Sudo only shipped .cat pages for Irix, which lacked nroff.
Irix is long dead and there are multiple open source nroff options.
doc/Makefile.in
doc/TROUBLESHOOTING
doc/UPGRADE
-doc/cvtsudoers.cat
doc/cvtsudoers.man.in
doc/cvtsudoers.mdoc.in
doc/fixman.sh
doc/schema.OpenLDAP
doc/schema.iPlanet
doc/schema.olcSudo
-doc/sudo.cat
-doc/sudo.conf.cat
doc/sudo.conf.man.in
doc/sudo.conf.mdoc.in
doc/sudo.man.in
doc/sudo.man.in.sed
doc/sudo.mdoc.in
-doc/sudo_plugin.cat
doc/sudo_plugin.man.in
doc/sudo_plugin.mdoc.in
-doc/sudoers.cat
-doc/sudoers.ldap.cat
doc/sudoers.ldap.man.in
doc/sudoers.ldap.mdoc.in
doc/sudoers.man.in
doc/sudoers.man.in.sed
doc/sudoers.mdoc.in
-doc/sudoers_timestamp.cat
doc/sudoers_timestamp.man.in
doc/sudoers_timestamp.mdoc.in
-doc/sudoreplay.cat
doc/sudoreplay.man.in
doc/sudoreplay.mdoc.in
-doc/visudo.cat
doc/visudo.man.in
doc/visudo.mdoc.in
examples/Makefile.in
badpass_message="Sorry, try again."
fqdn=off
runas_default=root
-env_editor=off
+env_editor=on
env_reset=on
editor=vi
passwd_tries=3
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_var_mantype" >&5
$as_echo "$sudo_cv_var_mantype" >&6; }
MANTYPE="$sudo_cv_var_mantype"
- else
- MANTYPE=cat
- MANDIRTYPE=cat
- mansrcdir='$(srcdir)'
fi
fi
*-*-irix*)
$as_echo "#define _BSD_TYPES 1" >>confdefs.h
- if test -z "$NROFFPROG"; then
- if test "$prefix" = "/usr/local" -a "$mandir" = '${datarootdir}/man'; then
- if test -d /usr/share/catman/local; then
- mandir="/usr/share/catman/local"
- else
- mandir="/usr/catman/local"
- fi
- fi
- # Compress cat pages with pack
- MANCOMPRESS='pack'
- MANCOMPRESSEXT='.z'
- else
- if test "$prefix" = "/usr/local" -a "$mandir" = '${datarootdir}/man'; then
- if test -d "/usr/share/man/local"; then
- mandir="/usr/share/man/local"
- else
- mandir="/usr/man/local"
- fi
+ if test "$prefix" = "/usr/local" -a "$mandir" = '${datarootdir}/man'; then
+ if test -d "/usr/share/man/local"; then
+ mandir="/usr/share/man/local"
+ else
+ mandir="/usr/man/local"
fi
fi
# IRIX <= 4 needs -lsun
]
)
MANTYPE="$sudo_cv_var_mantype"
- else
- MANTYPE=cat
- MANDIRTYPE=cat
- mansrcdir='$(srcdir)'
fi
fi
;;
*-*-irix*)
AC_DEFINE([_BSD_TYPES])
- if test -z "$NROFFPROG"; then
- if test "$prefix" = "/usr/local" -a "$mandir" = '${datarootdir}/man'; then
- if test -d /usr/share/catman/local; then
- mandir="/usr/share/catman/local"
- else
- mandir="/usr/catman/local"
- fi
- fi
- # Compress cat pages with pack
- MANCOMPRESS='pack'
- MANCOMPRESSEXT='.z'
- else
- if test "$prefix" = "/usr/local" -a "$mandir" = '${datarootdir}/man'; then
- if test -d "/usr/share/man/local"; then
- mandir="/usr/share/man/local"
- else
- mandir="/usr/man/local"
- fi
+ if test "$prefix" = "/usr/local" -a "$mandir" = '${datarootdir}/man'; then
+ if test -d "/usr/share/man/local"; then
+ mandir="/usr/share/man/local"
+ else
+ mandir="/usr/man/local"
fi
fi
# IRIX <= 4 needs -lsun
$(mansrcdir)/sudoers_timestamp.$(mantype) \
$(mansrcdir)/sudoreplay.$(mantype) $(mansrcdir)/visudo.$(mantype)
-DEVDOCS = $(srcdir)/cvtsudoers.man.in $(srcdir)/cvtsudoers.cat \
- $(srcdir)/sudo.conf.man.in $(srcdir)/sudo.conf.cat \
- $(srcdir)/sudo.man.in $(srcdir)/sudo.cat \
- $(srcdir)/sudo_plugin.man.in $(srcdir)/sudo_plugin.cat \
- $(srcdir)/sudoers.ldap.man.in $(srcdir)/sudoers.ldap.cat \
- $(srcdir)/sudoers.man.in $(srcdir)/sudoers.cat \
- $(srcdir)/sudoers_timestamp.man.in $(srcdir)/sudoers_timestamp.cat \
- $(srcdir)/sudoreplay.man.in $(srcdir)/sudoreplay.cat \
- $(srcdir)/visudo.man.in $(srcdir)/visudo.cat
+DEVDOCS = $(srcdir)/cvtsudoers.man.in $(srcdir)/sudo.conf.man.in \
+ $(srcdir)/sudo.man.in $(srcdir)/sudo_plugin.man.in \
+ $(srcdir)/sudoers.ldap.man.in $(srcdir)/sudoers.man.in \
+ $(srcdir)/sudoers_timestamp.man.in $(srcdir)/sudoreplay.man.in \
+ $(srcdir)/visudo.man.in
OTHER_DOCS = $(top_srcdir)/ChangeLog $(top_srcdir)/README \
$(top_srcdir)/NEWS $(srcdir)/HISTORY $(srcdir)/CONTRIBUTORS \
.SUFFIXES: .man
-varsub: $(top_srcdir)/configure.ac
- @if [ -n "$(DEVEL)" ]; then \
- printf 's#@%s@#1#\ns#@%s@#1#\ns#@%s@#1#\ns#@%s@#1#\ns#@%s@#/etc#g\ns#@%s@#/usr/local#g\ns#@%s@#5#g\ns#@%s@#8#g\ns#@%s@#%s#\n' SEMAN BAMAN LCMAN PSMAN sysconfdir prefix mansectform mansectsu PACKAGE_VERSION $(VERSION) > $@; \
- $(SED) -n '/Begin initial values for man page substitution/,/End initial values for man page substitution/{;p;}' $(top_srcdir)/configure.ac | $(SED) -e '/^#/d' -e 's/^/s#@/' -e 's/=[\\"]*/@#/' -e 's/[\\"]*$$/#g/' >> $@; \
- fi
-
$(srcdir)/sudo.man.in: $(srcdir)/sudo.mdoc.in $(srcdir)/sudo.man.in.sed
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
$(mansrcdir)/sudo.mdoc: $(top_builddir)/config.status $(srcdir)/sudo.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=doc/$@
-$(srcdir)/sudo.cat: varsub $(srcdir)/sudo.mdoc.in
- @if [ -n "$(DEVEL)" ]; then \
- echo "Generating $@"; \
- $(SED) -f varsub $(srcdir)/sudo.mdoc.in | $(MANDOC) -Tascii -mdoc | $(SED) -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \
- fi
-
$(srcdir)/visudo.man.in: $(srcdir)/visudo.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
$(mansrcdir)/visudo.mdoc: $(top_builddir)/config.status $(srcdir)/visudo.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=doc/$@
-$(srcdir)/visudo.cat: varsub $(srcdir)/visudo.mdoc.in
- @if [ -n "$(DEVEL)" ]; then \
- echo "Generating $@"; \
- $(SED) -f varsub $(srcdir)/visudo.mdoc.in | $(MANDOC) -Tascii -mdoc | $(SED) -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \
- fi
-
$(srcdir)/sudo.conf.man.in: $(srcdir)/sudo.conf.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
$(mansrcdir)/sudo.conf.mdoc: $(top_builddir)/config.status $(srcdir)/sudo.conf.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=doc/$@
-$(srcdir)/sudo.conf.cat: varsub $(srcdir)/sudo.conf.mdoc.in
- @if [ -n "$(DEVEL)" ]; then \
- echo "Generating $@"; \
- $(SED) -f varsub $(srcdir)/sudo.conf.mdoc.in | $(MANDOC) -Tascii -mdoc | $(SED) -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \
- fi
-
$(srcdir)/sudoers.man.in: $(srcdir)/sudoers.mdoc.in $(srcdir)/sudoers.man.in.sed
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
$(mansrcdir)/sudoers.mdoc: $(top_builddir)/config.status $(srcdir)/sudoers.mdoc.in $(srcdir)/fixmdoc.sed
(cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/sudoers.mdoc.in | $(SED) -f $(srcdir)/fixmdoc.sed > $@
-$(srcdir)/sudoers.cat: varsub $(srcdir)/sudoers.mdoc.in
- @if [ -n "$(DEVEL)" ]; then \
- echo "Generating $@"; \
- $(SED) -f varsub $(srcdir)/sudoers.mdoc.in | $(MANDOC) -Tascii -mdoc | $(SED) -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \
- fi
-
$(srcdir)/sudoers.ldap.man.in: $(srcdir)/sudoers.ldap.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
$(mansrcdir)/sudoers.ldap.mdoc: $(top_builddir)/config.status $(srcdir)/sudoers.ldap.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=doc/$@
-$(srcdir)/sudoers.ldap.cat: varsub $(srcdir)/sudoers.ldap.mdoc.in
- @if [ -n "$(DEVEL)" ]; then \
- echo "Generating $@"; \
- $(SED) -f varsub $(srcdir)/sudoers.ldap.mdoc.in | $(MANDOC) -Tascii -mdoc | $(SED) -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \
- fi
-
$(srcdir)/sudoers_timestamp.man.in: $(srcdir)/sudoers_timestamp.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
$(mansrcdir)/sudoers_timestamp.mdoc: $(top_builddir)/config.status $(srcdir)/sudoers_timestamp.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=doc/$@
-$(srcdir)/sudoers_timestamp.cat: varsub $(srcdir)/sudoers_timestamp.mdoc.in
- @if [ -n "$(DEVEL)" ]; then \
- echo "Generating $@"; \
- $(SED) -f varsub $(srcdir)/sudoers_timestamp.mdoc.in | $(MANDOC) -Tascii -mdoc | $(SED) -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \
- fi
-
$(srcdir)/cvtsudoers.man.in: $(srcdir)/cvtsudoers.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
$(mansrcdir)/cvtsudoers.mdoc: $(top_builddir)/config.status $(srcdir)/cvtsudoers.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=doc/$@
-$(srcdir)/cvtsudoers.cat: varsub $(srcdir)/cvtsudoers.mdoc.in
- @if [ -n "$(DEVEL)" ]; then \
- echo "Generating $@"; \
- $(SED) -f varsub $(srcdir)/cvtsudoers.mdoc.in | $(MANDOC) -Tascii -mdoc | $(SED) -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \
- fi
-
$(srcdir)/sudoreplay.man.in: $(srcdir)/sudoreplay.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
$(mansrcdir)/sudoreplay.mdoc: $(top_builddir)/config.status $(srcdir)/sudoreplay.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=doc/$@
