#define I_FQDN 21
#define I_INSULTS 22
#define I_REQUIRETTY 23
-#define I_ENVEDITOR 24
+#define I_ENV_EDITOR 24
+#define I_ROOTPW 25
+#define I_RUNASPW 26
+#define I_TARGETPW 27
/* Integer values */
-#define I_LOGLEN 25 /* wrap log file line after N chars */
-#define I_TS_TIMEOUT 26 /* timestamp stale after N minutes */
-#define I_PW_TIMEOUT 27 /* exit if pass not entered in N minutes */
-#define I_PW_TRIES 28 /* exit after N bad password tries */
-#define I_UMASK 29 /* umask to use or 0777 to use user's */
+#define I_LOGLEN 28 /* wrap log file line after N chars */
+#define I_TS_TIMEOUT 29 /* timestamp stale after N minutes */
+#define I_PW_TIMEOUT 30 /* exit if pass not entered in N minutes */
+#define I_PW_TRIES 31 /* exit after N bad password tries */
+#define I_UMASK 32 /* umask to use or 0777 to use user's */
/* Strings */
-#define I_LOGFILE 30 /* path to logfile (or NULL for none) */
-#define I_MAILERPATH 31 /* path to sendmail or other mailer */
-#define I_MAILERFLAGS 32 /* flags to pass to the mailer */
-#define I_MAILTO 33 /* who to send bitch mail to */
-#define I_MAILSUB 34 /* subject line of mail msg */
-#define I_BADPASS_MSG 35 /* what to say when passwd is wrong */
-#define I_TIMESTAMPDIR 36 /* path to timestamp dir */
-#define I_EXEMPT_GRP 37 /* no password or PATH override for these */
-#define I_PASSPROMPT 38 /* password prompt */
-#define I_RUNAS_DEF 39 /* default user to run commands as */
-#define I_SECURE_PATH 40 /* set $PATH to this if not NULL */
-#define I_EDITOR 41 /* path to editor used by visudo */
+#define I_LOGFILE 33 /* path to logfile (or NULL for none) */
+#define I_MAILERPATH 34 /* path to sendmail or other mailer */
+#define I_MAILERFLAGS 35 /* flags to pass to the mailer */
+#define I_MAILTO 36 /* who to send bitch mail to */
+#define I_MAILSUB 37 /* subject line of mail msg */
+#define I_BADPASS_MSG 38 /* what to say when passwd is wrong */
+#define I_TIMESTAMPDIR 39 /* path to timestamp dir */
+#define I_EXEMPT_GRP 40 /* no password or PATH override for these */
+#define I_PASSPROMPT 41 /* password prompt */
+#define I_RUNAS_DEF 42 /* default user to run commands as */
+#define I_SECURE_PATH 43 /* set $PATH to this if not NULL */
+#define I_EDITOR 44 /* path to editor used by visudo */
/* Integer versions of list/verify options */
-#define I_LISTPW 42
-#define I_VERIFYPW 43
+#define I_LISTPW 45
+#define I_VERIFYPW 46
/* String versions of list/verify options */
-#define I_LISTPWSTR 44
-#define I_VERIFYPWSTR 45
+#define I_LISTPWSTR 47
+#define I_VERIFYPWSTR 48
/*
* Macros for accessing sudo_defs_table.
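Review bot: inserting I_ROOTPW, I_RUNASPW and I_TARGETPW at 25-27 renumbers every constant from `+#define I_LOGLEN 28` through `+#define I_VERIFYPWSTR 48`, and the comment closing the hunk says these values are used to access sudo_defs_table, so the three new entries must be added to that table at exactly the same positions and in the same order; otherwise every option after I_REQUIRETTY silently reads a neighbouring slot (an off-by-one here would, for example, make I_PW_TRIES read the I_PW_TIMEOUT entry). A comment next to the new defines saying that the numbering must match the table, or an initialisation-time check that the table's name for each index matches, would make the coupling visible. The same hunk also renames I_ENVEDITOR to I_ENV_EDITOR without any functional reason stated; confirm every reference to the old name is updated, and consider keeping the rename out of a change that otherwise adds three password-source options.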
to get a shell (which would be a root shell
and not be logged).
- I\bI\bI\bIn\bn\bn\bnt\bt\bt\bte\be\be\beg\bg\bg\bge\be\be\ber\br\br\brs\bs\bs\bs:
-
- passwd_tries
- The number of tries a user gets to enter
- his/her password before sudo logs the failure
- and exits. The default is 3.
+ rootpw If set, sudo will prompt for the root password
+ instead of the password of the invoking user.
+ runaspw If set, sudo will prompt for the password of
+ the user defined by the _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt option
+ (defaults to root) instead of the password of
+ the invoking user.
sudoers(5) FILE FORMATS sudoers(5)
+ targetpw If set, sudo will prompt for the password of
+ the user specified by the -u flag (defaults to
+ root) instead of the password of the invoking
+ user.
+
+ I\bI\bI\bIn\bn\bn\bnt\bt\bt\bte\be\be\beg\bg\bg\bge\be\be\ber\br\br\brs\bs\bs\bs:
+
+ passwd_tries
+ The number of tries a user gets to enter
+ his/her password before sudo logs the failure
+ and exits. The default is 3.
+
I\bI\bI\bIn\bn\bn\bnt\bt\bt\bte\be\be\beg\bg\bg\bge\be\be\ber\br\br\brs\bs\bs\bs t\bt\bt\bth\bh\bh\bha\ba\ba\bat\bt\bt\bt c\bc\bc\bca\ba\ba\ban\bn\bn\bn b\bb\bb\bbe\be\be\be u\bu\bu\bus\bs\bs\bse\be\be\bed\bd\bd\bd i\bi\bi\bin\bn\bn\bn a\ba\ba\ba b\bb\bb\bbo\bo\bo\boo\bo\bo\bol\bl\bl\ble\be\be\bea\ba\ba\ban\bn\bn\bn c\bc\bc\bco\bo\bo\bon\bn\bn\bnt\bt\bt\bte\be\be\bex\bx\bx\bxt\bt\bt\bt:
loglinelen Number of characters per line for the file
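Review bot: the new rootpw, runaspw and targetpw entries each say sudo prompts for some other account's password "instead of the password of the invoking user", but nothing states what happens when more than one of them is set; add a sentence giving the precedence, or state that they are mutually exclusive, so an administrator can predict which account is actually authenticated. The targetpw text is also slightly inaccurate against the existing runas_default entry: it says "the user specified by the -u flag (defaults to root)", whereas when -u is not given the target is whatever runas_default is set to, which merely defaults to root. Suggest "the user specified by the -u flag (or the runas_default user if -u is not given)". Since each of these options means the invoking user must know another account's password, a short note that this changes what a non-NOPASSWD entry is protecting would help readers choose between them deliberately.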
timestamp files. The default is either
/var/run/sudo or /tmp/sudo.
- passprompt The default prompt to use when asking for a
- password; can be overridden via the -p option
- or the SUDO_PROMPT environment variable.
- Supports two escapes: "%u" expands to the
- user's login name and "%h" expands to the
- local hostname. The default value is
- "Password:".
-
- runas_default
- The default user to run commands as if the -u
- flag is not specified on the command line.
- This defaults to "root".
sudoers(5) FILE FORMATS sudoers(5)
+ passprompt The default prompt to use when asking for a
+ password; can be overridden via the -p option
+ or the SUDO_PROMPT environment variable.
+ Supports two escapes: "%u" expands to the
+ user's login name and "%h" expands to the
+ local hostname. The default value is
+ "Password:".
+
+ runas_default
+ The default user to run commands as if the -u
+ flag is not specified on the command line.
+ This defaults to "root".
+
syslog_goodpri
Syslog priority to use when user authenticates
successfully. Defaults to "notice".
verifypw This option controls when a password will be
required when a user runs sudo with the -\b-\b-\b-v\bv\bv\bv.
+
+
+
+18/Feb/2000 1.6.3 8
+
+
+
+
+
+sudoers(5) FILE FORMATS sudoers(5)
+
+
It has the following possible values:
all All the user's I<sudoers> entries for the
never The user need never enter a password to use
the B<-v> flag.
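Review bot: this hunk, and the similar ones through the end of the file, only move the rendered page footer and header lines (`18/Feb/2000 1.6.3 8` and `sudoers(5) FILE FORMATS sudoers(5)`) and re-flow unchanged text such as passprompt and runas_default to make room for the three new options; the wording itself is unchanged. Because the committed file is the formatted output (the overstrike sequences and page breaks show this), every documentation change drags a cascade of pagination-only hunks through the rest of the page, which makes the real change harder to review. Consider generating the formatted manual at build time from the source, or at least say in the commit message that everything after the targetpw entry is re-pagination, so reviewers can focus on the new option text.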
-
-
-18/Feb/2000 1.6.3 8
-
-
-
-
-
-sudoers(5) FILE FORMATS sudoers(5)
-
-
always The user must always enter a password to use
the B<-v> flag.
User_Spec ::= User_list Host_List '=' User_List Cmnd_Spec_List \
(':' User_Spec)*
- Cmnd_Spec_List ::= Cmnd_Spec |
- Cmnd_Spec ',' Cmnd_Spec_List
- Cmnd_Spec ::= Runas_Spec? ('NOPASSWD:' | 'PASSWD:')? Cmnd
- Runas_Spec ::= '(' Runas_List ')'
- A u\bu\bu\bus\bs\bs\bse\be\be\ber\br\br\br s\bs\bs\bsp\bp\bp\bpe\be\be\bec\bc\bc\bci\bi\bi\bif\bf\bf\bfi\bi\bi\bic\bc\bc\bca\ba\ba\bat\bt\bt\bti\bi\bi\bio\bo\bo\bon\bn\bn\bn determines which commands a user may
- run (and as what user) on specified hosts. By default,
- commands are run as r\br\br\bro\bo\bo\boo\bo\bo\bot\bt\bt\bt but this can be changed on a per-
- command basis.
+18/Feb/2000 1.6.3 9
- Let's break that down into its constituent parts:
-18/Feb/2000 1.6.3 9
+sudoers(5) FILE FORMATS sudoers(5)
+ Cmnd_Spec_List ::= Cmnd_Spec |
+ Cmnd_Spec ',' Cmnd_Spec_List
+ Cmnd_Spec ::= Runas_Spec? ('NOPASSWD:' | 'PASSWD:')? Cmnd
+ Runas_Spec ::= '(' Runas_List ')'
-sudoers(5) FILE FORMATS sudoers(5)
+ A u\bu\bu\bus\bs\bs\bse\be\be\ber\br\br\br s\bs\bs\bsp\bp\bp\bpe\be\be\bec\bc\bc\bci\bi\bi\bif\bf\bf\bfi\bi\bi\bic\bc\bc\bca\ba\ba\bat\bt\bt\bti\bi\bi\bio\bo\bo\bon\bn\bn\bn determines which commands a user may
+ run (and as what user) on specified hosts. By default,
+ commands are run as r\br\br\bro\bo\bo\boo\bo\bo\bot\bt\bt\bt but this can be changed on a per-
+ command basis.
+ Let's break that down into its constituent parts:
R\bR\bR\bRu\bu\bu\bun\bn\bn\bna\ba\ba\bas\bs\bs\bs_\b_\b_\b_S\bS\bS\bSp\bp\bp\bpe\be\be\bec\bc\bc\bc
able to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl without a password the entry would
be:
+
+
+18/Feb/2000 1.6.3 10
+
+
+
+
+
+sudoers(5) FILE FORMATS sudoers(5)
+
+
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
Note however, that the PASSWD tag has no effect on users
pertain to the current host. This behavior may be
overridden via the verifypw and listpw options.
-
-
-
-18/Feb/2000 1.6.3 10
-
-
-
-
-
-sudoers(5) FILE FORMATS sudoers(5)
-
-
W\bW\bW\bWi\bi\bi\bil\bl\bl\bld\bd\bd\bdc\bc\bc\bca\ba\ba\bar\br\br\brd\bd\bd\bds\bs\bs\bs (\b(\b(\b(a\ba\ba\bak\bk\bk\bka\ba\ba\ba m\bm\bm\bme\be\be\bet\bt\bt\bta\ba\ba\ba c\bc\bc\bch\bh\bh\bha\ba\ba\bar\br\br\bra\ba\ba\bac\bc\bc\bct\bt\bt\bte\be\be\ber\br\br\brs\bs\bs\bs)\b)\b)\b):\b:\b:\b:
s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo allows shell-style _\bw_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs to be used in pathnames
The pound sign ('#') is used to indicate a comment (unless
it occurs in the context of a user name and is followed by
+
+
+
+18/Feb/2000 1.6.3 11
+
+
+
+
+
+sudoers(5) FILE FORMATS sudoers(5)
+
+
one or more digits, in which case it is treated as a uid).
Both the comment character and any text after it, up to
the end of the line, are ignored.
dangerous since in a command context, it allows the user
to run a\ba\ba\ban\bn\bn\bny\by\by\by command on the system.
-
-
-
-18/Feb/2000 1.6.3 11
-
-
-
-
-
-sudoers(5) FILE FORMATS sudoers(5)
-
-
An exclamation point ('!') can be used as a logical _\bn_\bo_\bt
operator both in an _\ba_\bl_\bi_\ba_\bs and in front of a Cmnd. This
allows one to exclude certain values. Note, however, that
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules
+
+
+
+18/Feb/2000 1.6.3 12
+
+
+
+
+
+sudoers(5) FILE FORMATS sudoers(5)
+
+
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
/usr/sbin/restore, /usr/sbin/rrestore
/usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
-
-
-
-18/Feb/2000 1.6.3 12
-
-
-
-
-
-sudoers(5) FILE FORMATS sudoers(5)
-
-
Here we override some of the compiled in default values.
We want sudo to log via _\bs_\by_\bs_\bl_\bo_\bg(3) using the _\ba_\bu_\bt_\bh facility
in all cases. We don't want to subject the full time
_\bC_\bS_\bN_\bE_\bT_\bS alias (the networks 128.138.243.0, 128.138.204.0,
and 128.138.242.0). Of those networks, only
<128.138.204.0> has an explicit netmask (in CIDR notation)
- indicating it is a class C network. For the other
- networks in _\bC_\bS_\bN_\bE_\bT_\bS, the local machine's netmask will be
- used during matching.
- lisa CUNETS = ALL
- The user l\bl\bl\bli\bi\bi\bis\bs\bs\bsa\ba\ba\ba may run any command on any host in the
- _\bC_\bU_\bN_\bE_\bT_\bS alias (the class B network 128.138.0.0).
- operator ALL = DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT,\
- /usr/oper/bin/
+18/Feb/2000 1.6.3 13
- The o\bo\bo\bop\bp\bp\bpe\be\be\ber\br\br\bra\ba\ba\bat\bt\bt\bto\bo\bo\bor\br\br\br user may run commands limited to simple
-18/Feb/2000 1.6.3 13
+sudoers(5) FILE FORMATS sudoers(5)
+ indicating it is a class C network. For the other
+ networks in _\bC_\bS_\bN_\bE_\bT_\bS, the local machine's netmask will be
+ used during matching.
+ lisa CUNETS = ALL
-sudoers(5) FILE FORMATS sudoers(5)
+ The user l\bl\bl\bli\bi\bi\bis\bs\bs\bsa\ba\ba\ba may run any command on any host in the
+ _\bC_\bU_\bN_\bE_\bT_\bS alias (the class B network 128.138.0.0).
+ operator ALL = DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT,\
+ /usr/oper/bin/
+ The o\bo\bo\bop\bp\bp\bpe\be\be\ber\br\br\bra\ba\ba\bat\bt\bt\bto\bo\bo\bor\br\br\br user may run commands limited to simple
maintenance. Here, those are commands related to backups,
killing processes, the printing system, shutting down the
system, and any commands in the directory _\b/_\bu_\bs_\br_\b/_\bo_\bp_\be_\br_\b/_\bb_\bi_\bn_\b/.
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
On the _\bA_\bL_\bP_\bH_\bA machines, user j\bj\bj\bjo\bo\bo\boh\bh\bh\bhn\bn\bn\bn may su to anyone except
- root but he is not allowed to give _\bs_\bu(1) any flags.
- jen ALL, !SERVERS = ALL
- The user j\bj\bj\bje\be\be\ben\bn\bn\bn may run any command on any machine except for
- those in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias (master, mail, www and
- ns).
- jill SERVERS = /usr/bin/, !SU, !SHELLS
+18/Feb/2000 1.6.3 14
- For any machine in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, j\bj\bj\bji\bi\bi\bil\bl\bl\bll\bl\bl\bl may run
- any commands in the directory /usr/bin/ except for those
- commands belonging to the _\bS_\bU and _\bS_\bH_\bE_\bL_\bL_\bS Cmnd_Aliases.
-18/Feb/2000 1.6.3 14
+sudoers(5) FILE FORMATS sudoers(5)
+ root but he is not allowed to give _\bs_\bu(1) any flags.
+ jen ALL, !SERVERS = ALL
-sudoers(5) FILE FORMATS sudoers(5)
+ The user j\bj\bj\bje\be\be\ben\bn\bn\bn may run any command on any machine except for
+ those in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias (master, mail, www and
+ ns).
+
+ jill SERVERS = /usr/bin/, !SU, !SHELLS
+ For any machine in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, j\bj\bj\bji\bi\bi\bil\bl\bl\bll\bl\bl\bl may run
+ any commands in the directory /usr/bin/ except for those
+ commands belonging to the _\bS_\bU and _\bS_\bH_\bE_\bL_\bL_\bS Cmnd_Aliases.
steve CSNETS = (operator) /usr/local/op_commands/
restrictions should be considered advisory at best (and
reinforced by policy).
+
+
+
+18/Feb/2000 1.6.3 15
+
+
+
+
+
+sudoers(5) FILE FORMATS sudoers(5)
+
+
C\bC\bC\bCA\bA\bA\bAV\bV\bV\bVE\bE\bE\bEA\bA\bA\bAT\bT\bT\bTS\bS\bS\bS
The _\bs_\bu_\bd_\bo_\be_\br_\bs file should a\ba\ba\bal\bl\bl\blw\bw\bw\bwa\ba\ba\bay\by\by\bys\bs\bs\bs be edited by the v\bv\bv\bvi\bi\bi\bis\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo
command which locks the file and does grammatical
hostname be fully-qualified as returned by the hostname
command or use the _\bf_\bq_\bd_\bn option in _\bs_\bu_\bd_\bo_\be_\br_\bs.
-
-
-
-
-18/Feb/2000 1.6.3 15
-
-
-
-
-
-sudoers(5) FILE FORMATS sudoers(5)
-
-
F\bF\bF\bFI\bI\bI\bIL\bL\bL\bLE\bE\bE\bES\bS\bS\bS
/etc/sudoers List of who can run what
/etc/group Local groups file
-
-
-
-
-
-
-
-
-
-
-
-
-