sudo, sudoedit - execute a command as another user
S\bSY\bYN\bNO\bOP\bPS\bSI\bIS\bS
- s\bsu\bud\bdo\bo -\b-K\bK | -\b-k\bk | -\b-h\bh | -\b-L\bL | -\b-V\bV | -\b-v\bv
+ s\bsu\bud\bdo\bo -\b-h\bh | -\b-K\bK | -\b-k\bk | -\b-L\bL | -\b-V\bV | -\b-v\bv
s\bsu\bud\bdo\bo -\b-l\bl [-\b-U\bU _\bu_\bs_\be_\br_\bn_\ba_\bm_\be] [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
s\bsu\bud\bdo\bo [-\b-b\bbE\bEH\bHP\bPS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-]
- [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be]
- {-\b-e\be file [...] | -\b-i\bi | -\b-s\bs | _\bc_\bo_\bm_\bm_\ba_\bn_\bd}
+ [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be] {-\b-i\bi | -\b-s\bs | _\bc_\bo_\bm_\b-
+ _\bm_\ba_\bn_\bd}
- s\bsu\bud\bdo\boe\bed\bdi\bit\bt [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-S\bS] [-\b-u\bu _\bu_\bs_\be_\br_\b
- _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] file [...]
+ s\bsu\bud\bdo\boe\bed\bdi\bit\bt [-\b-S\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-]
+ [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] file ...
D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
s\bsu\bud\bdo\bo allows a permitted user to execute a _\bc_\bo_\bm_\bm_\ba_\bn_\bd as the
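Review bot: with `{-e file [...] | -i | -s | command}` reduced to `{-i | -s | command}` in the third synopsis line, no synopsis form for sudo itself shows the file operands any more, yet the -e option is kept and described later in this same patch ("the user wishes to edit one or more files"). Either keep `-e file ...` on the sudo line, or have the -e description state that its usage is the one shown on the sudoedit line (`sudoedit [-S] [-a auth_type] [-C fd] [-c class|-] [-p prompt] [-u username|#uid] file ...`), so a reader scanning the synopsis can still see where the files go.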
file. The real and effective uid and gid are set to match
those of the target user as specified in the passwd file
and the group vector is initialized based on the group
- file (unless the -\b-P\bP option was specified). If the invok
+ file (unless the -\b-P\bP option was specified). If the invok-
ing user is root or if the target user is the same as the
invoking user, no password is required. Otherwise, s\bsu\bud\bdo\bo
- requires that users authenticate themselves with a pass
+ requires that users authenticate themselves with a pass-
word by default (NOTE: in the default configuration this
is the user's password, not the root password). Once a
user has been authenticated, a timestamp is updated and
is implied.
s\bsu\bud\bdo\bo determines who is an authorized user by consulting
- the file _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. By giving s\bsu\bud\bdo\bo the -\b-v\bv flag a user
- can update the time stamp without running a _\bc_\bo_\bm_\bm_\ba_\bn_\bd_\b. The
+ the file _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. By giving s\bsu\bud\bdo\bo the -\b-v\bv flag, a user
+ can update the time stamp without running a _\bc_\bo_\bm_\bm_\ba_\bn_\bd. The
password prompt itself will also time out if the user's
- password is not entered within 5 minutes (unless overrid
+ password is not entered within 5 minutes (unless overrid-
den via _\bs_\bu_\bd_\bo_\be_\br_\bs).
If a user who is not listed in the _\bs_\bu_\bd_\bo_\be_\br_\bs file tries to
- run a command via s\bsu\bud\bdo\bo, mail is sent to the proper author
+ run a command via s\bsu\bud\bdo\bo, mail is sent to the proper author-
ities, as defined at configure time or in the _\bs_\bu_\bd_\bo_\be_\br_\bs file
(defaults to root). Note that the mail will not be sent
if an unauthorized user tries to run sudo with the -\b-l\bl or
-\b-v\bv flags. This allows users to determine for themselves
whether or not they are allowed to use s\bsu\bud\bdo\bo.
- If s\bsu\bud\bdo\bo is run by root and the SUDO_USER environment vari
+ If s\bsu\bud\bdo\bo is run by root and the SUDO_USER environment vari-
able is set, s\bsu\bud\bdo\bo will use this value to determine who the
- actual user is. This can be used by a user to log com
+ actual user is. This can be used by a user to log com-
mands through sudo even when a root shell has been
invoked. It also allows the -\b-e\be flag to remain useful even
-1.7 June 23, 2007 1
+1.7 August 15, 2007 1
-a The -\b-a\ba (_\ba_\bu_\bt_\bh_\be_\bn_\bt_\bi_\bc_\ba_\bt_\bi_\bo_\bn _\bt_\by_\bp_\be) option causes s\bsu\bud\bdo\bo to use
the specified authentication type when validating the
- user, as allowed by /etc/login.conf. The system
+ user, as allowed by _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. The system
administrator may specify a list of sudo-specific
authentication methods by adding an "auth-sudo" entry
- in /etc/login.conf. This option is only available on
- systems that support BSD authentication where s\bsu\bud\bdo\bo has
- been configured with the --with-bsdauth option.
+ in _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. This option is only available on
+ systems that support BSD authentication.
-b The -\b-b\bb (_\bb_\ba_\bc_\bk_\bg_\br_\bo_\bu_\bn_\bd) option tells s\bsu\bud\bdo\bo to run the given
command in the background. Note that if you use the
- -\b-b\bb option you cannot use shell job control to manipu
+ -\b-b\bb option you cannot use shell job control to manipu-
late the process.
-C fd
Normally, s\bsu\bud\bdo\bo will close all open file descriptors
- other than standard input, standard output and stan
+ other than standard input, standard output and stan-
dard error. The -\b-C\bC (_\bc_\bl_\bo_\bs_\be _\bf_\br_\bo_\bm) option allows the
user to specify a starting point above the standard
error (file descriptor three). Values less than three
are not permitted. This option is only available if
the administrator has enabled the _\bc_\bl_\bo_\bs_\be_\bf_\br_\bo_\bm_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be
- option in sudoers(4).
+ option in _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
-c The -\b-c\bc (_\bc_\bl_\ba_\bs_\bs) option causes s\bsu\bud\bdo\bo to run the specified
command with resources limited by the specified login
class. The _\bc_\bl_\ba_\bs_\bs argument can be either a class name
- as defined in /etc/login.conf, or a single '-' charac
- ter. Specifying a _\bc_\bl_\ba_\bs_\bs of - indicates that the com
+ as defined in _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf, or a single '-' charac-
+ ter. Specifying a _\bc_\bl_\ba_\bs_\bs of - indicates that the com-
mand should be run restricted by the default login
capabilities for the user the command is run as. If
the _\bc_\bl_\ba_\bs_\bs argument specifies an existing user class,
the command must be run as root, or the s\bsu\bud\bdo\bo command
must be run from a shell that is already root. This
option is only available on systems with BSD login
- classes where s\bsu\bud\bdo\bo has been configured with the
- --with-logincap option.
+ classes.
-E The -\b-E\bE (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt) option will override the
- _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option in sudoers(4)). It is only available
+ _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option in _\bs_\bu_\bd_\bo_\be_\br_\bs(4)). It is only available
when either the matching command has the SETENV tag or
- the _\bs_\be_\bt_\be_\bn_\bv option is set in sudoers(4).
+ the _\bs_\be_\bt_\be_\bn_\bv option is set in _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
+ -e The -\b-e\be (_\be_\bd_\bi_\bt) option indicates that, instead of
-1.7 June 23, 2007 2
+
+1.7 August 15, 2007 2
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
- -e The -\b-e\be (_\be_\bd_\bi_\bt) option indicates that, instead of run
- ning a command, the user wishes to edit one or more
+ running a command, the user wishes to edit one or more
files. In lieu of a command, the string "sudoedit" is
used when consulting the _\bs_\bu_\bd_\bo_\be_\br_\bs file. If the user is
authorized by _\bs_\bu_\bd_\bo_\be_\br_\bs the following steps are taken:
- 1. Temporary copies are made of the files to be
- edited with the owner set to the invoking
- user.
+ 1. Temporary copies are made of the files to be
+ edited with the owner set to the invoking user.
- 2. The editor specified by the VISUAL or EDITOR
- environment variables is run to edit the tem
- porary files. If neither VISUAL nor EDITOR
- are set, the program listed in the _\be_\bd_\bi_\bt_\bo_\br
- _\bs_\bu_\bd_\bo_\be_\br_\bs variable is used.
+ 2. The editor specified by the VISUAL or EDITOR envi-
+ ronment variables is run to edit the temporary
+ files. If neither VISUAL nor EDITOR are set, the
+ program listed in the _\be_\bd_\bi_\bt_\bo_\br _\bs_\bu_\bd_\bo_\be_\br_\bs variable is
+ used.
- 3. If they have been modified, the temporary
- files are copied back to their original loca
- tion and the temporary versions are removed.
+ 3. If they have been modified, the temporary files
+ are copied back to their original location and the
+ temporary versions are removed.
- If the specified file does not exist, it will be cre
+ If the specified file does not exist, it will be cre-
ated. Note that unlike most commands run by s\bsu\bud\bdo\bo, the
editor is run with the invoking user's environment
unmodified. If, for some reason, s\bsu\bud\bdo\bo is unable to
receive a warning and the edited copy will remain in a
temporary file.
- -H The -\b-H\bH (_\bH_\bO_\bM_\bE) option sets the HOME environment vari
+ -H The -\b-H\bH (_\bH_\bO_\bM_\bE) option sets the HOME environment vari-
able to the homedir of the target user (root by
- default) as specified in passwd(4). By default, s\bsu\bud\bdo\bo
+ default) as specified in _\bp_\ba_\bs_\bs_\bw_\bd(4). By default, s\bsu\bud\bdo\bo
does not modify HOME (see _\bs_\be_\bt_\b__\bh_\bo_\bm_\be and _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be
- in sudoers(4)).
+ in _\bs_\bu_\bd_\bo_\be_\br_\bs(4)).
- -h The -\b-h\bh (_\bh_\be_\bl_\bp) option causes s\bsu\bud\bdo\bo to print a usage mes
+ -h The -\b-h\bh (_\bh_\be_\bl_\bp) option causes s\bsu\bud\bdo\bo to print a usage mes-
sage and exit.
-i The -\b-i\bi (_\bs_\bi_\bm_\bu_\bl_\ba_\bt_\be _\bi_\bn_\bi_\bt_\bi_\ba_\bl _\bl_\bo_\bg_\bi_\bn) option runs the shell
- specified in the passwd(4) entry of the user that the
+ specified in the _\bp_\ba_\bs_\bs_\bw_\bd(4) entry of the user that the
command is being run as. The command name argument
given to the shell begins with a `-' to tell the shell
to run as a login shell. s\bsu\bud\bdo\bo attempts to change to
that user's home directory before running the shell.
It also initializes the environment, leaving _\bD_\bI_\bS_\bP_\bL_\bA_\bY
- and _\bT_\bE_\bR_\bM unchanged, setting _\bH_\bO_\bM_\bE, _\bS_\bH_\bE_\bL_\bL, _\bU_\bS_\bE_\bR, _\bL_\bO_\bG_\b
+ and _\bT_\bE_\bR_\bM unchanged, setting _\bH_\bO_\bM_\bE, _\bS_\bH_\bE_\bL_\bL, _\bU_\bS_\bE_\bR, _\bL_\bO_\bG_\b-
_\bN_\bA_\bM_\bE, and _\bP_\bA_\bT_\bH, and unsetting all other environment
variables.
-k The -\b-k\bk (_\bk_\bi_\bl_\bl) option to s\bsu\bud\bdo\bo invalidates the user's
timestamp by setting the time on it to the Epoch. The
+ next time s\bsu\bud\bdo\bo is run a password will be required.
+ This option does not require a password and was added
-1.7 June 23, 2007 3
+1.7 August 15, 2007 3
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
- next time s\bsu\bud\bdo\bo is run a password will be required.
- This option does not require a password and was added
to allow a user to revoke s\bsu\bud\bdo\bo permissions from a
.logout file.
- -L The -\b-L\bL (_\bl_\bi_\bs_\bt defaults) option will list out the param
+ -L The -\b-L\bL (_\bl_\bi_\bs_\bt defaults) option will list out the param-
eters that may be set in a _\bD_\be_\bf_\ba_\bu_\bl_\bt_\bs line along with a
short description for each. This option is useful in
conjunction with _\bg_\br_\be_\bp(1).
invoking user (or the user specified by the -\b-U\bU option)
on the current host. If a _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified and is
permitted by _\bs_\bu_\bd_\bo_\be_\br_\bs, the fully-qualified path to the
- command is displayed along with any command line argu
+ command is displayed along with any command line argu-
ments. If _\bc_\bo_\bm_\bm_\ba_\bn_\bd is not allowed, s\bsu\bud\bdo\bo will exit with
a return value of 1.
default password prompt and use a custom one. The
following percent (`%') escapes are supported:
- %u expanded to the invoking user's login name
+ %H expanded to the local hostname including the
+ domain name (on if the machine's hostname is fully
+ qualified or the _\bf_\bq_\bd_\bn _\bs_\bu_\bd_\bo_\be_\br_\bs option is set)
- %U expanded to the login name of the user the
- command will be run as (defaults to root)
+ %h expanded to the local hostname without the domain
+ name
- %h expanded to the local hostname without the
- domain name
+ %U expanded to the login name of the user the command
+ will be run as (defaults to root)
- %H expanded to the local hostname including the
- domain name (on if the machine's hostname is
- fully qualified or the _\bf_\bq_\bd_\bn _\bs_\bu_\bd_\bo_\be_\br_\bs option is
- set)
+ %u expanded to the invoking user's login name
- %% two consecutive % characters are collapsed
- into a single % character
+ %% two consecutive % characters are collapsed into a
+ single % character
-S The -\b-S\bS (_\bs_\bt_\bd_\bi_\bn) option causes s\bsu\bud\bdo\bo to read the password
from the standard input instead of the terminal
-s The -\b-s\bs (_\bs_\bh_\be_\bl_\bl) option runs the shell specified by the
_\bS_\bH_\bE_\bL_\bL environment variable if it is set or the shell
- as specified in passwd(4).
+ as specified in _\bp_\ba_\bs_\bs_\bw_\bd(4).
+
+ -U The -\b-U\bU (_\bo_\bt_\bh_\be_\br _\bu_\bs_\be_\br) option is used in conjunction with
+ the -\b-l\bl option to specify the user whose privileges
-1.7 June 23, 2007 4
+1.7 August 15, 2007 4
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
- -U The -\b-U\bU (_\bo_\bt_\bh_\be_\br _\bu_\bs_\be_\br) option is used in conjunction with
- the -\b-l\bl option to specify the user whose privileges
should be listed. Only root or a user with s\bsu\bud\bdo\bo ALL
on the current host may use this option.
-u The -\b-u\bu (_\bu_\bs_\be_\br) option causes s\bsu\bud\bdo\bo to run the specified
command as a user other than _\br_\bo_\bo_\bt. To specify a _\bu_\bi_\bd
- instead of a _\bu_\bs_\be_\br_\bn_\ba_\bm_\be, use _\b#_\bu_\bi_\bd. Note that if the
- _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw Defaults option is set (see sudoers(4)) it is
+ instead of a _\bu_\bs_\be_\br_\bn_\ba_\bm_\be, use _\b#_\bu_\bi_\bd. When running com-
+ mands as a _\bu_\bi_\bd, many shells require that the '#' be
+ escaped with a backslash ('\'). Note that if the _\bt_\ba_\br_\b-
+ _\bg_\be_\bt_\bp_\bw Defaults option is set (see _\bs_\bu_\bd_\bo_\be_\br_\bs(4)) it is
not possible to run commands with a uid not listed in
the password database.
- -V The -\b-V\bV (_\bv_\be_\br_\bs_\bi_\bo_\bn) option causes s\bsu\bud\bdo\bo to print the ver
+ -V The -\b-V\bV (_\bv_\be_\br_\bs_\bi_\bo_\bn) option causes s\bsu\bud\bdo\bo to print the ver-
sion number and exit. If the invoking user is already
root the -\b-V\bV option will print out a list of the
defaults s\bsu\bud\bdo\bo was compiled with as well as the
machine's local network addresses.
-v If given the -\b-v\bv (_\bv_\ba_\bl_\bi_\bd_\ba_\bt_\be) option, s\bsu\bud\bdo\bo will update
- the user's timestamp, prompting for the user's pass
+ the user's timestamp, prompting for the user's pass-
word if necessary. This extends the s\bsu\bud\bdo\bo timeout for
another 5 minutes (or whatever the timeout is set to
in _\bs_\bu_\bd_\bo_\be_\br_\bs) but does not run a command.
-- The -\b--\b- flag indicates that s\bsu\bud\bdo\bo should stop processing
- command line arguments. It is most useful in conjunc
+ command line arguments. It is most useful in conjunc-
tion with the -\b-s\bs flag.
Environment variables to be set for the command may also
be passed on the command line in the form of V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be,
- e.g. L\bLD\bD_\b_L\bLI\bIB\bBR\bRA\bAR\bRY\bY_\b_P\bPA\bAT\bTH\bH=_\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bp_\bk_\bg_\b/_\bl_\bi_\bb. This is only
- permitted when the _\bs_\be_\bt_\be_\bn_\bv option is set in _\bs_\bu_\bd_\bo_\be_\br_\bs or the
- command to be run has the SETENV tag set. See sudoers(4)
- for more information.
+ e.g. L\bLD\bD_\b_L\bLI\bIB\bBR\bRA\bAR\bRY\bY_\b_P\bPA\bAT\bTH\bH=_\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bp_\bk_\bg_\b/_\bl_\bi_\bb. Variables
+ passed on the command line are subject to the same
+ restrictions as normal environment variables with one
+ important exception. If the _\bs_\be_\bt_\be_\bn_\bv option is set in _\bs_\bu_\bd_\bo_\b-
+ _\be_\br_\bs or the command to be run has the SETENV tag set the
+ user may set variables that would overwise be forbidden.
+ See _\bs_\bu_\bd_\bo_\be_\br_\bs(4) for more information.
R\bRE\bET\bTU\bUR\bRN\bN V\bVA\bAL\bLU\bUE\bES\bS
Upon successful execution of a program, the return value
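Review bot: "the user may set variables that would overwise be forbidden" in the new VAR=value paragraph should read "otherwise". While the prompt escapes are being re-sorted, the %H text is copied unchanged with its own typo, "(on if the machine's hostname is fully qualified or the fqdn sudoers option is set)", present on both the removed and the added lines; it should read "(only if ...)".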
that was executed.
Otherwise, s\bsu\bud\bdo\bo quits with an exit value of 1 if there is
- a configuration/permission problem or if s\bsu\bud\bdo\bo cannot exe
+ a configuration/permission problem or if s\bsu\bud\bdo\bo cannot exe-
cute the given command. In the latter case the error
string is printed to stderr. If s\bsu\bud\bdo\bo cannot _\bs_\bt_\ba_\bt(2) one
or more entries in the user's PATH an error is printed on
stderr. (If the directory does not exist or if it is not
really a directory, the entry is ignored and no error is
- printed.) This should not happen under normal circum
+ printed.) This should not happen under normal circum-
stances. The most common reason for _\bs_\bt_\ba_\bt(2) to return
"permission denied" is if you are running an automounter
and one of the directories in your PATH is on a machine
- that is currently unreachable.
-
-
-1.7 June 23, 2007 5
+1.7 August 15, 2007 5
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ that is currently unreachable.
+
S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
s\bsu\bud\bdo\bo tries to be safe when executing external commands.
- Variables that control how dynamic loading and binding is
- done can be used to subvert the program that s\bsu\bud\bdo\bo runs.
- To combat this the LD_*, _RLD_*, SHLIB_PATH (HP-UX only),
- and LIBPATH (AIX only) environment variables are removed
- from the environment passed on to all commands executed.
- s\bsu\bud\bdo\bo will also remove the IFS, CDPATH, ENV, BASH_ENV,
- KRB_CONF, KRBCONFDIR, KRBTKFILE, KRB5_CONFIG, LOCALDOMAIN,
- RES_OPTIONS, HOSTALIASES, NLSPATH, PATH_LOCALE, TERMINFO,
- TERMINFO_DIRS and TERMPATH variables as they too can pose
- a threat. If the TERMCAP variable is set and is a path
- name, it too is ignored. Additionally, if the LC_* or
- LANGUAGE variables contain the / or % characters, they are
- ignored. Environment variables with a value beginning
- with () are also removed as they could be interpreted as
- b\bba\bas\bsh\bh functions. If s\bsu\bud\bdo\bo has been compiled with SecurID
- support, the VAR_ACE, USR_ACE and DLC_ACE variables are
- cleared as well. The list of environment variables that
- s\bsu\bud\bdo\bo clears is contained in the output of sudo -V when run
- as root.
+
+ There are two distinct ways to deal with environment vari-
+ ables. By default, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt _\bs_\bu_\bd_\bo_\be_\br_\bs option is
+ enabled. This causes commands to be executed with a mini-
+ mal environment containing TERM, PATH, HOME, SHELL, LOG-
+ NAME, USER and USERNAME in addition to variables from the
+ invoking process permitted by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bk_\be_\be_\bp
+ _\bs_\bu_\bd_\bo_\be_\br_\bs options. There is effectively a whitelist for
+ environment variables.
+
+ If, however, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is disabled in _\bs_\bu_\bd_\bo_\be_\br_\bs,
+ any variables not explicitly denied by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and
+ _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be options are inherited from the invoking pro-
+ cess. In this case, _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be behave like
+ a blacklist. Since it is not possible to blacklist all
+ potentially dangerous environment variables, use of the
+ default _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt behavior is encouraged.
+
+ In all cases, environment variables with a value beginning
+ with () are removed as they could be interpreted as b\bba\bas\bsh\bh
+ functions. The list of environment variables that s\bsu\bud\bdo\bo
+ allows or denies is contained in the output of sudo -V
+ when run as root.
+
+ Note that the dynamic linker on most operating systems
+ will remove variables that can control dynamic linking
+ from the environment of setuid executables, including
+ s\bsu\bud\bdo\bo. Depending on the operating system this may include
+ _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and oth-
+ ers. These type of variables are removed from the envi-
+ ronment before s\bsu\bud\bdo\bo even begins execution and, as such, it
+ is not possible for s\bsu\bud\bdo\bo to preserve them.
To prevent command spoofing, s\bsu\bud\bdo\bo checks "." and "" (both
- denoting current directory) last when searching for a com
+ denoting current directory) last when searching for a com-
mand in the user's PATH (if one or both are in the PATH).
Note, however, that the actual PATH environment variable
is _\bn_\bo_\bt modified and is passed unchanged to the program
that s\bsu\bud\bdo\bo executes.
- For security reasons, if your OS supports shared libraries
- and does not disable user-defined library search paths for
- setuid programs (most do), you should either use a linker
- option that disables this behavior or link s\bsu\bud\bdo\bo stati
- cally.
-
s\bsu\bud\bdo\bo will check the ownership of its timestamp directory
- (_\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo by default) and ignore the directory's con
+ (_\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo by default) and ignore the directory's con-
tents if it is not owned by root or if it is writable by a
user other than root. On systems that allow non-root
users to give away files via _\bc_\bh_\bo_\bw_\bn(2), if the timestamp
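Review bot: the removed paragraph ("For security reasons, if your OS supports shared libraries and does not disable user-defined library search paths for setuid programs ... link sudo statically") was the only advice for the systems the replacement text hedges on with "the dynamic linker on most operating systems will remove variables that can control dynamic linking"; on a platform whose loader does not scrub LD_* and friends for setuid binaries, the new text says nothing about what to do, so consider keeping one sentence of that advice (static linking, or a linker option that disables user-supplied search paths) for those platforms. Also, "These type of variables are removed" should be "These types of variables" or "Variables of this type".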
timestamp directory before s\bsu\bud\bdo\bo is run. However, because
s\bsu\bud\bdo\bo checks the ownership and mode of the directory and
its contents, the only damage that can be done is to
- "hide" files by putting them in the timestamp dir. This
- is unlikely to happen since once the timestamp dir is
- owned by root and inaccessible by any other user, the user
- placing files there would be unable to get them back out.
- To get around this issue you can use a directory that is
- not world-writable for the timestamps (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo for
- instance) or create _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo with the appropriate
- owner (root) and permissions (0700) in the system startup
- files.
-1.7 June 23, 2007 6
+1.7 August 15, 2007 6
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ "hide" files by putting them in the timestamp dir. This
+ is unlikely to happen since once the timestamp dir is
+ owned by root and inaccessible by any other user, the user
+ placing files there would be unable to get them back out.
+ To get around this issue you can use a directory that is
+ not world-writable for the timestamps (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo for
+ instance) or create _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo with the appropriate
+ owner (root) and permissions (0700) in the system startup
+ files.
+
s\bsu\bud\bdo\bo will not honor timestamps set far in the future.
Timestamps with a date greater than current_time + 2 *
TIMEOUT will be ignored and sudo will log and complain.
escapes (including most editors). Because of this, care
must be taken when giving users access to commands via
s\bsu\bud\bdo\bo to verify that the command does not inadvertently
- give the user an effective root shell. For more informa
+ give the user an effective root shell. For more informa-
tion, please see the PREVENTING SHELL ESCAPES section in
- sudoers(4).
+ _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
E\bEN\bNV\bVI\bIR\bRO\bON\bNM\bME\bEN\bNT\bT
s\bsu\bud\bdo\bo utilizes the following environment variables:
- EDITOR Default editor to use in -e (sudoedit) mode if
- VISUAL is not set
+ EDITOR Default editor to use in -\b-e\be (sudoedit)
+ mode if VISUAL is not set
- HOME In -s or -H mode (or if sudo was configured with
- the --enable-shell-sets-home option), set to
- homedir of the target user
+ HOME In -\b-s\bs or -\b-H\bH mode (or if sudo was config-
+ ured with the --enable-shell-sets-home
+ option), set to homedir of the target user
- PATH Set to a sane value if sudo was configured with
- the --with-secure-path option
+ PATH Set to a sane value if the _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh
+ sudoers option is set.
- SHELL Used to determine shell to run with -s option
+ SHELL Used to determine shell to run with -s
+ option
- SUDO_PROMPT Used as the default password prompt
+ SUDO_PROMPT Used as the default password prompt
- SUDO_COMMAND Set to the command run by sudo
+ SUDO_COMMAND Set to the command run by sudo
- SUDO_USER Set to the login of the user who invoked sudo
+ SUDO_USER Set to the login of the user who invoked
+ sudo
- SUDO_UID Set to the uid of the user who invoked sudo
+ SUDO_UID Set to the uid of the user who invoked
+ sudo
- SUDO_GID Set to the gid of the user who invoked sudo
- SUDO_PS1 If set, PS1 will be set to its value
- USER Set to the target user (root unless the -u option
- is specified)
+1.7 August 15, 2007 7
- VISUAL Default editor to use in -e (sudoedit) mode
-F\bFI\bIL\bLE\bES\bS
- /etc/sudoers List of who can run what
- /var/run/sudo Directory containing timestamps
-1.7 June 23, 2007 7
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ SUDO_GID Set to the gid of the user who invoked
+ sudo
+ SUDO_PS1 If set, PS1 will be set to its value
+ USER Set to the target user (root unless the -\b-u\bu
+ option is specified)
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ VISUAL Default editor to use in -\b-e\be (sudoedit)
+ mode
+F\bFI\bIL\bLE\bES\bS
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
+ _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo Directory containing timestamps
E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
- Note: the following examples assume suitable sudoers(4)
+ Note: the following examples assume suitable _\bs_\bu_\bd_\bo_\be_\br_\bs(4)
entries.
To get a file listing of an unreadable directory:
$ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\bg_\br_\be_\bp(1), _\bs_\bu(1), _\bs_\bt_\ba_\bt(2), _\bl_\bo_\bg_\bi_\bn_\b__\bc_\ba_\bp(3), sudoers(4),
- passwd(4), visudo(1m)
+ _\bg_\br_\be_\bp(1), _\bs_\bu(1), _\bs_\bt_\ba_\bt(2), _\bl_\bo_\bg_\bi_\bn_\b__\bc_\ba_\bp(3), _\bp_\ba_\bs_\bs_\bw_\bd(4),
+ _\bs_\bu_\bd_\bo_\be_\br_\bs(4), _\bv_\bi_\bs_\bu_\bd_\bo(1m)
A\bAU\bUT\bTH\bHO\bOR\bRS\bS
- Many people have worked on s\bsu\bud\bdo\bo over the years; this ver
+ Many people have worked on s\bsu\bud\bdo\bo over the years; this ver-
sion consists of code written primarily by:
Todd C. Miller
See the HISTORY file in the s\bsu\bud\bdo\bo distribution or visit
+
+
+
+1.7 August 15, 2007 8
+
+
+
+
+
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+
+
http://www.sudo.ws/sudo/history.html for a short history
of s\bsu\bud\bdo\bo.
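Review bot: the ENVIRONMENT table is now inconsistent about build-time options: the PATH entry is changed from "configured with the --with-secure-path option" to "if the secure_path sudoers option is set", but the HOME entry in the same hunk still says "or if sudo was configured with the --enable-shell-sets-home option". If configure-option names are being dropped from the page, the HOME entry needs the same treatment; the -H description earlier on the page already points to the set_home and always_set_home sudoers options, which is the natural cross-reference. Minor: the SHELL entry's "-s" is left plain while the EDITOR and HOME entries now have their -e, -s and -H flags in bold.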
user to run commands via shell escapes, thus avoiding
s\bsu\bud\bdo\bo's checks. However, on most systems it is possible to
prevent shell escapes with s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality.
- See the sudoers(4) manual for details.
+ See the _\bs_\bu_\bd_\bo_\be_\br_\bs(4) manual for details.
It is not meaningful to run the cd command directly via
sudo, e.g.,
-
-
-
-1.7 June 23, 2007 8
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
$ sudo cd /usr/local/protected
since when the command exits the parent process (your
If users have sudo ALL there is nothing to prevent them
from creating their own program that gives them a root
- shell regardless of any '!' elements in the user specifi
+ shell regardless of any '!' elements in the user specifi-
cation.
Running shell scripts via s\bsu\bud\bdo\bo can expose the same kernel
- bugs that make setuid shell scripts unsafe on some operat
+ bugs that make setuid shell scripts unsafe on some operat-
ing systems (if your OS has a /dev/fd/ directory, setuid
shell scripts are generally safe).
bug report at http://www.sudo.ws/sudo/bugs/
S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Limited free support is available via the sudo-users mail
- ing list, see http://www.sudo.ws/mail
+ Limited free support is available via the sudo-users mail-
+ ing list, see http://www.sudo.ws/mail-
man/listinfo/sudo-users to subscribe or search the
archives.
D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- S\bSu\bud\bdo\bo is provided ``AS IS'' and any express or implied war
- ranties, including, but not limited to, the implied war
+ s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied war-
+ ranties, including, but not limited to, the implied war-
ranties of merchantability and fitness for a particular
purpose are disclaimed. See the LICENSE file distributed
- with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for com
+ with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for com-
plete details.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-1.7 June 23, 2007 9
+1.7 August 15, 2007 9
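Review bot: the reflowed SUPPORT paragraph breaks the mailing-list URL at a hyphenation point, "http://www.sudo.ws/mail-" / "man/listinfo/sudo-users", so anyone copying it from the rendered page gets "mail-man" in the path. Protect the URL from hyphenation in the troff source (for example by prefixing the word with \% or bracketing it with .nh and .hy) rather than leaving it to the formatter.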
Q\bQu\bui\bic\bck\bk g\bgu\bui\bid\bde\be t\bto\bo E\bEB\bBN\bNF\bF
EBNF is a concise and exact way of describing the grammar
- of a language. Each EBNF definition is made up of _\bp_\br_\bo_\bd_\bu_\bc_\b
+ of a language. Each EBNF definition is made up of _\bp_\br_\bo_\bd_\bu_\bc_\b-
_\bt_\bi_\bo_\bn _\br_\bu_\bl_\be_\bs. E.g.,
symbol ::= definition | alternate1 | alternate2 ...
Each _\bp_\br_\bo_\bd_\bu_\bc_\bt_\bi_\bo_\bn _\br_\bu_\bl_\be references others and thus makes up a
- grammar for the language. EBNF also contains the follow
- ing operators, which many readers will recognize from reg
+ grammar for the language. EBNF also contains the follow-
+ ing operators, which many readers will recognize from reg-
ular expressions. Do not, however, confuse them with
"wildcard" characters, which have different meanings.
- ? Means that the preceding symbol (or group of sym
- bols) is optional. That is, it may appear once or
- not at all.
+ ? Means that the preceding symbol (or group of symbols)
+ is optional. That is, it may appear once or not at
+ all.
- * Means that the preceding symbol (or group of sym
- bols) may appear zero or more times.
+ * Means that the preceding symbol (or group of symbols)
+ may appear zero or more times.
- + Means that the preceding symbol (or group of sym
- bols) may appear one or more times.
+ + Means that the preceding symbol (or group of symbols)
+ may appear one or more times.
Parentheses may be used to group symbols together. For
clarity, we will use single quotes ('') to designate what
-1.7 June 23, 2007 1
+1.7 August 15, 2007 1
Alias_Type NAME = item1, item2, ...
where _\bA_\bl_\bi_\ba_\bs_\b__\bT_\by_\bp_\be is one of User_Alias, Runas_Alias,
- Host_Alias, or Cmnd_Alias. A NAME is a string of upper
+ Host_Alias, or Cmnd_Alias. A NAME is a string of upper-
case letters, numbers, and underscore characters ('_'). A
NAME m\bmu\bus\bst\bt start with an uppercase letter. It is possible
to put several alias definitions of the same type on a
-1.7 June 23, 2007 2
+1.7 August 15, 2007 2
also contain uids (prefixed with '#') and instead of
User_Aliases it can contain Runas_Aliases. Note that
usernames and groups are matched as strings. In other
- words, two users (groups) with the same uid (gid) are con
- sidered to be distinct. If you wish to match all user
+ words, two users (groups) with the same uid (gid) are con-
+ sidered to be distinct. If you wish to match all user-
names with the same uid (e.g. root and toor), you can use
a uid instead (#0 in the example given).
each of the local host's network interfaces and, if the
network number corresponds to one of the hosts's network
interfaces, the corresponding netmask will be used. The
- netmask may be specified either in dotted quad notation
- (e.g. 255.255.255.0) or CIDR notation (number of bits,
- e.g. 24). A hostname may include shell-style wildcards
- (see the Wildcards section below), but unless the hostname
- command on your machine returns the fully qualified host
- name, you'll need to use the _\bf_\bq_\bd_\bn option for wildcards to
- be useful.
+ netmask may be specified either in standard IP address
+ notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or
+ CIDR notation (number of bits, e.g. 24 or 64). A hostname
+ may include shell-style wildcards (see the Wildcards sec-
+ tion below), but unless the hostname command on your
+ machine returns the fully qualified hostname, you'll need
+ to use the _\bf_\bq_\bd_\bn option for wildcards to be useful.
Cmnd_List ::= Cmnd |
Cmnd ',' Cmnd_List
'!'* "sudoedit" |
'!'* Cmnd_Alias
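Review bot: the new netmask wording only shows the IPv6 form for the mask (`ffff:ffff:ffff:ffff::`, i.e. the 64-bit CIDR example), but nothing in the visible text states that an IPv6 network address itself is now accepted in a Host_List; add one sentence saying IPv6 addresses and networks may be used wherever an IPv4 address could, so readers do not have to infer it from the mask example. Also, since both examples describe the same 64-bit prefix, pairing them explicitly ("255.255.255.0 or ffff:ffff:ffff:ffff::, i.e. /24 or /64") would make the equivalence clear.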
- A Cmnd_List is a list of one or more commandnames, direc
- tories, and other aliases. A commandname is a fully qual
+ A Cmnd_List is a list of one or more commandnames, direc-
+ tories, and other aliases. A commandname is a fully qual-
ified filename which may include shell-style wildcards
(see the Wildcards section below). A simple filename
allows the user to run the command with any arguments
-1.7 June 23, 2007 3
+1.7 August 15, 2007 3
arguments in the Cmnd must match exactly those given by
the user on the command line (or match the wildcards if
there are any). Note that the following characters must
- be escaped with a '\' if they are used in command argu
+ be escaped with a '\' if they are used in command argu-
ments: ',', ':', '=', '\'. The special command "sudoedit"
is used to permit a user to run s\bsu\bud\bdo\bo with the -\b-e\be flag (or
as s\bsu\bud\bdo\boe\bed\bdi\bit\bt). It may take command line arguments just as
Parameters may be f\bfl\bla\bag\bgs\bs, i\bin\bnt\bte\beg\bge\ber\br values, s\bst\btr\bri\bin\bng\bgs\bs, or
l\bli\bis\bst\bts\bs. Flags are implicitly boolean and can be turned off
via the '!' operator. Some integer, string and list
- parameters may also be used in a boolean context to dis
+ parameters may also be used in a boolean context to dis-
able them. Values may be enclosed in double quotes (")
when they contain multiple words. Special characters may
be escaped with a backslash (\).
-1.7 June 23, 2007 4
+1.7 August 15, 2007 4
to remove an element that does not exist in a list.
- F\bFl\bla\bag\bgs\bs:
+ See "SUDOERS OPTIONS" for a list of supported Defaults
+ parameters.
- long_otp_prompt
- When validating with a One Time Password
- scheme (S\bS/\b/K\bKe\bey\by or O\bOP\bPI\bIE\bE), a two-line prompt is
- used to make it easier to cut and paste the
- challenge to a local window. It's not as
- pretty as the default but some people find it
- more convenient. This flag is _\bo_\bf_\bf by default.
-
- ignore_dot If set, s\bsu\bud\bdo\bo will ignore '.' or '' (current
- dir) in the PATH environment variable; the
- PATH itself is not modified. This flag is _\bo_\bf_\bf
- by default.
-
- mail_always Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user every time a
- users runs s\bsu\bud\bdo\bo. This flag is _\bo_\bf_\bf by default.
-
- mail_badpass
- Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user if the user run
- ning s\bsu\bud\bdo\bo does not enter the correct password.
- This flag is _\bo_\bf_\bf by default.
-
- mail_no_user
- If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user
- if the invoking user is not in the _\bs_\bu_\bd_\bo_\be_\br_\bs
- file. This flag is _\bo_\bn by default.
-
- mail_no_host
- If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user
- if the invoking user exists in the _\bs_\bu_\bd_\bo_\be_\br_\bs
- file, but is not allowed to run commands on
- the current host. This flag is _\bo_\bf_\bf by
- default.
+ U\bUs\bse\ber\br S\bSp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn
- mail_no_perms
- If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user
- if the invoking user is allowed to use s\bsu\bud\bdo\bo
- but the command they are trying is not listed
- in their _\bs_\bu_\bd_\bo_\be_\br_\bs file entry or is explicitly
- denied. This flag is _\bo_\bf_\bf by default.
+ User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
+ (':' Host_List '=' Cmnd_Spec_List)*
- tty_tickets If set, users must authenticate on a per-tty
- basis. Normally, s\bsu\bud\bdo\bo uses a directory in the
- ticket dir with the same name as the user run
- ning it. With this flag enabled, s\bsu\bud\bdo\bo will
- use a file named for the tty the user is
- logged in on in that directory. This flag is
- _\bo_\bf_\bf by default.
+ Cmnd_Spec_List ::= Cmnd_Spec |
+ Cmnd_Spec ',' Cmnd_Spec_List
- authenticate
- If set, users must authenticate themselves via
+ Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
+ Runas_Spec ::= '(' Runas_List ')'
+ Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
+ 'SETENV:' | 'NOSETENV:' )
-1.7 June 23, 2007 5
+ A u\bus\bse\ber\br s\bsp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn determines which commands a user may
+ run (and as what user) on specified hosts. By default,
+ commands are run as r\bro\boo\bot\bt, but this can be changed on a
+ per-command basis.
+ Let's break that down into its constituent parts:
+ R\bRu\bun\bna\bas\bs_\b_S\bSp\bpe\bec\bc
+ A Runas_Spec is simply a Runas_List (as defined above)
+ enclosed in a set of parentheses. If you do not specify a
+ Runas_Spec in the user specification, a default Runas_Spec
+ of r\bro\boo\bot\bt will be used. A Runas_Spec sets the default for
+ commands that follow it. What this means is that for the
+ entry:
+ dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ The user d\bdg\bgb\bb may run _\b/_\bb_\bi_\bn_\b/_\bl_\bs, _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm
+ -- but only as o\bop\bpe\ber\bra\bat\bto\bor\br. E.g.,
+ $ sudo -u operator /bin/ls.
- a password (or other means of authentication)
- before they may run commands. This default
- may be overridden via the PASSWD and NOPASSWD
- tags. This flag is _\bo_\bn by default.
-
- root_sudo If set, root is allowed to run s\bsu\bud\bdo\bo too. Dis
- abling this prevents users from "chaining"
- s\bsu\bud\bdo\bo commands to get a root shell by doing
- something like "sudo sudo /bin/sh". Note,
- however, that turning off _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo will also
- prevent root and from running s\bsu\bud\bdo\boe\bed\bdi\bit\bt. Dis
- abling _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo provides no real additional
- security; it exists purely for historical rea
- sons. This flag is _\bo_\bn by default.
-
- log_host If set, the hostname will be logged in the
- (non-syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf
- by default.
-
- log_year If set, the four-digit year will be logged in
- the (non-syslog) s\bsu\bud\bdo\bo log file. This flag is
- _\bo_\bf_\bf by default.
-
- shell_noargs
- If set and s\bsu\bud\bdo\bo is invoked with no arguments
- it acts as if the -\b-s\bs flag had been given.
- That is, it runs a shell as root (the shell is
- determined by the SHELL environment variable
- if it is set, falling back on the shell listed
- in the invoking user's /etc/passwd entry if
- not). This flag is _\bo_\bf_\bf by default.
-
- set_home If set and s\bsu\bud\bdo\bo is invoked with the -\b-s\bs flag
- the HOME environment variable will be set to
- the home directory of the target user (which
- is root unless the -\b-u\bu option is used). This
- effectively makes the -\b-s\bs flag imply -\b-H\bH. This
- flag is _\bo_\bf_\bf by default.
-
- always_set_home
- If set, s\bsu\bud\bdo\bo will set the HOME environment
- variable to the home directory of the target
- user (which is root unless the -\b-u\bu option is
- used). This effectively means that the -\b-H\bH
- flag is always implied. This flag is _\bo_\bf_\bf by
- default.
+ It is also possible to override a Runas_Spec later on in
+ an entry. If we modify the entry like so:
- path_info Normally, s\bsu\bud\bdo\bo will tell the user when a com
- mand could not be found in their PATH environ
- ment variable. Some sites may wish to disable
- this as it could be used to gather information
- on the location of executables that the normal
- user does not have access to. The disadvan
- tage is that if the executable is simply not
+ dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
+ Then user d\bdg\bgb\bb is now allowed to run _\b/_\bb_\bi_\bn_\b/_\bl_\bs as o\bop\bpe\ber\bra\bat\bto\bor\br,
+ but _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as r\bro\boo\bot\bt.
-1.7 June 23, 2007 6
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+1.7 August 15, 2007 5
- in the user's PATH, s\bsu\bud\bdo\bo will tell the user
- that they are not allowed to run it, which can
- be confusing. This flag is _\bo_\bf_\bf by default.
-
- preserve_groups
- By default s\bsu\bud\bdo\bo will initialize the group vec
- tor to the list of groups the target user is
- in. When _\bp_\br_\be_\bs_\be_\br_\bv_\be_\b__\bg_\br_\bo_\bu_\bp_\bs is set, the user's
- existing group vector is left unaltered. The
- real and effective group IDs, however, are
- still set to match the target user. This flag
- is _\bo_\bf_\bf by default.
-
- fqdn Set this flag if you want to put fully quali
- fied hostnames in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. I.e.,
- instead of myhost you would use myhost.mydo
- main.edu. You may still use the short form if
- you wish (and even mix the two). Beware that
- turning on _\bf_\bq_\bd_\bn requires s\bsu\bud\bdo\bo to make DNS
- lookups which may make s\bsu\bud\bdo\bo unusable if DNS
- stops working (for example if the machine is
- not plugged into the network). Also note that
- you must use the host's official name as DNS
- knows it. That is, you may not use a host
- alias (CNAME entry) due to performance issues
- and the fact that there is no way to get all
- aliases from DNS. If your machine's hostname
- (as returned by the hostname command) is
- already fully qualified you shouldn't need to
- set _\bf_\bq_\bd_\bn. This flag is _\bo_\bf_\bf by default.
-
- insults If set, s\bsu\bud\bdo\bo will insult users when they enter
- an incorrect password. This flag is _\bo_\bf_\bf by
- default.
- requiretty If set, s\bsu\bud\bdo\bo will only run when the user is
- logged in to a real tty. This will disallow
- things like "rsh somehost sudo ls" since
- _\br_\bs_\bh(1) does not allocate a tty. Because it is
- not possible to turn off echo when there is no
- tty present, some sites may wish to set this
- flag to prevent a user from entering a visible
- password. This flag is _\bo_\bf_\bf by default.
- env_editor If set, v\bvi\bis\bsu\bud\bdo\bo will use the value of the EDI
- TOR or VISUAL environment variables before
- falling back on the default editor list. Note
- that this may create a security hole as it
- allows the user to run any arbitrary command
- as root without logging. A safer alternative
- is to place a colon-separated list of editors
- in the editor variable. v\bvi\bis\bsu\bud\bdo\bo will then only
- use the EDITOR or VISUAL if they match a value
- specified in editor. This flag is off by
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-1.7 June 23, 2007 7
+ T\bTa\bag\bg_\b_S\bSp\bpe\bec\bc
+ A command may have zero or more tags associated with it.
+ There are eight possible tag values, NOPASSWD, PASSWD,
+ NOEXEC, EXEC, SETENV and NOSETENV. Once a tag is set on a
+ Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit the
+ tag unless it is overridden by the opposite tag (i.e.:
+ PASSWD overrides NOPASSWD and NOEXEC overrides EXEC).
+ _\bN_\bO_\bP_\bA_\bS_\bS_\bW_\bD _\ba_\bn_\bd _\bP_\bA_\bS_\bS_\bW_\bD
+ By default, s\bsu\bud\bdo\bo requires that a user authenticate him or
+ herself before running a command. This behavior can be
+ modified via the NOPASSWD tag. Like a Runas_Spec, the
+ NOPASSWD tag sets a default for the commands that follow
+ it in the Cmnd_Spec_List. Conversely, the PASSWD tag can
+ be used to reverse things. For example:
+ ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ would allow the user r\bra\bay\by to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, _\b/_\bb_\bi_\bn_\b/_\bl_\bs, and
+ _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as root on the machine rushmore as r\bro\boo\bot\bt
+ without authenticating himself. If we only want r\bra\bay\by to be
+ able to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl without a password the entry would
+ be:
+ ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
- default.
+ Note, however, that the PASSWD tag has no effect on users
+ who are in the group specified by the _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option.
- rootpw If set, s\bsu\bud\bdo\bo will prompt for the root password
- instead of the password of the invoking user.
- This flag is _\bo_\bf_\bf by default.
+ By default, if the NOPASSWD tag is applied to any of the
+ entries for a user on the current host, he or she will be
+ able to run sudo -l without a password. Additionally, a
+ user may only run sudo -v without a password if the
+ NOPASSWD tag is present for all a user's entries that per-
+ tain to the current host. This behavior may be overridden
+ via the verifypw and listpw options.
- runaspw If set, s\bsu\bud\bdo\bo will prompt for the password of
- the user defined by the _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt option
- (defaults to root) instead of the password of
- the invoking user. This flag is _\bo_\bf_\bf by
- default.
+ _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC
- targetpw If set, s\bsu\bud\bdo\bo will prompt for the password of
- the user specified by the -\b-u\bu flag (defaults to
- root) instead of the password of the invoking
- user. Note that this precludes the use of a
- uid not listed in the passwd database as an
- argument to the -\b-u\bu flag. This flag is _\bo_\bf_\bf by
- default.
+ If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the
+ underlying operating system supports it, the NOEXEC tag
+ can be used to prevent a dynamically-linked executable
+ from running further commands itself.
- set_logname Normally, s\bsu\bud\bdo\bo will set the LOGNAME, USER and
- USERNAME environment variables to the name of
- the target user (usually root unless the -\b-u\bu
- flag is given). However, since some programs
- (including the RCS revision control system)
- use LOGNAME to determine the real identity of
- the user, it may be desirable to change this
- behavior. This can be done by negating the
- set_logname option. Note that if the
- _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option has not been disabled,
- entries in the _\be_\bn_\bv_\b__\bk_\be_\be_\bp list will override the
- value of _\bs_\be_\bt_\b__\bl_\bo_\bg_\bn_\ba_\bm_\be.
+ In the following example, user a\baa\bar\bro\bon\bn may run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be
+ and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi but shell escapes will be disabled.
- stay_setuid Normally, when s\bsu\bud\bdo\bo executes a command the
- real and effective UIDs are set to the target
- user (root by default). This option changes
- that behavior such that the real UID is left
- as the invoking user's UID. In other words,
- this makes s\bsu\bud\bdo\bo act as a setuid wrapper. This
- can be useful on systems that disable some
- potentially dangerous functionality when a
- program is run setuid. This option is only
- effective on systems with either the
- _\bs_\be_\bt_\br_\be_\bu_\bi_\bd_\b(_\b) or _\bs_\be_\bt_\br_\be_\bs_\bu_\bi_\bd_\b(_\b) function.
+ aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
- env_reset If set, s\bsu\bud\bdo\bo will reset the environment to
- only contain the LOGNAME, SHELL, USER, USER
- NAME and the SUDO_* variables. Any variables
- in the caller's environment that match the
- env_keep and env_check lists are then added.
- The default contents of the env_keep and
- env_check lists are displayed when s\bsu\bud\bdo\bo is run
- by root with the _\b-_\bV option. If the
- _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh option is set, its -value will be
+ See the "PREVENTING SHELL ESCAPES" section below for more
+ details on how NOEXEC works and whether or not it will
+ work on your system.
-1.7 June 23, 2007 8
+1.7 August 15, 2007 6
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
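Review bot: the tag count in the new Tag_Spec text is wrong: "There are eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV and NOSETENV." names six tags, and the grammar above it (`Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | 'SETENV:' | 'NOSETENV:' )`) also defines six; the "eight" looks like a leftover from the MONITOR and NOMONITOR tags referenced in the removed `monitor` flag text, so either change it to "six" or add the two missing tags to both the grammar and the list, whichever reflects the intended behaviour. Smaller points in the same hunk: the NOPASSWD example says ray may run the commands "as root on the machine rushmore as root", which states "as root" twice (drop one); the sentence "subsequent Cmnds in the Cmnd_Spec_List, inherit the tag" has a stray comma before "inherit"; and "for all a user's entries that pertain to the current host" should read "for all of a user's entries".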
- used for the PATH environment variable. This
- flag is _\bo_\bn by default.
-
- use_loginclass
- If set, s\bsu\bud\bdo\bo will apply the defaults specified
- for the target user's login class if one
- exists. Only available if s\bsu\bud\bdo\bo is configured
- with the --with-logincap option. This flag is
- _\bo_\bf_\bf by default.
-
- noexec If set, all commands run via s\bsu\bud\bdo\bo will behave
- as if the NOEXEC tag has been set, unless
- overridden by a EXEC tag. See the description
- of _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC below as well as the "PRE
- VENTING SHELL ESCAPES" section at the end of
- this manual. This flag is _\bo_\bf_\bf by default.
-
- monitor If set, all commands run via s\bsu\bud\bdo\bo will behave
- as if the MONITOR tag has been set, unless
- overridden by a NOMONITOR tag. See the
- description of _\bM_\bO_\bN_\bI_\bT_\bO_\bR _\ba_\bn_\bd _\bN_\bO_\bM_\bO_\bN_\bI_\bT_\bO_\bR below as
- well as the "PREVENTING SHELL ESCAPES" section
- at the end of this manual. Be aware that
- tracing is only supported on certain operating
- systems. On systems where it is not supported
- this flag will have no effect. This flag is
- _\bo_\bf_\bf by default.
+ _\bS_\bE_\bT_\bE_\bN_\bV _\ba_\bn_\bd _\bN_\bO_\bS_\bE_\bT_\bE_\bN_\bV
- ignore_local_sudoers
- If set via LDAP, parsing of @sysconfdir@/sudo
- ers will be skipped. This is intended for
- Enterprises that wish to prevent the usage of
- local sudoers files so that only LDAP is used.
- This thwarts the efforts of rogue operators
- who would attempt to add roles to
- @sysconfdir@/sudoers. When this option is
- present, @sysconfdir@/sudoers does not even
- need to exist. Since this option tells s\bsu\bud\bdo\bo
- how to behave when no specific LDAP entries
- have been matched, this sudoOption is only
- meaningful for the cn=defaults section. This
- flag is _\bo_\bf_\bf by default.
+ These tags override the value of the _\bs_\be_\bt_\be_\bn_\bv option on a
+ per-command basis. Note that if SETENV has been set for a
+ command, any environment variables set on the command line
+ way are not subject to the restrictions imposed by
+ _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such, only trusted
+ users should be allowed to set variables in this manner.
- closefrom_override
- If set, the user may use s\bsu\bud\bdo\bo's -\b-C\bC option
- which overrides the default starting point at
- which s\bsu\bud\bdo\bo begins closing open file descrip
- tors. This flag is _\bo_\bf_\bf by default.
+ W\bWi\bil\bld\bdc\bca\bar\brd\bds\bs
- I\bIn\bnt\bte\beg\bge\ber\brs\bs:
+ s\bsu\bud\bdo\bo allows shell-style _\bw_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs (aka meta or glob char-
+ acters) to be used in pathnames as well as command line
+ arguments in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. Wildcard matching is done
+ via the P\bPO\bOS\bSI\bIX\bX _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) routine. Note that these are _\bn_\bo_\bt
+ regular expressions.
- passwd_tries
- The number of tries a user gets to enter
- his/her password before s\bsu\bud\bdo\bo logs the failure
+ * Matches any set of zero or more characters.
+ ? Matches any single character.
+ [...] Matches any character in the specified range.
-1.7 June 23, 2007 9
+ [!...] Matches any character n\bno\bot\bt in the specified range.
+ \x For any character "x", evaluates to "x". This is
+ used to escape special characters such as: "*",
+ "?", "[", and "}".
+ Note that a forward slash ('/') will n\bno\bot\bt be matched by
+ wildcards used in the pathname. When matching the command
+ line arguments, however, a slash d\bdo\boe\bes\bs get matched by wild-
+ cards. This is to make a path like:
+ /usr/bin/*
+ match _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bw_\bh_\bo but not _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bX_\b1_\b1_\b/_\bx_\bt_\be_\br_\bm.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ E\bEx\bxc\bce\bep\bpt\bti\bio\bon\bns\bs t\bto\bo w\bwi\bil\bld\bdc\bca\bar\brd\bd r\bru\bul\ble\bes\bs
+ The following exceptions apply to the above rules:
- and exits. The default is 3.
+ "" If the empty string "" is the only command line
+ argument in the _\bs_\bu_\bd_\bo_\be_\br_\bs entry it means that com-
+ mand is not allowed to be run with a\ban\bny\by arguments.
- I\bIn\bnt\bte\beg\bge\ber\brs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
+ I\bIn\bnc\bcl\blu\bud\bdi\bin\bng\bg o\bot\bth\bhe\ber\br f\bfi\bil\ble\bes\bs f\bfr\bro\bom\bm w\bwi\bit\bth\bhi\bin\bn s\bsu\bud\bdo\boe\ber\brs\bs
- loglinelen Number of characters per line for the file
- log. This value is used to decide when to
- wrap lines for nicer log files. This has no
- effect on the syslog log file, only the file
- log. The default is 80 (use 0 or negate the
- option to disable word wrap).
+ It is possible to include other _\bs_\bu_\bd_\bo_\be_\br_\bs files from within
+ the _\bs_\bu_\bd_\bo_\be_\br_\bs file currently being parsed using the #include
+ directive, similar to the one used by the C preprocessor.
+ This is useful, for example, for keeping a site-wide _\bs_\bu_\bd_\bo_\b-
+ _\be_\br_\bs file in addition to a per-machine local one. For the
+ sake of this example the site-wide _\bs_\bu_\bd_\bo_\be_\br_\bs will be
- timestamp_timeout
- Number of minutes that can elapse before s\bsu\bud\bdo\bo
- will ask for a passwd again. The default is
- 5. Set this to 0 to always prompt for a pass
- word. If set to a value less than 0 the
- user's timestamp will never expire. This can
- be used to allow users to create or delete
- their own timestamps via sudo -v and sudo -k
- respectively.
-
- passwd_timeout
- Number of minutes before the s\bsu\bud\bdo\bo password
- prompt times out. The default is 5, set this
- to 0 for no password timeout.
-
- umask Umask to use when running the command. Negate
- this option or set it to 0777 to preserve the
- user's umask. The default is 0022.
-
- closefrom Before it executes a command, s\bsu\bud\bdo\bo will close
- all open file descriptors other than standard
- input, standard output and standard error (ie:
- file descriptors 0-2). The _\bc_\bl_\bo_\bs_\be_\bf_\br_\bo_\bm option
- can be used to specify a different file
- descriptor at which to start closing. The
- default is 3.
-
- setenv Allow the user to set additional environment
- variables from the command line. Note that
- variables set this way are not subject to the
- restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be,
- or _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt. As such, only trusted users
- should be allowed to set variables in this
- manner.
- S\bSt\btr\bri\bin\bng\bgs\bs:
- mailsub Subject of the mail sent to the _\bm_\ba_\bi_\bl_\bt_\bo user.
- The escape %h will expand to the hostname of
- the machine. Default is *** SECURITY informa
- tion for %h ***.
+1.7 August 15, 2007 7
-1.7 June 23, 2007 10
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs and the per-machine one will be _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b-
+ _\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. To include _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl from _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b-
+ _\be_\br_\bs we would use the following line in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs:
+ #include /etc/sudoers.local
+ When s\bsu\bud\bdo\bo reaches this line it will suspend processing of
+ the current file (_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs) and switch to _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b-
+ _\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. Upon reaching the end of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl,
+ the rest of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs will be processed. Files that
+ are included may themselves include other files. A hard
+ limit of 128 nested include files is enforced to prevent
+ include file loops.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ O\bOt\bth\bhe\ber\br s\bsp\bpe\bec\bci\bia\bal\bl c\bch\bha\bar\bra\bac\bct\bte\ber\brs\bs a\ban\bnd\bd r\bre\bes\bse\ber\brv\bve\bed\bd w\bwo\bor\brd\bds\bs
+ The pound sign ('#') is used to indicate a comment (unless
+ it is part of a #include directive or unless it occurs in
+ the context of a user name and is followed by one or more
+ digits, in which case it is treated as a uid). Both the
+ comment character and any text after it, up to the end of
+ the line, are ignored.
- badpass_message
- Message that is displayed if a user enters an
- incorrect password. The default is Sorry, try
- again. unless insults are enabled.
+ The reserved word A\bAL\bLL\bL is a built-in _\ba_\bl_\bi_\ba_\bs that always
+ causes a match to succeed. It can be used wherever one
+ might otherwise use a Cmnd_Alias, User_Alias, Runas_Alias,
+ or Host_Alias. You should not try to define your own
+ _\ba_\bl_\bi_\ba_\bs called A\bAL\bLL\bL as the built-in alias will be used in
+ preference to your own. Please note that using A\bAL\bLL\bL can be
+ dangerous since in a command context, it allows the user
+ to run a\ban\bny\by command on the system.
- timestampdir
- The directory in which s\bsu\bud\bdo\bo stores its times
- tamp files. The default is _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo.
+ An exclamation point ('!') can be used as a logical _\bn_\bo_\bt
+ operator both in an _\ba_\bl_\bi_\ba_\bs and in front of a Cmnd. This
+ allows one to exclude certain values. Note, however, that
+ using a ! in conjunction with the built-in ALL alias to
+ allow a user to run "all but a few" commands rarely works
+ as intended (see SECURITY NOTES below).
- timestampowner
- The owner of the timestamp directory and the
- timestamps stored therein. The default is
- root.
+ Long lines can be continued with a backslash ('\') as the
+ last character on the line.
- passprompt The default prompt to use when asking for a
- password; can be overridden via the -\b-p\bp option
- or the SUDO_PROMPT environment variable. The
- following percent (`%') escapes are supported:
+ Whitespace between elements in a list as well as special
+ syntactic characters in a _\bU_\bs_\be_\br _\bS_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn ('=', ':',
+ '(', ')') is optional.
- %u expanded to the invoking user's login
- name
+ The following characters must be escaped with a backslash
+ ('\') when used as part of a word (e.g. a username or
+ hostname): '@', '!', '=', ':', ',', '(', ')', '\'.
- %U expanded to the login name of the user
- the command will be run as (defaults
- to root)
+S\bSU\bUD\bDO\bOE\bER\bRS\bS O\bOP\bPT\bTI\bIO\bON\bNS\bS
+ s\bsu\bud\bdo\bo's behavior can be modified by Default_Entry lines, as
+ explained earlier. A list of all supported Defaults
+ parameters, grouped by type, are listed below.
- %h expanded to the local hostname without
- the domain name
- %H expanded to the local hostname includ
- ing the domain name (on if the
- machine's hostname is fully qualified
- or the _\bf_\bq_\bd_\bn option is set)
- %% two consecutive % characters are col
- lapsed into a single % character
+1.7 August 15, 2007 8
- The default value is Password:.
- runas_default
- The default user to run commands as if the -\b-u\bu
- flag is not specified on the command line.
- This defaults to root. Note that if
- _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt is set it m\bmu\bus\bst\bt occur before any
- Runas_Alias specifications.
- syslog_goodpri
- Syslog priority to use when user authenticates
- successfully. Defaults to notice.
- syslog_badpri
- Syslog priority to use when user authenticates
- unsuccessfully. Defaults to alert.
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ F\bFl\bla\bag\bgs\bs:
-1.7 June 23, 2007 11
+ always_set_home If set, s\bsu\bud\bdo\bo will set the HOME environment
+ variable to the home directory of the tar-
+ get user (which is root unless the -\b-u\bu
+ option is used). This effectively means
+ that the -\b-H\bH flag is always implied. This
+ flag is _\bo_\bf_\bf by default.
+ authenticate If set, users must authenticate themselves
+ via a password (or other means of authen-
+ tication) before they may run commands.
+ This default may be overridden via the
+ PASSWD and NOPASSWD tags. This flag is _\bo_\bn
+ by default.
+ closefrom_override
+ If set, the user may use s\bsu\bud\bdo\bo's -\b-C\bC option
+ which overrides the default starting point
+ at which s\bsu\bud\bdo\bo begins closing open file
+ descriptors. This flag is _\bo_\bf_\bf by default.
+ env_editor If set, v\bvi\bis\bsu\bud\bdo\bo will use the value of the
+ EDITOR or VISUAL environment variables
+ before falling back on the default editor
+ list. Note that this may create a secu-
+ rity hole as it allows the user to run any
+ arbitrary command as root without logging.
+ A safer alternative is to place a colon-
+ separated list of editors in the editor
+ variable. v\bvi\bis\bsu\bud\bdo\bo will then only use the
+ EDITOR or VISUAL if they match a value
+ specified in editor. This flag is _\bo_\bf_\bf by
+ default.
+ env_reset If set, s\bsu\bud\bdo\bo will reset the environment to
+ only contain the LOGNAME, SHELL, USER,
+ USERNAME and the SUDO_* variables. Any
+ variables in the caller's environment that
+ match the env_keep and env_check lists are
+ then added. The default contents of the
+ env_keep and env_check lists are displayed
+ when s\bsu\bud\bdo\bo is run by root with the _\b-_\bV
+ option. If the _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh option is set,
+ its value will be used for the PATH envi-
+ ronment variable. This flag is _\bo_\bn by
+ default.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ fqdn Set this flag if you want to put fully
+ qualified hostnames in the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
+ I.e., instead of myhost you would use
+ myhost.mydomain.edu. You may still use
+ the short form if you wish (and even mix
+ the two). Beware that turning on _\bf_\bq_\bd_\bn
- editor A colon (':') separated list of editors
- allowed to be used with v\bvi\bis\bsu\bud\bdo\bo. v\bvi\bis\bsu\bud\bdo\bo will
- choose the editor that matches the user's EDI
- TOR environment variable if possible, or the
- first editor in the list that exists and is
- executable. The default is the path to vi on
- your system.
- noexec_file Path to a shared library containing dummy ver
- sions of the _\be_\bx_\be_\bc_\bv_\b(_\b), _\be_\bx_\be_\bc_\bv_\be_\b(_\b) and _\bf_\be_\bx_\be_\bc_\bv_\be_\b(_\b)
- library functions that just return an error.
- This is used to implement the _\bn_\bo_\be_\bx_\be_\bc function
- ality on systems that support LD_PRELOAD or
- its equivalent. Defaults to
- _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc_\b/_\bs_\bu_\bd_\bo_\b__\bn_\bo_\be_\bx_\be_\bc.
+1.7 August 15, 2007 9
- S\bSt\btr\bri\bin\bng\bgs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
- lecture This option controls when a short lecture will
- be printed along with the password prompt. It
- has the following possible values:
- never Never lecture the user.
- once Only lecture the user the first time
- they run s\bsu\bud\bdo\bo.
- always Always lecture the user.
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- If no value is specified, a value of _\bo_\bn_\bc_\be is
- implied. Negating the option results in a
- value of _\bn_\be_\bv_\be_\br being used. The default value
- is _\bo_\bn_\bc_\be.
- lecture_file
- Path to a file containing an alternate s\bsu\bud\bdo\bo
- lecture that will be used in place of the
- standard lecture if the named file exists.
+ requires s\bsu\bud\bdo\bo to make DNS lookups which
+ may make s\bsu\bud\bdo\bo unusable if DNS stops work-
+ ing (for example if the machine is not
+ plugged into the network). Also note that
+ you must use the host's official name as
+ DNS knows it. That is, you may not use a
+ host alias (CNAME entry) due to perfor-
+ mance issues and the fact that there is no
+ way to get all aliases from DNS. If your
+ machine's hostname (as returned by the
+ hostname command) is already fully quali-
+ fied you shouldn't need to set _\bf_\bq_\bd_\bn. This
+ flag is _\bo_\bf_\bf by default.
+
+ ignore_dot If set, s\bsu\bud\bdo\bo will ignore '.' or '' (cur-
+ rent dir) in the PATH environment vari-
+ able; the PATH itself is not modified.
+ This flag is _\bo_\bf_\bf by default.
- logfile Path to the s\bsu\bud\bdo\bo log file (not the syslog log
- file). Setting a path turns on logging to a
- file; negating this option turns it off.
+ ignore_local_sudoers
+ If set via LDAP, parsing of
+ @sysconfdir@/sudoers will be skipped.
+ This is intended for Enterprises that wish
+ to prevent the usage of local sudoers
+ files so that only LDAP is used. This
+ thwarts the efforts of rogue operators who
+ would attempt to add roles to
+ @sysconfdir@/sudoers. When this option is
+ present, @sysconfdir@/sudoers does not
+ even need to exist. Since this option
+ tells s\bsu\bud\bdo\bo how to behave when no specific
+ LDAP entries have been matched, this
+ sudoOption is only meaningful for the
+ cn=defaults section. This flag is _\bo_\bf_\bf by
+ default.
- syslog Syslog facility if syslog is being used for
- logging (negate to disable syslog logging).
- Defaults to local2.
+ insults If set, s\bsu\bud\bdo\bo will insult users when they
+ enter an incorrect password. This flag is
+ _\bo_\bf_\bf by default.
- mailerpath Path to mail program used to send warning
- mail. Defaults to the path to sendmail found
- at configure time.
+ log_host If set, the hostname will be logged in the
+ (non-syslog) s\bsu\bud\bdo\bo log file. This flag is
+ _\bo_\bf_\bf by default.
- mailerflags Flags to use when invoking mailer. Defaults to
- -\b-t\bt.
+ log_year If set, the four-digit year will be logged
+ in the (non-syslog) s\bsu\bud\bdo\bo log file. This
+ flag is _\bo_\bf_\bf by default.
+ long_otp_prompt When validating with a One Time Password
+ (OPT) scheme such as S\bS/\b/K\bKe\bey\by or O\bOP\bPI\bIE\bE, a two-
+ line prompt is used to make it easier to
+ cut and paste the challenge to a local
+ window. It's not as pretty as the default
+ but some people find it more convenient.
-1.7 June 23, 2007 12
+1.7 August 15, 2007 10
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
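Review bot: the new long_otp_prompt entry mistypes the acronym, "One Time Password (OPT) scheme" should read "(OTP)" to match the option name, and the new ignore_local_sudoers entry capitalizes "Enterprises" mid-sentence; both should be fixed before this revision of the page ships. The ignore_local_sudoers text is otherwise precise about scope (it only takes effect when set via LDAP in the cn=defaults section, and @sysconfdir@/sudoers then need not exist), and the fqdn entry correctly warns that enabling it makes sudo depend on DNS lookups and that CNAME aliases cannot be used, which is the caveat an administrator needs before turning it on.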
- mailto Address to send warning and error mail to.
- The address should be enclosed in double
- quotes (") to protect against s\bsu\bud\bdo\bo interpret
- ing the @ sign. Defaults to root.
+ This flag is _\bo_\bf_\bf by default.
- exempt_group
- Users in this group are exempt from password
- and PATH requirements. This is not set by
- default.
+ mail_always Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user every time a
+ users runs s\bsu\bud\bdo\bo. This flag is _\bo_\bf_\bf by
+ default.
- secure_path Path used for every command run from s\bsu\bud\bdo\bo. If
- you don't trust the people running s\bsu\bud\bdo\bo to
- have a sane PATH environment variable you may
- want to use this. Another use is if you want
- to have the "root path" be separate from the
- "user path." Users in the group specified by
- the _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option are not affected by
- _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh. This is not set by default.
+ mail_badpass Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user if the user
+ running s\bsu\bud\bdo\bo does not enter the correct
+ password. This flag is _\bo_\bf_\bf by default.
- verifypw This option controls when a password will be
- required when a user runs s\bsu\bud\bdo\bo with the -\b-v\bv
- flag. It has the following possible values:
+ mail_no_host If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo
+ user if the invoking user exists in the
+ _\bs_\bu_\bd_\bo_\be_\br_\bs file, but is not allowed to run
+ commands on the current host. This flag
+ is _\bo_\bf_\bf by default.
- all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the
- current host must have the NOPASSWD
- flag set to avoid entering a password.
+ mail_no_perms If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo
+ user if the invoking user is allowed to
+ use s\bsu\bud\bdo\bo but the command they are trying
+ is not listed in their _\bs_\bu_\bd_\bo_\be_\br_\bs file entry
+ or is explicitly denied. This flag is _\bo_\bf_\bf
+ by default.
- any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs
- entries for the current host must have
- the NOPASSWD flag set to avoid enter
- ing a password.
+ mail_no_user If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo
+ user if the invoking user is not in the
+ _\bs_\bu_\bd_\bo_\be_\br_\bs file. This flag is _\bo_\bn by default.
- never The user need never enter a password
- to use the -\b-v\bv flag.
+ noexec If set, all commands run via s\bsu\bud\bdo\bo will
+ behave as if the NOEXEC tag has been set,
+ unless overridden by a EXEC tag. See the
+ description of _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC below as
+ well as the "PREVENTING SHELL ESCAPES"
+ section at the end of this manual. This
+ flag is _\bo_\bf_\bf by default.
- always The user must always enter a password
- to use the -\b-v\bv flag.
+ path_info Normally, s\bsu\bud\bdo\bo will tell the user when a
+ command could not be found in their PATH
+ environment variable. Some sites may wish
+ to disable this as it could be used to
+ gather information on the location of exe-
+ cutables that the normal user does not
+ have access to. The disadvantage is that
+ if the executable is simply not in the
+ user's PATH, s\bsu\bud\bdo\bo will tell the user that
+ they are not allowed to run it, which can
+ be confusing. This flag is _\bo_\bn by default.
- If no value is specified, a value of _\ba_\bl_\bl is
- implied. Negating the option results in a
- value of _\bn_\be_\bv_\be_\br being used. The default value
- is _\ba_\bl_\bl.
+ preserve_groups By default s\bsu\bud\bdo\bo will initialize the group
+ vector to the list of groups the target
+ user is in. When _\bp_\br_\be_\bs_\be_\br_\bv_\be_\b__\bg_\br_\bo_\bu_\bp_\bs is set,
+ the user's existing group vector is left
+ unaltered. The real and effective group
+ IDs, however, are still set to match the
+ target user. This flag is _\bo_\bf_\bf by default.
- listpw This option controls when a password will be
- required when a user runs s\bsu\bud\bdo\bo with the -\b-l\bl
- flag. It has the following possible values:
-
- all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the
- current host must have the NOPASSWD
- flag set to avoid entering a password.
-
- any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs
- entries for the current host must have
- the NOPASSWD flag set to avoid
-
-1.7 June 23, 2007 13
+1.7 August 15, 2007 11
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
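Review bot: two grammar slips in the added option text: mail_always reads "every time a users runs sudo" (should be "a user runs"), and noexec reads "unless overridden by a EXEC tag" (should be "an EXEC tag"). The noexec entry is otherwise right to defer to the NOEXEC and EXEC tag description and the "PREVENTING SHELL ESCAPES" section instead of restating the mechanism, since the noexec_file entry already documents that the dummy execv(), execve() and fexecve() library only applies on systems that support LD_PRELOAD or its equivalent; the path_info entry also states the information-disclosure trade-off (revealing executable locations versus a confusing "not allowed" message) clearly enough to stand as written.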
- entering a password.
+ requiretty If set, s\bsu\bud\bdo\bo will only run when the user
+ is logged in to a real tty. This will
+ disallow things like "rsh somehost sudo
+ ls" since _\br_\bs_\bh(1) does not allocate a tty.
+ Because it is not possible to turn off
+ echo when there is no tty present, some
+ sites may wish to set this flag to prevent
+ a user from entering a visible password.
+ This flag is _\bo_\bf_\bf by default.
+
+ root_sudo If set, root is allowed to run s\bsu\bud\bdo\bo too.
+ Disabling this prevents users from "chain-
+ ing" s\bsu\bud\bdo\bo commands to get a root shell by
+ doing something like "sudo sudo /bin/sh".
+ Note, however, that turning off _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo
+ will also prevent root and from running
+ s\bsu\bud\bdo\boe\bed\bdi\bit\bt. Disabling _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo provides no
+ real additional security; it exists purely
+ for historical reasons. This flag is _\bo_\bn
+ by default.
+
+ rootpw If set, s\bsu\bud\bdo\bo will prompt for the root
+ password instead of the password of the
+ invoking user. This flag is _\bo_\bf_\bf by
+ default.
+
+ runaspw If set, s\bsu\bud\bdo\bo will prompt for the password
+ of the user defined by the _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt
+ option (defaults to root) instead of the
+ password of the invoking user. This flag
+ is _\bo_\bf_\bf by default.
+
+ set_home If set and s\bsu\bud\bdo\bo is invoked with the -\b-s\bs
+ flag the HOME environment variable will be
+ set to the home directory of the target
+ user (which is root unless the -\b-u\bu option
+ is used). This effectively makes the -\b-s\bs
+ flag imply -\b-H\bH. This flag is _\bo_\bf_\bf by
+ default.
+
+ set_logname Normally, s\bsu\bud\bdo\bo will set the LOGNAME, USER
+ and USERNAME environment variables to the
+ name of the target user (usually root
+ unless the -\b-u\bu flag is given). However,
+ since some programs (including the RCS
+ revision control system) use LOGNAME to
+ determine the real identity of the user,
+ it may be desirable to change this behav-
+ ior. This can be done by negating the
+ set_logname option. Note that if the
+ _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option has not been disabled,
+ entries in the _\be_\bn_\bv_\b__\bk_\be_\be_\bp list will override
+ the value of _\bs_\be_\bt_\b__\bl_\bo_\bg_\bn_\ba_\bm_\be. This flag is
+ _\bo_\bf_\bf by default.
+
+
+
+1.7 August 15, 2007 12
- never The user need never enter a password
- to use the -\b-l\bl flag.
- always The user must always enter a password
- to use the -\b-l\bl flag.
- If no value is specified, a value of _\ba_\bn_\by is
- implied. Negating the option results in a
- value of _\bn_\be_\bv_\be_\br being used. The default value
- is _\ba_\bn_\by.
- L\bLi\bis\bst\bts\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
- env_check Environment variables to be removed from the
- user's environment if the variable's value
- contains % or / characters. This can be used
- to guard against printf-style format vulnera
- bilities in poorly-written programs. The
- argument may be a double-quoted, space-sepa
- rated list or a single value without dou
- ble-quotes. The list can be replaced, added
- to, deleted from, or disabled by using the =,
- +=, -=, and ! operators respectively. Regard
- less of whether the env_reset option is
- enabled or disabled, variables specified by
- env_check will be preserved in the environment
- if they pass the aforementioned check. The
- default list of environment variables to check
- is displayed when s\bsu\bud\bdo\bo is run by root with the
- _\b-_\bV option.
-
- env_delete Environment variables to be removed from the
- user's environment. The argument may be a
- double-quoted, space-separated list or a sin
- gle value without double-quotes. The list can
- be replaced, added to, deleted from, or dis
- abled by using the =, +=, -=, and ! operators
- respectively. The default list of environment
- variables to remove is displayed when s\bsu\bud\bdo\bo is
- run by root with the _\b-_\bV option. Note that
- many operating systems will remove potentially
- dangerous variables from the environment of
- any setuid process (such as s\bsu\bud\bdo\bo).
-
- env_keep Environment variables to be preserved in the
- user's environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option
- is in effect. This allows fine-grained con
- trol over the environment s\bsu\bud\bdo\bo-spawned pro
- cesses will receive. The argument may be a
- double-quoted, space-separated list or a sin
- gle value without double-quotes. The list can
- be replaced, added to, deleted from, or
-
-
-
-1.7 June 23, 2007 14
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ setenv Allow the user to disable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt
+ option from the command line. Addition-
+ ally, environment variables set via the
+ command line are not subject to the
+ restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk,
+ _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such, only
+ trusted users should be allowed to set
+ variables in this manner. This flag is
+ _\bo_\bf_\bf by default.
+
+ shell_noargs If set and s\bsu\bud\bdo\bo is invoked with no argu-
+ ments it acts as if the -\b-s\bs flag had been
+ given. That is, it runs a shell as root
+ (the shell is determined by the SHELL
+ environment variable if it is set, falling
+ back on the shell listed in the invoking
+ user's /etc/passwd entry if not). This
+ flag is _\bo_\bf_\bf by default.
+
+ stay_setuid Normally, when s\bsu\bud\bdo\bo executes a command the
+ real and effective UIDs are set to the
+ target user (root by default). This
+ option changes that behavior such that the
+ real UID is left as the invoking user's
+ UID. In other words, this makes s\bsu\bud\bdo\bo act
+ as a setuid wrapper. This can be useful
+ on systems that disable some potentially
+ dangerous functionality when a program is
+ run setuid. This option is only effective
+ on systems with either the _\bs_\be_\bt_\br_\be_\bu_\bi_\bd_\b(_\b) or
+ _\bs_\be_\bt_\br_\be_\bs_\bu_\bi_\bd_\b(_\b) function. This flag is _\bo_\bf_\bf by
+ default.
+
+ targetpw If set, s\bsu\bud\bdo\bo will prompt for the password
+ of the user specified by the -\b-u\bu flag
+ (defaults to root) instead of the password
+ of the invoking user. Note that this pre-
+ cludes the use of a uid not listed in the
+ passwd database as an argument to the -\b-u\bu
+ flag. This flag is _\bo_\bf_\bf by default.
+
+ tty_tickets If set, users must authenticate on a per-
+ tty basis. Normally, s\bsu\bud\bdo\bo uses a direc-
+ tory in the ticket dir with the same name
+ as the user running it. With this flag
+ enabled, s\bsu\bud\bdo\bo will use a file named for
+ the tty the user is logged in on in that
+ directory. This flag is _\bo_\bf_\bf by default.
+
+ use_loginclass If set, s\bsu\bud\bdo\bo will apply the defaults spec-
+ ified for the target user's login class if
+ one exists. Only available if s\bsu\bud\bdo\bo is
+ configured with the --with-logincap
+ option. This flag is _\bo_\bf_\bf by default.
+
+
+
+1.7 August 15, 2007 13
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- disabled by using the =, +=, -=, and ! opera
- tors respectively. The default list of vari
- ables to keep is displayed when s\bsu\bud\bdo\bo is run by
- root with the _\b-_\bV option.
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- When logging via _\bs_\by_\bs_\bl_\bo_\bg(3), s\bsu\bud\bdo\bo accepts the following
- values for the syslog facility (the value of the s\bsy\bys\bsl\blo\bog\bg
- Parameter): a\bau\but\bth\bhp\bpr\bri\biv\bv (if your OS supports it), a\bau\but\bth\bh, d\bda\bae\be\b
- m\bmo\bon\bn, u\bus\bse\ber\br, l\blo\boc\bca\bal\bl0\b0, l\blo\boc\bca\bal\bl1\b1, l\blo\boc\bca\bal\bl2\b2, l\blo\boc\bca\bal\bl3\b3, l\blo\boc\bca\bal\bl4\b4, l\blo\boc\bca\bal\bl5\b5,
- l\blo\boc\bca\bal\bl6\b6, and l\blo\boc\bca\bal\bl7\b7. The following syslog priorities are
- supported: a\bal\ble\ber\brt\bt, c\bcr\bri\bit\bt, d\bde\beb\bbu\bug\bg, e\bem\bme\ber\brg\bg, e\ber\brr\br, i\bin\bnf\bfo\bo, n\bno\bot\bti\bic\bce\be,
- and w\bwa\bar\brn\bni\bin\bng\bg.
- U\bUs\bse\ber\br S\bSp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn
+ I\bIn\bnt\bte\beg\bge\ber\brs\bs:
- User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
- (':' Host_List '=' Cmnd_Spec_List)*
+ closefrom Before it executes a command, s\bsu\bud\bdo\bo will
+ close all open file descriptors other than
+ standard input, standard output and stan-
+ dard error (ie: file descriptors 0-2).
+ The _\bc_\bl_\bo_\bs_\be_\bf_\br_\bo_\bm option can be used to spec-
+ ify a different file descriptor at which
+ to start closing. The default is 3.
- Cmnd_Spec_List ::= Cmnd_Spec |
- Cmnd_Spec ',' Cmnd_Spec_List
+ passwd_tries The number of tries a user gets to enter
+ his/her password before s\bsu\bud\bdo\bo logs the
+ failure and exits. The default is 3.
- Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
+ I\bIn\bnt\bte\beg\bge\ber\brs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
- Runas_Spec ::= '(' Runas_List ')'
+ loglinelen Number of characters per line for the file
+ log. This value is used to decide when to
+ wrap lines for nicer log files. This has
+ no effect on the syslog log file, only the
+ file log. The default is 80 (use 0 or
+ negate the option to disable word wrap).
- Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
- 'SETENV:' | 'NOSETENV:' | 'MONITOR:' | 'NOMONITOR:')
+ passwd_timeout Number of minutes before the s\bsu\bud\bdo\bo password
+ prompt times out. The default is 5; set
+ this to 0 for no password timeout.
- A u\bus\bse\ber\br s\bsp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn determines which commands a user may
- run (and as what user) on specified hosts. By default,
- commands are run as r\bro\boo\bot\bt, but this can be changed on a
- per-command basis.
+ timestamp_timeout
+ Number of minutes that can elapse before
+ s\bsu\bud\bdo\bo will ask for a passwd again. The
+ default is 5. Set this to 0 to always
+ prompt for a password. If set to a value
+ less than 0 the user's timestamp will
+ never expire. This can be used to allow
+ users to create or delete their own times-
+ tamps via sudo -v and sudo -k respec-
+ tively.
+
+ umask Umask to use when running the command.
+ Negate this option or set it to 0777 to
+ preserve the user's umask. The default is
+ 0022.
- Let's break that down into its constituent parts:
+ S\bSt\btr\bri\bin\bng\bgs\bs:
- R\bRu\bun\bna\bas\bs_\b_S\bSp\bpe\bec\bc
+ badpass_message Message that is displayed if a user enters
+ an incorrect password. The default is
+ Sorry, try again. unless insults are
+ enabled.
- A Runas_Spec is simply a Runas_List (as defined above)
- enclosed in a set of parentheses. If you do not specify a
- Runas_Spec in the user specification, a default Runas_Spec
- of r\bro\boo\bot\bt will be used. A Runas_Spec sets the default for
- commands that follow it. What this means is that for the
- entry:
+ editor A colon (':') separated list of editors
+ allowed to be used with v\bvi\bis\bsu\bud\bdo\bo. v\bvi\bis\bsu\bud\bdo\bo
+ will choose the editor that matches the
+ user's EDITOR environment variable if
- dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
- The user d\bdg\bgb\bb may run _\b/_\bb_\bi_\bn_\b/_\bl_\bs, _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm
- -- but only as o\bop\bpe\ber\bra\bat\bto\bor\br. E.g.,
- $ sudo -u operator /bin/ls.
+1.7 August 15, 2007 14
- It is also possible to override a Runas_Spec later on in
- an entry. If we modify the entry like so:
-1.7 June 23, 2007 15
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ possible, or the first editor in the list
+ that exists and is executable. The
+ default is the path to vi on your system.
+ mailsub Subject of the mail sent to the _\bm_\ba_\bi_\bl_\bt_\bo
+ user. The escape %h will expand to the
+ hostname of the machine. Default is ***
+ SECURITY information for %h ***.
+ noexec_file Path to a shared library containing dummy
+ versions of the _\be_\bx_\be_\bc_\bv_\b(_\b), _\be_\bx_\be_\bc_\bv_\be_\b(_\b) and _\bf_\be_\bx_\b-
+ _\be_\bc_\bv_\be_\b(_\b) library functions that just return
+ an error. This is used to implement the
+ _\bn_\bo_\be_\bx_\be_\bc functionality on systems that sup-
+ port LD_PRELOAD or its equivalent.
+ Defaults to
+ _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc_\b/_\bs_\bu_\bd_\bo_\b__\bn_\bo_\be_\bx_\be_\bc.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ passprompt The default prompt to use when asking for
+ a password; can be overridden via the -\b-p\bp
+ option or the SUDO_PROMPT environment
+ variable. The following percent (`%')
+ escapes are supported:
+ %H expanded to the local hostname includ-
+ ing the domain name (on if the
+ machine's hostname is fully qualified
+ or the _\bf_\bq_\bd_\bn option is set)
- dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
+ %h expanded to the local hostname without
+ the domain name
- Then user d\bdg\bgb\bb is now allowed to run _\b/_\bb_\bi_\bn_\b/_\bl_\bs as o\bop\bpe\ber\bra\bat\bto\bor\br,
- but _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as r\bro\boo\bot\bt.
+ %U expanded to the login name of the user
+ the command will be run as (defaults
+ to root)
- T\bTa\bag\bg_\b_S\bSp\bpe\bec\bc
+ %u expanded to the invoking user's login
+ name
- A command may have zero or more tags associated with it.
- There are eight possible tag values, NOPASSWD, PASSWD,
- NOEXEC, EXEC, SETENV, NOSETENV, MONITOR and NOMONITOR.
- Once a tag is set on a Cmnd, subsequent Cmnds in the
- Cmnd_Spec_List, inherit the tag unless it is overridden by
- the opposite tag (i.e.: PASSWD overrides NOPASSWD and
- NOEXEC overrides EXEC).
+ %% two consecutive % characters are col-
+ lapsed into a single % character
- _\bN_\bO_\bP_\bA_\bS_\bS_\bW_\bD _\ba_\bn_\bd _\bP_\bA_\bS_\bS_\bW_\bD
+ The default value is Password:.
- By default, s\bsu\bud\bdo\bo requires that a user authenticate him or
- herself before running a command. This behavior can be
- modified via the NOPASSWD tag. Like a Runas_Spec, the
- NOPASSWD tag sets a default for the commands that follow
- it in the Cmnd_Spec_List. Conversely, the PASSWD tag can
- be used to reverse things. For example:
+ runas_default The default user to run commands as if the
+ -\b-u\bu flag is not specified on the command
+ line. This defaults to root. Note that
+ if _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt is set it m\bmu\bus\bst\bt occur
+ before any Runas_Alias specifications.
- ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
+ syslog_badpri Syslog priority to use when user authenti-
+ cates unsuccessfully. Defaults to alert.
- would allow the user r\bra\bay\by to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, _\b/_\bb_\bi_\bn_\b/_\bl_\bs, and
- _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as root on the machine rushmore as r\bro\boo\bot\bt
- without authenticating himself. If we only want r\bra\bay\by to be
- able to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl without a password the entry would
- be:
+ syslog_goodpri Syslog priority to use when user
- ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
- Note, however, that the PASSWD tag has no effect on users
- who are in the group specified by the _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option.
- By default, if the NOPASSWD tag is applied to any of the
- entries for a user on the current host, he or she will be
- able to run sudo -l without a password. Additionally, a
- user may only run sudo -v without a password if the
- NOPASSWD tag is present for all a user's entries that per
- tain to the current host. This behavior may be overridden
- via the verifypw and listpw options.
+1.7 August 15, 2007 15
- _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC
- If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the
- underlying operating system supports it, the NOEXEC tag
- can be used to prevent a dynamically-linked executable
- from running further commands itself.
- In the following example, user a\baa\bar\bro\bon\bn may run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be
- and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi but shell escapes will be disabled.
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-1.7 June 23, 2007 16
+ authenticates successfully. Defaults to
+ notice.
+ timestampdir The directory in which s\bsu\bud\bdo\bo stores its
+ timestamp files. The default is
+ _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo.
+ timestampowner The owner of the timestamp directory and
+ the timestamps stored therein. The
+ default is root.
+ S\bSt\btr\bri\bin\bng\bgs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ exempt_group
+ Users in this group are exempt from password
+ and PATH requirements. This is not set by
+ default.
+ lecture This option controls when a short lecture will
+ be printed along with the password prompt. It
+ has the following possible values:
- aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+ always Always lecture the user.
- See the "PREVENTING SHELL ESCAPES" section below for more
- details on how NOEXEC works and whether or not it will
- work on your system.
+ never Never lecture the user.
- _\bS_\bE_\bT_\bE_\bN_\bV _\ba_\bn_\bd _\bN_\bO_\bS_\bE_\bT_\bE_\bN_\bV
+ once Only lecture the user the first time
+ they run s\bsu\bud\bdo\bo.
- These tags override the value of the _\bs_\be_\bt_\be_\bn_\bv option on a
- per-command basis. Note that environment variables set on
- the command line way are not subject to the restrictions
- imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt. As such,
- only trusted users should be allowed to set variables in
- this manner.
+ If no value is specified, a value of _\bo_\bn_\bc_\be is
+ implied. Negating the option results in a
+ value of _\bn_\be_\bv_\be_\br being used. The default value
+ is _\bo_\bn_\bc_\be.
- _\bM_\bO_\bN_\bI_\bT_\bO_\bR _\ba_\bn_\bd _\bN_\bO_\bM_\bO_\bN_\bI_\bT_\bO_\bR
+ lecture_file
+ Path to a file containing an alternate s\bsu\bud\bdo\bo
+ lecture that will be used in place of the
+ standard lecture if the named file exists. By
+ default, s\bsu\bud\bdo\bo uses a built-in lecture.
- If s\bsu\bud\bdo\bo has been configured with the --with-systrace
- option, the MONITOR tag can be used to cause programs
- spawned by a command to be checked against _\bs_\bu_\bd_\bo_\be_\br_\bs and
- logged just like they would be if run through s\bsu\bud\bdo\bo
- directly. This is useful in conjunction with commands
- that allow shell escapes such as editors, shells and pagi
- nators.
+ listpw This option controls when a password will be
+ required when a user runs s\bsu\bud\bdo\bo with the -\b-l\bl
+ flag. It has the following possible values:
- In the following example, user c\bch\bhu\buc\bck\bk may run any command
- on the machine research in monitor mode.
+ all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the
+ current host must have the NOPASSWD
+ flag set to avoid entering a password.
- chuck research = MONITOR: ALL
+ always The user must always enter a password
+ to use the -\b-l\bl flag.
- See the "PREVENTING SHELL ESCAPES" section below for more
- details on how MONITOR works and whether or not it will
- work on your system.
+ any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs
+ entries for the current host must have
+ the NOPASSWD flag set to avoid
- W\bWi\bil\bld\bdc\bca\bar\brd\bds\bs
- s\bsu\bud\bdo\bo allows shell-style _\bw_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs (aka meta or glob char
- acters) to be used in pathnames as well as command line
- arguments in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. Wildcard matching is done
- via the P\bPO\bOS\bSI\bIX\bX _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) routine. Note that these are _\bn_\bo_\bt
- regular expressions.
- * Matches any set of zero or more characters.
+1.7 August 15, 2007 16
- ? Matches any single character.
- [...] Matches any character in the specified range.
- [!...] Matches any character n\bno\bot\bt in the specified range.
- \x For any character "x", evaluates to "x". This is
- used to escape special characters such as: "*",
- "?", "[", and "}".
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ entering a password.
-1.7 June 23, 2007 17
+ never The user need never enter a password
+ to use the -\b-l\bl flag.
+ If no value is specified, a value of _\ba_\bn_\by is
+ implied. Negating the option results in a
+ value of _\bn_\be_\bv_\be_\br being used. The default value
+ is _\ba_\bn_\by.
+ logfile Path to the s\bsu\bud\bdo\bo log file (not the syslog log
+ file). Setting a path turns on logging to a
+ file; negating this option turns it off. By
+ default, s\bsu\bud\bdo\bo logs via syslog.
+ mailerflags Flags to use when invoking mailer. Defaults to
+ -\b-t\bt.
+ mailerpath Path to mail program used to send warning
+ mail. Defaults to the path to sendmail found
+ at configure time.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ mailto Address to send warning and error mail to.
+ The address should be enclosed in double
+ quotes (") to protect against s\bsu\bud\bdo\bo interpret-
+ ing the @ sign. Defaults to root.
+ secure_path Path used for every command run from s\bsu\bud\bdo\bo. If
+ you don't trust the people running s\bsu\bud\bdo\bo to
+ have a sane PATH environment variable you may
+ want to use this. Another use is if you want
+ to have the "root path" be separate from the
+ "user path." Users in the group specified by
+ the _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option are not affected by
+ _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh. This is not set by default.
- Note that a forward slash ('/') will n\bno\bot\bt be matched by
- wildcards used in the pathname. When matching the command
- line arguments, however, a slash d\bdo\boe\bes\bs get matched by wild
- cards. This is to make a path like:
+ syslog Syslog facility if syslog is being used for
+ logging (negate to disable syslog logging).
+ Defaults to local2.
- /usr/bin/*
+ verifypw This option controls when a password will be
+ required when a user runs s\bsu\bud\bdo\bo with the -\b-v\bv
+ flag. It has the following possible values:
- match _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bw_\bh_\bo but not _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bX_\b1_\b1_\b/_\bx_\bt_\be_\br_\bm.
+ all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the
+ current host must have the NOPASSWD
+ flag set to avoid entering a password.
- E\bEx\bxc\bce\bep\bpt\bti\bio\bon\bns\bs t\bto\bo w\bwi\bil\bld\bdc\bca\bar\brd\bd r\bru\bul\ble\bes\bs
+ always The user must always enter a password
+ to use the -\b-v\bv flag.
- The following exceptions apply to the above rules:
+ any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs
+ entries for the current host must have
+ the NOPASSWD flag set to avoid
- "" If the empty string "" is the only command line
- argument in the _\bs_\bu_\bd_\bo_\be_\br_\bs entry it means that com
- mand is not allowed to be run with a\ban\bny\by arguments.
- I\bIn\bnc\bcl\blu\bud\bdi\bin\bng\bg o\bot\bth\bhe\ber\br f\bfi\bil\ble\bes\bs f\bfr\bro\bom\bm w\bwi\bit\bth\bhi\bin\bn s\bsu\bud\bdo\boe\ber\brs\bs
- It is possible to include other _\bs_\bu_\bd_\bo_\be_\br_\bs files from within
- the _\bs_\bu_\bd_\bo_\be_\br_\bs file currently being parsed using the #include
- directive, similar to the one used by the C preprocessor.
- This is useful, for example, for keeping a site-wide _\bs_\bu_\bd_\bo_\b
- _\be_\br_\bs file in addition to a per-machine local one. For the
- sake of this example the site-wide _\bs_\bu_\bd_\bo_\be_\br_\bs will be
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs and the per-machine one will be _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b
- _\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. To include _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl from _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b
- _\be_\br_\bs we would use the following line in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs:
+1.7 August 15, 2007 17
- #include /etc/sudoers.local
- When s\bsu\bud\bdo\bo reaches this line it will suspend processing of
- the current file (_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs) and switch to _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b
- _\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. Upon reaching the end of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl,
- the rest of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs will be processed. Files that
- are included may themselves include other files. A hard
- limit of 128 nested include files is enforced to prevent
- include file loops.
- O\bOt\bth\bhe\ber\br s\bsp\bpe\bec\bci\bia\bal\bl c\bch\bha\bar\bra\bac\bct\bte\ber\brs\bs a\ban\bnd\bd r\bre\bes\bse\ber\brv\bve\bed\bd w\bwo\bor\brd\bds\bs
- The pound sign ('#') is used to indicate a comment (unless
- it is part of a #include directive or unless it occurs in
- the context of a user name and is followed by one or more
- digits, in which case it is treated as a uid). Both the
- comment character and any text after it, up to the end of
- the line, are ignored.
- The reserved word A\bAL\bLL\bL is a built-in _\ba_\bl_\bi_\ba_\bs that always
- causes a match to succeed. It can be used wherever one
- might otherwise use a Cmnd_Alias, User_Alias, Runas_Alias,
- or Host_Alias. You should not try to define your own
- _\ba_\bl_\bi_\ba_\bs called A\bAL\bLL\bL as the built-in alias will be used in
- preference to your own. Please note that using A\bAL\bLL\bL can be
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ entering a password.
-1.7 June 23, 2007 18
+ never The user need never enter a password
+ to use the -\b-v\bv flag.
+ If no value is specified, a value of _\ba_\bl_\bl is
+ implied. Negating the option results in a
+ value of _\bn_\be_\bv_\be_\br being used. The default value
+ is _\ba_\bl_\bl.
+ L\bLi\bis\bst\bts\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
+ env_check Environment variables to be removed from
+ the user's environment if the variable's
+ value contains % or / characters. This
+ can be used to guard against printf-style
+ format vulnerabilities in poorly-written
+ programs. The argument may be a dou-
+ ble-quoted, space-separated list or a sin-
+ gle value without double-quotes. The list
+ can be replaced, added to, deleted from,
+ or disabled by using the =, +=, -=, and !
+ operators respectively. Regardless of
+ whether the env_reset option is enabled or
+ disabled, variables specified by env_check
+ will be preserved in the environment if
+ they pass the aforementioned check. The
+ default list of environment variables to
+ check is displayed when s\bsu\bud\bdo\bo is run by
+ root with the _\b-_\bV option.
+
+ env_delete Environment variables to be removed from
+ the user's environment. The argument may
+ be a double-quoted, space-separated list
+ or a single value without double-quotes.
+ The list can be replaced, added to,
+ deleted from, or disabled by using the =,
+ +=, -=, and ! operators respectively. The
+ default list of environment variables to
+ remove is displayed when s\bsu\bud\bdo\bo is run by
+ root with the _\b-_\bV option. Note that many
+ operating systems will remove potentially
+ dangerous variables from the environment
+ of any setuid process (such as s\bsu\bud\bdo\bo).
+
+ env_keep Environment variables to be preserved in
+ the user's environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt
+ option is in effect. This allows fine-
+ grained control over the environment
+ s\bsu\bud\bdo\bo-spawned processes will receive. The
+ argument may be a double-quoted, space-
+ separated list or a single value without
+ double-quotes. The list can be replaced,
+ added to, deleted from, or disabled by
+
+
+
+1.7 August 15, 2007 18
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- dangerous since in a command context, it allows the user
- to run a\ban\bny\by command on the system.
- An exclamation point ('!') can be used as a logical _\bn_\bo_\bt
- operator both in an _\ba_\bl_\bi_\ba_\bs and in front of a Cmnd. This
- allows one to exclude certain values. Note, however, that
- using a ! in conjunction with the built-in ALL alias to
- allow a user to run "all but a few" commands rarely works
- as intended (see SECURITY NOTES below).
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- Long lines can be continued with a backslash ('\') as the
- last character on the line.
- Whitespace between elements in a list as well as special
- syntactic characters in a _\bU_\bs_\be_\br _\bS_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn ('=', ':',
- '(', ')') is optional.
+ using the =, +=, -=, and ! operators
+ respectively. The default list of vari-
+ ables to keep is displayed when s\bsu\bud\bdo\bo is
+ run by root with the _\b-_\bV option.
- The following characters must be escaped with a backslash
- ('\') when used as part of a word (e.g. a username or
- hostname): '@', '!', '=', ':', ',', '(', ')', '\'.
+ When logging via _\bs_\by_\bs_\bl_\bo_\bg(3), s\bsu\bud\bdo\bo accepts the following
+ values for the syslog facility (the value of the s\bsy\bys\bsl\blo\bog\bg
+ Parameter): a\bau\but\bth\bhp\bpr\bri\biv\bv (if your OS supports it), a\bau\but\bth\bh, d\bda\bae\be-\b-
+ m\bmo\bon\bn, u\bus\bse\ber\br, l\blo\boc\bca\bal\bl0\b0, l\blo\boc\bca\bal\bl1\b1, l\blo\boc\bca\bal\bl2\b2, l\blo\boc\bca\bal\bl3\b3, l\blo\boc\bca\bal\bl4\b4, l\blo\boc\bca\bal\bl5\b5,
+ l\blo\boc\bca\bal\bl6\b6, and l\blo\boc\bca\bal\bl7\b7. The following syslog priorities are
+ supported: a\bal\ble\ber\brt\bt, c\bcr\bri\bit\bt, d\bde\beb\bbu\bug\bg, e\bem\bme\ber\brg\bg, e\ber\brr\br, i\bin\bnf\bfo\bo, n\bno\bot\bti\bic\bce\be,
+ and w\bwa\bar\brn\bni\bin\bng\bg.
F\bFI\bIL\bLE\bES\bS
- /etc/sudoers List of who can run what
- /etc/group Local groups file
- /etc/netgroup List of network groups
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
+ _\b/_\be_\bt_\bc_\b/_\bg_\br_\bo_\bu_\bp Local groups file
+ _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bg_\br_\bo_\bu_\bp List of network groups
E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules
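Review bot: This hunk removes the "Including other files from within sudoers" text (the #include directive, the 128-nested-include limit) and the "Other special characters and reserved words" text (ALL, the '!' caveat, backslash continuation, the characters that must be escaped) without re-adding them anywhere in the visible region, and the rest of the hunk is pagination drift (the footer moves from "1.7 June 23, 2007 17" to "1.7 August 15, 2007 17" and every page boundary shifts), so it is easy to lose real content in the reflow; confirm both sections still exist in the regenerated sudoers.man. The text that appears here as additions (the verifypw always/any/never values, env_check, env_delete, env_keep, the syslog facility and priority lists) is likewise hard to tell from relocated text; reviewing the .pod/.man.in source diff is far more reliable than the preformatted page, so commit the source change separately or list the substantive changes in the commit message.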
-
-
-
-
-
-
-
-
-1.7 June 23, 2007 19
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
/usr/sbin/restore, /usr/sbin/rrestore
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
+
+
+1.7 August 15, 2007 19
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
Here we override some of the compiled in default values.
We want s\bsu\bud\bdo\bo to log via _\bs_\by_\bs_\bl_\bo_\bg(3) using the _\ba_\bu_\bt_\bh facility
in all cases. We don't want to subject the full time
sure we log the year in each log line since the log
entries will be kept around for several years. Lastly, we
disable shell escapes for the commands in the PAGERS
- Cmnd_Alias (/usr/bin/more, /usr/bin/pg and /usr/bin/less).
+ Cmnd_Alias (_\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be, _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bp_\bg and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\be_\bs_\bs).
# Override built-in defaults
Defaults syslog=auth
Defaults@SERVERS log_year, logfile=/var/log/sudo.log
Defaults!PAGERS noexec
- The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually deter
+ The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually deter-
mines who may run what.
root ALL = (ALL) ALL
PARTTIMERS ALL = ALL
Part time sysadmins (b\bbo\bos\bst\btl\ble\bey\by, j\bjw\bwf\bfo\box\bx, and c\bcr\bra\baw\bwl\bl) may run
- any command on any host but they must authenticate them
+ any command on any host but they must authenticate them-
selves first (since the entry lacks the NOPASSWD tag).
-
-
-1.7 June 23, 2007 20
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
jack CSNETS = ALL
The user j\bja\bac\bck\bk may run any command on the machines in the
The user l\bli\bis\bsa\ba may run any command on any host in the
_\bC_\bU_\bN_\bE_\bT_\bS alias (the class B network 128.138.0.0).
+
+
+1.7 August 15, 2007 20
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
sudoedit /etc/printcap, /usr/oper/bin/
- The o\bop\bpe\ber\bra\bat\bto\bor\br user may run commands limited to simple main
+ The o\bop\bpe\ber\bra\bat\bto\bor\br user may run commands limited to simple main-
tenance. Here, those are commands related to backups,
killing processes, the printing system, shutting down the
system, and any commands in the directory _\b/_\bu_\bs_\br_\b/_\bo_\bp_\be_\br_\b/_\bb_\bi_\bn_\b/.
jim +biglab = ALL
The user j\bji\bim\bm may run any command on machines in the _\bb_\bi_\bg_\bl_\ba_\bb
- netgroup. S\bSu\bud\bdo\bo knows that "biglab" is a netgroup due to
+ netgroup. s\bsu\bud\bdo\bo knows that "biglab" is a netgroup due to
the '+' prefix.
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
fred ALL = (DB) NOPASSWD: ALL
The user f\bfr\bre\bed\bd can run commands as any user in the _\bD_\bB
-
-
-
-1.7 June 23, 2007 21
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
Runas_Alias (o\bor\bra\bac\bcl\ble\be or s\bsy\byb\bba\bas\bse\be) without giving a password.
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
jill SERVERS = /usr/bin/, !SU, !SHELLS
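Review bot: The added `secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser` entry begins at column 0 (no indent after the `+`), while the other `+` lines in this hunk keep their formatted indentation and the neighbouring `fred ALL = (DB) NOPASSWD: ALL` sits inside the indented verbatim block; check that the source's .Vb block was not split so the entry renders flush with the margin. The jack, operator, jim, fred and jill entries in this section are each followed by a sentence explaining the rule, and nothing follows secretaries, so either add the explanation or confirm it was not dropped in the reflow.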
+
+
+1.7 August 15, 2007 21
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
For any machine in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, j\bji\bil\bll\bl may run
- any commands in the directory /usr/bin/ except for those
+ any commands in the directory _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/ except for those
commands belonging to the _\bS_\bU and _\bS_\bH_\bE_\bL_\bL_\bS Cmnd_Aliases.
steve CSNETS = (operator) /usr/local/op_commands/
S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
It is generally not effective to "subtract" commands from
- ALL using the '!' operator. A user can trivially circum
+ ALL using the '!' operator. A user can trivially circum-
vent this by copying the desired command to a different
name and then executing that. For example:
bill ALL = ALL, !SU, !SHELLS
Doesn't really prevent b\bbi\bil\bll\bl from running the commands
- listed in _\bS_\bU or _\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those
-
-
-
-1.7 June 23, 2007 22
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- commands to a different name, or use a shell escape from
- an editor or other program. Therefore, these kind of
+ listed in _\bS_\bU or _\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those com-
+ mands to a different name, or use a shell escape from an
+ editor or other program. Therefore, these kind of
restrictions should be considered advisory at best (and
reinforced by policy).
permit shell escapes include shells (obviously), editors,
paginators, mail and terminal programs.
- There are three basic approaches to this problem:
+ There are two basic approaches to this problem:
+
+
+
+1.7 August 15, 2007 22
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
restrict Avoid giving users access to commands that allow
- the user to run arbitrary commands. Many edi
+ the user to run arbitrary commands. Many edi-
tors have a restricted mode where shell escapes
- are disabled, though s\bsu\bud\bdo\boe\bed\bdi\bit\bt is a better solu
+ are disabled, though s\bsu\bud\bdo\boe\bed\bdi\bit\bt is a better solu-
tion to running editors via s\bsu\bud\bdo\bo. Due to the
large number of programs that offer shell
- escapes, restricting users to the set of pro
+ escapes, restricting users to the set of pro-
grams that do not if often unworkable.
noexec Many systems that support shared libraries have
- the ability to override default library func
- tions by pointing an environment variable (usu
+ the ability to override default library func-
+ tions by pointing an environment variable (usu-
ally LD_PRELOAD) to an alternate shared library.
On such systems, s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality can
be used to prevent a program run by s\bsu\bud\bdo\bo from
executing any other programs. Note, however,
that this applies only to native dynamically-
- linked executables. Statically-linked executa
+ linked executables. Statically-linked executa-
bles and foreign executables running under
binary emulation are not affected.
of functions in the standard library with its
own that simply return an error. Unfortunately,
there is no foolproof way to know whether or not
- _\bn_\bo_\be_\bx_\be_\bc will work at compile-time. _\bN_\bo_\be_\bx_\be_\bc should
+ _\bn_\bo_\be_\bx_\be_\bc will work at compile-time. _\bn_\bo_\be_\bx_\be_\bc should
work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64
UNIX, MacOS X, and HP-UX 11.x. It is known n\bno\bot\bt
-
-
-
-1.7 June 23, 2007 23
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- to work on AIX and UnixWare. _\bN_\bo_\be_\bx_\be_\bc is expected
+ to work on AIX and UnixWare. _\bn_\bo_\be_\bx_\be_\bc is expected
to work on most operating systems that support
the LD_PRELOAD environment variable. Check your
operating system's manual pages for the dynamic
linker (usually ld.so, ld.so.1, dyld, dld.sl,
- rld, or loader) to see if LD_PRELOAD is sup
+ rld, or loader) to see if LD_PRELOAD is sup-
ported.
To enable _\bn_\bo_\be_\bx_\be_\bc for a command, use the NOEXEC
- tag as documented in the User Specification sec
+ tag as documented in the User Specification sec-
tion above. Here is that example again:
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
This allows user a\baa\bar\bro\bon\bn to run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and
- _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi with _\bn_\bo_\be_\bx_\be_\bc enabled. This will pre
- vent those two commands from executing other
- commands (such as a shell). If you are unsure
- whether or not your system is capable of sup
- porting _\bn_\bo_\be_\bx_\be_\bc you can always just try it out
- and see if it works.
-
- monitor On operating systems that support the s\bsy\bys\bst\btr\bra\bac\bce\be
- pseudo-device, the --with-systrace configure
- option can be used to compile support for proc
- cess monitoring in s\bsu\bud\bdo\bo. In monitor mode s\bsu\bud\bdo\bo
- can transparently intercept a new command, allow
- or deny it based on _\bs_\bu_\bd_\bo_\be_\br_\bs, and log the result.
- This does require that s\bsu\bud\bdo\bo become a daemon that
- persists until the command and all its descen
- dents have exited.
-
- To enable monitor mode on a per-command basis,
- use the MONITOR tag as documented in the User
- Specification section above. Here is that exam
- ple again:
-
- chuck research = MONITOR: ALL
-
- This allows user c\bch\bhu\buc\bck\bk to run any command on the
- machine research in monitor mode. Any commands
- run via shell escapes will be logged by s\bsu\bud\bdo\bo.
-
- At the time of this writing the s\bsy\bys\bst\btr\bra\bac\bce\be pseudo-
- device comes standard with OpenBSD and NetBSD
- and is available as patches to FreeBSD, MacOS X
- and Linux. See <http://www.systrace.org/> for
- more information.
+ _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi with _\bn_\bo_\be_\bx_\be_\bc enabled. This will
- Note that restricting shell escapes is not a panacea.
- Programs running as root are still capable of many poten
- tially hazardous operations (such as changing or overwrit
- ing files) that could lead to unintended privilege escala
- tion. In the specific case of an editor, a safer approach
-
-1.7 June 23, 2007 24
+1.7 August 15, 2007 23
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ prevent those two commands from executing other
+ commands (such as a shell). If you are unsure
+ whether or not your system is capable of sup-
+ porting _\bn_\bo_\be_\bx_\be_\bc you can always just try it out
+ and see if it works.
+
+ Note that restricting shell escapes is not a panacea.
+ Programs running as root are still capable of many poten-
+ tially hazardous operations (such as changing or overwrit-
+ ing files) that could lead to unintended privilege escala-
+ tion. In the specific case of an editor, a safer approach
is to give the user permission to run s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\br_\bs_\bh(1), _\bs_\bu(1), _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3), sudo(1m), visudo(1m)
+ _\br_\bs_\bh(1), _\bs_\bu(1), _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3), _\bs_\bu_\bd_\bo(1m), _\bv_\bi_\bs_\bu_\bd_\bo(8)
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
The _\bs_\bu_\bd_\bo_\be_\br_\bs file should a\bal\blw\bwa\bay\bys\bs be edited by the v\bvi\bis\bsu\bud\bdo\bo
- command which locks the file and does grammatical check
+ command which locks the file and does grammatical check-
ing. It is imperative that _\bs_\bu_\bd_\bo_\be_\br_\bs be free of syntax
- errors since s\bsu\bud\bdo\bo will not run with a syntactically incor
+ errors since s\bsu\bud\bdo\bo will not run with a syntactically incor-
rect _\bs_\bu_\bd_\bo_\be_\br_\bs file.
When using netgroups of machines (as opposed to users), if
bug report at http://www.sudo.ws/sudo/bugs/
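Review bot: The new SEE ALSO line mixes manual sections: `sudo(1m)` keeps the MAINTENANCE COMMANDS section that this page's own header (SUDOERS(4)) and the `.TH SUDOERS @mansectform@` line in the source rely on, while `visudo(8)` is hardcoded to the BSD/Linux section. Both references should go through the same substitution that produces @mansectform@, otherwise the page points at `visudo(8)` on systems that install it as visudo(1m).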
S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Limited free support is available via the sudo-users mail
- ing list, see http://www.sudo.ws/mail
+ Limited free support is available via the sudo-users mail-
+ ing list, see http://www.sudo.ws/mail-
man/listinfo/sudo-users to subscribe or search the
archives.
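Review bot: The reflowed SUPPORT paragraph hyphenates the URL across the line break (`http://www.sudo.ws/mail-` then `man/listinfo/sudo-users`), so anyone copying it from the formatted page gets `mail-man`; prefix the URL with `\%` in the nroff source to suppress hyphenation, or put it on its own line. The same break hits the bold facility name in the new syslog paragraph (`dae-`/`mon`), which is harmless but deserves the same treatment.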
D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- S\bSu\bud\bdo\bo is provided ``AS IS'' and any express or implied war
- ranties, including, but not limited to, the implied war
+ s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied war-
+ ranties, including, but not limited to, the implied war-
ranties of merchantability and fitness for a particular
purpose are disclaimed. See the LICENSE file distributed
- with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for com
+ with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for com-
plete details.
-
-
-
-
-
-
-
-
-
-
-
-1.7 June 23, 2007 25
+1.7 August 15, 2007 24
-.\" Copyright (c) 1994-1996,1998-2005 Todd C. Miller <Todd.Miller@courtesan.com>
+.\" Copyright (c) 1994-1996, 1998-2005, 2007
+.\" Todd C. Miller <Todd.Miller@courtesan.com>
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "July 9, 2007" "1.7" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "August 15, 2007" "1.7" "MAINTENANCE COMMANDS"
.SH "NAME"
sudoers \- list of which users may execute what
.SH "DESCRIPTION"
operators, which many readers will recognize from regular
expressions. Do not, however, confuse them with \*(L"wildcard\*(R"
characters, which have different meanings.
-.ie n .IP "\*(C`?\*(C'" 8
-.el .IP "\f(CW\*(C`?\*(C'\fR" 8
+.ie n .IP "\*(C`?\*(C'" 4
+.el .IP "\f(CW\*(C`?\*(C'\fR" 4
.IX Item "?"
Means that the preceding symbol (or group of symbols) is optional.
That is, it may appear once or not at all.
-.ie n .IP "\*(C`*\*(C'" 8
-.el .IP "\f(CW\*(C`*\*(C'\fR" 8
+.ie n .IP "\*(C`*\*(C'" 4
+.el .IP "\f(CW\*(C`*\*(C'\fR" 4
.IX Item "*"
Means that the preceding symbol (or group of symbols) may appear
zero or more times.
-.ie n .IP "\*(C`+\*(C'" 8
-.el .IP "\f(CW\*(C`+\*(C'\fR" 8
+.ie n .IP "\*(C`+\*(C'" 4
+.el .IP "\f(CW\*(C`+\*(C'\fR" 4
.IX Item "+"
Means that the preceding symbol (or group of symbols) may appear
one or more times.
\&\fBsudo\fR will query each of the local host's network interfaces and,
if the network number corresponds to one of the hosts's network
interfaces, the corresponding netmask will be used. The netmask
-may be specified either in dotted quad notation (e.g.\ 255.255.255.0)
-or \s-1CIDR\s0 notation (number of bits, e.g.\ 24). A hostname may
+may be specified either in standard \s-1IP\s0 address notation
+(e.g.\ 255.255.255.0 or ffff:ffff:ffff:ffff::),
+or \s-1CIDR\s0 notation (number of bits, e.g.\ 24 or 64). A hostname may
include shell-style wildcards (see the Wildcards section below),
but unless the \f(CW\*(C`hostname\*(C'\fR command on your machine returns the fully
qualified hostname, you'll need to use the \fIfqdn\fR option for
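Review bot: The rewritten netmask sentence adds IPv6 forms (`ffff:ffff:ffff:ffff::`, `/64`) but the sentence before it, which explains when the netmask is taken from a local interface, is left untouched, including the typo "the hosts's network interfaces" (should be "host's"); fix the typo here and say whether the interface lookup covers both address families, since that is what an admin writing an IPv6 Host_Alias needs to know.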
.PP
.Vb 2
\& Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
-\& 'SETENV:' | 'NOSETENV:' | 'MONITOR:' | 'NOMONITOR:')
+\& 'SETENV:' | 'NOSETENV:' )
.Ve
.PP
A \fBuser specification\fR determines which commands a user may run
.IX Subsection "Tag_Spec"
A command may have zero or more tags associated with it. There are
eight possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, \f(CW\*(C`EXEC\*(C'\fR,
-\&\f(CW\*(C`SETENV\*(C'\fR, \f(CW\*(C`NOSETENV\*(C'\fR, \f(CW\*(C`MONITOR\*(C'\fR and \f(CW\*(C`NOMONITOR\*(C'\fR.
+\&\f(CW\*(C`SETENV\*(C'\fR and \f(CW\*(C`NOSETENV\*(C'\fR.
Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR, subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the
\&\f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless it is overridden by the
opposite tag (i.e.: \f(CW\*(C`PASSWD\*(C'\fR overrides \f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOEXEC\*(C'\fR
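Review bot: "There are eight possible tag values" two lines above is now wrong: the replacement list names six (NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV), matching the Tag_Spec grammar earlier in the diff after MONITOR and NOMONITOR were dropped, so change "eight" to "six". In that grammar line, `'SETENV:' | 'NOSETENV:' )` also keeps a stray space before the closing parenthesis left over from deleting the MONITOR alternatives.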
to the restrictions imposed by \fIenv_check\fR, \fIenv_delete\fR, or
\&\fIenv_keep\fR. As such, only trusted users should be allowed to set
variables in this manner.
-.PP
-\fI\s-1MONITOR\s0 and \s-1NOMONITOR\s0\fR
-.IX Subsection "MONITOR and NOMONITOR"
-.PP
-If \fBsudo\fR has been configured with the \f(CW\*(C`\-\-with\-systrace\*(C'\fR option,
-the \f(CW\*(C`MONITOR\*(C'\fR tag can be used to cause programs spawned by a command
-to be checked against \fIsudoers\fR and logged just like they would
-be if run through \fBsudo\fR directly. This is useful in conjunction
-with commands that allow shell escapes such as editors, shells and
-paginators.
-.PP
-In the following example, user \fBchuck\fR may run any command on the
-machine research in monitor mode.
-.PP
-.Vb 1
-\& chuck research = MONITOR: ALL
-.Ve
-.PP
-See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details
-on how \f(CW\*(C`MONITOR\*(C'\fR works and whether or not it will work on your system.
.Sh "Wildcards"
.IX Subsection "Wildcards"
\&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters)
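Review bot: Removing the MONITOR and NOMONITOR tags from the grammar turns any existing sudoers file that uses the documented `chuck research = MONITOR: ALL` form into a syntax error, and the CAVEATS section of this same page says sudo will not run at all with a syntactically incorrect sudoers file; the removal is consistent with the formatted page (the `monitor` approach and the `--with-systrace` text are gone and "three basic approaches" became "two"), but the commit message and release notes should state that systrace monitor support is dropped and tell administrators to strip the tag before upgrading. Nothing in the diff records whether the `--with-systrace` configure option itself is removed; if it still exists it should be documented as a no-op.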
\&'@', '!', '=', ':', ',', '(', ')', '\e'.
.SH "SUDOERS OPTIONS"
.IX Header "SUDOERS OPTIONS"
-Sudo's behavior can be modified by \f(CW\*(C`Default_Entry\*(C'\fR lines, as
+\&\fBsudo\fR's behavior can be modified by \f(CW\*(C`Default_Entry\*(C'\fR lines, as
explained earlier. A list of all supported Defaults parameters,
grouped by type, are listed below.
.PP
\&\fBFlags\fR:
-.IP "long_otp_prompt" 12
-.IX Item "long_otp_prompt"
-When validating with a One Time Password scheme (\fBS/Key\fR or \fB\s-1OPIE\s0\fR),
-a two-line prompt is used to make it easier to cut and paste the
-challenge to a local window. It's not as pretty as the default but
-some people find it more convenient. This flag is \fI@long_otp_prompt@\fR
-by default.
-.IP "ignore_dot" 12
+.IP "always_set_home" 16
+.IX Item "always_set_home"
+If set, \fBsudo\fR will set the \f(CW\*(C`HOME\*(C'\fR environment variable to the home
+directory of the target user (which is root unless the \fB\-u\fR option is used).
+This effectively means that the \fB\-H\fR flag is always implied.
+This flag is \fIoff\fR by default.
+.IP "authenticate" 16
+.IX Item "authenticate"
+If set, users must authenticate themselves via a password (or other
+means of authentication) before they may run commands. This default
+may be overridden via the \f(CW\*(C`PASSWD\*(C'\fR and \f(CW\*(C`NOPASSWD\*(C'\fR tags.
+This flag is \fIon\fR by default.
+.IP "closefrom_override" 16
+.IX Item "closefrom_override"
+If set, the user may use \fBsudo\fR's \fB\-C\fR option which
+overrides the default starting point at which \fBsudo\fR begins
+closing open file descriptors. This flag is \fIoff\fR by default.
+.IP "env_editor" 16
+.IX Item "env_editor"
+If set, \fBvisudo\fR will use the value of the \s-1EDITOR\s0 or \s-1VISUAL\s0
+environment variables before falling back on the default editor list.
+Note that this may create a security hole as it allows the user to
+run any arbitrary command as root without logging. A safer alternative
+is to place a colon-separated list of editors in the \f(CW\*(C`editor\*(C'\fR
+variable. \fBvisudo\fR will then only use the \s-1EDITOR\s0 or \s-1VISUAL\s0 if
+they match a value specified in \f(CW\*(C`editor\*(C'\fR. This flag is \fI@env_editor@\fR by
+default.
+.IP "env_reset" 16
+.IX Item "env_reset"
+If set, \fBsudo\fR will reset the environment to only contain the
+\&\s-1LOGNAME\s0, \s-1SHELL\s0, \s-1USER\s0, \s-1USERNAME\s0 and the \f(CW\*(C`SUDO_*\*(C'\fR variables. Any
+variables in the caller's environment that match the \f(CW\*(C`env_keep\*(C'\fR
+and \f(CW\*(C`env_check\*(C'\fR lists are then added. The default contents of the
+\&\f(CW\*(C`env_keep\*(C'\fR and \f(CW\*(C`env_check\*(C'\fR lists are displayed when \fBsudo\fR is
+run by root with the \fI\-V\fR option. If the \fIsecure_path\fR option
+is set, its value will be used for the \f(CW\*(C`PATH\*(C'\fR environment variable.
+This flag is \fIon\fR by default.
+.IP "fqdn" 16
+.IX Item "fqdn"
+Set this flag if you want to put fully qualified hostnames in the
+\&\fIsudoers\fR file. I.e., instead of myhost you would use myhost.mydomain.edu.
+You may still use the short form if you wish (and even mix the two).
+Beware that turning on \fIfqdn\fR requires \fBsudo\fR to make \s-1DNS\s0 lookups
+which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example
+if the machine is not plugged into the network). Also note that
+you must use the host's official name as \s-1DNS\s0 knows it. That is,
+you may not use a host alias (\f(CW\*(C`CNAME\*(C'\fR entry) due to performance
+issues and the fact that there is no way to get all aliases from
+\&\s-1DNS\s0. If your machine's hostname (as returned by the \f(CW\*(C`hostname\*(C'\fR
+command) is already fully qualified you shouldn't need to set
+\&\fIfqdn\fR. This flag is \fI@fqdn@\fR by default.
+.IP "ignore_dot" 16
.IX Item "ignore_dot"
If set, \fBsudo\fR will ignore '.' or '' (current dir) in the \f(CW\*(C`PATH\*(C'\fR
environment variable; the \f(CW\*(C`PATH\*(C'\fR itself is not modified. This
flag is \fI@ignore_dot@\fR by default.
-.IP "mail_always" 12
+.IP "ignore_local_sudoers" 16
+.IX Item "ignore_local_sudoers"
+If set via \s-1LDAP\s0, parsing of \f(CW@sysconfdir\fR@/sudoers will be skipped.
+This is intended for Enterprises that wish to prevent the usage of local
+sudoers files so that only \s-1LDAP\s0 is used. This thwarts the efforts of
+rogue operators who would attempt to add roles to \f(CW@sysconfdir\fR@/sudoers.
+When this option is present, \f(CW@sysconfdir\fR@/sudoers does not even need to exist.
+Since this option tells \fBsudo\fR how to behave when no specific \s-1LDAP\s0 entries
+have been matched, this sudoOption is only meaningful for the cn=defaults
+section. This flag is \fIoff\fR by default.
+.IP "insults" 16
+.IX Item "insults"
+If set, \fBsudo\fR will insult users when they enter an incorrect
+password. This flag is \fI@insults@\fR by default.
+.IP "log_host" 16
+.IX Item "log_host"
+If set, the hostname will be logged in the (non\-syslog) \fBsudo\fR log file.
+This flag is \fIoff\fR by default.
+.IP "log_year" 16
+.IX Item "log_year"
+If set, the four-digit year will be logged in the (non\-syslog) \fBsudo\fR log file.
+This flag is \fIoff\fR by default.
+.IP "long_otp_prompt" 16
+.IX Item "long_otp_prompt"
+When validating with a One Time Password (\s-1OPT\s0) scheme such as
+\&\fBS/Key\fR or \fB\s-1OPIE\s0\fR, a two-line prompt is used to make it easier
+to cut and paste the challenge to a local window. It's not as
+pretty as the default but some people find it more convenient. This
+flag is \fI@long_otp_prompt@\fR by default.
+.IP "mail_always" 16
.IX Item "mail_always"
Send mail to the \fImailto\fR user every time a users runs \fBsudo\fR.
This flag is \fIoff\fR by default.
-.IP "mail_badpass" 12
+.IP "mail_badpass" 16
.IX Item "mail_badpass"
Send mail to the \fImailto\fR user if the user running \fBsudo\fR does not
enter the correct password. This flag is \fIoff\fR by default.
-.IP "mail_no_user" 12
-.IX Item "mail_no_user"
-If set, mail will be sent to the \fImailto\fR user if the invoking
-user is not in the \fIsudoers\fR file. This flag is \fI@mail_no_user@\fR
-by default.
-.IP "mail_no_host" 12
+.IP "mail_no_host" 16
.IX Item "mail_no_host"
If set, mail will be sent to the \fImailto\fR user if the invoking
user exists in the \fIsudoers\fR file, but is not allowed to run
commands on the current host. This flag is \fI@mail_no_host@\fR by default.
-.IP "mail_no_perms" 12
+.IP "mail_no_perms" 16
.IX Item "mail_no_perms"
If set, mail will be sent to the \fImailto\fR user if the invoking
user is allowed to use \fBsudo\fR but the command they are trying is not
listed in their \fIsudoers\fR file entry or is explicitly denied.
This flag is \fI@mail_no_perms@\fR by default.
-.IP "tty_tickets" 12
-.IX Item "tty_tickets"
-If set, users must authenticate on a per-tty basis. Normally,
-\&\fBsudo\fR uses a directory in the ticket dir with the same name as
-the user running it. With this flag enabled, \fBsudo\fR will use a
-file named for the tty the user is logged in on in that directory.
-This flag is \fI@tty_tickets@\fR by default.
-.IP "authenticate" 12
-.IX Item "authenticate"
-If set, users must authenticate themselves via a password (or other
-means of authentication) before they may run commands. This default
-may be overridden via the \f(CW\*(C`PASSWD\*(C'\fR and \f(CW\*(C`NOPASSWD\*(C'\fR tags.
-This flag is \fIon\fR by default.
-.IP "root_sudo" 12
-.IX Item "root_sudo"
-If set, root is allowed to run \fBsudo\fR too. Disabling this prevents users
-from \*(L"chaining\*(R" \fBsudo\fR commands to get a root shell by doing something
-like \f(CW"sudo sudo /bin/sh"\fR. Note, however, that turning off \fIroot_sudo\fR
-will also prevent root and from running \fBsudoedit\fR.
-Disabling \fIroot_sudo\fR provides no real additional security; it
-exists purely for historical reasons.
-This flag is \fI@root_sudo@\fR by default.
-.IP "log_host" 12
-.IX Item "log_host"
-If set, the hostname will be logged in the (non\-syslog) \fBsudo\fR log file.
-This flag is \fIoff\fR by default.
-.IP "log_year" 12
-.IX Item "log_year"
-If set, the four-digit year will be logged in the (non\-syslog) \fBsudo\fR log file.
-This flag is \fIoff\fR by default.
-.IP "shell_noargs" 12
-.IX Item "shell_noargs"
-If set and \fBsudo\fR is invoked with no arguments it acts as if the
-\&\fB\-s\fR flag had been given. That is, it runs a shell as root (the
-shell is determined by the \f(CW\*(C`SHELL\*(C'\fR environment variable if it is
-set, falling back on the shell listed in the invoking user's
-/etc/passwd entry if not). This flag is \fIoff\fR by default.
-.IP "set_home" 12
-.IX Item "set_home"
-If set and \fBsudo\fR is invoked with the \fB\-s\fR flag the \f(CW\*(C`HOME\*(C'\fR
-environment variable will be set to the home directory of the target
-user (which is root unless the \fB\-u\fR option is used). This effectively
-makes the \fB\-s\fR flag imply \fB\-H\fR. This flag is \fIoff\fR by default.
-.IP "always_set_home" 12
-.IX Item "always_set_home"
-If set, \fBsudo\fR will set the \f(CW\*(C`HOME\*(C'\fR environment variable to the home
-directory of the target user (which is root unless the \fB\-u\fR option is used).
-This effectively means that the \fB\-H\fR flag is always implied.
-This flag is \fIoff\fR by default.
-.IP "path_info" 12
+.IP "mail_no_user" 16
+.IX Item "mail_no_user"
+If set, mail will be sent to the \fImailto\fR user if the invoking
+user is not in the \fIsudoers\fR file. This flag is \fI@mail_no_user@\fR
+by default.
+.IP "noexec" 16
+.IX Item "noexec"
+If set, all commands run via \fBsudo\fR will behave as if the \f(CW\*(C`NOEXEC\*(C'\fR
+tag has been set, unless overridden by a \f(CW\*(C`EXEC\*(C'\fR tag. See the
+description of \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR below as well as the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section at the end of this manual. This flag is \fIoff\fR by default.
+.IP "path_info" 16
.IX Item "path_info"
Normally, \fBsudo\fR will tell the user when a command could not be
found in their \f(CW\*(C`PATH\*(C'\fR environment variable. Some sites may wish
location of executables that the normal user does not have access
to. The disadvantage is that if the executable is simply not in
the user's \f(CW\*(C`PATH\*(C'\fR, \fBsudo\fR will tell the user that they are not
-allowed to run it, which can be confusing. This flag is \fIoff\fR by
-default.
-.IP "preserve_groups" 12
+allowed to run it, which can be confusing. This flag is \fI@path_info@\fR
+by default.
+.IP "preserve_groups" 16
.IX Item "preserve_groups"
By default \fBsudo\fR will initialize the group vector to the list of
groups the target user is in. When \fIpreserve_groups\fR is set, the
user's existing group vector is left unaltered. The real and
effective group IDs, however, are still set to match the target
user. This flag is \fIoff\fR by default.
-.IP "fqdn" 12
-.IX Item "fqdn"
-Set this flag if you want to put fully qualified hostnames in the
-\&\fIsudoers\fR file. I.e., instead of myhost you would use myhost.mydomain.edu.
-You may still use the short form if you wish (and even mix the two).
-Beware that turning on \fIfqdn\fR requires \fBsudo\fR to make \s-1DNS\s0 lookups
-which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example
-if the machine is not plugged into the network). Also note that
-you must use the host's official name as \s-1DNS\s0 knows it. That is,
-you may not use a host alias (\f(CW\*(C`CNAME\*(C'\fR entry) due to performance
-issues and the fact that there is no way to get all aliases from
-\&\s-1DNS\s0. If your machine's hostname (as returned by the \f(CW\*(C`hostname\*(C'\fR
-command) is already fully qualified you shouldn't need to set
-\&\fIfqdn\fR. This flag is \fI@fqdn@\fR by default.
-.IP "insults" 12
-.IX Item "insults"
-If set, \fBsudo\fR will insult users when they enter an incorrect
-password. This flag is \fI@insults@\fR by default.
-.IP "requiretty" 12
+.IP "requiretty" 16
.IX Item "requiretty"
If set, \fBsudo\fR will only run when the user is logged in to a real
tty. This will disallow things like \f(CW"rsh somehost sudo ls"\fR since
off echo when there is no tty present, some sites may wish to set
this flag to prevent a user from entering a visible password. This
flag is \fIoff\fR by default.
-.IP "env_editor" 12
-.IX Item "env_editor"
-If set, \fBvisudo\fR will use the value of the \s-1EDITOR\s0 or \s-1VISUAL\s0
-environment variables before falling back on the default editor list.
-Note that this may create a security hole as it allows the user to
-run any arbitrary command as root without logging. A safer alternative
-is to place a colon-separated list of editors in the \f(CW\*(C`editor\*(C'\fR
-variable. \fBvisudo\fR will then only use the \s-1EDITOR\s0 or \s-1VISUAL\s0 if
-they match a value specified in \f(CW\*(C`editor\*(C'\fR. This flag is \f(CW\*(C`@env_editor@\*(C'\fR by
-default.
-.IP "rootpw" 12
+.IP "root_sudo" 16
+.IX Item "root_sudo"
+If set, root is allowed to run \fBsudo\fR too. Disabling this prevents users
+from \*(L"chaining\*(R" \fBsudo\fR commands to get a root shell by doing something
+like \f(CW"sudo sudo /bin/sh"\fR. Note, however, that turning off \fIroot_sudo\fR
+will also prevent root and from running \fBsudoedit\fR.
+Disabling \fIroot_sudo\fR provides no real additional security; it
+exists purely for historical reasons.
+This flag is \fI@root_sudo@\fR by default.
+.IP "rootpw" 16
.IX Item "rootpw"
If set, \fBsudo\fR will prompt for the root password instead of the password
of the invoking user. This flag is \fIoff\fR by default.
-.IP "runaspw" 12
+.IP "runaspw" 16
.IX Item "runaspw"
If set, \fBsudo\fR will prompt for the password of the user defined by the
\&\fIrunas_default\fR option (defaults to \f(CW\*(C`@runas_default@\*(C'\fR) instead of the
password of the invoking user. This flag is \fIoff\fR by default.
-.IP "targetpw" 12
-.IX Item "targetpw"
-If set, \fBsudo\fR will prompt for the password of the user specified by
-the \fB\-u\fR flag (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password of the
-invoking user. Note that this precludes the use of a uid not listed
-in the passwd database as an argument to the \fB\-u\fR flag.
-This flag is \fIoff\fR by default.
-.IP "set_logname" 12
+.IP "set_home" 16
+.IX Item "set_home"
+If set and \fBsudo\fR is invoked with the \fB\-s\fR flag the \f(CW\*(C`HOME\*(C'\fR
+environment variable will be set to the home directory of the target
+user (which is root unless the \fB\-u\fR option is used). This effectively
+makes the \fB\-s\fR flag imply \fB\-H\fR. This flag is \fIoff\fR by default.
+.IP "set_logname" 16
.IX Item "set_logname"
Normally, \fBsudo\fR will set the \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR and \f(CW\*(C`USERNAME\*(C'\fR
environment variables to the name of the target user (usually root
change this behavior. This can be done by negating the set_logname
option. Note that if the \fIenv_reset\fR option has not been disabled,
entries in the \fIenv_keep\fR list will override the value of
-\&\fIset_logname\fR.
-.IP "stay_setuid" 12
+\&\fIset_logname\fR. This flag is \fIoff\fR by default.
+.IP "setenv" 16
+.IX Item "setenv"
+Allow the user to disable the \fIenv_reset\fR option from the command
+line. Additionally, environment variables set via the command line
+are not subject to the restrictions imposed by \fIenv_check\fR,
+\&\fIenv_delete\fR, or \fIenv_keep\fR. As such, only trusted users should
+be allowed to set variables in this manner. This flag is \fIoff\fR
+by default.
+.IP "shell_noargs" 16
+.IX Item "shell_noargs"
+If set and \fBsudo\fR is invoked with no arguments it acts as if the
+\&\fB\-s\fR flag had been given. That is, it runs a shell as root (the
+shell is determined by the \f(CW\*(C`SHELL\*(C'\fR environment variable if it is
+set, falling back on the shell listed in the invoking user's
+/etc/passwd entry if not). This flag is \fIoff\fR by default.
+.IP "stay_setuid" 16
.IX Item "stay_setuid"
Normally, when \fBsudo\fR executes a command the real and effective
UIDs are set to the target user (root by default). This option
wrapper. This can be useful on systems that disable some potentially
dangerous functionality when a program is run setuid. This option
is only effective on systems with either the \fIsetreuid()\fR or \fIsetresuid()\fR
-function.
-.IP "env_reset" 12
-.IX Item "env_reset"
-If set, \fBsudo\fR will reset the environment to only contain the
-\&\s-1LOGNAME\s0, \s-1SHELL\s0, \s-1USER\s0, \s-1USERNAME\s0 and the \f(CW\*(C`SUDO_*\*(C'\fR variables. Any
-variables in the caller's environment that match the \f(CW\*(C`env_keep\*(C'\fR
-and \f(CW\*(C`env_check\*(C'\fR lists are then added. The default contents of the
-\&\f(CW\*(C`env_keep\*(C'\fR and \f(CW\*(C`env_check\*(C'\fR lists are displayed when \fBsudo\fR is
-run by root with the \fI\-V\fR option. If the \fIsecure_path\fR option
-is set, its \-value will be used for the \f(CW\*(C`PATH\*(C'\fR environment variable.
-This flag is \fIon\fR by default.
-.IP "use_loginclass" 12
+function. This flag is \fIoff\fR by default.
+.IP "targetpw" 16
+.IX Item "targetpw"
+If set, \fBsudo\fR will prompt for the password of the user specified by
+the \fB\-u\fR flag (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password of the
+invoking user. Note that this precludes the use of a uid not listed
+in the passwd database as an argument to the \fB\-u\fR flag.
+This flag is \fIoff\fR by default.
+.IP "tty_tickets" 16
+.IX Item "tty_tickets"
+If set, users must authenticate on a per-tty basis. Normally,
+\&\fBsudo\fR uses a directory in the ticket dir with the same name as
+the user running it. With this flag enabled, \fBsudo\fR will use a
+file named for the tty the user is logged in on in that directory.
+This flag is \fI@tty_tickets@\fR by default.
+.IP "use_loginclass" 16
.IX Item "use_loginclass"
If set, \fBsudo\fR will apply the defaults specified for the target user's
login class if one exists. Only available if \fBsudo\fR is configured with
the \-\-with\-logincap option. This flag is \fIoff\fR by default.
-.IP "noexec" 12
-.IX Item "noexec"
-If set, all commands run via \fBsudo\fR will behave as if the \f(CW\*(C`NOEXEC\*(C'\fR
-tag has been set, unless overridden by a \f(CW\*(C`EXEC\*(C'\fR tag. See the
-description of \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR below as well as the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section at the end of this manual. This flag is \fIoff\fR by default.
-.IP "monitor" 12
-.IX Item "monitor"
-If set, all commands run via \fBsudo\fR will behave as if the \f(CW\*(C`MONITOR\*(C'\fR
-tag has been set, unless overridden by a \f(CW\*(C`NOMONITOR\*(C'\fR tag. See the
-description of \fI\s-1MONITOR\s0 and \s-1NOMONITOR\s0\fR below as well as the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section at the end of this manual. Be aware that
-tracing is only supported on certain operating systems. On systems
-where it is not supported this flag will have no effect.
-This flag is \fIoff\fR by default.
-.IP "ignore_local_sudoers" 12
-.IX Item "ignore_local_sudoers"
-If set via \s-1LDAP\s0, parsing of \f(CW@sysconfdir\fR@/sudoers will be skipped.
-This is intended for Enterprises that wish to prevent the usage of local
-sudoers files so that only \s-1LDAP\s0 is used. This thwarts the efforts of
-rogue operators who would attempt to add roles to \f(CW@sysconfdir\fR@/sudoers.
-When this option is present, \f(CW@sysconfdir\fR@/sudoers does not even need to exist.
-Since this option tells \fBsudo\fR how to behave when no specific \s-1LDAP\s0 entries
-have been matched, this sudoOption is only meaningful for the cn=defaults
-section. This flag is \fIoff\fR by default.
-.IP "closefrom_override" 12
-.IX Item "closefrom_override"
-If set, the user may use \fBsudo\fR's \fB\-C\fR option which
-overrides the default starting point at which \fBsudo\fR begins
-closing open file descriptors. This flag is \fIoff\fR by default.
.PP
\&\fBIntegers\fR:
-.IP "passwd_tries" 12
+.IP "closefrom" 16
+.IX Item "closefrom"
+Before it executes a command, \fBsudo\fR will close all open file
+descriptors other than standard input, standard output and standard
+error (ie: file descriptors 0\-2). The \fIclosefrom\fR option can be used
+to specify a different file descriptor at which to start closing.
+The default is \f(CW3\fR.
+.IP "passwd_tries" 16
.IX Item "passwd_tries"
The number of tries a user gets to enter his/her password before
\&\fBsudo\fR logs the failure and exits. The default is \f(CW\*(C`@passwd_tries@\*(C'\fR.
.PP
\&\fBIntegers that can be used in a boolean context\fR:
-.IP "loglinelen" 12
+.IP "loglinelen" 16
.IX Item "loglinelen"
Number of characters per line for the file log. This value is used
to decide when to wrap lines for nicer log files. This has no
effect on the syslog log file, only the file log. The default is
\&\f(CW\*(C`@loglen@\*(C'\fR (use 0 or negate the option to disable word wrap).
-.IP "timestamp_timeout" 12
+.IP "passwd_timeout" 16
+.IX Item "passwd_timeout"
+Number of minutes before the \fBsudo\fR password prompt times out.
+The default is \f(CW\*(C`@password_timeout@\*(C'\fR; set this to \f(CW0\fR for no password timeout.
+.IP "timestamp_timeout" 16
.IX Item "timestamp_timeout"
Number of minutes that can elapse before \fBsudo\fR will ask for a
passwd again. The default is \f(CW\*(C`@timeout@\*(C'\fR. Set this to \f(CW0\fR to always
If set to a value less than \f(CW0\fR the user's timestamp will never
expire. This can be used to allow users to create or delete their
own timestamps via \f(CW\*(C`sudo \-v\*(C'\fR and \f(CW\*(C`sudo \-k\*(C'\fR respectively.
-.IP "passwd_timeout" 12
-.IX Item "passwd_timeout"
-Number of minutes before the \fBsudo\fR password prompt times out.
-The default is \f(CW\*(C`@password_timeout@\*(C'\fR, set this to \f(CW0\fR for no password timeout.
-.IP "umask" 12
+.IP "umask" 16
.IX Item "umask"
Umask to use when running the command. Negate this option or set
it to 0777 to preserve the user's umask. The default is \f(CW\*(C`@sudo_umask@\*(C'\fR.
-.IP "closefrom" 12
-.IX Item "closefrom"
-Before it executes a command, \fBsudo\fR will close all open file
-descriptors other than standard input, standard output and standard
-error (ie: file descriptors 0\-2). The \fIclosefrom\fR option can be used
-to specify a different file descriptor at which to start closing.
-The default is 3.
-.IP "setenv" 12
-.IX Item "setenv"
-Allow the user to disable the \fIenv_reset\fR option from the command
-line. Additionally, environment variables set via the command line
-are not subject to the restrictions imposed by \fIenv_check\fR,
-\&\fIenv_delete\fR, or \fIenv_keep\fR. As such, only trusted users should
-be allowed to set variables in this manner.
.PP
\&\fBStrings\fR:
-.IP "mailsub" 12
+.IP "badpass_message" 16
+.IX Item "badpass_message"
+Message that is displayed if a user enters an incorrect password.
+The default is \f(CW\*(C`@badpass_message@\*(C'\fR unless insults are enabled.
+.IP "editor" 16
+.IX Item "editor"
+A colon (':') separated list of editors allowed to be used with
+\&\fBvisudo\fR. \fBvisudo\fR will choose the editor that matches the user's
+\&\s-1EDITOR\s0 environment variable if possible, or the first editor in the
+list that exists and is executable. The default is the path to vi
+on your system.
+.IP "mailsub" 16
.IX Item "mailsub"
Subject of the mail sent to the \fImailto\fR user. The escape \f(CW%h\fR
will expand to the hostname of the machine.
Default is \f(CW\*(C`@mailsub@\*(C'\fR.
-.IP "badpass_message" 12
-.IX Item "badpass_message"
-Message that is displayed if a user enters an incorrect password.
-The default is \f(CW\*(C`@badpass_message@\*(C'\fR unless insults are enabled.
-.IP "timestampdir" 12
-.IX Item "timestampdir"
-The directory in which \fBsudo\fR stores its timestamp files.
-The default is \fI@timedir@\fR.
-.IP "timestampowner" 12
-.IX Item "timestampowner"
-The owner of the timestamp directory and the timestamps stored therein.
-The default is \f(CW\*(C`root\*(C'\fR.
-.IP "passprompt" 12
+.IP "noexec_file" 16
+.IX Item "noexec_file"
+Path to a shared library containing dummy versions of the \fIexecv()\fR,
+\&\fIexecve()\fR and \fIfexecve()\fR library functions that just return an error.
+This is used to implement the \fInoexec\fR functionality on systems that
+support \f(CW\*(C`LD_PRELOAD\*(C'\fR or its equivalent. Defaults to \fI@noexec_file@\fR.
+.IP "passprompt" 16
.IX Item "passprompt"
The default prompt to use when asking for a password; can be overridden
via the \fB\-p\fR option or the \f(CW\*(C`SUDO_PROMPT\*(C'\fR environment variable.
The following percent (`\f(CW\*(C`%\*(C'\fR') escapes are supported:
-.RS 12
-.ie n .IP "%u" 8
-.el .IP "\f(CW%u\fR" 8
-.IX Item "%u"
-expanded to the invoking user's login name
-.ie n .IP "%U" 8
-.el .IP "\f(CW%U\fR" 8
-.IX Item "%U"
-expanded to the login name of the user the command will
-be run as (defaults to root)
-.ie n .IP "%h" 8
-.el .IP "\f(CW%h\fR" 8
-.IX Item "%h"
-expanded to the local hostname without the domain name
-.ie n .IP "%H" 8
-.el .IP "\f(CW%H\fR" 8
+.RS 16
+.ie n .IP "%H" 4
+.el .IP "\f(CW%H\fR" 4
.IX Item "%H"
expanded to the local hostname including the domain name
(on if the machine's hostname is fully qualified or the \fIfqdn\fR
option is set)
-.ie n .IP "\*(C`%%\*(C'" 8
-.el .IP "\f(CW\*(C`%%\*(C'\fR" 8
+.ie n .IP "%h" 4
+.el .IP "\f(CW%h\fR" 4
+.IX Item "%h"
+expanded to the local hostname without the domain name
+.ie n .IP "%U" 4
+.el .IP "\f(CW%U\fR" 4
+.IX Item "%U"
+expanded to the login name of the user the command will
+be run as (defaults to root)
+.ie n .IP "%u" 4
+.el .IP "\f(CW%u\fR" 4
+.IX Item "%u"
+expanded to the invoking user's login name
+.ie n .IP "\*(C`%%\*(C'" 4
+.el .IP "\f(CW\*(C`%%\*(C'\fR" 4
.IX Item "%%"
two consecutive \f(CW\*(C`%\*(C'\fR characters are collapsed into a single \f(CW\*(C`%\*(C'\fR character
.RE
-.RS 12
+.RS 16
.Sp
The default value is \f(CW\*(C`@passprompt@\*(C'\fR.
.RE
-.IP "runas_default" 12
+.IP "runas_default" 16
.IX Item "runas_default"
The default user to run commands as if the \fB\-u\fR flag is not specified
on the command line. This defaults to \f(CW\*(C`@runas_default@\*(C'\fR.
Note that if \fIrunas_default\fR is set it \fBmust\fR occur before
any \f(CW\*(C`Runas_Alias\*(C'\fR specifications.
-.IP "syslog_goodpri" 12
-.IX Item "syslog_goodpri"
-Syslog priority to use when user authenticates successfully.
-Defaults to \f(CW\*(C`@goodpri@\*(C'\fR.
-.IP "syslog_badpri" 12
+.IP "syslog_badpri" 16
.IX Item "syslog_badpri"
Syslog priority to use when user authenticates unsuccessfully.
Defaults to \f(CW\*(C`@badpri@\*(C'\fR.
-.IP "editor" 12
-.IX Item "editor"
-A colon (':') separated list of editors allowed to be used with
-\&\fBvisudo\fR. \fBvisudo\fR will choose the editor that matches the user's
-\&\s-1EDITOR\s0 environment variable if possible, or the first editor in the
-list that exists and is executable. The default is the path to vi
-on your system.
-.IP "noexec_file" 12
-.IX Item "noexec_file"
-Path to a shared library containing dummy versions of the \fIexecv()\fR,
-\&\fIexecve()\fR and \fIfexecve()\fR library functions that just return an error.
-This is used to implement the \fInoexec\fR functionality on systems that
-support \f(CW\*(C`LD_PRELOAD\*(C'\fR or its equivalent. Defaults to \fI@noexec_file@\fR.
+.IP "syslog_goodpri" 16
+.IX Item "syslog_goodpri"
+Syslog priority to use when user authenticates successfully.
+Defaults to \f(CW\*(C`@goodpri@\*(C'\fR.
+.IP "timestampdir" 16
+.IX Item "timestampdir"
+The directory in which \fBsudo\fR stores its timestamp files.
+The default is \fI@timedir@\fR.
+.IP "timestampowner" 16
+.IX Item "timestampowner"
+The owner of the timestamp directory and the timestamps stored therein.
+The default is \f(CW\*(C`root\*(C'\fR.
.PP
\&\fBStrings that can be used in a boolean context\fR:
+.IP "exempt_group" 12
+.IX Item "exempt_group"
+Users in this group are exempt from password and \s-1PATH\s0 requirements.
+This is not set by default.
.IP "lecture" 12
.IX Item "lecture"
This option controls when a short lecture will be printed along with
the password prompt. It has the following possible values:
.RS 12
+.IP "always" 8
+.IX Item "always"
+Always lecture the user.
.IP "never" 8
.IX Item "never"
Never lecture the user.
.IP "once" 8
.IX Item "once"
Only lecture the user the first time they run \fBsudo\fR.
-.IP "always" 8
-.IX Item "always"
-Always lecture the user.
.RE
.RS 12
.Sp
.IX Item "lecture_file"
Path to a file containing an alternate \fBsudo\fR lecture that will
be used in place of the standard lecture if the named file exists.
+By default, \fBsudo\fR uses a built-in lecture.
+.IP "listpw" 12
+.IX Item "listpw"
+This option controls when a password will be required when a
+user runs \fBsudo\fR with the \fB\-l\fR flag. It has the following possible values:
+.RS 12
+.IP "all" 8
+.IX Item "all"
+All the user's \fIsudoers\fR entries for the current host must have
+the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
+.IP "always" 8
+.IX Item "always"
+The user must always enter a password to use the \fB\-l\fR flag.
+.IP "any" 8
+.IX Item "any"
+At least one of the user's \fIsudoers\fR entries for the current host
+must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
+.IP "never" 8
+.IX Item "never"
+The user need never enter a password to use the \fB\-l\fR flag.
+.RE
+.RS 12
+.Sp
+If no value is specified, a value of \fIany\fR is implied.
+Negating the option results in a value of \fInever\fR being used.
+The default value is \fIany\fR.
+.RE
.IP "logfile" 12
.IX Item "logfile"
Path to the \fBsudo\fR log file (not the syslog log file). Setting a path
turns on logging to a file; negating this option turns it off.
-.IP "syslog" 12
-.IX Item "syslog"
-Syslog facility if syslog is being used for logging (negate to
-disable syslog logging). Defaults to \f(CW\*(C`@logfac@\*(C'\fR.
+By default, \fBsudo\fR logs via syslog.
+.IP "mailerflags" 12
+.IX Item "mailerflags"
+Flags to use when invoking mailer. Defaults to \fB\-t\fR.
.IP "mailerpath" 12
.IX Item "mailerpath"
Path to mail program used to send warning mail.
Defaults to the path to sendmail found at configure time.
-.IP "mailerflags" 12
-.IX Item "mailerflags"
-Flags to use when invoking mailer. Defaults to \fB\-t\fR.
.IP "mailto" 12
.IX Item "mailto"
Address to send warning and error mail to. The address should
be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR) to protect against \fBsudo\fR
interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to \f(CW\*(C`@mailto@\*(C'\fR.
-.IP "exempt_group" 12
-.IX Item "exempt_group"
-Users in this group are exempt from password and \s-1PATH\s0 requirements.
-This is not set by default.
.IP "secure_path" 12
.IX Item "secure_path"
Path used for every command run from \fBsudo\fR. If you don't trust the
be separate from the \*(L"user path.\*(R" Users in the group specified by the
\&\fIexempt_group\fR option are not affected by \fIsecure_path\fR.
This is not set by default.
+.IP "syslog" 12
+.IX Item "syslog"
+Syslog facility if syslog is being used for logging (negate to
+disable syslog logging). Defaults to \f(CW\*(C`@logfac@\*(C'\fR.
.IP "verifypw" 12
.IX Item "verifypw"
This option controls when a password will be required when a user runs
.IX Item "all"
All the user's \fIsudoers\fR entries for the current host must have
the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
-.IP "any" 8
-.IX Item "any"
-At least one of the user's \fIsudoers\fR entries for the current host
-must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
-.IP "never" 8
-.IX Item "never"
-The user need never enter a password to use the \fB\-v\fR flag.
.IP "always" 8
.IX Item "always"
The user must always enter a password to use the \fB\-v\fR flag.
-.RE
-.RS 12
-.Sp
-If no value is specified, a value of \fIall\fR is implied.
-Negating the option results in a value of \fInever\fR being used.
-The default value is \fIall\fR.
-.RE
-.IP "listpw" 12
-.IX Item "listpw"
-This option controls when a password will be required when a
-user runs \fBsudo\fR with the \fB\-l\fR flag. It has the following possible values:
-.RS 12
-.IP "all" 8
-.IX Item "all"
-All the user's \fIsudoers\fR entries for the current host must have
-the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
.IP "any" 8
.IX Item "any"
At least one of the user's \fIsudoers\fR entries for the current host
must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
.IP "never" 8
.IX Item "never"
-The user need never enter a password to use the \fB\-l\fR flag.
-.IP "always" 8
-.IX Item "always"
-The user must always enter a password to use the \fB\-l\fR flag.
+The user need never enter a password to use the \fB\-v\fR flag.
.RE
.RS 12
.Sp
-If no value is specified, a value of \fIany\fR is implied.
+If no value is specified, a value of \fIall\fR is implied.
Negating the option results in a value of \fInever\fR being used.
-The default value is \fIany\fR.
+The default value is \fIall\fR.
.RE
.PP
\&\fBLists that can be used in a boolean context\fR:
-.IP "env_check" 12
+.IP "env_check" 16
.IX Item "env_check"
Environment variables to be removed from the user's environment if
the variable's value contains \f(CW\*(C`%\*(C'\fR or \f(CW\*(C`/\*(C'\fR characters. This can
they pass the aforementioned check. The default list of environment
variables to check is displayed when \fBsudo\fR is run by root with
the \fI\-V\fR option.
-.IP "env_delete" 12
+.IP "env_delete" 16
.IX Item "env_delete"
Environment variables to be removed from the user's environment.
The argument may be a double\-quoted, space-separated list or a
\&\fI\-V\fR option. Note that many operating systems will remove potentially
dangerous variables from the environment of any setuid process (such
as \fBsudo\fR).
-.IP "env_keep" 12
+.IP "env_keep" 16
.IX Item "env_keep"
Environment variables to be preserved in the user's environment
when the \fIenv_reset\fR option is in effect. This allows fine-grained
\&\fBnotice\fR, and \fBwarning\fR.
.SH "FILES"
.IX Header "FILES"
-.Vb 3
-\& @sysconfdir@/sudoers List of who can run what
-\& /etc/group Local groups file
-\& /etc/netgroup List of network groups
-.Ve
+.ie n .IP "\fI@sysconfdir@/sudoers\fR\*(C` \*(C' List of who can run what" 4
+.el .IP "\fI@sysconfdir@/sudoers\fR\f(CW\*(C` \*(C'\fR List of who can run what" 4
+.IX Item "@sysconfdir@/sudoers List of who can run what"
+.PD 0
+.ie n .IP "\fI/etc/group\fR\*(C` \*(C' Local groups file" 4
+.el .IP "\fI/etc/group\fR\f(CW\*(C` \*(C'\fR Local groups file" 4
+.IX Item "/etc/group Local groups file"
+.ie n .IP "\fI/etc/netgroup\fR\*(C` \*(C' List of network groups" 4
+.el .IP "\fI/etc/netgroup\fR\f(CW\*(C` \*(C'\fR List of network groups" 4
+.IX Item "/etc/netgroup List of network groups"
+.PD
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Below are example \fIsudoers\fR entries. Admittedly, some of
local log file and make sure we log the year in each log line since
the log entries will be kept around for several years. Lastly, we
disable shell escapes for the commands in the \s-1PAGERS\s0 \f(CW\*(C`Cmnd_Alias\*(C'\fR
-(/usr/bin/more, /usr/bin/pg and /usr/bin/less).
+(\fI/usr/bin/more\fR, \fI/usr/bin/pg\fR and \fI/usr/bin/less\fR).
.PP
.Vb 7
\& # Override built-in defaults
.Ve
.PP
The user \fBjim\fR may run any command on machines in the \fIbiglab\fR netgroup.
-\&\fBSudo\fR knows that \*(L"biglab\*(R" is a netgroup due to the '+' prefix.
+\&\fBsudo\fR knows that \*(L"biglab\*(R" is a netgroup due to the '+' prefix.
.PP
.Vb 1
\& +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
.Ve
.PP
For any machine in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, \fBjill\fR may run
-any commands in the directory /usr/bin/ except for those commands
+any commands in the directory \fI/usr/bin/\fR except for those commands
belonging to the \fI\s-1SU\s0\fR and \fI\s-1SHELLS\s0\fR \f(CW\*(C`Cmnd_Aliases\*(C'\fR.
.PP
.Vb 1
Common programs that permit shell escapes include shells (obviously),
editors, paginators, mail and terminal programs.
.PP
-There are three basic approaches to this problem:
+There are two basic approaches to this problem:
.IP "restrict" 10
.IX Item "restrict"
Avoid giving users access to commands that allow the user to run
then \fBsudo\fR may be able to replace the exec family of functions
in the standard library with its own that simply return an error.
Unfortunately, there is no foolproof way to know whether or not
-\&\fInoexec\fR will work at compile\-time. \fINoexec\fR should work on
+\&\fInoexec\fR will work at compile\-time. \fInoexec\fR should work on
SunOS, Solaris, *BSD, Linux, \s-1IRIX\s0, Tru64 \s-1UNIX\s0, MacOS X, and HP-UX
-11.x. It is known \fBnot\fR to work on \s-1AIX\s0 and UnixWare. \fINoexec\fR
+11.x. It is known \fBnot\fR to work on \s-1AIX\s0 and UnixWare. \fInoexec\fR
is expected to work on most operating systems that support the
\&\f(CW\*(C`LD_PRELOAD\*(C'\fR environment variable. Check your operating system's
manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld,
executing other commands (such as a shell). If you are unsure
whether or not your system is capable of supporting \fInoexec\fR you
can always just try it out and see if it works.
-.IP "monitor" 10
-.IX Item "monitor"
-On operating systems that support the \fBsystrace\fR pseudo\-device,
-the \f(CW\*(C`\-\-with\-systrace\*(C'\fR configure option can be used to compile
-support for proccess monitoring in \fBsudo\fR. In monitor mode
-\&\fBsudo\fR can transparently intercept a new command, allow or deny
-it based on \fIsudoers\fR, and log the result. This does require that
-\&\fBsudo\fR become a daemon that persists until the command and all its
-descendents have exited.
-.Sp
-To enable monitor mode on a per-command basis, use the \f(CW\*(C`MONITOR\*(C'\fR
-tag as documented in the User Specification section above. Here
-is that example again:
-.Sp
-.Vb 1
-\& chuck research = MONITOR: ALL
-.Ve
-.Sp
-This allows user \fBchuck\fR to run any command on the machine research
-in monitor mode. Any commands run via shell escapes will be logged
-by \fBsudo\fR.
-.Sp
-At the time of this writing the \fBsystrace\fR pseudo-device comes
-standard with OpenBSD and NetBSD and is available as patches to
-FreeBSD, MacOS X and Linux. See <http://www.systrace.org/> for
-more information.
.PP
Note that restricting shell escapes is not a panacea. Programs
running as root are still capable of many potentially hazardous
\&\fBsudoedit\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
-\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), sudo(@mansectsu@), visudo(@mansectsu@)
+\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), \fIsudo\fR\|(@mansectsu@), \fIvisudo\fR\|(8)
.SH "CAVEATS"
.IX Header "CAVEATS"
The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR
search the archives.
.SH "DISCLAIMER"
.IX Header "DISCLAIMER"
-\&\fBSudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
+\&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
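Review bot: the new root_sudo paragraph has a stray word in `+will also prevent root and from running \fBsudoedit\fR.`; it should read "will also prevent root from running \fBsudoedit\fR." Two consistency points in the same region: the boolean, integer, string and list items are re-indented from 12 to 16, but the items under "Strings that can be used in a boolean context" (`+.IP "exempt_group" 12` through `.IP "verifypw" 12`) are left at 12, so the rendered DEFAULTS list will have mixed hanging indents; and the SEE ALSO line now hardcodes the visudo section as `\fIvisudo\fR\|(8)` while sudo keeps `\fIsudo\fR\|(@mansectsu@)`, so visudo should also use the configure-substituted section (`\fIvisudo\fR\|(@mansectsu@)`) as the original line did.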