-$(srcdir)/sudoreplay.cat: varsub $(srcdir)/sudoreplay.mdoc.in
- @if [ -n "$(DEVEL)" ]; then \
- echo "Generating $@"; \
- $(SED) -f varsub $(srcdir)/sudoreplay.mdoc.in | $(MANDOC) -Tascii -mdoc | $(SED) -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \
- fi
-
$(srcdir)/sudo_plugin.man.in: $(srcdir)/sudo_plugin.mdoc.in
@if [ -n "$(DEVEL)" ]; then \
echo "Generating $@"; \
$(mansrcdir)/sudo_plugin.mdoc: $(top_builddir)/config.status $(srcdir)/sudo_plugin.mdoc.in
cd $(top_builddir) && $(SHELL) config.status --file=doc/$@
-$(srcdir)/sudo_plugin.cat: varsub $(srcdir)/sudo_plugin.mdoc.in
- @if [ -n "$(DEVEL)" ]; then \
- echo "Generating $@"; \
- $(SED) -f varsub $(srcdir)/sudo_plugin.mdoc.in | $(MANDOC) -Tascii -mdoc | $(SED) -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \
- fi
-
pre-install:
install: install-doc
check:
clean:
- -rm -f varsub fixman.sed
+ -rm -f fixman.sed
mostlyclean: clean
+++ /dev/null
-CVTSUDOERS(1) General Commands Manual CVTSUDOERS(1)
-
-N\bNA\bAM\bME\bE
- c\bcv\bvt\bts\bsu\bud\bdo\boe\ber\brs\bs - convert between sudoers file formats
-
-S\bSY\bYN\bNO\bOP\bPS\bSI\bIS\bS
- c\bcv\bvt\bts\bsu\bud\bdo\boe\ber\brs\bs [-\b-e\beh\bhM\bMp\bpV\bV] [-\b-b\bb _\bd_\bn] [-\b-c\bc _\bc_\bo_\bn_\bf_\b__\bf_\bi_\bl_\be] [-\b-d\bd _\bd_\be_\bf_\bt_\by_\bp_\be_\bs]
- [-\b-f\bf _\bo_\bu_\bt_\bp_\bu_\bt_\b__\bf_\bo_\br_\bm_\ba_\bt] [-\b-i\bi _\bi_\bn_\bp_\bu_\bt_\b__\bf_\bo_\br_\bm_\ba_\bt] [-\b-I\bI _\bi_\bn_\bc_\br_\be_\bm_\be_\bn_\bt]
- [-\b-m\bm _\bf_\bi_\bl_\bt_\be_\br] [-\b-o\bo _\bo_\bu_\bt_\bp_\bu_\bt_\b__\bf_\bi_\bl_\be] [-\b-O\bO _\bs_\bt_\ba_\br_\bt_\b__\bp_\bo_\bi_\bn_\bt] [-\b-P\bP _\bp_\ba_\bd_\bd_\bi_\bn_\bg]
- [-\b-s\bs _\bs_\be_\bc_\bt_\bi_\bo_\bn_\bs] [_\bi_\bn_\bp_\bu_\bt_\b__\bf_\bi_\bl_\be]
-
-D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- c\bcv\bvt\bts\bsu\bud\bdo\boe\ber\brs\bs can be used to convert between _\bs_\bu_\bd_\bo_\be_\br_\bs security policy file
- formats. The default input format is sudoers. The default output format
- is LDIF. It is only possible to convert a _\bs_\bu_\bd_\bo_\be_\br_\bs file that is
- syntactically correct.
-
- If no _\bi_\bn_\bp_\bu_\bt_\b__\bf_\bi_\bl_\be is specified, or if it is `-', the policy is read from
- the standard input. By default, the result is written to the standard
- output.
-
- The options are as follows:
-
- -\b-b\bb _\bd_\bn, -\b--\b-b\bba\bas\bse\be=_\bd_\bn
- The base DN (distinguished name) that will be used when
- performing LDAP queries. Typically this is of the form
- ou=SUDOers,dc=my-domain,dc=com for the domain my-domain.com.
- If this option is not specified, the value of the
- SUDOERS_BASE environment variable will be used instead. Only
- necessary when converting to LDIF format.
-
- -\b-c\bc _\bc_\bo_\bn_\bf_\b__\bf_\bi_\bl_\be, -\b--\b-c\bco\bon\bnf\bfi\big\bg=_\bc_\bo_\bn_\bf_\b__\bf_\bi_\bl_\be
- Specify the path to the configuration file. Defaults to
- _\b/_\be_\bt_\bc_\b/_\bc_\bv_\bt_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bc_\bo_\bn_\bf.
-
- -\b-d\bd _\bd_\be_\bf_\bt_\by_\bp_\be_\bs, -\b--\b-d\bde\bef\bfa\bau\bul\blt\bts\bs=_\bd_\be_\bf_\bt_\by_\bp_\be_\bs
- Only convert Defaults entries of the specified types. One or
- more Defaults types may be specified, separated by a comma
- (`,'). The supported types are:
-
- all All Defaults entries.
-
- global Global Defaults entries that are applied regardless
- of user, runas, host or command.
-
- user Per-user Defaults entries.
-
- runas Per-runas user Defaults entries.
-
- host Per-host Defaults entries.
-
- command Per-command Defaults entries.
-
- See the D\bDe\bef\bfa\bau\bul\blt\bts\bs section in sudoers(4) for more information.
-
- If the -\b-d\bd option is not specified, all Defaults entries will
- be converted.
-
- -\b-e\be, -\b--\b-e\bex\bxp\bpa\ban\bnd\bd-\b-a\bal\bli\bia\bas\bse\bes\bs
- Expand aliases in _\bi_\bn_\bp_\bu_\bt_\b__\bf_\bi_\bl_\be. Aliases are preserved by
- default when the output _\bf_\bo_\br_\bm_\ba_\bt is JSON or sudoers.
-
- -\b-f\bf _\bo_\bu_\bt_\bp_\bu_\bt_\b__\bf_\bo_\br_\bm_\ba_\bt, -\b--\b-o\bou\but\btp\bpu\but\bt-\b-f\bfo\bor\brm\bma\bat\bt=_\bo_\bu_\bt_\bp_\bu_\bt_\b__\bf_\bo_\br_\bm_\ba_\bt
- Specify the output format (case-insensitive). The following
- formats are supported:
-
- JSON JSON (JavaScript Object Notation) files are usually
- easier for third-party applications to consume than
- the traditional _\bs_\bu_\bd_\bo_\be_\br_\bs format. The various values
- have explicit types which removes much of the
- ambiguity of the _\bs_\bu_\bd_\bo_\be_\br_\bs format.
-
- LDIF LDIF (LDAP Data Interchange Format) files can be
- imported into an LDAP server for use with
- sudoers.ldap(4).
-
- Conversion to LDIF has the following limitations:
-
- +\b+\bo\bo Command, host, runas and user-specific Defaults
- lines cannot be translated as they don't have an
- equivalent in the sudoers LDAP schema.
-
- +\b+\bo\bo Command, host, runas and user aliases are not
- supported by the sudoers LDAP schema so they are
- expanded during the conversion.
-
- sudoers Traditional sudoers format. A new sudoers file
- will be reconstructed from the parsed input file.
- Comments are not preserved and data from any
- include files will be output inline.
-
- -\b-h\bh, -\b--\b-h\bhe\bel\blp\bp Display a short help message to the standard output and exit.
-
- -\b-i\bi _\bi_\bn_\bp_\bu_\bt_\b__\bf_\bo_\br_\bm_\ba_\bt, -\b--\b-i\bin\bnp\bpu\but\bt-\b-f\bfo\bor\brm\bma\bat\bt=_\bi_\bn_\bp_\bu_\bt_\b__\bf_\bo_\br_\bm_\ba_\bt
- Specify the input format. The following formats are
- supported:
-
- LDIF LDIF (LDAP Data Interchange Format) files can be
- exported from an LDAP server to convert security
- policies used by sudoers.ldap(4). If a base DN
- (distinguished name) is specified, only sudoRole
- objects that match the base DN will be processed.
- Not all sudoOptions specified in a sudoRole can be
- translated from LDIF to sudoers format.
-
- sudoers Traditional sudoers format. This is the default
- input format.
-
- -\b-I\bI _\bi_\bn_\bc_\br_\be_\bm_\be_\bn_\bt, -\b--\b-i\bin\bnc\bcr\bre\bem\bme\ben\bnt\bt=_\bi_\bn_\bc_\br_\be_\bm_\be_\bn_\bt
- When generating LDIF output, increment each sudoOrder
- attribute by the specified number. Defaults to an increment
- of 1.
-
- -\b-m\bm _\bf_\bi_\bl_\bt_\be_\br, -\b--\b-m\bma\bat\btc\bch\bh=_\bf_\bi_\bl_\bt_\be_\br
- Only output rules that match the specified _\bf_\bi_\bl_\bt_\be_\br. A _\bf_\bi_\bl_\bt_\be_\br
- expression is made up of one or more k\bke\bey\by =\b= _\bv_\ba_\bl_\bu_\be pairs,
- separated by a comma (`,'). The k\bke\bey\by may be "user", "group"
- or "host". For example, u\bus\bse\ber\br = _\bo_\bp_\be_\br_\ba_\bt_\bo_\br or h\bho\bos\bst\bt = _\bw_\bw_\bw. An
- upper-case User_Alias or Host_Alias may be specified as the
- "user" or "host".
-
- A matching _\bs_\bu_\bd_\bo_\be_\br_\bs rule may also include users, groups and
- hosts that are not part of the _\bf_\bi_\bl_\bt_\be_\br. This can happen when
- a rule includes multiple users, groups or hosts. To prune
- out any non-matching user, group or host from the rules, the
- -\b-p\bp option may be used.
-
- By default, the password and group databases are not
- consulted when matching against the filter so the users and
- groups do not need to be present on the local system (see the
- -\b-M\bM option). Only aliases that are referenced by the filtered
- policy rules will be displayed.
-
- -\b-M\bM, -\b--\b-m\bma\bat\btc\bch\bh-\b-l\blo\boc\bca\bal\bl
- When the -\b-m\bm option is also specified, use password and group
- database information when matching users and groups in the
- filter. Only users and groups in the filter that exist on
- the local system will match, and a user's groups will
- automatically be added to the filter. If the -\b-M\bM is _\bn_\bo_\bt
- specified, users and groups in the filter do not need to
- exist on the local system, but all groups used for matching
- must be explicitly listed in the filter.
-
- -\b-o\bo _\bo_\bu_\bt_\bp_\bu_\bt_\b__\bf_\bi_\bl_\be, -\b--\b-o\bou\but\btp\bpu\but\bt=_\bo_\bu_\bt_\bp_\bu_\bt_\b__\bf_\bi_\bl_\be
- Write the converted output to _\bo_\bu_\bt_\bp_\bu_\bt_\b__\bf_\bi_\bl_\be. If no _\bo_\bu_\bt_\bp_\bu_\bt_\b__\bf_\bi_\bl_\be
- is specified, or if it is `-', the converted _\bs_\bu_\bd_\bo_\be_\br_\bs policy
- will be written to the standard output.
