ethernet _\bi_\bn_\bt_\be_\br_\bf_\ba_\bc_\be(s) will be used when matching. The
netmask may be specified either in dotted quad notation
(eg. 255.255.255.0) or CIDR notation (number of bits, eg.
- 24).
+ 24). A hostname may include shell-style wildcards (see
+ `Wildcards' section below), but unless the hostname
+ command on your machine returns the fully qualified
+ hostname, you'll need to use the _\bf_\bq_\bd_\bn option for wildcards
+ to be useful.
Cmnd_List ::= Cmnd |
Cmnd ',' Cmnd_List
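Review bot: The new sentence on hostname wildcards states the fqdn dependency correctly, but it would help to spell out the consequence, since a pattern written against the fully qualified form will simply not match a host whose hostname command returns the short name (the entry grants nothing on that host, and the administrator gets no warning). This is the same point the Caveats paragraph at the end makes for netgroups of machines; either sentence could cross-reference the other instead of stating it twice. The cross-reference to the `Wildcards' section and the unhyphenated "fully qualified" match the wording used in the later hunks.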
'!'* Cmnd_Alias
A Cmnd_List is a list of one or more commandnames,
- directories, and other aliases. A commandname is a fully-
+ directories, and other aliases. A commandname is a fully
qualified filename which may include shell-style wildcards
(see `Wildcards' section below). A simple filename allows
the user to run the command with any arguments he/she
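Review bot: The only change here is dropping the hyphen in "fully-qualified" where the word is split across the line break ("fully-" / "qualified" becomes "fully" / "qualified"), which is consistent with the same edit in the Caveats hunk and with the new Host_List text. Since this file is formatted output, make sure the spelling change is also made in the source it is generated from, otherwise the next regeneration will bring the hyphen back.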
be escaped with a '\' if they are used in command
arguments: ',', ':', '=', '\'.
- D\bD\bD\bDe\be\be\bef\bf\bf\bfa\ba\ba\bau\bu\bu\bul\bl\bl\blt\bt\bt\bts\bs\bs\bs
- Certain configuration options may be changed from their
- default values at runtime via one or more Default_Entry
- lines. These may affect all users on any host, all users
- on a specific host, or just a specific user. When
- multiple entries match, they are applied in order. Where
+
+
sudoers(5) FILE FORMATS sudoers(5)
+ D\bD\bD\bDe\be\be\bef\bf\bf\bfa\ba\ba\bau\bu\bu\bul\bl\bl\blt\bt\bt\bts\bs\bs\bs
+
+ Certain configuration options may be changed from their
+ default values at runtime via one or more Default_Entry
+ lines. These may affect all users on any host, all users
+ on a specific host, or just a specific user. When
+ multiple entries match, they are applied in order. Where
there are conflicting values, the last value on a matching
line takes effect.
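Review bot: This hunk moves the Defaults heading and the first five lines of its paragraph from above the `sudoers(5) FILE FORMATS sudoers(5)` page header to below it, and inserts a blank line between the heading and "Certain configuration options"; no wording changes. It is a knock-on effect of the five lines added to the Host_List paragraph, and the same page-break shuffle repeats in most of the hunks that follow. If the formatted page is regenerated at release time anyway, consider leaving the formatted copy out of this change so that reviewers only have to read the wording edits.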
if the invoking user exists in the _\bs_\bu_\bd_\bo_\be_\br_\bs
file, but is not allowed to run commands on
the current host. This flag is off by
- default.
-
- mail_no_perms
- If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user
- if the invoking user allowed to use s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo but
- the command they are trying is not listed in
- their _\bs_\bu_\bd_\bo_\be_\br_\bs file entry. This flag is off by
default.
+ mail_no_perms
+ If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user
+ if the invoking user allowed to use s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo but
+ the command they are trying is not listed in
+ their _\bs_\bu_\bd_\bo_\be_\br_\bs file entry. This flag is off by
+ default.
+
tty_tickets If set, users must authenticate on a per-tty
basis. Normally, s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo uses a directory in the
ticket dir with the same name as the user
set_home If set and s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo is invoked with the -s flag
the HOME environment variable will be set to
the home directory of the target user (which
- is root unless the -u option is used). This
- effectively makes the -s flag imply -H. This
- flag is off by default.
-
- path_info Normally, s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo will tell the user when a
- command could not be found in their $PATH.
- Some sites may wish to disable this as it
sudoers(5) FILE FORMATS sudoers(5)
+ is root unless the -u option is used). This
+ effectively makes the -s flag imply -H. This
+ flag is off by default.
+
+ path_info Normally, s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo will tell the user when a
+ command could not be found in their $PATH.
+ Some sites may wish to disable this as it
could be used to gather information on the
location of executables that the normal user
does not have access to. The disadvantage is
to get a shell (which would be a root shell
and not be logged).
- rootpw If set, s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo will prompt for the root password
- instead of the password of the invoking user.
-
- runaspw If set, s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo will prompt for the password of
- the user defined by the _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt option
- (defaults to root) instead of the password of
- the invoking user.
sudoers(5) FILE FORMATS sudoers(5)
+ rootpw If set, s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo will prompt for the root password
+ instead of the password of the invoking user.
+
+ runaspw If set, s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo will prompt for the password of
+ the user defined by the _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt option
+ (defaults to root) instead of the password of
+ the invoking user.
+
targetpw If set, s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo will prompt for the password of
the user specified by the -u flag (defaults to
root) instead of the password of the invoking
passwd_timeout
Number of minutes before the s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo password
prompt times out. The default is 5, set this
- to 0 for no password timeout.
- umask Umask to use when running the root command.
- Set this to 0777 to not override the user's
- umask. The default is 0022.
- S\bS\bS\bSt\bt\bt\btr\br\br\bri\bi\bi\bin\bn\bn\bng\bg\bg\bgs\bs\bs\bs:
+22/Mar/2000 1.6.3 7
-22/Mar/2000 1.6.3 7
+sudoers(5) FILE FORMATS sudoers(5)
+ to 0 for no password timeout.
-sudoers(5) FILE FORMATS sudoers(5)
+ umask Umask to use when running the root command.
+ Set this to 0777 to not override the user's
+ umask. The default is 0022.
+ S\bS\bS\bSt\bt\bt\btr\br\br\bri\bi\bi\bin\bn\bn\bng\bg\bg\bgs\bs\bs\bs:
mailsub Subject of the mail sent to the _\bm_\ba_\bi_\bl_\bt_\bo user.
The escape %h will expand to the hostname of
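Review bot: The removed and added footer and header lines in this hunk ("22/Mar/2000 1.6.3 7" and "sudoers(5) FILE FORMATS sudoers(5)") are identical on both sides; diff shows them as changed only because "to 0 for no password timeout." moved across the page break. The umask and Strings: text is carried over unchanged, so there is nothing to review on content here.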
syslog Syslog facility if syslog is being used for
logging (negate to disable syslog logging).
- Defaults to "local2".
-
- mailerpath Path to mail program used to send warning
- mail. Defaults to the path to sendmail found
- at configure time.
-
- mailerflags Flags to use when invoking mailer. Defaults to
- -t.
sudoers(5) FILE FORMATS sudoers(5)
+ Defaults to "local2".
+
+ mailerpath Path to mail program used to send warning
+ mail. Defaults to the path to sendmail found
+ at configure time.
+
+ mailerflags Flags to use when invoking mailer. Defaults to
+ -t.
+
mailto Address to send warning and erorr mail to.
Defaults to "root".
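Review bot: The trailing context line "Address to send warning and erorr mail to." carries a typo ("erorr" for "error") that this patch leaves in place. Since this hunk already touches the adjacent mailerpath/mailerflags block, fix the typo in the source the page is generated from so the next regeneration picks it up.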
current host must have the C<NOPASSWD>
flag set to avoid entering a password.
- any At least one of the user's I<sudoers> entries
- for the current host must have the
- C<NOPASSWD> flag set to avoid entering a
- password.
- never The user need never enter a password to use
- the B<-l> flag.
-
- always The user must always enter a password to use
- the B<-l> flag.
sudoers(5) FILE FORMATS sudoers(5)
+ any At least one of the user's I<sudoers> entries
+ for the current host must have the
+ C<NOPASSWD> flag set to avoid entering a
+ password.
+
+ never The user need never enter a password to use
+ the B<-l> flag.
+
+ always The user must always enter a password to use
+ the B<-l> flag.
+
The default value is `any'.
When logging via _\bs_\by_\bs_\bl_\bo_\bg(3), s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo accepts the following
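Review bot: Both the removed and the added lines of the verifypw value list still contain raw POD markup (I<sudoers>, C<NOPASSWD>, B<-l>) instead of the overstruck underline/bold rendering used everywhere else on the page (compare the _\bs_\bu_\bd_\bo_\be_\br_\bs in the mail_no_host entry). The formatter is not interpreting the escapes in this list, most likely because it sits in a verbatim (indented) block in the source; taking the list out of the verbatim block, or removing the escapes, would fix the rendered text. This hunk only re-paginates, so it is a good place to catch the problem before the page is regenerated again.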
The user d\bd\bd\bdg\bg\bg\bgb\bb\bb\bb may run _\b/_\bb_\bi_\bn_\b/_\bl_\bs, _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm
-- but only as o\bo\bo\bop\bp\bp\bpe\be\be\ber\br\br\bra\ba\ba\bat\bt\bt\bto\bo\bo\bor\br\br\br. Eg.
- sudo -u operator /bin/ls.
-
- It is also possible to override a Runas_Spec later on in
- an entry. If we modify the entry like so:
- dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
- Then user d\bd\bd\bdg\bg\bg\bgb\bb\bb\bb is now allowed to run _\b/_\bb_\bi_\bn_\b/_\bl_\bs as o\bo\bo\bop\bp\bp\bpe\be\be\ber\br\br\bra\ba\ba\bat\bt\bt\bto\bo\bo\bor\br\br\br,
- but _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as r\br\br\bro\bo\bo\boo\bo\bo\bot\bt\bt\bt.
+22/Mar/2000 1.6.3 10
-22/Mar/2000 1.6.3 10
+sudoers(5) FILE FORMATS sudoers(5)
+ sudo -u operator /bin/ls.
+ It is also possible to override a Runas_Spec later on in
+ an entry. If we modify the entry like so:
-sudoers(5) FILE FORMATS sudoers(5)
+ dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
+ Then user d\bd\bd\bdg\bg\bg\bgb\bb\bb\bb is now allowed to run _\b/_\bb_\bi_\bn_\b/_\bl_\bs as o\bo\bo\bop\bp\bp\bpe\be\be\ber\br\br\bra\ba\ba\bat\bt\bt\bto\bo\bo\bor\br\br\br,
+ but _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as r\br\br\bro\bo\bo\boo\bo\bo\bot\bt\bt\bt.
N\bN\bN\bNO\bO\bO\bOP\bP\bP\bPA\bA\bA\bAS\bS\bS\bSS\bS\bS\bSW\bW\bW\bWD\bD\bD\bD a\ba\ba\ban\bn\bn\bnd\bd\bd\bd P\bP\bP\bPA\bA\bA\bAS\bS\bS\bSS\bS\bS\bSW\bW\bW\bWD\bD\bD\bD
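Review bot: The blank line between "sudo -u operator /bin/ls." and "It is also possible to override a Runas_Spec later on in an entry" is present on the removed side but missing on the added side, so the example command now runs straight into the next paragraph; restore it. The entry itself ("dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm") and its explanation are otherwise unchanged.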
[...] Matches any character in the specified range.
- [!...] Matches any character n\bn\bn\bno\bo\bo\bot\bt\bt\bt in the specified range.
-
- \x For any character "x", evaluates to "x". This is
- used to escape special characters such as: "*",
- "?", "[", and "}".
-
- Note that a forward slash ('/') will n\bn\bn\bno\bo\bo\bot\bt\bt\bt be matched by
- wildcards used in the pathname. When matching the command
- line arguments, however, as slash d\bd\bd\bdo\bo\bo\boe\be\be\bes\bs\bs\bs get matched by
- wildcards. This is to make a path like:
sudoers(5) FILE FORMATS sudoers(5)
+ [!...] Matches any character n\bn\bn\bno\bo\bo\bot\bt\bt\bt in the specified range.
+
+ \x For any character "x", evaluates to "x". This is
+ used to escape special characters such as: "*",
+ "?", "[", and "}".
+
+ Note that a forward slash ('/') will n\bn\bn\bno\bo\bo\bot\bt\bt\bt be matched by
+ wildcards used in the pathname. When matching the command
+ line arguments, however, as slash d\bd\bd\bdo\bo\bo\boe\be\be\bes\bs\bs\bs get matched by
+ wildcards. This is to make a path like:
+
/usr/bin/*
match /usr/bin/who but not /usr/bin/X11/xterm.
syntactic characters in a _\bU_\bs_\be_\br _\bS_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn ('=', ':',
'(', ')') is optional.
- The following characters must be escaped with a backslash
- ('\') when used as part of a word (eg. a username or
- hostname): '@', '!', '=', ':', ',', '(', ')', '\'.
-
-E\bE\bE\bEX\bX\bX\bXA\bA\bA\bAM\bM\bM\bMP\bP\bP\bPL\bL\bL\bLE\bE\bE\bES\bS\bS\bS
- Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of
- these are a bit contrived. First, we define our _\ba_\bl_\bi_\ba_\bs_\be_\bs:
-
-
-
-
22/Mar/2000 1.6.3 12
sudoers(5) FILE FORMATS sudoers(5)
+ The following characters must be escaped with a backslash
+ ('\') when used as part of a word (eg. a username or
+ hostname): '@', '!', '=', ':', ',', '(', ')', '\'.
+
+E\bE\bE\bEX\bX\bX\bXA\bA\bA\bAM\bM\bM\bMP\bP\bP\bPL\bL\bL\bLE\bE\bE\bES\bS\bS\bS
+ Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of
+ these are a bit contrived. First, we define our _\ba_\bl_\bi_\ba_\bs_\be_\bs:
+
# User alias specification
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
Defaults:millert !authenticate
Defaults@SERVERS log_year, logfile=/var/log/sudo.log
- The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually
- determines who may run what.
-
- root ALL = (ALL) ALL
- %wheel ALL = (ALL) ALL
-
- We let r\br\br\bro\bo\bo\boo\bo\bo\bot\bt\bt\bt and any user in group w\bw\bw\bwh\bh\bh\bhe\be\be\bee\be\be\bel\bl\bl\bl run any command on
-
22/Mar/2000 1.6.3 13
sudoers(5) FILE FORMATS sudoers(5)
+ The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually
+ determines who may run what.
+
+ root ALL = (ALL) ALL
+ %wheel ALL = (ALL) ALL
+
+ We let r\br\br\bro\bo\bo\boo\bo\bo\bot\bt\bt\bt and any user in group w\bw\bw\bwh\bh\bh\bhe\be\be\bee\be\be\bel\bl\bl\bl run any command on
any host as any user.
FULLTIMERS ALL = NOPASSWD: ALL
assumes _\bp_\ba_\bs_\bs_\bw_\bd(1) does not take multiple usernames on the
command line.
- bob SPARC = (OP) ALL : SGI = (OP) ALL
-
- The user b\bb\bb\bbo\bo\bo\bob\bb\bb\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI
- machines as any user listed in the _\bO_\bP Runas_Alias (r\br\br\bro\bo\bo\boo\bo\bo\bot\bt\bt\bt
- and o\bo\bo\bop\bp\bp\bpe\be\be\ber\br\br\bra\ba\ba\bat\bt\bt\bto\bo\bo\bor\br\br\br).
-
- jim +biglab = ALL
sudoers(5) FILE FORMATS sudoers(5)
+ bob SPARC = (OP) ALL : SGI = (OP) ALL
+
+ The user b\bb\bb\bbo\bo\bo\bob\bb\bb\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI
+ machines as any user listed in the _\bO_\bP Runas_Alias (r\br\br\bro\bo\bo\boo\bo\bo\bot\bt\bt\bt
+ and o\bo\bo\bop\bp\bp\bpe\be\be\ber\br\br\bra\ba\ba\bat\bt\bt\bto\bo\bo\bor\br\br\br).
+
+ jim +biglab = ALL
+
The user j\bj\bj\bji\bi\bi\bim\bm\bm\bm may run any command on machines in the _\bb_\bi_\bg_\bl_\ba_\bb
netgroup. S\bS\bS\bSu\bu\bu\bud\bd\bd\bdo\bo\bo\bo knows that "biglab" is a netgroup due to
the '+' prefix.
On the host www, any user in the _\bW_\bE_\bB_\bM_\bA_\bS_\bT_\bE_\bR_\bS User_Alias
(will, wendy, and wim), may run any command as user www
- (which owns the web pages) or simply _\bs_\bu(1) to www.
-
- ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
- /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
-
- Any user may mount or unmount a CD-ROM on the machines in
- the CDROM Host_Alias (orion, perseus, hercules) without
- entering a password. This is a bit tedious for users to
sudoers(5) FILE FORMATS sudoers(5)
+ (which owns the web pages) or simply _\bs_\bu(1) to www.
+
+ ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
+ /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
+
+ Any user may mount or unmount a CD-ROM on the machines in
+ the CDROM Host_Alias (orion, perseus, hercules) without
+ entering a password. This is a bit tedious for users to
type, so it is a prime candiate for encapsulating in a
shell script.
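Review bot: "candiate" in the trailing context line ("prime candiate for encapsulating in a shell script") is a typo for "candidate" that survives this hunk; fix it at the source. Content-wise the hunk only moves the CDROM example and its explanation across the page header.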
incorrect _\bs_\bu_\bd_\bo_\be_\br_\bs file.
When using netgroups of machines (as opposed to users), if
- you store fully-qualified hostnames in the netgroup (as is
+ you store fully qualified hostnames in the netgroup (as is
usually the case), you either need to have the machine's
- hostname be fully-qualified as returned by the hostname
+ hostname be fully qualified as returned by the hostname
command or use the _\bf_\bq_\bd_\bn option in _\bs_\bu_\bd_\bo_\be_\br_\bs.
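Review bot: The two hyphen removals here ("fully-qualified" to "fully qualified" in both occurrences) match the Cmnd_List and Host_List hunks, so the page now uses one spelling throughout. This Caveats paragraph and the new Host_List sentence make the same point about the fqdn option; a cross-reference from one to the other would save readers from learning it twice.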
F\bF\bF\bFI\bI\bI\bIL\bL\bL\bLE\bE\bE\bES\bS\bS\bS
-
-
-
-
-
-
-
-
22/Mar/2000 1.6.3 16
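Review bot: After the eight blank lines are removed, the FILES heading sits directly above the page-16 footer, i.e. on the last line of the page with its body on the following page (an orphaned heading); the FILES line itself stays as unchanged context, so it has not moved to the next page. Check the regenerated output, and if the formatter really emits the heading alone at the bottom of the page, keep the heading with its first lines in the source or formatter options rather than committing the orphan.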