-Installation instructions for Sudo 1.7
-======================================
+Sudo installation instructions
+==============================
Sudo uses a `configure' script to probe the capabilities and type
of the system in question. In this release, `configure' takes many
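Review bot: The heading no longer names the major version, and the underline on the `+` line has been shortened to match the new title, so the heading stays well-formed; since the README hunk in this same patch deletes its version line too, confirm that nothing else in INSTALL still refers to "Sudo 1.7" and that the version is meant to live only in configure.in from now on.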
+What's new in Sudo 1.7.7
+
+ * Group ownership of the sudoers file is now only enforced when
+ the file mode on sudoers allows group readability or writability.
+
+ * Visudo now checks the contents of an alias and warns about cycles
+ when the alias is expanded.
+
+ * If the user specifes a group via sudo's -g option that matches
+ the target user's group in the password database, it is now
+ allowed even if no groups are present in the Runas_Spec.
+
+ * Multi-factor authentication is now supported on AIX.
+
+ * Added support for non-RFC 4517 compliant LDAP servers that require
+ that seconds be present in a timestamp, such as Tivoli Directory Server.
+
+ * If the group vector is to be preserved, the PATH search for the
+ command is now done with the user's original group vector.
+
+ * For LDAP-based sudoers, the "runas_default" sudoOption now works
+ properly in a sudoRole that contains a sudoCommand.
+
+What's new in Sudo 1.7.6p2
+
+ * Two-character CIDR-style IPv4 netmasks are now matched correctly
+ in the sudoers file.
+
+ * A build error with MIT Kerberos V has been resolved.
+
What's new in Sudo 1.7.6p1
* A non-existent includedir is now treated the same as an empty
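Review bot: Typo in the new 1.7.7 entry for the -g option: "specifes" should be "specifies". The first 1.7.7 entry (group ownership of sudoers enforced only when the mode grants group read or write) relaxes a security check, so it is worth stating the consequence plainly for administrators: a sudoers file with no group bits set is now accepted whatever its group owner, while a file with group bits set still has to belong to the expected group. This change also adds the whole 1.7.6p2 section alongside 1.7.7; check whether that section was simply missing from NEWS at the 1.7.6p2 tag.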
-This is Sudo version 1.7.5
-
The sudo philosophy
===================
Sudo is a program designed to allow a sysadmin to give limited root privileges
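Review bot: The README line "This is Sudo version 1.7.5" is deleted rather than bumped to 1.7.7. It was already two releases stale, which is a fair argument for not hard-coding the version here, but then make sure no packaging or documentation step expected to read it (the INSTALL heading in this patch drops its version as well).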
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.68 for sudo 1.7.6p2.
+# Generated by GNU Autoconf 2.68 for sudo 1.7.7.
#
# Report bugs to <http://www.sudo.ws/bugs/>.
#
# Identity of this package.
PACKAGE_NAME='sudo'
PACKAGE_TARNAME='sudo'
-PACKAGE_VERSION='1.7.6p2'
-PACKAGE_STRING='sudo 1.7.6p2'
+PACKAGE_VERSION='1.7.7'
+PACKAGE_STRING='sudo 1.7.7'
PACKAGE_BUGREPORT='http://www.sudo.ws/bugs/'
PACKAGE_URL=''
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures sudo 1.7.6p2 to adapt to many kinds of systems.
+\`configure' configures sudo 1.7.7 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of sudo 1.7.6p2:";;
+ short | recursive ) echo "Configuration of sudo 1.7.7:";;
esac
cat <<\_ACEOF
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-sudo configure 1.7.6p2
+sudo configure 1.7.7
generated by GNU Autoconf 2.68
Copyright (C) 2010 Free Software Foundation, Inc.
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by sudo $as_me 1.7.6p2, which was
+It was created by sudo $as_me 1.7.7, which was
generated by GNU Autoconf 2.68. Invocation command line was
$ $0 $@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by sudo $as_me 1.7.6p2, which was
+This file was extended by sudo $as_me 1.7.7, which was
generated by GNU Autoconf 2.68. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-sudo config.status 1.7.6p2
+sudo config.status 1.7.7
configured by $0, generated by GNU Autoconf 2.68,
with options \\"\$ac_cs_config\\"
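Review bot: All version strings in configure (the header comment, PACKAGE_VERSION, PACKAGE_STRING, the --help and --version texts, the config.log banner and the config.status banner) are consistently 1.7.7, and every "generated by GNU Autoconf 2.68" line is unchanged, so this reads as a clean regeneration from the AC_INIT line in configure.in rather than a hand edit. Confirm that by running autoconf on the updated configure.in and diffing against this file; a hand-edited configure silently drifts at the next regeneration.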
dnl
dnl Copyright (c) 1994-1996,1998-2011 Todd C. Miller <Todd.Miller@courtesan.com>
dnl
-AC_INIT([sudo], [1.7.6p2], [http://www.sudo.ws/bugs/], [sudo])
+AC_INIT([sudo], [1.7.7], [http://www.sudo.ws/bugs/], [sudo])
AC_CONFIG_HEADER(config.h pathnames.h zlib/zconf.h)
dnl
dnl Note: this must come after AC_INIT
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
-N\bNA\bAM\bME\bE
+\e[1mNAME\e[0m
sudo, sudoedit - execute a command as another user
-S\bSY\bYN\bNO\bOP\bPS\bSI\bIS\bS
- s\bsu\bud\bdo\bo -\b-h\bh | -\b-K\bK | -\b-k\bk | -\b-L\bL | -\b-V\bV
+\e[1mSYNOPSIS\e[0m
+ \e[1msudo -h \e[22m| \e[1m-K \e[22m| \e[1m-k \e[22m| \e[1m-L \e[22m| \e[1m-V\e[0m
- s\bsu\bud\bdo\bo -\b-v\bv [-\b-A\bAk\bkn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt]
- [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd]
+ \e[1msudo -v \e[22m[\e[1m-AknS\e[22m] [\e[1m-a \e[4m\e[22mauth_type\e[24m] [\e[1m-g \e[4m\e[22mgroup\e[24m \e[4mname\e[24m|\e[4m#gid\e[24m] [\e[1m-p \e[4m\e[22mprompt\e[24m]
+ [\e[1m-u \e[4m\e[22musername\e[24m|\e[4m#uid\e[24m]
- s\bsu\bud\bdo\bo -\b-l\bl[\b[l\bl]\b] [-\b-A\bAk\bkn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt]
- [-\b-U\bU _\bu_\bs_\be_\br _\bn_\ba_\bm_\be] [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
+ \e[1msudo -l[l] \e[22m[\e[1m-AknS\e[22m] [\e[1m-a \e[4m\e[22mauth_type\e[24m] [\e[1m-g \e[4m\e[22mgroup\e[24m \e[4mname\e[24m|\e[4m#gid\e[24m] [\e[1m-p \e[4m\e[22mprompt\e[24m]
+ [\e[1m-U \e[4m\e[22muser\e[24m \e[4mname\e[24m] [\e[1m-u \e[4m\e[22muser\e[24m \e[4mname\e[24m|\e[4m#uid\e[24m] [\e[4mcommand\e[24m]
- s\bsu\bud\bdo\bo [-\b-A\bAb\bbE\bEH\bHn\bnP\bPS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-]
- [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-r\br _\br_\bo_\bl_\be] [-\b-t\bt _\bt_\by_\bp_\be]
- [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be] [-\b-i\bi | -\b-s\bs] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
+ \e[1msudo \e[22m[\e[1m-AbEHnPS\e[22m] [\e[1m-a \e[4m\e[22mauth_type\e[24m] [\e[1m-C \e[4m\e[22mfd\e[24m] [\e[1m-c \e[4m\e[22mclass\e[24m|\e[4m-\e[24m]
+ [\e[1m-g \e[4m\e[22mgroup\e[24m \e[4mname\e[24m|\e[4m#gid\e[24m] [\e[1m-p \e[4m\e[22mprompt\e[24m] [\e[1m-r \e[4m\e[22mrole\e[24m] [\e[1m-t \e[4m\e[22mtype\e[24m]
+ [\e[1m-u \e[4m\e[22muser\e[24m \e[4mname\e[24m|\e[4m#uid\e[24m] [\e[1mVAR\e[22m=\e[4mvalue\e[24m] [\e[1m-i \e[22m| \e[1m-s\e[22m] [\e[4mcommand\e[24m]
- s\bsu\bud\bdo\boe\bed\bdi\bit\bt [-\b-A\bAn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-]
- [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] file ...
+ \e[1msudoedit \e[22m[\e[1m-AnS\e[22m] [\e[1m-a \e[4m\e[22mauth_type\e[24m] [\e[1m-C \e[4m\e[22mfd\e[24m] [\e[1m-c \e[4m\e[22mclass\e[24m|\e[4m-\e[24m]
+ [\e[1m-g \e[4m\e[22mgroup\e[24m \e[4mname\e[24m|\e[4m#gid\e[24m] [\e[1m-p \e[4m\e[22mprompt\e[24m] [\e[1m-u \e[4m\e[22muser\e[24m \e[4mname\e[24m|\e[4m#uid\e[24m] file ...
-D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- s\bsu\bud\bdo\bo allows a permitted user to execute a _\bc_\bo_\bm_\bm_\ba_\bn_\bd as the superuser or
- another user, as specified in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. The real and effective
+\e[1mDESCRIPTION\e[0m
+ \e[1msudo \e[22mallows a permitted user to execute a \e[4mcommand\e[24m as the superuser or
+ another user, as specified in the \e[4msudoers\e[24m file. The real and effective
uid and gid are set to match those of the target user as specified in
the passwd file and the group vector is initialized based on the group
- file (unless the -\b-P\bP option was specified). If the invoking user is
+ file (unless the \e[1m-P \e[22moption was specified). If the invoking user is
root or if the target user is the same as the invoking user, no
- password is required. Otherwise, s\bsu\bud\bdo\bo requires that users authenticate
+ password is required. Otherwise, \e[1msudo \e[22mrequires that users authenticate
themselves with a password by default (NOTE: in the default
configuration this is the user's password, not the root password).
Once a user has been authenticated, a time stamp is updated and the
user may then use sudo without a password for a short period of time (5
- minutes unless overridden in _\bs_\bu_\bd_\bo_\be_\br_\bs).
+ minutes unless overridden in \e[4msudoers\e[24m).
- When invoked as s\bsu\bud\bdo\boe\bed\bdi\bit\bt, the -\b-e\be option (described below), is implied.
+ When invoked as \e[1msudoedit\e[22m, the \e[1m-e \e[22moption (described below), is implied.
- s\bsu\bud\bdo\bo determines who is an authorized user by consulting the file
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. By running s\bsu\bud\bdo\bo with the -\b-v\bv option, a user can update
- the time stamp without running a _\bc_\bo_\bm_\bm_\ba_\bn_\bd. If a password is required,
- s\bsu\bud\bdo\bo will exit if the user's password is not entered within a
+ \e[1msudo \e[22mdetermines who is an authorized user by consulting the file
+ \e[4m/etc/sudoers\e[24m. By running \e[1msudo \e[22mwith the \e[1m-v \e[22moption, a user can update
+ the time stamp without running a \e[4mcommand\e[24m. If a password is required,
+ \e[1msudo \e[22mwill exit if the user's password is not entered within a
configurable time limit. The default password prompt timeout is 5
minutes.
- If a user who is not listed in the _\bs_\bu_\bd_\bo_\be_\br_\bs file tries to run a command
- via s\bsu\bud\bdo\bo, mail is sent to the proper authorities, as defined at
- configure time or in the _\bs_\bu_\bd_\bo_\be_\br_\bs file (defaults to root). Note that
+ If a user who is not listed in the \e[4msudoers\e[24m file tries to run a command
+ via \e[1msudo\e[22m, mail is sent to the proper authorities, as defined at
+ configure time or in the \e[4msudoers\e[24m file (defaults to root). Note that
the mail will not be sent if an unauthorized user tries to run sudo
- with the -\b-l\bl or -\b-v\bv option. This allows users to determine for
- themselves whether or not they are allowed to use s\bsu\bud\bdo\bo.
+ with the \e[1m-l \e[22mor \e[1m-v \e[22moption. This allows users to determine for
+ themselves whether or not they are allowed to use \e[1msudo\e[22m.
- If s\bsu\bud\bdo\bo is run by root and the SUDO_USER environment variable is set,
- s\bsu\bud\bdo\bo will use this value to determine who the actual user is. This can
+ If \e[1msudo \e[22mis run by root and the SUDO_USER environment variable is set,
+ \e[1msudo \e[22mwill use this value to determine who the actual user is. This can
be used by a user to log commands through sudo even when a root shell
- has been invoked. It also allows the -\b-e\be option to remain useful even
+ has been invoked. It also allows the \e[1m-e \e[22moption to remain useful even
when being run via a sudo-run script or program. Note however, that
-
-
-
-1.7.6 April 9, 2011 1
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
the sudoers lookup is still done for root, not the user specified by
SUDO_USER.
- s\bsu\bud\bdo\bo can log both successful and unsuccessful attempts (as well as
- errors) to _\bs_\by_\bs_\bl_\bo_\bg(3), a log file, or both. By default s\bsu\bud\bdo\bo will log
- via _\bs_\by_\bs_\bl_\bo_\bg(3) but this is changeable at configure time or via the
- _\bs_\bu_\bd_\bo_\be_\br_\bs file.
+ \e[1msudo \e[22mcan log both successful and unsuccessful attempts (as well as
+ errors) to \e[4msyslog\e[24m(3), a log file, or both. By default \e[1msudo \e[22mwill log
+ via \e[4msyslog\e[24m(3) but this is changeable at configure time or via the
+ \e[4msudoers\e[24m file.
-O\bOP\bPT\bTI\bIO\bON\bNS\bS
- s\bsu\bud\bdo\bo accepts the following command line options:
+\e[1mOPTIONS\e[0m
+ \e[1msudo \e[22maccepts the following command line options:
- -A Normally, if s\bsu\bud\bdo\bo requires a password, it will read it from
- the current terminal. If the -\b-A\bA (_\ba_\bs_\bk_\bp_\ba_\bs_\bs) option is
+ -A Normally, if \e[1msudo \e[22mrequires a password, it will read it from
+ the current terminal. If the \e[1m-A \e[22m(\e[4maskpass\e[24m) option is
specified, a (possibly graphical) helper program is
executed to read the user's password and output the
password to the standard output. If the SUDO_ASKPASS
environment variable is set, it specifies the path to the
helper program. Otherwise, the value specified by the
- _\ba_\bs_\bk_\bp_\ba_\bs_\bs option in _\bs_\bu_\bd_\bo_\be_\br_\bs(4) is used.
+ \e[4maskpass\e[24m option in \e[4msudoers\e[24m(4) is used.
- -a _\bt_\by_\bp_\be The -\b-a\ba (_\ba_\bu_\bt_\bh_\be_\bn_\bt_\bi_\bc_\ba_\bt_\bi_\bo_\bn _\bt_\by_\bp_\be) option causes s\bsu\bud\bdo\bo to use the
+ -a \e[4mtype\e[24m The \e[1m-a \e[22m(\e[4mauthentication\e[24m \e[4mtype\e[24m) option causes \e[1msudo \e[22mto use the
specified authentication type when validating the user, as
- allowed by _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. The system administrator may
+ allowed by \e[4m/etc/login.conf\e[24m. The system administrator may
specify a list of sudo-specific authentication methods by
- adding an "auth-sudo" entry in _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. This
+ adding an "auth-sudo" entry in \e[4m/etc/login.conf\e[24m. This
option is only available on systems that support BSD
authentication.
- -b The -\b-b\bb (_\bb_\ba_\bc_\bk_\bg_\br_\bo_\bu_\bn_\bd) option tells s\bsu\bud\bdo\bo to run the given
- command in the background. Note that if you use the -\b-b\bb
+ -b The \e[1m-b \e[22m(\e[4mbackground\e[24m) option tells \e[1msudo \e[22mto run the given
+ command in the background. Note that if you use the \e[1m-b\e[0m
option you cannot use shell job control to manipulate the
process.
- -C _\bf_\bd Normally, s\bsu\bud\bdo\bo will close all open file descriptors other
+ -C \e[4mfd\e[24m Normally, \e[1msudo \e[22mwill close all open file descriptors other
than standard input, standard output and standard error.
- The -\b-C\bC (_\bc_\bl_\bo_\bs_\be _\bf_\br_\bo_\bm) option allows the user to specify a
+ The \e[1m-C \e[22m(\e[4mclose\e[24m \e[4mfrom\e[24m) option allows the user to specify a
starting point above the standard error (file descriptor
three). Values less than three are not permitted. This
option is only available if the administrator has enabled
- the _\bc_\bl_\bo_\bs_\be_\bf_\br_\bo_\bm_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be option in _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
+ the \e[4mclosefrom_override\e[24m option in \e[4msudoers\e[24m(4).
- -c _\bc_\bl_\ba_\bs_\bs The -\b-c\bc (_\bc_\bl_\ba_\bs_\bs) option causes s\bsu\bud\bdo\bo to run the specified
+ -c \e[4mclass\e[24m The \e[1m-c \e[22m(\e[4mclass\e[24m) option causes \e[1msudo \e[22mto run the specified
command with resources limited by the specified login
- class. The _\bc_\bl_\ba_\bs_\bs argument can be either a class name as
- defined in _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf, or a single '-' character.
- Specifying a _\bc_\bl_\ba_\bs_\bs of - indicates that the command should
+ class. The \e[4mclass\e[24m argument can be either a class name as
+ defined in \e[4m/etc/login.conf\e[24m, or a single '-' character.
+ Specifying a \e[4mclass\e[24m of - indicates that the command should
be run restricted by the default login capabilities for the
- user the command is run as. If the _\bc_\bl_\ba_\bs_\bs argument
+ user the command is run as. If the \e[4mclass\e[24m argument
specifies an existing user class, the command must be run
- as root, or the s\bsu\bud\bdo\bo command must be run from a shell that
+ as root, or the \e[1msudo \e[22mcommand must be run from a shell that
is already root. This option is only available on systems
with BSD login classes.
- -E The -\b-E\bE (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt) option will override the
-
-
-
-1.7.6 April 9, 2011 2
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
- _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option in _\bs_\bu_\bd_\bo_\be_\br_\bs(4)). It is only available when
+ -E The \e[1m-E \e[22m(\e[4mpreserve\e[24m \e[4menvironment\e[24m) option will override the
+ \e[4menv_reset\e[24m option in \e[4msudoers\e[24m(4)). It is only available when
either the matching command has the SETENV tag or the
- _\bs_\be_\bt_\be_\bn_\bv option is set in _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
+ \e[4msetenv\e[24m option is set in \e[4msudoers\e[24m(4).
- -e The -\b-e\be (_\be_\bd_\bi_\bt) option indicates that, instead of running a
+ -e The \e[1m-e \e[22m(\e[4medit\e[24m) option indicates that, instead of running a
command, the user wishes to edit one or more files. In
lieu of a command, the string "sudoedit" is used when
- consulting the _\bs_\bu_\bd_\bo_\be_\br_\bs file. If the user is authorized by
- _\bs_\bu_\bd_\bo_\be_\br_\bs the following steps are taken:
+ consulting the \e[4msudoers\e[24m file. If the user is authorized by
+ \e[4msudoers\e[24m the following steps are taken:
1. Temporary copies are made of the files to be edited
with the owner set to the invoking user.
2. The editor specified by the SUDO_EDITOR, VISUAL or
EDITOR environment variables is run to edit the
temporary files. If none of SUDO_EDITOR, VISUAL or
- EDITOR are set, the first program listed in the _\be_\bd_\bi_\bt_\bo_\br
- _\bs_\bu_\bd_\bo_\be_\br_\bs variable is used.
+ EDITOR are set, the first program listed in the \e[4meditor\e[0m
+ \e[4msudoers\e[24m variable is used.
3. If they have been modified, the temporary files are
copied back to their original location and the
temporary versions are removed.
If the specified file does not exist, it will be created.
- Note that unlike most commands run by s\bsu\bud\bdo\bo, the editor is
+ Note that unlike most commands run by \e[1msudo\e[22m, the editor is
run with the invoking user's environment unmodified. If,
- for some reason, s\bsu\bud\bdo\bo is unable to update a file with its
+ for some reason, \e[1msudo \e[22mis unable to update a file with its
edited version, the user will receive a warning and the
edited copy will remain in a temporary file.
- -g _\bg_\br_\bo_\bu_\bp Normally, s\bsu\bud\bdo\bo sets the primary group to the one specified
+ -g \e[4mgroup\e[24m Normally, \e[1msudo \e[22msets the primary group to the one specified
by the passwd database for the user the command is being
- run as (by default, root). The -\b-g\bg (_\bg_\br_\bo_\bu_\bp) option causes
- s\bsu\bud\bdo\bo to run the specified command with the primary group
- set to _\bg_\br_\bo_\bu_\bp. To specify a _\bg_\bi_\bd instead of a _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be,
- use _\b#_\bg_\bi_\bd. When running commands as a _\bg_\bi_\bd, many shells
+ run as (by default, root). The \e[1m-g \e[22m(\e[4mgroup\e[24m) option causes
+ \e[1msudo \e[22mto run the specified command with the primary group
+ set to \e[4mgroup\e[24m. To specify a \e[4mgid\e[24m instead of a \e[4mgroup\e[24m \e[4mname\e[24m,
+ use \e[4m#gid\e[24m. When running commands as a \e[4mgid\e[24m, many shells
require that the '#' be escaped with a backslash ('\'). If
- no -\b-u\bu option is specified, the command will be run as the
+ no \e[1m-u \e[22moption is specified, the command will be run as the
invoking user (not root). In either case, the primary
- group will be set to _\bg_\br_\bo_\bu_\bp.
+ group will be set to \e[4mgroup\e[24m.
- -H The -\b-H\bH (_\bH_\bO_\bM_\bE) option sets the HOME environment variable to
+ -H The \e[1m-H \e[22m(\e[4mHOME\e[24m) option sets the HOME environment variable to
the homedir of the target user (root by default) as
- specified in _\bp_\ba_\bs_\bs_\bw_\bd(4). The default handling of the HOME
- environment variable depends on _\bs_\bu_\bd_\bo_\be_\br_\bs(4) settings. By
- default, s\bsu\bud\bdo\bo will set HOME if _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt or _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be
- are set, or if _\bs_\be_\bt_\b__\bh_\bo_\bm_\be is set and the -\b-s\bs option is
+ specified in \e[4mpasswd\e[24m(4). The default handling of the HOME
+ environment variable depends on \e[4msudoers\e[24m(4) settings. By
+ default, \e[1msudo \e[22mwill set HOME if \e[4menv_reset\e[24m or \e[4malways_set_home\e[0m
+ are set, or if \e[4mset_home\e[24m is set and the \e[1m-s \e[22moption is
specified on the command line.
- -h The -\b-h\bh (_\bh_\be_\bl_\bp) option causes s\bsu\bud\bdo\bo to print a short help
+ -h The \e[1m-h \e[22m(\e[4mhelp\e[24m) option causes \e[1msudo \e[22mto print a short help
message to the standard output and exit.
-i [command]
- The -\b-i\bi (_\bs_\bi_\bm_\bu_\bl_\ba_\bt_\be _\bi_\bn_\bi_\bt_\bi_\ba_\bl _\bl_\bo_\bg_\bi_\bn) option runs the shell
-
-
-
-1.7.6 April 9, 2011 3
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
- specified in the _\bp_\ba_\bs_\bs_\bw_\bd(4) entry of the target user as a
+ The \e[1m-i \e[22m(\e[4msimulate\e[24m \e[4minitial\e[24m \e[4mlogin\e[24m) option runs the shell
+ specified in the \e[4mpasswd\e[24m(4) entry of the target user as a
login shell. This means that login-specific resource files
such as .profile or .login will be read by the shell. If a
command is specified, it is passed to the shell for
execution. Otherwise, an interactive shell is executed.
- s\bsu\bud\bdo\bo attempts to change to that user's home directory
+ \e[1msudo \e[22mattempts to change to that user's home directory
before running the shell. It also initializes the
- environment, leaving _\bD_\bI_\bS_\bP_\bL_\bA_\bY and _\bT_\bE_\bR_\bM unchanged, setting
- _\bH_\bO_\bM_\bE, _\bM_\bA_\bI_\bL, _\bS_\bH_\bE_\bL_\bL, _\bU_\bS_\bE_\bR, _\bL_\bO_\bG_\bN_\bA_\bM_\bE, and _\bP_\bA_\bT_\bH, as well as the
- contents of _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt on Linux and AIX systems. All
+ environment, leaving \e[4mDISPLAY\e[24m and \e[4mTERM\e[24m unchanged, setting
+ \e[4mHOME\e[24m, \e[4mMAIL\e[24m, \e[4mSHELL\e[24m, \e[4mUSER\e[24m, \e[4mLOGNAME\e[24m, and \e[4mPATH\e[24m, as well as the
+ contents of \e[4m/etc/environment\e[24m on Linux and AIX systems. All
other environment variables are removed.
- -K The -\b-K\bK (sure _\bk_\bi_\bl_\bl) option is like -\b-k\bk except that it removes
+ -K The \e[1m-K \e[22m(sure \e[4mkill\e[24m) option is like \e[1m-k \e[22mexcept that it removes
the user's time stamp entirely and may not be used in
conjunction with a command or other option. This option
does not require a password.
- -k When used by itself, the -\b-k\bk (_\bk_\bi_\bl_\bl) option to s\bsu\bud\bdo\bo
+ -k When used by itself, the \e[1m-k \e[22m(\e[4mkill\e[24m) option to \e[1msudo\e[0m
invalidates the user's time stamp by setting the time on it
- to the Epoch. The next time s\bsu\bud\bdo\bo is run a password will be
+ to the Epoch. The next time \e[1msudo \e[22mis run a password will be
required. This option does not require a password and was
- added to allow a user to revoke s\bsu\bud\bdo\bo permissions from a
+ added to allow a user to revoke \e[1msudo \e[22mpermissions from a
.logout file.
When used in conjunction with a command or an option that
- may require a password, the -\b-k\bk option will cause s\bsu\bud\bdo\bo to
- ignore the user's time stamp file. As a result, s\bsu\bud\bdo\bo will
- prompt for a password (if one is required by _\bs_\bu_\bd_\bo_\be_\br_\bs) and
+ may require a password, the \e[1m-k \e[22moption will cause \e[1msudo \e[22mto
+ ignore the user's time stamp file. As a result, \e[1msudo \e[22mwill
+ prompt for a password (if one is required by \e[4msudoers\e[24m) and
will not update the user's time stamp file.
- -L The -\b-L\bL (_\bl_\bi_\bs_\bt defaults) option will list the parameters that
- may be set in a _\bD_\be_\bf_\ba_\bu_\bl_\bt_\bs line along with a short
+ -L The \e[1m-L \e[22m(\e[4mlist\e[24m defaults) option will list the parameters that
+ may be set in a \e[4mDefaults\e[24m line along with a short
description for each. This option will be removed from a
- future version of s\bsu\bud\bdo\bo.
+ future version of \e[1msudo\e[22m.
- -l[l] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
- If no _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified, the -\b-l\bl (_\bl_\bi_\bs_\bt) option will list
+ -l[l] [\e[4mcommand\e[24m]
+ If no \e[4mcommand\e[24m is specified, the \e[1m-l \e[22m(\e[4mlist\e[24m) option will list
the allowed (and forbidden) commands for the invoking user
- (or the user specified by the -\b-U\bU option) on the current
- host. If a _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified and is permitted by
- _\bs_\bu_\bd_\bo_\be_\br_\bs, the fully-qualified path to the command is
+ (or the user specified by the \e[1m-U \e[22moption) on the current
+ host. If a \e[4mcommand\e[24m is specified and is permitted by
+ \e[4msudoers\e[24m, the fully-qualified path to the command is
displayed along with any command line arguments. If
- _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified but not allowed, s\bsu\bud\bdo\bo will exit with a
- status value of 1. If the -\b-l\bl option is specified with an l\bl
- argument (i.e. -\b-l\bll\bl), or if -\b-l\bl is specified multiple times,
+ \e[4mcommand\e[24m is specified but not allowed, \e[1msudo \e[22mwill exit with a
+ status value of 1. If the \e[1m-l \e[22moption is specified with an \e[1ml\e[0m
+ argument (i.e. \e[1m-ll\e[22m), or if \e[1m-l \e[22mis specified multiple times,
a longer list format is used.
- -n The -\b-n\bn (_\bn_\bo_\bn_\b-_\bi_\bn_\bt_\be_\br_\ba_\bc_\bt_\bi_\bv_\be) option prevents s\bsu\bud\bdo\bo from
+ -n The \e[1m-n \e[22m(\e[4mnon-interactive\e[24m) option prevents \e[1msudo \e[22mfrom
prompting the user for a password. If a password is
- required for the command to run, s\bsu\bud\bdo\bo will display an error
+ required for the command to run, \e[1msudo \e[22mwill display an error
messages and exit.
- -P The -\b-P\bP (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\bg_\br_\bo_\bu_\bp _\bv_\be_\bc_\bt_\bo_\br) option causes s\bsu\bud\bdo\bo to
+ -P The \e[1m-P \e[22m(\e[4mpreserve\e[24m \e[4mgroup\e[24m \e[4mvector\e[24m) option causes \e[1msudo \e[22mto
preserve the invoking user's group vector unaltered. By
-
-
-
-1.7.6 April 9, 2011 4
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
- default, s\bsu\bud\bdo\bo will initialize the group vector to the list
+ default, \e[1msudo \e[22mwill initialize the group vector to the list
of groups the target user is in. The real and effective
group IDs, however, are still set to match the target user.
- -p _\bp_\br_\bo_\bm_\bp_\bt The -\b-p\bp (_\bp_\br_\bo_\bm_\bp_\bt) option allows you to override the default
+ -p \e[4mprompt\e[24m The \e[1m-p \e[22m(\e[4mprompt\e[24m) option allows you to override the default
password prompt and use a custom one. The following
percent (`%') escapes are supported:
%H expanded to the local host name including the domain
name (on if the machine's host name is fully qualified
- or the _\bf_\bq_\bd_\bn _\bs_\bu_\bd_\bo_\be_\br_\bs option is set)
+ or the \e[4mfqdn\e[24m \e[4msudoers\e[24m option is set)
%h expanded to the local host name without the domain name
%p expanded to the user whose password is being asked for
- (respects the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and _\br_\bu_\bn_\ba_\bs_\bp_\bw flags in
- _\bs_\bu_\bd_\bo_\be_\br_\bs)
+ (respects the \e[4mrootpw\e[24m, \e[4mtargetpw\e[24m and \e[4mrunaspw\e[24m flags in
+ \e[4msudoers\e[24m)
%U expanded to the login name of the user the command will
be run as (defaults to root)
%% two consecutive % characters are collapsed into a
single % character
- The prompt specified by the -\b-p\bp option will override the
+ The prompt specified by the \e[1m-p \e[22moption will override the
system password prompt on systems that support PAM unless
- the _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be flag is disabled in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+ the \e[4mpassprompt_override\e[24m flag is disabled in \e[4msudoers\e[24m.
- -r _\br_\bo_\bl_\be The -\b-r\br (_\br_\bo_\bl_\be) option causes the new (SELinux) security
- context to have the role specified by _\br_\bo_\bl_\be.
+ -r \e[4mrole\e[24m The \e[1m-r \e[22m(\e[4mrole\e[24m) option causes the new (SELinux) security
+ context to have the role specified by \e[4mrole\e[24m.
- -S The -\b-S\bS (_\bs_\bt_\bd_\bi_\bn) option causes s\bsu\bud\bdo\bo to read the password from
+ -S The \e[1m-S \e[22m(\e[4mstdin\e[24m) option causes \e[1msudo \e[22mto read the password from
the standard input instead of the terminal device. The
password must be followed by a newline character.
-s [command]
- The -\b-s\bs (_\bs_\bh_\be_\bl_\bl) option runs the shell specified by the _\bS_\bH_\bE_\bL_\bL
+ The \e[1m-s \e[22m(\e[4mshell\e[24m) option runs the shell specified by the \e[4mSHELL\e[0m
environment variable if it is set or the shell as specified
- in _\bp_\ba_\bs_\bs_\bw_\bd(4). If a command is specified, it is passed to
+ in \e[4mpasswd\e[24m(4). If a command is specified, it is passed to
the shell for execution. Otherwise, an interactive shell
is executed.
- -t _\bt_\by_\bp_\be The -\b-t\bt (_\bt_\by_\bp_\be) option causes the new (SELinux) security
- context to have the type specified by _\bt_\by_\bp_\be. If no type is
+ -t \e[4mtype\e[24m The \e[1m-t \e[22m(\e[4mtype\e[24m) option causes the new (SELinux) security
+ context to have the type specified by \e[4mtype\e[24m. If no type is
specified, the default type is derived from the specified
role.
- -U _\bu_\bs_\be_\br The -\b-U\bU (_\bo_\bt_\bh_\be_\br _\bu_\bs_\be_\br) option is used in conjunction with the
- -\b-l\bl option to specify the user whose privileges should be
- listed. Only root or a user with s\bsu\bud\bdo\bo ALL on the current
+ -U \e[4muser\e[24m The \e[1m-U \e[22m(\e[4mother\e[24m \e[4muser\e[24m) option is used in conjunction with the
+ \e[1m-l \e[22moption to specify the user whose privileges should be
+ listed. Only root or a user with \e[1msudo \e[22mALL on the current
host may use this option.
-
-
-
-1.7.6 April 9, 2011 5
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
- -u _\bu_\bs_\be_\br The -\b-u\bu (_\bu_\bs_\be_\br) option causes s\bsu\bud\bdo\bo to run the specified
- command as a user other than _\br_\bo_\bo_\bt. To specify a _\bu_\bi_\bd
- instead of a _\bu_\bs_\be_\br _\bn_\ba_\bm_\be, use _\b#_\bu_\bi_\bd. When running commands as
- a _\bu_\bi_\bd, many shells require that the '#' be escaped with a
- backslash ('\'). Note that if the _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw Defaults option
- is set (see _\bs_\bu_\bd_\bo_\be_\br_\bs(4)) it is not possible to run commands
+ -u \e[4muser\e[24m The \e[1m-u \e[22m(\e[4muser\e[24m) option causes \e[1msudo \e[22mto run the specified
+ command as a user other than \e[4mroot\e[24m. To specify a \e[4muid\e[0m
+ instead of a \e[4muser\e[24m \e[4mname\e[24m, use \e[4m#uid\e[24m. When running commands as
+ a \e[4muid\e[24m, many shells require that the '#' be escaped with a
+ backslash ('\'). Note that if the \e[4mtargetpw\e[24m Defaults option
+ is set (see \e[4msudoers\e[24m(4)) it is not possible to run commands
with a uid not listed in the password database.
- -V The -\b-V\bV (_\bv_\be_\br_\bs_\bi_\bo_\bn) option causes s\bsu\bud\bdo\bo to print the version
+ -V The \e[1m-V \e[22m(\e[4mversion\e[24m) option causes \e[1msudo \e[22mto print the version
number and exit. If the invoking user is already root the
- -\b-V\bV option will print out a list of the defaults s\bsu\bud\bdo\bo was
+ \e[1m-V \e[22moption will print out a list of the defaults \e[1msudo \e[22mwas
compiled with as well as the machine's local network
addresses.
- -v If given the -\b-v\bv (_\bv_\ba_\bl_\bi_\bd_\ba_\bt_\be) option, s\bsu\bud\bdo\bo will update the
+ -v If given the \e[1m-v \e[22m(\e[4mvalidate\e[24m) option, \e[1msudo \e[22mwill update the
user's time stamp, prompting for the user's password if
- necessary. This extends the s\bsu\bud\bdo\bo timeout for another 5
- minutes (or whatever the timeout is set to in _\bs_\bu_\bd_\bo_\be_\br_\bs) but
+ necessary. This extends the \e[1msudo \e[22mtimeout for another 5
+ minutes (or whatever the timeout is set to in \e[4msudoers\e[24m) but
does not run a command.
- -- The -\b--\b- option indicates that s\bsu\bud\bdo\bo should stop processing
+ -- The \e[1m-- \e[22moption indicates that \e[1msudo \e[22mshould stop processing
command line arguments.
Environment variables to be set for the command may also be passed on
- the command line in the form of V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be, e.g.
- L\bLD\bD_\b_L\bLI\bIB\bBR\bRA\bAR\bRY\bY_\b_P\bPA\bAT\bTH\bH=_\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bp_\bk_\bg_\b/_\bl_\bi_\bb. Variables passed on the command
+ the command line in the form of \e[1mVAR\e[22m=\e[4mvalue\e[24m, e.g.
+ \e[1mLD_LIBRARY_PATH\e[22m=\e[4m/usr/local/pkg/lib\e[24m. Variables passed on the command
line are subject to the same restrictions as normal environment
- variables with one important exception. If the _\bs_\be_\bt_\be_\bn_\bv option is set in
- _\bs_\bu_\bd_\bo_\be_\br_\bs, the command to be run has the SETENV tag set or the command
+ variables with one important exception. If the \e[4msetenv\e[24m option is set in
+ \e[4msudoers\e[24m, the command to be run has the SETENV tag set or the command
matched is ALL, the user may set variables that would overwise be
- forbidden. See _\bs_\bu_\bd_\bo_\be_\br_\bs(4) for more information.
+ forbidden. See \e[4msudoers\e[24m(4) for more information.
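Review bot: the unchanged context line "the user may set variables that would overwise be forbidden" still carries the typo "overwise" (for "otherwise"); since this file is generated, fix it in the POD source so the next regeneration picks it up rather than patching the formatted output.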
-R\bRE\bET\bTU\bUR\bRN\bN V\bVA\bAL\bLU\bUE\bES\bS
- Upon successful execution of a program, the exit status from s\bsu\bud\bdo\bo will
+\e[1mRETURN VALUES\e[0m
+ Upon successful execution of a program, the exit status from \e[1msudo \e[22mwill
simply be the exit status of the program that was executed.
- Otherwise, s\bsu\bud\bdo\bo quits with an exit value of 1 if there is a
- configuration/permission problem or if s\bsu\bud\bdo\bo cannot execute the given
+ Otherwise, \e[1msudo \e[22mquits with an exit value of 1 if there is a
+ configuration/permission problem or if \e[1msudo \e[22mcannot execute the given
command. In the latter case the error string is printed to stderr. If
- s\bsu\bud\bdo\bo cannot _\bs_\bt_\ba_\bt(2) one or more entries in the user's PATH an error is
+ \e[1msudo \e[22mcannot \e[4mstat\e[24m(2) one or more entries in the user's PATH an error is
printed on stderr. (If the directory does not exist or if it is not
really a directory, the entry is ignored and no error is printed.)
This should not happen under normal circumstances. The most common
- reason for _\bs_\bt_\ba_\bt(2) to return "permission denied" is if you are running
+ reason for \e[4mstat\e[24m(2) to return "permission denied" is if you are running
an automounter and one of the directories in your PATH is on a machine
that is currently unreachable.
-S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
- s\bsu\bud\bdo\bo tries to be safe when executing external commands.
+\e[1mSECURITY NOTES\e[0m
+ \e[1msudo \e[22mtries to be safe when executing external commands.
There are two distinct ways to deal with environment variables. By
- default, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt _\bs_\bu_\bd_\bo_\be_\br_\bs option is enabled. This causes commands
+ default, the \e[4menv_reset\e[24m \e[4msudoers\e[24m option is enabled. This causes commands
to be executed with a minimal environment containing TERM, PATH, HOME,
SHELL, LOGNAME, USER and USERNAME in addition to variables from the
-
-
-
-1.7.6 April 9, 2011 6
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
- invoking process permitted by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bk_\be_\be_\bp _\bs_\bu_\bd_\bo_\be_\br_\bs
+ invoking process permitted by the \e[4menv_check\e[24m and \e[4menv_keep\e[24m \e[4msudoers\e[0m
options. There is effectively a whitelist for environment variables.
- If, however, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is disabled in _\bs_\bu_\bd_\bo_\be_\br_\bs, any variables
- not explicitly denied by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be options are
- inherited from the invoking process. In this case, _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and
- _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be behave like a blacklist. Since it is not possible to
+ If, however, the \e[4menv_reset\e[24m option is disabled in \e[4msudoers\e[24m, any variables
+ not explicitly denied by the \e[4menv_check\e[24m and \e[4menv_delete\e[24m options are
+ inherited from the invoking process. In this case, \e[4menv_check\e[24m and
+ \e[4menv_delete\e[24m behave like a blacklist. Since it is not possible to
blacklist all potentially dangerous environment variables, use of the
- default _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt behavior is encouraged.
+ default \e[4menv_reset\e[24m behavior is encouraged.
In all cases, environment variables with a value beginning with () are
- removed as they could be interpreted as b\bba\bas\bsh\bh functions. The list of
- environment variables that s\bsu\bud\bdo\bo allows or denies is contained in the
+ removed as they could be interpreted as \e[1mbash \e[22mfunctions. The list of
+ environment variables that \e[1msudo \e[22mallows or denies is contained in the
output of sudo -V when run as root.
Note that the dynamic linker on most operating systems will remove
variables that can control dynamic linking from the environment of
- setuid executables, including s\bsu\bud\bdo\bo. Depending on the operating system
+ setuid executables, including \e[1msudo\e[22m. Depending on the operating system
this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and
others. These type of variables are removed from the environment
- before s\bsu\bud\bdo\bo even begins execution and, as such, it is not possible for
- s\bsu\bud\bdo\bo to preserve them.
+ before \e[1msudo \e[22meven begins execution and, as such, it is not possible for
+ \e[1msudo \e[22mto preserve them.
- To prevent command spoofing, s\bsu\bud\bdo\bo checks "." and "" (both denoting
+ To prevent command spoofing, \e[1msudo \e[22mchecks "." and "" (both denoting
current directory) last when searching for a command in the user's PATH
(if one or both are in the PATH). Note, however, that the actual PATH
- environment variable is _\bn_\bo_\bt modified and is passed unchanged to the
- program that s\bsu\bud\bdo\bo executes.
+ environment variable is \e[4mnot\e[24m modified and is passed unchanged to the
+ program that \e[1msudo \e[22mexecutes.
- s\bsu\bud\bdo\bo will check the ownership of its time stamp directory
- (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo by default) and ignore the directory's contents if it is
+ \e[1msudo \e[22mwill check the ownership of its time stamp directory
+ (\e[4m/var/adm/sudo\e[24m by default) and ignore the directory's contents if it is
not owned by root or if it is writable by a user other than root. On
- systems that allow non-root users to give away files via _\bc_\bh_\bo_\bw_\bn(2), if
+ systems that allow non-root users to give away files via \e[4mchown\e[24m(2), if
the time stamp directory is located in a directory writable by anyone
- (e.g., _\b/_\bt_\bm_\bp), it is possible for a user to create the time stamp
- directory before s\bsu\bud\bdo\bo is run. However, because s\bsu\bud\bdo\bo checks the
+ (e.g., \e[4m/tmp\e[24m), it is possible for a user to create the time stamp
+ directory before \e[1msudo \e[22mis run. However, because \e[1msudo \e[22mchecks the
ownership and mode of the directory and its contents, the only damage
that can be done is to "hide" files by putting them in the time stamp
dir. This is unlikely to happen since once the time stamp dir is owned
by root and inaccessible by any other user, the user placing files
there would be unable to get them back out. To get around this issue
you can use a directory that is not world-writable for the time stamps
- (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo for instance) or create _\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo with the
+ (\e[4m/var/adm/sudo\e[24m for instance) or create \e[4m/var/adm/sudo\e[24m with the
appropriate owner (root) and permissions (0700) in the system startup
files.
- s\bsu\bud\bdo\bo will not honor time stamps set far in the future. Timestamps with
+ \e[1msudo \e[22mwill not honor time stamps set far in the future. Timestamps with
a date greater than current_time + 2 * TIMEOUT will be ignored and sudo
will log and complain. This is done to keep a user from creating
his/her own time stamp with a bogus date on systems that allow users to
give away files.
- On systems where the boot time is available, s\bsu\bud\bdo\bo will also not honor
+ On systems where the boot time is available, \e[1msudo \e[22mwill also not honor
time stamps from before the machine booted.
-
-
-1.7.6 April 9, 2011 7
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
Since time stamp files live in the file system, they can outlive a
user's login session. As a result, a user may be able to login, run a
- command with s\bsu\bud\bdo\bo after authenticating, logout, login again, and run
- s\bsu\bud\bdo\bo without authenticating so long as the time stamp file's
+ command with \e[1msudo \e[22mafter authenticating, logout, login again, and run
+ \e[1msudo \e[22mwithout authenticating so long as the time stamp file's
modification time is within 5 minutes (or whatever the timeout is set
- to in _\bs_\bu_\bd_\bo_\be_\br_\bs). When the _\bt_\bt_\by_\b__\bt_\bi_\bc_\bk_\be_\bt_\bs option is enabled in _\bs_\bu_\bd_\bo_\be_\br_\bs, the
+ to in \e[4msudoers\e[24m). When the \e[4mtty_tickets\e[24m option is enabled in \e[4msudoers\e[24m, the
time stamp has per-tty granularity but still may outlive the user's
session. On Linux systems where the devpts filesystem is used, Solaris
systems with the devices filesystem, as well as other systems that
utilize a devfs filesystem that monotonically increase the inode number
- of devices as they are created (such as Mac OS X), s\bsu\bud\bdo\bo is able to
+ of devices as they are created (such as Mac OS X), \e[1msudo \e[22mis able to
determine when a tty-based time stamp file is stale and will ignore it.
Administrators should not rely on this feature as it is not universally
available.
- Please note that s\bsu\bud\bdo\bo will normally only log the command it explicitly
+ Please note that \e[1msudo \e[22mwill normally only log the command it explicitly
runs. If a user runs a command such as sudo su or sudo sh, subsequent
- commands run from that shell will _\bn_\bo_\bt be logged, nor will s\bsu\bud\bdo\bo's access
+ commands run from that shell will \e[4mnot\e[24m be logged, nor will \e[1msudo\e[22m's access
control affect them. The same is true for commands that offer shell
escapes (including most editors). Because of this, care must be taken
- when giving users access to commands via s\bsu\bud\bdo\bo to verify that the
+ when giving users access to commands via \e[1msudo \e[22mto verify that the
command does not inadvertently give the user an effective root shell.
For more information, please see the PREVENTING SHELL ESCAPES section
- in _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
+ in \e[4msudoers\e[24m(4).
-E\bEN\bNV\bVI\bIR\bRO\bON\bNM\bME\bEN\bNT\bT
- s\bsu\bud\bdo\bo utilizes the following environment variables:
+\e[1mENVIRONMENT\e[0m
+ \e[1msudo \e[22mutilizes the following environment variables:
- EDITOR Default editor to use in -\b-e\be (sudoedit) mode if neither
+ EDITOR Default editor to use in \e[1m-e \e[22m(sudoedit) mode if neither
SUDO_EDITOR nor VISUAL is set
- MAIL In -\b-i\bi mode or when _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt is enabled in _\bs_\bu_\bd_\bo_\be_\br_\bs, set
+ MAIL In \e[1m-i \e[22mmode or when \e[4menv_reset\e[24m is enabled in \e[4msudoers\e[24m, set
to the mail spool of the target user
- HOME Set to the home directory of the target user if -\b-i\bi or
- -\b-H\bH are specified, _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt or _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be are set
- in _\bs_\bu_\bd_\bo_\be_\br_\bs, or when the -\b-s\bs option is specified and
- _\bs_\be_\bt_\b__\bh_\bo_\bm_\be is set in _\bs_\bu_\bd_\bo_\be_\br_\bs
+ HOME Set to the home directory of the target user if \e[1m-i \e[22mor
+ \e[1m-H \e[22mare specified, \e[4menv_reset\e[24m or \e[4malways_set_home\e[24m are set
+ in \e[4msudoers\e[24m, or when the \e[1m-s \e[22moption is specified and
+ \e[4mset_home\e[24m is set in \e[4msudoers\e[0m
- PATH Set to a sane value if the _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh sudoers option
+ PATH Set to a sane value if the \e[4msecure_path\e[24m sudoers option
is set.
SHELL Used to determine shell to run with -s option
SUDO_COMMAND Set to the command run by sudo
- SUDO_EDITOR Default editor to use in -\b-e\be (sudoedit) mode
+ SUDO_EDITOR Default editor to use in \e[1m-e \e[22m(sudoedit) mode
SUDO_GID Set to the group ID of the user who invoked sudo
-
-
-
-1.7.6 April 9, 2011 8
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
SUDO_PROMPT Used as the default password prompt
SUDO_PS1 If set, PS1 will be set to its value for the program
SUDO_USER Set to the login of the user who invoked sudo
- USER Set to the target user (root unless the -\b-u\bu option is
+ USER Set to the target user (root unless the \e[1m-u \e[22moption is
specified)
- VISUAL Default editor to use in -\b-e\be (sudoedit) mode if
+ VISUAL Default editor to use in \e[1m-e \e[22m(sudoedit) mode if
SUDO_EDITOR is not set
-F\bFI\bIL\bLE\bES\bS
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
+\e[1mFILES\e[0m
+ \e[4m/etc/sudoers\e[24m List of who can run what
- _\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo Directory containing time stamps
+ \e[4m/var/adm/sudo\e[24m Directory containing time stamps
- _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt Initial environment for -\b-i\bi mode on Linux and
+ \e[4m/etc/environment\e[24m Initial environment for \e[1m-i \e[22mmode on Linux and
AIX
-E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
- Note: the following examples assume suitable _\bs_\bu_\bd_\bo_\be_\br_\bs(4) entries.
+\e[1mEXAMPLES\e[0m
+ Note: the following examples assume suitable \e[4msudoers\e[24m(4) entries.
To get a file listing of an unreadable directory:
$ sudo -u yaz ls ~yaz
- To edit the _\bi_\bn_\bd_\be_\bx_\b._\bh_\bt_\bm_\bl file as user www:
+ To edit the \e[4mindex.html\e[24m file as user www:
$ sudo -u www vi ~www/htdocs/index.html
Note that this runs the commands in a sub-shell to make the cd and file
redirection work.
-
-
-1.7.6 April 9, 2011 9
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
$ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
-S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\bg_\br_\be_\bp(1), _\bs_\bu(1), _\bs_\bt_\ba_\bt(2), _\bl_\bo_\bg_\bi_\bn_\b__\bc_\ba_\bp(3), _\bp_\ba_\bs_\bs_\bw_\bd(4), _\bs_\bu_\bd_\bo_\be_\br_\bs(5),
- _\bv_\bi_\bs_\bu_\bd_\bo(1m)
+\e[1mSEE ALSO\e[0m
+ \e[4mgrep\e[24m(1), \e[4msu\e[24m(1), \e[4mstat\e[24m(2), \e[4mlogin_cap\e[24m(3), \e[4mpasswd\e[24m(4), \e[4msudoers\e[24m(5),
+ \e[4mvisudo\e[24m(1m)
-A\bAU\bUT\bTH\bHO\bOR\bRS\bS
- Many people have worked on s\bsu\bud\bdo\bo over the years; this version consists
+\e[1mAUTHORS\e[0m
+ Many people have worked on \e[1msudo \e[22mover the years; this version consists
of code written primarily by:
Todd C. Miller
- See the HISTORY file in the s\bsu\bud\bdo\bo distribution or visit
- http://www.sudo.ws/sudo/history.html for a short history of s\bsu\bud\bdo\bo.
+ See the HISTORY file in the \e[1msudo \e[22mdistribution or visit
+ http://www.sudo.ws/sudo/history.html for a short history of \e[1msudo\e[22m.
-C\bCA\bAV\bVE\bEA\bAT\bTS\bS
+\e[1mCAVEATS\e[0m
There is no easy way to prevent a user from gaining a root shell if
- that user is allowed to run arbitrary commands via s\bsu\bud\bdo\bo. Also, many
+ that user is allowed to run arbitrary commands via \e[1msudo\e[22m. Also, many
programs (such as editors) allow the user to run commands via shell
- escapes, thus avoiding s\bsu\bud\bdo\bo's checks. However, on most systems it is
- possible to prevent shell escapes with s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality.
- See the _\bs_\bu_\bd_\bo_\be_\br_\bs(4) manual for details.
+ escapes, thus avoiding \e[1msudo\e[22m's checks. However, on most systems it is
+ possible to prevent shell escapes with \e[1msudo\e[22m's \e[4mnoexec\e[24m functionality.
+ See the \e[4msudoers\e[24m(4) manual for details.
It is not meaningful to run the cd command directly via sudo, e.g.,
their own program that gives them a root shell regardless of any '!'
elements in the user specification.
- Running shell scripts via s\bsu\bud\bdo\bo can expose the same kernel bugs that
+ Running shell scripts via \e[1msudo \e[22mcan expose the same kernel bugs that
make setuid shell scripts unsafe on some operating systems (if your OS
has a /dev/fd/ directory, setuid shell scripts are generally safe).
-B\bBU\bUG\bGS\bS
- If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
+\e[1mBUGS\e[0m
+ If you feel you have found a bug in \e[1msudo\e[22m, please submit a bug report at
http://www.sudo.ws/sudo/bugs/
-S\bSU\bUP\bPP\bPO\bOR\bRT\bT
+\e[1mSUPPORT\e[0m
Limited free support is available via the sudo-users mailing list, see
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
the archives.
-D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
+\e[1mDISCLAIMER\e[0m
+ \e[1msudo \e[22mis provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose are disclaimed.
- See the LICENSE file distributed with s\bsu\bud\bdo\bo or
+ See the LICENSE file distributed with \e[1msudo \e[22mor
http://www.sudo.ws/sudo/license.html for complete details.
-
-1.7.6 April 9, 2011 10
-
-
+1.7.7 August 13, 2011 SUDO(1m)
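Review bot: with the per-page footers (`1.7.6 April 9, 2011 6` and so on) and the repeated `SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)` headers removed, the version and date now appear only in the single trailing line `1.7.7 August 13, 2011 SUDO(1m)`; that is consistent with unpaginated output, but the same date and version also live in the `.TH` line of the nroff source further down in this diff, so both must be bumped together on every release.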
.\" ========================================================================
.\"
.IX Title "SUDO @mansectsu@"
-.TH SUDO @mansectsu@ "April 9, 2011" "1.7.6" "MAINTENANCE COMMANDS"
+.TH SUDO @mansectsu@ "August 13, 2011" "1.7.7" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
-N\bNA\bAM\bME\bE
+\e[1mNAME\e[0m
sudoers - list of which users may execute what
-D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- The _\bs_\bu_\bd_\bo_\be_\br_\bs file is composed of two types of entries: aliases
+\e[1mDESCRIPTION\e[0m
+ The \e[4msudoers\e[24m file is composed of two types of entries: aliases
(basically variables) and user specifications (which specify who may
run what).
Where there are multiple matches, the last match is used (which is not
necessarily the most specific match).
- The _\bs_\bu_\bd_\bo_\be_\br_\bs grammar will be described below in Extended Backus-Naur
+ The \e[4msudoers\e[24m grammar will be described below in Extended Backus-Naur
Form (EBNF). Don't despair if you don't know what EBNF is; it is
fairly simple, and the definitions below are annotated.
- Q\bQu\bui\bic\bck\bk g\bgu\bui\bid\bde\be t\bto\bo E\bEB\bBN\bNF\bF
+ \e[1mQuick guide to EBNF\e[0m
EBNF is a concise and exact way of describing the grammar of a
- language. Each EBNF definition is made up of _\bp_\br_\bo_\bd_\bu_\bc_\bt_\bi_\bo_\bn _\br_\bu_\bl_\be_\bs. E.g.,
+ language. Each EBNF definition is made up of \e[4mproduction\e[24m \e[4mrules\e[24m. E.g.,
symbol ::= definition | alternate1 | alternate2 ...
- Each _\bp_\br_\bo_\bd_\bu_\bc_\bt_\bi_\bo_\bn _\br_\bu_\bl_\be references others and thus makes up a grammar for
+ Each \e[4mproduction\e[24m \e[4mrule\e[24m references others and thus makes up a grammar for
the language. EBNF also contains the following operators, which many
readers will recognize from regular expressions. Do not, however,
confuse them with "wildcard" characters, which have different meanings.
will use single quotes ('') to designate what is a verbatim character
string (as opposed to a symbol name).
- A\bAl\bli\bia\bas\bse\bes\bs
+ \e[1mAliases\e[0m
There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias
and Cmnd_Alias.
Host_Alias ::= NAME '=' Host_List
-
-
-1.7.6 April 9, 2011 1
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
-
Cmnd_Alias ::= NAME '=' Cmnd_List
NAME ::= [A-Z]([A-Z][0-9]_)*
- Each _\ba_\bl_\bi_\ba_\bs definition is of the form
+ Each \e[4malias\e[24m definition is of the form
Alias_Type NAME = item1, item2, ...
- where _\bA_\bl_\bi_\ba_\bs_\b__\bT_\by_\bp_\be is one of User_Alias, Runas_Alias, Host_Alias, or
+ where \e[4mAlias_Type\e[24m is one of User_Alias, Runas_Alias, Host_Alias, or
Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and
- underscore characters ('_'). A NAME m\bmu\bus\bst\bt start with an uppercase
+ underscore characters ('_'). A NAME \e[1mmust \e[22mstart with an uppercase
letter. It is possible to put several alias definitions of the same
type on a single line, joined by a colon (':'). E.g.,
Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
- The definitions of what constitutes a valid _\ba_\bl_\bi_\ba_\bs member follow.
+ The definitions of what constitutes a valid \e[4malias\e[24m member follow.
User_List ::= User |
User ',' User_List
+\bo Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"
-
-
-1.7.6 April 9, 2011 2
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
Note that quotes around group names are optional. Unquoted strings
must use a backslash (\) to escape spaces and special characters. See
"Other special characters and reserved words" for a list of characters
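Review bot: the `+\bo Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"` line still uses a backspace-overstrike bullet (`+\bo`) while the surrounding additions use SGR sequences (`\e[1m`, `\e[4m`); if this is an added line rather than context, check that the bullet renders the same way as the rest of the new output, since a mixed overstrike/SGR file defeats both stripping methods.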
A Host_List is made up of one or more host names, IP addresses, network
numbers, netgroups (prefixed with '+') and other aliases. Again, the
value of an item may be negated with the '!' operator. If you do not
- specify a netmask along with the network number, s\bsu\bud\bdo\bo will query each
+ specify a netmask along with the network number, \e[1msudo \e[22mwill query each
of the local host's network interfaces and, if the network number
corresponds to one of the hosts's network interfaces, the corresponding
netmask will be used. The netmask may be specified either in standard
CIDR notation (number of bits, e.g. 24 or 64). A host name may include
shell-style wildcards (see the Wildcards section below), but unless the
host name command on your machine returns the fully qualified host
- name, you'll need to use the _\bf_\bq_\bd_\bn option for wildcards to be useful.
- Note s\bsu\bud\bdo\bo only inspects actual network interfaces; this means that IP
+ name, you'll need to use the \e[4mfqdn\e[24m option for wildcards to be useful.
+ Note \e[1msudo \e[22monly inspects actual network interfaces; this means that IP
address 127.0.0.1 (localhost) will never match. Also, the host name
"localhost" will only match if that is the actual host name, which is
usually only the case for non-networked systems.
Cmnd ',' Cmnd_List
commandname ::= file name |
-
-
-
-1.7.6 April 9, 2011 3
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
file name args |
file name '""'
simple file name allows the user to run the command with any arguments
he/she wishes. However, you may also specify command line arguments
(including wildcards). Alternately, you can specify "" to indicate
- that the command may only be run w\bwi\bit\bth\bho\bou\but\bt command line arguments. A
+ that the command may only be run \e[1mwithout \e[22mcommand line arguments. A
directory is a fully qualified path name ending in a '/'. When you
specify a directory in a Cmnd_List, the user will be able to run any
file within that directory (but not in any subdirectories therein).
(or match the wildcards if there are any). Note that the following
characters must be escaped with a '\' if they are used in command
arguments: ',', ':', '=', '\'. The special command "sudoedit" is used
- to permit a user to run s\bsu\bud\bdo\bo with the -\b-e\be option (or as s\bsu\bud\bdo\boe\bed\bdi\bit\bt). It
+ to permit a user to run \e[1msudo \e[22mwith the \e[1m-e \e[22moption (or as \e[1msudoedit\e[22m). It
may take command line arguments just as a normal command does.
- D\bDe\bef\bfa\bau\bul\blt\bts\bs
+ \e[1mDefaults\e[0m
Certain configuration options may be changed from their default values
at runtime via one or more Default_Entry lines. These may affect all
users on any host, all users on a specific host, a specific user, a
Parameter '-=' Value |
'!'* Parameter
- Parameters may be f\bfl\bla\bag\bgs\bs, i\bin\bnt\bte\beg\bge\ber\br values, s\bst\btr\bri\bin\bng\bgs\bs, or l\bli\bis\bst\bts\bs. Flags are
+ Parameters may be \e[1mflags\e[22m, \e[1minteger \e[22mvalues, \e[1mstrings\e[22m, or \e[1mlists\e[22m. Flags are
implicitly boolean and can be turned off via the '!' operator. Some
-
-
-
-1.7.6 April 9, 2011 4
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
integer, string and list parameters may also be used in a boolean
context to disable them. Values may be enclosed in double quotes (")
when they contain multiple words. Special characters may be escaped
See "SUDOERS OPTIONS" for a list of supported Defaults parameters.
- U\bUs\bse\ber\br S\bSp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn
+ \e[1mUser Specification\e[0m
User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
(':' Host_List '=' Cmnd_Spec_List)*
'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
- A u\bus\bse\ber\br s\bsp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn determines which commands a user may run (and as
- what user) on specified hosts. By default, commands are run as r\bro\boo\bot\bt,
+ A \e[1muser specification \e[22mdetermines which commands a user may run (and as
+ what user) on specified hosts. By default, commands are run as \e[1mroot\e[22m,
but this can be changed on a per-command basis.
The basic structure of a user specification is `who where = (as_whom)
what'. Let's break that down into its constituent parts:
- R\bRu\bun\bna\bas\bs_\b_S\bSp\bpe\bec\bc
+ \e[1mRunas_Spec\e[0m
A Runas_Spec determines the user and/or the group that a command may be
run as. A fully-specified Runas_Spec consists of two Runas_Lists (as
defined above) separated by a colon (':') and enclosed in a set of
parentheses. The first Runas_List indicates which users the command
- may be run as via s\bsu\bud\bdo\bo's -\b-u\bu option. The second defines a list of
- groups that can be specified via s\bsu\bud\bdo\bo's -\b-g\bg option. If both Runas_Lists
+ may be run as via \e[1msudo\e[22m's \e[1m-u \e[22moption. The second defines a list of
+ groups that can be specified via \e[1msudo\e[22m's \e[1m-g \e[22moption. If both Runas_Lists
are specified, the command may be run with any combination of users and
groups listed in their respective Runas_Lists. If only the first is
- specified, the command may be run as any user in the list but no -\b-g\bg
+ specified, the command may be run as any user in the list but no \e[1m-g\e[0m
option may be specified. If the first Runas_List is empty but the
second is specified, the command may be run as the invoking user with
the group set to any listed in the Runas_List. If no Runas_Spec is
- specified the command may be run as r\bro\boo\bot\bt and no group may be specified.
-
-
-
-
-1.7.6 April 9, 2011 5
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
+ specified the command may be run as \e[1mroot \e[22mand no group may be specified.
A Runas_Spec sets the default for the commands that follow it. What
this means is that for the entry:
dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
- The user d\bdg\bgb\bb may run _\b/_\bb_\bi_\bn_\b/_\bl_\bs, _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm -- but only
- as o\bop\bpe\ber\bra\bat\bto\bor\br. E.g.,
+ The user \e[1mdgb \e[22mmay run \e[4m/bin/ls\e[24m, \e[4m/bin/kill\e[24m, and \e[4m/usr/bin/lprm\e[24m -- but only
+ as \e[1moperator\e[22m. E.g.,
$ sudo -u operator /bin/ls
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
- Then user d\bdg\bgb\bb is now allowed to run _\b/_\bb_\bi_\bn_\b/_\bl_\bs as o\bop\bpe\ber\bra\bat\bto\bor\br, but _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl
- and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as r\bro\boo\bot\bt.
+ Then user \e[1mdgb \e[22mis now allowed to run \e[4m/bin/ls\e[24m as \e[1moperator\e[22m, but \e[4m/bin/kill\e[0m
+ and \e[4m/usr/bin/lprm\e[24m as \e[1mroot\e[22m.
- We can extend this to allow d\bdg\bgb\bb to run /bin/ls with either the user or
- group set to o\bop\bpe\ber\bra\bat\bto\bor\br:
+ We can extend this to allow \e[1mdgb \e[22mto run /bin/ls with either the user or
+ group set to \e[1moperator\e[22m:
dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \
/usr/bin/lprm
$ sudo -u operator -g operator /bin/ls
$ sudo -g operator /bin/ls
- In the following example, user t\btc\bcm\bm may run commands that access a modem
+ In the following example, user \e[1mtcm \e[22mmay run commands that access a modem
device file with the dialer group.
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
/usr/local/bin/minicom
Note that in this example only the group will be set, the command still
- runs as user t\btc\bcm\bm. E.g.
+ runs as user \e[1mtcm\e[22m. E.g.
$ sudo -g dialer /usr/bin/cu
Multiple users and groups may be present in a Runas_Spec, in which case
- the user may select any combination of users and groups via the -\b-u\bu and
- -\b-g\bg options. In this example:
+ the user may select any combination of users and groups via the \e[1m-u \e[22mand
+ \e[1m-g \e[22moptions. In this example:
alan ALL = (root, bin : operator, system) ALL
- user a\bal\bla\ban\bn may run any command as either user root or bin, optionally
+ user \e[1malan \e[22mmay run any command as either user root or bin, optionally
setting the group to operator or system.
-
-
-
-1.7.6 April 9, 2011 6
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- S\bSE\bEL\bLi\bin\bnu\bux\bx_\b_S\bSp\bpe\bec\bc
- On systems with SELinux support, _\bs_\bu_\bd_\bo_\be_\br_\bs entries may optionally have an
+ \e[1mSELinux_Spec\e[0m
+ On systems with SELinux support, \e[4msudoers\e[24m entries may optionally have an
SELinux role and/or type associated with a command. If a role or type
is specified with the command it will override any default values
- specified in _\bs_\bu_\bd_\bo_\be_\br_\bs. A role or type specified on the command line,
- however, will supercede the values in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+ specified in \e[4msudoers\e[24m. A role or type specified on the command line,
+ however, will supercede the values in \e[4msudoers\e[24m.
- T\bTa\bag\bg_\b_S\bSp\bpe\bec\bc
+ \e[1mTag_Spec\e[0m
A command may have zero or more tags associated with it. There are
eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV,
NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a
the tag unless it is overridden by the opposite tag (i.e.: PASSWD
overrides NOPASSWD and NOEXEC overrides EXEC).
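Review bot: the Tag_Spec text says "There are eight possible tag values" but then enumerates ten (NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT), so the count should read "ten". The SELinux_Spec paragraph just above has a spelling slip in the regenerated line "will supercede the values in sudoers" ("supersede"); both corrections belong in the sudoers POD source, not in this formatted output.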
- _\bN_\bO_\bP_\bA_\bS_\bS_\bW_\bD _\ba_\bn_\bd _\bP_\bA_\bS_\bS_\bW_\bD
+ \e[4mNOPASSWD\e[24m \e[4mand\e[24m \e[4mPASSWD\e[0m
- By default, s\bsu\bud\bdo\bo requires that a user authenticate him or herself
+ By default, \e[1msudo \e[22mrequires that a user authenticate him or herself
before running a command. This behavior can be modified via the
NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for
the commands that follow it in the Cmnd_Spec_List. Conversely, the
ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
- would allow the user r\bra\bay\by to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, _\b/_\bb_\bi_\bn_\b/_\bl_\bs, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm
- as r\bro\boo\bot\bt on the machine rushmore without authenticating himself. If we
- only want r\bra\bay\by to be able to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl without a password the entry
+ would allow the user \e[1mray \e[22mto run \e[4m/bin/kill\e[24m, \e[4m/bin/ls\e[24m, and \e[4m/usr/bin/lprm\e[0m
+ as \e[1mroot \e[22mon the machine rushmore without authenticating himself. If we
+ only want \e[1mray \e[22mto be able to run \e[4m/bin/kill\e[24m without a password the entry
would be:
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
Note, however, that the PASSWD tag has no effect on users who are in
- the group specified by the _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option.
+ the group specified by the \e[4mexempt_group\e[24m option.
By default, if the NOPASSWD tag is applied to any of the entries for a
user on the current host, he or she will be able to run sudo -l without
pertain to the current host. This behavior may be overridden via the
verifypw and listpw options.
- _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC
+ \e[4mNOEXEC\e[24m \e[4mand\e[24m \e[4mEXEC\e[0m
- If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the underlying
+ If \e[1msudo \e[22mhas been compiled with \e[4mnoexec\e[24m support and the underlying
operating system supports it, the NOEXEC tag can be used to prevent a
dynamically-linked executable from running further commands itself.
- In the following example, user a\baa\bar\bro\bon\bn may run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and
- _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi but shell escapes will be disabled.
+ In the following example, user \e[1maaron \e[22mmay run \e[4m/usr/bin/more\e[24m and
+ \e[4m/usr/bin/vi\e[24m but shell escapes will be disabled.
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
See the "PREVENTING SHELL ESCAPES" section below for more details on
-
-
-
-1.7.6 April 9, 2011 7
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
how NOEXEC works and whether or not it will work on your system.
- _\bS_\bE_\bT_\bE_\bN_\bV _\ba_\bn_\bd _\bN_\bO_\bS_\bE_\bT_\bE_\bN_\bV
+ \e[4mSETENV\e[24m \e[4mand\e[24m \e[4mNOSETENV\e[0m
- These tags override the value of the _\bs_\be_\bt_\be_\bn_\bv option on a per-command
+ These tags override the value of the \e[4msetenv\e[24m option on a per-command
basis. Note that if SETENV has been set for a command, the user may
- disable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option from the command line via the -\b-E\bE option.
+ disable the \e[4menv_reset\e[24m option from the command line via the \e[1m-E \e[22moption.
Additionally, environment variables set on the command line are not
- subject to the restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or
- _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such, only trusted users should be allowed to set
- variables in this manner. If the command matched is A\bAL\bLL\bL, the SETENV
+ subject to the restrictions imposed by \e[4menv_check\e[24m, \e[4menv_delete\e[24m, or
+ \e[4menv_keep\e[24m. As such, only trusted users should be allowed to set
+ variables in this manner. If the command matched is \e[1mALL\e[22m, the SETENV
tag is implied for that command; this default may be overridden by use
of the NOSETENV tag.
- _\bL_\bO_\bG_\b__\bI_\bN_\bP_\bU_\bT _\ba_\bn_\bd _\bN_\bO_\bL_\bO_\bG_\b__\bI_\bN_\bP_\bU_\bT
+ \e[4mLOG_INPUT\e[24m \e[4mand\e[24m \e[4mNOLOG_INPUT\e[0m
- These tags override the value of the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt option on a per-command
- basis. For more information, see the description of _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt in the
+ These tags override the value of the \e[4mlog_input\e[24m option on a per-command
+ basis. For more information, see the description of \e[4mlog_input\e[24m in the
"SUDOERS OPTIONS" section below.
- _\bL_\bO_\bG_\b__\bO_\bU_\bT_\bP_\bU_\bT _\ba_\bn_\bd _\bN_\bO_\bL_\bO_\bG_\b__\bO_\bU_\bT_\bP_\bU_\bT
+ \e[4mLOG_OUTPUT\e[24m \e[4mand\e[24m \e[4mNOLOG_OUTPUT\e[0m
- These tags override the value of the _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt option on a per-command
- basis. For more information, see the description of _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt in the
+ These tags override the value of the \e[4mlog_output\e[24m option on a per-command
+ basis. For more information, see the description of \e[4mlog_output\e[24m in the
"SUDOERS OPTIONS" section below.
- W\bWi\bil\bld\bdc\bca\bar\brd\bds\bs
- s\bsu\bud\bdo\bo allows shell-style _\bw_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs (aka meta or glob characters) to be
+ \e[1mWildcards\e[0m
+ \e[1msudo \e[22mallows shell-style \e[4mwildcards\e[24m (aka meta or glob characters) to be
used in host names, path names and command line arguments in the
- _\bs_\bu_\bd_\bo_\be_\br_\bs file. Wildcard matching is done via the P\bPO\bOS\bSI\bIX\bX _\bg_\bl_\bo_\bb(3) and
- _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) routines. Note that these are _\bn_\bo_\bt regular expressions.
+ \e[4msudoers\e[24m file. Wildcard matching is done via the \e[1mPOSIX \e[4m\e[22mglob\e[24m(3) and
+ \e[4mfnmatch\e[24m(3) routines. Note that these are \e[4mnot\e[24m regular expressions.
* Matches any set of zero or more characters.
[...] Matches any character in the specified range.
- [!...] Matches any character n\bno\bot\bt in the specified range.
+ [!...] Matches any character \e[1mnot \e[22min the specified range.
\x For any character "x", evaluates to "x". This is used to
escape special characters such as: "*", "?", "[", and "}".
- POSIX character classes may also be used if your system's _\bg_\bl_\bo_\bb(3) and
- _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) functions support them. However, because the ':' character
- has special meaning in _\bs_\bu_\bd_\bo_\be_\br_\bs, it must be escaped. For example:
+ POSIX character classes may also be used if your system's \e[4mglob\e[24m(3) and
+ \e[4mfnmatch\e[24m(3) functions support them. However, because the ':' character
+ has special meaning in \e[4msudoers\e[24m, it must be escaped. For example:
/bin/ls [[\:alpha\:]]*
Would match any file name beginning with a letter.
- Note that a forward slash ('/') will n\bno\bot\bt be matched by wildcards used
+ Note that a forward slash ('/') will \e[1mnot \e[22mbe matched by wildcards used
in the path name. When matching the command line arguments, however, a
- slash d\bdo\boe\bes\bs get matched by wildcards. This is to make a path like:
-
-
-
-1.7.6 April 9, 2011 8
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
+ slash \e[1mdoes \e[22mget matched by wildcards. This is to make a path like:
/usr/bin/*
- match _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bw_\bh_\bo but not _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bX_\b1_\b1_\b/_\bx_\bt_\be_\br_\bm.
+ match \e[4m/usr/bin/who\e[24m but not \e[4m/usr/bin/X11/xterm\e[24m.
- E\bEx\bxc\bce\bep\bpt\bti\bio\bon\bns\bs t\bto\bo w\bwi\bil\bld\bdc\bca\bar\brd\bd r\bru\bul\ble\bes\bs
+ \e[1mExceptions to wildcard rules\e[0m
The following exceptions apply to the above rules:
"" If the empty string "" is the only command line argument in the
- _\bs_\bu_\bd_\bo_\be_\br_\bs entry it means that command is not allowed to be run
- with a\ban\bny\by arguments.
+ \e[4msudoers\e[24m entry it means that command is not allowed to be run
+ with \e[1many \e[22marguments.
- I\bIn\bnc\bcl\blu\bud\bdi\bin\bng\bg o\bot\bth\bhe\ber\br f\bfi\bil\ble\bes\bs f\bfr\bro\bom\bm w\bwi\bit\bth\bhi\bin\bn s\bsu\bud\bdo\boe\ber\brs\bs
- It is possible to include other _\bs_\bu_\bd_\bo_\be_\br_\bs files from within the _\bs_\bu_\bd_\bo_\be_\br_\bs
+ \e[1mIncluding other files from within sudoers\e[0m
+ It is possible to include other \e[4msudoers\e[24m files from within the \e[4msudoers\e[0m
file currently being parsed using the #include and #includedir
directives.
- This can be used, for example, to keep a site-wide _\bs_\bu_\bd_\bo_\be_\br_\bs file in
+ This can be used, for example, to keep a site-wide \e[4msudoers\e[24m file in
addition to a local, per-machine file. For the sake of this example
- the site-wide _\bs_\bu_\bd_\bo_\be_\br_\bs will be _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs and the per-machine one will
- be _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. To include _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl from within
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs we would use the following line in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs:
+ the site-wide \e[4msudoers\e[24m will be \e[4m/etc/sudoers\e[24m and the per-machine one will
+ be \e[4m/etc/sudoers.local\e[24m. To include \e[4m/etc/sudoers.local\e[24m from within
+ \e[4m/etc/sudoers\e[24m we would use the following line in \e[4m/etc/sudoers\e[24m:
#include /etc/sudoers.local
- When s\bsu\bud\bdo\bo reaches this line it will suspend processing of the current
- file (_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs) and switch to _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. Upon reaching
- the end of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl, the rest of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs will be
+ When \e[1msudo \e[22mreaches this line it will suspend processing of the current
+ file (\e[4m/etc/sudoers\e[24m) and switch to \e[4m/etc/sudoers.local\e[24m. Upon reaching
+ the end of \e[4m/etc/sudoers.local\e[24m, the rest of \e[4m/etc/sudoers\e[24m will be
processed. Files that are included may themselves include other files.
A hard limit of 128 nested include files is enforced to prevent include
file loops.
#include /etc/sudoers.%h
- will cause s\bsu\bud\bdo\bo to include the file _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bx_\be_\br_\bx_\be_\bs.
+ will cause \e[1msudo \e[22mto include the file \e[4m/etc/sudoers.xerxes\e[24m.
- The #includedir directive can be used to create a _\bs_\bu_\bd_\bo_\b._\bd directory that
- the system package manager can drop _\bs_\bu_\bd_\bo_\be_\br_\bs rules into as part of
+ The #includedir directive can be used to create a \e[4msudo.d\e[24m directory that
+ the system package manager can drop \e[4msudoers\e[24m rules into as part of
package installation. For example, given:
#includedir /etc/sudoers.d
- s\bsu\bud\bdo\bo will read each file in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd, skipping file names that
+ \e[1msudo \e[22mwill read each file in \e[4m/etc/sudoers.d\e[24m, skipping file names that
end in ~ or contain a . character to avoid causing problems with
package manager or editor temporary/backup files. Files are parsed in
- sorted lexical order. That is, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b0_\b1_\b__\bf_\bi_\br_\bs_\bt will be parsed
- before _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Be aware that because the sorting is
- lexical, not numeric, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b__\bw_\bh_\bo_\bo_\bp_\bs would be loaded a\baf\bft\bte\ber\br
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Using a consistent number of leading zeroes
+ sorted lexical order. That is, \e[4m/etc/sudoers.d/01_first\e[24m will be parsed
+ before \e[4m/etc/sudoers.d/10_second\e[24m. Be aware that because the sorting is
+ lexical, not numeric, \e[4m/etc/sudoers.d/1_whoops\e[24m would be loaded \e[1mafter\e[0m
+ \e[4m/etc/sudoers.d/10_second\e[24m. Using a consistent number of leading zeroes
in the file names can be used to avoid such problems.
- Note that unlike files included via #include, v\bvi\bis\bsu\bud\bdo\bo will not edit the
-
-
-
-1.7.6 April 9, 2011 9
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
+ Note that unlike files included via #include, \e[1mvisudo \e[22mwill not edit the
files in a #includedir directory unless one of them contains a syntax
- error. It is still possible to run v\bvi\bis\bsu\bud\bdo\bo with the -f flag to edit the
+ error. It is still possible to run \e[1mvisudo \e[22mwith the -f flag to edit the
files directly.
- O\bOt\bth\bhe\ber\br s\bsp\bpe\bec\bci\bia\bal\bl c\bch\bha\bar\bra\bac\bct\bte\ber\brs\bs a\ban\bnd\bd r\bre\bes\bse\ber\brv\bve\bed\bd w\bwo\bor\brd\bds\bs
+ \e[1mOther special characters and reserved words\e[0m
The pound sign ('#') is used to indicate a comment (unless it is part
of a #include directive or unless it occurs in the context of a user
name and is followed by one or more digits, in which case it is treated
as a uid). Both the comment character and any text after it, up to the
end of the line, are ignored.
- The reserved word A\bAL\bLL\bL is a built-in _\ba_\bl_\bi_\ba_\bs that always causes a match to
+ The reserved word \e[1mALL \e[22mis a built-in \e[4malias\e[24m that always causes a match to
succeed. It can be used wherever one might otherwise use a Cmnd_Alias,
User_Alias, Runas_Alias, or Host_Alias. You should not try to define
- your own _\ba_\bl_\bi_\ba_\bs called A\bAL\bLL\bL as the built-in alias will be used in
- preference to your own. Please note that using A\bAL\bLL\bL can be dangerous
- since in a command context, it allows the user to run a\ban\bny\by command on
+ your own \e[4malias\e[24m called \e[1mALL \e[22mas the built-in alias will be used in
+ preference to your own. Please note that using \e[1mALL \e[22mcan be dangerous
+ since in a command context, it allows the user to run \e[1many \e[22mcommand on
the system.
- An exclamation point ('!') can be used as a logical _\bn_\bo_\bt operator both
- in an _\ba_\bl_\bi_\ba_\bs and in front of a Cmnd. This allows one to exclude certain
+ An exclamation point ('!') can be used as a logical \e[4mnot\e[24m operator both
+ in an \e[4malias\e[24m and in front of a Cmnd. This allows one to exclude certain
values. Note, however, that using a ! in conjunction with the built-in
ALL alias to allow a user to run "all but a few" commands rarely works
as intended (see SECURITY NOTES below).
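Review bot: the #includedir paragraph in the `+` lines still says the directive "can be used to create a sudo.d directory" while the example that follows uses `#includedir /etc/sudoers.d`; the prose should name the same directory as the example (sudoers.d) so readers do not create a directory sudo never reads. Separately, the removed `-1.7.6 April 9, 2011 N` footer and `-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)` header lines were the only place this part of the page carried the version and date stamp; dropping the per-page headers is fine for an unpaginated catalog file, but please confirm the regenerated page still carries the version and date once at its end.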
character on the line.
Whitespace between elements in a list as well as special syntactic
- characters in a _\bU_\bs_\be_\br _\bS_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn ('=', ':', '(', ')') is optional.
+ characters in a \e[4mUser\e[24m \e[4mSpecification\e[24m ('=', ':', '(', ')') is optional.
The following characters must be escaped with a backslash ('\') when
used as part of a word (e.g. a user name or host name): '!', '=', ':',
',', '(', ')', '\'.
-S\bSU\bUD\bDO\bOE\bER\bRS\bS O\bOP\bPT\bTI\bIO\bON\bNS\bS
- s\bsu\bud\bdo\bo's behavior can be modified by Default_Entry lines, as explained
+\e[1mSUDOERS OPTIONS\e[0m
+ \e[1msudo\e[22m's behavior can be modified by Default_Entry lines, as explained
earlier. A list of all supported Defaults parameters, grouped by type,
are listed below.
- B\bBo\boo\bol\ble\bea\ban\bn F\bFl\bla\bag\bgs\bs:
+ \e[1mBoolean Flags\e[22m:
- always_set_home If enabled, s\bsu\bud\bdo\bo will set the HOME environment variable
+ always_set_home If enabled, \e[1msudo \e[22mwill set the HOME environment variable
to the home directory of the target user (which is root
- unless the -\b-u\bu option is used). This effectively means
- that the -\b-H\bH option is always implied. Note that HOME
- is already set when the the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is
- enabled, so _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be is only effective for
- configurations where either _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt is disabled or
- HOME is present in the _\be_\bn_\bv_\b__\bk_\be_\be_\bp list. This flag is _\bo_\bf_\bf
+ unless the \e[1m-u \e[22moption is used). This effectively means
+ that the \e[1m-H \e[22moption is always implied. Note that HOME
+ is already set when the the \e[4menv_reset\e[24m option is
+ enabled, so \e[4malways_set_home\e[24m is only effective for
+ configurations where either \e[4menv_reset\e[24m is disabled or
+ HOME is present in the \e[4menv_keep\e[24m list. This flag is \e[4moff\e[0m
by default.
authenticate If set, users must authenticate themselves via a
password (or other means of authentication) before they
-
-
-
-1.7.6 April 9, 2011 10
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
may run commands. This default may be overridden via
- the PASSWD and NOPASSWD tags. This flag is _\bo_\bn by
+ the PASSWD and NOPASSWD tags. This flag is \e[4mon\e[24m by
default.
closefrom_override
- If set, the user may use s\bsu\bud\bdo\bo's -\b-C\bC option which
- overrides the default starting point at which s\bsu\bud\bdo\bo
- begins closing open file descriptors. This flag is _\bo_\bf_\bf
+ If set, the user may use \e[1msudo\e[22m's \e[1m-C \e[22moption which
+ overrides the default starting point at which \e[1msudo\e[0m
+ begins closing open file descriptors. This flag is \e[4moff\e[0m
by default.
- compress_io If set, and s\bsu\bud\bdo\bo is configured to log a command's input
- or output, the I/O logs will be compressed using z\bzl\bli\bib\bb.
- This flag is _\bo_\bn by default when s\bsu\bud\bdo\bo is compiled with
- z\bzl\bli\bib\bb support.
+ compress_io If set, and \e[1msudo \e[22mis configured to log a command's input
+ or output, the I/O logs will be compressed using \e[1mzlib\e[22m.
+ This flag is \e[4mon\e[24m by default when \e[1msudo \e[22mis compiled with
+ \e[1mzlib \e[22msupport.
- env_editor If set, v\bvi\bis\bsu\bud\bdo\bo will use the value of the EDITOR or
+ env_editor If set, \e[1mvisudo \e[22mwill use the value of the EDITOR or
VISUAL environment variables before falling back on the
default editor list. Note that this may create a
security hole as it allows the user to run any
arbitrary command as root without logging. A safer
alternative is to place a colon-separated list of
- editors in the editor variable. v\bvi\bis\bsu\bud\bdo\bo will then only
+ editors in the editor variable. \e[1mvisudo \e[22mwill then only
use the EDITOR or VISUAL if they match a value
- specified in editor. This flag is _\bo_\bf_\bf by default.
+ specified in editor. This flag is \e[4moff\e[24m by default.
- env_reset If set, s\bsu\bud\bdo\bo will reset the environment to only contain
+ env_reset If set, \e[1msudo \e[22mwill reset the environment to only contain
the LOGNAME, MAIL, SHELL, USER, USERNAME and the SUDO_*
variables. Any variables in the caller's environment
that match the env_keep and env_check lists are then
added. The default contents of the env_keep and
- env_check lists are displayed when s\bsu\bud\bdo\bo is run by root
- with the _\b-_\bV option. If the _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh option is set,
+ env_check lists are displayed when \e[1msudo \e[22mis run by root
+ with the \e[4m-V\e[24m option. If the \e[4msecure_path\e[24m option is set,
its value will be used for the PATH environment
- variable. This flag is _\bo_\bn by default.
+ variable. This flag is \e[4mon\e[24m by default.
- fast_glob Normally, s\bsu\bud\bdo\bo uses the _\bg_\bl_\bo_\bb(3) function to do shell-
+ fast_glob Normally, \e[1msudo \e[22muses the \e[4mglob\e[24m(3) function to do shell-
style globbing when matching path names. However,
- since it accesses the file system, _\bg_\bl_\bo_\bb(3) can take a
+ since it accesses the file system, \e[4mglob\e[24m(3) can take a
long time to complete for some patterns, especially
when the pattern references a network file system that
- is mounted on demand (automounted). The _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb
- option causes s\bsu\bud\bdo\bo to use the _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) function,
+ is mounted on demand (automounted). The \e[4mfast_glob\e[0m
+ option causes \e[1msudo \e[22mto use the \e[4mfnmatch\e[24m(3) function,
which does not access the file system to do its
- matching. The disadvantage of _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is that it is
- unable to match relative path names such as _\b._\b/_\bl_\bs or
- _\b._\b._\b/_\bb_\bi_\bn_\b/_\bl_\bs. This has security implications when path
+ matching. The disadvantage of \e[4mfast_glob\e[24m is that it is
+ unable to match relative path names such as \e[4m./ls\e[24m or
+ \e[4m../bin/ls\e[24m. This has security implications when path
names that include globbing characters are used with
the negation operator, '!', as such rules can be
trivially bypassed. As such, this option should not be
- used when _\bs_\bu_\bd_\bo_\be_\br_\bs contains rules that contain negated
+ used when \e[4msudoers\e[24m contains rules that contain negated
path names which include globbing characters. This
- flag is _\bo_\bf_\bf by default.
+ flag is \e[4moff\e[24m by default.
fqdn Set this flag if you want to put fully qualified host
-
-
-
-1.7.6 April 9, 2011 11
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- names in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. I.e., instead of myhost you
+ names in the \e[4msudoers\e[24m file. I.e., instead of myhost you
would use myhost.mydomain.edu. You may still use the
short form if you wish (and even mix the two). Beware
- that turning on _\bf_\bq_\bd_\bn requires s\bsu\bud\bdo\bo to make DNS lookups
- which may make s\bsu\bud\bdo\bo unusable if DNS stops working (for
+ that turning on \e[4mfqdn\e[24m requires \e[1msudo \e[22mto make DNS lookups
+ which may make \e[1msudo \e[22munusable if DNS stops working (for
example if the machine is not plugged into the
network). Also note that you must use the host's
official name as DNS knows it. That is, you may not
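Review bot: the doubled article in the always_set_home entry ("is already set when the the env_reset option is enabled") survives unchanged from the `-` line into the `+` line; since this is a regenerated catalog page the fix belongs in the source the page is built from, not in the .cat output. Nothing else in this region changes meaning: the env_editor, fast_glob and fqdn security caveats are reproduced verbatim, only the formatting escapes differ.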
issues and the fact that there is no way to get all
aliases from DNS. If your machine's host name (as
returned by the hostname command) is already fully
- qualified you shouldn't need to set _\bf_\bq_\bd_\bn. This flag is
- _\bo_\bf_\bf by default.
+ qualified you shouldn't need to set \e[4mfqdn\e[24m. This flag is
+ \e[4moff\e[24m by default.
- ignore_dot If set, s\bsu\bud\bdo\bo will ignore '.' or '' (current dir) in the
+ ignore_dot If set, \e[1msudo \e[22mwill ignore '.' or '' (current dir) in the
PATH environment variable; the PATH itself is not
- modified. This flag is _\bo_\bf_\bf by default.
+ modified. This flag is \e[4moff\e[24m by default.
ignore_local_sudoers
- If set via LDAP, parsing of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs will be
+ If set via LDAP, parsing of \e[4m/etc/sudoers\e[24m will be
skipped. This is intended for Enterprises that wish to
prevent the usage of local sudoers files so that only
LDAP is used. This thwarts the efforts of rogue
operators who would attempt to add roles to
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. When this option is present,
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs does not even need to exist. Since this
- option tells s\bsu\bud\bdo\bo how to behave when no specific LDAP
+ \e[4m/etc/sudoers\e[24m. When this option is present,
+ \e[4m/etc/sudoers\e[24m does not even need to exist. Since this
+ option tells \e[1msudo \e[22mhow to behave when no specific LDAP
entries have been matched, this sudoOption is only
meaningful for the cn=defaults section. This flag is
- _\bo_\bf_\bf by default.
+ \e[4moff\e[24m by default.
- insults If set, s\bsu\bud\bdo\bo will insult users when they enter an
- incorrect password. This flag is _\bo_\bf_\bf by default.
+ insults If set, \e[1msudo \e[22mwill insult users when they enter an
+ incorrect password. This flag is \e[4moff\e[24m by default.
log_host If set, the host name will be logged in the (non-
- syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
+ syslog) \e[1msudo \e[22mlog file. This flag is \e[4moff\e[24m by default.
- log_input If set, s\bsu\bud\bdo\bo will run the command in a _\bp_\bs_\be_\bu_\bd_\bo _\bt_\bt_\by and
+ log_input If set, \e[1msudo \e[22mwill run the command in a \e[4mpseudo\e[24m \e[4mtty\e[24m and
log all user input. If the standard input is not
connected to the user's tty, due to I/O redirection or
because the command is part of a pipeline, that input
is also captured and stored in a separate log file.
Input is logged to the directory specified by the
- _\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br option (_\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo by default) using a
- unique session ID that is included in the normal s\bsu\bud\bdo\bo
- log line, prefixed with _\bT_\bS_\bI_\bD_\b=.
+ \e[4miolog_dir\e[24m option (\e[4m/var/log/sudo-io\e[24m by default) using a
+ unique session ID that is included in the normal \e[1msudo\e[0m
+ log line, prefixed with \e[4mTSID=\e[24m.
Note that user input may contain sensitive information
such as passwords (even if they are not echoed to the
screen), which will be stored in the log file
unencrypted. In most cases, logging the command output
- via _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt is all that is required.
-
-
-
-1.7.6 April 9, 2011 12
-
-
+ via \e[4mlog_output\e[24m is all that is required.
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- log_output If set, s\bsu\bud\bdo\bo will run the command in a _\bp_\bs_\be_\bu_\bd_\bo _\bt_\bt_\by and
+ log_output If set, \e[1msudo \e[22mwill run the command in a \e[4mpseudo\e[24m \e[4mtty\e[24m and
log all output that is sent to the screen, similar to
- the _\bs_\bc_\br_\bi_\bp_\bt(1) command. If the standard output or
+ the \e[4mscript\e[24m(1) command. If the standard output or
standard error is not connected to the user's tty, due
to I/O redirection or because the command is part of a
pipeline, that output is also captured and stored in
separate log files.
Output is logged to the directory specified by the
- _\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br option (_\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo by default) using a
- unique session ID that is included in the normal s\bsu\bud\bdo\bo
- log line, prefixed with _\bT_\bS_\bI_\bD_\b=.
+ \e[4miolog_dir\e[24m option (\e[4m/var/log/sudo-io\e[24m by default) using a
+ unique session ID that is included in the normal \e[1msudo\e[0m
+ log line, prefixed with \e[4mTSID=\e[24m.
- Output logs may be viewed with the _\bs_\bu_\bd_\bo_\br_\be_\bp_\bl_\ba_\by(1m)
+ Output logs may be viewed with the \e[4msudoreplay\e[24m(1m)
utility, which can also be used to list or search the
available logs.
log_year If set, the four-digit year will be logged in the (non-
- syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
+ syslog) \e[1msudo \e[22mlog file. This flag is \e[4moff\e[24m by default.
- long_otp_prompt When validating with a One Time Password (OPT) scheme
- such as S\bS/\b/K\bKe\bey\by or O\bOP\bPI\bIE\bE, a two-line prompt is used to
+ long_otp_prompt When validating with a One Time Password (OTP) scheme
+ such as \e[1mS/Key \e[22mor \e[1mOPIE\e[22m, a two-line prompt is used to
make it easier to cut and paste the challenge to a
local window. It's not as pretty as the default but
- some people find it more convenient. This flag is _\bo_\bf_\bf
+ some people find it more convenient. This flag is \e[4moff\e[0m
by default.
- mail_always Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user every time a users runs
- s\bsu\bud\bdo\bo. This flag is _\bo_\bf_\bf by default.
+ mail_always Send mail to the \e[4mmailto\e[24m user every time a users runs
+ \e[1msudo\e[22m. This flag is \e[4moff\e[24m by default.
- mail_badpass Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user if the user running s\bsu\bud\bdo\bo
- does not enter the correct password. This flag is _\bo_\bf_\bf
+ mail_badpass Send mail to the \e[4mmailto\e[24m user if the user running \e[1msudo\e[0m
+ does not enter the correct password. This flag is \e[4moff\e[0m
by default.
- mail_no_host If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
- invoking user exists in the _\bs_\bu_\bd_\bo_\be_\br_\bs file, but is not
+ mail_no_host If set, mail will be sent to the \e[4mmailto\e[24m user if the
+ invoking user exists in the \e[4msudoers\e[24m file, but is not
allowed to run commands on the current host. This flag
- is _\bo_\bf_\bf by default.
+ is \e[4moff\e[24m by default.
- mail_no_perms If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
- invoking user is allowed to use s\bsu\bud\bdo\bo but the command
- they are trying is not listed in their _\bs_\bu_\bd_\bo_\be_\br_\bs file
- entry or is explicitly denied. This flag is _\bo_\bf_\bf by
+ mail_no_perms If set, mail will be sent to the \e[4mmailto\e[24m user if the
+ invoking user is allowed to use \e[1msudo \e[22mbut the command
+ they are trying is not listed in their \e[4msudoers\e[24m file
+ entry or is explicitly denied. This flag is \e[4moff\e[24m by
default.
- mail_no_user If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
- invoking user is not in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. This flag is
- _\bo_\bn by default.
+ mail_no_user If set, mail will be sent to the \e[4mmailto\e[24m user if the
+ invoking user is not in the \e[4msudoers\e[24m file. This flag is
+ \e[4mon\e[24m by default.
- noexec If set, all commands run via s\bsu\bud\bdo\bo will behave as if the
+ noexec If set, all commands run via \e[1msudo \e[22mwill behave as if the
NOEXEC tag has been set, unless overridden by a EXEC
- tag. See the description of _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC below as
+ tag. See the description of \e[4mNOEXEC\e[24m \e[4mand\e[24m \e[4mEXEC\e[24m below as
well as the "PREVENTING SHELL ESCAPES" section at the
- end of this manual. This flag is _\bo_\bf_\bf by default.
-
-
-
-1.7.6 April 9, 2011 13
-
+ end of this manual. This flag is \e[4moff\e[24m by default.
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- path_info Normally, s\bsu\bud\bdo\bo will tell the user when a command could
+ path_info Normally, \e[1msudo \e[22mwill tell the user when a command could
not be found in their PATH environment variable. Some
sites may wish to disable this as it could be used to
gather information on the location of executables that
the normal user does not have access to. The
disadvantage is that if the executable is simply not in
- the user's PATH, s\bsu\bud\bdo\bo will tell the user that they are
+ the user's PATH, \e[1msudo \e[22mwill tell the user that they are
not allowed to run it, which can be confusing. This
- flag is _\bo_\bn by default.
+ flag is \e[4mon\e[24m by default.
passprompt_override
- The password prompt specified by _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will
+ The password prompt specified by \e[4mpassprompt\e[24m will
normally only be used if the password prompt provided
by systems such as PAM matches the string "Password:".
- If _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is set, _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will always
- be used. This flag is _\bo_\bf_\bf by default.
+ If \e[4mpassprompt_override\e[24m is set, \e[4mpassprompt\e[24m will always
+ be used. This flag is \e[4moff\e[24m by default.
- preserve_groups By default, s\bsu\bud\bdo\bo will initialize the group vector to
+ preserve_groups By default, \e[1msudo \e[22mwill initialize the group vector to
the list of groups the target user is in. When
- _\bp_\br_\be_\bs_\be_\br_\bv_\be_\b__\bg_\br_\bo_\bu_\bp_\bs is set, the user's existing group
+ \e[4mpreserve_groups\e[24m is set, the user's existing group
vector is left unaltered. The real and effective group
IDs, however, are still set to match the target user.
- This flag is _\bo_\bf_\bf by default.
+ This flag is \e[4moff\e[24m by default.
- pwfeedback By default, s\bsu\bud\bdo\bo reads the password like most other
+ pwfeedback By default, \e[1msudo \e[22mreads the password like most other
Unix programs, by turning off echo until the user hits
the return (or enter) key. Some users become confused
- by this as it appears to them that s\bsu\bud\bdo\bo has hung at
- this point. When _\bp_\bw_\bf_\be_\be_\bd_\bb_\ba_\bc_\bk is set, s\bsu\bud\bdo\bo will provide
+ by this as it appears to them that \e[1msudo \e[22mhas hung at
+ this point. When \e[4mpwfeedback\e[24m is set, \e[1msudo \e[22mwill provide
visual feedback when the user presses a key. Note that
this does have a security impact as an onlooker may be
able to determine the length of the password being
- entered. This flag is _\bo_\bf_\bf by default.
+ entered. This flag is \e[4moff\e[24m by default.
- requiretty If set, s\bsu\bud\bdo\bo will only run when the user is logged in
- to a real tty. When this flag is set, s\bsu\bud\bdo\bo can only be
+ requiretty If set, \e[1msudo \e[22mwill only run when the user is logged in
+ to a real tty. When this flag is set, \e[1msudo \e[22mcan only be
run from a login session and not via other means such
- as _\bc_\br_\bo_\bn(1m) or cgi-bin scripts. This flag is _\bo_\bf_\bf by
+ as \e[4mcron\e[24m(1m) or cgi-bin scripts. This flag is \e[4moff\e[24m by
default.
- root_sudo If set, root is allowed to run s\bsu\bud\bdo\bo too. Disabling
- this prevents users from "chaining" s\bsu\bud\bdo\bo commands to
+ root_sudo If set, root is allowed to run \e[1msudo \e[22mtoo. Disabling
+ this prevents users from "chaining" \e[1msudo \e[22mcommands to
get a root shell by doing something like "sudo sudo
- /bin/sh". Note, however, that turning off _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo
- will also prevent root from running s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
- Disabling _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo provides no real additional
+ /bin/sh". Note, however, that turning off \e[4mroot_sudo\e[0m
+ will also prevent root from running \e[1msudoedit\e[22m.
+ Disabling \e[4mroot_sudo\e[24m provides no real additional
security; it exists purely for historical reasons.
- This flag is _\bo_\bn by default.
+ This flag is \e[4mon\e[24m by default.
- rootpw If set, s\bsu\bud\bdo\bo will prompt for the root password instead
- of the password of the invoking user. This flag is _\bo_\bf_\bf
+ rootpw If set, \e[1msudo \e[22mwill prompt for the root password instead
+ of the password of the invoking user. This flag is \e[4moff\e[0m
by default.
- runaspw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
-
-
-
-1.7.6 April 9, 2011 14
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- defined by the _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt option (defaults to root)
+ runaspw If set, \e[1msudo \e[22mwill prompt for the password of the user
+ defined by the \e[4mrunas_default\e[24m option (defaults to root)
instead of the password of the invoking user. This
- flag is _\bo_\bf_\bf by default.
+ flag is \e[4moff\e[24m by default.
- set_home If enabled and s\bsu\bud\bdo\bo is invoked with the -\b-s\bs option the
+ set_home If enabled and \e[1msudo \e[22mis invoked with the \e[1m-s \e[22moption the
HOME environment variable will be set to the home
directory of the target user (which is root unless the
- -\b-u\bu option is used). This effectively makes the -\b-s\bs
- option imply -\b-H\bH. Note that HOME is already set when
- the the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is enabled, so _\bs_\be_\bt_\b__\bh_\bo_\bm_\be is
+ \e[1m-u \e[22moption is used). This effectively makes the \e[1m-s\e[0m
+ option imply \e[1m-H\e[22m. Note that HOME is already set when
+ the the \e[4menv_reset\e[24m option is enabled, so \e[4mset_home\e[24m is
only effective for configurations where either
- _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt is disabled or HOME is present in the
- _\be_\bn_\bv_\b__\bk_\be_\be_\bp list. This flag is _\bo_\bf_\bf by default.
+ \e[4menv_reset\e[24m is disabled or HOME is present in the
+ \e[4menv_keep\e[24m list. This flag is \e[4moff\e[24m by default.
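Review bot: the doubled "the the" in the set_home entry is carried straight into the rewritten line ("Note that HOME is already set when the the env_reset option is enabled"); since this line is being touched anyway for the bold/underline escape rewrite, drop the extra "the" here rather than in a follow-up.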
- set_logname Normally, s\bsu\bud\bdo\bo will set the LOGNAME, USER and USERNAME
+ set_logname Normally, \e[1msudo \e[22mwill set the LOGNAME, USER and USERNAME
environment variables to the name of the target user
- (usually root unless the -\b-u\bu option is given). However,
+ (usually root unless the \e[1m-u \e[22moption is given). However,
since some programs (including the RCS revision control
system) use LOGNAME to determine the real identity of
the user, it may be desirable to change this behavior.
This can be done by negating the set_logname option.
- Note that if the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option has not been
- disabled, entries in the _\be_\bn_\bv_\b__\bk_\be_\be_\bp list will override
- the value of _\bs_\be_\bt_\b__\bl_\bo_\bg_\bn_\ba_\bm_\be. This flag is _\bo_\bn by default.
+ Note that if the \e[4menv_reset\e[24m option has not been
+ disabled, entries in the \e[4menv_keep\e[24m list will override
+ the value of \e[4mset_logname\e[24m. This flag is \e[4mon\e[24m by default.
- setenv Allow the user to disable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option from the
+ setenv Allow the user to disable the \e[4menv_reset\e[24m option from the
command line. Additionally, environment variables set
via the command line are not subject to the
- restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or
- _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such, only trusted users should be
+ restrictions imposed by \e[4menv_check\e[24m, \e[4menv_delete\e[24m, or
+ \e[4menv_keep\e[24m. As such, only trusted users should be
allowed to set variables in this manner. This flag is
- _\bo_\bf_\bf by default.
+ \e[4moff\e[24m by default.
- shell_noargs If set and s\bsu\bud\bdo\bo is invoked with no arguments it acts as
- if the -\b-s\bs option had been given. That is, it runs a
+ shell_noargs If set and \e[1msudo \e[22mis invoked with no arguments it acts as
+ if the \e[1m-s \e[22moption had been given. That is, it runs a
shell as root (the shell is determined by the SHELL
environment variable if it is set, falling back on the
shell listed in the invoking user's /etc/passwd entry
- if not). This flag is _\bo_\bf_\bf by default.
+ if not). This flag is \e[4moff\e[24m by default.
- stay_setuid Normally, when s\bsu\bud\bdo\bo executes a command the real and
+ stay_setuid Normally, when \e[1msudo \e[22mexecutes a command the real and
effective UIDs are set to the target user (root by
default). This option changes that behavior such that
the real UID is left as the invoking user's UID. In
- other words, this makes s\bsu\bud\bdo\bo act as a setuid wrapper.
+ other words, this makes \e[1msudo \e[22mact as a setuid wrapper.
This can be useful on systems that disable some
potentially dangerous functionality when a program is
run setuid. This option is only effective on systems
- with either the _\bs_\be_\bt_\br_\be_\bu_\bi_\bd_\b(_\b) or _\bs_\be_\bt_\br_\be_\bs_\bu_\bi_\bd_\b(_\b) function.
- This flag is _\bo_\bf_\bf by default.
+ with either the \e[4msetreuid()\e[24m or \e[4msetresuid()\e[24m function.
+ This flag is \e[4moff\e[24m by default.
- targetpw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
- specified by the -\b-u\bu option (defaults to root) instead
+ targetpw If set, \e[1msudo \e[22mwill prompt for the password of the user
+ specified by the \e[1m-u \e[22moption (defaults to root) instead
of the password of the invoking user. In addition, the
-
-
-
-1.7.6 April 9, 2011 15
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
timestamp file name will include the target user's
name. Note that this flag precludes the use of a uid
not listed in the passwd database as an argument to the
- -\b-u\bu option. This flag is _\bo_\bf_\bf by default.
+ \e[1m-u \e[22moption. This flag is \e[4moff\e[24m by default.
tty_tickets If set, users must authenticate on a per-tty basis.
- With this flag enabled, s\bsu\bud\bdo\bo will use a file named for
+ With this flag enabled, \e[1msudo \e[22mwill use a file named for
the tty the user is logged in on in the user's time
stamp directory. If disabled, the time stamp of the
- directory is used instead. This flag is _\bo_\bn by default.
+ directory is used instead. This flag is \e[4mon\e[24m by default.
- umask_override If set, s\bsu\bud\bdo\bo will set the umask as specified by _\bs_\bu_\bd_\bo_\be_\br_\bs
+ umask_override If set, \e[1msudo \e[22mwill set the umask as specified by \e[4msudoers\e[0m
without modification. This makes it possible to
- specify a more permissive umask in _\bs_\bu_\bd_\bo_\be_\br_\bs than the
+ specify a more permissive umask in \e[4msudoers\e[24m than the
user's own umask and matches historical behavior. If
- _\bu_\bm_\ba_\bs_\bk_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is not set, s\bsu\bud\bdo\bo will set the umask to
+ \e[4mumask_override\e[24m is not set, \e[1msudo \e[22mwill set the umask to
be the union of the user's umask and what is specified
- in _\bs_\bu_\bd_\bo_\be_\br_\bs. This flag is _\bo_\bf_\bf by default.
+ in \e[4msudoers\e[24m. This flag is \e[4moff\e[24m by default.
- use_loginclass If set, s\bsu\bud\bdo\bo will apply the defaults specified for the
+ use_loginclass If set, \e[1msudo \e[22mwill apply the defaults specified for the
target user's login class if one exists. Only
- available if s\bsu\bud\bdo\bo is configured with the
- --with-logincap option. This flag is _\bo_\bf_\bf by default.
+ available if \e[1msudo \e[22mis configured with the
+ --with-logincap option. This flag is \e[4moff\e[24m by default.
- use_pty If set, s\bsu\bud\bdo\bo will run the command in a pseudo-pty even
+ use_pty If set, \e[1msudo \e[22mwill run the command in a pseudo-pty even
if no I/O logging is being gone. A malicious program
- run under s\bsu\bud\bdo\bo could conceivably fork a background
+ run under \e[1msudo \e[22mcould conceivably fork a background
process that retains to the user's terminal device
after the main program has finished executing. Use of
this option will make that impossible.
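Review bot: the use_pty entry is only rewritten for escape sequences, but the unchanged context it sits in still says "even if no I/O logging is being gone" and "a background process that retains to the user's terminal device"; the intended readings are presumably "being done" and "retains access to the user's terminal device", and since this is the option that closes the terminal-hijack window the text describes, it is worth folding the wording fix into the same change.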
- visiblepw By default, s\bsu\bud\bdo\bo will refuse to run if the user must
+ visiblepw By default, \e[1msudo \e[22mwill refuse to run if the user must
enter a password but it is not possible to disable echo
- on the terminal. If the _\bv_\bi_\bs_\bi_\bb_\bl_\be_\bp_\bw flag is set, s\bsu\bud\bdo\bo
+ on the terminal. If the \e[4mvisiblepw\e[24m flag is set, \e[1msudo\e[0m
will prompt for a password even when it would be
visible on the screen. This makes it possible to run
- things like "rsh somehost sudo ls" since _\br_\bs_\bh(1) does
- not allocate a tty. This flag is _\bo_\bf_\bf by default.
+ things like "rsh somehost sudo ls" since \e[4mrsh\e[24m(1) does
+ not allocate a tty. This flag is \e[4moff\e[24m by default.
- I\bIn\bnt\bte\beg\bge\ber\brs\bs:
+ \e[1mIntegers\e[22m:
- closefrom Before it executes a command, s\bsu\bud\bdo\bo will close all open
+ closefrom Before it executes a command, \e[1msudo \e[22mwill close all open
file descriptors other than standard input, standard
output and standard error (ie: file descriptors 0-2).
- The _\bc_\bl_\bo_\bs_\be_\bf_\br_\bo_\bm option can be used to specify a different
+ The \e[4mclosefrom\e[24m option can be used to specify a different
file descriptor at which to start closing. The default
is 3.
passwd_tries The number of tries a user gets to enter his/her
- password before s\bsu\bud\bdo\bo logs the failure and exits. The
+ password before \e[1msudo \e[22mlogs the failure and exits. The
default is 3.
- I\bIn\bnt\bte\beg\bge\ber\brs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
-
-
-
-
-1.7.6 April 9, 2011 16
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
+ \e[1mIntegers that can be used in a boolean context\e[22m:
loglinelen Number of characters per line for the file log. This
value is used to decide when to wrap lines for nicer
only the file log. The default is 80 (use 0 or negate
the option to disable word wrap).
- passwd_timeout Number of minutes before the s\bsu\bud\bdo\bo password prompt times
+ passwd_timeout Number of minutes before the \e[1msudo \e[22mpassword prompt times
out, or 0 for no timeout. The timeout may include a
fractional component if minute granularity is
insufficient, for example 2.5. The default is 5.
timestamp_timeout
- Number of minutes that can elapse before s\bsu\bud\bdo\bo will ask
+ Number of minutes that can elapse before \e[1msudo \e[22mwill ask
for a passwd again. The timeout may include a
fractional component if minute granularity is
insufficient, for example 2.5. The default is 5. Set
umask Umask to use when running the command. Negate this
option or set it to 0777 to preserve the user's umask.
The actual umask that is used will be the union of the
- user's umask and the value of the _\bu_\bm_\ba_\bs_\bk option, which
- defaults to 0022. This guarantees that s\bsu\bud\bdo\bo never
+ user's umask and the value of the \e[4mumask\e[24m option, which
+ defaults to 0022. This guarantees that \e[1msudo \e[22mnever
lowers the umask when running a command. Note on
systems that use PAM, the default PAM configuration may
specify its own umask which will override the value set
- in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+ in \e[4msudoers\e[24m.
- S\bSt\btr\bri\bin\bng\bgs\bs:
+ \e[1mStrings\e[22m:
badpass_message Message that is displayed if a user enters an incorrect
password. The default is Sorry, try again. unless
insults are enabled.
editor A colon (':') separated list of editors allowed to be
- used with v\bvi\bis\bsu\bud\bdo\bo. v\bvi\bis\bsu\bud\bdo\bo will choose the editor that
+ used with \e[1mvisudo\e[22m. \e[1mvisudo \e[22mwill choose the editor that
matches the user's EDITOR environment variable if
possible, or the first editor in the list that exists
and is executable. The default is "vi".
iolog_dir The directory in which to store input/output logs when
- the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt or _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt options are enabled or when
+ the \e[4mlog_input\e[24m or \e[4mlog_output\e[24m options are enabled or when
the LOG_INPUT or LOG_OUTPUT tags are present for a
command. The default is "/var/log/sudo-io".
- mailsub Subject of the mail sent to the _\bm_\ba_\bi_\bl_\bt_\bo user. The escape
+ mailsub Subject of the mail sent to the \e[4mmailto\e[24m user. The escape
%h will expand to the host name of the machine.
Default is *** SECURITY information for %h ***.
noexec_file Path to a shared library containing dummy versions of
-
-
-
-1.7.6 April 9, 2011 17
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- the _\be_\bx_\be_\bc_\bv_\b(_\b), _\be_\bx_\be_\bc_\bv_\be_\b(_\b) and _\bf_\be_\bx_\be_\bc_\bv_\be_\b(_\b) library functions
+ the \e[4mexecv()\e[24m, \e[4mexecve()\e[24m and \e[4mfexecve()\e[24m library functions
that just return an error. This is used to implement
- the _\bn_\bo_\be_\bx_\be_\bc functionality on systems that support
+ the \e[4mnoexec\e[24m functionality on systems that support
LD_PRELOAD or its equivalent. Defaults to
- _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc_\b/_\bs_\bu_\bd_\bo_\b__\bn_\bo_\be_\bx_\be_\bc_\b._\bs_\bo.
+ \e[4m/usr/local/libexec/sudo_noexec.so\e[24m.
passprompt The default prompt to use when asking for a password;
- can be overridden via the -\b-p\bp option or the SUDO_PROMPT
+ can be overridden via the \e[1m-p \e[22moption or the SUDO_PROMPT
environment variable. The following percent (`%')
escapes are supported:
%H expanded to the local host name including the
domain name (on if the machine's host name is fully
- qualified or the _\bf_\bq_\bd_\bn option is set)
+ qualified or the \e[4mfqdn\e[24m option is set)
%h expanded to the local host name without the domain
name
%p expanded to the user whose password is being asked
- for (respects the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and _\br_\bu_\bn_\ba_\bs_\bp_\bw
- flags in _\bs_\bu_\bd_\bo_\be_\br_\bs)
+ for (respects the \e[4mrootpw\e[24m, \e[4mtargetpw\e[24m and \e[4mrunaspw\e[0m
+ flags in \e[4msudoers\e[24m)
%U expanded to the login name of the user the command
will be run as (defaults to root)
role The default SELinux role to use when constructing a new
security context to run the command. The default role
- may be overridden on a per-command basis in _\bs_\bu_\bd_\bo_\be_\br_\bs or
+ may be overridden on a per-command basis in \e[4msudoers\e[24m or
via command line options. This option is only
- available whe s\bsu\bud\bdo\bo is built with SELinux support.
+ available whe \e[1msudo \e[22mis built with SELinux support.
- runas_default The default user to run commands as if the -\b-u\bu option is
+ runas_default The default user to run commands as if the \e[1m-u \e[22moption is
not specified on the command line. This defaults to
- root. Note that if _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt is set it m\bmu\bus\bst\bt occur
- before any Runas_Alias specifications.
+ root.
syslog_badpri Syslog priority to use when user authenticates
unsuccessfully. Defaults to alert.
+ The following syslog priorities are supported: \e[1malert\e[22m,
+ \e[1mcrit\e[22m, \e[1mdebug\e[22m, \e[1memerg\e[22m, \e[1merr\e[22m, \e[1minfo\e[22m, \e[1mnotice\e[22m, and \e[1mwarning\e[22m.
+
syslog_goodpri Syslog priority to use when user authenticates
successfully. Defaults to notice.
+ See syslog_badpri for the list of supported syslog
+ priorities.
+
sudoers_locale Locale to use when parsing the sudoers file, logging
commands, and sending email. Note that changing the
locale may affect how sudoers is interpreted. Defaults
to "C".
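Review bot: the runas_default entry drops the sentence "Note that if runas_default is set it must occur before any Runas_Alias specifications" with no replacement; if the parser still applies the value only to Runas_Alias entries that follow it, the documentation now hides an ordering requirement, so this deletion should be paired with (or reference) the parser change that makes the ordering irrelevant. Two smaller points in the same region: the role entry's "available whe sudo is built with SELinux support" keeps the "whe" misspelling in its rewritten line (the type entry below repeats it), and the priority list added under syslog_badpri (alert, crit, debug, emerg, err, info, notice, warning) matches the paragraph deleted at the end of the option list item for item, so that relocation is complete and the "See syslog_badpri" pointer under syslog_goodpri is sufficient.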
-
-
-
-1.7.6 April 9, 2011 18
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- timestampdir The directory in which s\bsu\bud\bdo\bo stores its timestamp files.
- The default is _\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo.
+ timestampdir The directory in which \e[1msudo \e[22mstores its timestamp files.
+ The default is \e[4m/var/adm/sudo\e[24m.
timestampowner The owner of the timestamp directory and the timestamps
stored therein. The default is root.
type The default SELinux type to use when constructing a new
security context to run the command. The default type
- may be overridden on a per-command basis in _\bs_\bu_\bd_\bo_\be_\br_\bs or
+ may be overridden on a per-command basis in \e[4msudoers\e[24m or
via command line options. This option is only
- available whe s\bsu\bud\bdo\bo is built with SELinux support.
+ available whe \e[1msudo \e[22mis built with SELinux support.
- S\bSt\btr\bri\bin\bng\bgs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
+ \e[1mStrings that can be used in a boolean context\e[22m:
- askpass The _\ba_\bs_\bk_\bp_\ba_\bs_\bs option specifies the fully qualified path to a
+ askpass The \e[4maskpass\e[24m option specifies the fully qualified path to a
helper program used to read the user's password when no
- terminal is available. This may be the case when s\bsu\bud\bdo\bo is
+ terminal is available. This may be the case when \e[1msudo \e[22mis
executed from a graphical (as opposed to text-based)
- application. The program specified by _\ba_\bs_\bk_\bp_\ba_\bs_\bs should
+ application. The program specified by \e[4maskpass\e[24m should
display the argument passed to it as the prompt and write
the user's password to the standard output. The value of
- _\ba_\bs_\bk_\bp_\ba_\bs_\bs may be overridden by the SUDO_ASKPASS environment
+ \e[4maskpass\e[24m may be overridden by the SUDO_ASKPASS environment
variable.
- env_file The _\be_\bn_\bv_\b__\bf_\bi_\bl_\be options specifies the fully qualified path to
+ env_file The \e[4menv_file\e[24m options specifies the fully qualified path to
a file containing variables to be set in the environment of
the program being run. Entries in this file should either
be of the form VARIABLE=value or export VARIABLE=value.
The value may optionally be surrounded by single or double
- quotes. Variables in this file are subject to other s\bsu\bud\bdo\bo
- environment settings such as _\be_\bn_\bv_\b__\bk_\be_\be_\bp and _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk.
+ quotes. Variables in this file are subject to other \e[1msudo\e[0m
+ environment settings such as \e[4menv_keep\e[24m and \e[4menv_check\e[24m.
exempt_group
Users in this group are exempt from password and PATH
- requirements. This is not set by default.
+ requirements. The group name specified should not include
+ a % prefix. This is not set by default.
lecture This option controls when a short lecture will be printed
along with the password prompt. It has the following
never Never lecture the user.
- once Only lecture the user the first time they run s\bsu\bud\bdo\bo.
+ once Only lecture the user the first time they run \e[1msudo\e[22m.
- If no value is specified, a value of _\bo_\bn_\bc_\be is implied.
- Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
- The default value is _\bo_\bn_\bc_\be.
+ If no value is specified, a value of \e[4monce\e[24m is implied.
+ Negating the option results in a value of \e[4mnever\e[24m being used.
+ The default value is \e[4monce\e[24m.
lecture_file
- Path to a file containing an alternate s\bsu\bud\bdo\bo lecture that
+ Path to a file containing an alternate \e[1msudo \e[22mlecture that
will be used in place of the standard lecture if the named
- file exists. By default, s\bsu\bud\bdo\bo uses a built-in lecture.
-
-
-
-1.7.6 April 9, 2011 19
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
+ file exists. By default, \e[1msudo \e[22muses a built-in lecture.
listpw This option controls when a password will be required when
- a user runs s\bsu\bud\bdo\bo with the -\b-l\bl option. It has the following
+ a user runs \e[1msudo \e[22mwith the \e[1m-l \e[22moption. It has the following
possible values:
- all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the current host
+ all All the user's \e[4msudoers\e[24m entries for the current host
must have the NOPASSWD flag set to avoid entering a
password.
- always The user must always enter a password to use the -\b-l\bl
+ always The user must always enter a password to use the \e[1m-l\e[0m
option.
- any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the
+ any At least one of the user's \e[4msudoers\e[24m entries for the
current host must have the NOPASSWD flag set to
avoid entering a password.
- never The user need never enter a password to use the -\b-l\bl
+ never The user need never enter a password to use the \e[1m-l\e[0m
option.
- If no value is specified, a value of _\ba_\bn_\by is implied.
- Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
- The default value is _\ba_\bn_\by.
+ If no value is specified, a value of \e[4many\e[24m is implied.
+ Negating the option results in a value of \e[4mnever\e[24m being used.
+ The default value is \e[4many\e[24m.
- logfile Path to the s\bsu\bud\bdo\bo log file (not the syslog log file).
+ logfile Path to the \e[1msudo \e[22mlog file (not the syslog log file).
Setting a path turns on logging to a file; negating this
- option turns it off. By default, s\bsu\bud\bdo\bo logs via syslog.
+ option turns it off. By default, \e[1msudo \e[22mlogs via syslog.
- mailerflags Flags to use when invoking mailer. Defaults to -\b-t\bt.
+ mailerflags Flags to use when invoking mailer. Defaults to \e[1m-t\e[22m.
mailerpath Path to mail program used to send warning mail. Defaults
to the path to sendmail found at configure time.
mailfrom Address to use for the "from" address when sending warning
and error mail. The address should be enclosed in double
- quotes (") to protect against s\bsu\bud\bdo\bo interpreting the @ sign.
- Defaults to the name of the user running s\bsu\bud\bdo\bo.
+ quotes (") to protect against \e[1msudo \e[22minterpreting the @ sign.
+ Defaults to the name of the user running \e[1msudo\e[22m.
mailto Address to send warning and error mail to. The address
should be enclosed in double quotes (") to protect against
- s\bsu\bud\bdo\bo interpreting the @ sign. Defaults to root.
+ \e[1msudo \e[22minterpreting the @ sign. Defaults to root.
- secure_path Path used for every command run from s\bsu\bud\bdo\bo. If you don't
- trust the people running s\bsu\bud\bdo\bo to have a sane PATH
+ secure_path Path used for every command run from \e[1msudo\e[22m. If you don't
+ trust the people running \e[1msudo \e[22mto have a sane PATH
environment variable you may want to use this. Another use
is if you want to have the "root path" be separate from the
"user path." Users in the group specified by the
- _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option are not affected by _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh. This
+ \e[4mexempt_group\e[24m option are not affected by \e[4msecure_path\e[24m. This
option is not set by default.
syslog Syslog facility if syslog is being used for logging (negate
to disable syslog logging). Defaults to auth.
+ The following syslog facilities are supported: \e[1mauthpriv \e[22m(if
+ your OS supports it), \e[1mauth\e[22m, \e[1mdaemon\e[22m, \e[1muser\e[22m, \e[1mlocal0\e[22m, \e[1mlocal1\e[22m,
+ \e[1mlocal2\e[22m, \e[1mlocal3\e[22m, \e[1mlocal4\e[22m, \e[1mlocal5\e[22m, \e[1mlocal6\e[22m, and \e[1mlocal7\e[22m.
+
verifypw This option controls when a password will be required when
- a user runs s\bsu\bud\bdo\bo with the -\b-v\bv option. It has the following
+ a user runs \e[1msudo \e[22mwith the \e[1m-v \e[22moption. It has the following
possible values:
-
-
-1.7.6 April 9, 2011 20
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the current host
+ all All the user's \e[4msudoers\e[24m entries for the current host
must have the NOPASSWD flag set to avoid entering a
password.
- always The user must always enter a password to use the -\b-v\bv
+ always The user must always enter a password to use the \e[1m-v\e[0m
option.
- any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the
+ any At least one of the user's \e[4msudoers\e[24m entries for the
current host must have the NOPASSWD flag set to
avoid entering a password.
- never The user need never enter a password to use the -\b-v\bv
+ never The user need never enter a password to use the \e[1m-v\e[0m
option.
- If no value is specified, a value of _\ba_\bl_\bl is implied.
- Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
- The default value is _\ba_\bl_\bl.
+ If no value is specified, a value of \e[4mall\e[24m is implied.
+ Negating the option results in a value of \e[4mnever\e[24m being used.
+ The default value is \e[4mall\e[24m.
- L\bLi\bis\bst\bts\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
+ \e[1mLists that can be used in a boolean context\e[22m:
env_check Environment variables to be removed from the user's
environment if the variable's value contains % or /
option is enabled or disabled, variables specified by
env_check will be preserved in the environment if they
pass the aforementioned check. The default list of
- environment variables to check is displayed when s\bsu\bud\bdo\bo
- is run by root with the _\b-_\bV option.
+ environment variables to check is displayed when \e[1msudo\e[0m
+ is run by root with the \e[4m-V\e[24m option.
env_delete Environment variables to be removed from the user's
- environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is not in effect.
+ environment when the \e[4menv_reset\e[24m option is not in effect.
The argument may be a double-quoted, space-separated
list or a single value without double-quotes. The list
can be replaced, added to, deleted from, or disabled by
using the =, +=, -=, and ! operators respectively. The
default list of environment variables to remove is
- displayed when s\bsu\bud\bdo\bo is run by root with the _\b-_\bV option.
+ displayed when \e[1msudo \e[22mis run by root with the \e[4m-V\e[24m option.
Note that many operating systems will remove
potentially dangerous variables from the environment of
- any setuid process (such as s\bsu\bud\bdo\bo).
+ any setuid process (such as \e[1msudo\e[22m).
env_keep Environment variables to be preserved in the user's
- environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is in effect.
+ environment when the \e[4menv_reset\e[24m option is in effect.
This allows fine-grained control over the environment
- s\bsu\bud\bdo\bo-spawned processes will receive. The argument may
+ \e[1msudo\e[22m-spawned processes will receive. The argument may
be a double-quoted, space-separated list or a single
value without double-quotes. The list can be replaced,
added to, deleted from, or disabled by using the =, +=,
-
-
-
-1.7.6 April 9, 2011 21
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
-=, and ! operators respectively. The default list of
- variables to keep is displayed when s\bsu\bud\bdo\bo is run by root
- with the _\b-_\bV option.
-
- When logging via _\bs_\by_\bs_\bl_\bo_\bg(3), s\bsu\bud\bdo\bo accepts the following values for the
- syslog facility (the value of the s\bsy\bys\bsl\blo\bog\bg Parameter): a\bau\but\bth\bhp\bpr\bri\biv\bv (if your
- OS supports it), a\bau\but\bth\bh, d\bda\bae\bem\bmo\bon\bn, u\bus\bse\ber\br, l\blo\boc\bca\bal\bl0\b0, l\blo\boc\bca\bal\bl1\b1, l\blo\boc\bca\bal\bl2\b2, l\blo\boc\bca\bal\bl3\b3,
- l\blo\boc\bca\bal\bl4\b4, l\blo\boc\bca\bal\bl5\b5, l\blo\boc\bca\bal\bl6\b6, and l\blo\boc\bca\bal\bl7\b7. The following syslog priorities
- are supported: a\bal\ble\ber\brt\bt, c\bcr\bri\bit\bt, d\bde\beb\bbu\bug\bg, e\bem\bme\ber\brg\bg, e\ber\brr\br, i\bin\bnf\bfo\bo, n\bno\bot\bti\bic\bce\be, and
- w\bwa\bar\brn\bni\bin\bng\bg.
+ variables to keep is displayed when \e[1msudo \e[22mis run by root
+ with the \e[4m-V\e[24m option.
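Review bot: deleting this trailing paragraph is safe only because both of its lists now live beside the options they describe: the facility list (authpriv if the OS supports it, auth, daemon, user, local0 through local7) reappears under the syslog entry and the priority list under syslog_badpri, and each copy matches the removed text item for item. The one statement not carried over verbatim is that these are the accepted values of the syslog Parameter when logging via syslog(3); the new "The following syslog facilities are supported" sentence under syslog conveys the same thing, so no further change is needed.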
-F\bFI\bIL\bLE\bES\bS
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
+\e[1mFILES\e[0m
+ \e[4m/etc/sudoers\e[24m List of who can run what
- _\b/_\be_\bt_\bc_\b/_\bg_\br_\bo_\bu_\bp Local groups file
+ \e[4m/etc/group\e[24m Local groups file
- _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bg_\br_\bo_\bu_\bp List of network groups
+ \e[4m/etc/netgroup\e[24m List of network groups
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo I/O log files
+ \e[4m/var/log/sudo-io\e[24m I/O log files
-E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
- Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of these are a bit
+\e[1mEXAMPLES\e[0m
+ Below are example \e[4msudoers\e[24m entries. Admittedly, some of these are a bit
contrived. First, we allow a few environment variables to pass and
- then define our _\ba_\bl_\bi_\ba_\bs_\be_\bs:
+ then define our \e[4maliases\e[24m:
# Run X applications through sudo; HOME is used to find the
# .Xauthority file. Note that other programs use HOME to find
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
/usr/sbin/restore, /usr/sbin/rrestore
Cmnd_Alias KILL = /usr/bin/kill
-
-
-
-1.7.6 April 9, 2011 22
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
- Here we override some of the compiled in default values. We want s\bsu\bud\bdo\bo
- to log via _\bs_\by_\bs_\bl_\bo_\bg(3) using the _\ba_\bu_\bt_\bh facility in all cases. We don't
- want to subject the full time staff to the s\bsu\bud\bdo\bo lecture, user m\bmi\bil\bll\ble\ber\brt\bt
+ Here we override some of the compiled in default values. We want \e[1msudo\e[0m
+ to log via \e[4msyslog\e[24m(3) using the \e[4mauth\e[24m facility in all cases. We don't
+ want to subject the full time staff to the \e[1msudo \e[22mlecture, user \e[1mmillert\e[0m
need not give a password, and we don't want to reset the LOGNAME, USER
or USERNAME environment variables when running commands as root.
- Additionally, on the machines in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, we keep an
+ Additionally, on the machines in the \e[4mSERVERS\e[24m Host_Alias, we keep an
additional local log file and make sure we log the year in each log
line since the log entries will be kept around for several years.
Lastly, we disable shell escapes for the commands in the PAGERS
- Cmnd_Alias (_\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be, _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bp_\bg and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\be_\bs_\bs).
+ Cmnd_Alias (\e[4m/usr/bin/more\e[24m, \e[4m/usr/bin/pg\e[24m and \e[4m/usr/bin/less\e[24m).
# Override built-in defaults
Defaults syslog=auth
Defaults@SERVERS log_year, logfile=/var/log/sudo.log
Defaults!PAGERS noexec
- The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually determines who may run
+ The \e[4mUser\e[24m \e[4mspecification\e[24m is the part that actually determines who may run
what.
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
- We let r\bro\boo\bot\bt and any user in group w\bwh\bhe\bee\bel\bl run any command on any host as
+ We let \e[1mroot \e[22mand any user in group \e[1mwheel \e[22mrun any command on any host as
any user.
FULLTIMERS ALL = NOPASSWD: ALL
- Full time sysadmins (m\bmi\bil\bll\ble\ber\brt\bt, m\bmi\bik\bke\bef\bf, and d\bdo\bow\bwd\bdy\by) may run any command on
+ Full time sysadmins (\e[1mmillert\e[22m, \e[1mmikef\e[22m, and \e[1mdowdy\e[22m) may run any command on
any host without authenticating themselves.
PARTTIMERS ALL = ALL
- Part time sysadmins (b\bbo\bos\bst\btl\ble\bey\by, j\bjw\bwf\bfo\box\bx, and c\bcr\bra\baw\bwl\bl) may run any command on
+ Part time sysadmins (\e[1mbostley\e[22m, \e[1mjwfox\e[22m, and \e[1mcrawl\e[22m) may run any command on
any host but they must authenticate themselves first (since the entry
lacks the NOPASSWD tag).
jack CSNETS = ALL
- The user j\bja\bac\bck\bk may run any command on the machines in the _\bC_\bS_\bN_\bE_\bT_\bS alias
+ The user \e[1mjack \e[22mmay run any command on the machines in the \e[4mCSNETS\e[24m alias
(the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of
those networks, only 128.138.204.0 has an explicit netmask (in CIDR
-
-
-
-1.7.6 April 9, 2011 23
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
notation) indicating it is a class C network. For the other networks
- in _\bC_\bS_\bN_\bE_\bT_\bS, the local machine's netmask will be used during matching.
+ in \e[4mCSNETS\e[24m, the local machine's netmask will be used during matching.
lisa CUNETS = ALL
- The user l\bli\bis\bsa\ba may run any command on any host in the _\bC_\bU_\bN_\bE_\bT_\bS alias (the
+ The user \e[1mlisa \e[22mmay run any command on any host in the \e[4mCUNETS\e[24m alias (the
class B network 128.138.0.0).
operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
sudoedit /etc/printcap, /usr/oper/bin/
- The o\bop\bpe\ber\bra\bat\bto\bor\br user may run commands limited to simple maintenance.
+ The \e[1moperator \e[22muser may run commands limited to simple maintenance.
Here, those are commands related to backups, killing processes, the
printing system, shutting down the system, and any commands in the
- directory _\b/_\bu_\bs_\br_\b/_\bo_\bp_\be_\br_\b/_\bb_\bi_\bn_\b/.
+ directory \e[4m/usr/oper/bin/\e[24m.
joe ALL = /usr/bin/su operator
- The user j\bjo\boe\be may only _\bs_\bu(1) to operator.
+ The user \e[1mjoe \e[22mmay only \e[4msu\e[24m(1) to operator.
pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
%opers ALL = (: ADMINGRP) /usr/sbin/
- Users in the o\bop\bpe\ber\brs\bs group may run commands in _\b/_\bu_\bs_\br_\b/_\bs_\bb_\bi_\bn_\b/ as themselves
- with any group in the _\bA_\bD_\bM_\bI_\bN_\bG_\bR_\bP Runas_Alias (the a\bad\bdm\bm and o\bop\bpe\ber\br groups).
+ Users in the \e[1mopers \e[22mgroup may run commands in \e[4m/usr/sbin/\e[24m as themselves
+ with any group in the \e[4mADMINGRP\e[24m Runas_Alias (the \e[1madm \e[22mand \e[1moper \e[22mgroups).
- The user p\bpe\bet\bte\be is allowed to change anyone's password except for root on
- the _\bH_\bP_\bP_\bA machines. Note that this assumes _\bp_\ba_\bs_\bs_\bw_\bd(1) does not take
+ The user \e[1mpete \e[22mis allowed to change anyone's password except for root on
+ the \e[4mHPPA\e[24m machines. Note that this assumes \e[4mpasswd\e[24m(1) does not take
multiple user names on the command line.
bob SPARC = (OP) ALL : SGI = (OP) ALL
- The user b\bbo\bob\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI machines as any user
- listed in the _\bO_\bP Runas_Alias (r\bro\boo\bot\bt and o\bop\bpe\ber\bra\bat\bto\bor\br).
+ The user \e[1mbob \e[22mmay run anything on the \e[4mSPARC\e[24m and \e[4mSGI\e[24m machines as any user
+ listed in the \e[4mOP\e[24m Runas_Alias (\e[1mroot \e[22mand \e[1moperator\e[22m).
jim +biglab = ALL
- The user j\bji\bim\bm may run any command on machines in the _\bb_\bi_\bg_\bl_\ba_\bb netgroup.
- s\bsu\bud\bdo\bo knows that "biglab" is a netgroup due to the '+' prefix.
+ The user \e[1mjim \e[22mmay run any command on machines in the \e[4mbiglab\e[24m netgroup.
+ \e[1msudo \e[22mknows that "biglab" is a netgroup due to the '+' prefix.
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
- Users in the s\bse\bec\bcr\bre\bet\bta\bar\bri\bie\bes\bs netgroup need to help manage the printers as
+ Users in the \e[1msecretaries \e[22mnetgroup need to help manage the printers as
well as add and remove users, so they are allowed to run those commands
on all machines.
fred ALL = (DB) NOPASSWD: ALL
- The user f\bfr\bre\bed\bd can run commands as any user in the _\bD_\bB Runas_Alias
- (o\bor\bra\bac\bcl\ble\be or s\bsy\byb\bba\bas\bse\be) without giving a password.
+ The user \e[1mfred \e[22mcan run commands as any user in the \e[4mDB\e[24m Runas_Alias
+ (\e[1moracle \e[22mor \e[1msybase\e[22m) without giving a password.
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
-
-
-
-1.7.6 April 9, 2011 24
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- On the _\bA_\bL_\bP_\bH_\bA machines, user j\bjo\boh\bhn\bn may su to anyone except root but he is
- not allowed to specify any options to the _\bs_\bu(1) command.
+ On the \e[4mALPHA\e[24m machines, user \e[1mjohn \e[22mmay su to anyone except root but he is
+ not allowed to specify any options to the \e[4msu\e[24m(1) command.
jen ALL, !SERVERS = ALL
- The user j\bje\ben\bn may run any command on any machine except for those in the
- _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias (master, mail, www and ns).
+ The user \e[1mjen \e[22mmay run any command on any machine except for those in the
+ \e[4mSERVERS\e[24m Host_Alias (master, mail, www and ns).
jill SERVERS = /usr/bin/, !SU, !SHELLS
- For any machine in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, j\bji\bil\bll\bl may run any commands in
- the directory _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/ except for those commands belonging to the _\bS_\bU
- and _\bS_\bH_\bE_\bL_\bL_\bS Cmnd_Aliases.
+ For any machine in the \e[4mSERVERS\e[24m Host_Alias, \e[1mjill \e[22mmay run any commands in
+ the directory \e[4m/usr/bin/\e[24m except for those commands belonging to the \e[4mSU\e[0m
+ and \e[4mSHELLS\e[24m Cmnd_Aliases.
steve CSNETS = (operator) /usr/local/op_commands/
- The user s\bst\bte\bev\bve\be may run any command in the directory
+ The user \e[1msteve \e[22mmay run any command in the directory
/usr/local/op_commands/ but only as user operator.
matt valkyrie = KILL
- On his personal workstation, valkyrie, m\bma\bat\btt\bt needs to be able to kill
+ On his personal workstation, valkyrie, \e[1mmatt \e[22mneeds to be able to kill
hung processes.
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
- On the host www, any user in the _\bW_\bE_\bB_\bM_\bA_\bS_\bT_\bE_\bR_\bS User_Alias (will, wendy,
+ On the host www, any user in the \e[4mWEBMASTERS\e[24m User_Alias (will, wendy,
and wim), may run any command as user www (which owns the web pages) or
- simply _\bs_\bu(1) to www.
+ simply \e[4msu\e[24m(1) to www.
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
/sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
This is a bit tedious for users to type, so it is a prime candidate for
encapsulating in a shell script.
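Review bot: the closing advice to wrap the CDROM mount/umount commands in a shell script should state the condition that keeps it safe: once the script is the command granted in sudoers, its contents are the privilege boundary, so the script must be owned by root and not writable by the users covered by the ALL entry, otherwise the NOPASSWD grant extends to whatever the script is later edited to do. One sentence to that effect after "encapsulating in a shell script" would close the gap.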
-S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
+\e[1mSECURITY NOTES\e[0m
It is generally not effective to "subtract" commands from ALL using the
'!' operator. A user can trivially circumvent this by copying the
desired command to a different name and then executing that. For
bill ALL = ALL, !SU, !SHELLS
- Doesn't really prevent b\bbi\bil\bll\bl from running the commands listed in _\bS_\bU or
- _\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those commands to a different name, or
+ Doesn't really prevent \e[1mbill \e[22mfrom running the commands listed in \e[4mSU\e[24m or
+ \e[4mSHELLS\e[24m since he can simply copy those commands to a different name, or
use a shell escape from an editor or other program. Therefore, these
kind of restrictions should be considered advisory at best (and
reinforced by policy).
- Furthermore, if the _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb option is in use, it is not possible to
+ Furthermore, if the \e[4mfast_glob\e[24m option is in use, it is not possible to
reliably negate commands where the path name includes globbing (aka
-
-
-
-1.7.6 April 9, 2011 25
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- wildcard) characters. This is because the C library's _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3)
+ wildcard) characters. This is because the C library's \e[4mfnmatch\e[24m(3)
function cannot resolve relative paths. While this is typically only
an inconvenience for rules that grant privileges, it can result in a
security issue for rules that subtract or revoke privileges.
- For example, given the following _\bs_\bu_\bd_\bo_\be_\br_\bs entry:
+ For example, given the following \e[4msudoers\e[24m entry:
john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
/usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
- User j\bjo\boh\bhn\bn can still run /usr/bin/passwd root if _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is enabled by
- changing to _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn and running ./passwd root instead.
+ User \e[1mjohn \e[22mcan still run /usr/bin/passwd root if \e[4mfast_glob\e[24m is enabled by
+ changing to \e[4m/usr/bin\e[24m and running ./passwd root instead.
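Review bot: the fast_glob example describes the bypass ("./passwd root" after changing to /usr/bin) but gives no remedy, so the reader is left with a rule the page itself calls broken. Suggest ending the paragraph with the guidance that follows from it: leave fast_glob disabled whenever a negated entry contains wildcard characters, or write the restriction positively instead of subtracting "!/usr/bin/* root" from a wildcard grant, which the preceding paragraph already says is advisory at best.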
-P\bPR\bRE\bEV\bVE\bEN\bNT\bTI\bIN\bNG\bG S\bSH\bHE\bEL\bLL\bL E\bES\bSC\bCA\bAP\bPE\bES\bS
- Once s\bsu\bud\bdo\bo executes a program, that program is free to do whatever it
+\e[1mPREVENTING SHELL ESCAPES\e[0m
+ Once \e[1msudo \e[22mexecutes a program, that program is free to do whatever it
pleases, including run other programs. This can be a security issue
since it is not uncommon for a program to allow shell escapes, which
- lets a user bypass s\bsu\bud\bdo\bo's access control and logging. Common programs
+ lets a user bypass \e[1msudo\e[22m's access control and logging. Common programs
that permit shell escapes include shells (obviously), editors,
paginators, mail and terminal programs.
restrict Avoid giving users access to commands that allow the user to
run arbitrary commands. Many editors have a restricted mode
- where shell escapes are disabled, though s\bsu\bud\bdo\boe\bed\bdi\bit\bt is a better
- solution to running editors via s\bsu\bud\bdo\bo. Due to the large
+ where shell escapes are disabled, though \e[1msudoedit \e[22mis a better
+ solution to running editors via \e[1msudo\e[22m. Due to the large
number of programs that offer shell escapes, restricting
users to the set of programs that do not is often unworkable.
noexec Many systems that support shared libraries have the ability
to override default library functions by pointing an
environment variable (usually LD_PRELOAD) to an alternate
- shared library. On such systems, s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality
- can be used to prevent a program run by s\bsu\bud\bdo\bo from executing
+ shared library. On such systems, \e[1msudo\e[22m's \e[4mnoexec\e[24m functionality
+ can be used to prevent a program run by \e[1msudo \e[22mfrom executing
any other programs. Note, however, that this applies only to
native dynamically-linked executables. Statically-linked
executables and foreign executables running under binary
emulation are not affected.
- To tell whether or not s\bsu\bud\bdo\bo supports _\bn_\bo_\be_\bx_\be_\bc, you can run the
+ To tell whether or not \e[1msudo \e[22msupports \e[4mnoexec\e[24m, you can run the
following as root:
sudo -V | grep "dummy exec"
File containing dummy exec functions:
- then s\bsu\bud\bdo\bo may be able to replace the exec family of functions
+ then \e[1msudo \e[22mmay be able to replace the exec family of functions
in the standard library with its own that simply return an
error. Unfortunately, there is no foolproof way to know
- whether or not _\bn_\bo_\be_\bx_\be_\bc will work at compile-time. _\bn_\bo_\be_\bx_\be_\bc
+ whether or not \e[4mnoexec\e[24m will work at compile-time. \e[4mnoexec\e[0m
should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX,
-
-
-
-1.7.6 April 9, 2011 26
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- MacOS X, and HP-UX 11.x. It is known n\bno\bot\bt to work on AIX and
- UnixWare. _\bn_\bo_\be_\bx_\be_\bc is expected to work on most operating
+ MacOS X, and HP-UX 11.x. It is known \e[1mnot \e[22mto work on AIX and
+ UnixWare. \e[4mnoexec\e[24m is expected to work on most operating
systems that support the LD_PRELOAD environment variable.
Check your operating system's manual pages for the dynamic
linker (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader)
to see if LD_PRELOAD is supported.
- To enable _\bn_\bo_\be_\bx_\be_\bc for a command, use the NOEXEC tag as
+ To enable \e[4mnoexec\e[24m for a command, use the NOEXEC tag as
documented in the User Specification section above. Here is
that example again:
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
- This allows user a\baa\bar\bro\bon\bn to run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi
- with _\bn_\bo_\be_\bx_\be_\bc enabled. This will prevent those two commands
+ This allows user \e[1maaron \e[22mto run \e[4m/usr/bin/more\e[24m and \e[4m/usr/bin/vi\e[0m
+ with \e[4mnoexec\e[24m enabled. This will prevent those two commands
from executing other commands (such as a shell). If you are
unsure whether or not your system is capable of supporting
- _\bn_\bo_\be_\bx_\be_\bc you can always just try it out and see if it works.
+ \e[4mnoexec\e[24m you can always just try it out and see if it works.
Note that restricting shell escapes is not a panacea. Programs running
as root are still capable of many potentially hazardous operations
(such as changing or overwriting files) that could lead to unintended
privilege escalation. In the specific case of an editor, a safer
- approach is to give the user permission to run s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
+ approach is to give the user permission to run \e[1msudoedit\e[22m.
-S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\br_\bs_\bh(1), _\bs_\bu(1), _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3), _\bg_\bl_\bo_\bb(3), _\bs_\bu_\bd_\bo(1m), _\bv_\bi_\bs_\bu_\bd_\bo(8)
+\e[1mSEE ALSO\e[0m
+ \e[4mrsh\e[24m(1), \e[4msu\e[24m(1), \e[4mfnmatch\e[24m(3), \e[4mglob\e[24m(3), \e[4msudo\e[24m(1m), \e[4mvisudo\e[24m(8)
-C\bCA\bAV\bVE\bEA\bAT\bTS\bS
- The _\bs_\bu_\bd_\bo_\be_\br_\bs file should a\bal\blw\bwa\bay\bys\bs be edited by the v\bvi\bis\bsu\bud\bdo\bo command which
+\e[1mCAVEATS\e[0m
+ The \e[4msudoers\e[24m file should \e[1malways \e[22mbe edited by the \e[1mvisudo \e[22mcommand which
locks the file and does grammatical checking. It is imperative that
- _\bs_\bu_\bd_\bo_\be_\br_\bs be free of syntax errors since s\bsu\bud\bdo\bo will not run with a
- syntactically incorrect _\bs_\bu_\bd_\bo_\be_\br_\bs file.
+ \e[4msudoers\e[24m be free of syntax errors since \e[1msudo \e[22mwill not run with a
+ syntactically incorrect \e[4msudoers\e[24m file.
When using netgroups of machines (as opposed to users), if you store
fully qualified host name in the netgroup (as is usually the case), you
either need to have the machine's host name be fully qualified as
- returned by the hostname command or use the _\bf_\bq_\bd_\bn option in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+ returned by the hostname command or use the \e[4mfqdn\e[24m option in \e[4msudoers\e[24m.
-B\bBU\bUG\bGS\bS
- If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
+\e[1mBUGS\e[0m
+ If you feel you have found a bug in \e[1msudo\e[22m, please submit a bug report at
http://www.sudo.ws/sudo/bugs/
-S\bSU\bUP\bPP\bPO\bOR\bRT\bT
+\e[1mSUPPORT\e[0m
Limited free support is available via the sudo-users mailing list, see
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
the archives.
-D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
+\e[1mDISCLAIMER\e[0m
+ \e[1msudo \e[22mis provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose are disclaimed.
- See the LICENSE file distributed with s\bsu\bud\bdo\bo or
+ See the LICENSE file distributed with \e[1msudo \e[22mor
http://www.sudo.ws/sudo/license.html for complete details.
-1.7.6 April 9, 2011 27
-
-
+1.7.7 August 13, 2011 SUDOERS(4)
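Review bot: the SEE ALSO line mixes manual-section conventions, "sudo(1m)" (System V administrative section) next to "visudo(8)" (BSD/Linux), on a page that is itself numbered sudoers(4) under "MAINTENANCE COMMANDS"; the visudo reference looks hardcoded while the sudo reference is substituted at build time, so both should come from the same substitution and yield one scheme per build. A minor grammar point in CAVEATS: "if you store fully qualified host name in the netgroup" should read "host names".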
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
-N\bNA\bAM\bME\bE
+\e[1mNAME\e[0m
sudoers.ldap - sudo LDAP configuration
-D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- In addition to the standard _\bs_\bu_\bd_\bo_\be_\br_\bs file, s\bsu\bud\bdo\bo may be configured via
- LDAP. This can be especially useful for synchronizing _\bs_\bu_\bd_\bo_\be_\br_\bs in a
+\e[1mDESCRIPTION\e[0m
+ In addition to the standard \e[4msudoers\e[24m file, \e[1msudo \e[22mmay be configured via
+ LDAP. This can be especially useful for synchronizing \e[4msudoers\e[24m in a
large, distributed environment.
- Using LDAP for _\bs_\bu_\bd_\bo_\be_\br_\bs has several benefits:
+ Using LDAP for \e[4msudoers\e[24m has several benefits:
- +\bo s\bsu\bud\bdo\bo no longer needs to read _\bs_\bu_\bd_\bo_\be_\br_\bs in its entirety. When LDAP is
+ +\bo \e[1msudo \e[22mno longer needs to read \e[4msudoers\e[24m in its entirety. When LDAP is
used, there are only two or three LDAP queries per invocation.
This makes it especially fast and particularly usable in LDAP
environments.
- +\bo s\bsu\bud\bdo\bo no longer exits if there is a typo in _\bs_\bu_\bd_\bo_\be_\br_\bs. It is not
+ +\bo \e[1msudo \e[22mno longer exits if there is a typo in \e[4msudoers\e[24m. It is not
possible to load LDAP data into the server that does not conform to
the sudoers schema, so proper syntax is guaranteed. It is still
possible to have typos in a user or host name, but this will not
- prevent s\bsu\bud\bdo\bo from running.
+ prevent \e[1msudo \e[22mfrom running.
+\bo It is possible to specify per-entry options that override the
- global default options. _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs only supports default options
+ global default options. \e[4m/etc/sudoers\e[24m only supports default options
and limited options associated with user/host/commands/aliases.
The syntax is complicated and can be difficult for users to
understand. Placing the options directly in the entry is more
natural.
- +\bo The v\bvi\bis\bsu\bud\bdo\bo program is no longer needed. v\bvi\bis\bsu\bud\bdo\bo provides locking
- and syntax checking of the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs file. Since LDAP updates
+ +\bo The \e[1mvisudo \e[22mprogram is no longer needed. \e[1mvisudo \e[22mprovides locking
+ and syntax checking of the \e[4m/etc/sudoers\e[24m file. Since LDAP updates
are atomic, locking is no longer necessary. Because syntax is
checked when the data is inserted into LDAP, there is no need for a
specialized tool to check syntax.
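Review bot: the bullet glyphs in the added lines are still emitted as the overstrike sequence "+\bo" while bold and underline on the same lines use SGR escapes, so this page has been rendered with two incompatible encodings at once; regenerate it in a single output mode instead of patching individual lines.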
- Another major difference between LDAP and file-based _\bs_\bu_\bd_\bo_\be_\br_\bs is that in
- LDAP, s\bsu\bud\bdo\bo-specific Aliases are not supported.
+ Another major difference between LDAP and file-based \e[4msudoers\e[24m is that in
+ LDAP, \e[1msudo\e[22m-specific Aliases are not supported.
- For the most part, there is really no need for s\bsu\bud\bdo\bo-specific Aliases.
+ For the most part, there is really no need for \e[1msudo\e[22m-specific Aliases.
Unix groups or user netgroups can be used in place of User_Aliases and
Runas_Aliases. Host netgroups can be used in place of Host_Aliases.
Since Unix groups and netgroups can also be stored in LDAP there is no
- real need for s\bsu\bud\bdo\bo-specific aliases.
+ real need for \e[1msudo\e[22m-specific aliases.
Cmnd_Aliases are not really required either since it is possible to
have multiple users listed in a sudoRole. Instead of defining a
Cmnd_Alias that is referenced by multiple users, one can create a
sudoRole that contains the commands and assign multiple users to it.
- S\bSU\bUD\bDO\bOe\ber\brs\bs L\bLD\bDA\bAP\bP c\bco\bon\bnt\bta\bai\bin\bne\ber\br
- The _\bs_\bu_\bd_\bo_\be_\br_\bs configuration is contained in the ou=SUDOers LDAP
+ \e[1mSUDOers LDAP container\e[0m
+ The \e[4msudoers\e[24m configuration is contained in the ou=SUDOers LDAP
container.
Sudo first looks for the cn=default entry in the SUDOers container. If
found, the multi-valued sudoOption attribute is parsed in the same
-
-
-
-1.7.6 April 9, 2011 1
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
- manner as a global Defaults line in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. In the following
+ manner as a global Defaults line in \e[4m/etc/sudoers\e[24m. In the following
example, the SSH_AUTH_SOCK variable will be preserved in the
environment for all users.
The equivalent of a sudoer in LDAP is a sudoRole. It consists of the
following attributes:
- s\bsu\bud\bdo\boU\bUs\bse\ber\br
+ \e[1msudoUser\e[0m
A user name, uid (prefixed with '#'), Unix group (prefixed with a
'%') or user netgroup (prefixed with a '+').
- s\bsu\bud\bdo\boH\bHo\bos\bst\bt
+ \e[1msudoHost\e[0m
A host name, IP address, IP network, or host netgroup (prefixed
with a '+'). The special value ALL will match any host.
- s\bsu\bud\bdo\boC\bCo\bom\bmm\bma\ban\bnd\bd
+ \e[1msudoCommand\e[0m
A Unix command with optional command line arguments, potentially
including globbing characters (aka wild cards). The special value
ALL will match any command. If a command is prefixed with an
exclamation point '!', the user will be prohibited from running
that command.
- s\bsu\bud\bdo\boO\bOp\bpt\bti\bio\bon\bn
+ \e[1msudoOption\e[0m
Identical in function to the global options described above, but
specific to the sudoRole in which it resides.
- s\bsu\bud\bdo\boR\bRu\bun\bnA\bAs\bsU\bUs\bse\ber\br
+ \e[1msudoRunAsUser\e[0m
A user name or uid (prefixed with '#') that commands may be run as
or a Unix group (prefixed with a '%') or user netgroup (prefixed
with a '+') that contains a list of users that commands may be run
as. The special value ALL will match any user.
- The sudoRunAsUser attribute is only available in s\bsu\bud\bdo\bo versions
- 1.7.0 and higher. Older versions of s\bsu\bud\bdo\bo use the sudoRunAs
+ The sudoRunAsUser attribute is only available in \e[1msudo \e[22mversions
+ 1.7.0 and higher. Older versions of \e[1msudo \e[22muse the sudoRunAs
attribute instead.
- s\bsu\bud\bdo\boR\bRu\bun\bnA\bAs\bsG\bGr\bro\bou\bup\bp
+ \e[1msudoRunAsGroup\e[0m
A Unix group or gid (prefixed with '#') that commands may be run
as. The special value ALL will match any group.
- The sudoRunAsGroup attribute is only available in s\bsu\bud\bdo\bo versions
+ The sudoRunAsGroup attribute is only available in \e[1msudo \e[22mversions
1.7.0 and higher.
- s\bsu\bud\bdo\boN\bNo\bot\btB\bBe\bef\bfo\bor\bre\be
- A timestamp in the form yyyymmddHHMMZ that can be used to provide a
- start date/time for when the sudoRole will be valid. If multiple
+ \e[1msudoNotBefore\e[0m
+ A timestamp in the form yyyymmddHHMMSSZ that can be used to provide
+ a start date/time for when the sudoRole will be valid. If multiple
sudoNotBefore entries are present, the earliest is used. Note that
-
-
-
-1.7.6 April 9, 2011 2
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
timestamps must be in Coordinated Universal Time (UTC), not the
- local timezone.
+ local timezone. The minute and seconds portions are optional, but
+ some LDAP servers require that they be present (contrary to the
+ RFC).
- The sudoNotBefore attribute is only available in s\bsu\bud\bdo\bo versions
+ The sudoNotBefore attribute is only available in \e[1msudo \e[22mversions
1.7.5 and higher and must be explicitly enabled via the
- S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD option in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf.
-
- s\bsu\bud\bdo\boN\bNo\bot\btA\bAf\bft\bte\ber\br
- A timestamp in the form yyyymmddHHMMZ that indicates an expiration
- date/time, after which the sudoRole will no longer be valid. If
- multiple sudoNotBefore entries are present, the last one is used.
- Note that timestamps must be in Coordinated Universal Time (UTC),
- not the local timezone.
-
- The sudoNotAfter attribute is only available in s\bsu\bud\bdo\bo versions 1.7.5
- and higher and must be explicitly enabled via the S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD
- option in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf.
-
- s\bsu\bud\bdo\boO\bOr\brd\bde\ber\br
+ \e[1mSUDOERS_TIMED \e[22moption in \e[4m/etc/ldap.conf\e[24m.
+
+ \e[1msudoNotAfter\e[0m
+ A timestamp in the form yyyymmddHHMMSSZ that indicates an
+ expiration date/time, after which the sudoRole will no longer be
+ valid. If multiple sudoNotBefore entries are present, the last one
+ is used. Note that timestamps must be in Coordinated Universal
+ Time (UTC), not the local timezone. The minute and seconds
+ portions are optional, but some LDAP servers require that they be
+ present (contrary to the RFC).
+
+ The sudoNotAfter attribute is only available in \e[1msudo \e[22mversions 1.7.5
+ and higher and must be explicitly enabled via the \e[1mSUDOERS_TIMED\e[0m
+ option in \e[4m/etc/ldap.conf\e[24m.
+
+ \e[1msudoOrder\e[0m
The sudoRole entries retrieved from the LDAP directory have no
inherent order. The sudoOrder attribute is an integer (or floating
point value for LDAP servers that support it) that is used to sort
corresponds to the "last match" behavior of the sudoers file. If
the sudoOrder attribute is not present, a value of 0 is assumed.
- The sudoOrder attribute is only available in s\bsu\bud\bdo\bo versions 1.7.5
+ The sudoOrder attribute is only available in \e[1msudo \e[22mversions 1.7.5
and higher.
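Review bot: the sudoNotAfter paragraph says "If multiple sudoNotBefore entries are present, the last one is used"; that is a copy of the sudoNotBefore text and should read sudoNotAfter (the removed lines carry the same slip, so the hunk forwards an existing error rather than fixing it). Two smaller points in the same block: "The minute and seconds portions" should be "minutes and seconds", and since the format was changed to yyyymmddHHMMSSZ for servers that insist on seconds, the text should say whether stored values must now include seconds or only the values sudo sends in its time-constraint filter do, otherwise an administrator cannot tell which form to store.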
Each attribute listed above should contain a single value, but there
contain at least one sudoUser, sudoHost and sudoCommand.
The following example allows users in group wheel to run any command on
- any host via s\bsu\bud\bdo\bo:
+ any host via \e[1msudo\e[22m:
dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
objectClass: top
sudoHost: ALL
sudoCommand: ALL
- A\bAn\bna\bat\bto\bom\bmy\by o\bof\bf L\bLD\bDA\bAP\bP s\bsu\bud\bdo\boe\ber\brs\bs l\blo\boo\bok\bku\bup\bp
+ \e[1mAnatomy of LDAP sudoers lookup\e[0m
When looking up a sudoer using LDAP there are only two or three LDAP
queries per invocation. The first query is to parse the global
options. The second is to match against the user's name and the groups
that the user belongs to. (The special ALL tag is matched in this
query too.) If no match is returned for the user's name and groups, a
third query returns all entries containing user netgroups and checks to
-
-
-
-1.7.6 April 9, 2011 3
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
see if the user belongs to any of them.
- If timed entries are enabled with the S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD configuration
+ If timed entries are enabled with the \e[1mSUDOERS_TIMED \e[22mconfiguration
directive, the LDAP queries include a subfilter that limits retrieval
to entries that satisfy the time constraints, if any.
- D\bDi\bif\bff\bfe\ber\bre\ben\bnc\bce\bes\bs b\bbe\bet\btw\bwe\bee\ben\bn L\bLD\bDA\bAP\bP a\ban\bnd\bd n\bno\bon\bn-\b-L\bLD\bDA\bAP\bP s\bsu\bud\bdo\boe\ber\brs\bs
+ \e[1mDifferences between LDAP and non-LDAP sudoers\e[0m
There are some subtle differences in the way sudoers is handled once in
LDAP. Probably the biggest is that according to the RFC, LDAP ordering
is arbitrary and you cannot expect that Attributes and Entries are
currently ignored. For example, the following attributes do not behave
the way one might expect.
-
-
-
-
-1.7.6 April 9, 2011 4
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
# does not match all but joe
# rather, does not match anyone
sudoUser: !joe
sudoHost: ALL
sudoHost: !web01
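Review bot: this negation example shows that a schema-valid sudoRole can be semantically dead or wider than intended ("sudoUser: !joe" matches no one; with "sudoHost: ALL" present, "!web01" cannot narrow it because ALL matches any host), which contradicts the DESCRIPTION bullet claiming that because data cannot be loaded unless it conforms to the schema, "proper syntax is guaranteed" and no visudo-style checker is needed. Suggest qualifying that bullet: the schema validates attribute syntax only, and entries that never match or that grant more than their author intended are not flagged anywhere. The ALL plus "!web01" case is the one worth calling out as a security caveat rather than a curiosity, since the role applies on web01 despite the line meant to exclude it.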
- S\bSu\bud\bdo\boe\ber\brs\bs S\bSc\bch\bhe\bem\bma\ba
- In order to use s\bsu\bud\bdo\bo's LDAP support, the s\bsu\bud\bdo\bo schema must be installed
+ \e[1mSudoers Schema\e[0m
+ In order to use \e[1msudo\e[22m's LDAP support, the \e[1msudo \e[22mschema must be installed
on your LDAP server. In addition, be sure to index the 'sudoUser'
attribute.
Three versions of the schema: one for OpenLDAP servers
- (_\bs_\bc_\bh_\be_\bm_\ba_\b._\bO_\bp_\be_\bn_\bL_\bD_\bA_\bP), one for Netscape-derived servers (_\bs_\bc_\bh_\be_\bm_\ba_\b._\bi_\bP_\bl_\ba_\bn_\be_\bt),
- and one for Microsoft Active Directory (_\bs_\bc_\bh_\be_\bm_\ba_\b._\bA_\bc_\bt_\bi_\bv_\be_\bD_\bi_\br_\be_\bc_\bt_\bo_\br_\by) may be
- found in the s\bsu\bud\bdo\bo distribution.
+ (\e[4mschema.OpenLDAP\e[24m), one for Netscape-derived servers (\e[4mschema.iPlanet\e[24m),
+ and one for Microsoft Active Directory (\e[4mschema.ActiveDirectory\e[24m) may be
+ found in the \e[1msudo \e[22mdistribution.
- The schema for s\bsu\bud\bdo\bo in OpenLDAP form is included in the EXAMPLES
+ The schema for \e[1msudo \e[22min OpenLDAP form is included in the EXAMPLES
section.
- C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg l\bld\bda\bap\bp.\b.c\bco\bon\bnf\bf
- Sudo reads the _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf file for LDAP-specific configuration.
+ \e[1mConfiguring ldap.conf\e[0m
+ Sudo reads the \e[4m/etc/ldap.conf\e[24m file for LDAP-specific configuration.
Typically, this file is shared amongst different LDAP-aware clients.
- As such, most of the settings are not s\bsu\bud\bdo\bo-specific. Note that s\bsu\bud\bdo\bo
- parses _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf itself and may support options that differ from
- those described in the _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(4) manual.
+ As such, most of the settings are not \e[1msudo\e[22m-specific. Note that \e[1msudo\e[0m
+ parses \e[4m/etc/ldap.conf\e[24m itself and may support options that differ from
+ those described in the \e[4mldap.conf\e[24m(4) manual.
Also note that on systems using the OpenLDAP libraries, default values
- specified in _\b/_\be_\bt_\bc_\b/_\bo_\bp_\be_\bn_\bl_\bd_\ba_\bp_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf or the user's _\b._\bl_\bd_\ba_\bp_\br_\bc files are
+ specified in \e[4m/etc/openldap/ldap.conf\e[24m or the user's \e[4m.ldaprc\e[24m files are
not used.
- Only those options explicitly listed in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf as being
- supported by s\bsu\bud\bdo\bo are honored. Configuration options are listed below
+ Only those options explicitly listed in \e[4m/etc/ldap.conf\e[24m as being
+ supported by \e[1msudo \e[22mare honored. Configuration options are listed below
in upper case but are parsed in a case-independent manner.
- U\bUR\bRI\bI ldap[s]://[hostname[:port]] ...
+ \e[1mURI \e[22mldap[s]://[hostname[:port]] ...
Specifies a whitespace-delimited list of one or more URIs
- describing the LDAP server(s) to connect to. The _\bp_\br_\bo_\bt_\bo_\bc_\bo_\bl may be
- either l\bld\bda\bap\bp or l\bld\bda\bap\bps\bs, the latter being for servers that support TLS
- (SSL) encryption. If no _\bp_\bo_\br_\bt is specified, the default is port 389
- for ldap:// or port 636 for ldaps://. If no _\bh_\bo_\bs_\bt_\bn_\ba_\bm_\be is specified,
- s\bsu\bud\bdo\bo will connect to l\blo\boc\bca\bal\blh\bho\bos\bst\bt. Multiple U\bUR\bRI\bI lines are treated
- identically to a U\bUR\bRI\bI line containing multiple entries. Only
+ describing the LDAP server(s) to connect to. The \e[4mprotocol\e[24m may be
+ either \e[1mldap \e[22mor \e[1mldaps\e[22m, the latter being for servers that support TLS
+ (SSL) encryption. If no \e[4mport\e[24m is specified, the default is port 389
+ for ldap:// or port 636 for ldaps://. If no \e[4mhostname\e[24m is specified,
+ \e[1msudo \e[22mwill connect to \e[1mlocalhost\e[22m. Multiple \e[1mURI \e[22mlines are treated
+ identically to a \e[1mURI \e[22mline containing multiple entries. Only
systems using the OpenSSL libraries support the mixing of ldap://
and ldaps:// URIs. The Netscape-derived libraries used on most
commercial versions of Unix are only capable of supporting one or
the other.
-
-
-1.7.6 April 9, 2011 5
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
- H\bHO\bOS\bST\bT name[:port] ...
- If no U\bUR\bRI\bI is specified, the H\bHO\bOS\bST\bT parameter specifies a whitespace-
+ \e[1mHOST \e[22mname[:port] ...
+ If no \e[1mURI \e[22mis specified, the \e[1mHOST \e[22mparameter specifies a whitespace-
delimited list of LDAP servers to connect to. Each host may
- include an optional _\bp_\bo_\br_\bt separated by a colon (':'). The H\bHO\bOS\bST\bT
- parameter is deprecated in favor of the U\bUR\bRI\bI specification and is
+ include an optional \e[4mport\e[24m separated by a colon (':'). The \e[1mHOST\e[0m
+ parameter is deprecated in favor of the \e[1mURI \e[22mspecification and is
included for backwards compatibility.
- P\bPO\bOR\bRT\bT port_number
- If no U\bUR\bRI\bI is specified, the P\bPO\bOR\bRT\bT parameter specifies the default
- port to connect to on the LDAP server if a H\bHO\bOS\bST\bT parameter does not
- specify the port itself. If no P\bPO\bOR\bRT\bT parameter is used, the default
+ \e[1mPORT \e[22mport_number
+ If no \e[1mURI \e[22mis specified, the \e[1mPORT \e[22mparameter specifies the default
+ port to connect to on the LDAP server if a \e[1mHOST \e[22mparameter does not
+ specify the port itself. If no \e[1mPORT \e[22mparameter is used, the default
is port 389 for LDAP and port 636 for LDAP over TLS (SSL). The
- P\bPO\bOR\bRT\bT parameter is deprecated in favor of the U\bUR\bRI\bI specification and
+ \e[1mPORT \e[22mparameter is deprecated in favor of the \e[1mURI \e[22mspecification and
is included for backwards compatibility.
- B\bBI\bIN\bND\bD_\b_T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT seconds
- The B\bBI\bIN\bND\bD_\b_T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT parameter specifies the amount of time, in
+ \e[1mBIND_TIMELIMIT \e[22mseconds
+ The \e[1mBIND_TIMELIMIT \e[22mparameter specifies the amount of time, in
seconds, to wait while trying to connect to an LDAP server. If
- multiple U\bUR\bRI\bIs or H\bHO\bOS\bST\bTs are specified, this is the amount of time to
+ multiple \e[1mURI\e[22ms or \e[1mHOST\e[22ms are specified, this is the amount of time to
wait before trying the next one in the list.
- N\bNE\bET\bTW\bWO\bOR\bRK\bK_\b_T\bTI\bIM\bME\bEO\bOU\bUT\bT seconds
- An alias for B\bBI\bIN\bND\bD_\b_T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT for OpenLDAP compatibility.
+ \e[1mNETWORK_TIMEOUT \e[22mseconds
+ An alias for \e[1mBIND_TIMELIMIT \e[22mfor OpenLDAP compatibility.
- T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT seconds
- The T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT parameter specifies the amount of time, in seconds,
+ \e[1mTIMELIMIT \e[22mseconds
+ The \e[1mTIMELIMIT \e[22mparameter specifies the amount of time, in seconds,
to wait for a response to an LDAP query.
- T\bTI\bIM\bME\bEO\bOU\bUT\bT seconds
- The T\bTI\bIM\bME\bEO\bOU\bUT\bT parameter specifies the amount of time, in seconds, to
+ \e[1mTIMEOUT \e[22mseconds
+ The \e[1mTIMEOUT \e[22mparameter specifies the amount of time, in seconds, to
wait for a response from the various LDAP APIs.
- S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_B\bBA\bAS\bSE\bE base
- The base DN to use when performing s\bsu\bud\bdo\bo LDAP queries. Typically
+ \e[1mSUDOERS_BASE \e[22mbase
+ The base DN to use when performing \e[1msudo \e[22mLDAP queries. Typically
this is of the form ou=SUDOers,dc=example,dc=com for the domain
- example.com. Multiple S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_B\bBA\bAS\bSE\bE lines may be specified, in
+ example.com. Multiple \e[1mSUDOERS_BASE \e[22mlines may be specified, in
which case they are queried in the order specified.
- S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_S\bSE\bEA\bAR\bRC\bCH\bH_\b_F\bFI\bIL\bLT\bTE\bER\bR ldap_filter
+ \e[1mSUDOERS_SEARCH_FILTER \e[22mldap_filter
An LDAP filter which is used to restrict the set of records
- returned when performing a s\bsu\bud\bdo\bo LDAP query. Typically, this is of
+ returned when performing a \e[1msudo \e[22mLDAP query. Typically, this is of
the form attribute=value or
(&(attribute=value)(attribute2=value2)).
- S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD on/true/yes/off/false/no
+ \e[1mSUDOERS_TIMED \e[22mon/true/yes/off/false/no
Whether or not to evaluate the sudoNotBefore and sudoNotAfter
attributes that implement time-dependent sudoers entries.
- S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_D\bDE\bEB\bBU\bUG\bG debug_level
- This sets the debug level for s\bsu\bud\bdo\bo LDAP queries. Debugging
+ \e[1mSUDOERS_DEBUG \e[22mdebug_level
+ This sets the debug level for \e[1msudo \e[22mLDAP queries. Debugging
information is printed to the standard error. A value of 1 results
in a moderate amount of debugging information. A value of 2 shows
the results of the matches themselves. This parameter should not
be set in a production environment as the extra information is
-
-
-
-1.7.6 April 9, 2011 6
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
likely to confuse users.
- B\bBI\bIN\bND\bDD\bDN\bN DN
- The B\bBI\bIN\bND\bDD\bDN\bN parameter specifies the identity, in the form of a
+ \e[1mBINDDN \e[22mDN
+ The \e[1mBINDDN \e[22mparameter specifies the identity, in the form of a
Distinguished Name (DN), to use when performing LDAP operations.
If not specified, LDAP operations are performed with an anonymous
identity. By default, most LDAP servers will allow anonymous
access.
- B\bBI\bIN\bND\bDP\bPW\bW secret
- The B\bBI\bIN\bND\bDP\bPW\bW parameter specifies the password to use when performing
+ \e[1mBINDPW \e[22msecret
+ The \e[1mBINDPW \e[22mparameter specifies the password to use when performing
LDAP operations. This is typically used in conjunction with the
- B\bBI\bIN\bND\bDD\bDN\bN parameter.
+ \e[1mBINDDN \e[22mparameter.
- R\bRO\bOO\bOT\bTB\bBI\bIN\bND\bDD\bDN\bN DN
- The R\bRO\bOO\bOT\bTB\bBI\bIN\bND\bDD\bDN\bN parameter specifies the identity, in the form of a
+ \e[1mROOTBINDDN \e[22mDN
+ The \e[1mROOTBINDDN \e[22mparameter specifies the identity, in the form of a
Distinguished Name (DN), to use when performing privileged LDAP
- operations, such as _\bs_\bu_\bd_\bo_\be_\br_\bs queries. The password corresponding to
- the identity should be stored in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bs_\be_\bc_\br_\be_\bt. If not
- specified, the B\bBI\bIN\bND\bDD\bDN\bN identity is used (if any).
+ operations, such as \e[4msudoers\e[24m queries. The password corresponding to
+ the identity should be stored in \e[4m/etc/ldap.secret\e[24m. If not
+ specified, the \e[1mBINDDN \e[22midentity is used (if any).
- L\bLD\bDA\bAP\bP_\b_V\bVE\bER\bRS\bSI\bIO\bON\bN number
+ \e[1mLDAP_VERSION \e[22mnumber
The version of the LDAP protocol to use when connecting to the
server. The default value is protocol version 3.
- S\bSS\bSL\bL on/true/yes/off/false/no
- If the S\bSS\bSL\bL parameter is set to on, true or yes, TLS (SSL)
+ \e[1mSSL \e[22mon/true/yes/off/false/no
+ If the \e[1mSSL \e[22mparameter is set to on, true or yes, TLS (SSL)
encryption is always used when communicating with the LDAP server.
Typically, this involves connecting to the server on port 636
(ldaps).
- S\bSS\bSL\bL start_tls
- If the S\bSS\bSL\bL parameter is set to start_tls, the LDAP server
+ \e[1mSSL \e[22mstart_tls
+ If the \e[1mSSL \e[22mparameter is set to start_tls, the LDAP server
connection is initiated normally and TLS encryption is begun before
the bind credentials are sent. This has the advantage of not
requiring a dedicated port for encrypted communications. This
parameter is only supported by LDAP servers that honor the
start_tls extension, such as the OpenLDAP server.
- T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR on/true/yes/off/false/no
- If enabled, T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR will cause the LDAP server's TLS
+ \e[1mTLS_CHECKPEER \e[22mon/true/yes/off/false/no
+ If enabled, \e[1mTLS_CHECKPEER \e[22mwill cause the LDAP server's TLS
certificated to be verified. If the server's TLS certificate
cannot be verified (usually because it is signed by an unknown
- certificate authority), s\bsu\bud\bdo\bo will be unable to connect to it. If
- T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR is disabled, no check is made. Note that disabling
+ certificate authority), \e[1msudo \e[22mwill be unable to connect to it. If
+ \e[1mTLS_CHECKPEER \e[22mis disabled, no check is made. Note that disabling
the check creates an opportunity for man-in-the-middle attacks
since the server's identity will not be authenticated. If
possible, the CA's certificate should be installed locally so it
can be verified.
- T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bT file name
- An alias for T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE for OpenLDAP compatibility.
-
-
-
-
-
-1.7.6 April 9, 2011 7
+ \e[1mTLS_CACERT \e[22mfile name
+ An alias for \e[1mTLS_CACERTFILE \e[22mfor OpenLDAP compatibility.
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
- T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE file name
+ \e[1mTLS_CACERTFILE \e[22mfile name
The path to a certificate authority bundle which contains the
certificates for all the Certificate Authorities the client knows
- to be valid, e.g. _\b/_\be_\bt_\bc_\b/_\bs_\bs_\bl_\b/_\bc_\ba_\b-_\bb_\bu_\bn_\bd_\bl_\be_\b._\bp_\be_\bm. This option is only
+ to be valid, e.g. \e[4m/etc/ssl/ca-bundle.pem\e[24m. This option is only
supported by the OpenLDAP libraries. Netscape-derived LDAP
libraries use the same certificate database for CA and client
- certificates (see T\bTL\bLS\bS_\b_C\bCE\bER\bRT\bT).
+ certificates (see \e[1mTLS_CERT\e[22m).
- T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTD\bDI\bIR\bR directory
- Similar to T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE but instead of a file, it is a directory
+ \e[1mTLS_CACERTDIR \e[22mdirectory
+ Similar to \e[1mTLS_CACERTFILE \e[22mbut instead of a file, it is a directory
containing individual Certificate Authority certificates, e.g.
- _\b/_\be_\bt_\bc_\b/_\bs_\bs_\bl_\b/_\bc_\be_\br_\bt_\bs. The directory specified by T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTD\bDI\bIR\bR is
- checked after T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE. This option is only supported by the
+ \e[4m/etc/ssl/certs\e[24m. The directory specified by \e[1mTLS_CACERTDIR \e[22mis
+ checked after \e[1mTLS_CACERTFILE\e[22m. This option is only supported by the
OpenLDAP libraries.
- T\bTL\bLS\bS_\b_C\bCE\bER\bRT\bT file name
+ \e[1mTLS_CERT \e[22mfile name
The path to a file containing the client certificate which can be
used to authenticate the client to the LDAP server. The
certificate type depends on the LDAP libraries used.
When using Netscape-derived libraries, this file may also contain
Certificate Authority certificates.
- T\bTL\bLS\bS_\b_K\bKE\bEY\bY file name
+ \e[1mTLS_KEY \e[22mfile name
The path to a file containing the private key which matches the
- certificate specified by T\bTL\bLS\bS_\b_C\bCE\bER\bRT\bT. The private key must not be
+ certificate specified by \e[1mTLS_CERT\e[22m. The private key must not be
password-protected. The key type depends on the LDAP libraries
used.
Netscape-derived:
tls_key /var/ldap/key3.db
- T\bTL\bLS\bS_\b_R\bRA\bAN\bND\bDF\bFI\bIL\bLE\bE file name
- The T\bTL\bLS\bS_\b_R\bRA\bAN\bND\bDF\bFI\bIL\bLE\bE parameter specifies the path to an entropy source
+ \e[1mTLS_RANDFILE \e[22mfile name
+ The \e[1mTLS_RANDFILE \e[22mparameter specifies the path to an entropy source
for systems that lack a random device. It is generally used in
- conjunction with _\bp_\br_\bn_\bg_\bd or _\be_\bg_\bd. This option is only supported by
+ conjunction with \e[4mprngd\e[24m or \e[4megd\e[24m. This option is only supported by
the OpenLDAP libraries.
- T\bTL\bLS\bS_\b_C\bCI\bIP\bPH\bHE\bER\bRS\bS cipher list
- The T\bTL\bLS\bS_\b_C\bCI\bIP\bPH\bHE\bER\bRS\bS parameter allows the administer to restrict which
+ \e[1mTLS_CIPHERS \e[22mcipher list
+ The \e[1mTLS_CIPHERS \e[22mparameter allows the administer to restrict which
encryption algorithms may be used for TLS (SSL) connections. See
the OpenSSL manual for a list of valid ciphers. This option is
only supported by the OpenLDAP libraries.
+ \e[1mUSE_SASL \e[22mon/true/yes/off/false/no
+ Enable \e[1mUSE_SASL \e[22mfor LDAP servers that support SASL authentication.
-
-
-
-1.7.6 April 9, 2011 8
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
- U\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL on/true/yes/off/false/no
- Enable U\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL for LDAP servers that support SASL authentication.
-
- S\bSA\bAS\bSL\bL_\b_A\bAU\bUT\bTH\bH_\b_I\bID\bD identity
+ \e[1mSASL_AUTH_ID \e[22midentity
The SASL user name to use when connecting to the LDAP server. By
- default, s\bsu\bud\bdo\bo will use an anonymous connection.
+ default, \e[1msudo \e[22mwill use an anonymous connection.
- R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL on/true/yes/off/false/no
- Enable R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL to enable SASL authentication when connecting
- to an LDAP server from a privileged process, such as s\bsu\bud\bdo\bo.
+ \e[1mROOTUSE_SASL \e[22mon/true/yes/off/false/no
+ Enable \e[1mROOTUSE_SASL \e[22mto enable SASL authentication when connecting
+ to an LDAP server from a privileged process, such as \e[1msudo\e[22m.
- R\bRO\bOO\bOT\bTS\bSA\bAS\bSL\bL_\b_A\bAU\bUT\bTH\bH_\b_I\bID\bD identity
- The SASL user name to use when R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL is enabled.
+ \e[1mROOTSASL_AUTH_ID \e[22midentity
+ The SASL user name to use when \e[1mROOTUSE_SASL \e[22mis enabled.
- S\bSA\bAS\bSL\bL_\b_S\bSE\bEC\bCP\bPR\bRO\bOP\bPS\bS none/properties
- SASL security properties or _\bn_\bo_\bn_\be for no properties. See the SASL
+ \e[1mSASL_SECPROPS \e[22mnone/properties
+ SASL security properties or \e[4mnone\e[24m for no properties. See the SASL
programmer's manual for details.
- K\bKR\bRB\bB5\b5_\b_C\bCC\bCN\bNA\bAM\bME\bE file name
+ \e[1mKRB5_CCNAME \e[22mfile name
The path to the Kerberos 5 credential cache to use when
authenticating with the remote server.
See the ldap.conf entry in the EXAMPLES section.
- C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg n\bns\bss\bsw\bwi\bit\btc\bch\bh.\b.c\bco\bon\bnf\bf
- Unless it is disabled at build time, s\bsu\bud\bdo\bo consults the Name Service
- Switch file, _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf, to specify the _\bs_\bu_\bd_\bo_\be_\br_\bs search order.
+ \e[1mConfiguring nsswitch.conf\e[0m
+ Unless it is disabled at build time, \e[1msudo \e[22mconsults the Name Service
+ Switch file, \e[4m/etc/nsswitch.conf\e[24m, to specify the \e[4msudoers\e[24m search order.
Sudo looks for a line beginning with sudoers: and uses this to
- determine the search order. Note that s\bsu\bud\bdo\bo does not stop searching
+ determine the search order. Note that \e[1msudo \e[22mdoes not stop searching
after the first match and later matches take precedence over earlier
ones.
sudoers: ldap files
- The local _\bs_\bu_\bd_\bo_\be_\br_\bs file can be ignored completely by using:
+ The local \e[4msudoers\e[24m file can be ignored completely by using:
sudoers: ldap
- If the _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf file is not present or there is no sudoers
+ If the \e[4m/etc/nsswitch.conf\e[24m file is not present or there is no sudoers
line, the following default is assumed:
sudoers: files
-
-
-
-1.7.6 April 9, 2011 9
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
- Note that _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf is supported even when the underlying
+ Note that \e[4m/etc/nsswitch.conf\e[24m is supported even when the underlying
operating system does not use an nsswitch.conf file.
- C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg n\bne\bet\bts\bsv\bvc\bc.\b.c\bco\bon\bnf\bf
- On AIX systems, the _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf file is consulted instead of
- _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf. s\bsu\bud\bdo\bo simply treats _\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf as a variant of
- _\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf; information in the previous section unrelated to the
+ \e[1mConfiguring netsvc.conf\e[0m
+ On AIX systems, the \e[4m/etc/netsvc.conf\e[24m file is consulted instead of
+ \e[4m/etc/nsswitch.conf\e[24m. \e[1msudo \e[22msimply treats \e[4mnetsvc.conf\e[24m as a variant of
+ \e[4mnsswitch.conf\e[24m; information in the previous section unrelated to the
file format itself still applies.
To consult LDAP first followed by the local sudoers file (if it
sudoers = ldap, files
- The local _\bs_\bu_\bd_\bo_\be_\br_\bs file can be ignored completely by using:
+ The local \e[4msudoers\e[24m file can be ignored completely by using:
sudoers = ldap
sudoers = ldap = auth, files
Note that in the above example, the auth qualfier only affects user
- lookups; both LDAP and _\bs_\bu_\bd_\bo_\be_\br_\bs will be queried for Defaults entries.
+ lookups; both LDAP and \e[4msudoers\e[24m will be queried for Defaults entries.
- If the _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf file is not present or there is no sudoers
+ If the \e[4m/etc/netsvc.conf\e[24m file is not present or there is no sudoers
line, the following default is assumed:
sudoers = files
-F\bFI\bIL\bLE\bES\bS
- _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf LDAP configuration file
+\e[1mFILES\e[0m
+ \e[4m/etc/ldap.conf\e[24m LDAP configuration file
- _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf determines sudoers source order
+ \e[4m/etc/nsswitch.conf\e[24m determines sudoers source order
- _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf determines sudoers source order on AIX
+ \e[4m/etc/netsvc.conf\e[24m determines sudoers source order on AIX
-E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
- E\bEx\bxa\bam\bmp\bpl\ble\be l\bld\bda\bap\bp.\b.c\bco\bon\bnf\bf
+\e[1mEXAMPLES\e[0m
+ \e[1mExample ldap.conf\e[0m
# Either specify one or more URIs or one or more host:port pairs.
# If neither is specified sudo will default to localhost, port 389.
#
#uri ldaps://secureldapserver
#uri ldaps://secureldapserver ldap://ldapserver
#
-
-
-
-1.7.6 April 9, 2011 10
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
# The amount of time, in seconds, to wait while trying to connect to
# an LDAP server.
bind_timelimit 30
#tls_randfile /etc/egd-pool
#
# You may restrict which ciphers are used. Consult your SSL
-
-
-
-1.7.6 April 9, 2011 11
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
# documentation for which options go here.
# Only supported when using OpenLDAP.
#
# sasl_secprops none
# krb5_ccname /etc/.ldapcache
- S\bSu\bud\bdo\bo s\bsc\bch\bhe\bem\bma\ba f\bfo\bor\br O\bOp\bpe\ben\bnL\bLD\bDA\bAP\bP
- The following schema, in OpenLDAP format, is included with s\bsu\bud\bdo\bo source
- and binary distributions as _\bs_\bc_\bh_\be_\bm_\ba_\b._\bO_\bp_\be_\bn_\bL_\bD_\bA_\bP. Simply copy it to the
- schema directory (e.g. _\b/_\be_\bt_\bc_\b/_\bo_\bp_\be_\bn_\bl_\bd_\ba_\bp_\b/_\bs_\bc_\bh_\be_\bm_\ba), add the proper include
- line in slapd.conf and restart s\bsl\bla\bap\bpd\bd.
+ \e[1mSudo schema for OpenLDAP\e[0m
+ The following schema, in OpenLDAP format, is included with \e[1msudo \e[22msource
+ and binary distributions as \e[4mschema.OpenLDAP\e[24m. Simply copy it to the
+ schema directory (e.g. \e[4m/etc/openldap/schema\e[24m), add the proper include
+ line in slapd.conf and restart \e[1mslapd\e[22m.
attributetype ( 1.3.6.1.4.1.15953.9.1.1
NAME 'sudoUser'
attributetype ( 1.3.6.1.4.1.15953.9.1.2
NAME 'sudoHost'
-
-
-
-1.7.6 April 9, 2011 12
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
DESC 'Host(s) who may run sudo'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
DESC 'an integer to order the sudoRole entries'
EQUALITY integerMatch
ORDERING integerOrderingMatch
-
-
-
-1.7.6 April 9, 2011 13
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
sudoOrder $ description )
)
-S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(4), _\bs_\bu_\bd_\bo_\be_\br_\bs(5)
+\e[1mSEE ALSO\e[0m
+ \e[4mldap.conf\e[24m(4), \e[4msudoers\e[24m(5)
-C\bCA\bAV\bVE\bEA\bAT\bTS\bS
- Note that there are differences in the way that LDAP-based _\bs_\bu_\bd_\bo_\be_\br_\bs is
- parsed compared to file-based _\bs_\bu_\bd_\bo_\be_\br_\bs. See the "Differences between
+\e[1mCAVEATS\e[0m
+ Note that there are differences in the way that LDAP-based \e[4msudoers\e[24m is
+ parsed compared to file-based \e[4msudoers\e[24m. See the "Differences between
LDAP and non-LDAP sudoers" section for more information.
-B\bBU\bUG\bGS\bS
- If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
+\e[1mBUGS\e[0m
+ If you feel you have found a bug in \e[1msudo\e[22m, please submit a bug report at
http://www.sudo.ws/sudo/bugs/
-S\bSU\bUP\bPP\bPO\bOR\bRT\bT
+\e[1mSUPPORT\e[0m
Limited free support is available via the sudo-users mailing list, see
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
the archives.
-D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
+\e[1mDISCLAIMER\e[0m
+ \e[1msudo \e[22mis provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose are disclaimed.
- See the LICENSE file distributed with s\bsu\bud\bdo\bo or
+ See the LICENSE file distributed with \e[1msudo \e[22mor
http://www.sudo.ws/sudo/license.html for complete details.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-1.7.6 April 9, 2011 14
-
-
+1.7.7 August 13, 2011 SUDOERS.LDAP(4)
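Review bot: the regenerated `+` lines carry spelling errors over from the man-page source, e.g. "allows the administer to restrict" in the TLS_CIPHERS entry (should be "administrator"), while the unchanged context still reads "TLS certificated to be verified" under TLS_CHECKPEER and "the auth qualfier" in the netsvc.conf section; since this .cat file is generated output, fix those in the sudoers.ldap source and regenerate rather than patching the .cat by hand. Separately, the hunk switches the preformatted page from backspace overstrike (`s\bsu\bud\bdo\bo`, `_\b/_\be_\bt_\bc`) to SGR escapes (`\e[1m`, `\e[4m`) with an inconsistent end-of-line reset (`\e[0m` after HOST and TLS_CACERT, `\e[22m`/`\e[24m` elsewhere); raw escapes are not handled by tools that understand overstrike, such as `col -b`, so if the switch is a side effect of a newer groff, regenerate with GROFF_NO_SGR=1 (or grotty's `-c`) to keep the overstrike form, and if it is intentional, say so in the changelog. While the page is being touched, the ROOTBINDDN entry says the password "should be stored in /etc/ldap.secret" but not that the file must be readable only by root, which is presumably the reason for splitting it from BINDPW; one sentence there would help. Dropping the repeated 1.7.6 page headers and footers in favour of the single `1.7.7 August 13, 2011 SUDOERS.LDAP(4)` footer is consistent with the version bump.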
.\" ========================================================================
.\"
.IX Title "SUDOERS.LDAP @mansectform@"
-.TH SUDOERS.LDAP @mansectform@ "April 9, 2011" "1.7.6" "MAINTENANCE COMMANDS"
+.TH SUDOERS.LDAP @mansectform@ "August 13, 2011" "1.7.7" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
1.7.0 and higher.
.IP "\fBsudoNotBefore\fR" 4
.IX Item "sudoNotBefore"
-A timestamp in the form \f(CW\*(C`yyyymmddHHMMZ\*(C'\fR that can be used to provide
+A timestamp in the form \f(CW\*(C`yyyymmddHHMMSSZ\*(C'\fR that can be used to provide
a start date/time for when the \f(CW\*(C`sudoRole\*(C'\fR will be valid. If
multiple \f(CW\*(C`sudoNotBefore\*(C'\fR entries are present, the earliest is used.
Note that timestamps must be in Coordinated Universal Time (\s-1UTC\s0),
-not the local timezone.
+not the local timezone. The minute and seconds portions are optional,
+but some \s-1LDAP\s0 servers require that they be present (contrary to the \s-1RFC\s0).
.Sp
The \f(CW\*(C`sudoNotBefore\*(C'\fR attribute is only available in \fBsudo\fR versions
1.7.5 and higher and must be explicitly enabled via the \fB\s-1SUDOERS_TIMED\s0\fR
option in \fI@ldap_conf@\fR.
.IP "\fBsudoNotAfter\fR" 4
.IX Item "sudoNotAfter"
-A timestamp in the form \f(CW\*(C`yyyymmddHHMMZ\*(C'\fR that indicates an expiration
+A timestamp in the form \f(CW\*(C`yyyymmddHHMMSSZ\*(C'\fR that indicates an expiration
date/time, after which the \f(CW\*(C`sudoRole\*(C'\fR will no longer be valid. If
multiple \f(CW\*(C`sudoNotBefore\*(C'\fR entries are present, the last one is used.
Note that timestamps must be in Coordinated Universal Time (\s-1UTC\s0),
-not the local timezone.
+not the local timezone. The minute and seconds portions are optional,
+but some \s-1LDAP\s0 servers require that they be present (contrary to the \s-1RFC\s0).
.Sp
The \f(CW\*(C`sudoNotAfter\*(C'\fR attribute is only available in \fBsudo\fR versions
1.7.5 and higher and must be explicitly enabled via the \fB\s-1SUDOERS_TIMED\s0\fR
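Review bot: the sudoNotAfter paragraph still says "If multiple sudoNotBefore entries are present, the last one is used" (copied from the sudoNotBefore item), and this hunk already edits that paragraph, so correct it to sudoNotAfter here; "the last one" is also ambiguous next to sudoNotBefore's "the earliest is used" and is better stated as "the latest". The new sentence "The minute and seconds portions are optional, but some LDAP servers require that they be present (contrary to the RFC)" would be clearer if it named the RFC (RFC 4517, Generalized Time), agreed in number ("minutes and seconds"), and said how sudo interprets an omitted portion, since for an expiry such as sudoNotAfter the difference between a date-only value read as the start of that day and an intended end of day is a whole day of access.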
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "April 9, 2011" "1.7.6" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "August 13, 2011" "1.7.7" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
This flag is \fIoff\fR by default.
.IP "long_otp_prompt" 16
.IX Item "long_otp_prompt"
-When validating with a One Time Password (\s-1OPT\s0) scheme such as
+When validating with a One Time Password (\s-1OTP\s0) scheme such as
\&\fBS/Key\fR or \fB\s-1OPIE\s0\fR, a two-line prompt is used to make it easier
to cut and paste the challenge to a local window. It's not as
pretty as the default but some people find it more convenient. This
.IX Item "runas_default"
The default user to run commands as if the \fB\-u\fR option is not specified
on the command line. This defaults to \f(CW\*(C`@runas_default@\*(C'\fR.
-Note that if \fIrunas_default\fR is set it \fBmust\fR occur before
-any \f(CW\*(C`Runas_Alias\*(C'\fR specifications.
.IP "syslog_badpri" 16
.IX Item "syslog_badpri"
Syslog priority to use when user authenticates unsuccessfully.
Defaults to \f(CW\*(C`@badpri@\*(C'\fR.
+.Sp
+The following syslog priorities are supported: \fBalert\fR, \fBcrit\fR,
+\&\fBdebug\fR, \fBemerg\fR, \fBerr\fR, \fBinfo\fR, \fBnotice\fR, and \fBwarning\fR.
.IP "syslog_goodpri" 16
.IX Item "syslog_goodpri"
Syslog priority to use when user authenticates successfully.
Defaults to \f(CW\*(C`@goodpri@\*(C'\fR.
+.Sp
+See syslog_badpri for the list of supported syslog priorities.
.IP "sudoers_locale" 16
.IX Item "sudoers_locale"
Locale to use when parsing the sudoers file, logging commands, and
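Review bot: dropping "if runas_default is set it must occur before any Runas_Alias specifications" only makes sense if the parser no longer depends on that ordering; if Runas_Alias entries are still resolved against the runas_default in effect at the point they are parsed, the sentence must stay, and if the restriction was lifted in this release the change should be named in the changelog so administrators can tell which behaviour their installed version has. The syslog priority list added to syslog_badpri, with syslog_goodpri pointing at it, reproduces the list from the paragraph removed later in this file, so nothing is lost there.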
.IP "exempt_group" 12
.IX Item "exempt_group"
Users in this group are exempt from password and \s-1PATH\s0 requirements.
+The group name specified should not include a \f(CW\*(C`%\*(C'\fR prefix.
This is not set by default.
.IP "lecture" 12
.IX Item "lecture"
.IX Item "syslog"
Syslog facility if syslog is being used for logging (negate to
disable syslog logging). Defaults to \f(CW\*(C`@logfac@\*(C'\fR.
+.Sp
+The following syslog facilities are supported: \fBauthpriv\fR (if your
+\&\s-1OS\s0 supports it), \fBauth\fR, \fBdaemon\fR, \fBuser\fR, \fBlocal0\fR, \fBlocal1\fR,
+\&\fBlocal2\fR, \fBlocal3\fR, \fBlocal4\fR, \fBlocal5\fR, \fBlocal6\fR, and \fBlocal7\fR.
.IP "verifypw" 12
.IX Item "verifypw"
This option controls when a password will be required when a user runs
to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and
\&\f(CW\*(C`!\*(C'\fR operators respectively. The default list of variables to keep
is displayed when \fBsudo\fR is run by root with the \fI\-V\fR option.
-.PP
-When logging via \fIsyslog\fR\|(3), \fBsudo\fR accepts the following values
-for the syslog facility (the value of the \fBsyslog\fR Parameter):
-\&\fBauthpriv\fR (if your \s-1OS\s0 supports it), \fBauth\fR, \fBdaemon\fR, \fBuser\fR,
-\&\fBlocal0\fR, \fBlocal1\fR, \fBlocal2\fR, \fBlocal3\fR, \fBlocal4\fR, \fBlocal5\fR,
-\&\fBlocal6\fR, and \fBlocal7\fR. The following syslog priorities are
-supported: \fBalert\fR, \fBcrit\fR, \fBdebug\fR, \fBemerg\fR, \fBerr\fR, \fBinfo\fR,
-\&\fBnotice\fR, and \fBwarning\fR.
.SH "FILES"
.IX Header "FILES"
.ie n .IP "\fI@sysconfdir@/sudoers\fR" 24
+SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m)
-SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m)
-
-
-N\bNA\bAM\bME\bE
+\e[1mNAME\e[0m
sudoreplay - replay sudo session logs
-S\bSY\bYN\bNO\bOP\bPS\bSI\bIS\bS
- s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by [-\b-h\bh] [-\b-d\bd _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by] [-\b-f\bf _\bf_\bi_\bl_\bt_\be_\br] [-\b-m\bm _\bm_\ba_\bx_\b__\bw_\ba_\bi_\bt] [-\b-s\bs
- _\bs_\bp_\be_\be_\bd_\b__\bf_\ba_\bc_\bt_\bo_\br] ID
+\e[1mSYNOPSIS\e[0m
+ \e[1msudoreplay \e[22m[\e[1m-h\e[22m] [\e[1m-d \e[4m\e[22mdirectory\e[24m] [\e[1m-f \e[4m\e[22mfilter\e[24m] [\e[1m-m \e[4m\e[22mmax_wait\e[24m] [\e[1m-s\e[0m
+ \e[4mspeed_factor\e[24m] ID
- s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by [-\b-h\bh] [-\b-d\bd _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by] -l [search expression]
+ \e[1msudoreplay \e[22m[\e[1m-h\e[22m] [\e[1m-d \e[4m\e[22mdirectory\e[24m] -l [search expression]
-D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by plays back or lists the session logs created by s\bsu\bud\bdo\bo. When
- replaying, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by can play the session back in real-time, or the
+\e[1mDESCRIPTION\e[0m
+ \e[1msudoreplay \e[22mplays back or lists the session logs created by \e[1msudo\e[22m. When
+ replaying, \e[1msudoreplay \e[22mcan play the session back in real-time, or the
playback speed may be adjusted (faster or slower) based on the command
- line options. The _\bI_\bD should be a six character sequence of digits and
- upper case letters, e.g. 0100A5, which is logged by s\bsu\bud\bdo\bo when a
+ line options. The \e[4mID\e[24m should be a six character sequence of digits and
+ upper case letters, e.g. 0100A5, which is logged by \e[1msudo \e[22mwhen a
command is run with session logging enabled.
- In list mode, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by can be used to find the ID of a session based
+ In list mode, \e[1msudoreplay \e[22mcan be used to find the ID of a session based
on a number of criteria such as the user, tty or command run.
In replay mode, if the standard output has not been redirected,
- s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by will act on the following keys:
+ \e[1msudoreplay \e[22mwill act on the following keys:
' ' (space)
Pause output; press any key to resume.
'>' Double the playback speed.
-O\bOP\bPT\bTI\bIO\bON\bNS\bS
- s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by accepts the following command line options:
+\e[1mOPTIONS\e[0m
+ \e[1msudoreplay \e[22maccepts the following command line options:
- -d _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by
- Use _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by to for the session logs instead of the
- default, _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo.
+ -d \e[4mdirectory\e[0m
+ Use \e[4mdirectory\e[24m to for the session logs instead of the
+ default, \e[4m/var/log/sudo-io\e[24m.
- -f _\bf_\bi_\bl_\bt_\be_\br By default, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by will play back the command's
- standard output, standard error and tty output. The _\b-_\bf
+ -f \e[4mfilter\e[24m By default, \e[1msudoreplay \e[22mwill play back the command's
+ standard output, standard error and tty output. The \e[4m-f\e[0m
option can be used to select which of these to output. The
- _\bf_\bi_\bl_\bt_\be_\br argument is a comma-separated list, consisting of
- one or more of following: _\bs_\bt_\bd_\bo_\bu_\bt, _\bs_\bt_\bd_\be_\br_\br, and _\bt_\bt_\by_\bo_\bu_\bt.
+ \e[4mfilter\e[24m argument is a comma-separated list, consisting of
+ one or more of following: \e[4mstdout\e[24m, \e[4mstderr\e[24m, and \e[4mttyout\e[24m.
- -h The -\b-h\bh (_\bh_\be_\bl_\bp) option causes s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by to print a short
+ -h The \e[1m-h \e[22m(\e[4mhelp\e[24m) option causes \e[1msudoreplay \e[22mto print a short
help message to the standard output and exit.
- -l [_\bs_\be_\ba_\br_\bc_\bh _\be_\bx_\bp_\br_\be_\bs_\bs_\bi_\bo_\bn]
- Enable "list mode". In this mode, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by will list
- available session IDs. If a _\bs_\be_\ba_\br_\bc_\bh _\be_\bx_\bp_\br_\be_\bs_\bs_\bi_\bo_\bn is
+ -l [\e[4msearch\e[24m \e[4mexpression\e[24m]
+ Enable "list mode". In this mode, \e[1msudoreplay \e[22mwill list
+ available session IDs. If a \e[4msearch\e[24m \e[4mexpression\e[24m is
specified, it will be used to restrict the IDs that are
displayed. An expression is composed of the following
predicates:
-
-
-
-
-1.7.6 April 9, 2011 1
-
-
-
-
-
-SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m)
-
-
- command _\bc_\bo_\bm_\bm_\ba_\bn_\bd _\bp_\ba_\bt_\bt_\be_\br_\bn
+ command \e[4mcommand\e[24m \e[4mpattern\e[0m
Evaluates to true if the command run matches
- _\bc_\bo_\bm_\bm_\ba_\bn_\bd _\bp_\ba_\bt_\bt_\be_\br_\bn. On systems with POSIX regular
+ \e[4mcommand\e[24m \e[4mpattern\e[24m. On systems with POSIX regular
expression support, the pattern may be an extended
regular expression. On systems without POSIX
regular expression support, a simple substring
match is performed instead.
- cwd _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by
+ cwd \e[4mdirectory\e[0m
Evaluates to true if the command was run with the
specified current working directory.
- fromdate _\bd_\ba_\bt_\be
+ fromdate \e[4mdate\e[0m
Evaluates to true if the command was run on or
- after _\bd_\ba_\bt_\be. See "Date and time format" for a
+ after \e[4mdate\e[24m. See "Date and time format" for a
description of supported date and time formats.
- group _\br_\bu_\bn_\ba_\bs_\b__\bg_\br_\bo_\bu_\bp
+ group \e[4mrunas_group\e[0m
Evaluates to true if the command was run with the
- specified _\br_\bu_\bn_\ba_\bs_\b__\bg_\br_\bo_\bu_\bp. Note that unless a
- _\br_\bu_\bn_\ba_\bs_\b__\bg_\br_\bo_\bu_\bp was explicitly specified when s\bsu\bud\bdo\bo was
+ specified \e[4mrunas_group\e[24m. Note that unless a
+ \e[4mrunas_group\e[24m was explicitly specified when \e[1msudo \e[22mwas
run this field will be empty in the log.
- runas _\br_\bu_\bn_\ba_\bs_\b__\bu_\bs_\be_\br
+ runas \e[4mrunas_user\e[0m
Evaluates to true if the command was run as the
- specified _\br_\bu_\bn_\ba_\bs_\b__\bu_\bs_\be_\br. Note that s\bsu\bud\bdo\bo runs commands
- as user _\br_\bo_\bo_\bt by default.
+ specified \e[4mrunas_user\e[24m. Note that \e[1msudo \e[22mruns commands
+ as user \e[4mroot\e[24m by default.
- todate _\bd_\ba_\bt_\be
+ todate \e[4mdate\e[0m
Evaluates to true if the command was run on or
- prior to _\bd_\ba_\bt_\be. See "Date and time format" for a
+ prior to \e[4mdate\e[24m. See "Date and time format" for a
description of supported date and time formats.
- tty _\bt_\bt_\by Evaluates to true if the command was run on the
- specified terminal device. The _\bt_\bt_\by should be
- specified without the _\b/_\bd_\be_\bv_\b/ prefix, e.g. _\bt_\bt_\by_\b0_\b1
- instead of _\b/_\bd_\be_\bv_\b/_\bt_\bt_\by_\b0_\b1.
+ tty \e[4mtty\e[24m Evaluates to true if the command was run on the
+ specified terminal device. The \e[4mtty\e[24m should be
+ specified without the \e[4m/dev/\e[24m prefix, e.g. \e[4mtty01\e[0m
+ instead of \e[4m/dev/tty01\e[24m.
- user _\bu_\bs_\be_\br _\bn_\ba_\bm_\be
+ user \e[4muser\e[24m \e[4mname\e[0m
Evaluates to true if the ID matches a command run
- by _\bu_\bs_\be_\br _\bn_\ba_\bm_\be.
+ by \e[4muser\e[24m \e[4mname\e[24m.
Predicates may be abbreviated to the shortest unique string
(currently all predicates may be shortened to a single
character).
- Predicates may be combined using _\ba_\bn_\bd, _\bo_\br and _\b! operators as
+ Predicates may be combined using \e[4mand\e[24m, \e[4mor\e[24m and \e[4m!\e[24m operators as
well as '(' and ')' for grouping (note that parentheses
- must generally be escaped from the shell). The _\ba_\bn_\bd
+ must generally be escaped from the shell). The \e[4mand\e[0m
operator is optional, adjacent predicates have an implied
- _\ba_\bn_\bd unless separated by an _\bo_\br.
-
- -m _\bm_\ba_\bx_\b__\bw_\ba_\bi_\bt Specify an upper bound on how long to wait between key
- presses or output data. By default, s\bsu\bud\bdo\bo_\b_r\bre\bep\bpl\bla\bay\by will
-
-
-
-1.7.6 April 9, 2011 2
-
-
-
-
-
-SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m)
-
+ \e[4mand\e[24m unless separated by an \e[4mor\e[24m.
+ -m \e[4mmax_wait\e[24m Specify an upper bound on how long to wait between key
+ presses or output data. By default, \e[1msudo_replay \e[22mwill
accurately reproduce the delays between key presses or
program output. However, this can be tedious when the
- session includes long pauses. When the _\b-_\bm option is
- specified, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by will limit these pauses to at most
- _\bm_\ba_\bx_\b__\bw_\ba_\bi_\bt seconds. The value may be specified as a floating
- point number, .e.g. _\b2_\b._\b5.
+ session includes long pauses. When the \e[4m-m\e[24m option is
+ specified, \e[1msudoreplay \e[22mwill limit these pauses to at most
+ \e[4mmax_wait\e[24m seconds. The value may be specified as a floating
+ point number, .e.g. \e[4m2.5\e[24m.
- -s _\bs_\bp_\be_\be_\bd_\b__\bf_\ba_\bc_\bt_\bo_\br
- This option causes s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by to adjust the number of
+ -s \e[4mspeed_factor\e[0m
+ This option causes \e[1msudoreplay \e[22mto adjust the number of
seconds it will wait between key presses or program output.
This can be used to slow down or speed up the display. For
- example, a _\bs_\bp_\be_\be_\bd_\b__\bf_\ba_\bc_\bt_\bo_\br of _\b2 would make the output twice as
- fast whereas a _\bs_\bp_\be_\be_\bd_\b__\bf_\ba_\bc_\bt_\bo_\br of <.5> would make the output
+ example, a \e[4mspeed_factor\e[24m of \e[4m2\e[24m would make the output twice as
+ fast whereas a \e[4mspeed_factor\e[24m of <.5> would make the output
twice as slow.
- -V The -\b-V\bV (version) option causes s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by to print its
+ -V The \e[1m-V \e[22m(version) option causes \e[1msudoreplay \e[22mto print its
version number and exit.
- D\bDa\bat\bte\be a\ban\bnd\bd t\bti\bim\bme\be f\bfo\bor\brm\bma\bat\bt
+ \e[1mDate and time format\e[0m
The time and date may be specified multiple ways, common formats
include:
2 hours ago
2 hours ago.
-
-
-1.7.6 April 9, 2011 3
-
-
-
-
-
-SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m)
-
-
next Friday
The first second of the next Friday.
10:01 am Sep 17, 2009
10:01 am, September 17, 2009.
-F\bFI\bIL\bLE\bES\bS
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo The default I/O log directory.
+\e[1mFILES\e[0m
+ \e[4m/var/log/sudo-io\e[24m The default I/O log directory.
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bl_\bo_\bg
+ \e[4m/var/log/sudo-io/00/00/01/log\e[0m
Example session log info.
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bs_\bt_\bd_\bi_\bn
+ \e[4m/var/log/sudo-io/00/00/01/stdin\e[0m
Example session standard input log.
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bs_\bt_\bd_\bo_\bu_\bt
+ \e[4m/var/log/sudo-io/00/00/01/stdout\e[0m
Example session standard output log.
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bs_\bt_\bd_\be_\br_\br
+ \e[4m/var/log/sudo-io/00/00/01/stderr\e[0m
Example session standard error log.
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bt_\bt_\by_\bi_\bn
+ \e[4m/var/log/sudo-io/00/00/01/ttyin\e[0m
Example session tty input file.
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bt_\bt_\by_\bo_\bu_\bt
+ \e[4m/var/log/sudo-io/00/00/01/ttyout\e[0m
Example session tty output file.
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bt_\bi_\bm_\bi_\bn_\bg
+ \e[4m/var/log/sudo-io/00/00/01/timing\e[0m
Example session timing file.
- Note that the _\bs_\bt_\bd_\bi_\bn, _\bs_\bt_\bd_\bo_\bu_\bt and _\bs_\bt_\bd_\be_\br_\br files will be empty unless s\bsu\bud\bdo\bo
+ Note that the \e[4mstdin\e[24m, \e[4mstdout\e[24m and \e[4mstderr\e[24m files will be empty unless \e[1msudo\e[0m
was used as part of a pipeline for a particular command.
-E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
- List sessions run by user _\bm_\bi_\bl_\bl_\be_\br_\bt:
+\e[1mEXAMPLES\e[0m
+ List sessions run by user \e[4mmillert\e[24m:
sudoreplay -l user millert
-
-
-1.7.6 April 9, 2011 4
-
-
-
-
-
-SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m)
-
-
- List sessions run by user _\bb_\bo_\bb with a command containing the string vi:
+ List sessions run by user \e[4mbob\e[24m with a command containing the string vi:
sudoreplay -l user bob command vi
- List sessions run by user _\bj_\be_\bf_\bf that match a regular expression:
+ List sessions run by user \e[4mjeff\e[24m that match a regular expression:
sudoreplay -l user jeff command '/bin/[a-z]*sh'
sudoreplay -l ( user jeff or user bob ) tty console
-S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\bs_\bu_\bd_\bo(1m), _\bs_\bc_\br_\bi_\bp_\bt(1)
+\e[1mSEE ALSO\e[0m
+ \e[4msudo\e[24m(1m), \e[4mscript\e[24m(1)
-A\bAU\bUT\bTH\bHO\bOR\bR
+\e[1mAUTHOR\e[0m
Todd C. Miller
-B\bBU\bUG\bGS\bS
- If you feel you have found a bug in s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by, please submit a bug
+\e[1mBUGS\e[0m
+ If you feel you have found a bug in \e[1msudoreplay\e[22m, please submit a bug
report at http://www.sudo.ws/sudo/bugs/
-S\bSU\bUP\bPP\bPO\bOR\bRT\bT
+\e[1mSUPPORT\e[0m
Limited free support is available via the sudo-users mailing list, see
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
the archives.
-D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by is provided ``AS IS'' and any express or implied warranties,
+\e[1mDISCLAIMER\e[0m
+ \e[1msudoreplay \e[22mis provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose are disclaimed.
- See the LICENSE file distributed with s\bsu\bud\bdo\bo or
+ See the LICENSE file distributed with \e[1msudo \e[22mor
http://www.sudo.ws/sudo/license.html for complete details.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-1.7.6 April 9, 2011 5
-
-
+1.7.7 August 13, 2011 SUDOREPLAY(1m)
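Review bot: several wording errors in the rendered sudoreplay text are carried over unchanged by this re-rendering and should be corrected rather than preserved. In the -d entry, `Use \e[4mdirectory\e[24m to for the session logs instead of the` has a stray "to" (read: "Use directory for the session logs"). In the -m entry the program name is rendered as `presses or output data. By default, \e[1msudo_replay \e[22mwill` where every other line of the page uses sudoreplay, and the same paragraph ends with ".e.g. 2.5", a stray period before "e.g.". In the -s entry, `fast whereas a \e[4mspeed_factor\e[24m of <.5> would make the output` leaves angle-bracket markup unrendered where the neighbouring value 2 is underlined; it should be an underlined .5.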
.\" ========================================================================
.\"
.IX Title "SUDOREPLAY @mansectsu@"
-.TH SUDOREPLAY @mansectsu@ "April 9, 2011" "1.7.6" "MAINTENANCE COMMANDS"
+.TH SUDOREPLAY @mansectsu@ "August 13, 2011" "1.7.7" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
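Review bot: the date and version in `.TH SUDOREPLAY @mansectsu@ "August 13, 2011" "1.7.7" "MAINTENANCE COMMANDS"` are literal strings that must be kept in step by hand with the rendered footer `1.7.7 August 13, 2011 SUDOREPLAY(1m)`, while the section already comes from the `@mansectsu@` substitution; if the build has a substitution for the version and date, using it on this line would keep the .TH header and the cat-page footer from drifting on the next bump.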
+VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m)
-VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m)
-
-
-N\bNA\bAM\bME\bE
+\e[1mNAME\e[0m
visudo - edit the sudoers file
-S\bSY\bYN\bNO\bOP\bPS\bSI\bIS\bS
- v\bvi\bis\bsu\bud\bdo\bo [-\b-c\bch\bhq\bqs\bsV\bV] [-\b-f\bf _\bs_\bu_\bd_\bo_\be_\br_\bs]
+\e[1mSYNOPSIS\e[0m
+ \e[1mvisudo \e[22m[\e[1m-chqsV\e[22m] [\e[1m-f \e[4m\e[22msudoers\e[24m]
-D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- v\bvi\bis\bsu\bud\bdo\bo edits the _\bs_\bu_\bd_\bo_\be_\br_\bs file in a safe fashion, analogous to _\bv_\bi_\bp_\bw(1m).
- v\bvi\bis\bsu\bud\bdo\bo locks the _\bs_\bu_\bd_\bo_\be_\br_\bs file against multiple simultaneous edits,
+\e[1mDESCRIPTION\e[0m
+ \e[1mvisudo \e[22medits the \e[4msudoers\e[24m file in a safe fashion, analogous to \e[4mvipw\e[24m(1m).
+ \e[1mvisudo \e[22mlocks the \e[4msudoers\e[24m file against multiple simultaneous edits,
provides basic sanity checks, and checks for parse errors. If the
- _\bs_\bu_\bd_\bo_\be_\br_\bs file is currently being edited you will receive a message to
+ \e[4msudoers\e[24m file is currently being edited you will receive a message to
try again later.
- There is a hard-coded list of one or more editors that v\bvi\bis\bsu\bud\bdo\bo will use
- set at compile-time that may be overridden via the _\be_\bd_\bi_\bt_\bo_\br _\bs_\bu_\bd_\bo_\be_\br_\bs
- Default variable. This list defaults to "vi". Normally, v\bvi\bis\bsu\bud\bdo\bo does
+ There is a hard-coded list of one or more editors that \e[1mvisudo \e[22mwill use
+ set at compile-time that may be overridden via the \e[4meditor\e[24m \e[4msudoers\e[0m
+ Default variable. This list defaults to "vi". Normally, \e[1mvisudo \e[22mdoes
not honor the VISUAL or EDITOR environment variables unless they
contain an editor in the aforementioned editors list. However, if
- v\bvi\bis\bsu\bud\bdo\bo is configured with the _\b-_\b-_\bw_\bi_\bt_\bh_\b-_\be_\bn_\bv_\b-_\be_\bd_\bi_\bt_\bo_\br option or the
- _\be_\bn_\bv_\b__\be_\bd_\bi_\bt_\bo_\br Default variable is set in _\bs_\bu_\bd_\bo_\be_\br_\bs, v\bvi\bis\bsu\bud\bdo\bo will use any the
+ \e[1mvisudo \e[22mis configured with the \e[4m--with-env-editor\e[24m option or the
+ \e[4menv_editor\e[24m Default variable is set in \e[4msudoers\e[24m, \e[1mvisudo \e[22mwill use any the
editor defines by VISUAL or EDITOR. Note that this can be a security
hole since it allows the user to execute any program they wish simply
by setting VISUAL or EDITOR.
- v\bvi\bis\bsu\bud\bdo\bo parses the _\bs_\bu_\bd_\bo_\be_\br_\bs file after the edit and will not save the
- changes if there is a syntax error. Upon finding an error, v\bvi\bis\bsu\bud\bdo\bo will
+ \e[1mvisudo \e[22mparses the \e[4msudoers\e[24m file after the edit and will not save the
+ changes if there is a syntax error. Upon finding an error, \e[1mvisudo \e[22mwill
print a message stating the line number(s) where the error occurred and
the user will receive the "What now?" prompt. At this point the user
- may enter "e" to re-edit the _\bs_\bu_\bd_\bo_\be_\br_\bs file, "x" to exit without saving
+ may enter "e" to re-edit the \e[4msudoers\e[24m file, "x" to exit without saving
the changes, or "Q" to quit and save changes. The "Q" option should be
- used with extreme care because if v\bvi\bis\bsu\bud\bdo\bo believes there to be a parse
- error, so will s\bsu\bud\bdo\bo and no one will be able to s\bsu\bud\bdo\bo again until the
- error is fixed. If "e" is typed to edit the _\bs_\bu_\bd_\bo_\be_\br_\bs file after a
+ used with extreme care because if \e[1mvisudo \e[22mbelieves there to be a parse
+ error, so will \e[1msudo \e[22mand no one will be able to \e[1msudo \e[22magain until the
+ error is fixed. If "e" is typed to edit the \e[4msudoers\e[24m file after a
parse error has been detected, the cursor will be placed on the line
where the error occurred (if the editor supports this feature).
-O\bOP\bPT\bTI\bIO\bON\bNS\bS
- v\bvi\bis\bsu\bud\bdo\bo accepts the following command line options:
+\e[1mOPTIONS\e[0m
+ \e[1mvisudo \e[22maccepts the following command line options:
- -c Enable c\bch\bhe\bec\bck\bk-\b-o\bon\bnl\bly\by mode. The existing _\bs_\bu_\bd_\bo_\be_\br_\bs file will be
+ -c Enable \e[1mcheck-only \e[22mmode. The existing \e[4msudoers\e[24m file will be
checked for syntax and a message will be printed to the
- standard output detailing the status of _\bs_\bu_\bd_\bo_\be_\br_\bs. If the
- syntax check completes successfully, v\bvi\bis\bsu\bud\bdo\bo will exit with
- a value of 0. If a syntax error is encountered, v\bvi\bis\bsu\bud\bdo\bo
+ standard output detailing the status of \e[4msudoers\e[24m. If the
+ syntax check completes successfully, \e[1mvisudo \e[22mwill exit with
+ a value of 0. If a syntax error is encountered, \e[1mvisudo\e[0m
will exit with a value of 1.
- -f _\bs_\bu_\bd_\bo_\be_\br_\bs Specify and alternate _\bs_\bu_\bd_\bo_\be_\br_\bs file location. With this
- option v\bvi\bis\bsu\bud\bdo\bo will edit (or check) the _\bs_\bu_\bd_\bo_\be_\br_\bs file of your
- choice, instead of the default, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. The lock
- file used is the specified _\bs_\bu_\bd_\bo_\be_\br_\bs file with ".tmp"
- appended to it. In c\bch\bhe\bec\bck\bk-\b-o\bon\bnl\bly\by mode only, the argument to
- -\b-f\bf may be "-", indicating that _\bs_\bu_\bd_\bo_\be_\br_\bs will be read from
+ -f \e[4msudoers\e[24m Specify and alternate \e[4msudoers\e[24m file location. With this
+ option \e[1mvisudo \e[22mwill edit (or check) the \e[4msudoers\e[24m file of your
+ choice, instead of the default, \e[4m/etc/sudoers\e[24m. The lock
+ file used is the specified \e[4msudoers\e[24m file with ".tmp"
+ appended to it. In \e[1mcheck-only \e[22mmode only, the argument to
+ \e[1m-f \e[22mmay be "-", indicating that \e[4msudoers\e[24m will be read from
the standard input.
-
-
-
-1.7.6 April 9, 2011 1
-
-
-
-
-
-VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m)
-
-
- -h The -\b-h\bh (_\bh_\be_\bl_\bp) option causes v\bvi\bis\bsu\bud\bdo\bo to print a short help
+ -h The \e[1m-h \e[22m(\e[4mhelp\e[24m) option causes \e[1mvisudo \e[22mto print a short help
message to the standard output and exit.
- -q Enable q\bqu\bui\bie\bet\bt mode. In this mode details about syntax
+ -q Enable \e[1mquiet \e[22mmode. In this mode details about syntax
errors are not printed. This option is only useful when
- combined with the -\b-c\bc option.
+ combined with the \e[1m-c \e[22moption.
- -s Enable s\bst\btr\bri\bic\bct\bt checking of the _\bs_\bu_\bd_\bo_\be_\br_\bs file. If an alias is
- used before it is defined, v\bvi\bis\bsu\bud\bdo\bo will consider this a
+ -s Enable \e[1mstrict \e[22mchecking of the \e[4msudoers\e[24m file. If an alias is
+ used before it is defined, \e[1mvisudo \e[22mwill consider this a
parse error. Note that it is not possible to differentiate
between an alias and a host name or user name that consists
solely of uppercase letters, digits, and the underscore
('_') character.
- -V The -\b-V\bV (version) option causes v\bvi\bis\bsu\bud\bdo\bo to print its version
+ -V The \e[1m-V \e[22m(version) option causes \e[1mvisudo \e[22mto print its version
number and exit.
-E\bEN\bNV\bVI\bIR\bRO\bON\bNM\bME\bEN\bNT\bT
+\e[1mENVIRONMENT\e[0m
The following environment variables may be consulted depending on the
- value of the _\be_\bd_\bi_\bt_\bo_\br and _\be_\bn_\bv_\b__\be_\bd_\bi_\bt_\bo_\br _\bs_\bu_\bd_\bo_\be_\br_\bs variables:
+ value of the \e[4meditor\e[24m and \e[4menv_editor\e[24m \e[4msudoers\e[24m variables:
VISUAL Invoked by visudo as the editor to use
EDITOR Used by visudo if VISUAL is not set
-F\bFI\bIL\bLE\bES\bS
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
+\e[1mFILES\e[0m
+ \e[4m/etc/sudoers\e[24m List of who can run what
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bt_\bm_\bp Lock file for visudo
+ \e[4m/etc/sudoers.tmp\e[24m Lock file for visudo
-D\bDI\bIA\bAG\bGN\bNO\bOS\bST\bTI\bIC\bCS\bS
+\e[1mDIAGNOSTICS\e[0m
sudoers file busy, try again later.
- Someone else is currently editing the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
+ Someone else is currently editing the \e[4msudoers\e[24m file.
/etc/sudoers.tmp: Permission denied
- You didn't run v\bvi\bis\bsu\bud\bdo\bo as root.
+ You didn't run \e[1mvisudo \e[22mas root.
Can't find you in the passwd database
Your userid does not appear in the system passwd file.
{User,Runas,Host,Cmnd}_Alias or you have a user or host name listed
that consists solely of uppercase letters, digits, and the
underscore ('_') character. In the latter case, you can ignore the
- warnings (s\bsu\bud\bdo\bo will not complain). In -\b-s\bs (strict) mode these are
+ warnings (\e[1msudo \e[22mwill not complain). In \e[1m-s \e[22m(strict) mode these are
errors, not warnings.
Warning: unused {User,Runas,Host,Cmnd}_Alias
The specified {User,Runas,Host,Cmnd}_Alias was defined but never
used. You may wish to comment out or remove the unused alias. In
- -\b-s\bs (strict) mode this is an error, not a warning.
+ \e[1m-s \e[22m(strict) mode this is an error, not a warning.
+\e[1mSEE ALSO\e[0m
+ \e[4mvi\e[24m(1), \e[4msudoers\e[24m(4), \e[4msudo\e[24m(1m), \e[4mvipw\e[24m(8)
-
-
-
-1.7.6 April 9, 2011 2
-
-
-
-
-
-VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m)
-
-
-S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\bv_\bi(1), _\bs_\bu_\bd_\bo_\be_\br_\bs(4), _\bs_\bu_\bd_\bo(1m), _\bv_\bi_\bp_\bw(8)
-
-A\bAU\bUT\bTH\bHO\bOR\bR
- Many people have worked on _\bs_\bu_\bd_\bo over the years; this version of v\bvi\bis\bsu\bud\bdo\bo
+\e[1mAUTHOR\e[0m
+ Many people have worked on \e[4msudo\e[24m over the years; this version of \e[1mvisudo\e[0m
was written by:
Todd Miller
See the HISTORY file in the sudo distribution or visit
http://www.sudo.ws/sudo/history.html for more details.
-C\bCA\bAV\bVE\bEA\bAT\bTS\bS
+\e[1mCAVEATS\e[0m
There is no easy way to prevent a user from gaining a root shell if the
- editor used by v\bvi\bis\bsu\bud\bdo\bo allows shell escapes.
+ editor used by \e[1mvisudo \e[22mallows shell escapes.
-B\bBU\bUG\bGS\bS
- If you feel you have found a bug in v\bvi\bis\bsu\bud\bdo\bo, please submit a bug report
+\e[1mBUGS\e[0m
+ If you feel you have found a bug in \e[1mvisudo\e[22m, please submit a bug report
at http://www.sudo.ws/sudo/bugs/
-S\bSU\bUP\bPP\bPO\bOR\bRT\bT
+\e[1mSUPPORT\e[0m
Limited free support is available via the sudo-users mailing list, see
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
the archives.
-D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- v\bvi\bis\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
+\e[1mDISCLAIMER\e[0m
+ \e[1mvisudo \e[22mis provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose are disclaimed.
- See the LICENSE file distributed with s\bsu\bud\bdo\bo or
+ See the LICENSE file distributed with \e[1msudo \e[22mor
http://www.sudo.ws/sudo/license.html for complete details.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-1.7.6 April 9, 2011 3
-
-
+1.7.7 August 13, 2011 VISUDO(1m)
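Review bot: the env_editor sentence in DESCRIPTION, the one security warning on this page, is garbled in both the old and the new text: "visudo will use any the" followed by `editor defines by VISUAL or EDITOR. Note that this can be a security` should read "visudo will use any editor defined by VISUAL or EDITOR", so that the warning about a user executing any program by setting VISUAL or EDITOR hangs off a readable sentence. In the -f entry, `-f \e[4msudoers\e[24m Specify and alternate \e[4msudoers\e[24m file location.` should be "Specify an alternate". SEE ALSO gives `\e[4mvi\e[24m(1), \e[4msudoers\e[24m(4), \e[4msudo\e[24m(1m), \e[4mvipw\e[24m(8)` while DESCRIPTION refers to vipw(1m); the cross-reference should use one section number consistently.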
.\" ========================================================================
.\"
.IX Title "VISUDO @mansectsu@"
-.TH VISUDO @mansectsu@ "April 9, 2011" "1.7.6" "MAINTENANCE COMMANDS"
+.TH VISUDO @mansectsu@ "August 13, 2011" "1.7.7" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l