-
- -\b-O\bO _\bs_\bt_\ba_\br_\bt_\b__\bp_\bo_\bi_\bn_\bt, -\b--\b-o\bor\brd\bde\ber\br-\b-s\bst\bta\bar\brt\bt=_\bs_\bt_\ba_\br_\bt_\b__\bp_\bo_\bi_\bn_\bt
- When generating LDIF output, use the number specified by
- _\bs_\bt_\ba_\br_\bt_\b__\bp_\bo_\bi_\bn_\bt in the sudoOrder attribute of the first sudoRole
- object. Subsequent sudoRole object use a sudoOrder value
- generated by adding an _\bi_\bn_\bc_\br_\be_\bm_\be_\bn_\bt, see the -\b-I\bI option for
- details. Defaults to a starting point of 1. A starting
- point of 0 will disable the generation of sudoOrder
- attributes in the resulting LDIF file.
-
- -\b-p\bp, -\b--\b-p\bpr\bru\bun\bne\be-\b-m\bma\bat\btc\bch\bhe\bes\bs
- When the -\b-m\bm option is also specified, c\bcv\bvt\bts\bsu\bud\bdo\boe\ber\brs\bs will prune
- out non-matching users, groups and hosts from matching
- entries.
-
- -\b-P\bP _\bp_\ba_\bd_\bd_\bi_\bn_\bg, -\b--\b-p\bpa\bad\bdd\bdi\bin\bng\bg=_\bp_\ba_\bd_\bd_\bi_\bn_\bg
- When generating LDIF output, construct the initial sudoOrder
- value by concatenating _\bo_\br_\bd_\be_\br_\b__\bs_\bt_\ba_\br_\bt and _\bi_\bn_\bc_\br_\be_\bm_\be_\bn_\bt, padding the
- _\bi_\bn_\bc_\br_\be_\bm_\be_\bn_\bt with zeros until it consists of _\bp_\ba_\bd_\bd_\bi_\bn_\bg digits.
- For example, if _\bo_\br_\bd_\be_\br_\b__\bs_\bt_\ba_\br_\bt is 1027, _\bp_\ba_\bd_\bd_\bi_\bn_\bg is 3, and
- _\bi_\bn_\bc_\br_\be_\bm_\be_\bn_\bt is 1, the value of sudoOrder for the first entry
- will be 1027000, followed by 1027001, 1027002, etc. If the
- number of sudoRole entries is larger than the padding would
- allow, c\bcv\bvt\bts\bsu\bud\bdo\boe\ber\brs\bs will exit with an error. By default, no
- padding is performed.
-
- -\b-s\bs _\bs_\be_\bc_\bt_\bi_\bo_\bn_\bs, -\b--\b-s\bsu\bup\bpp\bpr\bre\bes\bss\bs=_\bs_\be_\bc_\bt_\bi_\bo_\bn_\bs
- Suppress the output of specific _\bs_\be_\bc_\bt_\bi_\bo_\bn_\bs of the security
- policy. One or more section names may be specified,
- separated by a comma (`,'). The supported section name are:
- d\bde\bef\bfa\bau\bul\blt\bts\bs, a\bal\bli\bia\bas\bse\bes\bs and p\bpr\bri\biv\bvi\bil\ble\beg\bge\bes\bs (which may be shortened to
- p\bpr\bri\biv\bvs\bs).
-
- -\b-V\bV, -\b--\b-v\bve\ber\brs\bsi\bio\bon\bn
- Print the c\bcv\bvt\bts\bsu\bud\bdo\boe\ber\brs\bs and _\bs_\bu_\bd_\bo_\be_\br_\bs grammar versions and exit.
-
- Options in the form "keyword = value" may also be specified in a
- configuration file, _\b/_\be_\bt_\bc_\b/_\bc_\bv_\bt_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bc_\bo_\bn_\bf by default. The following
- keywords are recognized:
-
- d\bde\bef\bfa\bau\bul\blt\bts\bs =\b= _\bd_\be_\bf_\bt_\by_\bp_\be_\bs
- See the description of the -\b-d\bd command line option.
-
- e\bex\bxp\bpa\ban\bnd\bd_\b_a\bal\bli\bia\bas\bse\bes\bs =\b= _\by_\be_\bs | _\bn_\bo
- See the description of the -\b-e\be command line option.
-
- i\bin\bnp\bpu\but\bt_\b_f\bfo\bor\brm\bma\bat\bt =\b= _\bl_\bd_\bi_\bf | _\bs_\bu_\bd_\bo_\be_\br_\bs
- See the description of the -\b-i\bi command line option.
-
- m\bma\bat\btc\bch\bh =\b= _\bf_\bi_\bl_\bt_\be_\br
- See the description of the -\b-m\bm command line option.
-
- o\bor\brd\bde\ber\br_\b_i\bin\bnc\bcr\bre\bem\bme\ben\bnt\bt =\b= _\bi_\bn_\bc_\br_\be_\bm_\be_\bn_\bt
- See the description of the -\b-I\bI command line option.
-
- o\bor\brd\bde\ber\br_\b_s\bst\bta\bar\brt\bt =\b= _\bs_\bt_\ba_\br_\bt_\b__\bp_\bo_\bi_\bn_\bt
- See the description of the -\b-O\bO command line option.
-
- o\bou\but\btp\bpu\but\bt_\b_f\bfo\bor\brm\bma\bat\bt =\b= _\bj_\bs_\bo_\bn | _\bl_\bd_\bi_\bf | _\bs_\bu_\bd_\bo_\be_\br_\bs
- See the description of the -\b-f\bf command line option.
-
- p\bpa\bad\bdd\bdi\bin\bng\bg =\b= _\bp_\ba_\bd_\bd_\bi_\bn_\bg
- See the description of the -\b-P\bP command line option.
-
- p\bpr\bru\bun\bne\be_\b_m\bma\bat\btc\bch\bhe\bes\bs =\b= _\by_\be_\bs | _\bn_\bo
- See the description of the -\b-p\bp command line option.
-
- s\bsu\bud\bdo\boe\ber\brs\bs_\b_b\bba\bas\bse\be =\b= _\bd_\bn
- See the description of the -\b-b\bb command line option.
-
- s\bsu\bup\bpp\bpr\bre\bes\bss\bs =\b= _\bs_\be_\bc_\bt_\bi_\bo_\bn_\bs
- See the description of the -\b-s\bs command line option.
-
- Options on the command line will override values from the configuration
- file.
-
-F\bFI\bIL\bLE\bES\bS
- _\b/_\be_\bt_\bc_\b/_\bc_\bv_\bt_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bc_\bo_\bn_\bf default configuration for cvtsudoers
-
-E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
- Convert _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs to LDIF (LDAP Data Interchange Format) where the
- _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf file uses a _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bb_\ba_\bs_\be of my-domain,dc=com, storing the
- result in _\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bd_\bi_\bf:
-
- $ cvtsudoers -b ou=SUDOers,dc=my-domain,dc=com -o sudoers.ldif \
- /etc/sudoers
-
- Convert _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs to JSON format, storing the result in _\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bj_\bs_\bo_\bn:
-
- $ cvtsudoers -f json -o sudoers.json /etc/sudoers
-
- Parse _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs and display only rules that match user _\ba_\bm_\bb_\br_\bo_\bs_\be on host
- _\bh_\ba_\bs_\bt_\bu_\br:
-
- $ cvtsudoers -f sudoers -m user=ambrose,host=hastur /etc/sudoers
-
- Same as above, but expand aliases and prune out any non-matching users
- and hosts from the expanded entries.
-
- $ cvtsudoers -ep -f sudoers -m user=ambrose,host=hastur /etc/sudoers
-
- Convert _\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bd_\bi_\bf from LDIF to traditional _\bs_\bu_\bd_\bo_\be_\br_\bs format:
-
- $ cvtsudoers -i ldif -f sudoers -o sudoers.new sudoers.ldif
-
-S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- sudoers(4), sudoers.ldap(4), sudo(1m)
-
-A\bAU\bUT\bTH\bHO\bOR\bRS\bS
- Many people have worked on s\bsu\bud\bdo\bo over the years; this version consists of
- code written primarily by:
-
- Todd C. Miller
-
- See the CONTRIBUTORS file in the s\bsu\bud\bdo\bo distribution
- (https://www.sudo.ws/contributors.html) for an exhaustive list of people
- who have contributed to s\bsu\bud\bdo\bo.
-
-B\bBU\bUG\bGS\bS
- If you feel you have found a bug in c\bcv\bvt\bts\bsu\bud\bdo\boe\ber\brs\bs, please submit a bug
- report at https://bugzilla.sudo.ws/
-
-S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Limited free support is available via the sudo-users mailing list, see
- https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
- the archives.
-
-D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- c\bcv\bvt\bts\bsu\bud\bdo\boe\ber\brs\bs is provided "AS IS" and any express or implied warranties,
- including, but not limited to, the implied warranties of merchantability
- and fitness for a particular purpose are disclaimed. See the LICENSE
- file distributed with s\bsu\bud\bdo\bo or https://www.sudo.ws/license.html for
- complete details.
-
-Sudo 1.8.28 December 11, 2018 Sudo 1.8.28
+++ /dev/null
-SUDO(1m) System Manager's Manual SUDO(1m)
-
-N\bNA\bAM\bME\bE
- s\bsu\bud\bdo\bo, s\bsu\bud\bdo\boe\bed\bdi\bit\bt - execute a command as another user
-
-S\bSY\bYN\bNO\bOP\bPS\bSI\bIS\bS
- s\bsu\bud\bdo\bo -\b-h\bh | -\b-K\bK | -\b-k\bk | -\b-V\bV
- s\bsu\bud\bdo\bo -\b-v\bv [-\b-A\bAB\bBk\bkn\bnS\bS] [-\b-a\ba _\bt_\by_\bp_\be] [-\b-g\bg _\bg_\br_\bo_\bu_\bp] [-\b-h\bh _\bh_\bo_\bs_\bt] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-u\bu _\bu_\bs_\be_\br]
- s\bsu\bud\bdo\bo -\b-l\bl [-\b-A\bAB\bBk\bkn\bnS\bS] [-\b-a\ba _\bt_\by_\bp_\be] [-\b-g\bg _\bg_\br_\bo_\bu_\bp] [-\b-h\bh _\bh_\bo_\bs_\bt] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-U\bU _\bu_\bs_\be_\br]
- [-\b-u\bu _\bu_\bs_\be_\br] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
- s\bsu\bud\bdo\bo [-\b-A\bAB\bBb\bbE\bEH\bHn\bnP\bPS\bS] [-\b-a\ba _\bt_\by_\bp_\be] [-\b-C\bC _\bn_\bu_\bm] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs] [-\b-g\bg _\bg_\br_\bo_\bu_\bp] [-\b-h\bh _\bh_\bo_\bs_\bt]
- [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-r\br _\br_\bo_\bl_\be] [-\b-t\bt _\bt_\by_\bp_\be] [-\b-T\bT _\bt_\bi_\bm_\be_\bo_\bu_\bt] [-\b-u\bu _\bu_\bs_\be_\br] [_\bV_\bA_\bR=_\bv_\ba_\bl_\bu_\be]
- [-\b-i\bi | -\b-s\bs] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
- s\bsu\bud\bdo\boe\bed\bdi\bit\bt [-\b-A\bAB\bBk\bkn\bnS\bS] [-\b-a\ba _\bt_\by_\bp_\be] [-\b-C\bC _\bn_\bu_\bm] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs] [-\b-g\bg _\bg_\br_\bo_\bu_\bp] [-\b-h\bh _\bh_\bo_\bs_\bt]
- [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-T\bT _\bt_\bi_\bm_\be_\bo_\bu_\bt] [-\b-u\bu _\bu_\bs_\be_\br] _\bf_\bi_\bl_\be _\b._\b._\b.
