-1.6.9 September 30, 2004 1
+1.6.9 October 4, 2004 1
-1.6.9 September 30, 2004 2
+1.6.9 October 4, 2004 2
-1.6.9 September 30, 2004 3
+1.6.9 October 4, 2004 3
-1.6.9 September 30, 2004 4
+1.6.9 October 4, 2004 4
mail_badpass
Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user if the user run
- ning sudo does not enter the correct password.
+ ning s\bsu\bud\bdo\bo does not enter the correct password.
This flag is _\bo_\bf_\bf by default.
mail_no_user
-1.6.9 September 30, 2004 5
+1.6.9 October 4, 2004 5
-1.6.9 September 30, 2004 6
+1.6.9 October 4, 2004 6
-1.6.9 September 30, 2004 7
+1.6.9 October 4, 2004 7
can be useful on systems that disable some
potentially dangerous functionality when a
program is run setuid. Note, however, that
- this means that sudo will run with the real
+ this means that s\bsu\bud\bdo\bo will run with the real
uid of the invoking user which may allow that
user to kill s\bsu\bud\bdo\bo before it can log a failure,
depending on how your OS defines the interac
-1.6.9 September 30, 2004 8
+1.6.9 October 4, 2004 8
with the --with-logincap option. This flag is
_\bo_\bf_\bf by default.
- noexec If set, all commands run via sudo will behave
+ noexec If set, all commands run via s\bsu\bud\bdo\bo will behave
as if the NOEXEC tag has been set, unless
overridden by a EXEC tag. See the description
of _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC below as well as the "PRE
VENTING SHELL ESCAPES" section at the end of
this manual. This flag is _\bo_\bf_\bf by default.
- trace If set, all commands run via sudo will behave
- as if the TRACE tag has been set, unless over
- ridden by a NOTRACE tag. See the description
- of _\bT_\bR_\bA_\bC_\bE _\ba_\bn_\bd _\bN_\bO_\bT_\bR_\bA_\bC_\bE below as well as the
- "PREVENTING SHELL ESCAPES" section at the end
- of this manual. Be aware that tracing is only
- supported on certain operating systems. On
- systems where it is not supported this flag
- will have no effect. This flag is _\bo_\bf_\bf by
- default.
+ monitor If set, all commands run via s\bsu\bud\bdo\bo will behave
+ as if the MONITOR tag has been set, unless
+ overridden by a NOMONITOR tag. See the
+ description of _\bM_\bO_\bN_\bI_\bT_\bO_\bR _\ba_\bn_\bd _\bN_\bO_\bM_\bO_\bN_\bI_\bT_\bO_\bR below as
+ well as the "PREVENTING SHELL ESCAPES" section
+ at the end of this manual. Be aware that
+ tracing is only supported on certain operating
+ systems. On systems where it is not supported
+ this flag will have no effect. This flag is
+ _\bo_\bf_\bf by default.
ignore_local_sudoers
If set via LDAP, parsing of @sysconfdir@/sudo
who would attempt to add roles to
@sysconfdir@/sudoers. When this option is
present, @sysconfdir@/sudoers does not even
- need to exist. Since this options tells sudo
+ need to exist. Since this options tells s\bsu\bud\bdo\bo
how to behave when no specific LDAP entries
have been matched, this sudoOption is only
meaningful for the cn=defaults section. This
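Review bot: The renamed `monitor` flag entry still carries the sentence "Be aware that tracing is only supported on certain operating systems" (the lines following "at the end of this manual"), which is wording inherited from the `trace` entry it replaces; now that the flag and tag are called monitor/MONITOR, this should read "monitor mode is only supported on certain operating systems" so the caveat is recognisably about the flag being set. Since the `ignore_local_sudoers` line is being touched as well, "Since this options tells sudo" should become "Since this option tells sudo".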
-1.6.9 September 30, 2004 9
+1.6.9 October 4, 2004 9
-1.6.9 September 30, 2004 10
+1.6.9 October 4, 2004 10
-1.6.9 September 30, 2004 11
+1.6.9 October 4, 2004 11
The default value is _\bo_\bn_\bc_\be.
lecture_file
- Path to a file containing an alternate sudo
+ Path to a file containing an alternate s\bsu\bud\bdo\bo
lecture that will be used in place of the
standard lecture if the named file exists.
mailto Address to send warning and error mail to.
The address should be enclosed in double
- quotes (") to protect against sudo interpret
+ quotes (") to protect against s\bsu\bud\bdo\bo interpret
ing the @ sign. Defaults to root.
exempt_group
-1.6.9 September 30, 2004 12
+1.6.9 October 4, 2004 12
-1.6.9 September 30, 2004 13
+1.6.9 October 4, 2004 13
Runas_Spec ::= '(' Runas_List ')'
Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
- 'TRACE' | 'NOTRACE')
+ 'MONITOR' | 'NOMONITOR')
A u\bus\bse\ber\br s\bsp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn determines which commands a user may
run (and as what user) on specified hosts. By default,
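Review bot: The Tag_Spec grammar writes the renamed alternatives as 'MONITOR' | 'NOMONITOR' without the trailing colon that 'NOPASSWD:', 'PASSWD:', 'NOEXEC:' and 'EXEC:' carry, while the example further down uses "chuck research = MONITOR: ALL". Either the grammar should read 'MONITOR:' | 'NOMONITOR:' or the example is wrong; as written an administrator cannot tell which spelling the parser accepts, and a silently rejected or misparsed tag on a security policy line is the kind of mistake the grammar exists to prevent.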
-1.6.9 September 30, 2004 14
+1.6.9 October 4, 2004 14
A command may have zero or more tags associated with it.
There are four possible tag values, NOPASSWD, PASSWD,
- NOEXEC, EXEC, TRACE and NOTRACE. Once a tag is set on a
- Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit the
- tag unless it is overridden by the opposite tag (ie:
- PASSWD overrides NOPASSWD and NOTRACE overrides TRACE).
+ NOEXEC, EXEC, MONITOR and NOMONITOR. Once a tag is set on
+ a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit
+ the tag unless it is overridden by the opposite tag (ie:
+ PASSWD overrides NOPASSWD and NOMONITOR overrides MONI
+ TOR).
_\bN_\bO_\bP_\bA_\bS_\bS_\bW_\bD _\ba_\bn_\bd _\bP_\bA_\bS_\bS_\bW_\bD
_\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC
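Review bot: The paragraph still opens with "There are four possible tag values" but the rewritten continuation lists six (NOPASSWD, PASSWD, NOEXEC, EXEC, MONITOR and NOMONITOR); the count was already wrong with TRACE/NOTRACE and should be corrected to "six" while these lines are being regenerated. Minor: "ie:" should be "i.e.,".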
- If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the
-1.6.9 September 30, 2004 15
+1.6.9 October 4, 2004 15
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the
underlying operating system supports it, the NOEXEC tag
can be used to prevent a dynamically-linked executable
from running further commands itself.
details on how NOEXEC works and whether or not it will
work on your system.
- _\bT_\bR_\bA_\bC_\bE _\ba_\bn_\bd _\bN_\bO_\bT_\bR_\bA_\bC_\bE
+ _\bM_\bO_\bN_\bI_\bT_\bO_\bR _\ba_\bn_\bd _\bN_\bO_\bM_\bO_\bN_\bI_\bT_\bO_\bR
If s\bsu\bud\bdo\bo has been configured with the --with-systrace
- option, the TRACE tag can be used to cause programs
+ option, the MONITOR tag can be used to cause programs
spawned by a command to be checked against _\bs_\bu_\bd_\bo_\be_\br_\bs and
logged just like they would be if run through s\bsu\bud\bdo\bo
directly. This is useful in conjunction with commands
nators.
In the following example, user c\bch\bhu\buc\bck\bk may run any command
- on the machine research with tracing enabled.
+ on the machine research in monitor mode.
- chuck research = TRACE: ALL
+ chuck research = MONITOR: ALL
See the "PREVENTING SHELL ESCAPES" section below for more
- details on how TRACE works and whether or not it will work
- on your system.
+ details on how MONITOR works and whether or not it will
+ work on your system.
W\bWi\bil\bld\bdc\bca\bar\brd\bds\bs
"?", "[", and "}".
Note that a forward slash ('/') will n\bno\bot\bt be matched by
- wildcards used in the pathname. When matching the command
-1.6.9 September 30, 2004 16
+1.6.9 October 4, 2004 16
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ wildcards used in the pathname. When matching the command
line arguments, however, a slash d\bdo\boe\bes\bs get matched by wild
cards. This is to make a path like:
#include /etc/sudoers.local
- When s\bsu\bud\bdo\bo reaches this line it will suspend processing of
-1.6.9 September 30, 2004 17
+1.6.9 October 4, 2004 17
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ When s\bsu\bud\bdo\bo reaches this line it will suspend processing of
the current file (_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs) and switch to _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b
_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. Upon reaching the end of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl,
the rest of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs will be processed. Files that
is important. In general, you should structure _\bs_\bu_\bd_\bo_\be_\br_\bs
such that the Host_Alias, User_Alias, and Cmnd_Alias spec
ifications come first, followed by any Default_Entry
- lines, and finally the Runas_Alias and user
-1.6.9 September 30, 2004 18
+1.6.9 October 4, 2004 18
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- specifications. The basic rule of thumb is you cannot
- reference an Alias that has not already been defined.
+ lines, and finally the Runas_Alias and user specifica
+ tions. The basic rule of thumb is you cannot reference an
+ Alias that has not already been defined.
Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of
these are a bit contrived. First, we define our _\ba_\bl_\bi_\ba_\bs_\be_\bs:
-
-1.6.9 September 30, 2004 19
+1.6.9 October 4, 2004 19
-1.6.9 September 30, 2004 20
+1.6.9 October 4, 2004 20
-1.6.9 September 30, 2004 21
+1.6.9 October 4, 2004 21
the user to run arbitrary commands. Many edi
tors have a restricted mode where shell escapes
are disabled, though s\bsu\bud\bdo\boe\bed\bdi\bit\bt is a better solu
- tion to running editors via sudo. Due to the
+ tion to running editors via s\bsu\bud\bdo\bo. Due to the
large number of programs that offer shell
escapes, restricting users to the set of pro
grams that do not if often unworkable.
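Review bot: Two lines below the changed line, "restricting users to the set of programs that do not if often unworkable" has "if" for "is"; since this paragraph is being regenerated anyway, fix it in the same pass.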
-1.6.9 September 30, 2004 22
+1.6.9 October 4, 2004 22
On such systems, s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality can
- be used to prevent a program run by sudo from
+ be used to prevent a program run by s\bsu\bud\bdo\bo from
executing any other programs. Note, however,
that this applies only to native dynamically-
linked executables. Statically-linked executa
porting _\bn_\bo_\be_\bx_\be_\bc you can always just try it out
and see if it works.
- tracing On operating systems that support the s\bsy\bys\bst\btr\bra\bac\bce\be
+ monitor On operating systems that support the s\bsy\bys\bst\btr\bra\bac\bce\be
pseudo-device, the --with-systrace configure
- option can be used to compile support for com
- mand tracing in s\bsu\bud\bdo\bo. With s\bsy\bys\bst\btr\bra\bac\bce\be support
- s\bsu\bud\bdo\bo can transparently intercept a new command,
- allow or deny it based on _\bs_\bu_\bd_\bo_\be_\br_\bs, and log the
- result. This does require that s\bsu\bud\bdo\bo become a
+ option can be used to compile support for proc
+ cess monitoring in s\bsu\bud\bdo\bo. In monitor mode s\bsu\bud\bdo\bo
+ can transparently intercept a new command, allow
+ or deny it based on _\bs_\bu_\bd_\bo_\be_\br_\bs, and log the result.
+ This does require that s\bsu\bud\bdo\bo become a daemon that
-1.6.9 September 30, 2004 23
+1.6.9 October 4, 2004 23
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- daemon that persists until the command and all
- its descendents have finished.
+ persists until the command and all its descen
+ dents have exited.
- To enable tracing on a per-command basis, use
- the TRACE tag as documented in the User Specifi
- cation section above. Here is that example
- again:
+ To enable monitor mode on a per-command basis,
+ use the MONITOR tag as documented in the User
+ Specification section above. Here is that exam
+ ple again:
- chuck research = TRACE: ALL
+ chuck research = MONITOR: ALL
This allows user c\bch\bhu\buc\bck\bk to run any command on the
- machine research with tracing enabled. Any com
- mands run via shell escapes will be logged by
- sudo.
+ machine research in monitor mode. Any commands
+ run via shell escapes will be logged by s\bsu\bud\bdo\bo.
At the time of this writing the s\bsy\bys\bst\btr\bra\bac\bce\be pseudo-
device comes standard with OpenBSD and NetBSD
http://www.sudo.ws/sudo/support.html for details.
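Review bot: In the new `monitor` paragraph the hyphenation "proc-" / "cess" yields "proccess"; it should be "process monitoring" (split as "pro-" / "cess" or kept on one line). Likewise "descen-" / "dents" should be "descendants". Also, this paragraph uses "monitor mode" consistently, but the `monitor` Defaults flag description earlier in the page still says "tracing is only supported on certain operating systems"; use the same term in both places so an administrator can match the flag to this section.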
Limited free support is available via the sudo-users mail
- ing list, see
+ ing list, see http://www.sudo.ws/mail
+ man/listinfo/sudo-users to subscribe or search the
-1.6.9 September 30, 2004 24
+1.6.9 October 4, 2004 24
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- http://www.sudo.ws/mailman/listinfo/sudo-users to sub
- scribe or search the archives.
+ archives.
D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
S\bSu\bud\bdo\bo is provided ``AS IS'' and any express or implied war
-1.6.9 September 30, 2004 25
+
+1.6.9 October 4, 2004 25
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "September 30, 2004" "1.6.9" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "October 4, 2004" "1.6.9" "MAINTENANCE COMMANDS"
.SH "NAME"
sudoers \- list of which users may execute what
.SH "DESCRIPTION"
This flag is \fIoff\fR by default.
.IP "mail_badpass" 12
.IX Item "mail_badpass"
-Send mail to the \fImailto\fR user if the user running sudo does not
+Send mail to the \fImailto\fR user if the user running \fBsudo\fR does not
enter the correct password. This flag is \fIoff\fR by default.
.IP "mail_no_user" 12
.IX Item "mail_no_user"
user's \s-1UID\s0. In other words, this makes \fBsudo\fR act as a setuid
wrapper. This can be useful on systems that disable some potentially
dangerous functionality when a program is run setuid. Note, however,
-that this means that sudo will run with the real uid of the invoking
+that this means that \fBsudo\fR will run with the real uid of the invoking
user which may allow that user to kill \fBsudo\fR before it can log a
failure, depending on how your \s-1OS\s0 defines the interaction between
signals and setuid processes.
the \-\-with\-logincap option. This flag is \fIoff\fR by default.
.IP "noexec" 12
.IX Item "noexec"
-If set, all commands run via sudo will behave as if the \f(CW\*(C`NOEXEC\*(C'\fR
+If set, all commands run via \fBsudo\fR will behave as if the \f(CW\*(C`NOEXEC\*(C'\fR
tag has been set, unless overridden by a \f(CW\*(C`EXEC\*(C'\fR tag. See the
description of \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR below as well as the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section at the end of this manual. This flag is \fIoff\fR by default.
-.IP "trace" 12
-.IX Item "trace"
-If set, all commands run via sudo will behave as if the \f(CW\*(C`TRACE\*(C'\fR
-tag has been set, unless overridden by a \f(CW\*(C`NOTRACE\*(C'\fR tag. See the
-description of \fI\s-1TRACE\s0 and \s-1NOTRACE\s0\fR below as well as the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section at the end of this manual. Be aware that
+.IP "monitor" 12
+.IX Item "monitor"
+If set, all commands run via \fBsudo\fR will behave as if the \f(CW\*(C`MONITOR\*(C'\fR
+tag has been set, unless overridden by a \f(CW\*(C`NOMONITOR\*(C'\fR tag. See the
+description of \fI\s-1MONITOR\s0 and \s-1NOMONITOR\s0\fR below as well as the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section at the end of this manual. Be aware that
tracing is only supported on certain operating systems. On systems
where it is not supported this flag will have no effect.
This flag is \fIoff\fR by default.
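Review bot: "Be aware that tracing is only supported on certain operating systems" is left unchanged in the renamed `monitor` entry; with the flag and tag now called monitor/MONITOR this should say "monitor mode is only supported on certain operating systems". The preformatted copy of the page needs the same correction.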
sudoers files so that only \s-1LDAP\s0 is used. This thwarts the efforts of
rogue operators who would attempt to add roles to \f(CW@sysconfdir\fR@/sudoers.
When this option is present, \f(CW@sysconfdir\fR@/sudoers does not even need to exist.
-Since this options tells sudo how to behave when no specific \s-1LDAP\s0 entries
+Since this options tells \fBsudo\fR how to behave when no specific \s-1LDAP\s0 entries
have been matched, this sudoOption is only meaningful for the cn=defaults
section. This flag is \fIoff\fR by default.
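Review bot: "Since this options tells \fBsudo\fR" should be "Since this option tells \fBsudo\fR"; the line is being rewritten anyway.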
.PP
.RE
.IP "lecture_file" 12
.IX Item "lecture_file"
-Path to a file containing an alternate sudo lecture that will
+Path to a file containing an alternate \fBsudo\fR lecture that will
be used in place of the standard lecture if the named file exists.
.IP "logfile" 12
.IX Item "logfile"
.IP "mailto" 12
.IX Item "mailto"
Address to send warning and error mail to. The address should
-be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR) to protect against sudo
+be enclosed in double quotes (\f(CW\*(C`"\*(C'\fR) to protect against \fBsudo\fR
interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to \f(CW\*(C`@mailto@\*(C'\fR.
.IP "exempt_group" 12
.IX Item "exempt_group"
.PP
.Vb 2
\& Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
-\& 'TRACE' | 'NOTRACE')
+\& 'MONITOR' | 'NOMONITOR')
.Ve
.PP
A \fBuser specification\fR determines which commands a user may run
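Review bot: The .Vb block writes 'MONITOR' | 'NOMONITOR' without the trailing colon that the other Tag_Spec alternatives ('NOPASSWD:', 'PASSWD:', 'NOEXEC:', 'EXEC:') have, while the example later in the page uses "chuck research = MONITOR: ALL"; make the grammar 'MONITOR:' | 'NOMONITOR:' (or correct the example) so the documented syntax and the example agree.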
.IX Subsection "Tag_Spec"
A command may have zero or more tags associated with it. There are
four possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, \f(CW\*(C`EXEC\*(C'\fR,
-\&\f(CW\*(C`TRACE\*(C'\fR and \f(CW\*(C`NOTRACE\*(C'\fR.
+\&\f(CW\*(C`MONITOR\*(C'\fR and \f(CW\*(C`NOMONITOR\*(C'\fR.
Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR, subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the
\&\f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless it is overridden by the
-opposite tag (ie: \f(CW\*(C`PASSWD\*(C'\fR overrides \f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOTRACE\*(C'\fR
-overrides \f(CW\*(C`TRACE\*(C'\fR).
+opposite tag (ie: \f(CW\*(C`PASSWD\*(C'\fR overrides \f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOMONITOR\*(C'\fR
+overrides \f(CW\*(C`MONITOR\*(C'\fR).
.PP
\fI\s-1NOPASSWD\s0 and \s-1PASSWD\s0\fR
.IX Subsection "NOPASSWD and PASSWD"
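Review bot: "There are four possible tag values" precedes a list of six (NOPASSWD, PASSWD, NOEXEC, EXEC, MONITOR, NOMONITOR); change "four" to "six" while this paragraph is being edited. Minor: "ie:" should be "i.e.,".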
See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details
on how \f(CW\*(C`NOEXEC\*(C'\fR works and whether or not it will work on your system.
.PP
-\fI\s-1TRACE\s0 and \s-1NOTRACE\s0\fR
-.IX Subsection "TRACE and NOTRACE"
+\fI\s-1MONITOR\s0 and \s-1NOMONITOR\s0\fR
+.IX Subsection "MONITOR and NOMONITOR"
.PP
If \fBsudo\fR has been configured with the \f(CW\*(C`\-\-with\-systrace\*(C'\fR option,
-the \f(CW\*(C`TRACE\*(C'\fR tag can be used to cause programs spawned by a command
+the \f(CW\*(C`MONITOR\*(C'\fR tag can be used to cause programs spawned by a command
to be checked against \fIsudoers\fR and logged just like they would
be if run through \fBsudo\fR directly. This is useful in conjunction
with commands that allow shell escapes such as editors, shells and
paginators.
.PP
In the following example, user \fBchuck\fR may run any command on the
-machine research with tracing enabled.
+machine research in monitor mode.
.PP
.Vb 1
-\& chuck research = TRACE: ALL
+\& chuck research = MONITOR: ALL
.Ve
.PP
See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details
-on how \f(CW\*(C`TRACE\*(C'\fR works and whether or not it will work on your system.
+on how \f(CW\*(C`MONITOR\*(C'\fR works and whether or not it will work on your system.
.Sh "Wildcards"
.IX Subsection "Wildcards"
\&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters)
Avoid giving users access to commands that allow the user to run
arbitrary commands. Many editors have a restricted mode where shell
escapes are disabled, though \fBsudoedit\fR is a better solution to
-running editors via sudo. Due to the large number of programs that
+running editors via \fBsudo\fR. Due to the large number of programs that
offer shell escapes, restricting users to the set of programs that
do not if often unworkable.
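Review bot: "restricting users to the set of programs that do not if often unworkable", immediately after the changed line, should read "is often unworkable".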
.IP "noexec" 10
override default library functions by pointing an environment
variable (usually \f(CW\*(C`LD_PRELOAD\*(C'\fR) to an alternate shared library.
On such systems, \fBsudo\fR's \fInoexec\fR functionality can be used to
-prevent a program run by sudo from executing any other programs.
+prevent a program run by \fBsudo\fR from executing any other programs.
Note, however, that this applies only to native dynamically-linked
executables. Statically-linked executables and foreign executables
running under binary emulation are not affected.
executing other commands (such as a shell). If you are unsure
whether or not your system is capable of supporting \fInoexec\fR you
can always just try it out and see if it works.
-.IP "tracing" 10
-.IX Item "tracing"
+.IP "monitor" 10
+.IX Item "monitor"
On operating systems that support the \fBsystrace\fR pseudo\-device,
the \f(CW\*(C`\-\-with\-systrace\*(C'\fR configure option can be used to compile
-support for command tracing in \fBsudo\fR. With \fBsystrace\fR support
+support for proccess monitoring in \fBsudo\fR. In monitor mode
\&\fBsudo\fR can transparently intercept a new command, allow or deny
it based on \fIsudoers\fR, and log the result. This does require that
\&\fBsudo\fR become a daemon that persists until the command and all its
-descendents have finished.
+descendents have exited.
.Sp
-To enable tracing on a per-command basis, use the \f(CW\*(C`TRACE\*(C'\fR tag as
-documented in the User Specification section above. Here is that
-example again:
+To enable monitor mode on a per-command basis, use the \f(CW\*(C`MONITOR\*(C'\fR
+tag as documented in the User Specification section above. Here
+is that example again:
.Sp
.Vb 1
-\& chuck research = TRACE: ALL
+\& chuck research = MONITOR: ALL
.Ve
.Sp
This allows user \fBchuck\fR to run any command on the machine research
-with tracing enabled. Any commands run via shell escapes will be
-logged by sudo.
+in monitor mode. Any commands run via shell escapes will be logged
+by \fBsudo\fR.
.Sp
At the time of this writing the \fBsystrace\fR pseudo-device comes
standard with OpenBSD and NetBSD and is available as patches to
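Review bot: "support for proccess monitoring" in the new `.IP "monitor"` paragraph should be "process monitoring", and "descendents have exited" should be "descendants have exited". The preformatted copy of the page contains the same two typos and should be regenerated after the fix.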