it is overridden by the opposite tag (in other words, PASSWD overrides
NOPASSWD and NOEXEC overrides EXEC).
- _\bN_\bO_\bP_\bA_\bS_\bS_\bW_\bD _\ba_\bn_\bd _\bP_\bA_\bS_\bS_\bW_\bD
+ _\bN_\bO_\bP_\bA_\bS_\bS_\bW_\bD and _\bP_\bA_\bS_\bS_\bW_\bD
- By default, s\bsu\bud\bdo\bo requires that a user authenticate him or herself before
- running a command. This behavior can be modified via the NOPASSWD tag.
- Like a Runas_Spec, the NOPASSWD tag sets a default for the commands that
- follow it in the Cmnd_Spec_List. Conversely, the PASSWD tag can be used
- to reverse things. For example:
+ By default, s\bsu\bud\bdo\bo requires that a user authenticate him or herself
+ before running a command. This behavior can be modified via the
+ NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for
+ the commands that follow it in the Cmnd_Spec_List. Conversely, the
+ PASSWD tag can be used to reverse things. For example:
- ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
+ ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
- would allow the user r\bra\bay\by to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, _\b/_\bb_\bi_\bn_\b/_\bl_\bs, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as
- r\bro\boo\bot\bt on the machine rushmore without authenticating himself. If we only
- want r\bra\bay\by to be able to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl without a password the entry would
- be:
+ would allow the user r\bra\bay\by to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, _\b/_\bb_\bi_\bn_\b/_\bl_\bs, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm
+ as r\bro\boo\bot\bt on the machine rushmore without authenticating himself. If we
+ only want r\bra\bay\by to be able to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl without a password the entry
+ would be:
- ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
+ ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
- Note, however, that the PASSWD tag has no effect on users who are in the
- group specified by the _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option.
+ Note, however, that the PASSWD tag has no effect on users who are in
+ the group specified by the _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option.
- By default, if the NOPASSWD tag is applied to any of the entries for a
- user on the current host, he or she will be able to run ``sudo -l''
- without a password. Additionally, a user may only run ``sudo -v''
- without a password if the NOPASSWD tag is present for all a user's
- entries that pertain to the current host. This behavior may be
- overridden via the _\bv_\be_\br_\bi_\bf_\by_\bp_\bw and _\bl_\bi_\bs_\bt_\bp_\bw options.
+ By default, if the NOPASSWD tag is applied to any of the entries for a
+ user on the current host, he or she will be able to run ``sudo -l''
+ without a password. Additionally, a user may only run ``sudo -v''
+ without a password if the NOPASSWD tag is present for all a user's
+ entries that pertain to the current host. This behavior may be
+ overridden via the _\bv_\be_\br_\bi_\bf_\by_\bp_\bw and _\bl_\bi_\bs_\bt_\bp_\bw options.
- _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC
+ _\bN_\bO_\bE_\bX_\bE_\bC and _\bE_\bX_\bE_\bC
- If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the underlying
- operating system supports it, the NOEXEC tag can be used to prevent a
- dynamically-linked executable from running further commands itself.
+ If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the underlying
+ operating system supports it, the NOEXEC tag can be used to prevent a
+ dynamically-linked executable from running further commands itself.
- In the following example, user a\baa\bar\bro\bon\bn may run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and
- _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi but shell escapes will be disabled.
+ In the following example, user a\baa\bar\bro\bon\bn may run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and
+ _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi but shell escapes will be disabled.
- aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+ aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
- See the _\bP_\br_\be_\bv_\be_\bn_\bt_\bi_\bn_\bg _\bs_\bh_\be_\bl_\bl _\be_\bs_\bc_\ba_\bp_\be_\bs section below for more details on how
- NOEXEC works and whether or not it will work on your system.
+ See the _\bP_\br_\be_\bv_\be_\bn_\bt_\bi_\bn_\bg _\bs_\bh_\be_\bl_\bl _\be_\bs_\bc_\ba_\bp_\be_\bs section below for more details on how
+ NOEXEC works and whether or not it will work on your system.
- _\bS_\bE_\bT_\bE_\bN_\bV _\ba_\bn_\bd _\bN_\bO_\bS_\bE_\bT_\bE_\bN_\bV
+ _\bS_\bE_\bT_\bE_\bN_\bV and _\bN_\bO_\bS_\bE_\bT_\bE_\bN_\bV
- These tags override the value of the _\bs_\be_\bt_\be_\bn_\bv option on a per-command
- basis. Note that if SETENV has been set for a command, the user may
- disable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option from the command line via the -\b-E\bE option.
- Additionally, environment variables set on the command line are not
- subject to the restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or
- _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such, only trusted users should be allowed to set variables
- in this manner. If the command matched is A\bAL\bLL\bL, the SETENV tag is implied
- for that command; this default may be overridden by use of the NOSETENV
- tag.
+ These tags override the value of the _\bs_\be_\bt_\be_\bn_\bv option on a per-command
+ basis. Note that if SETENV has been set for a command, the user may
+ disable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option from the command line via the -\b-E\bE option.
+ Additionally, environment variables set on the command line are not
+ subject to the restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or
+ _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such, only trusted users should be allowed to set
+ variables in this manner. If the command matched is A\bAL\bLL\bL, the SETENV
+ tag is implied for that command; this default may be overridden by use
+ of the NOSETENV tag.
- _\bL_\bO_\bG_\b__\bI_\bN_\bP_\bU_\bT _\ba_\bn_\bd _\bN_\bO_\bL_\bO_\bG_\b__\bI_\bN_\bP_\bU_\bT
+ _\bL_\bO_\bG_\b__\bI_\bN_\bP_\bU_\bT and _\bN_\bO_\bL_\bO_\bG_\b__\bI_\bN_\bP_\bU_\bT
- These tags override the value of the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt option on a per-command
- basis. For more information, see the description of _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt in the
- _\bS_\bU_\bD_\bO_\bE_\bR_\bS _\bO_\bP_\bT_\bI_\bO_\bN_\bS section below.
+ These tags override the value of the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt option on a per-command
+ basis. For more information, see the description of _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt in the
+ _\bS_\bU_\bD_\bO_\bE_\bR_\bS _\bO_\bP_\bT_\bI_\bO_\bN_\bS section below.
- _\bL_\bO_\bG_\b__\bO_\bU_\bT_\bP_\bU_\bT _\ba_\bn_\bd _\bN_\bO_\bL_\bO_\bG_\b__\bO_\bU_\bT_\bP_\bU_\bT
+ _\bL_\bO_\bG_\b__\bO_\bU_\bT_\bP_\bU_\bT and _\bN_\bO_\bL_\bO_\bG_\b__\bO_\bU_\bT_\bP_\bU_\bT
- These tags override the value of the _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt option on a per-command
- basis. For more information, see the description of _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt in the
- _\bS_\bU_\bD_\bO_\bE_\bR_\bS _\bO_\bP_\bT_\bI_\bO_\bN_\bS section below.
+ These tags override the value of the _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt option on a per-command
+ basis. For more information, see the description of _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt in the
+ _\bS_\bU_\bD_\bO_\bE_\bR_\bS _\bO_\bP_\bT_\bI_\bO_\bN_\bS section below.
W\bWi\bil\bld\bdc\bca\bar\brd\bds\bs
s\bsu\bud\bdo\bo allows shell-style _\bw_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs (aka meta or glob characters) to be
used in host names, path names and command line arguments in the _\bs_\bu_\bd_\bo_\be_\br_\bs
- file. Wildcard matching is done via the P\bPO\bOS\bSI\bIX\bX glob(3) and fnmatch(3)
- routines. Note that these are _\bn_\bo_\bt regular expressions.
+ file. Wildcard matching is done via the glob(3) and fnmatch(3) functions
+ as specified by IEEE Std 1003.1 (``POSIX.1''). Note that these are _\bn_\bo_\bt
+ regular expressions.
* Matches any set of zero or more characters.
\x For any character `x', evaluates to `x'. This is used to
escape special characters such as: `*', `?', `[', and `]'.
- POSIX character classes may also be used if your system's glob(3) and
+ Character classes may also be used if your system's glob(3) and
fnmatch(3) functions support them. However, because the `:' character
has special meaning in _\bs_\bu_\bd_\bo_\be_\br_\bs, it must be escaped. For example:
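Review bot: dropping the word POSIX in `+Character classes may also be used if your system's glob(3) and` loses the name these bracket expressions are documented under, right after the preceding hunk went out of its way to spell out `IEEE Std 1003.1 (``POSIX.1'')`; a reader checking whether their fnmatch(3) supports them will be looking for "POSIX character classes", and the sentence that follows about escaping the `:' character only makes sense once the reader knows which class syntax is meant. Suggest keeping the qualifier, e.g. `POSIX character classes may also be used if your system's glob(3) and fnmatch(3) functions support them`, and applying the same to the matching man-source hunk further down (`-POSIX character classes may also be used if your system's` / `+Character classes may also be used if your system's`).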
file distributed with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for
complete details.
-Sudo 1.8.6 September 15, 2012 Sudo 1.8.6
+Sudo 1.8.6 October 23, 2012 Sudo 1.8.6
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.TH "SUDOERS" "@mansectsu@" "September 15, 2012" "Sudo @PACKAGE_VERSION@" "Programmer's Manual"
+.TH "SUDOERS" "@mansectsu@" "October 23, 2012" "Sudo @PACKAGE_VERSION@" "Programmer's Manual"
.nh
.if n .ad l
.SH "NAME"
\fRNOEXEC\fR
overrides
\fREXEC\fR).
-.PP
-\fINOPASSWD and PASSWD\fR
-.PP
+.TP 2n
+\fINOPASSWD\fR and \fIPASSWD\fR
+.sp
By default,
\fBsudo\fR
requires that a user authenticate him or herself
\fRPASSWD\fR
tag can be used to reverse things.
For example:
+.RS
.nf
.sp
.RS 0n
ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
.RE
.fi
-.PP
+.sp
would allow the user
\fBray\fR
to run
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
.RE
.fi
-.PP
+.sp
Note, however, that the
\fRPASSWD\fR
tag has no effect on users who are in the group specified by the
\fIexempt_group\fR
option.
-.PP
+.sp
By default, if the
\fRNOPASSWD\fR
tag is applied to any of the entries for a user on the current host,
\fIlistpw\fR
options.
.PP
-\fINOEXEC and EXEC\fR
-.PP
+.RE
+.PD 0
+.TP 2n
+\fINOEXEC\fR and \fIEXEC\fR
+.sp
If
\fBsudo\fR
has been compiled with
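Review bot: the `.PP` kept as context just above `+.RE` / `+.PD 0` / `+.TP 2n` for the NOEXEC tag is the paragraph break that used to precede the old `\fINOEXEC and EXEC\fR` heading; now that the heading is a `.TP` tag, the `.PD 0` inserted before it and the `+.PD` reset after the "Preventing shell escapes" sentence exist only to cancel the extra vertical space that leftover `.PP` would add. The LOG_INPUT hunk below handles the same transition by deleting the old break outright (`-.PP` / `-\fILOG_INPUT and NOLOG_INPUT\fR` / `-.PP`), with its `+.PD` there only undoing the `.PD 0` set before the SETENV tag. Suggest removing the stale `.PP` before the NOEXEC and SETENV tags the same way so the `.PD 0` / `.PD` pairs can go away and the spacing between the five tag entries is produced by one mechanism rather than two that happen to cancel.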
\fRNOEXEC\fR
tag can be used to prevent a dynamically-linked executable from
running further commands itself.
-.PP
+.sp
In the following example, user
\fBaaron\fR
may run
and
\fI/usr/bin/vi\fR
but shell escapes will be disabled.
+.RS
.nf
.sp
.RS 0n
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
.RE
.fi
-.PP
+.sp
See the
\fIPreventing shell escapes\fR
section below for more details on how
\fRNOEXEC\fR
works and whether or not it will work on your system.
+.PD
.PP
-\fISETENV and NOSETENV\fR
-.PP
+.RE
+.PD 0
+.TP 2n
+\fISETENV\fR and \fINOSETENV\fR
+.sp
These tags override the value of the
\fIsetenv\fR
option on a per-command basis.
tag is implied for that command; this default may be overridden by use of the
\fRNOSETENV\fR
tag.
-.PP
-\fILOG_INPUT and NOLOG_INPUT\fR
-.PP
+.PD
+.TP 2n
+\fILOG_INPUT\fR and \fINOLOG_INPUT\fR
+.sp
These tags override the value of the
\fIlog_input\fR
option on a per-command basis.
in the
\fISUDOERS OPTIONS\fR
section below.
-.PP
-\fILOG_OUTPUT and NOLOG_OUTPUT\fR
-.PP
+.TP 2n
+\fILOG_OUTPUT\fR and \fINOLOG_OUTPUT\fR
+.sp
These tags override the value of the
\fIlog_output\fR
option on a per-command basis.
\fIsudoers\fR
file.
Wildcard matching is done via the
-\fBPOSIX\fR
glob(3)
and
fnmatch(3)
-routines.
+functions as specified by
+IEEE Std 1003.1 (\(lqPOSIX.1\(rq).
Note that these are
\fInot\fR
regular expressions.
and
`]\&'.
.PP
-POSIX character classes may also be used if your system's
+Character classes may also be used if your system's
glob(3)
and
fnmatch(3)