-
-D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- s\bsu\bud\bdo\bo allows a permitted user to execute a _\bc_\bo_\bm_\bm_\ba_\bn_\bd as the superuser or
- another user, as specified by the security policy. The invoking user's
- real (_\bn_\bo_\bt effective) user ID is used to determine the user name with
- which to query the security policy.
-
- s\bsu\bud\bdo\bo supports a plugin architecture for security policies and
- input/output logging. Third parties can develop and distribute their own
- policy and I/O logging plugins to work seamlessly with the s\bsu\bud\bdo\bo front
- end. The default security policy is _\bs_\bu_\bd_\bo_\be_\br_\bs, which is configured via the
- file _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs, or via LDAP. See the _\bP_\bl_\bu_\bg_\bi_\bn_\bs section for more
- information.
-
- The security policy determines what privileges, if any, a user has to run
- s\bsu\bud\bdo\bo. The policy may require that users authenticate themselves with a
- password or another authentication mechanism. If authentication is
- required, s\bsu\bud\bdo\bo will exit if the user's password is not entered within a
- configurable time limit. This limit is policy-specific; the default
- password prompt timeout for the _\bs_\bu_\bd_\bo_\be_\br_\bs security policy is 5 minutes.
-
- Security policies may support credential caching to allow the user to run
- s\bsu\bud\bdo\bo again for a period of time without requiring authentication. The
- _\bs_\bu_\bd_\bo_\be_\br_\bs policy caches credentials for 5 minutes, unless overridden in
- sudoers(4). By running s\bsu\bud\bdo\bo with the -\b-v\bv option, a user can update the
- cached credentials without running a _\bc_\bo_\bm_\bm_\ba_\bn_\bd.
-
- When invoked as s\bsu\bud\bdo\boe\bed\bdi\bit\bt, the -\b-e\be option (described below), is implied.
-
- Security policies may log successful and failed attempts to use s\bsu\bud\bdo\bo. If
- an I/O plugin is configured, the running command's input and output may
- be logged as well.
-
- The options are as follows:
-
- -\b-A\bA, -\b--\b-a\bas\bsk\bkp\bpa\bas\bss\bs
- Normally, if s\bsu\bud\bdo\bo requires a password, it will read it from
- the user's terminal. If the -\b-A\bA (_\ba_\bs_\bk_\bp_\ba_\bs_\bs) option is
- specified, a (possibly graphical) helper program is executed
- to read the user's password and output the password to the
- standard output. If the SUDO_ASKPASS environment variable is
- set, it specifies the path to the helper program. Otherwise,
- if sudo.conf(4) contains a line specifying the askpass
- program, that value will be used. For example:
-
- # Path to askpass helper program
- Path askpass /usr/X11R6/bin/ssh-askpass
-
- If no askpass program is available, s\bsu\bud\bdo\bo will exit with an
- error.
-
- -\b-a\ba _\bt_\by_\bp_\be, -\b--\b-a\bau\but\bth\bh-\b-t\bty\byp\bpe\be=_\bt_\by_\bp_\be
- Use the specified BSD authentication _\bt_\by_\bp_\be when validating the
- user, if allowed by _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. The system
- administrator may specify a list of sudo-specific
- authentication methods by adding an "auth-sudo" entry in
- _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. This option is only available on systems
- that support BSD authentication.
-
- -\b-B\bB, -\b--\b-b\bbe\bel\bll\bl Ring the bell as part of the password promp when a terminal
- is present. This option has no effect if an askpass program
- is used.
-
- -\b-b\bb, -\b--\b-b\bba\bac\bck\bkg\bgr\bro\bou\bun\bnd\bd
- Run the given command in the background. Note that it is not
- possible to use shell job control to manipulate background
- processes started by s\bsu\bud\bdo\bo. Most interactive commands will
- fail to work properly in background mode.
-
- -\b-C\bC _\bn_\bu_\bm, -\b--\b-c\bcl\blo\bos\bse\be-\b-f\bfr\bro\bom\bm=_\bn_\bu_\bm
- Close all file descriptors greater than or equal to _\bn_\bu_\bm
- before executing a command. Values less than three are not
- permitted. By default, s\bsu\bud\bdo\bo will close all open file
- descriptors other than standard input, standard output and
- standard error when executing a command. The security policy
- may restrict the user's ability to use this option. The
- _\bs_\bu_\bd_\bo_\be_\br_\bs policy only permits use of the -\b-C\bC option when the
- administrator has enabled the _\bc_\bl_\bo_\bs_\be_\bf_\br_\bo_\bm_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be option.
-
- -\b-c\bc _\bc_\bl_\ba_\bs_\bs, -\b--\b-l\blo\bog\bgi\bin\bn-\b-c\bcl\bla\bas\bss\bs=_\bc_\bl_\ba_\bs_\bs
- Run the command with resource limits and scheduling priority
- of the specified login _\bc_\bl_\ba_\bs_\bs. The _\bc_\bl_\ba_\bs_\bs argument can be
- either a class name as defined in _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf, or a
- single `-' character. If _\bc_\bl_\ba_\bs_\bs is -\b-, the default login class
- of the target user will be used. Otherwise, the command must
- be run as the superuser (user ID 0), or s\bsu\bud\bdo\bo must be run from
- a shell that is already running as the superuser. If the
- command is being run as a login shell, additional
- _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf settings, such as the umask and environment
- variables, will be applied, if present. This option is only
- available on systems with BSD login classes.
-
- -\b-E\bE, -\b--\b-p\bpr\bre\bes\bse\ber\brv\bve\be-\b-e\ben\bnv\bv
- Indicates to the security policy that the user wishes to
- preserve their existing environment variables. The security
- policy may return an error if the user does not have
- permission to preserve the environment.
-
- -\b--\b-p\bpr\bre\bes\bse\ber\brv\bve\be-\b-e\ben\bnv\bv=\b=l\bli\bis\bst\bt
- Indicates to the security policy that the user wishes to add
- the comma-separated list of environment variables to those
- preserved from the user's environment. The security policy
- may return an error if the user does not have permission to
- preserve the environment.
-
- -\b-e\be, -\b--\b-e\bed\bdi\bit\bt Edit one or more files instead of running a command. In lieu
- of a path name, the string "sudoedit" is used when consulting
- the security policy. If the user is authorized by the
- policy, the following steps are taken:
-
- 1. Temporary copies are made of the files to be edited
- with the owner set to the invoking user.
-
- 2. The editor specified by the policy is run to edit the
- temporary files. The _\bs_\bu_\bd_\bo_\be_\br_\bs policy uses the
- SUDO_EDITOR, VISUAL and EDITOR environment variables
- (in that order). If none of SUDO_EDITOR, VISUAL or
- EDITOR are set, the first program listed in the _\be_\bd_\bi_\bt_\bo_\br
- sudoers(4) option is used.
-
- 3. If they have been modified, the temporary files are
- copied back to their original location and the
- temporary versions are removed.
-
- To help prevent the editing of unauthorized files, the
- following restrictions are enforced unless explicitly allowed
- by the security policy:
-
- +\b+\bo\bo Symbolic links may not be edited (version 1.8.15 and
- higher).
-
- +\b+\bo\bo Symbolic links along the path to be edited are not
- followed when the parent directory is writable by the
- invoking user unless that user is root (version 1.8.16
- and higher).
-
- +\b+\bo\bo Files located in a directory that is writable by the
- invoking user may not be edited unless that user is root
- (version 1.8.16 and higher).
-
- Users are never allowed to edit device special files.
-
- If the specified file does not exist, it will be created.
- Note that unlike most commands run by _\bs_\bu_\bd_\bo, the editor is run
- with the invoking user's environment unmodified. If, for
- some reason, s\bsu\bud\bdo\bo is unable to update a file with its edited
- version, the user will receive a warning and the edited copy
- will remain in a temporary file.
-
- -\b-g\bg _\bg_\br_\bo_\bu_\bp, -\b--\b-g\bgr\bro\bou\bup\bp=_\bg_\br_\bo_\bu_\bp
- Run the command with the primary group set to _\bg_\br_\bo_\bu_\bp instead
- of the primary group specified by the target user's password
- database entry. The _\bg_\br_\bo_\bu_\bp may be either a group name or a
- numeric group ID (GID) prefixed with the `#' character (e.g.,
- #0 for GID 0). When running a command as a GID, many shells
- require that the `#' be escaped with a backslash (`\'). If
- no -\b-u\bu option is specified, the command will be run as the
- invoking user. In either case, the primary group will be set
- to _\bg_\br_\bo_\bu_\bp. The _\bs_\bu_\bd_\bo_\be_\br_\bs policy permits any of the target
- user's groups to be specified via the -\b-g\bg option as long as
- the -\b-P\bP option is not in use.
-
- -\b-H\bH, -\b--\b-s\bse\bet\bt-\b-h\bho\bom\bme\be
- Request that the security policy set the HOME environment
- variable to the home directory specified by the target user's
- password database entry. Depending on the policy, this may
- be the default behavior.
-
- -\b-h\bh, -\b--\b-h\bhe\bel\blp\bp Display a short help message to the standard output and exit.
-
- -\b-h\bh _\bh_\bo_\bs_\bt, -\b--\b-h\bho\bos\bst\bt=_\bh_\bo_\bs_\bt
- Run the command on the specified _\bh_\bo_\bs_\bt if the security policy
- plugin supports remote commands. Note that the _\bs_\bu_\bd_\bo_\be_\br_\bs
- plugin does not currently support running remote commands.
- This may also be used in conjunction with the -\b-l\bl option to
- list a user's privileges for the remote host.
-
- -\b-i\bi, -\b--\b-l\blo\bog\bgi\bin\bn
- Run the shell specified by the target user's password
- database entry as a login shell. This means that login-
- specific resource files such as _\b._\bp_\br_\bo_\bf_\bi_\bl_\be, _\b._\bb_\ba_\bs_\bh_\b__\bp_\br_\bo_\bf_\bi_\bl_\be or
- _\b._\bl_\bo_\bg_\bi_\bn will be read by the shell. If a command is specified,
- it is passed to the shell for execution via the shell's -\b-c\bc
- option. If no command is specified, an interactive shell is
- executed. s\bsu\bud\bdo\bo attempts to change to that user's home
- directory before running the shell. The command is run with
- an environment similar to the one a user would receive at log
- in. Note that most shells behave differently when a command
- is specified as compared to an interactive session; consult
- the shell's manual for details. The _\bC_\bo_\bm_\bm_\ba_\bn_\bd _\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt
- section in the sudoers(4) manual documents how the -\b-i\bi option
- affects the environment in which a command is run when the
- _\bs_\bu_\bd_\bo_\be_\br_\bs policy is in use.
