.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
.\" IT IS GENERATED AUTOMATICALLY FROM sudo_plugin.mdoc.in
.\"
-.\" Copyright (c) 2009-2017 Todd C. Miller <Todd.Miller@sudo.ws>
+.\" Copyright (c) 2009-2018 Todd C. Miller <Todd.Miller@sudo.ws>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
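Review bot: the first two lines of this file state that it is generated from sudo_plugin.mdoc.in and must not be edited by hand, so the `\(Lq`/`\(Rq` to `\(lq`/`\(rq` rewrite and the 2009-2018 copyright bump in this hunk will be reverted the next time the .man.in pages are regenerated unless the same change is made in the .mdoc.in master or in the mdoc-to-man conversion step that emits these escapes. Please confirm that the generator side is part of this series and that these files were regenerated rather than patched by hand, so the two stay in sync.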
A vector of user-supplied
\fBsudo\fR
settings in the form of
-\(Lqname=value\(Rq
+\(lqname=value\(rq
strings.
The vector is terminated by a
\fRNULL\fR
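Review bot: the direction of this hunk is right, since roff glyph names are case-sensitive and `\(lq`/`\(rq` are the documented left and right double quotation mark glyphs in groff_char(7) and mandoc_char(7), whereas the capitalized `\(Lq`/`\(Rq` are not, so a formatter that does not define them emits nothing (or a warning) and the quotation marks silently vanish from the rendered page. Before merging, check that no capitalized form survives anywhere in the generated pages, for example with `grep -n '\\(Lq\|\\(Rq' *.man.in`, and view one page under both `groff -man -Tascii` and `mandoc -Tascii` to confirm the quotes now render on each.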
network_addrs=list
A space-separated list of IP network addresses and netmasks in the
form
-\(Lqaddr/netmask\(Rq,
+\(lqaddr/netmask\(rq,
e.g.\&
-\(Lq192.168.1.2/255.255.255.0\(Rq.
+\(lq192.168.1.2/255.255.255.0\(rq.
The address and netmask pairs may be either IPv4 or IPv6, depending on
what the operating system supports.
If the address contains a colon
.TP 6n
progname=string
The command name that sudo was run as, typically
-\(Lqsudo\(Rq
+\(lqsudo\(rq
or
-\(Lqsudoedit\(Rq.
+\(lqsudoedit\(rq.
.TP 6n
prompt=string
The prompt to use when requesting a password, if specified via
.TP 6n
user_info
A vector of information about the user running the command in the form of
-\(Lqname=value\(Rq
+\(lqname=value\(rq
strings.
The vector is terminated by a
\fRNULL\fR
The path to the user's terminal device.
If the user has no terminal device associated with the session,
the value will be empty, as in
-\(Lq\fRtty=\fR\(Rq.
+\(lq\fRtty=\fR\(rq.
.TP 6n
uid=uid_t
The real user ID of the user invoking
user_env
The user's environment in the form of a
\fRNULL\fR-terminated vector of
-\(Lqname=value\(Rq
+\(lqname=value\(rq
strings.
.sp
When parsing
\fIargv_out\fR,
separated from the
editor and its arguments by a
-\(Lq\fR--\fR\(Rq
+\(lq\fR--\fR\(rq
element.
The
-\(Lq\fR--\fR\(Rq
+\(lq\fR--\fR\(rq
will
be removed by
\fBsudo\fR
line in the form of a
\fRNULL\fR-terminated
vector of
-\(Lqname=value\(Rq
+\(lqname=value\(rq
strings.
The plugin may reject the command if one or more variables
are not allowed to be set, or it may silently ignore such variables.
.TP 6n
command_info
Information about the command being run in the form of
-\(Lqname=value\(Rq
+\(lqname=value\(rq
strings.
These values are used by
\fBsudo\fR
run in, in the form of a
\fRNULL\fR-terminated
vector of
-\(Lqname=value\(Rq
+\(lqname=value\(rq
strings.
This is the same string passed back to the front end via
the Policy Plugin's
A vector of user-supplied
\fBsudo\fR
settings in the form of
-\(Lqname=value\(Rq
+\(lqname=value\(rq
strings.
The vector is terminated by a
\fRNULL\fR
.TP 6n
user_info
A vector of information about the user running the command in the form of
-\(Lqname=value\(Rq
+\(lqname=value\(rq
strings.
The vector is terminated by a
\fRNULL\fR
The user's environment in the form of a
\fRNULL\fR-terminated
vector of
-\(Lqname=value\(Rq
+\(lqname=value\(rq
strings.
.sp
When parsing
A plugin may also accept a
\fIrunas_user\fR
in the form of
-\(Lquser@hostname\(Rq
+\(lquser@hostname\(rq
which will work with older versions of
\fBsudo\fR.
It is anticipated that remote commands will be supported by executing a
-\(Lqhelper\(Rq
+\(lqhelper\(rq
program.
The policy plugin should setup the execution environment such that the
\fBsudo\fR
.SH "DISCLAIMER"
\fBsudo\fR
is provided
-\(LqAS IS\(Rq
+\(lqAS IS\(rq
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
.fi
.PP
Without the
-\(Lq\fR=()*\fR\(Rq
+\(lq\fR=()*\fR\(rq
suffix, this would not match, as
\fBbash\fR
shell functions are not preserved by default.
The complete list of environment variables that
\fBsudo\fR
allows or denies is contained in the output of
-\(Lq\fRsudo -V\fR\(Rq
+\(lq\fRsudo -V\fR\(rq
when run as root.
Please note that this list varies based on the operating system
\fBsudo\fR
operators, which many readers will recognize from regular
expressions.
Do not, however, confuse them with
-\(Lqwildcard\(Rq
+\(lqwildcard\(rq
characters, which have different meanings.
.TP 6n
\fR\&?\fR
only inspects actual network interfaces; this means that IP address
127.0.0.1 (localhost) will never match.
Also, the host name
-\(Lqlocalhost\(Rq
+\(lqlocalhost\(rq
will only match if that is the actual host name, which is usually
only the case for non-networked systems.
.nf
\(oq=\&\(cq,
\(oq\e\(cq.
The built-in command
-\(Lq\fRsudoedit\fR\(Rq
+\(lq\fRsudoedit\fR\(rq
is used to permit a user to run
\fBsudo\fR
with the
\fBsudoedit\fR).
It may take command line arguments just as a normal command does.
Note that
-\(Lq\fRsudoedit\fR\(Rq
+\(lq\fRsudoedit\fR\(rq
is a command built into
\fBsudo\fR
itself and must be specified in the
but this can be changed on a per-command basis.
.PP
The basic structure of a user specification is
-\(Lqwho where = (as_whom) what\(Rq.
+\(lqwho where = (as_whom) what\(rq.
Let's break that down into its constituent parts:
.SS "Runas_Spec"
A
.fi
.PP
In addition, there are several
-\(Lqspecial\(Rq
+\(lqspecial\(rq
privilege strings:
.TP 10n
none
\fRNOPASSWD\fR
tag is applied to any of the entries for a user on the current host,
he or she will be able to run
-\(Lq\fRsudo -l\fR\(Rq
+\(lq\fRsudo -l\fR\(rq
without a password.
Additionally, a user may only run
-\(Lq\fRsudo -v\fR\(Rq
+\(lq\fRsudo -v\fR\(rq
without a password if the
\fRNOPASSWD\fR
tag is present for all a user's entries that pertain to the current host.
and
fnmatch(3)
functions as specified by
-IEEE Std 1003.1 (\(LqPOSIX.1\(Rq).
+IEEE Std 1003.1 (\(lqPOSIX.1\(rq).
.TP 10n
\fR*\fR
Matches any set of zero or more characters (including white space).
\fR%h\fR
escape, signifying the short form of the host name.
In other words, if the machine's host name is
-\(Lqxerxes\(Rq,
+\(lqxerxes\(rq,
then
.nf
.sp
.PP
it would explicitly deny root but not match any other users.
This is different from a true
-\(Lqnegation\(Rq
+\(lqnegation\(rq
operator.
.PP
Note, however, that using a
in conjunction with the built-in
\fBALL\fR
alias to allow a user to run
-\(Lqall but a few\(Rq
+\(lqall but a few\(rq
commands rarely works as intended (see
\fISECURITY NOTES\fR
below).
In other words, instead of myhost you would use myhost.mydomain.edu.
You may still use the short form if you wish (and even mix the two).
This option is only effective when the
-\(Lqcanonical\(Rq
+\(lqcanonical\(rq
host name, as returned by the
\fBgetaddrinfo\fR()
or
If the system is configured to use the
\fI/etc/hosts\fR
file in preference to DNS, the
-\(Lqcanonical\(Rq
+\(lqcanonical\(rq
host name may not be fully-qualified.
The order that sources are queried for host name resolution
is usually specified in the
In the
\fI/etc/hosts\fR
file, the first host name of the entry is considered to be the
-\(Lqcanonical\(Rq
+\(lqcanonical\(rq
name; subsequent names are aliases that are not used by
\fBsudoers\fR.
For example, the following hosts file line for the machine
-\(Lqxyzzy\(Rq
+\(lqxyzzy\(rq
has the fully-qualified domain name as the
-\(Lqcanonical\(Rq
+\(lqcanonical\(rq
host name, and the short version as an alias.
.sp
.RS 24n
unusable if DNS stops working (for example if the machine is disconnected
from the network).
Also note that just like with the hosts file, you must use the
-\(Lqcanonical\(Rq
+\(lqcanonical\(rq
name as DNS knows it.
That is, you may not use a host alias
(\fRCNAME\fR
\fBsudo\fR
too.
Disabling this prevents users from
-\(Lqchaining\(Rq
+\(lqchaining\(rq
\fBsudo\fR
commands to get a root shell by doing something like
-\(Lq\fRsudo sudo /bin/sh\fR\(Rq.
+\(lq\fRsudo sudo /bin/sh\fR\(rq.
Note, however, that turning off
\fIroot_sudo\fR
will also prevent root from running
\fBsudo\fR
will prompt for a password even when it would be visible on the screen.
This makes it possible to run things like
-\(Lq\fRssh somehost sudo ls\fR\(Rq
+\(lq\fRssh somehost sudo ls\fR\(rq
since by default,
ssh(1)
does
.TP 18n
maxseq
The maximum sequence number that will be substituted for the
-\(Lq\fR%{seq}\fR\(Rq
+\(lq\fR%{seq}\fR\(rq
escape in the I/O log file (see the
\fIiolog_dir\fR
description above for more information).
While the value substituted for
-\(Lq\fR%{seq}\fR\(Rq
+\(lq\fR%{seq}\fR\(rq
is in base 36,
\fImaxseq\fR
itself should be expressed in decimal.
Values larger than 2176782336 (which corresponds to the
base 36 sequence number
-\(LqZZZZZZ\(Rq)
+\(lqZZZZZZ\(rq)
will be silently truncated to 2176782336.
The default value is 2176782336.
.sp
Once the local sequence number reaches the value of
\fImaxseq\fR,
it will
-\(Lqroll over\(Rq
+\(lqroll over\(rq
to zero, after which
\fBsudoers\fR
will truncate and re-use any existing I/O log path names.
\fIsyslog_maxlen\fR
bytes.
When a message is split, additional parts will include the string
-\(Lq(command continued)\(Rq
+\(lq(command continued)\(rq
after the user name and before the continued command line arguments.
.sp
This setting is only supported by version 1.8.19 or higher.
\fR0\fR
the user's time stamp will not expire until the system is rebooted.
This can be used to allow users to create or delete their own time stamps via
-\(Lq\fRsudo -v\fR\(Rq
+\(lq\fRsudo -v\fR\(rq
and
-\(Lq\fRsudo -k\fR\(Rq
+\(lq\fRsudo -k\fR\(rq
respectively.
.TP 18n
umask
\fIiolog_file\fR
may contain directory components.
The default is
-\(Lq\fR%{seq}\fR\(Rq.
+\(lq\fR%{seq}\fR\(rq.
.sp
See the
\fIiolog_dir\fR
\fR%h\fR
will expand to the host name of the machine.
Default is
-\(Lq\fR@mailsub@\fR\(Rq.
+\(lq\fR@mailsub@\fR\(rq.
.TP 18n
noexec_file
As of
\fB\-i\fR
option is specified.
The default value is
-\(Lq\fR@pam_login_service@\fR\(Rq.
+\(lq\fR@pam_login_service@\fR\(rq.
See the description of
\fIpam_service\fR
for more information.
\fI/etc/pam.d\fR
directory.
The default value is
-\(Lq\fRsudo\fR\(Rq.
+\(lq\fRsudo\fR\(rq.
.sp
This setting is only supported by version 1.8.8 or higher.
.TP 18n
On systems that use PAM for authentication,
\fIpassprompt\fR
will only be used if the prompt provided by the PAM module matches the string
-\(LqPassword: \(Rq
+\(lqPassword: \(rq
or
-\(Lqusername's Password: \(Rq.
+\(lqusername's Password: \(rq.
This ensures that the
\fIpassprompt\fR
setting does not interfere with challenge-response style authentication.
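Review bot: in the passprompt hunk the new strings `\(lqPassword: \(rq` and `\(lqusername's Password: \(rq` keep a trailing space inside the quotes, and that space is load-bearing: the text says passprompt is used only when the PAM module's prompt matches these strings, and the PAM prompt itself ends in a space. Make sure no trailing-whitespace cleanup in the editor or in the regeneration step strips it, since the quote change looks purely cosmetic and such a tool would not know the space is part of the documented match string.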
flag can be used to change this behavior.
.sp
The default value is
-\(Lq\fR@passprompt@\fR\(Rq.
+\(lq\fR@passprompt@\fR\(rq.
.RE
.TP 18n
privs
sending email.
Note that changing the locale may affect how sudoers is interpreted.
Defaults to
-\(Lq\fRC\fR\(Rq.
+\(lq\fRC\fR\(rq.
.TP 18n
timestamp_type
\fBsudoers\fR
option specifies the fully qualified path to a file containing variables
to be set in the environment of the program being run.
Entries in this file should either be of the form
-\(Lq\fRVARIABLE=value\fR\(Rq
+\(lq\fRVARIABLE=value\fR\(rq
or
-\(Lq\fRexport VARIABLE=value\fR\(Rq.
+\(lq\fRexport VARIABLE=value\fR\(rq.
The value may optionally be surrounded by single or double quotes.
Variables in this file are only added if the variable does not already
exist in the environment.
.TP 14n
mailfrom
Address to use for the
-\(Lqfrom\(Rq
+\(lqfrom\(rq
address when sending warning and error mail.
The address should be enclosed in double quotes
(\&"")
option specifies the fully qualified path to a file containing variables
to be set in the environment of the program being run.
Entries in this file should either be of the form
-\(Lq\fRVARIABLE=value\fR\(Rq
+\(lq\fRVARIABLE=value\fR\(rq
or
-\(Lq\fRexport VARIABLE=value\fR\(Rq.
+\(lq\fRexport VARIABLE=value\fR\(rq.
The value may optionally be surrounded by single or double quotes.
Variables in this file are only added if the variable does not already
exist in the environment.
\fRPATH\fR
environment variable you may want to use this.
Another use is if you want to have the
-\(Lqroot path\(Rq
+\(lqroot path\(rq
be separate from the
-\(Lquser path\(Rq.
+\(lquser path\(rq.
Users in the group specified by the
\fIexempt_group\fR
option are not affected by
env_check
Environment variables to be removed from the user's environment
unless they are considered
-\(Lqsafe\(Rq.
+\(lqsafe\(rq.
For all variables except
\fRTZ\fR,
-\(Lqsafe\(Rq
+\(lqsafe\(rq
means that the variable's value does not contain any
\(oq%\(cq
or
date
The date the command was run.
Typically, this is in the format
-\(LqMMM, DD, HH:MM:SS\(Rq.
+\(lqMMM, DD, HH:MM:SS\(rq.
If logging via
syslog(3),
the actual date format is controlled by the syslog daemon.
.TP 14n
ttyname
The short name of the terminal (e.g.\&
-\(Lqconsole\(Rq,
-\(Lqtty01\(Rq,
+\(lqconsole\(rq,
+\(lqtty01\(rq,
or
-\(Lqpts/0\(Rq)
+\(lqpts/0\(rq)
\fBsudo\fR
was run on, or
-\(Lqunknown\(Rq
+\(lqunknown\(rq
if there was no terminal present.
.TP 14n
cwd
Messages are logged using the locale specified by
\fIsudoers_locale\fR,
which defaults to the
-\(Lq\fRC\fR\(Rq
+\(lq\fRC\fR\(rq
locale.
.SS "Denied command log entries"
If the user is not allowed to run the command, the reason for the denial
Consider either changing the ownership of
\fI@sysconfdir@/sudoers\fR
or adding an argument like
-\(Lqsudoers_uid=N\(Rq
+\(lqsudoers_uid=N\(rq
(where
\(oqN\(cq
is the user ID that owns the
If you wish to change the
\fIsudoers\fR
file owner, please add
-\(Lqsudoers_uid=N\(Rq
+\(lqsudoers_uid=N\(rq
(where
\(oqN\(cq
is the user ID that owns the
file must not be world-writable, the default file mode
is 0440 (readable by owner and group, writable by none).
The default mode may be changed via the
-\(Lqsudoers_mode\(Rq
+\(lqsudoers_mode\(rq
option to the
\fBsudoers\fR
\fRPlugin\fR
If you wish to change the
\fIsudoers\fR
file group ownership, please add
-\(Lqsudoers_gid=N\(Rq
+\(lqsudoers_gid=N\(rq
(where
\(oqN\(cq
is the group ID that owns the
using a unique session ID that is included in the
\fBsudo\fR
log line, prefixed with
-\(Lq\fRTSID=\fR\(Rq.
+\(lq\fRTSID=\fR\(rq.
The
\fIiolog_file\fR
option may be used to control the format of the session ID.
netgroup.
\fBsudo\fR
knows that
-\(Lqbiglab\(Rq
+\(lqbiglab\(rq
is a netgroup due to the
\(oq+\(cq
prefix.
.SH "SECURITY NOTES"
.SS "Limitations of the \(oq!\&\(cq operator"
It is generally not effective to
-\(Lqsubtract\(Rq
+\(lqsubtract\(rq
commands from
\fBALL\fR
using the
sudo(@mansectsu@).
.PP
For example, to allow user operator to edit the
-\(Lqmessage of the day\(Rq
+\(lqmessage of the day\(rq
file:
.nf
.sp
If the
\fItimestamp_type\fR
option is set to
-\(Lqtty\(Rq,
+\(lqtty\(rq,
the time stamp record includes the device number of the terminal
the user authenticated with.
This provides per-terminal granularity but time stamp records may still
Unless the
\fItimestamp_type\fR
option is set to
-\(Lqglobal\(Rq,
+\(lqglobal\(rq,
the time stamp record also includes the session ID of the process
that last authenticated.
This prevents processes in different terminal sessions from using
If no terminal is present or the
\fItimestamp_type\fR
option is set to
-\(Lqppid\(Rq,
+\(lqppid\(rq,
the start time of the parent process is used instead.
In most cases this will prevent a time stamp record from being re-used
without the user entering a password when logging out and back in again.
.SH "DISCLAIMER"
\fBsudo\fR
is provided
-\(LqAS IS\(Rq
+\(lqAS IS\(rq
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.