#define I_FQDN 21
#define I_INSULTS 22
#define I_REQUIRETTY 23
+#define I_ENVEDITOR 24
/* Integer values */
-#define I_LOGLEN 24 /* wrap log file line after N chars */
-#define I_TS_TIMEOUT 25 /* timestamp stale after N minutes */
-#define I_PW_TIMEOUT 26 /* exit if pass not entered in N minutes */
-#define I_PW_TRIES 27 /* exit after N bad password tries */
-#define I_UMASK 28 /* umask to use or 0777 to use user's */
+#define I_LOGLEN 25 /* wrap log file line after N chars */
+#define I_TS_TIMEOUT 26 /* timestamp stale after N minutes */
+#define I_PW_TIMEOUT 27 /* exit if pass not entered in N minutes */
+#define I_PW_TRIES 28 /* exit after N bad password tries */
+#define I_UMASK 29 /* umask to use or 0777 to use user's */
/* Strings */
-#define I_LOGFILE 29 /* path to logfile (or NULL for none) */
-#define I_MAILERPATH 30 /* path to sendmail or other mailer */
-#define I_MAILERFLAGS 31 /* flags to pass to the mailer */
-#define I_MAILTO 32 /* who to send bitch mail to */
-#define I_MAILSUB 33 /* subject line of mail msg */
-#define I_BADPASS_MSG 34 /* what to say when passwd is wrong */
-#define I_TIMESTAMPDIR 35 /* path to timestamp dir */
-#define I_EXEMPT_GRP 36 /* no password or PATH override for these */
-#define I_PASSPROMPT 37 /* password prompt */
-#define I_RUNAS_DEF 38 /* default user to run commands as */
-#define I_SECURE_PATH 39 /* set $PATH to this if not NULL */
+#define I_LOGFILE 30 /* path to logfile (or NULL for none) */
+#define I_MAILERPATH 31 /* path to sendmail or other mailer */
+#define I_MAILERFLAGS 32 /* flags to pass to the mailer */
+#define I_MAILTO 33 /* who to send bitch mail to */
+#define I_MAILSUB 34 /* subject line of mail msg */
+#define I_BADPASS_MSG 35 /* what to say when passwd is wrong */
+#define I_TIMESTAMPDIR 36 /* path to timestamp dir */
+#define I_EXEMPT_GRP 37 /* no password or PATH override for these */
+#define I_PASSPROMPT 38 /* password prompt */
+#define I_RUNAS_DEF 39 /* default user to run commands as */
+#define I_SECURE_PATH 40 /* set $PATH to this if not NULL */
+#define I_EDITOR 41 /* path to editor used by visudo */
/* Integer versions of list/verify options */
-#define I_LISTPW 40
-#define I_VERIFYPW 41
+#define I_LISTPW 42
+#define I_VERIFYPW 43
/* String versions of list/verify options */
-#define I_LISTPWSTR 42
-#define I_VERIFYPWSTR 43
+#define I_LISTPWSTR 44
+#define I_VERIFYPWSTR 45
/*
* Macros for accessing sudo_defs_table.
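Review bot: inserting I_ENVEDITOR at 24 and I_EDITOR at 41 shifts twenty existing defines by hand, and that is only safe if sudo_defs_table (which the macros below index by these constants) is reordered identically in the same change; a single missed slot makes a flag lookup land on an integer or string entry with no compile-time error. Range tests keyed on the first constant of each group (everything below I_LOGLEN is a flag, everything from I_LOGFILE is a string) keep working, but any hard-coded number elsewhere will not. Please confirm the table update is part of this patch, and consider defining the indices as an enum so the next option does not require re-editing every line, plus a check that the table's element count equals I_VERIFYPWSTR + 1.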
-26/Jan/2000 1.6.2 1
+15/Feb/2000 1.6.2 1
-26/Jan/2000 1.6.2 2
+15/Feb/2000 1.6.2 2
-26/Jan/2000 1.6.2 3
+15/Feb/2000 1.6.2 3
-26/Jan/2000 1.6.2 4
+15/Feb/2000 1.6.2 4
-26/Jan/2000 1.6.2 5
+15/Feb/2000 1.6.2 5
flag to prevent a user from entering a visible
password. This flag is off by default.
+ enveditor If set, visudo will use the value of the
+ EDITOR or VISUAL environment falling back on
+ the default editor. Note that this may create
+ a security hole as most editors allow a user
+ to get a shell (which would be a root shell
+ and not be logged).
+
I\bI\bI\bIn\bn\bn\bnt\bt\bt\bte\be\be\beg\bg\bg\bge\be\be\ber\br\br\brs\bs\bs\bs:
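Review bot: the enveditor entry does not state its default, whereas the flag just above it ends with "This flag is off by default."; since the paragraph warns that enabling it yields an unlogged root shell, the default must be spelled out so nobody reads the text as describing current behaviour. "the value of the EDITOR or VISUAL environment" should be "environment variable", and the entry should say which of the two wins when both are set. The warning can also be made concrete: because the program named in EDITOR or VISUAL is whatever the invoking user put there, a sudoers grant limited to visudo becomes, with this flag on, permission to run any program as root, so the risk is escalation from a visudo-only grant, not merely an unlogged shell escape from the editor.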
passwd_tries
his/her password before sudo logs the failure
and exits. The default is 3.
- I\bI\bI\bIn\bn\bn\bnt\bt\bt\bte\be\be\beg\bg\bg\bge\be\be\ber\br\br\brs\bs\bs\bs t\bt\bt\bth\bh\bh\bha\ba\ba\bat\bt\bt\bt c\bc\bc\bca\ba\ba\ban\bn\bn\bn b\bb\bb\bbe\be\be\be u\bu\bu\bus\bs\bs\bse\be\be\bed\bd\bd\bd i\bi\bi\bin\bn\bn\bn a\ba\ba\ba b\bb\bb\bbo\bo\bo\boo\bo\bo\bol\bl\bl\ble\be\be\bea\ba\ba\ban\bn\bn\bn c\bc\bc\bco\bo\bo\bon\bn\bn\bnt\bt\bt\bte\be\be\bex\bx\bx\bxt\bt\bt\bt:
- loglinelen Number of characters per line for the file
- log. This value is used to decide when to
- wrap lines for nicer log files. This has no
- effect on the syslog log file, only the file
- log. The default is 80 (use 0 or negate to
-
-26/Jan/2000 1.6.2 6
+15/Feb/2000 1.6.2 6
sudoers(5) FILE FORMATS sudoers(5)
+ I\bI\bI\bIn\bn\bn\bnt\bt\bt\bte\be\be\beg\bg\bg\bge\be\be\ber\br\br\brs\bs\bs\bs t\bt\bt\bth\bh\bh\bha\ba\ba\bat\bt\bt\bt c\bc\bc\bca\ba\ba\ban\bn\bn\bn b\bb\bb\bbe\be\be\be u\bu\bu\bus\bs\bs\bse\be\be\bed\bd\bd\bd i\bi\bi\bin\bn\bn\bn a\ba\ba\ba b\bb\bb\bbo\bo\bo\boo\bo\bo\bol\bl\bl\ble\be\be\bea\ba\ba\ban\bn\bn\bn c\bc\bc\bco\bo\bo\bon\bn\bn\bnt\bt\bt\bte\be\be\bex\bx\bx\bxt\bt\bt\bt:
+
+ loglinelen Number of characters per line for the file
+ log. This value is used to decide when to
+ wrap lines for nicer log files. This has no
+ effect on the syslog log file, only the file
+ log. The default is 80 (use 0 or negate to
disable word wrap).
timestamp_timeout
flag is not specified on the command line.
This defaults to "root".
- syslog_goodpri
- Syslog priority to use when user authenticates
- successfully. Defaults to "notice".
-
- syslog_badpri
- Syslog priority to use when user authenticates
- unsuccessfully. Defaults to "alert".
-26/Jan/2000 1.6.2 7
+15/Feb/2000 1.6.2 7
sudoers(5) FILE FORMATS sudoers(5)
+ syslog_goodpri
+ Syslog priority to use when user authenticates
+ successfully. Defaults to "notice".
+
+ syslog_badpri
+ Syslog priority to use when user authenticates
+ unsuccessfully. Defaults to "alert".
+
+ editor Path to the editor to be used by visudo. The
+ default is the path to vi on your system.
+
S\bS\bS\bSt\bt\bt\btr\br\br\bri\bi\bi\bin\bn\bn\bng\bg\bg\bgs\bs\bs\bs t\bt\bt\bth\bh\bh\bha\ba\ba\bat\bt\bt\bt c\bc\bc\bca\ba\ba\ban\bn\bn\bn b\bb\bb\bbe\be\be\be u\bu\bu\bus\bs\bs\bse\be\be\bed\bd\bd\bd i\bi\bi\bin\bn\bn\bn a\ba\ba\ba b\bb\bb\bbo\bo\bo\boo\bo\bo\bol\bl\bl\ble\be\be\bea\ba\ba\ban\bn\bn\bn c\bc\bc\bco\bo\bo\bon\bn\bn\bnt\bt\bt\bte\be\be\bex\bx\bx\bxt\bt\bt\bt:
syslog Syslog facility if syslog is being used for
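Review bot: the new editor entry should state how it interacts with the enveditor flag documented above; presumably this path is used unless enveditor is set and EDITOR or VISUAL is present, and it is also the "default editor" that text falls back on, but as written the two entries read as unrelated. "The default is the path to vi on your system" describes a value fixed when sudo is built, so say it is determined at configure time rather than discovered at run time. Since visudo runs as root, the entry should also require an absolute path: if the implementation hands a bare name to a PATH search, the editor is resolved through root's PATH, which is the kind of lookup the secure_path option (I_SECURE_PATH above) exists to prevent.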
never The user need never enter a password to use
the B<-v> flag.
- always The user must always enter a password to use
- the B<-v> flag.
-
- The default value is `all'.
- listpw This option controls when a password will be
- required when a user runs sudo with the -\b-\b-\b-l\bl\bl\bl.
- It has the following possible values:
+15/Feb/2000 1.6.2 8
-26/Jan/2000 1.6.2 8
-
+sudoers(5) FILE FORMATS sudoers(5)
+ always The user must always enter a password to use
+ the B<-v> flag.
-sudoers(5) FILE FORMATS sudoers(5)
+ The default value is `all'.
+ listpw This option controls when a password will be
+ required when a user runs sudo with the -\b-\b-\b-l\bl\bl\bl.
+ It has the following possible values:
all All the user's I<sudoers> entries for the
current host must have the C<NOPASSWD>
Let's break that down into its constituent parts:
- R\bR\bR\bRu\bu\bu\bun\bn\bn\bna\ba\ba\bas\bs\bs\bs_\b_\b_\b_S\bS\bS\bSp\bp\bp\bpe\be\be\bec\bc\bc\bc
- A Runas_Spec is simply a Runas_List (as defined above)
- enclosed in a set of parentheses. If you do not specify a
- Runas_Spec in the user specification, a default Runas_Spec
- of r\br\br\bro\bo\bo\boo\bo\bo\bot\bt\bt\bt will be used. A Runas_Spec sets the default for
- commands that follow it. What this means is that for the
- entry:
+15/Feb/2000 1.6.2 9
-26/Jan/2000 1.6.2 9
+sudoers(5) FILE FORMATS sudoers(5)
-sudoers(5) FILE FORMATS sudoers(5)
+ R\bR\bR\bRu\bu\bu\bun\bn\bn\bna\ba\ba\bas\bs\bs\bs_\b_\b_\b_S\bS\bS\bSp\bp\bp\bpe\be\be\bec\bc\bc\bc
+ A Runas_Spec is simply a Runas_List (as defined above)
+ enclosed in a set of parentheses. If you do not specify a
+ Runas_Spec in the user specification, a default Runas_Spec
+ of r\br\br\bro\bo\bo\boo\bo\bo\bot\bt\bt\bt will be used. A Runas_Spec sets the default for
+ commands that follow it. What this means is that for the
+ entry:
dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/who
pertain to the current host. This behavior may be
overridden via the verifypw and listpw options.
- W\bW\bW\bWi\bi\bi\bil\bl\bl\bld\bd\bd\bdc\bc\bc\bca\ba\ba\bar\br\br\brd\bd\bd\bds\bs\bs\bs (\b(\b(\b(a\ba\ba\bak\bk\bk\bka\ba\ba\ba m\bm\bm\bme\be\be\bet\bt\bt\bta\ba\ba\ba c\bc\bc\bch\bh\bh\bha\ba\ba\bar\br\br\bra\ba\ba\bac\bc\bc\bct\bt\bt\bte\be\be\ber\br\br\brs\bs\bs\bs)\b)\b)\b):\b:\b:\b:
- s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo allows shell-style _\bw_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs to be used in pathnames
- as well as command line arguments in the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
- Wildcard matching is done via the P\bP\bP\bPO\bO\bO\bOS\bS\bS\bSI\bI\bI\bIX\bX\bX\bX fnmatch(3)
- routine. Note that these are _\bn_\bo_\bt regular expressions.
- * Matches any set of zero or more characters.
+15/Feb/2000 1.6.2 10
-26/Jan/2000 1.6.2 10
+sudoers(5) FILE FORMATS sudoers(5)
+ W\bW\bW\bWi\bi\bi\bil\bl\bl\bld\bd\bd\bdc\bc\bc\bca\ba\ba\bar\br\br\brd\bd\bd\bds\bs\bs\bs (\b(\b(\b(a\ba\ba\bak\bk\bk\bka\ba\ba\ba m\bm\bm\bme\be\be\bet\bt\bt\bta\ba\ba\ba c\bc\bc\bch\bh\bh\bha\ba\ba\bar\br\br\bra\ba\ba\bac\bc\bc\bct\bt\bt\bte\be\be\ber\br\br\brs\bs\bs\bs)\b)\b)\b):\b:\b:\b:
-sudoers(5) FILE FORMATS sudoers(5)
+ s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo allows shell-style _\bw_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs to be used in pathnames
+ as well as command line arguments in the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
+ Wildcard matching is done via the P\bP\bP\bPO\bO\bO\bOS\bS\bS\bSI\bI\bI\bIX\bX\bX\bX fnmatch(3)
+ routine. Note that these are _\bn_\bo_\bt regular expressions.
+ * Matches any set of zero or more characters.
? Matches any single character.
dangerous since in a command context, it allows the user
to run a\ba\ba\ban\bn\bn\bny\by\by\by command on the system.
- An exclamation point ('!') can be used as a logical _\bn_\bo_\bt
- operator both in an _\ba_\bl_\bi_\ba_\bs and in front of a Cmnd. This
- allows one to exclude certain values. Note, however, that
- using a ! in conjunction with the built in ALL alias to
- allow a user to run "all but a few" commands rarely works
- as intended (see SECURITY NOTES below).
-
- Long lines can be continued with a backslash ('\') as the
- last character on the line.
-26/Jan/2000 1.6.2 11
+15/Feb/2000 1.6.2 11
sudoers(5) FILE FORMATS sudoers(5)
+ An exclamation point ('!') can be used as a logical _\bn_\bo_\bt
+ operator both in an _\ba_\bl_\bi_\ba_\bs and in front of a Cmnd. This
+ allows one to exclude certain values. Note, however, that
+ using a ! in conjunction with the built in ALL alias to
+ allow a user to run "all but a few" commands rarely works
+ as intended (see SECURITY NOTES below).
+
+ Long lines can be continued with a backslash ('\') as the
+ last character on the line.
+
Whitespace between elements in a list as well as specicial
syntactic characters in a _\bU_\bs_\be_\br _\bS_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn ('=', ':',
'(', ')') is optional.
/usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
- Here we override some of the compiled in default values.
- We want sudo to log via _\bs_\by_\bs_\bl_\bo_\bg(3) using the _\ba_\bu_\bt_\bh facility
- in all cases. We don't want to subject the full time
- staff to the s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo lecture, and user m\bm\bm\bmi\bi\bi\bil\bl\bl\bll\bl\bl\ble\be\be\ber\br\br\brt\bt\bt\bt need not give
- a password. In addition, on the machines in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS
- Host_Alias, we keep an additional local log file and make
- sure we log the year in each log line since the log
- entries will be kept around for several years.
-
-
-26/Jan/2000 1.6.2 12
+15/Feb/2000 1.6.2 12
sudoers(5) FILE FORMATS sudoers(5)
+ Here we override some of the compiled in default values.
+ We want sudo to log via _\bs_\by_\bs_\bl_\bo_\bg(3) using the _\ba_\bu_\bt_\bh facility
+ in all cases. We don't want to subject the full time
+ staff to the s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo lecture, and user m\bm\bm\bmi\bi\bi\bil\bl\bl\bll\bl\bl\ble\be\be\ber\br\br\brt\bt\bt\bt need not give
+ a password. In addition, on the machines in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS
+ Host_Alias, we keep an additional local log file and make
+ sure we log the year in each log line since the log
+ entries will be kept around for several years.
+
# Override builtin defaults
Defaults syslog=auth
Defaults:FULLTIMERS !lecture
/usr/oper/bin/
The o\bo\bo\bop\bp\bp\bpe\be\be\ber\br\br\bra\ba\ba\bat\bt\bt\bto\bo\bo\bor\br\br\br user may run commands limited to simple
- maintenance. Here, those are commands related to backups,
- killing processes, the printing system, shutting down the
- system, and any commands in the directory _\b/_\bu_\bs_\br_\b/_\bo_\bp_\be_\br_\b/_\bb_\bi_\bn_\b/.
- joe ALL = /usr/bin/su operator
- The user j\bj\bj\bjo\bo\bo\boe\be\be\be may only _\bs_\bu(1) to operator.
- pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
+15/Feb/2000 1.6.2 13
+
-26/Jan/2000 1.6.2 13
+sudoers(5) FILE FORMATS sudoers(5)
+ maintenance. Here, those are commands related to backups,
+ killing processes, the printing system, shutting down the
+ system, and any commands in the directory _\b/_\bu_\bs_\br_\b/_\bo_\bp_\be_\br_\b/_\bb_\bi_\bn_\b/.
+ joe ALL = /usr/bin/su operator
-sudoers(5) FILE FORMATS sudoers(5)
+ The user j\bj\bj\bjo\bo\bo\boe\be\be\be may only _\bs_\bu(1) to operator.
+ pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
The user p\bp\bp\bpe\be\be\bet\bt\bt\bte\be\be\be is allowed to change anyone's password
except for root on the _\bH_\bP_\bP_\bA machines. Note that this
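Review bot: this example line is only being moved, but `[A-z]*` is not the alphabetic class the explanation implies: with fnmatch(3) in the C locale the range A-z also covers the six ASCII characters between Z and a (the bracket, backslash, caret, underscore and backquote group), and in other locales ranges are collation-dependent; `[A-Za-z]*` says what is meant. Also, since `*` is documented a few lines up as matching any set of zero or more characters, a space included, the pattern admits further arguments after the user name, and an example that readers will copy into real sudoers files should either say so or show a tighter form.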
any commands in the directory /usr/bin/ except for those
commands belonging to the _\bS_\bU and _\bS_\bH_\bE_\bL_\bL_\bS Cmnd_Aliases.
- steve CSNETS = (operator) /usr/local/op_commands/
- The user s\bs\bs\bst\bt\bt\bte\be\be\bev\bv\bv\bve\be\be\be may run any command in the directory
- /usr/local/op_commands/ but only as user operator.
- matt valkyrie = KILL
+15/Feb/2000 1.6.2 14
- On his personal workstation, valkyrie, m\bm\bm\bma\ba\ba\bat\bt\bt\btt\bt\bt\bt needs to be
- able to kill hung processes.
-26/Jan/2000 1.6.2 14
+sudoers(5) FILE FORMATS sudoers(5)
+ steve CSNETS = (operator) /usr/local/op_commands/
+ The user s\bs\bs\bst\bt\bt\bte\be\be\bev\bv\bv\bve\be\be\be may run any command in the directory
+ /usr/local/op_commands/ but only as user operator.
-sudoers(5) FILE FORMATS sudoers(5)
+ matt valkyrie = KILL
+ On his personal workstation, valkyrie, m\bm\bm\bma\ba\ba\bat\bt\bt\btt\bt\bt\bt needs to be
+ able to kill hung processes.
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
hostname be fully-qualified as returned by the hostname
command or use the _\bf_\bq_\bd_\bn option in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+
+
+
+
+15/Feb/2000 1.6.2 15
+
+
+
+
+
+sudoers(5) FILE FORMATS sudoers(5)
+
+
F\bF\bF\bFI\bI\bI\bIL\bL\bL\bLE\bE\bE\bES\bS\bS\bS
/etc/sudoers List of who can run what
/etc/group Local groups file
-26/Jan/2000 1.6.2 15
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+15/Feb/2000 1.6.2 16
-26/Jan/2000 1.6.2 16
+15/Feb/2000 1.6.2 17
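Review bot: almost all of this diff is pagination churn from the footer change (26/Jan/2000 to 15/Feb/2000) and the page count growing from 16 to 17, ending here in some fifty added blank lines; the substantive content is two new Defaults entries and the header renumbering. If the formatted sudoers(5) page must stay in the tree, regenerate it in a separate commit from the source edit so reviewers can see the real change, and confirm that visudo(8), the tool whose behaviour enveditor and editor actually alter, receives the same description, since no hunk for it appears here.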