-
- -\b-K\bK, -\b--\b-r\bre\bem\bmo\bov\bve\be-\b-t\bti\bim\bme\bes\bst\bta\bam\bmp\bp
- Similar to the -\b-k\bk option, except that it removes the user's
- cached credentials entirely and may not be used in
- conjunction with a command or other option. This option does
- not require a password. Not all security policies support
- credential caching.
-
- -\b-k\bk, -\b--\b-r\bre\bes\bse\bet\bt-\b-t\bti\bim\bme\bes\bst\bta\bam\bmp\bp
- When used without a command, invalidates the user's cached
- credentials. In other words, the next time s\bsu\bud\bdo\bo is run a
- password will be required. This option does not require a
- password and was added to allow a user to revoke s\bsu\bud\bdo\bo
- permissions from a _\b._\bl_\bo_\bg_\bo_\bu_\bt file.
-
- When used in conjunction with a command or an option that may
- require a password, this option will cause s\bsu\bud\bdo\bo to ignore the
- user's cached credentials. As a result, s\bsu\bud\bdo\bo will prompt for
- a password (if one is required by the security policy) and
- will not update the user's cached credentials.
-
- Not all security policies support credential caching.
-
- -\b-l\bl, -\b--\b-l\bli\bis\bst\bt If no _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified, list the allowed (and forbidden)
- commands for the invoking user (or the user specified by the
- -\b-U\bU option) on the current host. A longer list format is used
- if this option is specified multiple times and the security
- policy supports a verbose output format.
-
- If a _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified and is permitted by the security
- policy, the fully-qualified path to the command is displayed
- along with any command line arguments. If a _\bc_\bo_\bm_\bm_\ba_\bn_\bd is
- specified but not allowed by the policy, s\bsu\bud\bdo\bo will exit with
- a status value of 1.
-
- -\b-n\bn, -\b--\b-n\bno\bon\bn-\b-i\bin\bnt\bte\ber\bra\bac\bct\bti\biv\bve\be
- Avoid prompting the user for input of any kind. If a
- password is required for the command to run, s\bsu\bud\bdo\bo will
- display an error message and exit.
-
- -\b-P\bP, -\b--\b-p\bpr\bre\bes\bse\ber\brv\bve\be-\b-g\bgr\bro\bou\bup\bps\bs
- Preserve the invoking user's group vector unaltered. By
- default, the _\bs_\bu_\bd_\bo_\be_\br_\bs policy will initialize the group vector
- to the list of groups the target user is a member of. The
- real and effective group IDs, however, are still set to match
- the target user.
-
- -\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt, -\b--\b-p\bpr\bro\bom\bmp\bpt\bt=_\bp_\br_\bo_\bm_\bp_\bt
- Use a custom password prompt with optional escape sequences.
- The following percent (`%') escape sequences are supported by
- the _\bs_\bu_\bd_\bo_\be_\br_\bs policy:
-
- %H expanded to the host name including the domain name (on
- if the machine's host name is fully qualified or the _\bf_\bq_\bd_\bn
- option is set in sudoers(4))
-
- %h expanded to the local host name without the domain name
-
- %p expanded to the name of the user whose password is being
- requested (respects the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw, and _\br_\bu_\bn_\ba_\bs_\bp_\bw
- flags in sudoers(4))
-
- %U expanded to the login name of the user the command will
- be run as (defaults to root unless the -\b-u\bu option is also
- specified)
-
- %u expanded to the invoking user's login name
-
- %% two consecutive `%' characters are collapsed into a
- single `%' character
-
- The custom prompt will override the default prompt specified
- by either the security policy or the SUDO_PROMPT environment
- variable. On systems that use PAM, the custom prompt will
- also override the prompt specified by a PAM module unless the
- _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be flag is disabled in _\bs_\bu_\bd_\bo_\be_\br_\bs.
-
- -\b-r\br _\br_\bo_\bl_\be, -\b--\b-r\bro\bol\ble\be=_\br_\bo_\bl_\be
- Run the command with an SELinux security context that
- includes the specified _\br_\bo_\bl_\be.
-
- -\b-S\bS, -\b--\b-s\bst\btd\bdi\bin\bn
- Write the prompt to the standard error and read the password
- from the standard input instead of using the terminal device.
-
- -\b-s\bs, -\b--\b-s\bsh\bhe\bel\bll\bl
- Run the shell specified by the SHELL environment variable if
- it is set or the shell specified by the invoking user's
- password database entry. If a command is specified, it is
- passed to the shell for execution via the shell's -\b-c\bc option.
- If no command is specified, an interactive shell is executed.
- Note that most shells behave differently when a command is
- specified as compared to an interactive session; consult the
- shell's manual for details.
-
- -\b-t\bt _\bt_\by_\bp_\be, -\b--\b-t\bty\byp\bpe\be=_\bt_\by_\bp_\be
- Run the command with an SELinux security context that
- includes the specified _\bt_\by_\bp_\be. If no _\bt_\by_\bp_\be is specified, the
- default type is derived from the role.
-
- -\b-U\bU _\bu_\bs_\be_\br, -\b--\b-o\bot\bth\bhe\ber\br-\b-u\bus\bse\ber\br=_\bu_\bs_\be_\br
- Used in conjunction with the -\b-l\bl option to list the privileges
- for _\bu_\bs_\be_\br instead of for the invoking user. The security
- policy may restrict listing other users' privileges. The
- _\bs_\bu_\bd_\bo_\be_\br_\bs policy only allows root or a user with the ALL
- privilege on the current host to use this option.
-
- -\b-T\bT _\bt_\bi_\bm_\be_\bo_\bu_\bt, -\b--\b-c\bco\bom\bmm\bma\ban\bnd\bd-\b-t\bti\bim\bme\beo\bou\but\bt=_\bt_\bi_\bm_\be_\bo_\bu_\bt
- Used to set a timeout for the command. If the timeout
- expires before the command has exited, the command will be
- terminated. The security policy may restrict the ability to
- set command timeouts. The _\bs_\bu_\bd_\bo_\be_\br_\bs policy requires that user-
- specified timeouts be explicitly enabled.
-
- -\b-u\bu _\bu_\bs_\be_\br, -\b--\b-u\bus\bse\ber\br=_\bu_\bs_\be_\br
- Run the command as a user other than the default target user
- (usually _\br_\bo_\bo_\bt). The _\bu_\bs_\be_\br may be either a user name or a
- numeric user ID (UID) prefixed with the `#' character (e.g.,
- #0 for UID 0). When running commands as a UID, many shells
- require that the `#' be escaped with a backslash (`\'). Some
- security policies may restrict UIDs to those listed in the
- password database. The _\bs_\bu_\bd_\bo_\be_\br_\bs policy allows UIDs that are
- not in the password database as long as the _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw option
- is not set. Other security policies may not support this.
-
- -\b-V\bV, -\b--\b-v\bve\ber\brs\bsi\bio\bon\bn
- Print the s\bsu\bud\bdo\bo version string as well as the version string
- of the security policy plugin and any I/O plugins. If the
- invoking user is already root the -\b-V\bV option will display the
- arguments passed to configure when s\bsu\bud\bdo\bo was built and plugins
- may display more verbose information such as default options.
-
- -\b-v\bv, -\b--\b-v\bva\bal\bli\bid\bda\bat\bte\be
- Update the user's cached credentials, authenticating the user
- if necessary. For the _\bs_\bu_\bd_\bo_\be_\br_\bs plugin, this extends the s\bsu\bud\bdo\bo
- timeout for another 5 minutes by default, but does not run a
- command. Not all security policies support cached
- credentials.
-
- -\b--\b- The -\b--\b- option indicates that s\bsu\bud\bdo\bo should stop processing
- command line arguments.
-
- Environment variables to be set for the command may also be passed on the
- command line in the form of _\bV_\bA_\bR=_\bv_\ba_\bl_\bu_\be, e.g.,
- LD_LIBRARY_PATH=_\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bp_\bk_\bg_\b/_\bl_\bi_\bb. Variables passed on the command line
- are subject to restrictions imposed by the security policy plugin. The
- _\bs_\bu_\bd_\bo_\be_\br_\bs policy subjects variables passed on the command line to the same
- restrictions as normal environment variables with one important
- exception. If the _\bs_\be_\bt_\be_\bn_\bv option is set in _\bs_\bu_\bd_\bo_\be_\br_\bs, the command to be run
- has the SETENV tag set or the command matched is ALL, the user may set
- variables that would otherwise be forbidden. See sudoers(4) for more
- information.
-
-C\bCO\bOM\bMM\bMA\bAN\bND\bD E\bEX\bXE\bEC\bCU\bUT\bTI\bIO\bON\bN
- When s\bsu\bud\bdo\bo executes a command, the security policy specifies the execution
- environment for the command. Typically, the real and effective user and
- group and IDs are set to match those of the target user, as specified in
- the password database, and the group vector is initialized based on the
- group database (unless the -\b-P\bP option was specified).
-
- The following parameters may be specified by security policy:
-
- +\b+\bo\bo real and effective user ID
-
- +\b+\bo\bo real and effective group ID
-
- +\b+\bo\bo supplementary group IDs
-
- +\b+\bo\bo the environment list
-
- +\b+\bo\bo current working directory
-
- +\b+\bo\bo file creation mode mask (umask)
-
- +\b+\bo\bo SELinux role and type
-
- +\b+\bo\bo Solaris project
-
- +\b+\bo\bo Solaris privileges
-
- +\b+\bo\bo BSD login class
-
- +\b+\bo\bo scheduling priority (aka nice value)
-
- P\bPr\bro\boc\bce\bes\bss\bs m\bmo\bod\bde\bel\bl
- There are two distinct ways s\bsu\bud\bdo\bo can run a command.
-
- If an I/O logging plugin is configured or if the security policy
- explicitly requests it, a new pseudo-terminal ("pty") is allocated and
- fork(2) is used to create a second s\bsu\bud\bdo\bo process, referred to as the
- _\bm_\bo_\bn_\bi_\bt_\bo_\br. The _\bm_\bo_\bn_\bi_\bt_\bo_\br creates a new terminal session with itself as the
- leader and the pty as its controlling terminal, calls fork(2), sets up
- the execution environment as described above, and then uses the execve(2)
- system call to run the command in the child process. The _\bm_\bo_\bn_\bi_\bt_\bo_\br exists
- to relay job control signals between the user's existing terminal and the
- pty the command is being run in. This makes it possible to suspend and
- resume the command. Without the monitor, the command would be in what
- POSIX terms an "orphaned process group" and it would not receive any job
- control signals from the kernel. When the command exits or is terminated
- by a signal, the _\bm_\bo_\bn_\bi_\bt_\bo_\br passes the command's exit status to the main
- s\bsu\bud\bdo\bo process and exits. After receiving the command's exit status, the
- main s\bsu\bud\bdo\bo passes the command's exit status to the security policy's close
- function and exits.
