-1.7.5rc1 February 21, 2011 1
+1.7.6 April 9, 2011 1
User ',' User_List
User ::= '!'* user name |
- '!'* '#'uid |
- '!'* '%'group |
- '!'* '+'netgroup |
- '!'* '%:'nonunix_group |
+ '!'* #uid |
+ '!'* %group |
+ '!'* %#gid |
+ '!'* +netgroup |
+ '!'* %:nonunix_group |
+ '!'* %:#nonunix_gid |
'!'* User_Alias
- A User_List is made up of one or more user names, uids (prefixed with
- '#'), system groups (prefixed with '%'), netgroups (prefixed with '+')
- and User_Aliases. Each list item may be prefixed with zero or more '!'
- operators. An odd number of '!' operators negate the value of the
- item; an even number just cancel each other out.
+ A User_List is made up of one or more user names, user ids (prefixed
+ with '#'), system group names and ids (prefixed with '%' and '%#'
+ respectively), netgroups (prefixed with '+'), non-Unix group names and
+ IDs (prefixed with '%:' and '%:#' respectively) and User_Aliases. Each
+ list item may be prefixed with zero or more '!' operators. An odd
+ number of '!' operators negate the value of the item; an even number
+ just cancel each other out.
- A user name, group, netgroup or nonunix_group may be enclosed in double
- quotes to avoid the need for escaping special characters. Alternately,
- special characters may be specified in escaped hex mode, e.g. \x20 for
- space.
+ A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid
+ may be enclosed in double quotes to avoid the need for escaping special
+ characters. Alternately, special characters may be specified in
+ escaped hex mode, e.g. \x20 for space. When using double quotes, any
+ prefix characters must be included inside the quotes.
- The nonunix_group syntax depends on the underlying implementation. For
- instance, the QAS AD backend supports the following formats:
+ The nonunix_group and nonunix_gid syntax depends on the underlying
+ implementation. For instance, the QAS AD backend supports the
+ following formats:
+\bo Group in the same domain: "Group Name"
+\bo Group SID: "S-1-2-34-5678901234-5678901234-5678901234-567"
- Note that quotes around group names are optional. Unquoted strings
- must use a backslash (\) to escape spaces and the '@' symbol.
-
- Runas_List ::= Runas_Member |
- Runas_Member ',' Runas_List
-
-1.7.5rc1 February 21, 2011 2
+1.7.6 April 9, 2011 2
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ Note that quotes around group names are optional. Unquoted strings
+ must use a backslash (\) to escape spaces and special characters. See
+ "Other special characters and reserved words" for a list of characters
+ that need to be escaped.
+
+ Runas_List ::= Runas_Member |
+ Runas_Member ',' Runas_List
Runas_Member ::= '!'* user name |
- '!'* '#'uid |
- '!'* '%'group |
+ '!'* #uid |
+ '!'* %group |
+ '!'* %#gid |
+ '!'* %:nonunix_group |
+ '!'* %:#nonunix_gid |
'!'* +netgroup |
'!'* Runas_Alias
Host ::= '!'* host name |
'!'* ip_addr |
'!'* network(/netmask)? |
- '!'* '+'netgroup |
+ '!'* +netgroup |
'!'* Host_Alias
A Host_List is made up of one or more host names, IP addresses, network
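Review bot: the new rule at the end of the User_List paragraph ("When using double quotes, any prefix characters must be included inside the quotes") needs an example in the text, because `"#1000"` and `#"1000"` now mean different things and the second form fails to match silently; suggest adding something like `"%#1000"` right after the sentence. The Runas_Member grammar gains the same `%#gid`, `%:nonunix_group` and `%:#nonunix_gid` alternatives, so the Runas_List description should be updated to list them the way the User_List paragraph now does. Also, the moved "Note that quotes around group names are optional" paragraph no longer names '@' and defers to "Other special characters and reserved words"; the '@' entry is dropped from that list later in this patch, so the two stay consistent, but the host-name change from `'+'netgroup` to `+netgroup` is purely notational and should be called out as such in the commit message.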
Cmnd ',' Cmnd_List
commandname ::= file name |
- file name args |
- file name '""'
- Cmnd ::= '!'* commandname |
- '!'* directory |
- '!'* "sudoedit" |
- '!'* Cmnd_Alias
- A Cmnd_List is a list of one or more commandnames, directories, and
- other aliases. A commandname is a fully qualified file name which may
+1.7.6 April 9, 2011 3
-1.7.5rc1 February 21, 2011 3
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ file name args |
+ file name '""'
+ Cmnd ::= '!'* commandname |
+ '!'* directory |
+ '!'* "sudoedit" |
+ '!'* Cmnd_Alias
+ A Cmnd_List is a list of one or more commandnames, directories, and
+ other aliases. A commandname is a fully qualified file name which may
include shell-style wildcards (see the Wildcards section below). A
simple file name allows the user to run the command with any arguments
he/she wishes. However, you may also specify command line arguments
Parameters may be f\bfl\bla\bag\bgs\bs, i\bin\bnt\bte\beg\bge\ber\br values, s\bst\btr\bri\bin\bng\bgs\bs, or l\bli\bis\bst\bts\bs. Flags are
implicitly boolean and can be turned off via the '!' operator. Some
- integer, string and list parameters may also be used in a boolean
- context to disable them. Values may be enclosed in double quotes (")
- when they contain multiple words. Special characters may be escaped
- with a backslash (\).
- Lists have two additional assignment operators, += and -=. These
- operators are used to add to and delete from a list respectively. It
- is not an error to use the -= operator to remove an element that does
- not exist in a list.
+1.7.6 April 9, 2011 4
-1.7.5rc1 February 21, 2011 4
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ integer, string and list parameters may also be used in a boolean
+ context to disable them. Values may be enclosed in double quotes (")
+ when they contain multiple words. Special characters may be escaped
+ with a backslash (\).
+ Lists have two additional assignment operators, += and -=. These
+ operators are used to add to and delete from a list respectively. It
+ is not an error to use the -= operator to remove an element that does
+ not exist in a list.
Defaults entries are parsed in the following order: generic, host and
user Defaults first, then runas Defaults and finally command defaults.
what user) on specified hosts. By default, commands are run as r\bro\boo\bot\bt,
but this can be changed on a per-command basis.
- The basic structure of a user specification is `who = where (as_whom)
+ The basic structure of a user specification is `who where = (as_whom)
what'. Let's break that down into its constituent parts:
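Review bot: the corrected structure `who where = (as_whom) what` now agrees with the worked entry `dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm` shown further down, which the old `who = where (as_whom) what` contradicted; check that the "Let's break that down" list that follows names the parts in this same order.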
R\bRu\bun\bna\bas\bs_\b_S\bSp\bpe\bec\bc
the group set to any listed in the Runas_List. If no Runas_Spec is
specified the command may be run as r\bro\boo\bot\bt and no group may be specified.
- A Runas_Spec sets the default for the commands that follow it. What
- this means is that for the entry:
- dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
- The user d\bdg\bgb\bb may run _\b/_\bb_\bi_\bn_\b/_\bl_\bs, _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm -- but only
- as o\bop\bpe\ber\bra\bat\bto\bor\br. E.g.,
- $ sudo -u operator /bin/ls
+1.7.6 April 9, 2011 5
-1.7.5rc1 February 21, 2011 5
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ A Runas_Spec sets the default for the commands that follow it. What
+ this means is that for the entry:
+ dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ The user d\bdg\bgb\bb may run _\b/_\bb_\bi_\bn_\b/_\bl_\bs, _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm -- but only
+ as o\bop\bpe\ber\bra\bat\bto\bor\br. E.g.,
+ $ sudo -u operator /bin/ls
It is also possible to override a Runas_Spec later on in an entry. If
we modify the entry like so:
user a\bal\bla\ban\bn may run any command as either user root or bin, optionally
setting the group to operator or system.
- S\bSE\bEL\bLi\bin\bnu\bux\bx_\b_S\bSp\bpe\bec\bc
- On systems with SELinux support, _\bs_\bu_\bd_\bo_\be_\br_\bs entries may optionally have an
- SELinux role and/or type associated with a command. If a role or type
- is specified with the command it will override any default values
- specified in _\bs_\bu_\bd_\bo_\be_\br_\bs. A role or type specified on the command line,
- however, will supercede the values in _\bs_\bu_\bd_\bo_\be_\br_\bs.
-
- T\bTa\bag\bg_\b_S\bSp\bpe\bec\bc
- A command may have zero or more tags associated with it. There are
- eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV,
-1.7.5rc1 February 21, 2011 6
+1.7.6 April 9, 2011 6
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ S\bSE\bEL\bLi\bin\bnu\bux\bx_\b_S\bSp\bpe\bec\bc
+ On systems with SELinux support, _\bs_\bu_\bd_\bo_\be_\br_\bs entries may optionally have an
+ SELinux role and/or type associated with a command. If a role or type
+ is specified with the command it will override any default values
+ specified in _\bs_\bu_\bd_\bo_\be_\br_\bs. A role or type specified on the command line,
+ however, will supercede the values in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+
+ T\bTa\bag\bg_\b_S\bSp\bpe\bec\bc
+ A command may have zero or more tags associated with it. There are
+ eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV,
NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a
tag is set on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit
the tag unless it is overridden by the opposite tag (i.e.: PASSWD
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
See the "PREVENTING SHELL ESCAPES" section below for more details on
- how NOEXEC works and whether or not it will work on your system.
- _\bS_\bE_\bT_\bE_\bN_\bV _\ba_\bn_\bd _\bN_\bO_\bS_\bE_\bT_\bE_\bN_\bV
- These tags override the value of the _\bs_\be_\bt_\be_\bn_\bv option on a per-command
- basis. Note that if SETENV has been set for a command, any environment
- variables set on the command line way are not subject to the
- restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such,
- only trusted users should be allowed to set variables in this manner.
- If the command matched is A\bAL\bLL\bL, the SETENV tag is implied for that
+1.7.6 April 9, 2011 7
-1.7.5rc1 February 21, 2011 7
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ how NOEXEC works and whether or not it will work on your system.
+ _\bS_\bE_\bT_\bE_\bN_\bV _\ba_\bn_\bd _\bN_\bO_\bS_\bE_\bT_\bE_\bN_\bV
- command; this default may be overridden by use of the NOSETENV tag.
+ These tags override the value of the _\bs_\be_\bt_\be_\bn_\bv option on a per-command
+ basis. Note that if SETENV has been set for a command, the user may
+ disable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option from the command line via the -\b-E\bE option.
+ Additionally, environment variables set on the command line are not
+ subject to the restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or
+ _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such, only trusted users should be allowed to set
+ variables in this manner. If the command matched is A\bAL\bLL\bL, the SETENV
+ tag is implied for that command; this default may be overridden by use
+ of the NOSETENV tag.
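Review bot: the new sentence that SETENV lets the user disable env_reset via `-E` is placed before the existing statement that command-line variables bypass env_check, env_delete and env_keep, but the two are not tied together; suggest one closing sentence making explicit that a SETENV rule (or an implied one from a command of ALL) therefore hands the command whatever environment the invoking user chooses, which is the reason for the "only trusted users" caveat. The old wording "set on the command line way are not" is also fixed here, which the commit message should mention.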
_\bL_\bO_\bG_\b__\bI_\bN_\bP_\bU_\bT _\ba_\bn_\bd _\bN_\bO_\bL_\bO_\bG_\b__\bI_\bN_\bP_\bU_\bT
in the path name. When matching the command line arguments, however, a
slash d\bdo\boe\bes\bs get matched by wildcards. This is to make a path like:
- /usr/bin/*
-
- match _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bw_\bh_\bo but not _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bX_\b1_\b1_\b/_\bx_\bt_\be_\br_\bm.
- E\bEx\bxc\bce\bep\bpt\bti\bio\bon\bns\bs t\bto\bo w\bwi\bil\bld\bdc\bca\bar\brd\bd r\bru\bul\ble\bes\bs
- The following exceptions apply to the above rules:
- "" If the empty string "" is the only command line argument in the
- _\bs_\bu_\bd_\bo_\be_\br_\bs entry it means that command is not allowed to be run
- with a\ban\bny\by arguments.
+1.7.6 April 9, 2011 8
-1.7.5rc1 February 21, 2011 8
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ /usr/bin/*
+ match _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bw_\bh_\bo but not _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bX_\b1_\b1_\b/_\bx_\bt_\be_\br_\bm.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ E\bEx\bxc\bce\bep\bpt\bti\bio\bon\bns\bs t\bto\bo w\bwi\bil\bld\bdc\bca\bar\brd\bd r\bru\bul\ble\bes\bs
+ The following exceptions apply to the above rules:
+ "" If the empty string "" is the only command line argument in the
+ _\bs_\bu_\bd_\bo_\be_\br_\bs entry it means that command is not allowed to be run
+ with a\ban\bny\by arguments.
I\bIn\bnc\bcl\blu\bud\bdi\bin\bng\bg o\bot\bth\bhe\ber\br f\bfi\bil\ble\bes\bs f\bfr\bro\bom\bm w\bwi\bit\bth\bhi\bin\bn s\bsu\bud\bdo\boe\ber\brs\bs
It is possible to include other _\bs_\bu_\bd_\bo_\be_\br_\bs files from within the _\bs_\bu_\bd_\bo_\be_\br_\bs
in the file names can be used to avoid such problems.
Note that unlike files included via #include, v\bvi\bis\bsu\bud\bdo\bo will not edit the
- files in a #includedir directory unless one of them contains a syntax
- error. It is still possible to run v\bvi\bis\bsu\bud\bdo\bo with the -f flag to edit the
- files directly.
- O\bOt\bth\bhe\ber\br s\bsp\bpe\bec\bci\bia\bal\bl c\bch\bha\bar\bra\bac\bct\bte\ber\brs\bs a\ban\bnd\bd r\bre\bes\bse\ber\brv\bve\bed\bd w\bwo\bor\brd\bds\bs
- The pound sign ('#') is used to indicate a comment (unless it is part
- of a #include directive or unless it occurs in the context of a user
- name and is followed by one or more digits, in which case it is treated
- as a uid). Both the comment character and any text after it, up to the
- end of the line, are ignored.
+1.7.6 April 9, 2011 9
-1.7.5rc1 February 21, 2011 9
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ files in a #includedir directory unless one of them contains a syntax
+ error. It is still possible to run v\bvi\bis\bsu\bud\bdo\bo with the -f flag to edit the
+ files directly.
+ O\bOt\bth\bhe\ber\br s\bsp\bpe\bec\bci\bia\bal\bl c\bch\bha\bar\bra\bac\bct\bte\ber\brs\bs a\ban\bnd\bd r\bre\bes\bse\ber\brv\bve\bed\bd w\bwo\bor\brd\bds\bs
+ The pound sign ('#') is used to indicate a comment (unless it is part
+ of a #include directive or unless it occurs in the context of a user
+ name and is followed by one or more digits, in which case it is treated
+ as a uid). Both the comment character and any text after it, up to the
+ end of the line, are ignored.
The reserved word A\bAL\bLL\bL is a built-in _\ba_\bl_\bi_\ba_\bs that always causes a match to
succeed. It can be used wherever one might otherwise use a Cmnd_Alias,
characters in a _\bU_\bs_\be_\br _\bS_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn ('=', ':', '(', ')') is optional.
The following characters must be escaped with a backslash ('\') when
- used as part of a word (e.g. a user name or host name): '@', '!', '=',
- ':', ',', '(', ')', '\'.
+ used as part of a word (e.g. a user name or host name): '!', '=', ':',
+ ',', '(', ')', '\'.
S\bSU\bUD\bDO\bOE\bER\bRS\bS O\bOP\bPT\bTI\bIO\bON\bNS\bS
s\bsu\bud\bdo\bo's behavior can be modified by Default_Entry lines, as explained
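Review bot: dropping '@' from the list of characters that must be escaped changes what the parser accepts, not only the documentation, so this hunk should correspond to a parser change in the same release and the earlier "Unquoted strings must use a backslash" paragraph (which previously named '@' explicitly) now defers to this list; if '@' still carries meaning anywhere in the grammar, that exception belongs in this sentence rather than being left implicit.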
authenticate If set, users must authenticate themselves via a
password (or other means of authentication) before they
- may run commands. This default may be overridden via
- the PASSWD and NOPASSWD tags. This flag is _\bo_\bn by
- default.
- closefrom_override
- If set, the user may use s\bsu\bud\bdo\bo's -\b-C\bC option which
- overrides the default starting point at which s\bsu\bud\bdo\bo
- begins closing open file descriptors. This flag is _\bo_\bf_\bf
- by default.
- compress_io If set, and s\bsu\bud\bdo\bo is configured to log a command's input
+1.7.6 April 9, 2011 10
-1.7.5rc1 February 21, 2011 10
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ may run commands. This default may be overridden via
+ the PASSWD and NOPASSWD tags. This flag is _\bo_\bn by
+ default.
+ closefrom_override
+ If set, the user may use s\bsu\bud\bdo\bo's -\b-C\bC option which
+ overrides the default starting point at which s\bsu\bud\bdo\bo
+ begins closing open file descriptors. This flag is _\bo_\bf_\bf
+ by default.
+ compress_io If set, and s\bsu\bud\bdo\bo is configured to log a command's input
or output, the I/O logs will be compressed using z\bzl\bli\bib\bb.
This flag is _\bo_\bn by default when s\bsu\bud\bdo\bo is compiled with
z\bzl\bli\bib\bb support.
flag is _\bo_\bf_\bf by default.
fqdn Set this flag if you want to put fully qualified host
- names in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. I.e., instead of myhost you
- would use myhost.mydomain.edu. You may still use the
- short form if you wish (and even mix the two). Beware
- that turning on _\bf_\bq_\bd_\bn requires s\bsu\bud\bdo\bo to make DNS lookups
- which may make s\bsu\bud\bdo\bo unusable if DNS stops working (for
- example if the machine is not plugged into the
- network). Also note that you must use the host's
- official name as DNS knows it. That is, you may not
- use a host alias (CNAME entry) due to performance
- issues and the fact that there is no way to get all
- aliases from DNS. If your machine's host name (as
-1.7.5rc1 February 21, 2011 11
+1.7.6 April 9, 2011 11
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ names in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. I.e., instead of myhost you
+ would use myhost.mydomain.edu. You may still use the
+ short form if you wish (and even mix the two). Beware
+ that turning on _\bf_\bq_\bd_\bn requires s\bsu\bud\bdo\bo to make DNS lookups
+ which may make s\bsu\bud\bdo\bo unusable if DNS stops working (for
+ example if the machine is not plugged into the
+ network). Also note that you must use the host's
+ official name as DNS knows it. That is, you may not
+ use a host alias (CNAME entry) due to performance
+ issues and the fact that there is no way to get all
+ aliases from DNS. If your machine's host name (as
returned by the hostname command) is already fully
qualified you shouldn't need to set _\bf_\bq_\bd_\bn. This flag is
_\bo_\bf_\bf by default.
log_host If set, the host name will be logged in the (non-
syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
+ log_input If set, s\bsu\bud\bdo\bo will run the command in a _\bp_\bs_\be_\bu_\bd_\bo _\bt_\bt_\by and
+ log all user input. If the standard input is not
+ connected to the user's tty, due to I/O redirection or
+ because the command is part of a pipeline, that input
+ is also captured and stored in a separate log file.
+
+ Input is logged to the directory specified by the
+ _\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br option (_\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo by default) using a
+ unique session ID that is included in the normal s\bsu\bud\bdo\bo
+ log line, prefixed with _\bT_\bS_\bI_\bD_\b=.
+
+ Note that user input may contain sensitive information
+ such as passwords (even if they are not echoed to the
+ screen), which will be stored in the log file
+ unencrypted. In most cases, logging the command output
+ via _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt is all that is required.
+
+
+
+1.7.6 April 9, 2011 12
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
+ log_output If set, s\bsu\bud\bdo\bo will run the command in a _\bp_\bs_\be_\bu_\bd_\bo _\bt_\bt_\by and
+ log all output that is sent to the screen, similar to
+ the _\bs_\bc_\br_\bi_\bp_\bt(1) command. If the standard output or
+ standard error is not connected to the user's tty, due
+ to I/O redirection or because the command is part of a
+ pipeline, that output is also captured and stored in
+ separate log files.
+
+ Output is logged to the directory specified by the
+ _\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br option (_\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo by default) using a
+ unique session ID that is included in the normal s\bsu\bud\bdo\bo
+ log line, prefixed with _\bT_\bS_\bI_\bD_\b=.
+
+ Output logs may be viewed with the _\bs_\bu_\bd_\bo_\br_\be_\bp_\bl_\ba_\by(1m)
+ utility, which can also be used to list or search the
+ available logs.
+
log_year If set, the four-digit year will be logged in the (non-
syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
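Review bot: the relocated log_input and log_output entries now point at the `iolog_dir` option instead of the fixed path `/var/log/sudo-io`, so confirm `iolog_dir` is documented in the Strings section of this page and reconcile the FILES section, which still lists `/var/log/sudo-io I/O log files` as if the path were fixed. The added paragraph that input logs store unechoed passwords unencrypted and that `log_output` is usually sufficient is the right caveat to attach to `log_input`. The `-` block removing log_input and log_output after the targetpw entry further down is the other half of this move; nothing is lost, and the entries now sit in alphabetical order.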
entry or is explicitly denied. This flag is _\bo_\bf_\bf by
default.
+ mail_no_user If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
+ invoking user is not in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. This flag is
+ _\bo_\bn by default.
+ noexec If set, all commands run via s\bsu\bud\bdo\bo will behave as if the
+ NOEXEC tag has been set, unless overridden by a EXEC
+ tag. See the description of _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC below as
+ well as the "PREVENTING SHELL ESCAPES" section at the
+ end of this manual. This flag is _\bo_\bf_\bf by default.
-1.7.5rc1 February 21, 2011 12
+1.7.6 April 9, 2011 13
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- mail_no_user If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
- invoking user is not in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. This flag is
- _\bo_\bn by default.
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- noexec If set, all commands run via s\bsu\bud\bdo\bo will behave as if the
- NOEXEC tag has been set, unless overridden by a EXEC
- tag. See the description of _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC below as
- well as the "PREVENTING SHELL ESCAPES" section at the
- end of this manual. This flag is _\bo_\bf_\bf by default.
path_info Normally, s\bsu\bud\bdo\bo will tell the user when a command could
not be found in their PATH environment variable. Some
this prevents users from "chaining" s\bsu\bud\bdo\bo commands to
get a root shell by doing something like "sudo sudo
/bin/sh". Note, however, that turning off _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo
+ will also prevent root from running s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
+ Disabling _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo provides no real additional
+ security; it exists purely for historical reasons.
+ This flag is _\bo_\bn by default.
+ rootpw If set, s\bsu\bud\bdo\bo will prompt for the root password instead
+ of the password of the invoking user. This flag is _\bo_\bf_\bf
+ by default.
+ runaspw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
-1.7.5rc1 February 21, 2011 13
+1.7.6 April 9, 2011 14
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- will also prevent root from running s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
- Disabling _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo provides no real additional
- security; it exists purely for historical reasons.
- This flag is _\bo_\bn by default.
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- rootpw If set, s\bsu\bud\bdo\bo will prompt for the root password instead
- of the password of the invoking user. This flag is _\bo_\bf_\bf
- by default.
- runaspw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
defined by the _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt option (defaults to root)
instead of the password of the invoking user. This
flag is _\bo_\bf_\bf by default.
effective UIDs are set to the target user (root by
default). This option changes that behavior such that
the real UID is left as the invoking user's UID. In
+ other words, this makes s\bsu\bud\bdo\bo act as a setuid wrapper.
+ This can be useful on systems that disable some
+ potentially dangerous functionality when a program is
+ run setuid. This option is only effective on systems
+ with either the _\bs_\be_\bt_\br_\be_\bu_\bi_\bd_\b(_\b) or _\bs_\be_\bt_\br_\be_\bs_\bu_\bi_\bd_\b(_\b) function.
+ This flag is _\bo_\bf_\bf by default.
+
+ targetpw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
+ specified by the -\b-u\bu option (defaults to root) instead
+ of the password of the invoking user. In addition, the
-1.7.5rc1 February 21, 2011 14
+1.7.6 April 9, 2011 15
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- other words, this makes s\bsu\bud\bdo\bo act as a setuid wrapper.
- This can be useful on systems that disable some
- potentially dangerous functionality when a program is
- run setuid. This option is only effective on systems
- with either the _\bs_\be_\bt_\br_\be_\bu_\bi_\bd_\b(_\b) or _\bs_\be_\bt_\br_\be_\bs_\bu_\bi_\bd_\b(_\b) function.
- This flag is _\bo_\bf_\bf by default.
-
- targetpw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
- specified by the -\b-u\bu option (defaults to root) instead
- of the password of the invoking user. In addition, the
timestamp file name will include the target user's
name. Note that this flag precludes the use of a uid
not listed in the passwd database as an argument to the
-\b-u\bu option. This flag is _\bo_\bf_\bf by default.
- log_input If set, s\bsu\bud\bdo\bo will run the command in a _\bp_\bs_\be_\bu_\bd_\bo _\bt_\bt_\by and
- log all user input. If the standard input is not
- connected to the user's tty, due to I/O redirection or
- because the command is part of a pipeline, that input
- is also captured and stored in a separate log file.
-
- Input is logged to the _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo directory using
- a unique session ID that is included in the normal s\bsu\bud\bdo\bo
- log line, prefixed with _\bT_\bS_\bI_\bD_\b=.
-
- log_output If set, s\bsu\bud\bdo\bo will run the command in a _\bp_\bs_\be_\bu_\bd_\bo _\bt_\bt_\by and
- log all output that is sent to the screen, similar to
- the _\bs_\bc_\br_\bi_\bp_\bt(1) command. If the standard output or
- standard error is not connected to the user's tty, due
- to I/O redirection or because the command is part of a
- pipeline, that output is also captured and stored in
- separate log files.
-
- Output is logged to the _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo directory
- using a unique session ID that is included in the
- normal s\bsu\bud\bdo\bo log line, prefixed with _\bT_\bS_\bI_\bD_\b=.
-
- Output logs may be viewed with the _\bs_\bu_\bd_\bo_\br_\be_\bp_\bl_\ba_\by(1m)
- utility, which can also be used to list or search the
- available logs.
-
tty_tickets If set, users must authenticate on a per-tty basis.
With this flag enabled, s\bsu\bud\bdo\bo will use a file named for
the tty the user is logged in on in the user's time
be the union of the user's umask and what is specified
in _\bs_\bu_\bd_\bo_\be_\br_\bs. This flag is _\bo_\bf_\bf by default.
-
-
-1.7.5rc1 February 21, 2011 15
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
use_loginclass If set, s\bsu\bud\bdo\bo will apply the defaults specified for the
target user's login class if one exists. Only
available if s\bsu\bud\bdo\bo is configured with the
I\bIn\bnt\bte\beg\bge\ber\brs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
+
+
+
+1.7.6 April 9, 2011 16
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
loglinelen Number of characters per line for the file log. This
value is used to decide when to wrap lines for nicer
log files. This has no effect on the syslog log file,
this to 0 to always prompt for a password. If set to a
value less than 0 the user's timestamp will never
expire. This can be used to allow users to create or
-
-
-
-1.7.5rc1 February 21, 2011 16
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
delete their own timestamps via sudo -v and sudo -k
respectively.
Default is *** SECURITY information for %h ***.
noexec_file Path to a shared library containing dummy versions of
+
+
+
+1.7.6 April 9, 2011 17
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
the _\be_\bx_\be_\bc_\bv_\b(_\b), _\be_\bx_\be_\bc_\bv_\be_\b(_\b) and _\bf_\be_\bx_\be_\bc_\bv_\be_\b(_\b) library functions
that just return an error. This is used to implement
the _\bn_\bo_\be_\bx_\be_\bc functionality on systems that support
name
%p expanded to the user whose password is being asked
-
-
-
-1.7.5rc1 February 21, 2011 17
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
for (respects the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and _\br_\bu_\bn_\ba_\bs_\bp_\bw
flags in _\bs_\bu_\bd_\bo_\be_\br_\bs)
locale may affect how sudoers is interpreted. Defaults
to "C".
+
+
+
+1.7.6 April 9, 2011 18
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
timestampdir The directory in which s\bsu\bud\bdo\bo stores its timestamp files.
The default is _\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo.
terminal is available. This may be the case when s\bsu\bud\bdo\bo is
executed from a graphical (as opposed to text-based)
application. The program specified by _\ba_\bs_\bk_\bp_\ba_\bs_\bs should
-
-
-
-1.7.5rc1 February 21, 2011 18
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
display the argument passed to it as the prompt and write
the user's password to the standard output. The value of
_\ba_\bs_\bk_\bp_\ba_\bs_\bs may be overridden by the SUDO_ASKPASS environment
will be used in place of the standard lecture if the named
file exists. By default, s\bsu\bud\bdo\bo uses a built-in lecture.
+
+
+1.7.6 April 9, 2011 19
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
listpw This option controls when a password will be required when
a user runs s\bsu\bud\bdo\bo with the -\b-l\bl option. It has the following
possible values:
never The user need never enter a password to use the -\b-l\bl
option.
-
-
-
-1.7.5rc1 February 21, 2011 19
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
If no value is specified, a value of _\ba_\bn_\by is implied.
Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
The default value is _\ba_\bn_\by.
a user runs s\bsu\bud\bdo\bo with the -\b-v\bv option. It has the following
possible values:
+
+
+1.7.6 April 9, 2011 20
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the current host
must have the NOPASSWD flag set to avoid entering a
password.
Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
The default value is _\ba_\bl_\bl.
-
-
-1.7.5rc1 February 21, 2011 20
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
L\bLi\bis\bst\bts\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
env_check Environment variables to be removed from the user's
be a double-quoted, space-separated list or a single
value without double-quotes. The list can be replaced,
added to, deleted from, or disabled by using the =, +=,
+
+
+
+1.7.6 April 9, 2011 21
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
-=, and ! operators respectively. The default list of
variables to keep is displayed when s\bsu\bud\bdo\bo is run by root
with the _\b-_\bV option.
_\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bg_\br_\bo_\bu_\bp List of network groups
-
-
-
-1.7.5rc1 February 21, 2011 21
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
_\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo I/O log files
E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
/usr/sbin/restore, /usr/sbin/rrestore
Cmnd_Alias KILL = /usr/bin/kill
+
+
+
+1.7.6 April 9, 2011 22
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt
Additionally, on the machines in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, we keep an
additional local log file and make sure we log the year in each log
line since the log entries will be kept around for several years.
-
-
-
-1.7.5rc1 February 21, 2011 22
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
Lastly, we disable shell escapes for the commands in the PAGERS
Cmnd_Alias (_\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be, _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bp_\bg and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\be_\bs_\bs).
The user j\bja\bac\bck\bk may run any command on the machines in the _\bC_\bS_\bN_\bE_\bT_\bS alias
(the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of
those networks, only 128.138.204.0 has an explicit netmask (in CIDR
+
+
+
+1.7.6 April 9, 2011 23
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
notation) indicating it is a class C network. For the other networks
in _\bC_\bS_\bN_\bE_\bT_\bS, the local machine's netmask will be used during matching.
joe ALL = /usr/bin/su operator
-
-
-
-1.7.5rc1 February 21, 2011 23
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
The user j\bjo\boe\be may only _\bs_\bu(1) to operator.
pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
+
+
+
+1.7.6 April 9, 2011 24
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
On the _\bA_\bL_\bP_\bH_\bA machines, user j\bjo\boh\bhn\bn may su to anyone except root but he is
not allowed to specify any options to the _\bs_\bu(1) command.
The user s\bst\bte\bev\bve\be may run any command in the directory
/usr/local/op_commands/ but only as user operator.
-
-
-1.7.5rc1 February 21, 2011 24
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
matt valkyrie = KILL
On his personal workstation, valkyrie, m\bma\bat\btt\bt needs to be able to kill
Furthermore, if the _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb option is in use, it is not possible to
reliably negate commands where the path name includes globbing (aka
+
+
+
+1.7.6 April 9, 2011 25
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
wildcard) characters. This is because the C library's _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3)
function cannot resolve relative paths. While this is typically only
an inconvenience for rules that grant privileges, it can result in a
since it is not uncommon for a program to allow shell escapes, which
lets a user bypass s\bsu\bud\bdo\bo's access control and logging. Common programs
that permit shell escapes include shells (obviously), editors,
-
-
-
-1.7.5rc1 February 21, 2011 25
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
paginators, mail and terminal programs.
There are two basic approaches to this problem:
error. Unfortunately, there is no foolproof way to know
whether or not _\bn_\bo_\be_\bx_\be_\bc will work at compile-time. _\bn_\bo_\be_\bx_\be_\bc
should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX,
+
+
+
+1.7.6 April 9, 2011 26
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
MacOS X, and HP-UX 11.x. It is known n\bno\bot\bt to work on AIX and
UnixWare. _\bn_\bo_\be_\bx_\be_\bc is expected to work on most operating
systems that support the LD_PRELOAD environment variable.
unsure whether or not your system is capable of supporting
_\bn_\bo_\be_\bx_\be_\bc you can always just try it out and see if it works.
-
-
-
-1.7.5rc1 February 21, 2011 26
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
Note that restricting shell escapes is not a panacea. Programs running
as root are still capable of many potentially hazardous operations
(such as changing or overwriting files) that could lead to unintended
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-1.7.5rc1 February 21, 2011 27
+1.7.6 April 9, 2011 27
-1.7.5rc1 February 21, 2011 1
+1.7.6 April 9, 2011 1
-1.7.5rc1 February 21, 2011 2
+1.7.6 April 9, 2011 2
-1.7.5rc1 February 21, 2011 3
+1.7.6 April 9, 2011 3
-1.7.5rc1 February 21, 2011 4
+1.7.6 April 9, 2011 4
-1.7.5rc1 February 21, 2011 5
+1.7.6 April 9, 2011 5
example.com. Multiple S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_B\bBA\bAS\bSE\bE lines may be specified, in
which case they are queried in the order specified.
+ S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_S\bSE\bEA\bAR\bRC\bCH\bH_\b_F\bFI\bIL\bLT\bTE\bER\bR ldap_filter
+ An LDAP filter which is used to restrict the set of records
+ returned when performing a s\bsu\bud\bdo\bo LDAP query. Typically, this is of
+ the form attribute=value or
+ (&(attribute=value)(attribute2=value2)).
+
S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD on/true/yes/off/false/no
Whether or not to evaluate the sudoNotBefore and sudoNotAfter
attributes that implement time-dependent sudoers entries.
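Review bot: the SUDOERS_SEARCH_FILTER text does not say how the filter is combined with the sudoUser/sudoHost query sudo already issues against sudoers_base (an AND is the only sensible reading, but say so), nor what happens when the filter is malformed: a lookup that fails closed returns no sudoRole entries, while a filter that is silently ignored widens the result set, and an administrator who relies on the filter to scope roles needs to know which it is. The example ldap.conf later in this patch should also gain a commented-out `#sudoers_search_filter attribute=value` line next to `sudoers_base`, mirroring the placeholder form used in this description, so the new option is discoverable where the other options are shown.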
in a moderate amount of debugging information. A value of 2 shows
the results of the matches themselves. This parameter should not
be set in a production environment as the extra information is
- likely to confuse users.
-
- B\bBI\bIN\bND\bDD\bDN\bN DN
- The B\bBI\bIN\bND\bDD\bDN\bN parameter specifies the identity, in the form of a
- Distinguished Name (DN), to use when performing LDAP operations.
- If not specified, LDAP operations are performed with an anonymous
-1.7.5rc1 February 21, 2011 6
+1.7.6 April 9, 2011 6
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ likely to confuse users.
+
+ B\bBI\bIN\bND\bDD\bDN\bN DN
+ The B\bBI\bIN\bND\bDD\bDN\bN parameter specifies the identity, in the form of a
+ Distinguished Name (DN), to use when performing LDAP operations.
+ If not specified, LDAP operations are performed with an anonymous
identity. By default, most LDAP servers will allow anonymous
access.
T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bT file name
An alias for T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE for OpenLDAP compatibility.
- T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE file name
- The path to a certificate authority bundle which contains the
- certificates for all the Certificate Authorities the client knows
- to be valid, e.g. _\b/_\be_\bt_\bc_\b/_\bs_\bs_\bl_\b/_\bc_\ba_\b-_\bb_\bu_\bn_\bd_\bl_\be_\b._\bp_\be_\bm. This option is only
- supported by the OpenLDAP libraries. Netscape-derived LDAP
- libraries use the same certificate database for CA and client
- certificates (see T\bTL\bLS\bS_\b_C\bCE\bER\bRT\bT).
-1.7.5rc1 February 21, 2011 7
+
+1.7.6 April 9, 2011 7
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE file name
+ The path to a certificate authority bundle which contains the
+ certificates for all the Certificate Authorities the client knows
+ to be valid, e.g. _\b/_\be_\bt_\bc_\b/_\bs_\bs_\bl_\b/_\bc_\ba_\b-_\bb_\bu_\bn_\bd_\bl_\be_\b._\bp_\be_\bm. This option is only
+ supported by the OpenLDAP libraries. Netscape-derived LDAP
+ libraries use the same certificate database for CA and client
+ certificates (see T\bTL\bLS\bS_\b_C\bCE\bER\bRT\bT).
+
T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTD\bDI\bIR\bR directory
Similar to T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE but instead of a file, it is a directory
containing individual Certificate Authority certificates, e.g.
the OpenSSL manual for a list of valid ciphers. This option is
only supported by the OpenLDAP libraries.
- U\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL on/true/yes/off/false/no
- Enable U\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL for LDAP servers that support SASL authentication.
- S\bSA\bAS\bSL\bL_\b_A\bAU\bUT\bTH\bH_\b_I\bID\bD identity
- The SASL user name to use when connecting to the LDAP server. By
- default, s\bsu\bud\bdo\bo will use an anonymous connection.
-
- R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL on/true/yes/off/false/no
- Enable R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL to enable SASL authentication when connecting
-1.7.5rc1 February 21, 2011 8
+1.7.6 April 9, 2011 8
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ U\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL on/true/yes/off/false/no
+ Enable U\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL for LDAP servers that support SASL authentication.
+
+ S\bSA\bAS\bSL\bL_\b_A\bAU\bUT\bTH\bH_\b_I\bID\bD identity
+ The SASL user name to use when connecting to the LDAP server. By
+ default, s\bsu\bud\bdo\bo will use an anonymous connection.
+
+ R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL on/true/yes/off/false/no
+ Enable R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL to enable SASL authentication when connecting
to an LDAP server from a privileged process, such as s\bsu\bud\bdo\bo.
R\bRO\bOO\bOT\bTS\bSA\bAS\bSL\bL_\b_A\bAU\bUT\bTH\bH_\b_I\bID\bD identity
sudoers: files
- Note that _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf is supported even when the underlying
- operating system does not use an nsswitch.conf file.
- C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg n\bne\bet\bts\bsv\bvc\bc.\b.c\bco\bon\bnf\bf
- On AIX systems, the _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf file is consulted instead of
- _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf. s\bsu\bud\bdo\bo simply treats _\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf as a variant of
- _\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf; information in the previous section unrelated to the
- file format itself still applies.
+1.7.6 April 9, 2011 9
-1.7.5rc1 February 21, 2011 9
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ Note that _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf is supported even when the underlying
+ operating system does not use an nsswitch.conf file.
+ C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg n\bne\bet\bts\bsv\bvc\bc.\b.c\bco\bon\bnf\bf
+ On AIX systems, the _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf file is consulted instead of
+ _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf. s\bsu\bud\bdo\bo simply treats _\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf as a variant of
+ _\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf; information in the previous section unrelated to the
+ file format itself still applies.
To consult LDAP first followed by the local sudoers file (if it
exists), use:
#uri ldaps://secureldapserver
#uri ldaps://secureldapserver ldap://ldapserver
#
- # The amount of time, in seconds, to wait while trying to connect to
- # an LDAP server.
- bind_timelimit 30
- #
- # The amount of time, in seconds, to wait while performing an LDAP query.
- timelimit 30
- #
- # Must be set or sudo will ignore LDAP; may be specified multiple times.
- sudoers_base ou=SUDOers,dc=example,dc=com
-1.7.5rc1 February 21, 2011 10
+1.7.6 April 9, 2011 10
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ # The amount of time, in seconds, to wait while trying to connect to
+ # an LDAP server.
+ bind_timelimit 30
+ #
+ # The amount of time, in seconds, to wait while performing an LDAP query.
+ timelimit 30
+ #
+ # Must be set or sudo will ignore LDAP; may be specified multiple times.
+ sudoers_base ou=SUDOers,dc=example,dc=com
#
# verbose sudoers matching from ldap
#sudoers_debug 2
#tls_randfile /etc/egd-pool
#
# You may restrict which ciphers are used. Consult your SSL
- # documentation for which options go here.
- # Only supported when using OpenLDAP.
- #
- #tls_ciphers <cipher-list>
- #
- # Sudo can provide a client certificate when communicating to
- # the LDAP server.
- # Tips:
- # * Enable both lines at the same time.
-1.7.5rc1 February 21, 2011 11
+1.7.6 April 9, 2011 11
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ # documentation for which options go here.
+ # Only supported when using OpenLDAP.
+ #
+ #tls_ciphers <cipher-list>
+ #
+ # Sudo can provide a client certificate when communicating to
+ # the LDAP server.
+ # Tips:
+ # * Enable both lines at the same time.
# * Do not password protect the key file.
# * Ensure the keyfile is only readable by root.
#
attributetype ( 1.3.6.1.4.1.15953.9.1.2
NAME 'sudoHost'
- DESC 'Host(s) who may run sudo'
- EQUALITY caseExactIA5Match
- SUBSTR caseExactIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.3
- NAME 'sudoCommand'
- DESC 'Command(s) to be executed by sudo'
- EQUALITY caseExactIA5Match
-1.7.5rc1 February 21, 2011 12
+1.7.6 April 9, 2011 12
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ DESC 'Host(s) who may run sudo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.3
+ NAME 'sudoCommand'
+ DESC 'Command(s) to be executed by sudo'
+ EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.4
DESC 'an integer to order the sudoRole entries'
EQUALITY integerMatch
ORDERING integerOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
-
- objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
- DESC 'Sudoer Entries'
- MUST ( cn )
- MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
- sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
- sudoOrder $ description )
- )
-1.7.5rc1 February 21, 2011 13
+1.7.6 April 9, 2011 13
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+
+ objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
+ DESC 'Sudoer Entries'
+ MUST ( cn )
+ MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
+ sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
+ sudoOrder $ description )
+ )
+
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(4), _\bs_\bu_\bd_\bo_\be_\br_\bs(5)
-
-
-
-
-
-
-
-
-
-
-1.7.5rc1 February 21, 2011 14
+1.7.6 April 9, 2011 14
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "February 21, 2011" "1.7.5rc1" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "April 9, 2011" "1.7.6" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
\& User \*(Aq,\*(Aq User_List
\&
\& User ::= \*(Aq!\*(Aq* user name |
-\& \*(Aq!\*(Aq* \*(Aq#\*(Aquid |
-\& \*(Aq!\*(Aq* \*(Aq%\*(Aqgroup |
-\& \*(Aq!\*(Aq* \*(Aq+\*(Aqnetgroup |
-\& \*(Aq!\*(Aq* \*(Aq%:\*(Aqnonunix_group |
+\& \*(Aq!\*(Aq* #uid |
+\& \*(Aq!\*(Aq* %group |
+\& \*(Aq!\*(Aq* %#gid |
+\& \*(Aq!\*(Aq* +netgroup |
+\& \*(Aq!\*(Aq* %:nonunix_group |
+\& \*(Aq!\*(Aq* %:#nonunix_gid |
\& \*(Aq!\*(Aq* User_Alias
.Ve
.PP
-A \f(CW\*(C`User_List\*(C'\fR is made up of one or more user names, uids (prefixed
-with '#'), system groups (prefixed with '%'), netgroups (prefixed
-with '+') and \f(CW\*(C`User_Alias\*(C'\fRes. Each list item may be prefixed with
-zero or more '!' operators. An odd number of '!' operators negate
-the value of the item; an even number just cancel each other out.
-.PP
-A \f(CW\*(C`user name\*(C'\fR, \f(CW\*(C`group\*(C'\fR, \f(CW\*(C`netgroup\*(C'\fR or \f(CW\*(C`nonunix_group\*(C'\fR may
-be enclosed in double quotes to avoid the need for escaping special
-characters. Alternately, special characters may be specified in
-escaped hex mode, e.g. \ex20 for space.
-.PP
-The \f(CW\*(C`nonunix_group\*(C'\fR syntax depends on the underlying implementation.
-For instance, the \s-1QAS\s0 \s-1AD\s0 backend supports the following formats:
+A \f(CW\*(C`User_List\*(C'\fR is made up of one or more user names, user ids
+(prefixed with '#'), system group names and ids (prefixed with '%'
+and '%#' respectively), netgroups (prefixed with '+'), non-Unix
+group names and IDs (prefixed with '%:' and '%:#' respectively) and
+\&\f(CW\*(C`User_Alias\*(C'\fRes. Each list item may be prefixed with zero or more
+\&'!' operators. An odd number of '!' operators negate the value of
+the item; an even number just cancel each other out.
+.PP
+A \f(CW\*(C`user name\*(C'\fR, \f(CW\*(C`uid\*(C'\fR, \f(CW\*(C`group\*(C'\fR, \f(CW\*(C`gid\*(C'\fR, \f(CW\*(C`netgroup\*(C'\fR, \f(CW\*(C`nonunix_group\*(C'\fR
+or \f(CW\*(C`nonunix_gid\*(C'\fR may be enclosed in double quotes to avoid the
+need for escaping special characters. Alternately, special characters
+may be specified in escaped hex mode, e.g. \ex20 for space. When
+using double quotes, any prefix characters must be included inside
+the quotes.
+.PP
+The \f(CW\*(C`nonunix_group\*(C'\fR and \f(CW\*(C`nonunix_gid\*(C'\fR syntax depends on the
+underlying implementation. For instance, the \s-1QAS\s0 \s-1AD\s0 backend supports
+the following formats:
.IP "\(bu" 4
Group in the same domain: \*(L"Group Name\*(R"
.IP "\(bu" 4
.IP "\(bu" 4
Group \s-1SID:\s0 \*(L"S\-1\-2\-34\-5678901234\-5678901234\-5678901234\-567\*(R"
.PP
-Note that quotes around group names are optional. Unquoted strings must
-use a backslash (\e) to escape spaces and the '@' symbol.
+Note that quotes around group names are optional. Unquoted strings
+must use a backslash (\e) to escape spaces and special characters.
+See \*(L"Other special characters and reserved words\*(R" for a list of
+characters that need to be escaped.
.PP
.Vb 2
\& Runas_List ::= Runas_Member |
\& Runas_Member \*(Aq,\*(Aq Runas_List
\&
\& Runas_Member ::= \*(Aq!\*(Aq* user name |
-\& \*(Aq!\*(Aq* \*(Aq#\*(Aquid |
-\& \*(Aq!\*(Aq* \*(Aq%\*(Aqgroup |
+\& \*(Aq!\*(Aq* #uid |
+\& \*(Aq!\*(Aq* %group |
+\& \*(Aq!\*(Aq* %#gid |
+\& \*(Aq!\*(Aq* %:nonunix_group |
+\& \*(Aq!\*(Aq* %:#nonunix_gid |
\& \*(Aq!\*(Aq* +netgroup |
\& \*(Aq!\*(Aq* Runas_Alias
.Ve
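Review bot: the added rule "When using double quotes, any prefix characters must be included inside the quotes" is the part of this hunk a reader is most likely to get wrong, and the grammar now shows `#uid`, `%#gid` and `%:#nonunix_gid` without quoted prefix characters, so one concrete pair would help, e.g. `"%#1000"` or `"%:Group Name"` as the valid form and `%#"1000"` as the invalid one (the numeric gid is illustrative). Two smaller points in the same hunk: the QAS AD bullet list that follows documents only name and SID forms and does not say which of them are accepted after `%:` and which after the new `%:#`; and Runas_Member gains `%:nonunix_group` and `%:#nonunix_gid` here without the Runas_List prose (not in this hunk) being updated to say how a non-Unix group is resolved when used as a runas target rather than as a matching condition.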
\& Host ::= \*(Aq!\*(Aq* host name |
\& \*(Aq!\*(Aq* ip_addr |
\& \*(Aq!\*(Aq* network(/netmask)? |
-\& \*(Aq!\*(Aq* \*(Aq+\*(Aqnetgroup |
+\& \*(Aq!\*(Aq* +netgroup |
\& \*(Aq!\*(Aq* Host_Alias
.Ve
.PP
(and as what user) on specified hosts. By default, commands are
run as \fBroot\fR, but this can be changed on a per-command basis.
.PP
-The basic structure of a user specification is `who = where (as_whom)
+The basic structure of a user specification is `who where = (as_whom)
what'. Let's break that down into its constituent parts:
.SS "Runas_Spec"
.IX Subsection "Runas_Spec"
.IX Subsection "SETENV and NOSETENV"
.PP
These tags override the value of the \fIsetenv\fR option on a per-command
-basis. Note that if \f(CW\*(C`SETENV\*(C'\fR has been set for a command, any
-environment variables set on the command line way are not subject
-to the restrictions imposed by \fIenv_check\fR, \fIenv_delete\fR, or
-\&\fIenv_keep\fR. As such, only trusted users should be allowed to set
-variables in this manner. If the command matched is \fB\s-1ALL\s0\fR, the
-\&\f(CW\*(C`SETENV\*(C'\fR tag is implied for that command; this default may
-be overridden by use of the \f(CW\*(C`NOSETENV\*(C'\fR tag.
+basis. Note that if \f(CW\*(C`SETENV\*(C'\fR has been set for a command, the user
+may disable the \fIenv_reset\fR option from the command line via the
+\&\fB\-E\fR option. Additionally, environment variables set on the command
+line are not subject to the restrictions imposed by \fIenv_check\fR,
+\&\fIenv_delete\fR, or \fIenv_keep\fR. As such, only trusted users should
+be allowed to set variables in this manner. If the command matched
+is \fB\s-1ALL\s0\fR, the \f(CW\*(C`SETENV\*(C'\fR tag is implied for that command; this
+default may be overridden by use of the \f(CW\*(C`NOSETENV\*(C'\fR tag.
.PP
\fI\s-1LOG_INPUT\s0 and \s-1NOLOG_INPUT\s0\fR
.IX Subsection "LOG_INPUT and NOLOG_INPUT"
.PP
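Review bot: the new sentence that SETENV lets the user "disable the env_reset option from the command line via the -E option" should be tied to the statement two sentences later that ALL implies SETENV, and the consequence spelled out: every rule whose command is ALL also permits `sudo -E` unless NOSETENV is given, which is a larger grant than the paragraph's "set variables in this manner" suggests. It should also say whether env_check and env_delete still apply to the inherited environment under -E; the paragraph names them only in the context of variables set on the command line, so "disable env_reset" on its own reads as if the whole calling environment is passed through untouched.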
The following characters must be escaped with a backslash ('\e') when
used as part of a word (e.g.\ a user name or host name):
-\&'@', '!', '=', ':', ',', '(', ')', '\e'.
+\&'!', '=', ':', ',', '(', ')', '\e'.
.SH "SUDOERS OPTIONS"
.IX Header "SUDOERS OPTIONS"
\&\fBsudo\fR's behavior can be modified by \f(CW\*(C`Default_Entry\*(C'\fR lines, as
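Review bot: removing '@' from the must-escape list is a parsing behaviour change, not only a documentation edit (a bare `user@domain` token that previously needed `user\@domain` is now accepted as-is), so confirm the matching tokenizer change ships in the same release and that the 1.7.6 changelog mentions it. The reworded nonunix_group paragraph earlier in this patch now points at this list by the heading name "Other special characters and reserved words"; keep that heading text and this list in sync, since that paragraph no longer enumerates the characters itself.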
.IX Item "log_host"
If set, the host name will be logged in the (non-syslog) \fBsudo\fR log file.
This flag is \fIoff\fR by default.
+.IP "log_input" 16
+.IX Item "log_input"
+If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
+user input.
+If the standard input is not connected to the user's tty, due to
+I/O redirection or because the command is part of a pipeline, that
+input is also captured and stored in a separate log file.
+.Sp
+Input is logged to the directory specified by the \fIiolog_dir\fR
+option (\fI@iolog_dir@\fR by default) using a unique session \s-1ID\s0 that
+is included in the normal \fBsudo\fR log line, prefixed with \fITSID=\fR.
+.Sp
+Note that user input may contain sensitive information such as
+passwords (even if they are not echoed to the screen), which will
+be stored in the log file unencrypted. In most cases, logging the
+command output via \fIlog_output\fR is all that is required.
+.IP "log_output" 16
+.IX Item "log_output"
+If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
+output that is sent to the screen, similar to the \fIscript\fR\|(1) command.
+If the standard output or standard error is not connected to the
+user's tty, due to I/O redirection or because the command is part
+of a pipeline, that output is also captured and stored in separate
+log files.
+.Sp
+Output is logged to the directory specified by the \fIiolog_dir\fR
+option (\fI@iolog_dir@\fR by default) using a unique session \s-1ID\s0 that
+is included in the normal \fBsudo\fR log line, prefixed with \fITSID=\fR.
+.Sp
+Output logs may be viewed with the \fIsudoreplay\fR\|(@mansectsu@) utility, which
+can also be used to list or search the available logs.
.IP "log_year" 16
.IX Item "log_year"
If set, the four-digit year will be logged in the (non-syslog) \fBsudo\fR log file.
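Review bot: the new caveat under log_input (unechoed passwords are captured and stored unencrypted) is the right addition, but the same storage property holds for log_output: anything a command prints to the terminal, such as key material or the contents of a password file, lands in iolog_dir in the clear and is trivially readable with sudoreplay, so the recommendation "logging the command output via log_output is all that is required" should not read as if output logs are the safe option. State the unencrypted-storage caveat once for both options and say what ownership and mode iolog_dir is expected to have, since the option now makes the location configurable (this hunk replaces the fixed /var/log/sudo-io path with @iolog_dir@) and a world-readable directory defeats the point.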
include the target user's name. Note that this flag precludes the
use of a uid not listed in the passwd database as an argument to
the \fB\-u\fR option. This flag is \fIoff\fR by default.
-.IP "log_input" 16
-.IX Item "log_input"
-If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
-user input.
-If the standard input is not connected to the user's tty, due to
-I/O redirection or because the command is part of a pipeline, that
-input is also captured and stored in a separate log file.
-.Sp
-Input is logged to the \fI/var/log/sudo\-io\fR directory using a unique
-session \s-1ID\s0 that is included in the normal \fBsudo\fR log line, prefixed
-with \fITSID=\fR.
-.IP "log_output" 16
-.IX Item "log_output"
-If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
-output that is sent to the screen, similar to the \fIscript\fR\|(1) command.
-If the standard output or standard error is not connected to the
-user's tty, due to I/O redirection or because the command is part
-of a pipeline, that output is also captured and stored in separate
-log files.
-.Sp
-Output is logged to the
-\&\fI/var/log/sudo\-io\fR directory using a unique session \s-1ID\s0 that is
-included in the normal \fBsudo\fR log line, prefixed with \fITSID=\fR.
-.Sp
-Output logs may be viewed with the \fIsudoreplay\fR\|(@mansectsu@) utility, which
-can also be used to list or search the available logs.
.IP "tty_tickets" 16
.IX Item "tty_tickets"
If set, users must authenticate on a per-tty basis. With this flag