-23/Jan/2000 1.6.2 1
+26/Jan/2000 1.6.2 1
-23/Jan/2000 1.6.2 2
+26/Jan/2000 1.6.2 2
-23/Jan/2000 1.6.2 3
+26/Jan/2000 1.6.2 3
F\bF\bF\bFl\bl\bl\bla\ba\ba\bag\bg\bg\bgs\bs\bs\bs:
long_otp_prompt
- Put OTP prompt on its own line
+ When validating with a One Time Password
+ scheme (S\bS\bS\bS/\b/\b/\b/K\bK\bK\bKe\be\be\bey\by\by\by or O\bO\bO\bOP\bP\bP\bPI\bI\bI\bIE\bE\bE\bE), a two-line prompt is
+ used to make it easier to cut and paste the
+ challenge to a local window. It's not as
+ pretty as the default but some people find it
+ more convenient. This flag is off by default.
- ignore_dot Ignore '.' in $PATH
+ ignore_dot If set, s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo will ignore '.' or '' (current
+ dir) in $PATH; the $PATH itself is not
+ modified. This flag is off by default.
- mail_always Always send mail when sudo is run
+ mail_always Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user every time a
+ users runs sudo. This flag is off by default.
mail_no_user
- Send mail if the user is not in sudoers
+ If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user
+ if the invoking user is not in the _\bs_\bu_\bd_\bo_\be_\br_\bs
+ file. This flag is on by default.
mail_no_host
- Send mail if the user is not in sudoers for
- this host
+ If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user
+ if the invoking user exists in the _\bs_\bu_\bd_\bo_\be_\br_\bs
+ file, but is not allowed to run commands on
+ the current host. This flag is off by
+ default.
mail_no_perms
- Send mail if the user is not allowed to run a
- command
+ If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user
+ if the invoking user allowed to use sudo but
+ the command they are trying is not listed in
+ their _\bs_\bu_\bd_\bo_\be_\br_\bs file entry. This flag is off by
- tty_tickets Use a separate timestamp for each user/tty
- combo
- lecture Lecture user the first time they run sudo
- authenticate
- Require users to authenticate by default
+26/Jan/2000 1.6.2 4
- root_sudo Root may run sudo
- log_host Log the hostname in the (non-syslog) log file
- log_year Log the year in the (non-syslog) log file
+sudoers(5) FILE FORMATS sudoers(5)
-23/Jan/2000 1.6.2 4
+ default.
+ tty_tickets If set, users must authenticate on a per-tty
+ basis. Normally, s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo uses a directory in the
+ ticket dir with the same name as the user
+ running it. With this flag enabled, s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo will
+ use a file named for the tty the user is
+ logged in on in that directory. This flag is
+ off by default.
+ lecture If set, a user will receive a short lecture
+ the first time he/she runs s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo. This flag is
+ on by default.
+ authenticate
+ If set, users must authenticate themselves via
+ a password (or other means of authentication)
+ before they may run commands. This default
+ may be overridden via the PASSWD and NOPASSWD
+ tags. This flag is on by default.
+
+ root_sudo If set, root is allowed to run sudo too.
+ Disabling this prevents users from "chaining"
+ sudo commands to get a root shell by doing
+ something like "sudo sudo /bin/sh". This flag
+ is on by default.
+
+ log_host If set, the hostname will be logged in the
+ (non-syslog) s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo log file. This flag is off
+ by default.
+
+ log_year If set, the four-digit year will be logged in
+ the (non-syslog) s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo log file. This flag is
+ off by default.
+ shell_noargs
+ If set and s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo is invoked with no arguments
+ it acts as if the -s flag had been given.
+ That is, it runs a shell as root (the shell is
+ determined by the SHELL environment variable
+ if it is set, falling back on the shell listed
+ in the invoking user's /etc/passwd entry if
+ not). This flag is off by default.
-sudoers(5) FILE FORMATS sudoers(5)
+ set_home If set and s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo is invoked with the -s flag
+ the HOME environment variable will be set to
+ the home directory of the target user (which
+ is root unless the -u option is used). This
+ effectively makes the -s flag imply -H. This
+ flag is off by default.
+
+ path_info Normally, s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo will tell the user when a
+ command could not be found in their $PATH.
+ Some sites may wish to disable this as it
- shell_noargs
- If sudo is invoked with no arguments, start a
- shell
- set_home Set $HOME to the target user when starting a
- shell with -s
+26/Jan/2000 1.6.2 5
- path_info Allow some information gathering to give
- useful error messages
- fqdn Require fully-qualified hostnames in the
- sudoers file
- insults Insult the user when they enter an incorrect
- password
- requiretty Only allow the user to run sudo if they have a
- tty
+
+sudoers(5) FILE FORMATS sudoers(5)
+
+
+ could be used to gather information on the
+ location of executables that the normal user
+ does not have access to. The disadvantage is
+ that if the executable is simply not in the
+ user's $PATH, s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo will tell the user that
+ they are not allowed to run it, which can be
+ confusing. This flag is off by default.
+
+ fqdn Set this flag if you want to put fully
+ qualified hostnames in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. Ie:
+ instead of myhost you would use
+ myhost.mydomain.edu. You may still use the
+ short form if you wish (and even mix the two).
+ Beware that turning on _\bf_\bq_\bd_\bn requires sudo to
+ make DNS lookups which may make s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo unusable
+ if DNS stops working (for example if the
+ machine is not plugged into the network).
+ Also note that you must use the host's
+ official name as DNS knows it. That is, you
+ may not use a host alias (CNAME entry) due to
+ performance issues and the fact that there is
+ no way to get all aliases from DNS. If your
+ machine's hostname (as returned by the
+ hostname command) is already fully qualified
+ you shouldn't need to set _\bf_\bq_\bf_\bn. This flag is
+ off by default.
+
+ insults If set, sudo will insult users when they enter
+ an incorrect password. This flag is off by
+ default.
+
+ requiretty If set, sudo will only run when the user is
+ logged in to a real tty. This will disallow
+ things like "rsh somehost sudo ls" since
+ _\br_\bs_\bh(1) does not allocate a tty. Because it is
+ not possible to turn of echo when there is no
+ tty present, some sites may with to set this
+ flag to prevent a user from entering a visible
+ password. This flag is off by default.
I\bI\bI\bIn\bn\bn\bnt\bt\bt\bte\be\be\beg\bg\bg\bge\be\be\ber\br\br\brs\bs\bs\bs:
passwd_tries
- Number of tries to enter a password
+ The number of tries a user gets to enter
+ his/her password before sudo logs the failure
+ and exits. The default is 3.
I\bI\bI\bIn\bn\bn\bnt\bt\bt\bte\be\be\beg\bg\bg\bge\be\be\ber\br\br\brs\bs\bs\bs t\bt\bt\bth\bh\bh\bha\ba\ba\bat\bt\bt\bt c\bc\bc\bca\ba\ba\ban\bn\bn\bn b\bb\bb\bbe\be\be\be u\bu\bu\bus\bs\bs\bse\be\be\bed\bd\bd\bd i\bi\bi\bin\bn\bn\bn a\ba\ba\ba b\bb\bb\bbo\bo\bo\boo\bo\bo\bol\bl\bl\ble\be\be\bea\ba\ba\ban\bn\bn\bn c\bc\bc\bco\bo\bo\bon\bn\bn\bnt\bt\bt\bte\be\be\bex\bx\bx\bxt\bt\bt\bt:
- loglinelen Length at which to wrap log file lines (use 0
- or negate for no wrap)
+ loglinelen Number of characters per line for the file
+ log. This value is used to decide when to
+ wrap lines for nicer log files. This has no
+ effect on the syslog log file, only the file
+ log. The default is 80 (use 0 or negate to
+
+
+
+26/Jan/2000 1.6.2 6
+
+
+
+
+
+sudoers(5) FILE FORMATS sudoers(5)
+
+
+ disable word wrap).
timestamp_timeout
- Authentication timestamp timeout
+ Number of minutes that can elapse before s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo
+ will ask for a passwd again. The default is
+ 5, set this to 0 to always prompt for a
+ password.
passwd_timeout
- Password prompt timeout
+ Number of minutes before the sudo password
+ prompt times out. The default is 5, set this
+ to 0 for no password timeout.
- umask Umask to use or 0777 to use user's
+ umask Umask to use when running the root command.
+ Set this to 0777 to not override the user's
+ umask. The default is 0022.
S\bS\bS\bSt\bt\bt\btr\br\br\bri\bi\bi\bin\bn\bn\bng\bg\bg\bgs\bs\bs\bs:
- mailsub Subject line for mail messages
+ mailsub Subject of the mail sent to the _\bm_\ba_\bi_\bl_\bt_\bo user.
+ The escape %h will expand to the hostname of
+ the machine. Default is "*** SECURITY
+ information for %h ***".
badpass_message
- Incorrect password message
+ Message that is displayed if a user enters an
+ incorrect password. The default is "Sorry,
+ try again." unless insults are enabled.
timestampdir
- Path to authentication timestamp dir
-
- passprompt Default password prompt
+ The directory in which s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo stores its
+ timestamp files. The default is either
+ /var/run/sudo or /tmp/sudo.
+
+ passprompt The default prompt to use when asking for a
+ password; can be overridden via the -p option
+ or the SUDO_PROMPT environment variable.
+ Supports two escapes: "%u" expands to the
+ user's login name and "%h" expands to the
+ local hostname. The default value is
+ "Password:".
runas_default
- Default user to run commands as
+ The default user to run commands as if the -u
+ flag is not specified on the command line.
+ This defaults to "root".
syslog_goodpri
Syslog priority to use when user authenticates
+ successfully. Defaults to "notice".
+ syslog_badpri
+ Syslog priority to use when user authenticates
+ unsuccessfully. Defaults to "alert".
-23/Jan/2000 1.6.2 5
-
+26/Jan/2000 1.6.2 7
-sudoers(5) FILE FORMATS sudoers(5)
- successfully
+sudoers(5) FILE FORMATS sudoers(5)
- syslog_badpri
- Syslog priority to use when user authenticates
- unsuccessfully
S\bS\bS\bSt\bt\bt\btr\br\br\bri\bi\bi\bin\bn\bn\bng\bg\bg\bgs\bs\bs\bs t\bt\bt\bth\bh\bh\bha\ba\ba\bat\bt\bt\bt c\bc\bc\bca\ba\ba\ban\bn\bn\bn b\bb\bb\bbe\be\be\be u\bu\bu\bus\bs\bs\bse\be\be\bed\bd\bd\bd i\bi\bi\bin\bn\bn\bn a\ba\ba\ba b\bb\bb\bbo\bo\bo\boo\bo\bo\bol\bl\bl\ble\be\be\bea\ba\ba\ban\bn\bn\bn c\bc\bc\bco\bo\bo\bon\bn\bn\bnt\bt\bt\bte\be\be\bex\bx\bx\bxt\bt\bt\bt:
syslog Syslog facility if syslog is being used for
- logging (negate to disable syslog)
+ logging (negate to disable syslog logging).
+ Defaults to "local2".
- mailerpath Path to mail program
+ mailerpath Path to mail program used to send warning
+ mail. Defaults to the path to sendmail found
+ at configure time.
- mailerflags Flags for mail program
+ mailerflags Flags to use when invoking mailer. Defaults to
+ -t.
- mailto Address to send mail to
+ mailto Address to send warning and erorr mail to.
+ Defaults to "root".
exempt_group
Users in this group are exempt from password
- and PATH requirements
+ and PATH requirements. This is not set by
+ default.
- secure_path Value to override user's $PATH with
+ secure_path Path used for every command run from s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo. If
+ you don't trust the people running sudo to
+ have a sane PATH environment variable you may
+ want to use this. Another use is if you want
+ to have the "root path" be separate from the
+ "user path." This is not set by default.
verifypw This option controls when a password will be
required when a user runs sudo with the -\b-\b-\b-v\bv\bv\bv.
It has the following possible values:
- all All the user's sudoers entries for the
+ all All the user's I<sudoers> entries for the
current host must have the C<NOPASSWD>
flag set to avoid entering a password.
- any At least one of the user's sudoers entries
+ any At least one of the user's I<sudoers> entries
for the current host must have the
C<NOPASSWD> flag set to avoid entering a
password.
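Review bot: the `I<sudoers>` added to the `all` and `any` lines of the verifypw list is emitted as literal text in this formatted page, right beside the pre-existing literal `C<NOPASSWD>`, which shows that pod formatting codes are not interpreted inside this indented (verbatim) list. Either drop the codes in the pod source so the lines read plain `All the user's sudoers entries for the current host must have the NOPASSWD flag set to avoid entering a password.`, or turn the list into a non-verbatim `=over`/`=item` list where `I<>` and `C<>` do apply, and then regenerate this file.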
required when a user runs sudo with the -\b-\b-\b-l\bl\bl\bl.
It has the following possible values:
- all All the user's sudoers entries for the
- current host must have the C<NOPASSWD>
- flag set to avoid entering a password.
-
-
-23/Jan/2000 1.6.2 6
+26/Jan/2000 1.6.2 8
sudoers(5) FILE FORMATS sudoers(5)
- any At least one of the user's sudoers entries
+ all All the user's I<sudoers> entries for the
+ current host must have the C<NOPASSWD>
+ flag set to avoid entering a password.
+
+ any At least one of the user's I<sudoers> entries
for the current host must have the
C<NOPASSWD> flag set to avoid entering a
password.
commands that follow it. What this means is that for the
entry:
- dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/who
-
- The user d\bd\bd\bdg\bg\bg\bgb\bb\bb\bb may run _\b/_\bb_\bi_\bn_\b/_\bl_\bs, _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm
- -- but only as o\bo\bo\bop\bp\bp\bpe\be\be\ber\br\br\bra\ba\ba\bat\bt\bt\bto\bo\bo\bor\br\br\br. Eg.
-23/Jan/2000 1.6.2 7
+26/Jan/2000 1.6.2 9
sudoers(5) FILE FORMATS sudoers(5)
+ dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/who
+
+ The user d\bd\bd\bdg\bg\bg\bgb\bb\bb\bb may run _\b/_\bb_\bi_\bn_\b/_\bl_\bs, _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm
+ -- but only as o\bo\bo\bop\bp\bp\bpe\be\be\ber\br\br\bra\ba\ba\bat\bt\bt\bto\bo\bo\bor\br\br\br. Eg.
+
sudo -u operator /bin/ls.
It is also possible to override a Runas_Spec later on in
* Matches any set of zero or more characters.
- ? Matches any single character.
-
- [...] Matches any character in the specified range.
+26/Jan/2000 1.6.2 10
-23/Jan/2000 1.6.2 8
+sudoers(5) FILE FORMATS sudoers(5)
-sudoers(5) FILE FORMATS sudoers(5)
+ ? Matches any single character.
+ [...] Matches any character in the specified range.
[!...] Matches any character n\bn\bn\bno\bo\bo\bot\bt\bt\bt in the specified range.
Long lines can be continued with a backslash ('\') as the
last character on the line.
- Whitespace between elements in a list as well as specicial
- syntactic characters in a _\bU_\bs_\be_\br _\bS_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn ('=', ':',
- '(', ')') is optional.
-
-23/Jan/2000 1.6.2 9
+26/Jan/2000 1.6.2 11
sudoers(5) FILE FORMATS sudoers(5)
+ Whitespace between elements in a list as well as specicial
+ syntactic characters in a _\bU_\bs_\be_\br _\bS_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn ('=', ':',
+ '(', ')') is optional.
+
The following characters must be escaped with a backslash
('\') when used as part of a word (eg. a username or
hostname): '@', '!', '=', ':', ',', '(', ')', '\'.
sure we log the year in each log line since the log
entries will be kept around for several years.
- # Override builtin defaults
- Defaults syslog=auth
- Defaults:FULLTIMERS !lecture
- Defaults:millert !authenticate
- Defaults@SERVERS log_year, logfile=/var/log/sudo.log
-23/Jan/2000 1.6.2 10
+
+26/Jan/2000 1.6.2 12
sudoers(5) FILE FORMATS sudoers(5)
+ # Override builtin defaults
+ Defaults syslog=auth
+ Defaults:FULLTIMERS !lecture
+ Defaults:millert !authenticate
+ Defaults@SERVERS log_year, logfile=/var/log/sudo.log
+
The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually
determines who may run what.
pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
- The user p\bp\bp\bpe\be\be\bet\bt\bt\bte\be\be\be is allowed to change anyone's password
- except for root on the _\bH_\bP_\bP_\bA machines. Note that this
- assumes _\bp_\ba_\bs_\bs_\bw_\bd(1) does not take multiple usernames on the
- command line.
-
-
-23/Jan/2000 1.6.2 11
+26/Jan/2000 1.6.2 13
sudoers(5) FILE FORMATS sudoers(5)
+ The user p\bp\bp\bpe\be\be\bet\bt\bt\bte\be\be\be is allowed to change anyone's password
+ except for root on the _\bH_\bP_\bP_\bA machines. Note that this
+ assumes _\bp_\ba_\bs_\bs_\bw_\bd(1) does not take multiple usernames on the
+ command line.
+
bob SPARC = (OP) ALL : SGI = (OP) ALL
The user b\bb\bb\bbo\bo\bo\bob\bb\bb\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI
On his personal workstation, valkyrie, m\bm\bm\bma\ba\ba\bat\bt\bt\btt\bt\bt\bt needs to be
able to kill hung processes.
- WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
-
- On the host www, any user in the _\bW_\bE_\bB_\bM_\bA_\bS_\bT_\bE_\bR_\bS User_Alias
- (will, wendy, and wim), may run any command as user www
-
-23/Jan/2000 1.6.2 12
+26/Jan/2000 1.6.2 14
sudoers(5) FILE FORMATS sudoers(5)
+ WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
+
+ On the host www, any user in the _\bW_\bE_\bB_\bM_\bA_\bS_\bT_\bE_\bR_\bS User_Alias
+ (will, wendy, and wim), may run any command as user www
(which owns the web pages) or simply _\bs_\bu(1) to www.
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
-
-
-
-
-23/Jan/2000 1.6.2 13
+26/Jan/2000 1.6.2 15
-23/Jan/2000 1.6.2 14
+26/Jan/2000 1.6.2 16
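Review bot: most of what follows the option text in this file is pagination churn (the footer date moving from 23/Jan/2000 to 26/Jan/2000 and blocks being split across page breaks, such as the `mail_no_perms` entry ending on `This flag is off by` with `default.` landing on the next page), and the source typos surface here verbatim, e.g. `every time a users runs sudo` and `you shouldn't need to set fqfn` for the flag named `fqdn` two lines earlier. Since this formatted page is generated from the pod source, the wording fixes belong there, followed by a regeneration, rather than hand edits to this file.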
''' $RCSfile$$Revision$$Date$
'''
''' $Log$
-''' Revision 1.22 2000/01/24 03:57:49 millert
-''' Add netgroup caveat
+''' Revision 1.23 2000/01/26 21:21:28 millert
+''' Expanded docs on sudoers 'defaults' options based on INSTALL file info.
'''
'''
.de Sh
.nr % 0
.rr F
.\}
-.TH sudoers 5 "1.6.2" "23/Jan/2000" "FILE FORMATS"
+.TH sudoers 5 "1.6.2" "26/Jan/2000" "FILE FORMATS"
.UC
.if n .hy 0
.if n .na
.PP
\fBFlags\fR:
.Ip "long_otp_prompt" 12
-Put \s-1OTP\s0 prompt on its own line
+When validating with a One Time Password scheme (\fBS/Key\fR or \fB\s-1OPIE\s0\fR),
+a two-line prompt is used to make it easier to cut and paste the
+challenge to a local window. It's not as pretty as the default but
+some people find it more convenient. This flag is off by default.
.Ip "ignore_dot" 12
-Ignore \*(L'.\*(R' in \f(CW$PATH\fR
+If set, \fBsudo\fR will ignore \*(L'.\*(R' or \*(L'\*(R' (current dir) in \f(CW$PATH\fR;
+the \f(CW$PATH\fR itself is not modified. This flag is off by default.
.Ip "mail_always" 12
-Always send mail when sudo is run
+Send mail to the \fImailto\fR user every time a users runs sudo.
+This flag is off by default.
.Ip "mail_no_user" 12
-Send mail if the user is not in sudoers
+If set, mail will be sent to the \fImailto\fR user if the invoking
+user is not in the \fIsudoers\fR file. This flag is on by default.
.Ip "mail_no_host" 12
-Send mail if the user is not in sudoers for this host
+If set, mail will be sent to the \fImailto\fR user if the invoking
+user exists in the \fIsudoers\fR file, but is not allowed to run
+commands on the current host. This flag is off by default.
.Ip "mail_no_perms" 12
-Send mail if the user is not allowed to run a command
+If set, mail will be sent to the \fImailto\fR user if the invoking
+user allowed to use sudo but the command they are trying is not
+listed in their \fIsudoers\fR file entry. This flag is off by default.
.Ip "tty_tickets" 12
-Use a separate timestamp for each user/tty combo
+If set, users must authenticate on a per-tty basis. Normally,
+\fBsudo\fR uses a directory in the ticket dir with the same name as
+the user running it. With this flag enabled, \fBsudo\fR will use a
+file named for the tty the user is logged in on in that directory.
+This flag is off by default.
.Ip "lecture" 12
-Lecture user the first time they run sudo
+If set, a user will receive a short lecture the first time he/she
+runs \fBsudo\fR. This flag is on by default.
.Ip "authenticate" 12
-Require users to authenticate by default
+If set, users must authenticate themselves via a password (or other
+means of authentication) before they may run commands. This default
+may be overridden via the \f(CWPASSWD\fR and \f(CWNOPASSWD\fR tags.
+This flag is on by default.
.Ip "root_sudo" 12
-Root may run sudo
+If set, root is allowed to run sudo too. Disabling this prevents users
+from \*(L"chaining\*(R" sudo commands to get a root shell by doing something
+like \f(CW"sudo sudo /bin/sh"\fR.
+This flag is on by default.
.Ip "log_host" 12
-Log the hostname in the (non-syslog) log file
+If set, the hostname will be logged in the (non-syslog) \fBsudo\fR log file.
+This flag is off by default.
.Ip "log_year" 12
-Log the year in the (non-syslog) log file
+If set, the four-digit year will be logged in the (non-syslog) \fBsudo\fR log file.
+This flag is off by default.
.Ip "shell_noargs" 12
-If sudo is invoked with no arguments, start a shell
+If set and \fBsudo\fR is invoked with no arguments it acts as if the
+\f(CW-s\fR flag had been given. That is, it runs a shell as root (the
+shell is determined by the \f(CWSHELL\fR environment variable if it is
+set, falling back on the shell listed in the invoking user's
+/etc/passwd entry if not). This flag is off by default.
.Ip "set_home" 12
-Set \f(CW$HOME\fR to the target user when starting a shell with \f(CW-s\fR
+If set and \fBsudo\fR is invoked with the \f(CW-s\fR flag the \f(CWHOME\fR
+environment variable will be set to the home directory of the target
+user (which is root unless the \f(CW-u\fR option is used). This effectively
+makes the \f(CW-s\fR flag imply \f(CW-H\fR. This flag is off by default.
.Ip "path_info" 12
-Allow some information gathering to give useful error messages
+Normally, \fBsudo\fR will tell the user when a command could not be
+found in their \f(CW$PATH\fR. Some sites may wish to disable this as
+it could be used to gather information on the location of executables
+that the normal user does not have access to. The disadvantage is
+that if the executable is simply not in the user's \f(CW$PATH\fR, \fBsudo\fR
+will tell the user that they are not allowed to run it, which can
+be confusing. This flag is off by default.
.Ip "fqdn" 12
-Require fully-qualified hostnames in the sudoers file
+Set this flag if you want to put fully qualified hostnames in the
+\fIsudoers\fR file. Ie: instead of myhost you would use myhost.mydomain.edu.
+You may still use the short form if you wish (and even mix the two).
+Beware that turning on \fIfqdn\fR requires sudo to make \s-1DNS\s0 lookups
+which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example
+if the machine is not plugged into the network). Also note that
+you must use the host's official name as \s-1DNS\s0 knows it. That is,
+you may not use a host alias (\f(CWCNAME\fR entry) due to performance
+issues and the fact that there is no way to get all aliases from
+\s-1DNS\s0. If your machine's hostname (as returned by the \f(CWhostname\fR
+command) is already fully qualified you shouldn't need to set
+\fIfqfn\fR. This flag is off by default.
.Ip "insults" 12
-Insult the user when they enter an incorrect password
+If set, sudo will insult users when they enter an incorrect
+password. This flag is off by default.
.Ip "requiretty" 12
-Only allow the user to run sudo if they have a tty
+If set, sudo will only run when the user is logged in to a real
+tty. This will disallow things like \f(CW"rsh somehost sudo ls"\fR since
+\fIrsh\fR\|(1) does not allocate a tty. Because it is not possible to turn
+of echo when there is no tty present, some sites may with to set
+this flag to prevent a user from entering a visible password. This
+flag is off by default.
.PP
\fBIntegers\fR:
.Ip "passwd_tries" 12
-Number of tries to enter a password
+The number of tries a user gets to enter his/her password before
+sudo logs the failure and exits. The default is 3.
.PP
\fBIntegers that can be used in a boolean context\fR:
.Ip "loglinelen" 12
-Length at which to wrap log file lines (use 0 or negate for no wrap)
+Number of characters per line for the file log. This value is used
+to decide when to wrap lines for nicer log files. This has no
+effect on the syslog log file, only the file log. The default is
+80 (use 0 or negate to disable word wrap).
.Ip "timestamp_timeout" 12
-Authentication timestamp timeout
+Number of minutes that can elapse before \fBsudo\fR will ask for a passwd
+again. The default is 5, set this to 0 to always prompt for a password.
.Ip "passwd_timeout" 12
-Password prompt timeout
+Number of minutes before the sudo password prompt times out.
+The default is 5, set this to 0 for no password timeout.
.Ip "umask" 12
-Umask to use or 0777 to use user's
+Umask to use when running the root command. Set this to 0777 to
+not override the user's umask. The default is 0022.
.PP
\fBStrings\fR:
.Ip "mailsub" 12
-Subject line for mail messages
+Subject of the mail sent to the \fImailto\fR user. The escape \f(CW%h\fR
+will expand to the hostname of the machine.
+Default is \*(L"*** \s-1SECURITY\s0 information for \f(CW%h\fR ***\*(R".
.Ip "badpass_message" 12
-Incorrect password message
+Message that is displayed if a user enters an incorrect password.
+The default is \*(L"Sorry, try again.\*(R" unless insults are enabled.
.Ip "timestampdir" 12
-Path to authentication timestamp dir
+The directory in which \fBsudo\fR stores its timestamp files.
+The default is either \f(CW/var/run/sudo\fR or \f(CW/tmp/sudo\fR.
.Ip "passprompt" 12
-Default password prompt
+The default prompt to use when asking for a password; can be overridden
+via the \f(CW-p\fR option or the \f(CWSUDO_PROMPT\fR environment variable. Supports
+two escapes: \*(L"%u\*(R" expands to the user's login name and \*(L"%h\*(R" expands
+to the local hostname. The default value is \*(L"Password:\*(R".
.Ip "runas_default" 12
-Default user to run commands as
+The default user to run commands as if the \f(CW-u\fR flag is not specified
+on the command line. This defaults to \*(L"root\*(R".
.Ip "syslog_goodpri" 12
-Syslog priority to use when user authenticates successfully
+Syslog priority to use when user authenticates successfully.
+Defaults to \*(L"notice\*(R".
.Ip "syslog_badpri" 12
-Syslog priority to use when user authenticates unsuccessfully
+Syslog priority to use when user authenticates unsuccessfully.
+Defaults to \*(L"alert\*(R".
.PP
\fBStrings that can be used in a boolean context\fR:
.Ip "syslog" 12
-Syslog facility if syslog is being used for logging (negate to disable syslog)
+Syslog facility if syslog is being used for logging (negate to
+disable syslog logging). Defaults to \*(L"local2\*(R".
.Ip "mailerpath" 12
-Path to mail program
+Path to mail program used to send warning mail.
+Defaults to the path to sendmail found at configure time.
.Ip "mailerflags" 12
-Flags for mail program
+Flags to use when invoking mailer. Defaults to \f(CW-t\fR.
.Ip "mailto" 12
-Address to send mail to
+Address to send warning and erorr mail to. Defaults to \*(L"root\*(R".
.Ip "exempt_group" 12
-Users in this group are exempt from password and \s-1PATH\s0 requirements
+Users in this group are exempt from password and \s-1PATH\s0 requirements.
+This is not set by default.
.Ip "secure_path" 12
-Value to override user's \f(CW$PATH\fR with
+Path used for every command run from \fBsudo\fR. If you don't trust the
+people running sudo to have a sane \f(CWPATH\fR environment variable you may
+want to use this. Another use is if you want to have the \*(L"root path\*(R"
+be separate from the \*(L"user path.\*(R" This is not set by default.
.Ip "verifypw" 12
This option controls when a password will be required when a
user runs sudo with the \fB\-v\fR. It has the following possible values:
.Sp
.Vb 3
-\& all All the user's sudoers entries for the
+\& all All the user's I<sudoers> entries for the
\& current host must have the C<NOPASSWD>
\& flag set to avoid entering a password.
.Ve
.Vb 4
-\& any At least one of the user's sudoers entries
+\& any At least one of the user's I<sudoers> entries
\& for the current host must have the
\& C<NOPASSWD> flag set to avoid entering a
\& password.
user runs sudo with the \fB\-l\fR. It has the following possible values:
.Sp
.Vb 3
-\& all All the user's sudoers entries for the
+\& all All the user's I<sudoers> entries for the
\& current host must have the C<NOPASSWD>
\& flag set to avoid entering a password.
.Ve
.Vb 4
-\& any At least one of the user's sudoers entries
+\& any At least one of the user's I<sudoers> entries
\& for the current host must have the
\& C<NOPASSWD> flag set to avoid entering a
\& password.
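Review bot: the new `mailto` line `Address to send warning and erorr mail to.` has a typo (`error`), and the new `umask` line `Umask to use when running the root command.` presents the command as always running as root, although the `set_home` text in this same hunk says the target user is root only unless `-u` is given, so `when running the command` is the safer wording. Two unchanged context lines, `user runs sudo with the \fB\-v\fR.` and `user runs sudo with the \fB\-l\fR.`, end on a bare option name and want `flag` (or `option`) before the period. As this file is pod2man output, all of these should be corrected in the pod source and the file regenerated.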
=item long_otp_prompt
-Put OTP prompt on its own line
+When validating with a One Time Password scheme (B<S/Key> or B<OPIE>),
+a two-line prompt is used to make it easier to cut and paste the
+challenge to a local window. It's not as pretty as the default but
+some people find it more convenient. This flag is off by default.
=item ignore_dot
-Ignore '.' in $PATH
+If set, B<sudo> will ignore '.' or '' (current dir) in C<$PATH>;
+the C<$PATH> itself is not modified. This flag is off by default.
=item mail_always
-Always send mail when sudo is run
+Send mail to the I<mailto> user every time a users runs sudo.
+This flag is off by default.
=item mail_no_user
-Send mail if the user is not in sudoers
+If set, mail will be sent to the I<mailto> user if the invoking
+user is not in the I<sudoers> file. This flag is on by default.
=item mail_no_host
-Send mail if the user is not in sudoers for this host
+If set, mail will be sent to the I<mailto> user if the invoking
+user exists in the I<sudoers> file, but is not allowed to run
+commands on the current host. This flag is off by default.
=item mail_no_perms
-Send mail if the user is not allowed to run a command
+If set, mail will be sent to the I<mailto> user if the invoking
+user allowed to use sudo but the command they are trying is not
+listed in their I<sudoers> file entry. This flag is off by default.
=item tty_tickets
-Use a separate timestamp for each user/tty combo
+If set, users must authenticate on a per-tty basis. Normally,
+B<sudo> uses a directory in the ticket dir with the same name as
+the user running it. With this flag enabled, B<sudo> will use a
+file named for the tty the user is logged in on in that directory.
+This flag is off by default.
=item lecture
-Lecture user the first time they run sudo
+If set, a user will receive a short lecture the first time he/she
+runs B<sudo>. This flag is on by default.
=item authenticate
-Require users to authenticate by default
+If set, users must authenticate themselves via a password (or other
+means of authentication) before they may run commands. This default
+may be overridden via the C<PASSWD> and C<NOPASSWD> tags.
+This flag is on by default.
=item root_sudo
-Root may run sudo
+If set, root is allowed to run sudo too. Disabling this prevents users
+from "chaining" sudo commands to get a root shell by doing something
+like C<"sudo sudo /bin/sh">.
+This flag is on by default.
=item log_host
-Log the hostname in the (non-syslog) log file
+If set, the hostname will be logged in the (non-syslog) B<sudo> log file.
+This flag is off by default.
=item log_year
-Log the year in the (non-syslog) log file
+If set, the four-digit year will be logged in the (non-syslog) B<sudo> log file.
+This flag is off by default.
=item shell_noargs
-If sudo is invoked with no arguments, start a shell
+If set and B<sudo> is invoked with no arguments it acts as if the
+C<-s> flag had been given. That is, it runs a shell as root (the
+shell is determined by the C<SHELL> environment variable if it is
+set, falling back on the shell listed in the invoking user's
+/etc/passwd entry if not). This flag is off by default.
=item set_home
-Set $HOME to the target user when starting a shell with C<-s>
+If set and B<sudo> is invoked with the C<-s> flag the C<HOME>
+environment variable will be set to the home directory of the target
+user (which is root unless the C<-u> option is used). This effectively
+makes the C<-s> flag imply C<-H>. This flag is off by default.
=item path_info
-Allow some information gathering to give useful error messages
+Normally, B<sudo> will tell the user when a command could not be
+found in their C<$PATH>. Some sites may wish to disable this as
+it could be used to gather information on the location of executables
+that the normal user does not have access to. The disadvantage is
+that if the executable is simply not in the user's C<$PATH>, B<sudo>
+will tell the user that they are not allowed to run it, which can
+be confusing. This flag is off by default.
=item fqdn
-Require fully-qualified hostnames in the sudoers file
+Set this flag if you want to put fully qualified hostnames in the
+I<sudoers> file. Ie: instead of myhost you would use myhost.mydomain.edu.
+You may still use the short form if you wish (and even mix the two).
+Beware that turning on I<fqdn> requires sudo to make DNS lookups
+which may make B<sudo> unusable if DNS stops working (for example
+if the machine is not plugged into the network). Also note that
+you must use the host's official name as DNS knows it. That is,
+you may not use a host alias (C<CNAME> entry) due to performance
+issues and the fact that there is no way to get all aliases from
+DNS. If your machine's hostname (as returned by the C<hostname>
+command) is already fully qualified you shouldn't need to set
+I<fqfn>. This flag is off by default.
=item insults
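Review bot: typo in the last sentence of the fqdn entry, "you shouldn't need to set I<fqfn>" should read "I<fqdn>". Two smaller wording points in the same hunk: "Ie: instead of myhost" should be "I.e., instead of myhost", and "Beware that turning on I<fqdn> requires sudo to make DNS lookups" would read better as "requires B<sudo> to make DNS lookups" to match the B<sudo> markup used in the rest of the paragraph.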
-Insult the user when they enter an incorrect password
+If set, sudo will insult users when they enter an incorrect
+password. This flag is off by default.
=item requiretty
-Only allow the user to run sudo if they have a tty
+If set, sudo will only run when the user is logged in to a real
+tty. This will disallow things like C<"rsh somehost sudo ls"> since
+rsh(1) does not allocate a tty. Because it is not possible to turn
+of echo when there is no tty present, some sites may with to set
+this flag to prevent a user from entering a visible password. This
+flag is off by default.
=back
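Review bot: two typos in the rationale sentence of the requiretty entry, "Because it is not possible to turn of echo when there is no tty present, some sites may with to set this flag" should read "turn off echo" and "may wish to set". Since this sentence carries the security justification for the flag (preventing a password from being echoed when no tty is present), it is worth getting right.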
=item passwd_tries
-Number of tries to enter a password
+The number of tries a user gets to enter his/her password before
+sudo logs the failure and exits. The default is 3.
=back
=item loglinelen
-Length at which to wrap log file lines (use 0 or negate for no wrap)
+Number of characters per line for the file log. This value is used
+to decide when to wrap lines for nicer log files. This has no
+effect on the syslog log file, only the file log. The default is
+80 (use 0 or negate to disable word wrap).
=item timestamp_timeout
-Authentication timestamp timeout
+Number of minutes that can elapse before B<sudo> will ask for a passwd
+again. The default is 5, set this to 0 to always prompt for a password.
=item passwd_timeout
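Review bot: "before B<sudo> will ask for a passwd again" in the timestamp_timeout entry should say "password"; "passwd" elsewhere on this page refers to the I<passwd> file or the passwd_* option names, so the abbreviation is confusing here.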
-Password prompt timeout
+Number of minutes before the sudo password prompt times out.
+The default is 5, set this to 0 for no password timeout.
=item umask
-Umask to use or 0777 to use user's
+Umask to use when running the root command. Set this to 0777 to
+not override the user's umask. The default is 0022.
=back
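Review bot: "Umask to use when running the root command" in the umask entry should not say "root", as the command may run as any target user via C<-u>; "Umask to use when running the command" is enough. The value 0777 to mean "leave the user's umask alone" is a sentinel worth stating explicitly as such, e.g. "Set this to 0777 (a mask that cannot be used as a real umask) to not override the user's umask."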
=item mailsub
-Subject line for mail messages
+Subject of the mail sent to the I<mailto> user. The escape C<%h>
+will expand to the hostname of the machine.
+Default is "*** SECURITY information for %h ***".
=item badpass_message
-Incorrect password message
+Message that is displayed if a user enters an incorrect password.
+The default is "Sorry, try again." unless insults are enabled.
=item timestampdir
-Path to authentication timestamp dir
+The directory in which B<sudo> stores its timestamp files.
+The default is either C</var/run/sudo> or C</tmp/sudo>.
=item passprompt
-Default password prompt
+The default prompt to use when asking for a password; can be overridden
+via the C<-p> option or the C<SUDO_PROMPT> environment variable. Supports
+two escapes: "%u" expands to the user's login name and "%h" expands
+to the local hostname. The default value is "Password:".
=item runas_default
-Default user to run commands as
+The default user to run commands as if the C<-u> flag is not specified
+on the command line. This defaults to "root".
=item syslog_goodpri
-Syslog priority to use when user authenticates successfully
+Syslog priority to use when user authenticates successfully.
+Defaults to "notice".
=item syslog_badpri
-Syslog priority to use when user authenticates unsuccessfully
+Syslog priority to use when user authenticates unsuccessfully.
+Defaults to "alert".
=back 12
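Review bot: the context line "=back 12" at the end of this region is not valid POD; C<=back> takes no argument, the indent width belongs on the matching C<=over 12>. Parsers generally ignore the stray argument, but it should be cleaned up while this file is being touched.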
=item syslog
-Syslog facility if syslog is being used for logging (negate to disable syslog)
+Syslog facility if syslog is being used for logging (negate to
+disable syslog logging). Defaults to "local2".
=item mailerpath
-Path to mail program
+Path to mail program used to send warning mail.
+Defaults to the path to sendmail found at configure time.
=item mailerflags
-Flags for mail program
+Flags to use when invoking mailer. Defaults to C<-t>.
=item mailto
-Address to send mail to
+Address to send warning and erorr mail to. Defaults to "root".
=item exempt_group
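Review bot: typo in the mailto entry, "Address to send warning and erorr mail to" should read "error".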
-Users in this group are exempt from password and PATH requirements
+Users in this group are exempt from password and PATH requirements.
+This is not set by default.
=item secure_path
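Review bot: "exempt from password and PATH requirements" in the exempt_group entry leaves "PATH requirements" undefined; the only PATH-related restriction described on this page is I<secure_path> just below, so say explicitly which restriction is waived for members of the group (presumably that I<secure_path> is not applied to them) rather than leaving the reader to guess.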
-Value to override user's $PATH with
+Path used for every command run from B<sudo>. If you don't trust the
+people running sudo to have a sane C<PATH> environment variable you may
+want to use this. Another use is if you want to have the "root path"
+be separate from the "user path." This is not set by default.
=item verifypw
This option controls when a password will be required when a
user runs sudo with the B<-v>. It has the following possible values:
- all All the user's sudoers entries for the
+ all All the user's I<sudoers> entries for the
current host must have the C<NOPASSWD>
flag set to avoid entering a password.
- any At least one of the user's sudoers entries
+ any At least one of the user's I<sudoers> entries
for the current host must have the
C<NOPASSWD> flag set to avoid entering a
password.
This option controls when a password will be required when a
user runs sudo with the B<-l>. It has the following possible values:
- all All the user's sudoers entries for the
+ all All the user's I<sudoers> entries for the
current host must have the C<NOPASSWD>
flag set to avoid entering a password.
- any At least one of the user's sudoers entries
+ any At least one of the user's I<sudoers> entries
for the current host must have the
C<NOPASSWD> flag set to avoid entering a
password.
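Review bot: the second "This option controls when a password will be required when a user runs sudo with the B<-l>." block has no C<=item> heading visible before it, so as shown it reads as a second, contradictory description of verifypw; the C<=item> for the C<-l> option needs to be present (or shown in the hunk) before that paragraph. Both paragraphs are also missing the "with the B<-v> flag" / "with the B<-l> flag" noun after the option markup, and neither states a default value, unlike every other option in this section; add a "The default is ..." sentence to each so an administrator can tell which behaviour applies when the option is not set.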