-
- If no pty is used, s\bsu\bud\bdo\bo calls fork(2), sets up the execution environment
- as described above, and uses the execve(2) system call to run the command
- in the child process. The main s\bsu\bud\bdo\bo process waits until the command has
- completed, then passes the command's exit status to the security policy's
- close function and exits. As a special case, if the policy plugin does
- not define a close function, s\bsu\bud\bdo\bo will execute the command directly
- instead of calling fork(2) first. The _\bs_\bu_\bd_\bo_\be_\br_\bs policy plugin will only
- define a close function when I/O logging is enabled, a pty is required,
- or the _\bp_\ba_\bm_\b__\bs_\be_\bs_\bs_\bi_\bo_\bn or _\bp_\ba_\bm_\b__\bs_\be_\bt_\bc_\br_\be_\bd options are enabled. Note that
- _\bp_\ba_\bm_\b__\bs_\be_\bs_\bs_\bi_\bo_\bn and _\bp_\ba_\bm_\b__\bs_\be_\bt_\bc_\br_\be_\bd are enabled by default on systems using PAM.
-
- S\bSi\big\bgn\bna\bal\bl h\bha\ban\bnd\bdl\bli\bin\bng\bg
- When the command is run as a child of the s\bsu\bud\bdo\bo process, s\bsu\bud\bdo\bo will relay
- signals it receives to the command. The SIGINT and SIGQUIT signals are
- only relayed when the command is being run in a new pty or when the
- signal was sent by a user process, not the kernel. This prevents the
- command from receiving SIGINT twice each time the user enters control-C.
- Some signals, such as SIGSTOP and SIGKILL, cannot be caught and thus will
- not be relayed to the command. As a general rule, SIGTSTP should be used
- instead of SIGSTOP when you wish to suspend a command being run by s\bsu\bud\bdo\bo.
-
- As a special case, s\bsu\bud\bdo\bo will not relay signals that were sent by the
- command it is running. This prevents the command from accidentally
- killing itself. On some systems, the reboot(1m) command sends SIGTERM to
- all non-system processes other than itself before rebooting the system.
- This prevents s\bsu\bud\bdo\bo from relaying the SIGTERM signal it received back to
- reboot(1m), which might then exit before the system was actually rebooted,
- leaving it in a half-dead state similar to single user mode. Note,
- however, that this check only applies to the command run by s\bsu\bud\bdo\bo and not
- any other processes that the command may create. As a result, running a
- script that calls reboot(1m) or shutdown(1m) via s\bsu\bud\bdo\bo may cause the system
- to end up in this undefined state unless the reboot(1m) or shutdown(1m) are
- run using the e\bex\bxe\bec\bc() family of functions instead of s\bsy\bys\bst\bte\bem\bm() (which
- interposes a shell between the command and the calling process).
-
- If no I/O logging plugins are loaded and the policy plugin has not
- defined a c\bcl\blo\bos\bse\be() function, set a command timeout or required that the
- command be run in a new pty, s\bsu\bud\bdo\bo may execute the command directly
- instead of running it as a child process.
-
- P\bPl\blu\bug\bgi\bin\bns\bs
- Plugins may be specified via Plugin directives in the sudo.conf(4) file.
- They may be loaded as dynamic shared objects (on systems that support
- them), or compiled directly into the s\bsu\bud\bdo\bo binary. If no sudo.conf(4)
- file is present, or it contains no Plugin lines, s\bsu\bud\bdo\bo will use the
- traditional _\bs_\bu_\bd_\bo_\be_\br_\bs security policy and I/O logging. See the
- sudo.conf(4) manual for details of the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf file and the
- sudo_plugin(4) manual for more information about the s\bsu\bud\bdo\bo plugin
- architecture.
-
-E\bEX\bXI\bIT\bT V\bVA\bAL\bLU\bUE\bE
- Upon successful execution of a command, the exit status from s\bsu\bud\bdo\bo will be
- the exit status of the program that was executed. If the command
- terminated due to receipt of a signal, s\bsu\bud\bdo\bo will send itself the same
- signal that terminated the command.
-
- If the -\b-l\bl option was specified without a command, s\bsu\bud\bdo\bo will exit with a
- value of 0 if the user is allowed to run s\bsu\bud\bdo\bo and they authenticated
- successfully (as required by the security policy). If a command is
- specified with the -\b-l\bl option, the exit value will only be 0 if the
- command is permitted by the security policy, otherwise it will be 1.
-
- If there is an authentication failure, a configuration/permission problem
- or if the given command cannot be executed, s\bsu\bud\bdo\bo exits with a value of 1.
- In the latter case, the error string is printed to the standard error.
- If s\bsu\bud\bdo\bo cannot stat(2) one or more entries in the user's PATH, an error
- is printed to the standard error. (If the directory does not exist or if
- it is not really a directory, the entry is ignored and no error is
- printed.) This should not happen under normal circumstances. The most
- common reason for stat(2) to return "permission denied" is if you are
- running an automounter and one of the directories in your PATH is on a
- machine that is currently unreachable.
-
-S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
- s\bsu\bud\bdo\bo tries to be safe when executing external commands.
-
- To prevent command spoofing, s\bsu\bud\bdo\bo checks "." and "" (both denoting
- current directory) last when searching for a command in the user's PATH
- (if one or both are in the PATH). Note, however, that the actual PATH
- environment variable is _\bn_\bo_\bt modified and is passed unchanged to the
- program that s\bsu\bud\bdo\bo executes.
-
- Users should _\bn_\be_\bv_\be_\br be granted s\bsu\bud\bdo\bo privileges to execute files that are
- writable by the user or that reside in a directory that is writable by
- the user. If the user can modify or replace the command there is no way
- to limit what additional commands they can run.
-
- Please note that s\bsu\bud\bdo\bo will normally only log the command it explicitly
- runs. If a user runs a command such as sudo su or sudo sh, subsequent
- commands run from that shell are not subject to s\bsu\bud\bdo\bo's security policy.
- The same is true for commands that offer shell escapes (including most
- editors). If I/O logging is enabled, subsequent commands will have their
- input and/or output logged, but there will not be traditional logs for
- those commands. Because of this, care must be taken when giving users
- access to commands via s\bsu\bud\bdo\bo to verify that the command does not
- inadvertently give the user an effective root shell. For more
- information, please see the _\bP_\br_\be_\bv_\be_\bn_\bt_\bi_\bn_\bg _\bs_\bh_\be_\bl_\bl _\be_\bs_\bc_\ba_\bp_\be_\bs section in
- sudoers(4).
-
- To prevent the disclosure of potentially sensitive information, s\bsu\bud\bdo\bo
- disables core dumps by default while it is executing (they are re-enabled
- for the command that is run). This historical practice dates from a time
- when most operating systems allowed setuid processes to dump core by
- default. To aid in debugging s\bsu\bud\bdo\bo crashes, you may wish to re-enable
- core dumps by setting "disable_coredump" to false in the sudo.conf(4)
- file as follows:
-
- Set disable_coredump false
-
- See the sudo.conf(4) manual for more information.
-
-E\bEN\bNV\bVI\bIR\bRO\bON\bNM\bME\bEN\bNT\bT
- s\bsu\bud\bdo\bo utilizes the following environment variables. The security policy
- has control over the actual content of the command's environment.
-
- EDITOR Default editor to use in -\b-e\be (sudoedit) mode if neither
- SUDO_EDITOR nor VISUAL is set.
-
- MAIL Set to the mail spool of the target user when the -\b-i\bi
- option is specified or when _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt is enabled in
- _\bs_\bu_\bd_\bo_\be_\br_\bs (unless MAIL is present in the _\be_\bn_\bv_\b__\bk_\be_\be_\bp list).
-
- HOME Set to the home directory of the target user when the -\b-i\bi
- or -\b-H\bH options are specified, when the -\b-s\bs option is
- specified and _\bs_\be_\bt_\b__\bh_\bo_\bm_\be is set in _\bs_\bu_\bd_\bo_\be_\br_\bs, when
- _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be is enabled in _\bs_\bu_\bd_\bo_\be_\br_\bs, or when _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt
- is enabled in _\bs_\bu_\bd_\bo_\be_\br_\bs and _\bH_\bO_\bM_\bE is not present in the
- _\be_\bn_\bv_\b__\bk_\be_\be_\bp list.
-
- LOGNAME Set to the login name of the target user when the -\b-i\bi
- option is specified, when the _\bs_\be_\bt_\b__\bl_\bo_\bg_\bn_\ba_\bm_\be option is
- enabled in _\bs_\bu_\bd_\bo_\be_\br_\bs or when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is
- enabled in _\bs_\bu_\bd_\bo_\be_\br_\bs (unless LOGNAME is present in the
- _\be_\bn_\bv_\b__\bk_\be_\be_\bp list).
-
- PATH May be overridden by the security policy.
-
- SHELL Used to determine shell to run with -\b-s\bs option.
-
- SUDO_ASKPASS Specifies the path to a helper program used to read the
- password if no terminal is available or if the -\b-A\bA option
- is specified.
-
- SUDO_COMMAND Set to the command run by sudo.
-
- SUDO_EDITOR Default editor to use in -\b-e\be (sudoedit) mode.
-
- SUDO_GID Set to the group ID of the user who invoked sudo.
-
- SUDO_PROMPT Used as the default password prompt unless the -\b-p\bp option
- was specified.
-
- SUDO_PS1 If set, PS1 will be set to its value for the program
- being run.
-
- SUDO_UID Set to the user ID of the user who invoked sudo.
-
- SUDO_USER Set to the login name of the user who invoked sudo.
-
- USER Set to the same value as LOGNAME, described above.
-
- VISUAL Default editor to use in -\b-e\be (sudoedit) mode if
- SUDO_EDITOR is not set.
-
-F\bFI\bIL\bLE\bES\bS
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf s\bsu\bud\bdo\bo front end configuration
-
-E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
- Note: the following examples assume a properly configured security
- policy.
-
- To get a file listing of an unreadable directory:
-
- $ sudo ls /usr/local/protected
-
- To list the home directory of user yaz on a machine where the file system
- holding ~yaz is not exported as root:
-
- $ sudo -u yaz ls ~yaz
-
- To edit the _\bi_\bn_\bd_\be_\bx_\b._\bh_\bt_\bm_\bl file as user www:
-
- $ sudoedit -u www ~www/htdocs/index.html
-
- To view system logs only accessible to root and users in the adm group:
-
- $ sudo -g adm more /var/log/syslog
-
- To run an editor as jim with a different primary group:
-
- $ sudoedit -u jim -g audio ~jim/sound.txt
-
- To shut down a machine:
-
- $ sudo shutdown -r +15 "quick reboot"
-
- To make a usage listing of the directories in the /home partition. Note
- that this runs the commands in a sub-shell to make the cd and file
- redirection work.
-
- $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
-
-D\bDI\bIA\bAG\bGN\bNO\bOS\bST\bTI\bIC\bCS\bS
- Error messages produced by s\bsu\bud\bdo\bo include:
-
- editing files in a writable directory is not permitted
- By default, s\bsu\bud\bdo\boe\bed\bdi\bit\bt does not permit editing a file when any of the
- parent directories are writable by the invoking user. This avoids
- a race condition that could allow the user to overwrite an
- arbitrary file. See the _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt_\b__\bc_\bh_\be_\bc_\bk_\bd_\bi_\br option in sudoers(4) for
- more information.
