basis in the
3543 file or via command line options.
3544 This option is only available when
3546 is built with SELinux support.
3549 The default user to run commands as if the
3551 option is not specified on the command line.
3553 .Li @runas_default@ .
3555 Locale to use when parsing the sudoers file, logging commands, and
3557 Note that changing the locale may affect how sudoers is interpreted.
3562 uses per-user time stamp files for credential caching.
3565 option can be used to specify the type of time stamp record used.
3566 It has the following possible values:
3569 A single time stamp record is used for all of a user's login sessions,
3570 regardless of the terminal or parent process ID.
3571 An additional record is used to serialize password prompts when
3573 is used multiple times in a pipeline, but this does not affect authentication.
3575 A single time stamp record is used for all processes with the same parent
3576 process ID (usually the shell).
3577 Commands run from the same shell (or other common parent process)
3578 will not require a password for
3579 .Em timestamp_timeout
3587 with a different parent process ID, for example from a shell script,
3588 will be authenticated separately.
3590 One time stamp record is used for each terminal,
3591 which means that a user's login sessions are authenticated separately.
3592 If no terminal is present, the behavior is the same as
3594 Commands run from the same terminal will not require a password for
3595 .Em timestamp_timeout
3602 The time stamp is stored in the kernel as an attribute of the terminal
3604 If no terminal is present, the behavior is the same as
3607 .Em timestamp_timeout
3608 values are not supported and positive values are limited to a maximum
3610 This is currently only supported on
3614 The default value is
3615 .Em @timestamp_type@ .
3617 This setting is only supported by version 1.8.21 or higher.
3619 The directory in which
3621 stores its time stamp files.
3622 This directory should be cleared when the system reboots.
3626 The owner of the lecture status directory, time stamp directory and all
3627 files stored therein.
3632 The default SELinux type to use when constructing a new security
3633 context to run the command.
3634 The default type may be overridden on a per-command basis in the
3636 file or via command line options.
3637 This option is only available when
3639 is built with SELinux support.
3643 .Sy Strings that can be used in a boolean context :
3648 option specifies the fully qualified path to a file containing variables
3649 to be set in the environment of the program being run.
3650 Entries in this file should either be of the form
3651 .Dq Li VARIABLE=value
3653 .Dq Li export VARIABLE=value .
3654 The value may optionally be surrounded by single or double quotes.
3655 Variables in this file are only added if the variable does not already
3656 exist in the environment.
3657 This file is considered to be part of the security policy;
3658 its contents are not subject to other
3660 environment restrictions such as
3665 Users in this group are exempt from password and PATH requirements.
3666 The group name specified should not include a
3669 This is not set by default.
3673 will execute a command by its path or by an open file descriptor.
3674 It has the following possible values:
3677 Always execute by file descriptor.
3679 Never execute by file descriptor.
3681 Only execute by file descriptor if the command has an associated digest
3687 The default value is
3689 This avoids a time of check versus time of use race condition when
3690 the command is located in a directory writable by the invoking user.
3694 will change the first element of the argument vector for scripts
3695 ($0 in the shell) due to the way the kernel runs script interpreters.
3696 Instead of being a normal path, it will refer to a file descriptor.
3702 A workaround is to use the
3704 environment variable instead.
3708 setting is only used when the command is matched by path name.
3709 It has no effect if the command is matched by the built-in
3713 This setting is only supported by version 1.8.20 or higher.
3714 If the operating system does not support the
3716 system call, this setting has no effect.
3718 A string containing a
3720 group plugin with optional arguments.
3721 The string should consist of the plugin
3722 path, either fully-qualified or relative to the
3724 directory, followed by any configuration arguments the plugin requires.
3725 These arguments (if any) will be passed to the plugin's initialization function.
3726 If arguments are present, the string must be enclosed in double quotes
3729 For more information see
3730 .Sx "GROUP PROVIDER PLUGINS" .
3732 This option controls when a short lecture will be printed along with
3733 the password prompt.
3734 It has the following possible values:
3737 Always lecture the user.
3739 Never lecture the user.
3741 Only lecture the user the first time they run
3745 If no value is specified, a value of
3748 Negating the option results in a value of
3751 The default value is
3754 Path to a file containing an alternate
3756 lecture that will be used in place of the standard lecture if the named
3760 uses a built-in lecture.
3762 This option controls when a password will be required when a user runs
3767 It has the following possible values:
3772 file entries for the current host must have
3775 flag set to avoid entering a password.
3777 The user must always enter a password to use the
3781 At least one of the user's
3783 file entries for the current host
3786 flag set to avoid entering a password.
3788 The user need never enter a password to use the
3793 If no value is specified, a value of
3796 Negating the option results in a value of
3799 The default value is
3804 log file (not the syslog log file).
3805 Setting a path turns on logging to a file;
3806 negating this option turns it off.
3811 Flags to use when invoking mailer.
3815 Path to mail program used to send warning mail.
3816 Defaults to the path to sendmail found at configure time.
3818 Address to use for the
3820 address when sending warning and error mail.
3821 The address should be enclosed in double quotes
3828 Defaults to the name of the user running
3831 Address to send warning and error mail to.
3832 The address should be enclosed in double quotes
3841 .It restricted_env_file
3843 .Em restricted_env_file
3844 option specifies the fully qualified path to a file containing variables
3845 to be set in the environment of the program being run.
3846 Entries in this file should either be of the form
3847 .Dq Li VARIABLE=value
3849 .Dq Li export VARIABLE=value .
3850 The value may optionally be surrounded by single or double quotes.
3851 Variables in this file are only added if the variable does not already
3852 exist in the environment.
3855 the file's contents are not trusted and are processed in a manner
3856 similar to that of the invoking user's environment.
3859 is enabled, variables in the file will only be added if they are
3860 matched by either the
3867 is disabled, variables in the file are added as long as they
3868 are not matched by the
3871 In either case, the contents of
3872 .Em restricted_env_file
3873 are processed before the contents of
3878 will use this value in place of the user's
3880 environment variable.
3881 This option can be used to reset the
3883 to a known good value that contains directories for system administrator
3887 Users in the group specified by the
3889 option are not affected by
3891 This option is @secure_path@ by default.
3893 Syslog facility if syslog is being used for logging (negate to
3894 disable syslog logging).
3898 The following syslog facilities are supported:
3915 Syslog priority to use when the user is not allowed to run a command or
3916 when authentication is unsuccessful.
3920 The following syslog priorities are supported:
3931 Negating the option or setting it to a value of
3933 will disable logging of unsuccessful commands.
3935 Syslog priority to use when the user is allowed to run a command and
3936 authentication is successful.
3942 for the list of supported syslog priorities.
3943 Negating the option or setting it to a value of
3945 will disable logging of successful commands.
3947 This option controls when a password will be required when a user runs
3952 It has the following possible values:
3957 file entries for the current host must have the
3959 flag set to avoid entering a password.
3961 The user must always enter a password to use the
3965 At least one of the user's
3967 file entries for the current host must have the
3969 flag set to avoid entering a password.
3971 The user need never enter a password to use the
3976 If no value is specified, a value of
3979 Negating the option results in a value of
3982 The default value is
3986 .Sy Lists that can be used in a boolean context :
3989 Environment variables to be removed from the user's environment
3990 unless they are considered
3992 For all variables except
3995 means that the variable's value does not contain any
4000 This can be used to guard against printf-style format vulnerabilities
4001 in poorly-written programs.
4004 variable is considered unsafe if any of the following are true:
4005 .Bl -bullet -width 1n
4007 It consists of a fully-qualified path name,
4008 optionally prefixed with a colon
4010 that does not match the location of the
4018 It contains white space or non-printable characters.
4020 It is longer than the value of
4024 The argument may be a double-quoted, space-separated list or a
4025 single value without double-quotes.
4026 The list can be replaced, added to, deleted from, or disabled by using
4033 operators respectively.
4034 Regardless of whether the
4036 option is enabled or disabled, variables specified by
4038 will be preserved in the environment if they pass the aforementioned check.
4039 The global list of environment variables to check is displayed when
4046 Environment variables to be removed from the user's environment when the
4048 option is not in effect.
4049 The argument may be a double-quoted, space-separated list or a
4050 single value without double-quotes.
4051 The list can be replaced, added to, deleted from, or disabled by using the
4057 operators respectively.
4058 The global list of environment variables to remove is displayed when
4060 is run by root with the
4063 Note that many operating systems will remove potentially dangerous
4064 variables from the environment of any setuid process (such as
4067 Environment variables to be preserved in the user's environment when the
4069 option is in effect.
4070 This allows fine-grained control over the environment
4071 .Nm sudo Ns -spawned
4072 processes will receive.
4073 The argument may be a double-quoted, space-separated list or a
4074 single value without double-quotes.
4075 The list can be replaced, added to, deleted from, or disabled by using the
4081 operators respectively.
4082 The global list of variables to keep
4085 is run by root with the
4091 environment variable has security implications since many programs use it
4092 when searching for configuration or data files.
4097 may enable a user to run unrestricted commands via
4099 and is strongly discouraged.
4100 Users wishing to edit files with
4106 to get their accustomed editor configuration instead of
4107 invoking the editor directly.
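The env_check rules described above, as an added example that is not sudoers code: a listed variable is kept only if its value contains neither a percent sign nor a slash, while TZ gets its own checks (an absolute path must live under the zoneinfo directory, no white space or non-printable characters, and a length limit). The zoneinfo location and the PATH_MAX value are assumptions here, as is the sample environment.

```python
# Assumed, system-specific values; adjust for the host being modelled.
ZONEINFO_DIR = "/usr/share/zoneinfo"
PATH_MAX = 4096


def tz_is_safe(value: str) -> bool:
    """TZ legitimately contains '/', so it is checked by its own rules."""
    tz = value[1:] if value.startswith(":") else value     # optional ':' prefix
    if tz.startswith("/") and not tz.startswith(ZONEINFO_DIR + "/"):
        return False          # absolute path outside the zoneinfo directory
    if any(c.isspace() or not c.isprintable() for c in value):
        return False          # white space or non-printable characters
    if len(value) >= PATH_MAX:
        return False          # too long to be a real zone file name
    return True


def is_safe(name: str, value: str) -> bool:
    """Generic rule: no '%' (printf-style formats) and no '/' (path tricks)."""
    if name == "TZ":
        return tz_is_safe(value)
    return "%" not in value and "/" not in value


def apply_env_check(env: dict, env_check) -> tuple:
    """Return (kept, removed).

    Variables named in env_check are removed when unsafe and kept when safe,
    regardless of env_reset.  Variables not in env_check are passed through
    untouched here; env_reset, env_delete and env_keep are not modelled.
    """
    kept, removed = {}, []
    for name, value in env.items():
        if name in env_check and not is_safe(name, value):
            removed.append(name)
        else:
            kept[name] = value
    return kept, removed


# Constructed sample environment, not captured from a real system.
SAMPLE_ENV = {
    "COLORTERM": "truecolor",
    "LANG": "en_US.UTF-8",
    "LC_ALL": "../../etc/locale",          # contains '/', unsafe
    "TERM": "xterm%n%n",                   # contains '%', unsafe
    "TZ": ":/usr/share/zoneinfo/Europe/Berlin",
    "HOME": "/home/millert",               # not in env_check, left alone
}
SAMPLE_ENV_CHECK = {"COLORTERM", "LANG", "LC_ALL", "TERM", "TZ"}

if __name__ == "__main__":
    kept, removed = apply_env_check(SAMPLE_ENV, SAMPLE_ENV_CHECK)
    print("removed:", removed)
    print("kept:", sorted(kept))
```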
4109 .Sh GROUP PROVIDER PLUGINS
4112 plugin supports its own plugin interface to allow non-Unix
4113 group lookups which can query a group source other
4114 than the standard Unix group database.
4115 This can be used to implement support for the
4117 syntax described earlier.
4119 Group provider plugins are specified via the
4124 should consist of the plugin path, either fully-qualified or relative to the
4126 directory, followed by any configuration options the plugin requires.
4127 These options (if specified) will be passed to the plugin's initialization
4129 If options are present, the string must be enclosed in double quotes
4132 The following group provider plugins are installed by default:
4137 plugin supports an alternate group file that uses the same syntax as the
4140 The path to the group file should be specified as an option
4142 For example, if the group file to be used is
4143 .Pa /etc/sudo-group :
4145 Defaults group_plugin="group_file.so /etc/sudo-group"
4150 plugin supports group lookups via the standard C library functions
4154 This plugin can be used in instances where the user belongs to
4155 groups not present in the user's supplemental group vector.
4156 This plugin takes no options:
4158 Defaults group_plugin=system_group.so
4162 The group provider plugin API is described in detail in
4163 .Xr sudo_plugin @mansectform@ .
4166 can log events using either
4168 or a simple log file.
4169 The log format is almost identical in both cases.
4170 .Ss Accepted command log entries
4171 Commands that sudo runs are logged using the following format (split
4172 into multiple lines for readability):
4173 .Bd -literal -offset 4n
4174 date hostname progname: username : TTY=ttyname ; PWD=cwd ; \e
4175 USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \e
4176 ENV=env_vars COMMAND=command
4179 Where the fields are as follows:
4182 The date the command was run.
4183 Typically, this is in the format
4184 .Dq MMM, DD, HH:MM:SS .
4187 the actual date format is controlled by the syslog daemon.
4188 If logging to a file and the
4191 the date will also include the year.
4193 The name of the host
4196 This field is only present when logging via
4199 The name of the program, usually
4203 This field is only present when logging via
4206 The login name of the user who ran
4209 The short name of the terminal (e.g.,
4217 if there was no terminal present.
4219 The current working directory that
4223 The user the command was run as.
4225 The group the command was run as if one was specified on the command line.
4227 An I/O log identifier that can be used to replay the command's output.
4228 This is only present when the
4234 A list of environment variables specified on the command line,
4237 The actual command that was executed.
4240 Messages are logged using the locale specified by
4241 .Em sudoers_locale ,
4242 which defaults to the
4245 .Ss Denied command log entries
4246 If the user is not allowed to run the command, the reason for the denial
4247 will follow the user name.
4248 Possible reasons include:
4250 .It user NOT in sudoers
4251 The user is not listed in the
4254 .It user NOT authorized on host
4255 The user is listed in the
4257 file but is not allowed to run commands on the host.
4258 .It command not allowed
4259 The user is listed in the
4261 file for the host but they are not allowed to run the specified command.
4262 .It 3 incorrect password attempts
4263 The user failed to enter their password after 3 tries.
4264 The actual number of tries will vary based on the number of
4265 failed attempts and the value of the
4268 .It a password is required
4271 option was specified but a password was required.
4272 .It sorry, you are not allowed to set the following environment variables
4273 The user specified environment variables on the command line that
4277 .Ss Error log entries
4280 will log a message and, in most cases, send a message to the
4281 administrator via email.
4282 Possible errors include:
4284 .It parse error in @sysconfdir@/sudoers near line N
4286 encountered an error when parsing the specified file.
4287 In some cases, the actual error may be one line above or below the
4288 line number listed, depending on the type of error.
4289 .It problem with defaults entries
4292 file contains one or more unknown Defaults settings.
4293 This does not prevent
4295 from running, but the
4297 file should be checked using
4299 .It timestamp owner (username): \&No such user
4300 The time stamp directory owner, as specified by the
4302 setting, could not be found in the password database.
4303 .It unable to open/read @sysconfdir@/sudoers
4306 file could not be opened for reading.
4307 This can happen when the
4309 file is located on a remote file system that maps user ID 0 to
4315 file using group permissions to avoid this problem.
4316 Consider either changing the ownership of
4317 .Pa @sysconfdir@/sudoers
4318 or adding an argument like
4322 is the user ID that owns the
4324 file) to the end of the
4328 .Xr sudo.conf @mansectform@
4330 .It unable to stat @sysconfdir@/sudoers
4332 .Pa @sysconfdir@/sudoers
4334 .It @sysconfdir@/sudoers is not a regular file
4336 .Pa @sysconfdir@/sudoers
4337 file exists but is not a regular file or symbolic link.
4338 .It @sysconfdir@/sudoers is owned by uid N, should be 0
4341 file has the wrong owner.
4342 If you wish to change the
4344 file owner, please add
4348 is the user ID that owns the
4354 .Xr sudo.conf @mansectform@
4356 .It @sysconfdir@/sudoers is world writable
4357 The permissions on the
4359 file allow all users to write to it.
4362 file must not be world-writable, the default file mode
4363 is 0440 (readable by owner and group, writable by none).
4364 The default mode may be changed via the
4370 .Xr sudo.conf @mansectform@
4372 .It @sysconfdir@/sudoers is owned by gid N, should be 1
4375 file has the wrong group ownership.
4376 If you wish to change the
4378 file group ownership, please add
4382 is the group ID that owns the
4388 .Xr sudo.conf @mansectform@
4390 .It unable to open @rundir@/ts/username
4392 was unable to read or create the user's time stamp file.
4393 This can happen when
4395 is set to a user other than root and the mode on
4397 is not searchable by group or other.
4398 The default mode for
4401 .It unable to write to @rundir@/ts/username
4403 was unable to write to the user's time stamp file.
4404 .It @rundir@/ts is owned by uid X, should be Y
4405 The time stamp directory is owned by a user other than
4406 .Em timestampowner .
4407 This can occur when the value of
4411 will ignore the time stamp directory until the owner is corrected.
4412 .It @rundir@/ts is group writable
4413 The time stamp directory is group-writable; it should be writable only by
4414 .Em timestampowner .
4415 The default mode for the time stamp directory is 0700.
4417 will ignore the time stamp directory until the mode is corrected.
4419 .Ss Notes on logging via syslog
4429 fields are added by the system's
4434 As such, they may vary in format on different systems.
4436 The maximum size of syslog messages varies from system to system.
4439 setting can be used to change the maximum syslog message size
4440 from the default value of 980 bytes.
4441 For more information, see the description of
4443 .Ss Notes on logging to a file
4448 will log to a local file, such as
4450 When logging to a file,
4452 uses a format similar to
4454 with a few important differences:
4461 fields are not present.
4466 the date will also include the year.
4468 Lines that are longer than
4470 characters (80 by default) are word-wrapped and continued on the
4471 next line with a four character indent.
4472 This makes entries easier to read for a human being, but makes it
4473 more difficult to use
4478 option is set to 0 (or negated with a
4480 word wrap will be disabled.
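A parser for the accepted and denied entry formats described above, as an added example that is not part of sudo: it re-joins entries that were word-wrapped with a four-character indent, splits the fields, and recognises a denial reason following the user name. The sample entries are constructed (logfile= format with log_year set), and the hostname and progname fields that syslog would add are not present.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class SudoLogEntry:
    date: str
    user: str
    reason: Optional[str]     # None for an accepted command
    fields: dict              # TTY, PWD, USER, GROUP, TSID, ENV ...
    command: str

    @property
    def accepted(self) -> bool:
        return self.reason is None


# Constructed sample, not real log data: entries longer than loglinelen are
# word-wrapped and continued on the next line with a four-space indent.
SAMPLE_LOGFILE = """\
Jan 17 09:12:45 2023 : millert : TTY=pts/3 ; PWD=/home/millert ; USER=root ;
    GROUP=wheel ; TSID=0100A5 ; ENV=LANG=C COMMAND=/usr/bin/systemctl restart
    nginx
Jan 17 09:13:02 2023 : bostley : command not allowed ; TTY=pts/1 ;
    PWD=/home/bostley ; USER=root ; COMMAND=/usr/bin/su
Jan 17 09:13:40 2023 : crawl : 3 incorrect password attempts ; TTY=pts/2 ;
    PWD=/home/crawl ; USER=root ; COMMAND=/bin/bash
"""


def unwrap(text: str) -> list:
    """Re-join word-wrapped lines so each element is one complete entry."""
    entries = []
    for line in text.splitlines():
        if line.startswith("    ") and entries:
            entries[-1] += " " + line.strip()
        elif line.strip():
            entries.append(line.rstrip())
    return entries


def parse_entry(entry: str) -> SudoLogEntry:
    """Parse 'date : user : [reason ;] KEY=value ; ... COMMAND=command'."""
    date, user, rest = entry.split(" : ", 2)
    head, sep, command = rest.partition("COMMAND=")   # COMMAND is always last
    if not sep:
        raise ValueError(f"no COMMAND field in {entry!r}")
    fields, reason = {}, None
    for item in head.rstrip(" ;").split(" ; "):
        key, eq, value = item.partition("=")
        if eq:
            fields[key] = value      # ENV=LANG=C keeps its inner '=' intact
        else:
            reason = item            # a denial reason follows the user name
    return SudoLogEntry(date, user, reason, fields, command)


def parse_log(text: str) -> list:
    return [parse_entry(entry) for entry in unwrap(text)]


def denied(text: str) -> list:
    """(user, reason, command) for each denied entry, e.g. to feed an alert."""
    return [(e.user, e.reason, e.command)
            for e in parse_log(text) if not e.accepted]


if __name__ == "__main__":
    for user, reason, command in denied(SAMPLE_LOGFILE):
        print(f"DENIED {user}: {reason} ({command})")
```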
4483 When I/O logging is enabled,
4485 will run the command in a pseudo-terminal and log all user input and/or output,
4486 depending on which options are enabled.
4487 I/O is logged to the directory specified by the
4494 using a unique session ID that is included in the
4496 log line, prefixed with
4500 option may be used to control the format of the session ID.
4502 Each I/O log is stored in a separate directory that contains the
4506 a text file containing the time the command was run, the name of the user
4509 the name of the target user, the name of the target group (optional),
4512 was run from, the number of rows and columns of the terminal,
4513 the working directory the command was run from and the path name of
4514 the command itself (with arguments if present)
4516 a log of the amount of time between, and the number of bytes in, each
4517 I/O log entry (used for session playback)
4519 input from the user's tty (what the user types)
4521 input from a pipe or file
4523 output from the pseudo-terminal (what the command writes to the screen)
4525 standard output to a pipe or redirected to a file
4527 standard error to a pipe or redirected to a file
4530 All files other than
4532 are compressed in gzip format unless the
4534 flag has been disabled.
4535 Due to buffering, it is not normally possible to display the I/O logs in
4536 real-time as the program is executing.
4537 The I/O log data will not be complete until the program run by
4539 has exited or has been terminated by a signal.
4542 flag can be used to disable buffering, in which case I/O log data
4543 is written to disk as soon as it is available.
4544 The output portion of an I/O log file can be viewed with the
4545 .Xr sudoreplay @mansectsu@
4546 utility, which can also be used to list or search the available logs.
4548 Note that user input may contain sensitive information such as
4549 passwords (even if they are not echoed to the screen), which will
4550 be stored in the log file unencrypted.
4551 In most cases, logging the command output via
4555 is all that is required.
4557 Since each session's I/O logs are stored in a separate directory,
4558 traditional log rotation utilities cannot be used to limit the
4560 The simplest way to limit the number of I/O logs is by setting the
4562 option to the maximum number of logs you wish to store.
4563 Once the I/O log sequence number reaches
4565 it will be reset to zero and
4567 will truncate and re-use any existing I/O logs.
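The iolog_dir and iolog_file escape expansion and the maxseq wrap-around described above, as an added example that is not sudo's own code: the sequence number is rendered as six upper-case base-36 digits split into two-digit directories, %{...} escapes and strftime escapes are expanded, and the sequence wraps to zero when it reaches maxseq. The directory names, user names and timestamp are constructed; the replacement of a trailing run of X characters is noted but not modelled.

```python
import re
import string
from datetime import datetime

BASE36 = string.digits + string.ascii_uppercase
SEQ_DIGITS = 6
SEQ_LIMIT = 36 ** SEQ_DIGITS         # largest value six base-36 digits can hold
ESCAPE_RE = re.compile(r"%\{(\w+)\}")

# Constructed timestamp used by the demo below.
SAMPLE_TIME = datetime(2023, 1, 17, 9, 12, 45)


def format_seq(seq: int) -> str:
    """Six upper-case base-36 digits, e.g. 1679981 -> 0100A5."""
    if not 0 <= seq < SEQ_LIMIT:
        raise ValueError(f"sequence number {seq} out of range")
    digits = []
    for _ in range(SEQ_DIGITS):
        seq, rem = divmod(seq, 36)
        digits.append(BASE36[rem])
    return "".join(reversed(digits))


def seq_to_path(seq_str: str) -> str:
    """Every two digits form a directory: 0100A5 -> 01/00/A5."""
    return "/".join(seq_str[i:i + 2] for i in range(0, len(seq_str), 2))


def next_seq(seq: int, maxseq: int) -> int:
    """Advance the sequence; on reaching maxseq it resets to zero, after which
    the existing I/O logs at the re-used path are truncated and overwritten."""
    maxseq = min(maxseq, SEQ_LIMIT)
    return (seq + 1) % maxseq


def expand(template: str, values: dict, when: datetime) -> str:
    """Expand %{name} escapes, then let strftime handle the rest (%% -> %)."""
    def substitute(match):
        name = match.group(1)
        if name not in values:
            raise ValueError(f"unknown escape %{{{name}}}")
        # keep a '%' inside a substituted value away from strftime
        return values[name].replace("%", "%%")
    return when.strftime(ESCAPE_RE.sub(substitute, template))


def iolog_path(iolog_dir, iolog_file, seq, user, group, runas_user,
               runas_group, hostname, command, when):
    values = {
        "seq": seq_to_path(format_seq(seq)),
        "user": user, "group": group,
        "runas_user": runas_user, "runas_group": runas_group,
        "hostname": hostname, "command": command,
    }
    # Not modelled: a file name ending in six or more X's would have them
    # replaced with a unique combination of digits and letters.
    return expand(iolog_dir, values, when) + "/" + expand(iolog_file, values, when)


if __name__ == "__main__":
    who = dict(user="millert", group="staff", runas_user="root",
               runas_group="wheel", hostname="anchor", command="systemctl")
    print(iolog_path("/var/log/sudo-io", "%{seq}", 1679981, when=SAMPLE_TIME, **who))
    print(iolog_path("/var/log/sudo-io/%{user}", "%Y%m%d-%H%M%S-%{runas_user}",
                     0, when=SAMPLE_TIME, **who))
```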
4570 .It Pa @sysconfdir@/sudo.conf
4571 Sudo front end configuration
4572 .It Pa @sysconfdir@/sudoers
4573 List of who can run what
4576 .It Pa /etc/netgroup
4577 List of network groups
4581 Directory containing time stamps for the
4584 .It Pa @vardir@/lectured
4585 Directory containing lecture status files for the
4588 .It Pa /etc/environment
4589 Initial environment for
4591 mode on AIX and Linux systems
4597 Admittedly, some of these are a bit contrived.
4598 First, we allow a few environment variables to pass and then define our
4601 # Run X applications through sudo; HOME is used to find the
4602 # .Xauthority file. Note that other programs use HOME to find
4603 # configuration files and this may lead to privilege escalation!
4604 Defaults env_keep += "DISPLAY HOME"
4606 # User alias specification
4607 User_Alias FULLTIMERS = millert, mikef, dowdy
4608 User_Alias PARTTIMERS = bostley, jwfox, crawl
4609 User_Alias WEBMASTERS = will, wendy, wim
4611 # Runas alias specification
4612 Runas_Alias OP = root, operator
4613 Runas_Alias DB = oracle, sybase
4614 Runas_Alias ADMINGRP = adm, oper
4616 # Host alias specification
4617 Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
4618 SGI = grolsch, dandelion, black :\e
4619 ALPHA = widget, thalamus, foobar :\e
4620 HPPA = boa, nag, python
4621 Host_Alias CUNETS = 128.138.0.0/255.255.0.0
4622 Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
4623 Host_Alias SERVERS = master, mail, www, ns
4624 Host_Alias CDROM = orion, perseus, hercules
4626 # Cmnd alias specification
4627 Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
4628 /usr/sbin/restore, /usr/sbin/rrestore,\e
4629 sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \e
4630 /home/operator/bin/start_backups
4631 Cmnd_Alias KILL = /usr/bin/kill
4632 Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
4633 Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
4634 Cmnd_Alias HALT = /usr/sbin/halt
4635 Cmnd_Alias REBOOT = /usr/sbin/reboot
4636 Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\e
4637 /usr/local/bin/tcsh, /usr/bin/rsh,\e
4639 Cmnd_Alias SU = /usr/bin/su
4640 Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
4643 Here we override some of the compiled in default values.
4650 facility in all cases.
4651 We don't want to subject the full time staff to the
4655 need not give a password, and we don't want to reset the
4659 environment variables when running commands as root.
4660 Additionally, on the machines in the
4663 we keep an additional local log file and make sure we log the year
4664 in each log line since the log entries will be kept around for several years.
4665 Lastly, we disable shell escapes for the commands in the PAGERS
4673 Note that this will not effectively constrain users with
4678 # Override built-in defaults
4679 Defaults syslog=auth
4680 Defaults>root !set_logname
4681 Defaults:FULLTIMERS !lecture
4682 Defaults:millert !authenticate
4683 Defaults@SERVERS log_year, logfile=/var/log/sudo.log
4684 Defaults!PAGERS noexec
4688 .Em User specification
4689 is the part that actually determines who may run what.
4691 root ALL = (ALL) ALL
4692 %wheel ALL = (ALL) ALL
4697 and any user in group
4699 run any command on any host as any user.
4701 FULLTIMERS ALL = NOPASSWD: ALL
4711 may run any command on any host without authenticating themselves.
4713 PARTTIMERS ALL = ALL
4721 may run any command on any host but they must authenticate themselves
4722 first (since the entry lacks the
4731 may run any command on the machines in the
4737 .Li 128.138.242.0 ) .
4738 Of those networks, only
4740 has an explicit netmask (in CIDR notation) indicating it is a class C network.
4741 For the other networks in
4743 the local machine's netmask will be used during matching.
4750 may run any command on any host in the
4752 alias (the class B network
4755 operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e
4756 sudoedit /etc/printcap, /usr/oper/bin/
4761 user may run commands limited to simple maintenance.
4762 Here, those are commands related to backups, killing processes, the
4763 printing system, shutting down the system, and any commands in the
4765 .Pa /usr/oper/bin/ .
4766 Note that one command in the
4768 Cmnd_Alias includes a sha224 digest,
4769 .Pa /home/operator/bin/start_backups .
4770 This is because the directory containing the script is writable by the
4772 If the script is modified (resulting in a digest mismatch) it will no longer
4773 be possible to run it via
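Generating and verifying the digest that precedes a command, as in the sha224 entry in the DUMPS alias above, as an added example that is not part of sudo: the value after the colon is the raw digest either in hex or, as on this page, base64-encoded. It goes beyond the example by also accepting the other digest types sudoers recognises (sha256, sha384, sha512).

```python
import base64
import hashlib
import hmac

DIGEST_ALGOS = ("sha224", "sha256", "sha384", "sha512")


def sudoers_digest(data: bytes, algo: str = "sha224", encoding: str = "base64") -> str:
    """Return the 'algo:digest' prefix written before a command in sudoers."""
    if algo not in DIGEST_ALGOS:
        raise ValueError(f"unsupported digest type {algo}")
    raw = hashlib.new(algo, data).digest()
    if encoding == "base64":
        return f"{algo}:{base64.b64encode(raw).decode('ascii')}"
    if encoding == "hex":
        return f"{algo}:{raw.hex()}"
    raise ValueError(f"unknown encoding {encoding}")


def parse_digest_spec(spec: str) -> tuple:
    """Split 'sha224:...' into (algo, raw digest bytes), accepting hex or base64."""
    algo, sep, value = spec.partition(":")
    if not sep or algo not in DIGEST_ALGOS:
        raise ValueError(f"malformed digest spec {spec!r}")
    size = hashlib.new(algo).digest_size
    # Hex is always exactly 2*size characters; anything else is tried as base64.
    if len(value) == 2 * size:
        raw = bytes.fromhex(value)
    else:
        raw = base64.b64decode(value, validate=True)
    if len(raw) != size:
        raise ValueError(f"{algo} digest must be {size} bytes, got {len(raw)}")
    return algo, raw


def digest_matches(data: bytes, spec: str) -> bool:
    """True if data hashes to the digest in spec (constant-time comparison)."""
    algo, expected = parse_digest_spec(spec)
    return hmac.compare_digest(hashlib.new(algo, data).digest(), expected)


def digest_entry(path: str, algo: str = "sha224") -> str:
    """Build the 'sha224:... /path' fragment for a Cmnd_Alias from a file."""
    with open(path, "rb") as fh:
        return f"{sudoers_digest(fh.read(), algo)} {path}"


if __name__ == "__main__":
    script = b"#!/bin/sh\n/usr/sbin/dump 0uf /dev/nst0 /\n"   # constructed content
    spec = sudoers_digest(script)
    print(spec, "/home/operator/bin/start_backups")
    # A modified script no longer matches, so sudo would refuse to run it.
    print(digest_matches(script + b"rm -rf /tmp/x\n", spec))
```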
4776 joe ALL = /usr/bin/su operator
4785 pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*
4787 %opers ALL = (: ADMINGRP) /usr/sbin/
4792 group may run commands in
4795 with any group in the
4806 is allowed to change anyone's password except for
4810 Because command line arguments are matched as a single,
4811 concatenated string, the
4816 This example assumes that
4818 does not take multiple user names on the command line.
4819 Note that on GNU systems, options to
4821 may be specified after the user argument.
4822 As a result, this rule will also allow:
4823 .Bd -literal -offset 4n
4824 passwd username --expire
4827 which may not be desirable.
4829 bob SPARC = (OP) ALL : SGI = (OP) ALL
4834 may run anything on the
4838 machines as any user listed in the
4852 may run any command on machines in the
4858 is a netgroup due to the
4862 +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
4867 netgroup need to help manage the printers as well as add and remove users,
4868 so they are allowed to run those commands on all machines.
4870 fred ALL = (DB) NOPASSWD: ALL
4875 can run commands as any user in the
4883 without giving a password.
4885 john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
4892 may su to anyone except root but he is not allowed to specify any options
4897 jen ALL, !SERVERS = ALL
4902 may run any command on any machine except for those in the
4905 (master, mail, www and ns).
4907 jill SERVERS = /usr/bin/, !SU, !SHELLS
4910 For any machine in the
4915 any commands in the directory
4917 except for those commands
4923 While not specifically mentioned in the rule, the commands in the
4932 steve CSNETS = (operator) /usr/local/op_commands/
4937 may run any command in the directory /usr/local/op_commands/
4938 but only as user operator.
4940 matt valkyrie = KILL
4943 On his personal workstation, valkyrie,
4945 needs to be able to kill hung processes.
4947 WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
4950 On the host www, any user in the
4953 (will, wendy, and wim), may run any command as user www (which owns the
4954 web pages) or simply
4958 ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
4959 /sbin/mount -o nosuid\e,nodev /dev/cd0a /CDROM
4962 Any user may mount or unmount a CD-ROM on the machines in the CDROM
4964 (orion, perseus, hercules) without entering a password.
4965 This is a bit tedious for users to type, so it is a prime candidate
4966 for encapsulating in a shell script.
.Ss Limitations of the So !\& Sc operator
It is generally not effective to
A user can trivially circumvent this by copying the desired command
to a different name and then executing that.
bill ALL = ALL, !SU, !SHELLS
Doesn't really prevent
from running the commands listed in
since he can simply copy those commands to a different name, or use
a shell escape from an editor or other program.
Therefore, these kinds of restrictions should be considered
advisory at best (and reinforced by policy).
In general, if a user has sudo
there is nothing to prevent them from creating their own program that gives
them a root shell (or making their own copy of a shell) regardless of any
elements in the user specification.
.Ss Security implications of Em fast_glob
option is in use, it is not possible to reliably negate commands where the
path name includes globbing (aka wildcard) characters.
This is because the C library's
function cannot resolve relative paths.
While this is typically only an inconvenience for rules that grant privileges,
it can result in a security issue for rules that subtract or revoke privileges.
For example, given the following
john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\e
    /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
.Li /usr/bin/passwd root
is enabled by changing to
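The fast_glob failure described above, as an added Python model that is not sudo's own code: with fast_glob the command name is matched against the wildcard path exactly as typed (fnmatch-style, so a relative ./passwd never matches /usr/bin/*), while by default the pattern is expanded like glob(3) and the expansions are compared with the file the user actually named. The temporary directory standing in for /usr/bin, the inode comparison for literal paths and the names path_matches, spec_permitted and john_passwd_root are assumptions made for this example.

```python
import fnmatch
import glob
import os
import tempfile

GLOB_CHARS = set("*?[")

def path_matches(sudoers_cmnd: str, user_cmnd: str, cwd: str, fast_glob: bool) -> bool:
    """Simplified model of sudoers command path matching (an assumption, not sudo's code)."""
    typed = os.path.join(cwd, user_cmnd)  # a relative name such as ./passwd resolves against cwd
    if not os.path.exists(typed):
        return False
    if not (GLOB_CHARS & set(sudoers_cmnd)):
        # Literal path: compare the actual files, so ./passwd run from
        # /usr/bin is the same file as /usr/bin/passwd.
        return os.path.samefile(typed, sudoers_cmnd)
    if fast_glob:
        # fast_glob: fnmatch(3)-style match on the path exactly as typed,
        # which cannot resolve ./passwd against /usr/bin/*.
        return fnmatch.fnmatchcase(user_cmnd, sudoers_cmnd)
    # Default: expand the pattern like glob(3) and compare the real files.
    return any(os.path.samefile(typed, p) for p in glob.glob(sudoers_cmnd))

def spec_permitted(specs, user_cmnd: str, user_args: str, cwd: str, fast_glob: bool) -> bool:
    """specs: list of (negated, path, args_pattern). The last matching spec wins."""
    allowed = False
    for negated, path, args in specs:
        if path_matches(path, user_cmnd, cwd, fast_glob) and fnmatch.fnmatchcase(user_args, args):
            allowed = not negated
    return allowed

def john_passwd_root() -> dict:
    """Replays the page's john rule against a constructed stand-in for /usr/bin."""
    with tempfile.TemporaryDirectory() as top:
        usrbin = os.path.join(top, "usr", "bin")
        os.makedirs(usrbin)
        open(os.path.join(usrbin, "passwd"), "w").close()  # stand-in for /usr/bin/passwd
        specs = [
            (False, os.path.join(usrbin, "passwd"), "[a-zA-Z0-9]*"),  # /usr/bin/passwd [a-zA-Z0-9]*
            (True, os.path.join(usrbin, "*"), "root"),                # !/usr/bin/* root
        ]
        return {
            # (fast_glob off, fast_glob on) for each way of naming the command
            "absolute": tuple(spec_permitted(specs, os.path.join(usrbin, "passwd"), "root", top, fg)
                              for fg in (False, True)),
            "relative": tuple(spec_permitted(specs, "./passwd", "root", usrbin, fg)
                              for fg in (False, True)),
        }
```

The "relative" entry is the case the page warns about: the negation holds by default but not with fast_glob on.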
.Ss Preventing shell escapes
executes a program, that program is free to do whatever
it pleases, including running other programs.
This can be a security issue since it is not uncommon for a program to
allow shell escapes, which lets a user bypass
access control and logging.
Common programs that permit shell escapes include shells (obviously),
editors, paginators, mail and terminal programs.
There are two basic approaches to this problem:
Avoid giving users access to commands that allow the user to run
Many editors have a restricted mode where shell
escapes are disabled, though
is a better solution to
Due to the large number of programs that
offer shell escapes, restricting users to the set of programs that
do not is often unworkable.
Many systems that support shared libraries have the ability to
override default library functions by pointing an environment
to an alternate shared library.
functionality can be used to prevent a program run by
from executing any other programs.
Note, however, that this applies only to native dynamically-linked
Statically-linked executables and foreign executables
running under binary emulation are not affected.
feature is known to work on SunOS, Solaris, *BSD,
Linux, IRIX, Tru64 UNIX, macOS, HP-UX 11.x and AIX 5.3 and above.
It should be supported on most operating systems that support the
environment variable.
Check your operating system's manual pages for the dynamic linker
(usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
On Solaris 10 and higher,
uses Solaris privileges instead of the
environment variable.
for a command, use the
in the User Specification section above.
Here is that example again:
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
This will prevent those two commands from
executing other commands (such as a shell).
If you are unsure whether or not your system is capable of supporting
you can always just try it out and check whether shell escapes work when
Note that restricting shell escapes is not a panacea.
Programs running as root are still capable of many potentially hazardous
operations (such as changing or overwriting files) that could lead
to unintended privilege escalation.
In the specific case of an editor, a safer approach is to give the
user permission to run
support which allows users to securely edit files with the editor
is a built-in command, it must be specified in the
file without a leading path.
However, it may take command line arguments just as a normal command does.
command line arguments are expected to be path names, so a forward slash
will not be matched by a wildcard.
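An added Python model (not sudo's code) of two argument-matching rules on this page: pete's rule in the examples above, where all command line arguments are matched as one concatenated string so that "passwd username --expire" is still allowed, and the sudoedit rule just stated, where arguments are path names and a wildcard does not match a forward slash. The small glob-to-regex translator reimplements fnmatch(3) semantics for the example, and the EDIT_ETC rule is constructed here rather than taken from the page.

```python
import re

def glob_to_regex(pattern: str, pathname: bool = False) -> str:
    """Translate a sudoers wildcard pattern to a regex. pathname=True mirrors
    fnmatch(3) FNM_PATHNAME, which sudoers uses for sudoedit arguments:
    '*' and '?' then never match a '/'."""
    any_char = "[^/]" if pathname else "."
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append(any_char + "*")
        elif c == "?":
            out.append(any_char)
        elif c == "[" and (end := pattern.find("]", i + 1)) != -1:
            body = pattern[i + 1:end]                  # '[!-]' means "not a dash"
            out.append("[" + ("^" + body[1:] if body.startswith("!") else body) + "]")
            i = end
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out) + r"\Z"

def args_match(spec_args, user_args: str, command: str) -> bool:
    """All command line arguments are matched as one concatenated string."""
    if spec_args is None:      # no arguments in sudoers: any arguments allowed
        return True
    if spec_args == '""':      # empty string in sudoers: no arguments allowed
        return user_args == ""
    regex = glob_to_regex(spec_args, pathname=(command == "sudoedit"))
    return re.match(regex, user_args) is not None

def permitted(specs, command: str, argv: list) -> bool:
    """specs: list of (negated, command, args_pattern). As in sudoers the last
    matching entry decides, so a trailing '!' entry revokes an earlier grant."""
    user_args = " ".join(argv)
    allowed = False
    for negated, spec_cmnd, spec_args in specs:
        if spec_cmnd == command and args_match(spec_args, user_args, command):
            allowed = not negated
    return allowed

# pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*   (rule from the page)
PETE = [(False, "/usr/bin/passwd", "[A-Za-z]*"), (True, "/usr/bin/passwd", "*root*")]
# Constructed sudoedit rule with a wildcard, to show that '/' is not matched by it.
EDIT_ETC = [(False, "sudoedit", "/etc/*")]
```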
commands, the editor is run with the permissions of the invoking
user and with the environment unmodified.
More information may be found in the description of the
.Xr sudo @mansectsu@ .
For example, to allow user operator to edit the
.Dq message of the day
.Bd -literal -offset indent
operator sudoedit /etc/motd
.Ed
The operator user then runs
.Bd -literal -offset indent
$ sudoedit /etc/motd
.Ed
The editor will run as the operator user, not root, on a temporary copy of
After the file has been edited,
will be updated with the contents of the temporary copy.
permission to edit a file that resides in a directory the user
has write access to, either directly or via a wildcard.
If the user has write access to the directory it is possible to
replace the legitimate file with a link to another file,
allowing the editing of arbitrary files.
To prevent this, starting with version 1.8.16, symbolic links will
not be followed in writable directories and
will refuse to edit a file located in a writable directory
.Em sudoedit_checkdir
option has been disabled or the invoking user is root.
Additionally, in version 1.8.15 and higher,
will refuse to open a symbolic link unless either the
option is enabled or the
command is prefixed with the
.Ss Time stamp file checks
will check the ownership of its time stamp directory
and ignore the directory's contents if it is not owned by root or
if it is writable by a user other than root.
stored time stamp files in
this is no longer recommended as it may be possible for a user
to create the time stamp themselves on systems that allow
unprivileged users to change the ownership of files they create.
While the time stamp directory
be cleared at reboot time, not all systems contain a
To avoid potential problems,
will ignore time stamp files that date from before the machine booted
on systems where the boot time is available.
Some systems with graphical desktop environments allow unprivileged
users to change the system clock.
relies on the system clock for time stamp validation, it may be
possible on such systems for a user to run
.Em timestamp_timeout
by setting the clock back.
uses a monotonic clock (which never moves backwards) for its time stamps
if the system supports it.
will not honor time stamps set far in the future.
Time stamps with a date greater than current_time + 2 *
will log and complain.
the time stamp record includes the device number of the terminal
the user authenticated with.
This provides per-terminal granularity but time stamp records may still
outlive the user's session.
the time stamp record also includes the session ID of the process
that last authenticated.
This prevents processes in different terminal sessions from using
the same time stamp record.
On systems where a process's start time can be queried,
the start time of the session leader
is recorded in the time stamp record.
If no terminal is present or the
the start time of the parent process is used instead.
In most cases this will prevent a time stamp record from being re-used
without the user entering a password when logging out and back in again.
Versions 1.8.4 and higher of the
plugin support a flexible debugging framework that can help track
down what the plugin is doing internally if there is a problem.
This can be configured in the
.Xr sudo.conf @mansectform@
plugin uses the same debug flag format as the
.Em subsystem Ns @ Ns Em priority .
The priorities used by
in order of decreasing severity,
.Em crit , err , warn , notice , diag , info , trace
Each priority, when specified, also includes all priorities higher
For example, a priority of
would include debug messages logged at
The following subsystems are used by the
matches every subsystem
BSM and Linux audit code
environment handling
matching of users, groups, hosts and netgroups in the
network interface handling
network service switch handling in
pseudo-terminal related code
redblack tree internals
Debug sudo /var/log/sudo_debug match@info,nss@info
For more information, see the
.Xr sudo.conf @mansectform@
.Xr sudo.conf @mansectform@ ,
.Xr sudo_plugin @mansectform@ ,
.Xr sudoers.ldap @mansectform@ ,
.Xr sudoers_timestamp @mansectform@ ,
.Xr sudo @mansectsu@ ,
.Xr visudo @mansectsu@
Many people have worked on
over the years; this version consists of code written primarily by:
.Bd -ragged -offset indent
.Ed
See the CONTRIBUTORS file in the
distribution (https://www.sudo.ws/contributors.html) for an
exhaustive list of people who have contributed to
command which locks the file and does grammatical checking.
file be free of syntax errors since
will not run with a syntactically incorrect
When using netgroups of machines (as opposed to users), if you
store fully qualified host names in the netgroup (as is usually the
case), you either need to have the machine's host name be fully qualified
If you feel you have found a bug in
please submit a bug report at https://bugzilla.sudo.ws/
Limited free support is available via the sudo-users mailing list,
see https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
See the LICENSE file distributed with
or https://www.sudo.ws/license.html for complete details.