-1.8.0a1 May 25, 2010 1
+1.8.0a2 May 30, 2010 1
-1.8.0a1 May 25, 2010 2
+1.8.0a2 May 30, 2010 2
-1.8.0a1 May 25, 2010 3
+1.8.0a2 May 30, 2010 3
-1.8.0a1 May 25, 2010 4
+1.8.0a2 May 30, 2010 4
Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
- 'SETENV:' | 'NOSETENV:' | 'TRANSCRIPT:' | 'NOTRANSCRIPT:')
+ 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
+ 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
A u\bus\bse\ber\br s\bsp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn determines which commands a user may run (and as
what user) on specified hosts. By default, commands are run as r\bro\boo\bot\bt,
-
-1.8.0a1 May 25, 2010 5
+1.8.0a2 May 30, 2010 5
T\bTa\bag\bg_\b_S\bSp\bpe\bec\bc
A command may have zero or more tags associated with it. There are
eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV,
- NOSETENV, TRANSCRIPT and NOTRANSCRIPT. Once a tag is set on a Cmnd,
- subsequent Cmnds in the Cmnd_Spec_List, inherit the tag unless it is
- overridden by the opposite tag (i.e.: PASSWD overrides NOPASSWD and
- NOEXEC overrides EXEC).
+ NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a
+ tag is set on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit
+ the tag unless it is overridden by the opposite tag (i.e.: PASSWD
+ overrides NOPASSWD and NOEXEC overrides EXEC).
_\bN_\bO_\bP_\bA_\bS_\bS_\bW_\bD _\ba_\bn_\bd _\bP_\bA_\bS_\bS_\bW_\bD
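Review bot: "eight possible tag values" in the unchanged line preceding the new list is now wrong: the hunk enumerates ten (NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT). Change "eight" to "ten", or drop the number and let the list speak for itself so the next tag addition cannot leave it stale again.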
-1.8.0a1 May 25, 2010 6
+1.8.0a2 May 30, 2010 6
If the command matched is A\bAL\bLL\bL, the SETENV tag is implied for that
command; this default may be overridden by use of the UNSETENV tag.
- _\bT_\bR_\bA_\bN_\bS_\bC_\bR_\bI_\bP_\bT _\ba_\bn_\bd _\bN_\bO_\bT_\bR_\bA_\bN_\bS_\bC_\bR_\bI_\bP_\bT
+ _\bL_\bO_\bG_\b__\bI_\bN_\bP_\bU_\bT _\ba_\bn_\bd _\bN_\bO_\bL_\bO_\bG_\b__\bI_\bN_\bP_\bU_\bT
- These tags override the value of the _\bt_\br_\ba_\bn_\bs_\bc_\br_\bi_\bp_\bt option on a per-command
- basis. For more information, see the description of _\bt_\br_\ba_\bn_\bs_\bc_\br_\bi_\bp_\bt in the
+ These tags override the value of the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt option on a per-command
+ basis. For more information, see the description of _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt in the
+ "SUDOERS OPTIONS" section below.
+
+ _\bL_\bO_\bG_\b__\bO_\bU_\bT_\bP_\bU_\bT _\ba_\bn_\bd _\bN_\bO_\bL_\bO_\bG_\b__\bO_\bU_\bT_\bP_\bU_\bT
+
+ These tags override the value of the _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt option on a per-command
+ basis. For more information, see the description of _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt in the
"SUDOERS OPTIONS" section below.
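Review bot: The context line just above the new LOG_INPUT subsection, "this default may be overridden by use of the UNSETENV tag", names a tag that the Tag_Spec grammar edited in this patch does not accept (it lists SETENV: and NOSETENV: only), so an administrator who wants to take the implied SETENV behaviour away from an ALL command is sent to a tag that will be rejected. Worth changing to NOSETENV in this change while the surrounding text is being reworked. The two new subsections are otherwise fine, but they are identical apart from the option name; a single "LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT" subsection would avoid the duplication.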
W\bWi\bil\bld\bdc\bca\bar\brd\bds\bs
Would match any file name beginning with a letter.
- Note that a forward slash ('/') will n\bno\bot\bt be matched by wildcards used
- in the path name. When matching the command line arguments, however, a
- slash d\bdo\boe\bes\bs get matched by wildcards. This is to make a path like:
- /usr/bin/*
+1.8.0a2 May 30, 2010 7
-1.8.0a1 May 25, 2010 7
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ Note that a forward slash ('/') will n\bno\bot\bt be matched by wildcards used
+ in the path name. When matching the command line arguments, however, a
+ slash d\bdo\boe\bes\bs get matched by wildcards. This is to make a path like:
+ /usr/bin/*
match _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bw_\bh_\bo but not _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bX_\b1_\b1_\b/_\bx_\bt_\be_\br_\bm.
sorted lexical order. That is, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b0_\b1_\b__\bf_\bi_\br_\bs_\bt will be parsed
before _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Be aware that because the sorting is
lexical, not numeric, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b__\bw_\bh_\bo_\bo_\bp_\bs would be loaded a\baf\bft\bte\ber\br
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Using a consistent number of leading zeroes
- in the file names can be used to avoid such problems.
-
- Note that unlike files included via #include, v\bvi\bis\bsu\bud\bdo\bo will not edit the
- files in a #includedir directory unless one of them contains a syntax
- error. It is still possible to run v\bvi\bis\bsu\bud\bdo\bo with the -f flag to edit the
-1.8.0a1 May 25, 2010 8
+1.8.0a2 May 30, 2010 8
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Using a consistent number of leading zeroes
+ in the file names can be used to avoid such problems.
+
+ Note that unlike files included via #include, v\bvi\bis\bsu\bud\bdo\bo will not edit the
+ files in a #includedir directory unless one of them contains a syntax
+ error. It is still possible to run v\bvi\bis\bsu\bud\bdo\bo with the -f flag to edit the
files directly.
O\bOt\bth\bhe\ber\br s\bsp\bpe\bec\bci\bia\bal\bl c\bch\bha\bar\bra\bac\bct\bte\ber\brs\bs a\ban\bnd\bd r\bre\bes\bse\ber\brv\bve\bed\bd w\bwo\bor\brd\bds\bs
authenticate If set, users must authenticate themselves via a
password (or other means of authentication) before they
- may run commands. This default may be overridden via
- the PASSWD and NOPASSWD tags. This flag is _\bo_\bn by
- default.
-
- closefrom_override
- If set, the user may use s\bsu\bud\bdo\bo's -\b-C\bC option which
-1.8.0a1 May 25, 2010 9
+1.8.0a2 May 30, 2010 9
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ may run commands. This default may be overridden via
+ the PASSWD and NOPASSWD tags. This flag is _\bo_\bn by
+ default.
+
+ closefrom_override
+ If set, the user may use s\bsu\bud\bdo\bo's -\b-C\bC option which
overrides the default starting point at which s\bsu\bud\bdo\bo
begins closing open file descriptors. This flag is _\bo_\bf_\bf
by default.
- compress_transcript
- If set, and the _\bt_\br_\ba_\bn_\bs_\bc_\br_\bi_\bp_\bt flag is also set, s\bsu\bud\bdo\bo will
- compress the transcript logs using z\bzl\bli\bib\bb. This flag is
- _\bo_\bn by default when s\bsu\bud\bdo\bo is compiled with z\bzl\bli\bib\bb support.
+ compress_io If set, and s\bsu\bud\bdo\bo is configured to log a command's input
+ or output, the I/O logs will be compressed using z\bzl\bli\bib\bb.
+ This flag is _\bo_\bn by default when s\bsu\bud\bdo\bo is compiled with
+ z\bzl\bli\bib\bb support.
env_editor If set, v\bvi\bis\bsu\bud\bdo\bo will use the value of the EDITOR or
VISUAL environment variables before falling back on the
flag is _\bo_\bf_\bf by default.
fqdn Set this flag if you want to put fully qualified host
- names in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. I.e., instead of myhost you
- would use myhost.mydomain.edu. You may still use the
- short form if you wish (and even mix the two). Beware
- that turning on _\bf_\bq_\bd_\bn requires s\bsu\bud\bdo\bo to make DNS lookups
- which may make s\bsu\bud\bdo\bo unusable if DNS stops working (for
- example if the machine is not plugged into the
-1.8.0a1 May 25, 2010 10
+1.8.0a2 May 30, 2010 10
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ names in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. I.e., instead of myhost you
+ would use myhost.mydomain.edu. You may still use the
+ short form if you wish (and even mix the two). Beware
+ that turning on _\bf_\bq_\bd_\bn requires s\bsu\bud\bdo\bo to make DNS lookups
+ which may make s\bsu\bud\bdo\bo unusable if DNS stops working (for
+ example if the machine is not plugged into the
network). Also note that you must use the host's
official name as DNS knows it. That is, you may not
use a host alias (CNAME entry) due to performance
does not enter the correct password. This flag is _\bo_\bf_\bf
by default.
- mail_no_host If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
- invoking user exists in the _\bs_\bu_\bd_\bo_\be_\br_\bs file, but is not
- allowed to run commands on the current host. This flag
- is _\bo_\bf_\bf by default.
-
-
-1.8.0a1 May 25, 2010 11
+1.8.0a2 May 30, 2010 11
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ mail_no_host If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
+ invoking user exists in the _\bs_\bu_\bd_\bo_\be_\br_\bs file, but is not
+ allowed to run commands on the current host. This flag
+ is _\bo_\bf_\bf by default.
+
mail_no_perms If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
invoking user is allowed to use s\bsu\bud\bdo\bo but the command
they are trying is not listed in their _\bs_\bu_\bd_\bo_\be_\br_\bs file
able to determine the length of the password being
entered. This flag is _\bo_\bf_\bf by default.
- requiretty If set, s\bsu\bud\bdo\bo will only run when the user is logged in
- to a real tty. When this flag is set, s\bsu\bud\bdo\bo can only be
- run from a login session and not via other means such
- as _\bc_\br_\bo_\bn(1m) or cgi-bin scripts. This flag is _\bo_\bf_\bf by
-
-1.8.0a1 May 25, 2010 12
+1.8.0a2 May 30, 2010 12
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ requiretty If set, s\bsu\bud\bdo\bo will only run when the user is logged in
+ to a real tty. When this flag is set, s\bsu\bud\bdo\bo can only be
+ run from a login session and not via other means such
+ as _\bc_\br_\bo_\bn(1m) or cgi-bin scripts. This flag is _\bo_\bf_\bf by
default.
root_sudo If set, root is allowed to run s\bsu\bud\bdo\bo too. Disabling
shell as root (the shell is determined by the SHELL
environment variable if it is set, falling back on the
shell listed in the invoking user's /etc/passwd entry
- if not). This flag is _\bo_\bf_\bf by default.
- stay_setuid Normally, when s\bsu\bud\bdo\bo executes a command the real and
- effective UIDs are set to the target user (root by
-
-1.8.0a1 May 25, 2010 13
+1.8.0a2 May 30, 2010 13
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ if not). This flag is _\bo_\bf_\bf by default.
+
+ stay_setuid Normally, when s\bsu\bud\bdo\bo executes a command the real and
+ effective UIDs are set to the target user (root by
default). This option changes that behavior such that
the real UID is left as the invoking user's UID. In
other words, this makes s\bsu\bud\bdo\bo act as a setuid wrapper.
not listed in the passwd database as an argument to the
-\b-u\bu option. This flag is _\bo_\bf_\bf by default.
- transcript If set, s\bsu\bud\bdo\bo will log a transcript of the command being
- run, similar to the _\bs_\bc_\br_\bi_\bp_\bt(1) command. In this mode
- s\bsu\bud\bdo\bo will allocate a new _\bp_\bs_\be_\bu_\bd_\bo _\bt_\bt_\by and log all input
- and output for the command (except when echo is turned
- off as when a password is entered). Transcripts are
- logged to the _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bs_\be_\bs_\bs_\bi_\bo_\bn directory with a
- unique transcript ID that is included in the normal
- s\bsu\bud\bdo\bo log line, prefixed with _\bT_\bS_\bI_\bD_\b=.
-
- Transcripts may be viewed with the _\bs_\bu_\bd_\bo_\br_\be_\bp_\bl_\ba_\by(1m)
+ log_input If set, s\bsu\bud\bdo\bo will run the command in a _\bp_\bs_\be_\bu_\bd_\bo _\bt_\bt_\by and
+ log all user input. If the standard input is not
+ connected to the user's tty, due to I/O redirection or
+ because the command is part of a pipeline, that input
+ is also captured and stored in a separate log file.
+
+ Input is logged to the _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo directory using
+ a unique session ID that is included in the normal s\bsu\bud\bdo\bo
+ log line, prefixed with _\bT_\bS_\bI_\bD_\b=.
+
+ log_output If set, s\bsu\bud\bdo\bo will run the command in a _\bp_\bs_\be_\bu_\bd_\bo _\bt_\bt_\by and
+ log all output that is sent to the screen, similar to
+ the _\bs_\bc_\br_\bi_\bp_\bt(1) command. If the standard output or
+ standard error is not connected to the user's tty, due
+ to I/O redirection or because the command is part of a
+ pipeline, that output is also captured and stored in
+ separate log files.
+
+ Output is logged to the _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo directory
+ using a unique session ID that is included in the
+ normal s\bsu\bud\bdo\bo log line, prefixed with _\bT_\bS_\bI_\bD_\b=.
+
+ Output logs may be viewed with the _\bs_\bu_\bd_\bo_\br_\be_\bp_\bl_\ba_\by(1m)
utility, which can also be used to list or search the
- available transcripts.
-
- A side effect of this mode is that it will not be
- possible to suspend the command being run (because it
- is running in a different tty with its own job
- control). If a shell is being run, commands executed
- by that shell will have normal job control but the
- shell itself may not be suspended.
+ available logs.
tty_tickets If set, users must authenticate on a per-tty basis.
Normally, s\bsu\bud\bdo\bo uses a directory in the ticket dir with
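Review bot: The new log_input entry (from "If set, sudo will run the command in a pseudo tty and log all user input" through the TSID= sentence) drops the qualification the removed transcript text carried, "except when echo is turned off as when a password is entered", so a reader can no longer tell whether passwords and other input typed with echo off are written to /var/log/sudo-io. State explicitly what is captured in that case; an administrator deciding whether to enable LOG_INPUT needs to know whether credentials typed into the session can land in the I/O log, and the FILES entry should then say who may read that directory. Two smaller gaps in the same hunk: the removed paragraph about the command not being suspendable (separate tty with its own job control) has no replacement although both log_input and log_output still run the command in a pseudo tty, so either restore it under both options if the limitation still holds or say that it no longer applies; and only log_output mentions sudoreplay, while log_input says nothing about how input logs are viewed, and neither says whether the "unique session ID" is shared when both options are set (the prefix is still TSID=, presumably to keep the log-line format unchanged; say so if that is intended).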
user is logged in on in that directory. This flag is
_\bo_\bf_\bf by default.
- umask_override If set, s\bsu\bud\bdo\bo will set the umask as specified by _\bs_\bu_\bd_\bo_\be_\br_\bs
- without modification. This makes it possible to
- specify a more permissive umask in _\bs_\bu_\bd_\bo_\be_\br_\bs than the
- user's own umask and matches historical behavior. If
- _\bu_\bm_\ba_\bs_\bk_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is not set, s\bsu\bud\bdo\bo will set the umask to
- be the union of the user's umask and what is specified
- in _\bs_\bu_\bd_\bo_\be_\br_\bs. This flag is _\bo_\bf_\bf by default.
-
- use_loginclass If set, s\bsu\bud\bdo\bo will apply the defaults specified for the
- target user's login class if one exists. Only
-1.8.0a1 May 25, 2010 14
+1.8.0a2 May 30, 2010 14
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ umask_override If set, s\bsu\bud\bdo\bo will set the umask as specified by _\bs_\bu_\bd_\bo_\be_\br_\bs
+ without modification. This makes it possible to
+ specify a more permissive umask in _\bs_\bu_\bd_\bo_\be_\br_\bs than the
+ user's own umask and matches historical behavior. If
+ _\bu_\bm_\ba_\bs_\bk_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is not set, s\bsu\bud\bdo\bo will set the umask to
+ be the union of the user's umask and what is specified
+ in _\bs_\bu_\bd_\bo_\be_\br_\bs. This flag is _\bo_\bf_\bf by default.
+
+ use_loginclass If set, s\bsu\bud\bdo\bo will apply the defaults specified for the
+ target user's login class if one exists. Only
available if s\bsu\bud\bdo\bo is configured with the
--with-logincap option. This flag is _\bo_\bf_\bf by default.
fractional component if minute granularity is
insufficient, for example 2.5. The default is 5. Set
this to 0 to always prompt for a password. If set to a
- value less than 0 the user's timestamp will never
- expire. This can be used to allow users to create or
- delete their own timestamps via sudo -v and sudo -k
- respectively.
- umask Umask to use when running the command. Negate this
- option or set it to 0777 to preserve the user's umask.
- The actual umask that is used will be the union of the
- user's umask and 0022. This guarantees that s\bsu\bud\bdo\bo never
- lowers the umask when running a command. Note on
-
-1.8.0a1 May 25, 2010 15
+1.8.0a2 May 30, 2010 15
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ value less than 0 the user's timestamp will never
+ expire. This can be used to allow users to create or
+ delete their own timestamps via sudo -v and sudo -k
+ respectively.
+
+ umask Umask to use when running the command. Negate this
+ option or set it to 0777 to preserve the user's umask.
+ The actual umask that is used will be the union of the
+ user's umask and 0022. This guarantees that s\bsu\bud\bdo\bo never
+ lowers the umask when running a command. Note on
systems that use PAM, the default PAM configuration may
specify its own umask which will override the value set
in _\bs_\bu_\bd_\bo_\be_\br_\bs.
for (respects the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and _\br_\bu_\bn_\ba_\bs_\bp_\bw
flags in _\bs_\bu_\bd_\bo_\be_\br_\bs)
- %U expanded to the login name of the user the command
- will be run as (defaults to root)
- %u expanded to the invoking user's login name
- %% two consecutive % characters are collapsed into a
- single % character
- The default value is Password:.
+1.8.0a2 May 30, 2010 16
-1.8.0a1 May 25, 2010 16
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ %U expanded to the login name of the user the command
+ will be run as (defaults to root)
+ %u expanded to the invoking user's login name
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ %% two consecutive % characters are collapsed into a
+ single % character
+ The default value is Password:.
runas_default The default user to run commands as if the -\b-u\bu option is
not specified on the command line. This defaults to
Users in this group are exempt from password and PATH
requirements. This is not set by default.
- lecture This option controls when a short lecture will be printed
- along with the password prompt. It has the following
- possible values:
- always Always lecture the user.
- never Never lecture the user.
+1.8.0a2 May 30, 2010 17
- once Only lecture the user the first time they run s\bsu\bud\bdo\bo.
-1.8.0a1 May 25, 2010 17
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ lecture This option controls when a short lecture will be printed
+ along with the password prompt. It has the following
+ possible values:
+ always Always lecture the user.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ never Never lecture the user.
+ once Only lecture the user the first time they run s\bsu\bud\bdo\bo.
If no value is specified, a value of _\bo_\bn_\bc_\be is implied.
Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
quotes (") to protect against s\bsu\bud\bdo\bo interpreting the @ sign.
Defaults to the name of the user running s\bsu\bud\bdo\bo.
- mailto Address to send warning and error mail to. The address
- should be enclosed in double quotes (") to protect against
- s\bsu\bud\bdo\bo interpreting the @ sign. Defaults to root.
-
- secure_path Path used for every command run from s\bsu\bud\bdo\bo. If you don't
- trust the people running s\bsu\bud\bdo\bo to have a sane PATH
- environment variable you may want to use this. Another use
- is if you want to have the "root path" be separate from the
- "user path." Users in the group specified by the
-
-1.8.0a1 May 25, 2010 18
+1.8.0a2 May 30, 2010 18
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ mailto Address to send warning and error mail to. The address
+ should be enclosed in double quotes (") to protect against
+ s\bsu\bud\bdo\bo interpreting the @ sign. Defaults to root.
+
+ secure_path Path used for every command run from s\bsu\bud\bdo\bo. If you don't
+ trust the people running s\bsu\bud\bdo\bo to have a sane PATH
+ environment variable you may want to use this. Another use
+ is if you want to have the "root path" be separate from the
+ "user path." Users in the group specified by the
_\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option are not affected by _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh. This
option is not set by default.
environment variables to check is displayed when s\bsu\bud\bdo\bo
is run by root with the _\b-_\bV option.
- env_delete Environment variables to be removed from the user's
- environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is not in effect.
- The argument may be a double-quoted, space-separated
- list or a single value without double-quotes. The list
- can be replaced, added to, deleted from, or disabled by
- using the =, +=, -=, and ! operators respectively. The
- default list of environment variables to remove is
- displayed when s\bsu\bud\bdo\bo is run by root with the _\b-_\bV option.
- Note that many operating systems will remove
-1.8.0a1 May 25, 2010 19
+1.8.0a2 May 30, 2010 19
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ env_delete Environment variables to be removed from the user's
+ environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is not in effect.
+ The argument may be a double-quoted, space-separated
+ list or a single value without double-quotes. The list
+ can be replaced, added to, deleted from, or disabled by
+ using the =, +=, -=, and ! operators respectively. The
+ default list of environment variables to remove is
+ displayed when s\bsu\bud\bdo\bo is run by root with the _\b-_\bV option.
+ Note that many operating systems will remove
potentially dangerous variables from the environment of
any setuid process (such as s\bsu\bud\bdo\bo).
_\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bg_\br_\bo_\bu_\bp List of network groups
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bs_\be_\bs_\bs_\bi_\bo_\bn Transcript logs
+ _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo I/O log files
E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of these are a bit
Runas_Alias ADMINGRP = adm, oper
# Host alias specification
- Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
- SGI = grolsch, dandelion, black :\
- ALPHA = widget, thalamus, foobar :\
- HPPA = boa, nag, python
- Host_Alias CUNETS = 128.138.0.0/255.255.0.0
- Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
- Host_Alias SERVERS = master, mail, www, ns
- Host_Alias CDROM = orion, perseus, hercules
-
-1.8.0a1 May 25, 2010 20
+1.8.0a2 May 30, 2010 20
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
+ SGI = grolsch, dandelion, black :\
+ ALPHA = widget, thalamus, foobar :\
+ HPPA = boa, nag, python
+ Host_Alias CUNETS = 128.138.0.0/255.255.0.0
+ Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
+ Host_Alias SERVERS = master, mail, www, ns
+ Host_Alias CDROM = orion, perseus, hercules
+
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
/usr/sbin/restore, /usr/sbin/rrestore
FULLTIMERS ALL = NOPASSWD: ALL
Full time sysadmins (m\bmi\bil\bll\ble\ber\brt\bt, m\bmi\bik\bke\bef\bf, and d\bdo\bow\bwd\bdy\by) may run any command on
- any host without authenticating themselves.
- PARTTIMERS ALL = ALL
- Part time sysadmins (b\bbo\bos\bst\btl\ble\bey\by, j\bjw\bwf\bfo\box\bx, and c\bcr\bra\baw\bwl\bl) may run any command on
- any host but they must authenticate themselves first (since the entry
- lacks the NOPASSWD tag).
- jack CSNETS = ALL
+1.8.0a2 May 30, 2010 21
-1.8.0a1 May 25, 2010 21
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ any host without authenticating themselves.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ PARTTIMERS ALL = ALL
+
+ Part time sysadmins (b\bbo\bos\bst\btl\ble\bey\by, j\bjw\bwf\bfo\box\bx, and c\bcr\bra\baw\bwl\bl) may run any command on
+ any host but they must authenticate themselves first (since the entry
+ lacks the NOPASSWD tag).
+ jack CSNETS = ALL
The user j\bja\bac\bck\bk may run any command on the machines in the _\bC_\bS_\bN_\bE_\bT_\bS alias
(the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of
The user j\bji\bim\bm may run any command on machines in the _\bb_\bi_\bg_\bl_\ba_\bb netgroup.
s\bsu\bud\bdo\bo knows that "biglab" is a netgroup due to the '+' prefix.
- +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
- Users in the s\bse\bec\bcr\bre\bet\bta\bar\bri\bie\bes\bs netgroup need to help manage the printers as
- well as add and remove users, so they are allowed to run those commands
- on all machines.
- fred ALL = (DB) NOPASSWD: ALL
- The user f\bfr\bre\bed\bd can run commands as any user in the _\bD_\bB Runas_Alias
- (o\bor\bra\bac\bcl\ble\be or s\bsy\byb\bba\bas\bse\be) without giving a password.
+1.8.0a2 May 30, 2010 22
-1.8.0a1 May 25, 2010 22
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ Users in the s\bse\bec\bcr\bre\bet\bta\bar\bri\bie\bes\bs netgroup need to help manage the printers as
+ well as add and remove users, so they are allowed to run those commands
+ on all machines.
+
+ fred ALL = (DB) NOPASSWD: ALL
+ The user f\bfr\bre\bed\bd can run commands as any user in the _\bD_\bB Runas_Alias
+ (o\bor\bra\bac\bcl\ble\be or s\bsy\byb\bba\bas\bse\be) without giving a password.
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
It is generally not effective to "subtract" commands from ALL using the
'!' operator. A user can trivially circumvent this by copying the
- desired command to a different name and then executing that. For
- example:
- bill ALL = ALL, !SU, !SHELLS
- Doesn't really prevent b\bbi\bil\bll\bl from running the commands listed in _\bS_\bU or
- _\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those commands to a different name, or
- use a shell escape from an editor or other program. Therefore, these
- kind of restrictions should be considered advisory at best (and
- reinforced by policy).
+1.8.0a2 May 30, 2010 23
-1.8.0a1 May 25, 2010 23
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ desired command to a different name and then executing that. For
+ example:
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ bill ALL = ALL, !SU, !SHELLS
+ Doesn't really prevent b\bbi\bil\bll\bl from running the commands listed in _\bS_\bU or
+ _\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those commands to a different name, or
+ use a shell escape from an editor or other program. Therefore, these
+ kind of restrictions should be considered advisory at best (and
+ reinforced by policy).
Furthermore, if the _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb option is in use, it is not possible to
reliably negate commands where the path name includes globbing (aka
emulation are not affected.
To tell whether or not s\bsu\bud\bdo\bo supports _\bn_\bo_\be_\bx_\be_\bc, you can run the
- following as root:
- sudo -V | grep "dummy exec"
- If the resulting output contains a line that begins with:
- File containing dummy exec functions:
+1.8.0a2 May 30, 2010 24
- then s\bsu\bud\bdo\bo may be able to replace the exec family of functions
- in the standard library with its own that simply return an
- error. Unfortunately, there is no foolproof way to know
-1.8.0a1 May 25, 2010 24
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ following as root:
+ sudo -V | grep "dummy exec"
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ If the resulting output contains a line that begins with:
+ File containing dummy exec functions:
+ then s\bsu\bud\bdo\bo may be able to replace the exec family of functions
+ in the standard library with its own that simply return an
+ error. Unfortunately, there is no foolproof way to know
whether or not _\bn_\bo_\be_\bx_\be_\bc will work at compile-time. _\bn_\bo_\be_\bx_\be_\bc
should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX,
MacOS X, and HP-UX 11.x. It is known n\bno\bot\bt to work on AIX and
B\bBU\bUG\bGS\bS
If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
- http://www.sudo.ws/sudo/bugs/
-S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Limited free support is available via the sudo-users mailing list, see
- http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
- the archives.
-D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
- including, but not limited to, the implied warranties of
- merchantability and fitness for a particular purpose are disclaimed.
+1.8.0a2 May 30, 2010 25
-1.8.0a1 May 25, 2010 25
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ http://www.sudo.ws/sudo/bugs/
+S\bSU\bUP\bPP\bPO\bOR\bRT\bT
+ Limited free support is available via the sudo-users mailing list, see
+ http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
+ the archives.
+D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
+ s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
+ including, but not limited to, the implied warranties of
+ merchantability and fitness for a particular purpose are disclaimed.
See the LICENSE file distributed with s\bsu\bud\bdo\bo or
http://www.sudo.ws/sudo/license.html for complete details.
-
-
-
-
-
-
-
-
-
-
-
-1.8.0a1 May 25, 2010 26
+1.8.0a2 May 30, 2010 26
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "May 25, 2010" "1.8.0a1" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "May 30, 2010" "1.8.0a2" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
\&
\}
\& Tag_Spec ::= (\*(AqNOPASSWD:\*(Aq | \*(AqPASSWD:\*(Aq | \*(AqNOEXEC:\*(Aq | \*(AqEXEC:\*(Aq |
-\& \*(AqSETENV:\*(Aq | \*(AqNOSETENV:\*(Aq | \*(AqTRANSCRIPT:\*(Aq | \*(AqNOTRANSCRIPT:\*(Aq)
+\& \*(AqSETENV:\*(Aq | \*(AqNOSETENV:\*(Aq | \*(AqLOG_INPUT:\*(Aq | \*(AqNOLOG_INPUT:\*(Aq |
+\& \*(AqLOG_OUTPUT:\*(Aq | \*(AqNOLOG_OUTPUT:\*(Aq)
.Ve
.PP
A \fBuser specification\fR determines which commands a user may run
.IX Subsection "Tag_Spec"
A command may have zero or more tags associated with it. There are
eight possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR,
-\&\f(CW\*(C`EXEC\*(C'\fR, \f(CW\*(C`SETENV\*(C'\fR, \f(CW\*(C`NOSETENV\*(C'\fR, \f(CW\*(C`TRANSCRIPT\*(C'\fR and \f(CW\*(C`NOTRANSCRIPT\*(C'\fR.
-Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR, subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the
-\&\f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless it is overridden by the
-opposite tag (i.e.: \f(CW\*(C`PASSWD\*(C'\fR overrides \f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOEXEC\*(C'\fR
-overrides \f(CW\*(C`EXEC\*(C'\fR).
+\&\f(CW\*(C`EXEC\*(C'\fR, \f(CW\*(C`SETENV\*(C'\fR, \f(CW\*(C`NOSETENV\*(C'\fR, \f(CW\*(C`LOG_INPUT\*(C'\fR, \f(CW\*(C`NOLOG_INPUT\*(C'\fR,
+\&\f(CW\*(C`LOG_OUTPUT\*(C'\fR and \f(CW\*(C`NOLOG_OUTPUT\*(C'\fR. Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR,
+subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless
+it is overridden by the opposite tag (i.e.: \f(CW\*(C`PASSWD\*(C'\fR overrides
+\&\f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOEXEC\*(C'\fR overrides \f(CW\*(C`EXEC\*(C'\fR).
.PP
\fI\s-1NOPASSWD\s0 and \s-1PASSWD\s0\fR
.IX Subsection "NOPASSWD and PASSWD"
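Review bot: Same stale count as in the preformatted copy: "eight possible tag values" in the unchanged line before this hunk is now followed by a ten-item list. Both copies of the paragraph in this patch need the same correction.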
\&\f(CW\*(C`SETENV\*(C'\fR tag is implied for that command; this default may
be overridden by use of the \f(CW\*(C`UNSETENV\*(C'\fR tag.
.PP
-\fI\s-1TRANSCRIPT\s0 and \s-1NOTRANSCRIPT\s0\fR
-.IX Subsection "TRANSCRIPT and NOTRANSCRIPT"
+\fI\s-1LOG_INPUT\s0 and \s-1NOLOG_INPUT\s0\fR
+.IX Subsection "LOG_INPUT and NOLOG_INPUT"
.PP
-These tags override the value of the \fItranscript\fR option on a
+These tags override the value of the \fIlog_input\fR option on a
per-command basis. For more information, see the description of
-\&\fItranscript\fR in the \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" section below.
+\&\fIlog_input\fR in the \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" section below.
+.PP
+\fI\s-1LOG_OUTPUT\s0 and \s-1NOLOG_OUTPUT\s0\fR
+.IX Subsection "LOG_OUTPUT and NOLOG_OUTPUT"
+.PP
+These tags override the value of the \fIlog_output\fR option on a
+per-command basis. For more information, see the description of
+\&\fIlog_output\fR in the \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" section below.
.SS "Wildcards"
.IX Subsection "Wildcards"
\&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters)
If set, the user may use \fBsudo\fR's \fB\-C\fR option which
overrides the default starting point at which \fBsudo\fR begins
closing open file descriptors. This flag is \fIoff\fR by default.
-.IP "compress_transcript" 16
-.IX Item "compress_transcript"
-If set, and the \fItranscript\fR flag is also set, \fBsudo\fR will compress
-the transcript logs using \fBzlib\fR. This flag is \fIon\fR by default
-when \fBsudo\fR is compiled with \fBzlib\fR support.
+.IP "compress_io" 16
+.IX Item "compress_io"
+If set, and \fBsudo\fR is configured to log a command's input or output,
+the I/O logs will be compressed using \fBzlib\fR. This flag is \fIon\fR
+by default when \fBsudo\fR is compiled with \fBzlib\fR support.
.IP "env_editor" 16
.IX Item "env_editor"
If set, \fBvisudo\fR will use the value of the \s-1EDITOR\s0 or \s-1VISUAL\s0
include the target user's name. Note that this flag precludes the
use of a uid not listed in the passwd database as an argument to
the \fB\-u\fR option. This flag is \fIoff\fR by default.
-.IP "transcript" 16
-.IX Item "transcript"
-If set, \fBsudo\fR will log a transcript of the command being run,
-similar to the \fIscript\fR\|(1) command. In this mode \fBsudo\fR will allocate
-a new \fIpseudo tty\fR and log all input and output for the command (except
-when echo is turned off as when a password is entered). Transcripts
-are logged to the \fI/var/log/sudo\-session\fR directory with a unique
-transcript \s-1ID\s0 that is included in the normal \fBsudo\fR log line,
-prefixed with \fITSID=\fR.
+.IP "log_input" 16
+.IX Item "log_input"
+If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
+user input.
+If the standard input is not connected to the user's tty, due to
+I/O redirection or because the command is part of a pipeline, that
+input is also captured and stored in a separate log file.
+.Sp
+Input is logged to the \fI/var/log/sudo\-io\fR directory using a unique
+session \s-1ID\s0 that is included in the normal \fBsudo\fR log line, prefixed
+with \fITSID=\fR.
+.IP "log_output" 16
+.IX Item "log_output"
+If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
+output that is sent to the screen, similar to the \fIscript\fR\|(1) command.
+If the standard output or standard error is not connected to the
+user's tty, due to I/O redirection or because the command is part
+of a pipeline, that output is also captured and stored in separate
+log files.
.Sp
-Transcripts may be viewed with the \fIsudoreplay\fR\|(@mansectsu@) utility, which
-can also be used to list or search the available transcripts.
+Output is logged to the
+\&\fI/var/log/sudo\-io\fR directory using a unique session \s-1ID\s0 that is
+included in the normal \fBsudo\fR log line, prefixed with \fITSID=\fR.
.Sp
-A side effect of this mode is that it will not be possible to suspend
-the command being run (because it is running in a different tty
-with its own job control). If a shell is being run, commands
-executed by that shell will have normal job control but the shell
-itself may not be suspended.
+Output logs may be viewed with the \fIsudoreplay\fR\|(@mansectsu@) utility, which
+can also be used to list or search the available logs.
.IP "tty_tickets" 16
.IX Item "tty_tickets"
If set, users must authenticate on a per-tty basis. Normally,
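Review bot: The roff copy of log_input and log_output has the same omissions as the preformatted text in this patch: nothing says whether input typed while echo is off (passwords) is written to the input log, the removed "side effect of this mode" paragraph about job control and suspension has no replacement although both options still run the command in a pseudo tty, and only the log_output item points at sudoreplay. Whatever wording is chosen should be applied to both copies.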
.IP "\fI/etc/netgroup\fR" 24
.IX Item "/etc/netgroup"
List of network groups
-.IP "\fI/var/log/sudo\-session\fR" 24
-.IX Item "/var/log/sudo-session"
-Transcript logs
+.IP "\fI/var/log/sudo\-io\fR" 24
+.IX Item "/var/log/sudo-io"
+I/O log files
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Below are example \fIsudoers\fR entries. Admittedly, some of