-
- editing symbolic links is not permitted
- By default, s\bsu\bud\bdo\boe\bed\bdi\bit\bt does not follow symbolic links when opening
- files. See the _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt_\b__\bf_\bo_\bl_\bl_\bo_\bw option in sudoers(4) for more
- information.
-
- effective uid is not 0, is sudo installed setuid root?
- s\bsu\bud\bdo\bo was not run with root privileges. The s\bsu\bud\bdo\bo binary must be
- owned by the root user and have the Set-user-ID bit set. Also, it
- must not be located on a file system mounted with the `nosuid'
- option or on an NFS file system that maps uid 0 to an unprivileged
- uid.
-
- effective uid is not 0, is sudo on a file system with the 'nosuid' option
- set or an NFS file system without root privileges?
- s\bsu\bud\bdo\bo was not run with root privileges. The s\bsu\bud\bdo\bo binary has the
- proper owner and permissions but it still did not run with root
- privileges. The most common reason for this is that the file
- system the s\bsu\bud\bdo\bo binary is located on is mounted with the `nosuid'
- option or it is an NFS file system that maps uid 0 to an
- unprivileged uid.
-
- fatal error, unable to load plugins
- An error occurred while loading or initializing the plugins
- specified in sudo.conf(4).
-
- invalid environment variable name
- One or more environment variable names specified via the -\b-E\bE option
- contained an equal sign (`='). The arguments to the -\b-E\bE option
- should be environment variable names without an associated value.
-
- no password was provided
- When s\bsu\bud\bdo\bo tried to read the password, it did not receive any
- characters. This may happen if no terminal is available (or the -\b-S\bS
- option is specified) and the standard input has been redirected
- from _\b/_\bd_\be_\bv_\b/_\bn_\bu_\bl_\bl.
-
- no tty present and no askpass program specified
- s\bsu\bud\bdo\bo needs to read the password but there is no mechanism available
- to do so. A terminal is not present to read the password from,
- s\bsu\bud\bdo\bo has not been configured to read from the standard input, and
- no askpass program has been specified either via the -\b-A\bA option or
- the SUDO_ASKPASS environment variable.
-
- no writable temporary directory found
- s\bsu\bud\bdo\boe\bed\bdi\bit\bt was unable to find a usable temporary directory in which
- to store its intermediate files.
-
- sudo must be owned by uid 0 and have the setuid bit set
- s\bsu\bud\bdo\bo was not run with root privileges. The s\bsu\bud\bdo\bo binary does not
- have the correct owner or permissions. It must be owned by the
- root user and have the Set-user-ID bit set.
-
- sudoedit is not supported on this platform
- It is only possible to run s\bsu\bud\bdo\boe\bed\bdi\bit\bt on systems that support setting
- the effective user-ID.
-
- timed out reading password
- The user did not enter a password before the password timeout (5
- minutes by default) expired.
-
- you do not exist in the passwd database
- Your user ID does not appear in the system passwd database.
-
- you may not specify environment variables in edit mode
- It is only possible to specify environment variables when running a
- command. When editing a file, the editor is run with the user's
- environment unmodified.
-
-S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- su(1), stat(2), login_cap(3), passwd(4), sudo.conf(4), sudo_plugin(4),
- sudoers(4), sudoreplay(1m), visudo(1m)
-
-H\bHI\bIS\bST\bTO\bOR\bRY\bY
- See the HISTORY file in the s\bsu\bud\bdo\bo distribution
- (https://www.sudo.ws/history.html) for a brief history of sudo.
-
-A\bAU\bUT\bTH\bHO\bOR\bRS\bS
- Many people have worked on s\bsu\bud\bdo\bo over the years; this version consists of
- code written primarily by:
-
- Todd C. Miller
-
- See the CONTRIBUTORS file in the s\bsu\bud\bdo\bo distribution
- (https://www.sudo.ws/contributors.html) for an exhaustive list of people
- who have contributed to s\bsu\bud\bdo\bo.
-
-C\bCA\bAV\bVE\bEA\bAT\bTS\bS
- There is no easy way to prevent a user from gaining a root shell if that
- user is allowed to run arbitrary commands via s\bsu\bud\bdo\bo. Also, many programs
- (such as editors) allow the user to run commands via shell escapes, thus
- avoiding s\bsu\bud\bdo\bo's checks. However, on most systems it is possible to
- prevent shell escapes with the sudoers(4) plugin's _\bn_\bo_\be_\bx_\be_\bc functionality.
-
- It is not meaningful to run the cd command directly via sudo, e.g.,
-
- $ sudo cd /usr/local/protected
-
- since when the command exits the parent process (your shell) will still
- be the same. Please see the _\bE_\bX_\bA_\bM_\bP_\bL_\bE_\bS section for more information.
-
- Running shell scripts via s\bsu\bud\bdo\bo can expose the same kernel bugs that make
- setuid shell scripts unsafe on some operating systems (if your OS has a
- /dev/fd/ directory, setuid shell scripts are generally safe).
-
-B\bBU\bUG\bGS\bS
- If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
- https://bugzilla.sudo.ws/
-
-S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Limited free support is available via the sudo-users mailing list, see
- https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
- the archives.
-
-D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- s\bsu\bud\bdo\bo is provided "AS IS" and any express or implied warranties,
- including, but not limited to, the implied warranties of merchantability
- and fitness for a particular purpose are disclaimed. See the LICENSE
- file distributed with s\bsu\bud\bdo\bo or https://www.sudo.ws/license.html for
- complete details.
-
-Sudo 1.8.28 May 27, 2019 Sudo 1.8.28
+++ /dev/null
-SUDO.CONF(4) File Formats Manual SUDO.CONF(4)
-
-N\bNA\bAM\bME\bE
- s\bsu\bud\bdo\bo.\b.c\bco\bon\bnf\bf - configuration for sudo front end
-
-D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- The s\bsu\bud\bdo\bo.\b.c\bco\bon\bnf\bf file is used to configure the s\bsu\bud\bdo\bo front end. It specifies
- the security policy and I/O logging plugins, debug flags as well as
- plugin-agnostic path names and settings.
-
- The s\bsu\bud\bdo\bo.\b.c\bco\bon\bnf\bf file supports the following directives, described in detail
- below.
-
- Plugin a security policy or I/O logging plugin
-
- Path a plugin-agnostic path
-
- Set a front end setting, such as _\bd_\bi_\bs_\ba_\bb_\bl_\be_\b__\bc_\bo_\br_\be_\bd_\bu_\bm_\bp or _\bg_\br_\bo_\bu_\bp_\b__\bs_\bo_\bu_\br_\bc_\be
-
- Debug debug flags to aid in debugging s\bsu\bud\bdo\bo, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by, v\bvi\bis\bsu\bud\bdo\bo, and
- the s\bsu\bud\bdo\boe\ber\brs\bs plugin.
-
- The pound sign (`#') is used to indicate a comment. Both the comment
- character and any text after it, up to the end of the line, are ignored.
-
- Long lines can be continued with a backslash (`\') as the last character
- on the line. Note that leading white space is removed from the beginning
- of lines even when the continuation character is used.
-
- Non-comment lines that don't begin with Plugin, Path, Debug, or Set are
- silently ignored.
-
- The s\bsu\bud\bdo\bo.\b.c\bco\bon\bnf\bf file is always parsed in the "C" locale.
-
- P\bPl\blu\bug\bgi\bin\bn c\bco\bon\bnf\bfi\big\bgu\bur\bra\bat\bti\bio\bon\bn
- s\bsu\bud\bdo\bo supports a plugin architecture for security policies and
- input/output logging. Third parties can develop and distribute their own
- policy and I/O logging plugins to work seamlessly with the s\bsu\bud\bdo\bo front
- end. Plugins are dynamically loaded based on the contents of s\bsu\bud\bdo\bo.\b.c\bco\bon\bnf\bf.
-
- A Plugin line consists of the Plugin keyword, followed by the _\bs_\by_\bm_\bb_\bo_\bl_\b__\bn_\ba_\bm_\be
- and the _\bp_\ba_\bt_\bh to the dynamic shared object that contains the plugin. The
- _\bs_\by_\bm_\bb_\bo_\bl_\b__\bn_\ba_\bm_\be is the name of the struct policy_plugin or struct io_plugin
- symbol contained in the plugin. The _\bp_\ba_\bt_\bh may be fully qualified or
- relative. If not fully qualified, it is relative to the directory
- specified by the _\bp_\bl_\bu_\bg_\bi_\bn_\b__\bd_\bi_\br Path setting, which defaults to
- _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc_\b/_\bs_\bu_\bd_\bo. In other words:
-
- Plugin sudoers_policy sudoers.so
-
- is equivalent to:
-
- Plugin sudoers_policy /usr/local/libexec/sudo/sudoers.so
-
- If the plugin was compiled statically into the s\bsu\bud\bdo\bo binary instead of
- being installed as a dynamic shared object, the _\bp_\ba_\bt_\bh should be specified
- without a leading directory, as it does not actually exist in the file
- system. For example:
-
- Plugin sudoers_policy sudoers.so
-
- Starting with s\bsu\bud\bdo\bo 1.8.5, any additional parameters after the _\bp_\ba_\bt_\bh are
- passed as arguments to the plugin's _\bo_\bp_\be_\bn function. For example, to
- override the compile-time default sudoers file mode:
-
- Plugin sudoers_policy sudoers.so sudoers_mode=0440
-
- See the sudoers(4) manual for a list of supported arguments.
-
- The same dynamic shared object may contain multiple plugins, each with a
- different symbol name. The file must be owned by uid 0 and only writable
- by its owner. Because of ambiguities that arise from composite policies,
- only a single policy plugin may be specified. This limitation does not
- apply to I/O plugins.
-
- If no s\bsu\bud\bdo\bo.\b.c\bco\bon\bnf\bf file is present, or if it contains no Plugin lines, the
- s\bsu\bud\bdo\boe\ber\brs\bs plugin will be used as the default security policy and for I/O
- logging (if enabled by the policy). This is equivalent to the following:
-
- Plugin sudoers_policy sudoers.so
- Plugin sudoers_io sudoers.so
-
- For more information on the s\bsu\bud\bdo\bo plugin architecture, see the
- sudo_plugin(4) manual.
-
- P\bPa\bat\bth\bh s\bse\bet\btt\bti\bin\bng\bgs\bs
- A Path line consists of the Path keyword, followed by the name of the
- path to set and its value. For example:
-
- Path noexec /usr/local/libexec/sudo/sudo_noexec.so
- Path askpass /usr/X11R6/bin/ssh-askpass
-
- If no path name is specified, features relying on the specified setting
- will be disabled. Disabling Path settings is only supported in s\bsu\bud\bdo\bo
- version 1.8.16 and higher.
-
- The following plugin-agnostic paths may be set in the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf
- file:
-
- askpass The fully qualified path to a helper program used to read the
- user's password when no terminal is available. This may be the
- case when s\bsu\bud\bdo\bo is executed from a graphical (as opposed to
- text-based) application. The program specified by _\ba_\bs_\bk_\bp_\ba_\bs_\bs
- should display the argument passed to it as the prompt and
- write the user's password to the standard output. The value of
- _\ba_\bs_\bk_\bp_\ba_\bs_\bs may be overridden by the SUDO_ASKPASS environment
- variable.
