specification section. All command or host aliases need
to start with their respective keywords (ie: Host_Alias,
User_Alias, Runas_Alias or Cmnd_Alias). If there are
- multiple occurrences of a user, the union of the entries
- will be used.
+ multiple occurrences of a user, the logical union of the
+ entries will be used. Note that if there is an entry that
+ denies access to a command that is followed by an entry
+ that grants access the user will be allowed to run the
+ command.
u\bu\bu\bus\bs\bs\bse\be\be\ber\br\br\br s\bs\bs\bsp\bp\bp\bpe\be\be\bec\bc\bc\bci\bi\bi\bif\bf\bf\bfi\bi\bi\bic\bc\bc\bca\ba\ba\bat\bt\bt\bti\bi\bi\bio\bo\bo\bon\bn\bn\bn f\bf\bf\bfo\bo\bo\bor\br\br\brm\bm\bm\bma\ba\ba\bat\bt\bt\bt:\b:\b:\b:
user access_group [: access_group] ...
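Review bot: the new sentence in the user specification paragraph above ("Note that if there is an entry that denies access to a command that is followed by an entry that grants access the user will be allowed to run the command") contradicts "logical union" two lines earlier: a union is order-independent, while the note describes order-dependent behaviour. If the intended rule is that the last matching entry wins, state it that way and cover the reverse order (a grant followed by a deny) as well, so policy authors do not assume that a deny anywhere in the file is sufficient. Also add a comma after "grants access". The same paragraph appears in the HTML, man and POD copies in this change; fix it in the POD source and regenerate the other three.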
- access_group ::= host_type = [(runas_list)] [NOPASSWD:] [op]cmnd_type
- [,[(user_list)] [NOPASSWD:] [op]cmnd_type] ...
+ access_group ::= host_type = [(runas-list)] [NOPASSWD:] [op]cmnd_type
+ [,[(user-list)] [NOPASSWD|PASSWD:] [op]cmnd_type] ...
host_type ::= a lower-case hostname, netgroup, ip address,
network number, network number/netmask,
or host alias.
- runas_list ::= comma-separated list of users, groups,
- netgroups or Runas_Aliases the user may run
- commands as (default is root).
cmnd_type ::= a command OR a command alias.
op ::= the logical "!" NOT operator.
Host_Alias ::= a keyword.
HOSTALIAS ::= an upper-case alias name.
host-list ::= a comma separated list of hosts, netgroups,
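Review bot: in the access_group grammar above, the continuation line `[,[(user-list)] [NOPASSWD|PASSWD:] [op]cmnd_type] ...` names the parenthesised list `user-list`, but the first line and the new "persistence of modifiers" text call it a `runas-list`; use `(runas-list)` on both lines. Deleting the `runas_list ::=` definition from this grammar also deletes two facts stated nowhere else: the default runas user is root, and a Runas_Alias may be used inside the parentheses. Carry both into the `runas-list ::=` line of the runas alias section, which now lists only users, groups and netgroups.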
- ip addresses, networks.
+ ip addresses, networks. A logical "!"
+ NOT operator may be prefixed to any of these.
u\bu\bu\bus\bs\bs\bse\be\be\ber\br\br\br a\ba\ba\bal\bl\bl\bli\bi\bi\bia\ba\ba\bas\bs\bs\bs s\bs\bs\bse\be\be\bec\bc\bc\bct\bt\bt\bti\bi\bi\bio\bo\bo\bon\bn\bn\bn f\bf\bf\bfo\bo\bo\bor\br\br\brm\bm\bm\bma\ba\ba\bat\bt\bt\bt:\b:\b:\b:
User_Alias ::= a keyword.
USERALIAS ::= an upper-case alias name.
user-list ::= a comma separated list of users, groups, netgroups.
+ A logical "!" NOT operator may be prefixed to any
+ of these.
- r\br\br\bru\bu\bu\bun\bn\bn\bna\ba\ba\bas\bs\bs\bs a\ba\ba\bal\bl\bl\bli\bi\bi\bia\ba\ba\bas\bs\bs\bs s\bs\bs\bse\be\be\bec\bc\bc\bct\bt\bt\bti\bi\bi\bio\bo\bo\bon\bn\bn\bn f\bf\bf\bfo\bo\bo\bor\br\br\brm\bm\bm\bma\ba\ba\bat\bt\bt\bt:\b:\b:\b:
-
- Runas_Alias RUNASALIAS = runas-list
-17/Jan/99 1.6 1
+6/Apr/99 1.6 1
sudoers(5) FILE FORMATS sudoers(5)
+ r\br\br\bru\bu\bu\bun\bn\bn\bna\ba\ba\bas\bs\bs\bs a\ba\ba\bal\bl\bl\bli\bi\bi\bia\ba\ba\bas\bs\bs\bs s\bs\bs\bse\be\be\bec\bc\bc\bct\bt\bt\bti\bi\bi\bio\bo\bo\bon\bn\bn\bn f\bf\bf\bfo\bo\bo\bor\br\br\brm\bm\bm\bma\ba\ba\bat\bt\bt\bt:\b:\b:\b:
+
+
+ Runas_Alias RUNASALIAS = runas-list
+
Runas_Alias ::= a keyword.
RUNASALIAS ::= an upper-case alias name.
runas-list ::= a comma separated list of users, groups, netgroups.
+ A logical "!" NOT operator may be prefixed to any
+ of these.
c\bc\bc\bco\bo\bo\bom\bm\bm\bmm\bm\bm\bma\ba\ba\ban\bn\bn\bnd\bd\bd\bd a\ba\ba\bal\bl\bl\bli\bi\bi\bia\ba\ba\bas\bs\bs\bs s\bs\bs\bse\be\be\bec\bc\bc\bct\bt\bt\bti\bi\bi\bio\bo\bo\bon\bn\bn\bn f\bf\bf\bfo\bo\bo\bor\br\br\brm\bm\bm\bma\ba\ba\bat\bt\bt\bt:\b:\b:\b:
Cmnd_Alias ::= a keyword.
CMNDALIAS ::= an upper-case alias name.
cmnd-list ::= a comma separated list commands.
+ A logical "!" NOT operator may be prefixed to any
+ of these.
c\bc\bc\bco\bo\bo\bom\bm\bm\bmm\bm\bm\bma\ba\ba\ban\bn\bn\bnd\bd\bd\bd s\bs\bs\bsp\bp\bp\bpe\be\be\bec\bc\bc\bci\bi\bi\bif\bf\bf\bfi\bi\bi\bic\bc\bc\bca\ba\ba\bat\bt\bt\bti\bi\bi\bio\bo\bo\bon\bn\bn\bn:\b:\b:\b:
arg[1..n] ::= optional command line arguments.
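Review bot: the lines added to the user-list, runas-list and cmnd-list definitions say a "!" may be prefixed to any element, but nothing says what a negated runas entry means; since a runas-list decides which user a command runs as, add one sentence (or an example in the runas alias section) stating how "!" is evaluated there, for instance whether a later `!root` excludes root from an earlier ALL in the same list. While touching the adjacent line, `cmnd-list ::= a comma separated list commands` is missing "of".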
+ p\bp\bp\bpe\be\be\ber\br\br\brs\bs\bs\bsi\bi\bi\bis\bs\bs\bst\bt\bt\bte\be\be\ben\bn\bn\bnc\bc\bc\bce\be\be\be o\bo\bo\bof\bf\bf\bf m\bm\bm\bmo\bo\bo\bod\bd\bd\bdi\bi\bi\bif\bf\bf\bfi\bi\bi\bie\be\be\ber\br\br\brs\bs\bs\bs
+
+ When a _\br_\bu_\bn_\ba_\bs_\b-_\bl_\bi_\bs_\bt is specified for an _\ba_\bc_\bc_\be_\bs_\bs_\b__\bg_\br_\bo_\bu_\bp, it
+ affects all commands in the _\ba_\bc_\bc_\be_\bs_\bs_\b__\bg_\br_\bo_\bu_\bp. For example,
+ given:
+ oper bigserver = (root, sysadm) /usr/bin/kill, /bin/rm
+ User oper will be able to run /usr/bin/kill and /bin/rm as
+ r\br\br\bro\bo\bo\boo\bo\bo\bot\bt\bt\bt or s\bs\bs\bsy\by\by\bys\bs\bs\bsa\ba\ba\bad\bd\bd\bdm\bm\bm\bm on the machine, bigserver. The _\br_\bu_\bn_\ba_\bs_\b-_\bl_\bi_\bs_\bt
+ is "sticky" across entries in the comma-separated
+ _\ba_\bc_\bc_\be_\bs_\bs_\b__\bg_\br_\bo_\bu_\bp. You can override the _\br_\bu_\bn_\ba_\bs_\b-_\bl_\bi_\bs_\bt with
+ another one, at which point the new _\br_\bu_\bn_\ba_\bs_\b-_\bl_\bi_\bs_\bt becomes the
+ default for that _\ba_\bc_\bc_\be_\bs_\bs_\b__\bg_\br_\bo_\bu_\bp. For example, given:
+ oper bigserver = (root, sysadm) /usr/bin/kill, (root)
+ /bin/rm, \ /bin/rmdir User oper can still run
+ /usr/bin/kill as r\br\br\bro\bo\bo\boo\bo\bo\bot\bt\bt\bt or s\bs\bs\bsy\by\by\bys\bs\bs\bsa\ba\ba\bad\bd\bd\bdm\bm\bm\bm but can only run /bin/rm
+ and /bin/rmdir as r\br\br\bro\bo\bo\boo\bo\bo\bot\bt\bt\bt.
+
+ Similarly, the N\bN\bN\bNO\bO\bO\bOP\bP\bP\bPA\bA\bA\bAS\bS\bS\bSS\bS\bS\bSW\bW\bW\bWD\bD\bD\bD modifier is also persistent across
+ an _\ba_\bc_\bc_\be_\bs_\bs_\b__\bg_\br_\bo_\bu_\bp. For example given:
+ oper bigserver = NOPASSWD: /usr/bin/kill, /bin/rm,
+ /bin/rmdir User oper will be able to run /usr/bin/kill,
+
+
+
+6/Apr/99 1.6 2
+
+
+
+
+
+sudoers(5) FILE FORMATS sudoers(5)
+
+
+ /bin/rm, and /bin/rmdir as r\br\br\bro\bo\bo\boo\bo\bo\bot\bt\bt\bt without a password. If we
+ change that to:
+ oper bigserver = NOPASSWD: /usr/bin/kill, PASSWD:
+ /bin/rm, /bin/rmdir User oper can still run /usr/bin/kill
+ without a password but must give a password to run /bin/rm
+ and /bin/rmdir.
+
w\bw\bw\bwi\bi\bi\bil\bl\bl\bld\bd\bd\bdc\bc\bc\bca\ba\ba\bar\br\br\brd\bd\bd\bds\bs\bs\bs (\b(\b(\b(a\ba\ba\bak\bk\bk\bka\ba\ba\ba m\bm\bm\bme\be\be\bet\bt\bt\bta\ba\ba\ba c\bc\bc\bch\bh\bh\bha\ba\ba\bar\br\br\bra\ba\ba\bac\bc\bc\bct\bt\bt\bte\be\be\ber\br\br\brs\bs\bs\bs)\b)\b)\b):\b:\b:\b:
s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo allows shell-style _\bw_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs along with command
Text after a pound sign (#\b#\b#\b#) is considered a comment.
Words that begin with a percent sign (%\b%\b%\b%) are assumed to be
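Review bot: the new "persistence of modifiers" heading lacks the trailing colon that every sibling heading in this file uses ("command specification:", "wildcards (aka meta characters):"), which is also why the HTML anchor generated for it differs in style from its neighbours. In the body, "For example given:" needs a comma and "on the machine, bigserver" has a stray one. More substantively, the section says the runas-list and NOPASSWD are sticky "across entries in the comma-separated access_group" but never says what happens at the ":" that starts the next access_group; state explicitly whether the defaults (run as root, password required) are restored there, because that boundary is exactly what a policy reviewer checks when a NOPASSWD entry is followed by further hosts.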
+ UN*X groups (%staff refers to users in the group _\bs_\bt_\ba_\bf_\bf).
+ Words that begin with a plus sign (+\b+\b+\b+) are assumed to be
+ netgroups (+\b+\b+\b+c\bc\bc\bcs\bs\bs\bsh\bh\bh\bho\bo\bo\bos\bs\bs\bst\bt\bt\bts\bs\bs\bs refers to the netgroup _\bc_\bs_\bh_\bo_\bs_\bt_\bs). Long
+ lines can be newline escaped with the backslash \\b\\b\\b\
+ character.
+ The reserved word N\bN\bN\bNO\bO\bO\bOP\bP\bP\bPA\bA\bA\bAS\bS\bS\bSS\bS\bS\bSW\bW\bW\bWD\bD\bD\bD indicates that a user need not
+ enter a password for the command listed in that entry.
+ The N\bN\bN\bNO\bO\bO\bOP\bP\bP\bPA\bA\bA\bAS\bS\bS\bSS\bS\bS\bSW\bW\bW\bWD\bD\bD\bD modifier is persistent across entries in a
+ _\bu_\bs_\be_\br_\b-_\bl_\bi_\bs_\bt and can be reversed with the P\bP\bP\bPA\bA\bA\bAS\bS\bS\bSS\bS\bS\bSW\bW\bW\bWD\bD\bD\bD modifier.
+ The reserved alias _\bA_\bL_\bL can be used for both
+ {Host,User,Cmnd}_Alias. D\bD\bD\bDO\bO\bO\bO N\bN\bN\bNO\bO\bO\bOT\bT\bT\bT define an alias of _\bA_\bL_\bL, it
+ will N\bN\bN\bNO\bO\bO\bOT\bT\bT\bT be used. Note that _\bA_\bL_\bL implies the entire
+ universe of hosts/users/commands. You can subtract
+ elements from the universe by using the syntax:
+ user host=ALL,!ALIAS1,!/sbin/halt...
-17/Jan/99 1.6 2
+6/Apr/99 1.6 3
-sudoers(5) FILE FORMATS sudoers(5)
- UN*X groups (%staff refers to users in the group _\bs_\bt_\ba_\bf_\bf).
- Words that begin with a plus sign (+\b+\b+\b+) are assumed to be
- netgroups (+\b+\b+\b+c\bc\bc\bcs\bs\bs\bsh\bh\bh\bho\bo\bo\bos\bs\bs\bst\bt\bt\bts\bs\bs\bs refers to the netgroup _\bc_\bs_\bh_\bo_\bs_\bt_\bs). Long
- lines can be newline escaped with the backslash \\b\\b\\b\
- character. The reserved word N\bN\bN\bNO\bO\bO\bOP\bP\bP\bPA\bA\bA\bAS\bS\bS\bSS\bS\bS\bSW\bW\bW\bWD\bD\bD\bD indicates that a
- user need not enter a password for the command listed in
- that entry.
+sudoers(5) FILE FORMATS sudoers(5)
- The reserved alias _\bA_\bL_\bL can be used for both
- {Host,User,Cmnd}_Alias. D\bD\bD\bDO\bO\bO\bO N\bN\bN\bNO\bO\bO\bOT\bT\bT\bT define an alias of _\bA_\bL_\bL, it
- will N\bN\bN\bNO\bO\bO\bOT\bT\bT\bT be used. Note that _\bA_\bL_\bL implies the entire
- universe of hosts/users/commands. You can subtract
- elements from the universe by using the syntax:
- user host=ALL,!ALIAS1,!/etc/halt... Note that the "!"
- notation only works in a user's command list. You may not
- use it to subtract elements in a User_Alias, Host_Alias,
- Cmnd_Alias or user list.
Commands may have optional command line arguments. If
they do, then the arguments in the _\bs_\bu_\bd_\bo_\be_\br_\bs file must
Runas_Alias OP=root,operator
# Command alias specification
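Review bot: the sentence added to the "other special characters and reserved words" paragraph above says the NOPASSWD modifier "is persistent across entries in a user-list", but the new "persistence of modifiers" section says it is persistent across an access_group, and user-list is defined in the user alias section as the list of users, groups and netgroups. Use "access_group" here as well (the same wording is in the HTML and man copies); as written, a reader could conclude that NOPASSWD carries over from one user's entry to the next.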
- Cmnd_Alias LPCS=/usr/etc/lpc,/usr/ucb/lprm
+ Cmnd_Alias LPCS=/usr/sbin/lpc,/usr/bin/lprm
Cmnd_Alias SHELLS=/bin/sh,/bin/csh,/bin/tcsh,/bin/ksh
- Cmnd_Alias SU=/bin/su
+ Cmnd_Alias SU=/usr/bin/su
Cmnd_Alias MISC=/bin/rm,/bin/cat:\
- SHUTDOWN=/etc/halt,/etc/shutdown
-
-
-
-
-
-
-
-
-
-17/Jan/99 1.6 3
-
-
-
-
-
-sudoers(5) FILE FORMATS sudoers(5)
-
+ SHUTDOWN=/sbin/halt,/sbin/shutdown
# User specification
FULLTIME ALL=(ALL) NOPASSWD: ALL
PARTTIME ALL=ALL,!SHELLS,!SU
+interns +openlabs=ALL,!SHELLS,!SU
britt REMOTE=SHUTDOWN:ALL=LPCS
- jimbo CUNETS=/bin/su ?*,!/bin/su *root*
- nieusma SERVERS=SHUTDOWN,/etc/reboot:\
+ jimbo CUNETS=/usr/bin/su [!-]*,!/usr/bin/su *root*
+ nieusma SERVERS=SHUTDOWN,/sbin/reboot:\
HUB=ALL,!SHELLS
- jill houdini=/etc/shutdown -[hr] now,MISC
- markm HUB=ALL,!MISC,!/etc/shutdown,!/etc/halt
- davehieb merlin=(OP) ALL:SERVERS=/etc/halt:\
+ jill houdini=/sbin/shutdown -[hr] now,MISC
+ markm HUB=ALL,!MISC,!/sbin/shutdown,!/sbin/halt
+ davehieb merlin=(OP) ALL:SERVERS=/sbin/halt:\
kodiakthorn=NOPASSWD: ALL
steve CSNETS=(operator) /usr/op_commands/
three machines merlin, kodiakthorn and spirit. Similarly,
SERVERS is set to the machines houdini, merlin,
kodiakthorn and spirit. The CSNETS alias will match any
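Review bot: the jimbo entry above changes its argument pattern from `?*` to `[!-]*`, but the description of jimbo later in the file still reads only "may su to any user save root" and does not explain the new pattern. Say in that description that the argument to su may not begin with a dash, so readers see that the example now refuses option-style arguments as well as anything matching `*root*`, and that the pattern is evaluated under the fnmatch(3) rules listed under SEE ALSO.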
+
+
+
+6/Apr/99 1.6 4
+
+
+
+
+
+sudoers(5) FILE FORMATS sudoers(5)
+
+
host on the 128.138.243.0, 128.138.204.0, or
128.138.205.192 nets. The CUNETS alias will match any
host on the 128.138.0.0 (class B) network. Note that
these are n\bn\bn\bne\be\be\bet\bt\bt\btw\bw\bw\bwo\bo\bo\bor\br\br\brk\bk\bk\bk addresses, not ip addresses. Unless an
- explicate netmask is given, the local _\bn_\be_\bt_\bm_\ba_\bs_\bk is used to
+ explicit netmask is given, the local _\bn_\be_\bt_\bm_\ba_\bs_\bk is used to
determine whether or not the current host belongs to a
network.
PARTTIME Part-time sysadmins in the PARTTIME alias
may run any command except those in the
-
-
-
-17/Jan/99 1.6 4
-
-
-
-
-
-sudoers(5) FILE FORMATS sudoers(5)
-
-
SHELLS and SU aliases on any host.
+interns Any user in the netgroup interns may run
jimbo The user jimbo may su to any user save
root on the machines on CUNETS (which is
- explicately listed as a class B network).
+ explicitly listed as a class B network).
nieusma The user nieusma may run commands in the
- SHUTDOWN alias as well as _\b/_\be_\bt_\bc_\b/_\br_\be_\bb_\bo_\bo_\bt on
+ SHUTDOWN alias as well as _\b/_\bs_\bb_\bi_\bn_\b/_\br_\be_\bb_\bo_\bo_\bt on
the SERVER machines and any command except
those in the SHELLS alias on the HUB
machines.
- jill The user jill may run /etc/shutdown -h now
- or /etc/shutdown -r now as well as the
- commands in the MISC alias on houdini.
+ jill The user jill may run /sbin/shutdown -h
+ now or /sbin/shutdown -r now as well as
+
+
+
+6/Apr/99 1.6 5
+
+
+
+
+
+sudoers(5) FILE FORMATS sudoers(5)
+
+
+ the commands in the MISC alias on houdini.
markm The user markm may run any command on the
- HUB machines except _\b/_\be_\bt_\bc_\b/_\bs_\bh_\bu_\bt_\bd_\bo_\bw_\bn,
- _\b/_\be_\bt_\bc_\b/_\bh_\ba_\bl_\bt, and commands listed in the MISC
- alias.
+ HUB machines except _\b/_\bs_\bb_\bi_\bn_\b/_\bs_\bh_\bu_\bt_\bd_\bo_\bw_\bn,
+ _\b/_\bs_\bb_\bi_\bn_\b/_\bh_\ba_\bl_\bt, and commands listed in the
+ MISC alias.
davehieb The user davehieb may run any command on
merlin as any user in the Runas_Alias OP
(ie: root or operator). He may also run
- _\b/_\be_\bt_\bc_\b/_\bh_\ba_\bl_\bt on the SERVERS and any command
+ _\b/_\bs_\bb_\bi_\bn_\b/_\bh_\ba_\bl_\bt on the SERVERS and any command
on kodiakthorn (no password required on
kodiakthorn).
/etc/netgroup list of network groups.
+S\bS\bS\bSE\bE\bE\bEE\bE\bE\bE A\bA\bA\bAL\bL\bL\bLS\bS\bS\bSO\bO\bO\bO
+ _\bs_\bu_\bd_\bo(8), _\bv_\bi_\bs_\bu_\bd_\bo(8), _\bs_\bu(1), _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3).
+
+
+
+
+
+
+
+
+
+
+
-17/Jan/99 1.6 5
+
+
+
+
+
+
+
+
+
+
+6/Apr/99 1.6 6
sudoers(5) FILE FORMATS sudoers(5)
-S\bS\bS\bSE\bE\bE\bEE\bE\bE\bE A\bA\bA\bAL\bL\bL\bLS\bS\bS\bSO\bO\bO\bO
- _\bs_\bu_\bd_\bo(8), _\bv_\bi_\bs_\bu_\bd_\bo(8), _\bs_\bu(1), _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3).
-17/Jan/99 1.6 6
+
+
+6/Apr/99 1.6 7
<LI><A HREF="#runas_alias_section_format_">runas alias section format:</A>
<LI><A HREF="#command_alias_section_format_">command alias section format:</A>
<LI><A HREF="#command_specification_">command specification:</A>
+ <LI><A HREF="#persistence_of_modifiers">persistence of modifiers</A>
<LI><A HREF="#wildcards_aka_meta_characters_">wildcards (aka meta characters):</A>
<LI><A HREF="#exceptions_to_wildcard_rules_">exceptions to wildcard rules:</A>
<LI><A HREF="#other_special_characters_and_res">other special characters and reserved words:</A>
alias section and the user specification section. All command or host
aliases need to start with their respective keywords (ie: Host_Alias,
User_Alias, Runas_Alias or Cmnd_Alias). If there are multiple occurrences
-of a user, the union of the entries will be used.
+of a user, the logical union of the entries will be used. Note that if
+there is an entry that denies access to a command that is followed by an
+entry that grants access the user will be allowed to run the command.
<P>
<P>
-<PRE> access_group ::= host_type = [(runas_list)] [NOPASSWD:] [op]cmnd_type
- [,[(user_list)] [NOPASSWD:] [op]cmnd_type] ...
+<PRE> access_group ::= host_type = [(runas-list)] [NOPASSWD:] [op]cmnd_type
+ [,[(user-list)] [NOPASSWD|PASSWD:] [op]cmnd_type] ...
host_type ::= a lower-case hostname, netgroup, ip address,
network number, network number/netmask,
or host alias.
- runas_list ::= comma-separated list of users, groups,
- netgroups or Runas_Aliases the user may run
- commands as (default is root).
cmnd_type ::= a command OR a command alias.
op ::= the logical "!" NOT operator.
</PRE>
<PRE> Host_Alias ::= a keyword.
HOSTALIAS ::= an upper-case alias name.
host-list ::= a comma separated list of hosts, netgroups,
- ip addresses, networks.
+ ip addresses, networks. A logical "!"
+ NOT operator may be prefixed to any of these.
</PRE>
<P>
<PRE> User_Alias ::= a keyword.
USERALIAS ::= an upper-case alias name.
user-list ::= a comma separated list of users, groups, netgroups.
+ A logical "!" NOT operator may be prefixed to any
+ of these.
</PRE>
<P>
<PRE> Runas_Alias ::= a keyword.
RUNASALIAS ::= an upper-case alias name.
runas-list ::= a comma separated list of users, groups, netgroups.
+ A logical "!" NOT operator may be prefixed to any
+ of these.
</PRE>
<P>
<PRE> Cmnd_Alias ::= a keyword.
CMNDALIAS ::= an upper-case alias name.
cmnd-list ::= a comma separated list commands.
+ A logical "!" NOT operator may be prefixed to any
+ of these.
</PRE>
<P>
arg[1..n] ::= optional command line arguments.
</PRE>
+<P>
+
+<P>
+<HR>
+<H2><A NAME="persistence_of_modifiers">persistence of modifiers
+
+</A></H2>
+When a <EM>runas-list</EM> is specified for an <EM>access_group</EM>, it affects all commands in the <EM>access_group</EM>. For example, given: oper bigserver = (root, sysadm) /usr/bin/kill,
+/bin/rm User <CODE>oper</CODE> will be able to run <CODE>/usr/bin/kill</CODE> and <CODE>/bin/rm</CODE>
+as <STRONG>root</STRONG> or <STRONG>sysadm</STRONG> on the machine, <CODE>bigserver</CODE>. The
+<EM>runas-list</EM> is ``sticky'' across entries in the comma-separated
+<EM>access_group</EM>. You can override the <EM>runas-list</EM> with another one, at which point the new <EM>runas-list</EM> becomes the default for that <EM>access_group</EM>. For example, given: oper bigserver = (root, sysadm) /usr/bin/kill, (root)
+/bin/rm, \ /bin/rmdir User <CODE>oper</CODE> can still run <CODE>/usr/bin/kill</CODE> as <STRONG>root</STRONG> or <STRONG>sysadm</STRONG> but can only run <CODE>/bin/rm</CODE> and <CODE>/bin/rmdir</CODE> as <STRONG>root</STRONG>.
+
+
+<P>
+
+Similarly, the <STRONG>NOPASSWD</STRONG> modifier is also persistent across an
+<EM>access_group</EM>. For example given: oper bigserver = NOPASSWD: /usr/bin/kill, /bin/rm,
+/bin/rmdir User <CODE>oper</CODE> will be able to run <CODE>/usr/bin/kill</CODE>, <CODE>/bin/rm</CODE>, and
+<CODE>/bin/rmdir</CODE> as <STRONG>root</STRONG> without a password. If we change that to: oper bigserver = NOPASSWD:
+/usr/bin/kill, PASSWD: /bin/rm, /bin/rmdir User <CODE>oper</CODE> can still run <CODE>/usr/bin/kill</CODE> without a password but must give a password to run <CODE>/bin/rm</CODE> and <CODE>/bin/rmdir</CODE>.
+
+
<P>
<P>
<H2><A NAME="other_special_characters_and_res">other special characters and reserved words:
</A></H2>
-Text after a pound sign (<STRONG>#</STRONG>) is considered a comment. Words that begin with a percent sign (<STRONG>%</STRONG>) are assumed to be UN*X groups (%staff refers to users in the group <EM>staff</EM>). Words that begin with a plus sign (<STRONG>+</STRONG>) are assumed to be netgroups (<STRONG>+cshosts</STRONG> refers to the netgroup <EM>cshosts</EM>). Long lines can be newline escaped with the backslash <STRONG>\</STRONG> character. The reserved word <STRONG>NOPASSWD</STRONG> indicates that a user need not enter a password for the command listed in
-that entry.
+Text after a pound sign (<STRONG>#</STRONG>) is considered a comment. Words that begin with a percent sign (<STRONG>%</STRONG>) are assumed to be UN*X groups (%staff refers to users in the group <EM>staff</EM>). Words that begin with a plus sign (<STRONG>+</STRONG>) are assumed to be netgroups (<STRONG>+cshosts</STRONG> refers to the netgroup <EM>cshosts</EM>). Long lines can be newline escaped with the backslash <STRONG>\</STRONG> character.
+
+
+<P>
+
+The reserved word <STRONG>NOPASSWD</STRONG> indicates that a user need not enter a password for the command listed in
+that entry. The
+<STRONG>NOPASSWD</STRONG> modifier is persistent across entries in a <EM>user-list</EM>
+and can be reversed with the <STRONG>PASSWD</STRONG> modifier.
<P>
The reserved alias <EM>ALL</EM> can be used for both {Host,User,Cmnd}_Alias.
<STRONG>DO NOT</STRONG> define an alias of <EM>ALL</EM>, it will <STRONG>NOT</STRONG> be used. Note that <EM>ALL</EM> implies the entire universe of hosts/users/commands. You can subtract
elements from the universe by using the syntax: user
-host=ALL,!ALIAS1,!/etc/halt... Note that the ``!'' notation only works in a
-user's command list. You may not use it to subtract elements in a
-User_Alias, Host_Alias, Cmnd_Alias or user list.
+host=ALL,!ALIAS1,!/sbin/halt...
<P>
<P>
<PRE> # Command alias specification
- Cmnd_Alias LPCS=/usr/etc/lpc,/usr/ucb/lprm
+ Cmnd_Alias LPCS=/usr/sbin/lpc,/usr/bin/lprm
Cmnd_Alias SHELLS=/bin/sh,/bin/csh,/bin/tcsh,/bin/ksh
- Cmnd_Alias SU=/bin/su
+ Cmnd_Alias SU=/usr/bin/su
Cmnd_Alias MISC=/bin/rm,/bin/cat:\
- SHUTDOWN=/etc/halt,/etc/shutdown
+ SHUTDOWN=/sbin/halt,/sbin/shutdown
</PRE>
<P>
PARTTIME ALL=ALL,!SHELLS,!SU
+interns +openlabs=ALL,!SHELLS,!SU
britt REMOTE=SHUTDOWN:ALL=LPCS
- jimbo CUNETS=/bin/su ?*,!/bin/su *root*
- nieusma SERVERS=SHUTDOWN,/etc/reboot:\
+ jimbo CUNETS=/usr/bin/su [!-]*,!/usr/bin/su *root*
+ nieusma SERVERS=SHUTDOWN,/sbin/reboot:\
HUB=ALL,!SHELLS
- jill houdini=/etc/shutdown -[hr] now,MISC
- markm HUB=ALL,!MISC,!/etc/shutdown,!/etc/halt
- davehieb merlin=(OP) ALL:SERVERS=/etc/halt:\
+ jill houdini=/sbin/shutdown -[hr] now,MISC
+ markm HUB=ALL,!MISC,!/sbin/shutdown,!/sbin/halt
+ davehieb merlin=(OP) ALL:SERVERS=/sbin/halt:\
kodiakthorn=NOPASSWD: ALL
steve CSNETS=(operator) /usr/op_commands/
</PRE>
to the three machines <CODE>merlin</CODE>, <CODE>kodiakthorn</CODE> and <CODE>spirit</CODE>. Similarly, <CODE>SERVERS</CODE> is set to the machines <CODE>houdini</CODE>, <CODE>merlin</CODE>,
<CODE>kodiakthorn</CODE> and <CODE>spirit</CODE>. The <CODE>CSNETS</CODE> alias will match any host on the 128.138.243.0, 128.138.204.0, or
128.138.205.192 nets. The <CODE>CUNETS</CODE> alias will match any host on the 128.138.0.0 (class B) network. Note that
-these are <STRONG>network</STRONG> addresses, not ip addresses. Unless an explicate netmask is given, the
-local <EM>netmask</EM>
+these are <STRONG>network</STRONG> addresses, not ip addresses. Unless an explicit netmask is given, the local <EM>netmask</EM>
is used to determine whether or not the current host belongs to a network.
<DT><STRONG><A NAME="item_jimbo">jimbo
</A></STRONG><DD>
-The user <A HREF="#item_jimbo">jimbo</A> may <CODE>su</CODE> to any user save root on the machines on <CODE>CUNETS</CODE> (which is explicately listed as a class B network).
+The user <A HREF="#item_jimbo">jimbo</A> may <CODE>su</CODE> to any user save root on the machines on <CODE>CUNETS</CODE> (which is explicitly listed as a class B network).
<P>
<DT><STRONG><A NAME="item_nieusma">nieusma
</A></STRONG><DD>
-The user <A HREF="#item_nieusma">nieusma</A> may run commands in the <CODE>SHUTDOWN</CODE> alias as well as <EM>/etc/reboot</EM> on the <CODE>SERVER</CODE> machines and any command except those in the <CODE>SHELLS</CODE> alias on the <CODE>HUB</CODE>
+The user <A HREF="#item_nieusma">nieusma</A> may run commands in the <CODE>SHUTDOWN</CODE> alias as well as <EM>/sbin/reboot</EM> on the <CODE>SERVER</CODE> machines and any command except those in the <CODE>SHELLS</CODE> alias on the <CODE>HUB</CODE>
machines.
<DT><STRONG><A NAME="item_jill">jill
</A></STRONG><DD>
-The user <A HREF="#item_jill">jill</A> may run <CODE>/etc/shutdown -h now</CODE> or
-<CODE>/etc/shutdown -r now</CODE> as well as the commands in the
+The user <A HREF="#item_jill">jill</A> may run <CODE>/sbin/shutdown -h now</CODE> or
+<CODE>/sbin/shutdown -r now</CODE> as well as the commands in the
<CODE>MISC</CODE> alias on houdini.
<DT><STRONG><A NAME="item_markm">markm
</A></STRONG><DD>
-The user <A HREF="#item_markm">markm</A> may run any command on the <CODE>HUB</CODE> machines except <EM>/etc/shutdown</EM>, <EM>/etc/halt</EM>, and commands listed in the <CODE>MISC</CODE> alias.
+The user <A HREF="#item_markm">markm</A> may run any command on the <CODE>HUB</CODE> machines except <EM>/sbin/shutdown</EM>, <EM>/sbin/halt</EM>, and commands listed in the <CODE>MISC</CODE> alias.
<P>
<DT><STRONG><A NAME="item_davehieb">davehieb
</A></STRONG><DD>
-The user <A HREF="#item_davehieb">davehieb</A> may run any command on <CODE>merlin</CODE> as any user in the Runas_Alias OP (ie: root or operator). He may also run <EM>/etc/halt</EM> on the <CODE>SERVERS</CODE> and any command on <CODE>kodiakthorn</CODE> (no password required on <CODE>kodiakthorn</CODE>).
+The user <A HREF="#item_davehieb">davehieb</A> may run any command on <CODE>merlin</CODE> as any user in the Runas_Alias OP (ie: root or operator). He may also run <EM>/sbin/halt</EM> on the <CODE>SERVERS</CODE> and any command on <CODE>kodiakthorn</CODE> (no password required on <CODE>kodiakthorn</CODE>).
<P>
''' $RCSfile$$Revision$$Date$
'''
''' $Log$
-''' Revision 1.7 1999/04/05 20:57:23 millert
-''' Crank version to 1.6 and combine copyright statements
+''' Revision 1.8 1999/04/07 00:24:35 millert
+''' runas-lists and NOPASSWD/PASSWD modifiers are now sticky and you can use "!" most everywhere
'''
'''
.de Sh
.nr % 0
.rr F
.\}
-.TH sudoers 5 "1.6" "17/Jan/99" "FILE FORMATS"
+.TH sudoers 5 "1.6" "6/Apr/99" "FILE FORMATS"
.UC
.if n .hy 0
.if n .na
an optional command alias section and the user specification section.
All command or host aliases need to start with their respective keywords
(ie: Host_Alias, User_Alias, Runas_Alias or Cmnd_Alias).
-If there are multiple occurrences of a user, the union of the entries
-will be used.
+If there are multiple occurrences of a user, the logical union of the
+entries will be used. Note that if there is an entry that denies access
+to a command that is followed by an entry that grants access the user
+will be allowed to run the command.
.Sh "user specification format:"
.PP
.Vb 1
\& user access_group [: access_group] ...
.Ve
-.Vb 10
-\& access_group ::= host_type = [(runas_list)] [NOPASSWD:] [op]cmnd_type
-\& [,[(user_list)] [NOPASSWD:] [op]cmnd_type] ...
+.Vb 7
+\& access_group ::= host_type = [(runas-list)] [NOPASSWD:] [op]cmnd_type
+\& [,[(user-list)] [NOPASSWD|PASSWD:] [op]cmnd_type] ...
\& host_type ::= a lower-case hostname, netgroup, ip address,
\& network number, network number/netmask,
\& or host alias.
-\& runas_list ::= comma-separated list of users, groups,
-\& netgroups or Runas_Aliases the user may run
-\& commands as (default is root).
\& cmnd_type ::= a command OR a command alias.
\& op ::= the logical "!" NOT operator.
.Ve
.Vb 1
\& Host_Alias HOSTALIAS = host-list
.Ve
-.Vb 4
+.Vb 5
\& Host_Alias ::= a keyword.
\& HOSTALIAS ::= an upper-case alias name.
\& host-list ::= a comma separated list of hosts, netgroups,
-\& ip addresses, networks.
+\& ip addresses, networks. A logical "!"
+\& NOT operator may be prefixed to any of these.
.Ve
.Sh "user alias section format:"
.PP
.Vb 1
\& User_Alias USERALIAS = user-list
.Ve
-.Vb 3
+.Vb 5
\& User_Alias ::= a keyword.
\& USERALIAS ::= an upper-case alias name.
\& user-list ::= a comma separated list of users, groups, netgroups.
+\& A logical "!" NOT operator may be prefixed to any
+\& of these.
.Ve
.Sh "runas alias section format:"
.PP
.Vb 1
\& Runas_Alias RUNASALIAS = runas-list
.Ve
-.Vb 3
+.Vb 5
\& Runas_Alias ::= a keyword.
\& RUNASALIAS ::= an upper-case alias name.
\& runas-list ::= a comma separated list of users, groups, netgroups.
+\& A logical "!" NOT operator may be prefixed to any
+\& of these.
.Ve
.Sh "command alias section format:"
.PP
.Vb 1
\& Cmnd_Alias CMNDALIAS = cmnd-list
.Ve
-.Vb 3
+.Vb 5
\& Cmnd_Alias ::= a keyword.
\& CMNDALIAS ::= an upper-case alias name.
\& cmnd-list ::= a comma separated list commands.
+\& A logical "!" NOT operator may be prefixed to any
+\& of these.
.Ve
.Sh "command specification:"
.PP
\& path ::= a fully qualified pathname.
\& arg[1..n] ::= optional command line arguments.
.Ve
+.Sh "persistence of modifiers"
+When a \fIrunas-list\fR is specified for an \fIaccess_group\fR, it
+affects all commands in the \fIaccess_group\fR. For example, given:
+ oper bigserver = (root, sysadm) /usr/bin/kill, /bin/rm
+User \f(CWoper\fR will be able to run \f(CW/usr/bin/kill\fR and \f(CW/bin/rm\fR
+as \fBroot\fR or \fBsysadm\fR on the machine, \f(CWbigserver\fR. The
+\fIrunas-list\fR is \*(L"sticky\*(R" across entries in the comma-separated
+\fIaccess_group\fR. You can override the \fIrunas-list\fR with another
+one, at which point the new \fIrunas-list\fR becomes the default for
+that \fIaccess_group\fR. For example, given:
+ oper bigserver = (root, sysadm) /usr/bin/kill, (root) /bin/rm, \e
+ /bin/rmdir
+User \f(CWoper\fR can still run \f(CW/usr/bin/kill\fR as \fBroot\fR or \fBsysadm\fR but
+can only run \f(CW/bin/rm\fR and \f(CW/bin/rmdir\fR as \fBroot\fR.
+.PP
+Similarly, the \fB\s-1NOPASSWD\s0\fR modifier is also persistent across an
+\fIaccess_group\fR. For example given:
+ oper bigserver = \s-1NOPASSWD\s0: /usr/bin/kill, /bin/rm, /bin/rmdir
+User \f(CWoper\fR will be able to run \f(CW/usr/bin/kill\fR, \f(CW/bin/rm\fR, and
+\f(CW/bin/rmdir\fR as \fBroot\fR without a password. If we change that to:
+ oper bigserver = \s-1NOPASSWD\s0: /usr/bin/kill, \s-1PASSWD\s0: /bin/rm, /bin/rmdir
+User \f(CWoper\fR can still run \f(CW/usr/bin/kill\fR without a password but
+must give a password to run \f(CW/bin/rm\fR and \f(CW/bin/rmdir\fR.
.Sh "wildcards (aka meta characters):"
\fBsudo\fR allows shell-style \fIwildcards\fR along with command arguments
in the \fIsudoers\fR file. Wildcard matching is done via the \fB\s-1POSIX\s0\fR
Words that begin with a plus sign (\fB+\fR) are assumed to
be netgroups (\fB+cshosts\fR refers to the netgroup \fIcshosts\fR).
Long lines can be newline escaped with the backslash \fB\e\fR character.
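Review bot: in the "persistence of modifiers" section above, the four example sudoers lines (the `oper bigserver = ...` lines with a leading space) are emitted as ordinary filled text instead of inside a `.Vb`/`.Ve` pair like every other example in this file, so nroff joins them with the following "User oper ..." sentence; the cat-page copy in this change already shows the result ("(root) /bin/rm, \ /bin/rmdir User oper can still run"). In the POD source, make each example an indented verbatim paragraph surrounded by blank lines so that pod2man emits `.Vb`/`.Ve` and pod2html emits `<PRE>`; that also fixes the HTML copy, where the examples are run into the surrounding paragraph.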
+.PP
The reserved word \fB\s-1NOPASSWD\s0\fR indicates that a user need not
-enter a password for the command listed in that entry.
+enter a password for the command listed in that entry. The
+\fB\s-1NOPASSWD\s0\fR modifier is persistent across entries in a \fIuser-list\fR
+and can be reversed with the \fB\s-1PASSWD\s0\fR modifier.
.PP
The reserved alias \fI\s-1ALL\s0\fR can be used for both {Host,User,Cmnd}_Alias.
\fB\s-1DO\s0 \s-1NOT\s0\fR define an alias of \fI\s-1ALL\s0\fR, it will \fB\s-1NOT\s0\fR be used.
Note that \fI\s-1ALL\s0\fR implies the entire universe of hosts/users/commands.
You can subtract elements from the universe by using the syntax:
- user host=\s-1ALL\s0,!\s-1ALIAS1\s0,!/etc/halt...
-Note that the \*(L"!\*(R" notation only works in a user's command list. You
-may not use it to subtract elements in a User_Alias, Host_Alias,
-Cmnd_Alias or user list.
+ user host=\s-1ALL\s0,!\s-1ALIAS1\s0,!/sbin/halt...
.PP
Commands may have optional command line arguments. If they do,
then the arguments in the \fIsudoers\fR file must exactly match those
.Ve
.Vb 6
\& # Command alias specification
-\& Cmnd_Alias LPCS=/usr/etc/lpc,/usr/ucb/lprm
+\& Cmnd_Alias LPCS=/usr/sbin/lpc,/usr/bin/lprm
\& Cmnd_Alias SHELLS=/bin/sh,/bin/csh,/bin/tcsh,/bin/ksh
-\& Cmnd_Alias SU=/bin/su
+\& Cmnd_Alias SU=/usr/bin/su
\& Cmnd_Alias MISC=/bin/rm,/bin/cat:\e
-\& SHUTDOWN=/etc/halt,/etc/shutdown
+\& SHUTDOWN=/sbin/halt,/sbin/shutdown
.Ve
.Vb 14
\& # User specification
\& PARTTIME ALL=ALL,!SHELLS,!SU
\& +interns +openlabs=ALL,!SHELLS,!SU
\& britt REMOTE=SHUTDOWN:ALL=LPCS
-\& jimbo CUNETS=/bin/su ?*,!/bin/su *root*
-\& nieusma SERVERS=SHUTDOWN,/etc/reboot:\e
+\& jimbo CUNETS=/usr/bin/su [!-]*,!/usr/bin/su *root*
+\& nieusma SERVERS=SHUTDOWN,/sbin/reboot:\e
\& HUB=ALL,!SHELLS
-\& jill houdini=/etc/shutdown -[hr] now,MISC
-\& markm HUB=ALL,!MISC,!/etc/shutdown,!/etc/halt
-\& davehieb merlin=(OP) ALL:SERVERS=/etc/halt:\e
+\& jill houdini=/sbin/shutdown -[hr] now,MISC
+\& markm HUB=ALL,!MISC,!/sbin/shutdown,!/sbin/halt
+\& davehieb merlin=(OP) ALL:SERVERS=/sbin/halt:\e
\& kodiakthorn=NOPASSWD: ALL
\& steve CSNETS=(operator) /usr/op_commands/
.Ve
any host on the 128.138.243.0, 128.138.204.0, or 128.138.205.192
nets. The \f(CWCUNETS\fR alias will match any host on the 128.138.0.0
(class B) network. Note that these are \fBnetwork\fR addresses, not ip
-addresses. Unless an explicate netmask is given, the local \fInetmask\fR
+addresses. Unless an explicit netmask is given, the local \fInetmask\fR
is used to determine whether or not the current host belongs to a network.
.Sh "User Alias specifications:"
The two \fIuser aliases\fR simply groups the \f(CWFULLTIME\fR and
on any machine.
.Ip "jimbo" 16
The user \f(CWjimbo\fR may \f(CWsu\fR to any user save root on the
-machines on \f(CWCUNETS\fR (which is explicately listed as a class
+machines on \f(CWCUNETS\fR (which is explicitly listed as a class
B network).
.Ip "nieusma" 16
The user \f(CWnieusma\fR may run commands in the \f(CWSHUTDOWN\fR alias
-as well as \fI/etc/reboot\fR on the \f(CWSERVER\fR machines and
+as well as \fI/sbin/reboot\fR on the \f(CWSERVER\fR machines and
any command except those in the \f(CWSHELLS\fR alias on the \f(CWHUB\fR
machines.
.Ip "jill" 16
-The user \f(CWjill\fR may run \f(CW/etc/shutdown -h now\fR or
-\f(CW/etc/shutdown -r now\fR as well as the commands in the
+The user \f(CWjill\fR may run \f(CW/sbin/shutdown -h now\fR or
+\f(CW/sbin/shutdown -r now\fR as well as the commands in the
\f(CWMISC\fR alias on houdini.
.Ip "markm" 16
The user \f(CWmarkm\fR may run any command on the \f(CWHUB\fR machines
-except \fI/etc/shutdown\fR, \fI/etc/halt\fR, and commands listed
+except \fI/sbin/shutdown\fR, \fI/sbin/halt\fR, and commands listed
in the \f(CWMISC\fR alias.
.Ip "davehieb" 16
The user \f(CWdavehieb\fR may run any command on \f(CWmerlin\fR as any
user in the Runas_Alias \s-1OP\s0 (ie: root or operator). He may
-also run \fI/etc/halt\fR on the \f(CWSERVERS\fR and any command
+also run \fI/sbin/halt\fR on the \f(CWSERVERS\fR and any command
on \f(CWkodiakthorn\fR (no password required on \f(CWkodiakthorn\fR).
.Ip "steve" 16
The user \f(CWsteve\fR may run any command in the \fI/usr/op_commands/\fR
.IX Subsection "command specification:"
+.IX Subsection "persistence of modifiers"
+
.IX Subsection "wildcards (aka meta characters):"
.IX Item "\f(CW*\fR"
an optional command alias section and the user specification section.
All command or host aliases need to start with their respective keywords
(ie: Host_Alias, User_Alias, Runas_Alias or Cmnd_Alias).
-If there are multiple occurrences of a user, the union of the entries
-will be used.
+If there are multiple occurrences of a user, the logical union of the
+entries will be used. Note that if there is an entry that denies access
+to a command that is followed by an entry that grants access the user
+will be allowed to run the command.
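Review bot: the new note only states one direction of the ordering rule (deny followed by grant allows), which is easy to misread alongside "logical union"; state the rule explicitly, i.e. that when several entries match, the last matching entry determines the result, and give the converse as well (a grant followed by a deny results in denial), since order-sensitive evaluation is exactly what an administrator needs to know when placing a `!` entry.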
=head2 user specification format:
user access_group [: access_group] ...
- access_group ::= host_type = [(runas_list)] [NOPASSWD:] [op]cmnd_type
- [,[(user_list)] [NOPASSWD:] [op]cmnd_type] ...
+ access_group ::= host_type = [(runas-list)] [NOPASSWD:] [op]cmnd_type
+ [,[(user-list)] [NOPASSWD|PASSWD:] [op]cmnd_type] ...
host_type ::= a lower-case hostname, netgroup, ip address,
network number, network number/netmask,
or host alias.
- runas_list ::= comma-separated list of users, groups,
- netgroups or Runas_Aliases the user may run
- commands as (default is root).
cmnd_type ::= a command OR a command alias.
op ::= the logical "!" NOT operator.
Host_Alias ::= a keyword.
HOSTALIAS ::= an upper-case alias name.
host-list ::= a comma separated list of hosts, netgroups,
- ip addresses, networks.
+ ip addresses, networks. A logical "!"
+ NOT operator may be prefixed to any of these.
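Review bot: the new `access_group` grammar uses `(runas-list)` in the first element but `(user-list)` in the comma-separated continuation; the persistence section below describes the second parenthesised list as another runas-list that overrides the first, and user-list is defined elsewhere as a list of users/groups/netgroups, so the continuation should read `[,[(runas-list)] [NOPASSWD|PASSWD:] [op]cmnd_type]`. This hunk also deletes the `runas_list` definition together with its "(default is root)" statement, and the replacement `runas-list` definition added later does not restate the default; keep the default-to-root sentence somewhere in the grammar.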
=head2 user alias section format:
User_Alias ::= a keyword.
USERALIAS ::= an upper-case alias name.
user-list ::= a comma separated list of users, groups, netgroups.
+ A logical "!" NOT operator may be prefixed to any
+ of these.
=head2 runas alias section format:
Runas_Alias ::= a keyword.
RUNASALIAS ::= an upper-case alias name.
runas-list ::= a comma separated list of users, groups, netgroups.
+ A logical "!" NOT operator may be prefixed to any
+ of these.
=head2 command alias section format:
Cmnd_Alias ::= a keyword.
CMNDALIAS ::= an upper-case alias name.
cmnd-list ::= a comma separated list commands.
+ A logical "!" NOT operator may be prefixed to any
+ of these.
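Review bot: the context line `cmnd-list ::= a comma separated list commands.` is missing "of" (the other three lists read "a comma separated list of ..."); worth fixing while this hunk adds text to the same definition. The added sentences also do not say what a `!`-prefixed element inside an alias means once that alias is used in a command list (exclusion from the alias, as opposed to a deny entry in the user's list), so one clarifying sentence in one of these four sections would avoid confusion with the `!` documented for user command lists.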
=head2 command specification:
path ::= a fully qualified pathname.
arg[1..n] ::= optional command line arguments.
+=head2 persistence of modifiers
+
+When a I<runas-list> is specified for an I<access_group>, it
+affects all commands in the I<access_group>. For example, given:
+ oper bigserver = (root, sysadm) /usr/bin/kill, /bin/rm
+User C<oper> will be able to run C</usr/bin/kill> and C</bin/rm>
+as B<root> or B<sysadm> on the machine, C<bigserver>. The
+I<runas-list> is "sticky" across entries in the comma-separated
+I<access_group>. You can override the I<runas-list> with another
+one, at which point the new I<runas-list> becomes the default for
+that I<access_group>. For example, given:
+ oper bigserver = (root, sysadm) /usr/bin/kill, (root) /bin/rm, \
+ /bin/rmdir
+User C<oper> can still run C</usr/bin/kill> as B<root> or B<sysadm> but
+can only run C</bin/rm> and C</bin/rmdir> as B<root>.
+
+Similarly, the B<NOPASSWD> modifier is also persistent across an
+I<access_group>. For example given:
+ oper bigserver = NOPASSWD: /usr/bin/kill, /bin/rm, /bin/rmdir
+User C<oper> will be able to run C</usr/bin/kill>, C</bin/rm>, and
+C</bin/rmdir> as B<root> without a password. If we change that to:
+ oper bigserver = NOPASSWD: /usr/bin/kill, PASSWD: /bin/rm, /bin/rmdir
+User C<oper> can still run C</usr/bin/kill> without a password but
+must give a password to run C</bin/rm> and C</bin/rmdir>.
+
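Review bot: the new section documents runas-list and NOPASSWD persistence separately but never says whether the two are independent, e.g. whether a later `(root)` override resets a NOPASSWD set earlier in the same access_group, or whether `PASSWD:` can appear before any `NOPASSWD:`; add a sentence stating how the two modifiers interact. Minor grammar in the same hunk: "For example given:" needs a comma ("For example, given:"), and "on the machine, C<bigserver>" should drop the comma.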
=head2 wildcards (aka meta characters):
B<sudo> allows shell-style I<wildcards> along with command arguments
Words that begin with a plus sign (B<+>) are assumed to
be netgroups (B<+cshosts> refers to the netgroup I<cshosts>).
Long lines can be newline escaped with the backslash B<\> character.
+
The reserved word B<NOPASSWD> indicates that a user need not
-enter a password for the command listed in that entry.
+enter a password for the command listed in that entry. The
+B<NOPASSWD> modifier is persistent across entries in a I<user-list>
+and can be reversed with the B<PASSWD> modifier.
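Review bot: the added sentence says NOPASSWD "is persistent across entries in a I<user-list>", but user-list is the grammar term for a list of users/groups/netgroups; the persistence section in this same patch correctly says the modifier persists across an I<access_group>, so use I<access_group> here as well to keep the two descriptions consistent.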
The reserved alias I<ALL> can be used for both {Host,User,Cmnd}_Alias.
B<DO NOT> define an alias of I<ALL>, it will B<NOT> be used.
Note that I<ALL> implies the entire universe of hosts/users/commands.
You can subtract elements from the universe by using the syntax:
user host=ALL,!ALIAS1,!/sbin/halt...
-Note that the "!" notation only works in a user's command list. You
-may not use it to subtract elements in a User_Alias, Host_Alias,
-Cmnd_Alias or user list.
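Review bot: the hunk removes the statement that "!" only works in a user's command list without replacing it, so a reader of this paragraph no longer learns where "!" is allowed; add a sentence pointing to the alias section formats, where the patch now documents that "!" may be prefixed to elements of host, user, runas and command lists. Also, the unchanged context line says I<ALL> can be used for {Host,User,Cmnd}_Alias but omits Runas_Alias, which the keyword list a few lines above includes; confirm whether ALL is valid there and document it either way.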
Commands may have optional command line arguments. If they do,
then the arguments in the I<sudoers> file must exactly match those
any host on the 128.138.243.0, 128.138.204.0, or 128.138.205.192
nets. The C<CUNETS> alias will match any host on the 128.138.0.0
(class B) network. Note that these are B<network> addresses, not ip
-addresses. Unless an explicate netmask is given, the local I<netmask>
+addresses. Unless an explicit netmask is given, the local I<netmask>
is used to determine whether or not the current host belongs to a network.
=head2 User Alias specifications:
=item jimbo
The user C<jimbo> may C<su> to any user save root on the
-machines on C<CUNETS> (which is explicately listed as a class
+machines on C<CUNETS> (which is explicitly listed as a class
B network).
=item nieusma