-1.7.2 June 11, 2009 1
+1.7.2 June 23, 2009 1
'!'* '#'uid |
'!'* '%'group |
'!'* '+'netgroup |
+ '!'* '%:'nonunix_group |
'!'* User_Alias
A User_List is made up of one or more usernames, uids (prefixed with
operators. An odd number of '!' operators negate the value of the
item; an even number just cancel each other out.
+ A username, group, netgroup and nonunix_groups may be enclosed in
+ double quotes to avoid the need for escaping special characters.
+ Alternately, special characters may be specified in escaped hex mode,
+ e.g. \x20 for space.
+
+ The nonunix_group syntax depends on the underlying implementation. For
+ instance, the QAS AD backend supports the following formats:
+
+ +\bo Group in the same domain: "Group Name"
+
+ +\bo Group in any domain: "Group Name@FULLY.QUALIFIED.DOMAIN"
+
+ +\bo Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"
+
+ Note that quotes around group names are optional. Unquoted strings
+ must use a backslash (\) to escape spaces and the '@' symbol.
+
+
+
+
+1.7.2 June 23, 2009 2
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
Runas_List ::= Runas_Member |
Runas_Member ',' Runas_List
Host_List ::= Host |
Host ',' Host_List
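Review bot: the added sentence "A username, group, netgroup and nonunix_groups may be enclosed in double quotes" mixes singular and plural and uses "and" where the list is a choice; suggest "A username, group, netgroup or nonunix_group may be enclosed in double quotes", matching the grammar line `'!'* '%:'nonunix_group` added just above it. The same paragraph should also say whether the `\x20`-style hex escapes are honoured inside a quoted string or only in unquoted ones, since the QAS note that follows says unquoted strings must backslash-escape spaces and the '@' symbol but says nothing about escapes in the quoted form.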
-
-
-1.7.2 June 11, 2009 2
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
-
Host ::= '!'* hostname |
'!'* ip_addr |
'!'* network(/netmask)? |
other aliases. A commandname is a fully qualified filename which may
include shell-style wildcards (see the Wildcards section below). A
simple filename allows the user to run the command with any arguments
+
+
+
+1.7.2 June 23, 2009 3
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
he/she wishes. However, you may also specify command line arguments
(including wildcards). Alternately, you can specify "" to indicate
that the command may only be run w\bwi\bit\bth\bho\bou\but\bt command line arguments. A
to permit a user to run s\bsu\bud\bdo\bo with the -\b-e\be option (or as s\bsu\bud\bdo\boe\bed\bdi\bit\bt). It
may take command line arguments just as a normal command does.
-
-
-
-
-
-
-1.7.2 June 11, 2009 3
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
D\bDe\bef\bfa\bau\bul\blt\bts\bs
Certain configuration options may be changed from their default values
not exist in a list.
Defaults entries are parsed in the following order: generic, host and
- user Defaults first, then runas Defaults and finally command defaults.
- See "SUDOERS OPTIONS" for a list of supported Defaults parameters.
- U\bUs\bse\ber\br S\bSp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn
- User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
- (':' Host_List '=' Cmnd_Spec_List)*
+1.7.2 June 23, 2009 4
- Cmnd_Spec_List ::= Cmnd_Spec |
- Cmnd_Spec ',' Cmnd_Spec_List
- Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
- Runas_Spec ::= '(' Runas_List? (: Runas_List)? ')'
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-1.7.2 June 11, 2009 4
+ user Defaults first, then runas Defaults and finally command defaults.
+ See "SUDOERS OPTIONS" for a list of supported Defaults parameters.
+ U\bUs\bse\ber\br S\bSp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn
+ User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
+ (':' Host_List '=' Cmnd_Spec_List)*
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ Cmnd_Spec_List ::= Cmnd_Spec |
+ Cmnd_Spec ',' Cmnd_Spec_List
+ Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
+ Runas_Spec ::= '(' Runas_List? (: Runas_List)? ')'
Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
'SETENV:' | 'NOSETENV:' )
It is also possible to override a Runas_Spec later on in an entry. If
we modify the entry like so:
+
+
+1.7.2 June 23, 2009 5
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
Then user d\bdg\bgb\bb is now allowed to run _\b/_\bb_\bi_\bn_\b/_\bl_\bs as o\bop\bpe\ber\bra\bat\bto\bor\br, but _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl
device file with the dialer group. Note that in this example only the
group will be set, the command still runs as user t\btc\bcm\bm.
-
-
-1.7.2 June 11, 2009 5
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
/usr/local/bin/minicom
_\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC
- If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the underlying
- operating system supports it, the NOEXEC tag can be used to prevent a
- dynamically-linked executable from running further commands itself.
-
- In the following example, user a\baa\bar\bro\bon\bn may run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and
- _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi but shell escapes will be disabled.
- aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
- See the "PREVENTING SHELL ESCAPES" section below for more details on
- how NOEXEC works and whether or not it will work on your system.
+1.7.2 June 23, 2009 6
- _\bS_\bE_\bT_\bE_\bN_\bV _\ba_\bn_\bd _\bN_\bO_\bS_\bE_\bT_\bE_\bN_\bV
-1.7.2 June 11, 2009 6
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the underlying
+ operating system supports it, the NOEXEC tag can be used to prevent a
+ dynamically-linked executable from running further commands itself.
+ In the following example, user a\baa\bar\bro\bon\bn may run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and
+ _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi but shell escapes will be disabled.
+ aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ See the "PREVENTING SHELL ESCAPES" section below for more details on
+ how NOEXEC works and whether or not it will work on your system.
+ _\bS_\bE_\bT_\bE_\bN_\bV _\ba_\bn_\bd _\bN_\bO_\bS_\bE_\bT_\bE_\bN_\bV
These tags override the value of the _\bs_\be_\bt_\be_\bn_\bv option on a per-command
basis. Note that if SETENV has been set for a command, any environment
/usr/bin/*
- match _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bw_\bh_\bo but not _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bX_\b1_\b1_\b/_\bx_\bt_\be_\br_\bm.
- E\bEx\bxc\bce\bep\bpt\bti\bio\bon\bns\bs t\bto\bo w\bwi\bil\bld\bdc\bca\bar\brd\bd r\bru\bul\ble\bes\bs
- The following exceptions apply to the above rules:
- "" If the empty string "" is the only command line argument in the
- _\bs_\bu_\bd_\bo_\be_\br_\bs entry it means that command is not allowed to be run
- with a\ban\bny\by arguments.
+1.7.2 June 23, 2009 7
- I\bIn\bnc\bcl\blu\bud\bdi\bin\bng\bg o\bot\bth\bhe\ber\br f\bfi\bil\ble\bes\bs f\bfr\bro\bom\bm w\bwi\bit\bth\bhi\bin\bn s\bsu\bud\bdo\boe\ber\brs\bs
- It is possible to include other _\bs_\bu_\bd_\bo_\be_\br_\bs files from within the _\bs_\bu_\bd_\bo_\be_\br_\bs
- file currently being parsed using the #include and #includedir
-1.7.2 June 11, 2009 7
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ match _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bw_\bh_\bo but not _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bX_\b1_\b1_\b/_\bx_\bt_\be_\br_\bm.
+ E\bEx\bxc\bce\bep\bpt\bti\bio\bon\bns\bs t\bto\bo w\bwi\bil\bld\bdc\bca\bar\brd\bd r\bru\bul\ble\bes\bs
+ The following exceptions apply to the above rules:
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ "" If the empty string "" is the only command line argument in the
+ _\bs_\bu_\bd_\bo_\be_\br_\bs entry it means that command is not allowed to be run
+ with a\ban\bny\by arguments.
+ I\bIn\bnc\bcl\blu\bud\bdi\bin\bng\bg o\bot\bth\bhe\ber\br f\bfi\bil\ble\bes\bs f\bfr\bro\bom\bm w\bwi\bit\bth\bhi\bin\bn s\bsu\bud\bdo\boe\ber\brs\bs
+ It is possible to include other _\bs_\bu_\bd_\bo_\be_\br_\bs files from within the _\bs_\bu_\bd_\bo_\be_\br_\bs
+ file currently being parsed using the #include and #includedir
directives.
This can be used, for example, to keep a site-wide _\bs_\bu_\bd_\bo_\be_\br_\bs file in
in the file names can be used to avoid such problems.
Note that unlike files included via #include, v\bvi\bis\bsu\bud\bdo\bo will not edit the
+
+
+
+1.7.2 June 23, 2009 8
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
files in a #includedir directory unless one of them contains a syntax
error. It is still possible to run v\bvi\bis\bsu\bud\bdo\bo with the -f flag to edit the
files directly.
The reserved word A\bAL\bLL\bL is a built-in _\ba_\bl_\bi_\ba_\bs that always causes a match to
succeed. It can be used wherever one might otherwise use a Cmnd_Alias,
-
-
-
-1.7.2 June 11, 2009 8
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
User_Alias, Runas_Alias, or Host_Alias. You should not try to define
your own _\ba_\bl_\bi_\ba_\bs called A\bAL\bLL\bL as the built-in alias will be used in
preference to your own. Please note that using A\bAL\bLL\bL can be dangerous
the PASSWD and NOPASSWD tags. This flag is _\bo_\bn by
default.
+
+
+1.7.2 June 23, 2009 9
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
closefrom_override
If set, the user may use s\bsu\bud\bdo\bo's -\b-C\bC option which
overrides the default starting point at which s\bsu\bud\bdo\bo
arbitrary command as root without logging. A safer
alternative is to place a colon-separated list of
editors in the editor variable. v\bvi\bis\bsu\bud\bdo\bo will then only
-
-
-
-1.7.2 June 11, 2009 9
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
use the EDITOR or VISUAL if they match a value
specified in editor. This flag is _\bo_\bf_\bf by default.
operators who would attempt to add roles to
_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. When this option is present,
_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs does not even need to exist. Since this
+
+
+
+1.7.2 June 23, 2009 10
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
option tells s\bsu\bud\bdo\bo how to behave when no specific LDAP
entries have been matched, this sudoOption is only
meaningful for the cn=defaults section. This flag is
log_year If set, the four-digit year will be logged in the (non-
syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
-
-
-1.7.2 June 11, 2009 10
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
long_otp_prompt When validating with a One Time Password (OPT) scheme
such as S\bS/\b/K\bKe\bey\by or O\bOP\bPI\bIE\bE, a two-line prompt is used to
make it easier to cut and paste the challenge to a
sites may wish to disable this as it could be used to
gather information on the location of executables that
the normal user does not have access to. The
+
+
+
+1.7.2 June 23, 2009 11
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
disadvantage is that if the executable is simply not in
the user's PATH, s\bsu\bud\bdo\bo will tell the user that they are
not allowed to run it, which can be confusing. This
preserve_groups By default, s\bsu\bud\bdo\bo will initialize the group vector to
the list of groups the target user is in. When
-
-
-
-1.7.2 June 11, 2009 11
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
_\bp_\br_\be_\bs_\be_\br_\bv_\be_\b__\bg_\br_\bo_\bu_\bp_\bs is set, the user's existing group
vector is left unaltered. The real and effective group
IDs, however, are still set to match the target user.
flag is _\bo_\bf_\bf by default.
set_home If set and s\bsu\bud\bdo\bo is invoked with the -\b-s\bs option the HOME
+
+
+
+1.7.2 June 23, 2009 12
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
environment variable will be set to the home directory
of the target user (which is root unless the -\b-u\bu option
is used). This effectively makes the -\b-s\bs option imply
This can be done by negating the set_logname option.
Note that if the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option has not been
disabled, entries in the _\be_\bn_\bv_\b__\bk_\be_\be_\bp list will override
-
-
-
-1.7.2 June 11, 2009 12
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
the value of _\bs_\be_\bt_\b__\bl_\bo_\bg_\bn_\ba_\bm_\be. This flag is _\bo_\bf_\bf by default.
setenv Allow the user to disable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option from the
with either the _\bs_\be_\bt_\br_\be_\bu_\bi_\bd_\b(_\b) or _\bs_\be_\bt_\br_\be_\bs_\bu_\bi_\bd_\b(_\b) function.
This flag is _\bo_\bf_\bf by default.
+
+
+
+1.7.2 June 23, 2009 13
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
targetpw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
specified by the -\b-u\bu option (defaults to root) instead
of the password of the invoking user. Note that this
user is logged in on in that directory. This flag is
_\bo_\bf_\bf by default.
-
-
-
-1.7.2 June 11, 2009 13
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
umask_override If set, s\bsu\bud\bdo\bo will set the umask as specified by _\bs_\bu_\bd_\bo_\be_\br_\bs
without modification. This makes it possible to
specify a more permissive umask in _\bs_\bu_\bd_\bo_\be_\br_\bs than the
value is used to decide when to wrap lines for nicer
log files. This has no effect on the syslog log file,
only the file log. The default is 80 (use 0 or negate
+
+
+
+1.7.2 June 23, 2009 14
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
the option to disable word wrap).
passwd_timeout Number of minutes before the s\bsu\bud\bdo\bo password prompt times
their own timestamps via sudo -v and sudo -k
respectively.
-
-
-1.7.2 June 11, 2009 14
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
umask Umask to use when running the command. Negate this
option or set it to 0777 to preserve the user's umask.
The actual umask that is used will be the union of the
escapes are supported:
%H expanded to the local hostname including the domain
- name (on if the machine's hostname is fully
- qualified or the _\bf_\bq_\bd_\bn option is set)
- %h expanded to the local hostname without the domain
- name
- %p expanded to the user whose password is being asked
- for (respects the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and _\br_\bu_\bn_\ba_\bs_\bp_\bw
- flags in _\bs_\bu_\bd_\bo_\be_\br_\bs)
- %U expanded to the login name of the user the command
- will be run as (defaults to root)
+1.7.2 June 23, 2009 15
- %u expanded to the invoking user's login name
-1.7.2 June 11, 2009 15
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ name (on if the machine's hostname is fully
+ qualified or the _\bf_\bq_\bd_\bn option is set)
+ %h expanded to the local hostname without the domain
+ name
+ %p expanded to the user whose password is being asked
+ for (respects the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and _\br_\bu_\bn_\ba_\bs_\bp_\bw
+ flags in _\bs_\bu_\bd_\bo_\be_\br_\bs)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ %U expanded to the login name of the user the command
+ will be run as (defaults to root)
+ %u expanded to the invoking user's login name
%% two consecutive % characters are collapsed into a
single % character
variable.
env_file The _\be_\bn_\bv_\b__\bf_\bi_\bl_\be options specifies the fully qualified path to
- a file containing variables to be set in the environment of
- the program being run. Entries in this file should be of
- the form VARIABLE=value. Variables in this file are
- subject to other s\bsu\bud\bdo\bo environment settings such as _\be_\bn_\bv_\b__\bk_\be_\be_\bp
- and _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk.
- exempt_group
- Users in this group are exempt from password and PATH
- requirements. This is not set by default.
- lecture This option controls when a short lecture will be printed
- along with the password prompt. It has the following
- possible values:
- always Always lecture the user.
+1.7.2 June 23, 2009 16
-1.7.2 June 11, 2009 16
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ a file containing variables to be set in the environment of
+ the program being run. Entries in this file should either
+ be of the form VARIABLE=value or export VARIABLE=value.
+ The value may optionally be surrounded by single or double
+ quotes. Variables in this file are subject to other s\bsu\bud\bdo\bo
+ environment settings such as _\be_\bn_\bv_\b__\bk_\be_\be_\bp and _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ exempt_group
+ Users in this group are exempt from password and PATH
+ requirements. This is not set by default.
+
+ lecture This option controls when a short lecture will be printed
+ along with the password prompt. It has the following
+ possible values:
+ always Always lecture the user.
never Never lecture the user.
logfile Path to the s\bsu\bud\bdo\bo log file (not the syslog log file).
Setting a path turns on logging to a file; negating this
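Review bot: the new env_file wording ("either be of the form VARIABLE=value or export VARIABLE=value" and "The value may optionally be surrounded by single or double quotes") does not say what happens to a line with unbalanced quotes or no '=' at all; because the file is applied on every sudo invocation, a silently skipped or partially applied entry is easy to miss, so one sentence stating the parser's behaviour for non-matching lines would close the gap. It would also help to state whether the quotes are stripped from the value and whether whitespace inside them is preserved, since a value containing spaces is the usual reason to quote it.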
+
+
+
+1.7.2 June 23, 2009 17
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
option turns it off. By default, s\bsu\bud\bdo\bo logs via syslog.
mailerflags Flags to use when invoking mailer. Defaults to -\b-t\bt.
s\bsu\bud\bdo\bo interpreting the @ sign. Defaults to root.
secure_path Path used for every command run from s\bsu\bud\bdo\bo. If you don't
-
-
-
-1.7.2 June 11, 2009 17
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
trust the people running s\bsu\bud\bdo\bo to have a sane PATH
environment variable you may want to use this. Another use
is if you want to have the "root path" be separate from the
env_check Environment variables to be removed from the user's
environment if the variable's value contains % or /
characters. This can be used to guard against printf-
+
+
+
+1.7.2 June 23, 2009 18
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
style format vulnerabilities in poorly-written
programs. The argument may be a double-quoted, space-
separated list or a single value without double-quotes.
is run by root with the _\b-_\bV option.
env_delete Environment variables to be removed from the user's
- environment. The argument may be a double-quoted,
- space-separated list or a single value without double-
- quotes. The list can be replaced, added to, deleted
- from, or disabled by using the =, +=, -=, and !
-
-
-
-1.7.2 June 11, 2009 18
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- operators respectively. The default list of
- environment variables to remove is displayed when s\bsu\bud\bdo\bo
- is run by root with the _\b-_\bV option. Note that many
- operating systems will remove potentially dangerous
- variables from the environment of any setuid process
- (such as s\bsu\bud\bdo\bo).
+ environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is not in effect.
+ The argument may be a double-quoted, space-separated
+ list or a single value without double-quotes. The list
+ can be replaced, added to, deleted from, or disabled by
+ using the =, +=, -=, and ! operators respectively. The
+ default list of environment variables to remove is
+ displayed when s\bsu\bud\bdo\bo is run by root with the _\b-_\bV option.
+ Note that many operating systems will remove
+ potentially dangerous variables from the environment of
+ any setuid process (such as s\bsu\bud\bdo\bo).
env_keep Environment variables to be preserved in the user's
environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is in effect.
Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of these are a bit
contrived. First, we define our _\ba_\bl_\bi_\ba_\bs_\be_\bs:
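Review bot: the qualifier added to env_delete, "when the env_reset option is not in effect", is the substantive change here and mirrors the "when the env_reset option is in effect" wording of env_keep directly below it; since the two options are now explicitly complementary, consider adding a matching sentence to the env_reset description so an administrator who enables env_reset does not expect env_delete entries to remove anything further.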
+
+
+
+
+1.7.2 June 23, 2009 19
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
# User alias specification
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
# Runas alias specification
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
+ Runas_Alias ADMINGRP = adm, oper
# Host alias specification
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules
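Review bot: the added `Runas_Alias ADMINGRP = adm, oper` lists group names, unlike OP and DB above it which list users, and the Runas_Alias syntax gives no visual cue for that; a short comment on the line, e.g. `# groups, used as (: ADMINGRP) in a Runas_Spec`, would stop readers from taking adm and oper for user names.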
-
-
-1.7.2 June 11, 2009 19
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
-
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
/usr/sbin/restore, /usr/sbin/rrestore
Defaults!PAGERS noexec
The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually determines who may run
+
+
+
+1.7.2 June 23, 2009 20
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
what.
root ALL = (ALL) ALL
any host but they must authenticate themselves first (since the entry
lacks the NOPASSWD tag).
-
-
-
-1.7.2 June 11, 2009 20
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
jack CSNETS = ALL
The user j\bja\bac\bck\bk may run any command on the machines in the _\bC_\bS_\bN_\bE_\bT_\bS alias
pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
+ %opers ALL = (: ADMINGRP) /usr/sbin/
+
+ Users in the o\bop\bpe\ber\brs\bs group may run commands in _\b/_\bu_\bs_\br_\b/_\bs_\bb_\bi_\bn_\b/ as themselves
+ with any group in the _\bA_\bD_\bM_\bI_\bN_\bG_\bR_\bP Runas_Alias (the a\bad\bdm\bm and o\bop\bpe\ber\br groups).
+
The user p\bpe\bet\bte\be is allowed to change anyone's password except for root on
the _\bH_\bP_\bP_\bA machines. Note that this assumes _\bp_\ba_\bs_\bs_\bw_\bd(1) does not take
multiple usernames on the command line.
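Review bot: the new example `%opers ALL = (: ADMINGRP) /usr/sbin/` and its explanation rely on two constructs none of the neighbouring examples use: the empty user part of the Runas_Spec (the optional first Runas_List in `'(' Runas_List? (: Runas_List)? ')'`), which is what makes "as themselves" true, and a trailing-slash directory in place of a full command path, which is what "commands in /usr/sbin/" means. Suggest the explanation name both, e.g. "Because the user part of the Runas_Spec is empty, the command runs as the invoking user; the trailing slash on /usr/sbin/ grants the commands in that directory rather than a single file", since a whole directory granted together with an elevated group is a broader rule than the single-path examples around it.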
+
+
+1.7.2 June 23, 2009 21
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
bob SPARC = (OP) ALL : SGI = (OP) ALL
The user b\bbo\bob\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI machines as any user
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
-
-
-
-1.7.2 June 11, 2009 21
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
On the _\bA_\bL_\bP_\bH_\bA machines, user j\bjo\boh\bhn\bn may su to anyone except root but he is
not allowed to specify any options to the _\bs_\bu(1) command.
and wim), may run any command as user www (which owns the web pages) or
simply _\bs_\bu(1) to www.
+
+
+
+
+1.7.2 June 23, 2009 22
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
/sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
P\bPR\bRE\bEV\bVE\bEN\bNT\bTI\bIN\bNG\bG S\bSH\bHE\bEL\bLL\bL E\bES\bSC\bCA\bAP\bPE\bES\bS
Once s\bsu\bud\bdo\bo executes a program, that program is free to do whatever it
-
-
-
-1.7.2 June 11, 2009 22
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
pleases, including run other programs. This can be a security issue
since it is not uncommon for a program to allow shell escapes, which
lets a user bypass s\bsu\bud\bdo\bo's access control and logging. Common programs
sudo -V | grep "dummy exec"
+
+
+
+1.7.2 June 23, 2009 23
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
If the resulting output contains a line that begins with:
File containing dummy exec functions:
This allows user a\baa\bar\bro\bon\bn to run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi
with _\bn_\bo_\be_\bx_\be_\bc enabled. This will prevent those two commands
-
-
-
-1.7.2 June 11, 2009 23
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
from executing other commands (such as a shell). If you are
unsure whether or not your system is capable of supporting
_\bn_\bo_\be_\bx_\be_\bc you can always just try it out and see if it works.
S\bSU\bUP\bPP\bPO\bOR\bRT\bT
Limited free support is available via the sudo-users mailing list, see
+
+
+
+1.7.2 June 23, 2009 24
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
the archives.
-1.7.2 June 11, 2009 24
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+1.7.2 June 23, 2009 25
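Review bot: nearly all of the removed and added lines in this patch are footer date and page-number reflow ("1.7.2 June 11, 2009" to "1.7.2 June 23, 2009" plus the repeated SUDOERS(4) headers), and the final added page consists only of padding blank lines before the page-25 footer; suggest reviewing the nroff source diff instead of the formatted output, or regenerating both sides with the same date, so that the substantive changes (nonunix_group, env_file, env_delete, ADMINGRP and the %opers example) can be checked in isolation.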