-1.8.0a2 May 30, 2010 1
+1.8.0a2 June 8, 2010 1
-1.8.0a2 May 30, 2010 2
+1.8.0a2 June 8, 2010 2
-1.8.0a2 May 30, 2010 3
+1.8.0a2 June 8, 2010 3
-1.8.0a2 May 30, 2010 4
+1.8.0a2 June 8, 2010 4
-1.8.0a2 May 30, 2010 5
+1.8.0a2 June 8, 2010 5
-1.8.0a2 May 30, 2010 6
+1.8.0a2 June 8, 2010 6
-1.8.0a2 May 30, 2010 7
+1.8.0a2 June 8, 2010 7
-1.8.0a2 May 30, 2010 8
+1.8.0a2 June 8, 2010 8
earlier. A list of all supported Defaults parameters, grouped by type,
are listed below.
- F\bFl\bla\bag\bgs\bs:
+ B\bBo\boo\bol\ble\bea\ban\bn F\bFl\bla\bag\bgs\bs:
always_set_home If set, s\bsu\bud\bdo\bo will set the HOME environment variable to
the home directory of the target user (which is root
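Review bot: the heading rename to "Boolean Flags:" matches the per-entry phrasing "This flag is off by default", but the introductory sentence kept as context still has a number-agreement error: "A list of all supported Defaults parameters, grouped by type, are listed below" should read "is listed below"; since this paragraph is already being touched, fix it in the same change.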
-1.8.0a2 May 30, 2010 9
+1.8.0a2 June 8, 2010 9
-1.8.0a2 May 30, 2010 10
+1.8.0a2 June 8, 2010 10
-1.8.0a2 May 30, 2010 11
+1.8.0a2 June 8, 2010 11
-1.8.0a2 May 30, 2010 12
+1.8.0a2 June 8, 2010 12
-1.8.0a2 May 30, 2010 13
+1.8.0a2 June 8, 2010 13
-1.8.0a2 May 30, 2010 14
+1.8.0a2 June 8, 2010 14
available if s\bsu\bud\bdo\bo is configured with the
--with-logincap option. This flag is _\bo_\bf_\bf by default.
+ use_pty If set, s\bsu\bud\bdo\bo will run the command in a pseudo-pty even
+ if no I/O logging is being gone. A malicious program
+ run under s\bsu\bud\bdo\bo could conceivably fork a background
+ process that retains to the user's terminal device
+ after the main program has finished executing. Use of
+ this option will make that impossible.
+
visiblepw By default, s\bsu\bud\bdo\bo will refuse to run if the user must
enter a password but it is not possible to disable echo
on the terminal. If the _\bv_\bi_\bs_\bi_\bb_\bl_\be_\bp_\bw flag is set, s\bsu\bud\bdo\bo
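Review bot: the new use_pty paragraph has two wording errors that change its meaning: "even if no I/O logging is being gone" should be "is being done", and "fork a background process that retains to the user's terminal device" should be "retains access to the user's terminal device". It also omits the default that the neighbouring flag entries state (compare "This flag is off by default" for the entry just above it); add an equivalent closing sentence stating the default for use_pty.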
The default is 5; set this to 0 for no password
timeout.
- timestamp_timeout
- Number of minutes that can elapse before s\bsu\bud\bdo\bo will ask
- for a passwd again. The timeout may include a
- fractional component if minute granularity is
- insufficient, for example 2.5. The default is 5. Set
- this to 0 to always prompt for a password. If set to a
-
-1.8.0a2 May 30, 2010 15
+1.8.0a2 June 8, 2010 15
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ timestamp_timeout
+ Number of minutes that can elapse before s\bsu\bud\bdo\bo will ask
+ for a passwd again. The timeout may include a
+ fractional component if minute granularity is
+ insufficient, for example 2.5. The default is 5. Set
+ this to 0 to always prompt for a password. If set to a
value less than 0 the user's timestamp will never
expire. This can be used to allow users to create or
delete their own timestamps via sudo -v and sudo -k
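Review bot: this hunk only moves the timestamp_timeout entry across the page-15 break (the removed and re-added lines are identical), but since the text is being touched, "ask for a passwd again" should be "ask for a password again" to match the wording used in the rest of the entry ("always prompt for a password").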
qualified or the _\bf_\bq_\bd_\bn option is set)
%h expanded to the local host name without the domain
- name
- %p expanded to the user whose password is being asked
- for (respects the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and _\br_\bu_\bn_\ba_\bs_\bp_\bw
- flags in _\bs_\bu_\bd_\bo_\be_\br_\bs)
+1.8.0a2 June 8, 2010 16
-1.8.0a2 May 30, 2010 16
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ name
+ %p expanded to the user whose password is being asked
+ for (respects the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and _\br_\bu_\bn_\ba_\bs_\bp_\bw
+ flags in _\bs_\bu_\bd_\bo_\be_\br_\bs)
%U expanded to the login name of the user the command
will be run as (defaults to root)
the program being run. Entries in this file should either
be of the form VARIABLE=value or export VARIABLE=value.
The value may optionally be surrounded by single or double
- quotes. Variables in this file are subject to other s\bsu\bud\bdo\bo
- environment settings such as _\be_\bn_\bv_\b__\bk_\be_\be_\bp and _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk.
-
- exempt_group
- Users in this group are exempt from password and PATH
- requirements. This is not set by default.
-1.8.0a2 May 30, 2010 17
+1.8.0a2 June 8, 2010 17
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ quotes. Variables in this file are subject to other s\bsu\bud\bdo\bo
+ environment settings such as _\be_\bn_\bv_\b__\bk_\be_\be_\bp and _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk.
+
+ exempt_group
+ Users in this group are exempt from password and PATH
+ requirements. This is not set by default.
+
lecture This option controls when a short lecture will be printed
along with the password prompt. It has the following
possible values:
mailerflags Flags to use when invoking mailer. Defaults to -\b-t\bt.
- mailerpath Path to mail program used to send warning mail. Defaults
- to the path to sendmail found at configure time.
-
- mailfrom Address to use for the "from" address when sending warning
- and error mail. The address should be enclosed in double
- quotes (") to protect against s\bsu\bud\bdo\bo interpreting the @ sign.
- Defaults to the name of the user running s\bsu\bud\bdo\bo.
-1.8.0a2 May 30, 2010 18
+1.8.0a2 June 8, 2010 18
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ mailerpath Path to mail program used to send warning mail. Defaults
+ to the path to sendmail found at configure time.
+
+ mailfrom Address to use for the "from" address when sending warning
+ and error mail. The address should be enclosed in double
+ quotes (") to protect against s\bsu\bud\bdo\bo interpreting the @ sign.
+ Defaults to the name of the user running s\bsu\bud\bdo\bo.
+
mailto Address to send warning and error mail to. The address
should be enclosed in double quotes (") to protect against
s\bsu\bud\bdo\bo interpreting the @ sign. Defaults to root.
programs. The argument may be a double-quoted, space-
separated list or a single value without double-quotes.
The list can be replaced, added to, deleted from, or
- disabled by using the =, +=, -=, and ! operators
- respectively. Regardless of whether the env_reset
- option is enabled or disabled, variables specified by
- env_check will be preserved in the environment if they
- pass the aforementioned check. The default list of
- environment variables to check is displayed when s\bsu\bud\bdo\bo
- is run by root with the _\b-_\bV option.
-
-1.8.0a2 May 30, 2010 19
+1.8.0a2 June 8, 2010 19
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ disabled by using the =, +=, -=, and ! operators
+ respectively. Regardless of whether the env_reset
+ option is enabled or disabled, variables specified by
+ env_check will be preserved in the environment if they
+ pass the aforementioned check. The default list of
+ environment variables to check is displayed when s\bsu\bud\bdo\bo
+ is run by root with the _\b-_\bV option.
+
env_delete Environment variables to be removed from the user's
environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is not in effect.
The argument may be a double-quoted, space-separated
Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of these are a bit
contrived. First, we define our _\ba_\bl_\bi_\ba_\bs_\be_\bs:
- # User alias specification
- User_Alias FULLTIMERS = millert, mikef, dowdy
- User_Alias PARTTIMERS = bostley, jwfox, crawl
- User_Alias WEBMASTERS = will, wendy, wim
- # Runas alias specification
- Runas_Alias OP = root, operator
- Runas_Alias DB = oracle, sybase
- Runas_Alias ADMINGRP = adm, oper
- # Host alias specification
-1.8.0a2 May 30, 2010 20
+
+1.8.0a2 June 8, 2010 20
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ # User alias specification
+ User_Alias FULLTIMERS = millert, mikef, dowdy
+ User_Alias PARTTIMERS = bostley, jwfox, crawl
+ User_Alias WEBMASTERS = will, wendy, wim
+
+ # Runas alias specification
+ Runas_Alias OP = root, operator
+ Runas_Alias DB = oracle, sybase
+ Runas_Alias ADMINGRP = adm, oper
+
+ # Host alias specification
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
SGI = grolsch, dandelion, black :\
ALPHA = widget, thalamus, foobar :\
Defaults!PAGERS noexec
The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually determines who may run
- what.
- root ALL = (ALL) ALL
- %wheel ALL = (ALL) ALL
- We let r\bro\boo\bot\bt and any user in group w\bwh\bhe\bee\bel\bl run any command on any host as
- any user.
- FULLTIMERS ALL = NOPASSWD: ALL
+1.8.0a2 June 8, 2010 21
- Full time sysadmins (m\bmi\bil\bll\ble\ber\brt\bt, m\bmi\bik\bke\bef\bf, and d\bdo\bow\bwd\bdy\by) may run any command on
-1.8.0a2 May 30, 2010 21
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ what.
+ root ALL = (ALL) ALL
+ %wheel ALL = (ALL) ALL
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ We let r\bro\boo\bot\bt and any user in group w\bwh\bhe\bee\bel\bl run any command on any host as
+ any user.
+ FULLTIMERS ALL = NOPASSWD: ALL
+ Full time sysadmins (m\bmi\bil\bll\ble\ber\brt\bt, m\bmi\bik\bke\bef\bf, and d\bdo\bow\bwd\bdy\by) may run any command on
any host without authenticating themselves.
PARTTIMERS ALL = ALL
the _\bH_\bP_\bP_\bA machines. Note that this assumes _\bp_\ba_\bs_\bs_\bw_\bd(1) does not take
multiple user names on the command line.
- bob SPARC = (OP) ALL : SGI = (OP) ALL
- The user b\bbo\bob\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI machines as any user
- listed in the _\bO_\bP Runas_Alias (r\bro\boo\bot\bt and o\bop\bpe\ber\bra\bat\bto\bor\br).
- jim +biglab = ALL
-
- The user j\bji\bim\bm may run any command on machines in the _\bb_\bi_\bg_\bl_\ba_\bb netgroup.
- s\bsu\bud\bdo\bo knows that "biglab" is a netgroup due to the '+' prefix.
+1.8.0a2 June 8, 2010 22
-1.8.0a2 May 30, 2010 22
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ bob SPARC = (OP) ALL : SGI = (OP) ALL
+ The user b\bbo\bob\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI machines as any user
+ listed in the _\bO_\bP Runas_Alias (r\bro\boo\bot\bt and o\bop\bpe\ber\bra\bat\bto\bor\br).
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ jim +biglab = ALL
+ The user j\bji\bim\bm may run any command on machines in the _\bb_\bi_\bg_\bl_\ba_\bb netgroup.
+ s\bsu\bud\bdo\bo knows that "biglab" is a netgroup due to the '+' prefix.
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
and wim), may run any command as user www (which owns the web pages) or
simply _\bs_\bu(1) to www.
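Review bot: the line "+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser" is unchanged example text, not an addition by this patch: the leading '+' is the netgroup prefix described two lines earlier ("sudo knows that "biglab" is a netgroup due to the '+' prefix"), and the line lacks the indentation of the genuinely added lines around it. It is easy to misread inside a repagination hunk; confirm with a whitespace-insensitive diff before merging.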
- ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
- /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
- Any user may mount or unmount a CD-ROM on the machines in the CDROM
- Host_Alias (orion, perseus, hercules) without entering a password.
- This is a bit tedious for users to type, so it is a prime candidate for
- encapsulating in a shell script.
-
-S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
- It is generally not effective to "subtract" commands from ALL using the
- '!' operator. A user can trivially circumvent this by copying the
-1.8.0a2 May 30, 2010 23
+1.8.0a2 June 8, 2010 23
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
+ /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
+
+ Any user may mount or unmount a CD-ROM on the machines in the CDROM
+ Host_Alias (orion, perseus, hercules) without entering a password.
+ This is a bit tedious for users to type, so it is a prime candidate for
+ encapsulating in a shell script.
+
+S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
+ It is generally not effective to "subtract" commands from ALL using the
+ '!' operator. A user can trivially circumvent this by copying the
desired command to a different name and then executing that. For
example:
number of programs that offer shell escapes, restricting
users to the set of programs that do not if often unworkable.
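Review bot: the SECURITY NOTES paragraph is moved verbatim across the page-23 break, but the trailing context carries a pre-existing typo worth fixing while here: "restricting users to the set of programs that do not if often unworkable" should read "is often unworkable".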
- noexec Many systems that support shared libraries have the ability
- to override default library functions by pointing an
- environment variable (usually LD_PRELOAD) to an alternate
- shared library. On such systems, s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality
- can be used to prevent a program run by s\bsu\bud\bdo\bo from executing
- any other programs. Note, however, that this applies only to
- native dynamically-linked executables. Statically-linked
- executables and foreign executables running under binary
- emulation are not affected.
-
- To tell whether or not s\bsu\bud\bdo\bo supports _\bn_\bo_\be_\bx_\be_\bc, you can run the
-1.8.0a2 May 30, 2010 24
+1.8.0a2 June 8, 2010 24
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ noexec Many systems that support shared libraries have the ability
+ to override default library functions by pointing an
+ environment variable (usually LD_PRELOAD) to an alternate
+ shared library. On such systems, s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality
+ can be used to prevent a program run by s\bsu\bud\bdo\bo from executing
+ any other programs. Note, however, that this applies only to
+ native dynamically-linked executables. Statically-linked
+ executables and foreign executables running under binary
+ emulation are not affected.
+
+ To tell whether or not s\bsu\bud\bdo\bo supports _\bn_\bo_\be_\bx_\be_\bc, you can run the
following as root:
sudo -V | grep "dummy exec"
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
The _\bs_\bu_\bd_\bo_\be_\br_\bs file should a\bal\blw\bwa\bay\bys\bs be edited by the v\bvi\bis\bsu\bud\bdo\bo command which
- locks the file and does grammatical checking. It is imperative that
- _\bs_\bu_\bd_\bo_\be_\br_\bs be free of syntax errors since s\bsu\bud\bdo\bo will not run with a
- syntactically incorrect _\bs_\bu_\bd_\bo_\be_\br_\bs file.
- When using netgroups of machines (as opposed to users), if you store
- fully qualified host name in the netgroup (as is usually the case), you
- either need to have the machine's host name be fully qualified as
- returned by the hostname command or use the _\bf_\bq_\bd_\bn option in _\bs_\bu_\bd_\bo_\be_\br_\bs.
-B\bBU\bUG\bGS\bS
- If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
+1.8.0a2 June 8, 2010 25
-1.8.0a2 May 30, 2010 25
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ locks the file and does grammatical checking. It is imperative that
+ _\bs_\bu_\bd_\bo_\be_\br_\bs be free of syntax errors since s\bsu\bud\bdo\bo will not run with a
+ syntactically incorrect _\bs_\bu_\bd_\bo_\be_\br_\bs file.
+ When using netgroups of machines (as opposed to users), if you store
+ fully qualified host name in the netgroup (as is usually the case), you
+ either need to have the machine's host name be fully qualified as
+ returned by the hostname command or use the _\bf_\bq_\bd_\bn option in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+B\bBU\bUG\bGS\bS
+ If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
http://www.sudo.ws/sudo/bugs/
S\bSU\bUP\bPP\bPO\bOR\bRT\bT
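Review bot: in the moved CAVEATS text, "if you store fully qualified host name in the netgroup" reads better as "fully qualified host names"; otherwise this hunk is repagination only, with the removed and re-added lines identical.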
-
-
-
-
-
-
-
-
-
-
-
-1.8.0a2 May 30, 2010 26
+1.8.0a2 June 8, 2010 26