-
- devsearch
- An ordered, colon-separated search path of directories to look
- in for device nodes. This is used when mapping the process's
- tty device number to a device name on systems that do not
- provide such a mechanism. Sudo will _\bn_\bo_\bt recurse into sub-
- directories. If terminal devices may be located in a sub-
- directory of _\b/_\bd_\be_\bv, that path must be explicitly listed in
- _\bd_\be_\bv_\bs_\be_\ba_\br_\bc_\bh. The default value is:
- /dev/pts:/dev/vt:/dev/term:/dev/zcons:/dev/pty:/dev
-
- This option is ignored on systems that support either the
- d\bde\bev\bvn\bna\bam\bme\be() or _\b_t\btt\bty\byn\bna\bam\bme\be_\b_d\bde\bev\bv() functions, for example BSD, macOS
- and Solaris.
-
- noexec The fully-qualified path to a shared library containing
- wrappers for the e\bex\bxe\bec\bcl\bl(), e\bex\bxe\bec\bcl\ble\be(), e\bex\bxe\bec\bcl\blp\bp(), e\bex\bxe\bec\bct\bt(), e\bex\bxe\bec\bcv\bv(),
- e\bex\bxe\bec\bcv\bve\be(), e\bex\bxe\bec\bcv\bvP\bP(), e\bex\bxe\bec\bcv\bvp\bp(), e\bex\bxe\bec\bcv\bvp\bpe\be(), f\bfe\bex\bxe\bec\bcv\bve\be(), p\bpo\bop\bpe\ben\bn(),
- p\bpo\bos\bsi\bix\bx_\b_s\bsp\bpa\baw\bwn\bn(), p\bpo\bos\bsi\bix\bx_\b_s\bsp\bpa\baw\bwn\bnp\bp(), s\bsy\bys\bst\bte\bem\bm(), and w\bwo\bor\brd\bde\bex\bxp\bp() library
- functions that prevent the execution of further commands. This
- is used to implement the _\bn_\bo_\be_\bx_\be_\bc functionality on systems that
- support LD_PRELOAD or its equivalent. The default value is:
- _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc_\b/_\bs_\bu_\bd_\bo_\b/_\bs_\bu_\bd_\bo_\b__\bn_\bo_\be_\bx_\be_\bc_\b._\bs_\bo.
-
- plugin_dir
- The default directory to use when searching for plugins that
- are specified without a fully qualified path name. The default
- value is _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc_\b/_\bs_\bu_\bd_\bo.
-
- sesh The fully-qualified path to the s\bse\bes\bsh\bh binary. This setting is
- only used when s\bsu\bud\bdo\bo is built with SELinux support. The default
- value is _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc_\b/_\bs_\bu_\bd_\bo_\b/_\bs_\be_\bs_\bh.
-
- O\bOt\bth\bhe\ber\br s\bse\bet\btt\bti\bin\bng\bgs\bs
- The s\bsu\bud\bdo\bo.\b.c\bco\bon\bnf\bf file also supports the following front end settings:
-
- disable_coredump
- Core dumps of s\bsu\bud\bdo\bo itself are disabled by default to prevent
- the disclosure of potentially sensitive information. To aid in
- debugging s\bsu\bud\bdo\bo crashes, you may wish to re-enable core dumps by
- setting "disable_coredump" to false in s\bsu\bud\bdo\bo.\b.c\bco\bon\bnf\bf as follows:
-
- Set disable_coredump false
-
- All modern operating systems place restrictions on core dumps
- from setuid processes like s\bsu\bud\bdo\bo so this option can be enabled
- without compromising security. To actually get a s\bsu\bud\bdo\bo core
- file you will likely need to enable core dumps for setuid
- processes. On BSD and Linux systems this is accomplished in
- the sysctl(1m) command. On Solaris, the coreadm(1m) command is
- used to configure core dump behavior.
-
- This setting is only available in s\bsu\bud\bdo\bo version 1.8.4 and
- higher.
-
- group_source
- s\bsu\bud\bdo\bo passes the invoking user's group list to the policy and
- I/O plugins. On most systems, there is an upper limit to the
- number of groups that a user may belong to simultaneously
- (typically 16 for compatibility with NFS). On systems with the
- getconf(1) utility, running:
- getconf NGROUPS_MAX
- will return the maximum number of groups.
-
- However, it is still possible to be a member of a larger number
- of groups--they simply won't be included in the group list
- returned by the kernel for the user. Starting with s\bsu\bud\bdo\bo
- version 1.8.7, if the user's kernel group list has the maximum
- number of entries, s\bsu\bud\bdo\bo will consult the group database
- directly to determine the group list. This makes it possible
- for the security policy to perform matching by group name even
- when the user is a member of more than the maximum number of
- groups.
-
- The _\bg_\br_\bo_\bu_\bp_\b__\bs_\bo_\bu_\br_\bc_\be setting allows the administrator to change
- this default behavior. Supported values for _\bg_\br_\bo_\bu_\bp_\b__\bs_\bo_\bu_\br_\bc_\be are:
-
- static Use the static group list that the kernel returns.
- Retrieving the group list this way is very fast but
- it is subject to an upper limit as described above.
- It is "static" in that it does not reflect changes to
- the group database made after the user logs in. This
- was the default behavior prior to s\bsu\bud\bdo\bo 1.8.7.
-
- dynamic Always query the group database directly. It is
- "dynamic" in that changes made to the group database
- after the user logs in will be reflected in the group
- list. On some systems, querying the group database
- for all of a user's groups can be time consuming when
- querying a network-based group database. Most
- operating systems provide an efficient method of
- performing such queries. Currently, s\bsu\bud\bdo\bo supports
- efficient group queries on AIX, BSD, HP-UX, Linux and
- Solaris.
-
- adaptive Only query the group database if the static group
- list returned by the kernel has the maximum number of
- entries. This is the default behavior in s\bsu\bud\bdo\bo 1.8.7
- and higher.
-
- For example, to cause s\bsu\bud\bdo\bo to only use the kernel's static list
- of groups for the user:
-
- Set group_source static
-
- This setting is only available in s\bsu\bud\bdo\bo version 1.8.7 and
- higher.
-
- max_groups
- The maximum number of user groups to retrieve from the group
- database. Values less than one will be ignored. This setting
- is only used when querying the group database directly. It is
- intended to be used on systems where it is not possible to
- detect when the array to be populated with group entries is not
- sufficiently large. By default, s\bsu\bud\bdo\bo will allocate four times
- the system's maximum number of groups (see above) and retry
- with double that number if the group database query fails.
-
- This setting is only available in s\bsu\bud\bdo\bo version 1.8.7 and
- higher. It should not be required in s\bsu\bud\bdo\bo versions 1.8.24 and
- higher and may be removed in a later release.
-
- probe_interfaces
- By default, s\bsu\bud\bdo\bo will probe the system's network interfaces and
- pass the IP address of each enabled interface to the policy
- plugin. This makes it possible for the plugin to match rules
- based on the IP address without having to query DNS. On Linux
- systems with a large number of virtual interfaces, this may
- take a non-negligible amount of time. If IP-based matching is
- not required, network interface probing can be disabled as
- follows:
-
- Set probe_interfaces false
-
- This setting is only available in s\bsu\bud\bdo\bo version 1.8.10 and
- higher.
-
- D\bDe\beb\bbu\bug\bg f\bfl\bla\bag\bgs\bs
- s\bsu\bud\bdo\bo versions 1.8.4 and higher support a flexible debugging framework
- that can help track down what s\bsu\bud\bdo\bo is doing internally if there is a
- problem.
-
- A Debug line consists of the Debug keyword, followed by the name of the
- program (or plugin) to debug (s\bsu\bud\bdo\bo, v\bvi\bis\bsu\bud\bdo\bo, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by, s\bsu\bud\bdo\boe\ber\brs\bs), the
- debug file name and a comma-separated list of debug flags. The debug
- flag syntax used by s\bsu\bud\bdo\bo and the s\bsu\bud\bdo\boe\ber\brs\bs plugin is _\bs_\bu_\bb_\bs_\by_\bs_\bt_\be_\bm@_\bp_\br_\bi_\bo_\br_\bi_\bt_\by but
- a plugin is free to use a different format so long as it does not include
- a comma (`,').
-
- For example:
-
- Debug sudo /var/log/sudo_debug all@warn,plugin@info
-
- would log all debugging statements at the _\bw_\ba_\br_\bn level and higher in
- addition to those at the _\bi_\bn_\bf_\bo level for the plugin subsystem.
-
- As of s\bsu\bud\bdo\bo 1.8.12, multiple Debug entries may be specified per program.
- Older versions of s\bsu\bud\bdo\bo only support a single Debug entry per program.
- Plugin-specific Debug entries are also supported starting with s\bsu\bud\bdo\bo
- 1.8.12 and are matched by either the base name of the plugin that was
- loaded (for example sudoers.so) or by the plugin's fully-qualified path
- name. Previously, the s\bsu\bud\bdo\boe\ber\brs\bs plugin shared the same Debug entry as the
- s\bsu\bud\bdo\bo front end and could not be configured separately.
-
- The following priorities are supported, in order of decreasing severity:
- _\bc_\br_\bi_\bt, _\be_\br_\br, _\bw_\ba_\br_\bn, _\bn_\bo_\bt_\bi_\bc_\be, _\bd_\bi_\ba_\bg, _\bi_\bn_\bf_\bo, _\bt_\br_\ba_\bc_\be and _\bd_\be_\bb_\bu_\bg. Each priority,
- when specified, also includes all priorities higher than it. For
- example, a priority of _\bn_\bo_\bt_\bi_\bc_\be would include debug messages logged at
- _\bn_\bo_\bt_\bi_\bc_\be and higher.
-
- The priorities _\bt_\br_\ba_\bc_\be and _\bd_\be_\bb_\bu_\bg also include function call tracing which
- logs when a function is entered and when it returns. For example, the
- following trace is for the g\bge\bet\bt_\b_u\bus\bse\ber\br_\b_g\bgr\bro\bou\bup\bps\bs() function located in
- src/sudo.c:
-
- sudo[123] -> get_user_groups @ src/sudo.c:385
- sudo[123] <- get_user_groups @ src/sudo.c:429 := groups=10,0,5
-
- When the function is entered, indicated by a right arrow `->', the
- program, process ID, function, source file and line number are logged.
- When the function returns, indicated by a left arrow `<-', the same
- information is logged along with the return value. In this case, the
- return value is a string.
-
- The following subsystems are used by the s\bsu\bud\bdo\bo front-end:
-
- _\ba_\bl_\bl matches every subsystem
-
- _\ba_\br_\bg_\bs command line argument processing
-
- _\bc_\bo_\bn_\bv user conversation
-
- _\be_\bd_\bi_\bt sudoedit
-
- _\be_\bv_\be_\bn_\bt event subsystem
-
- _\be_\bx_\be_\bc command execution
-
- _\bm_\ba_\bi_\bn s\bsu\bud\bdo\bo main function
-
- _\bn_\be_\bt_\bi_\bf network interface handling
-
- _\bp_\bc_\bo_\bm_\bm communication with the plugin
-
- _\bp_\bl_\bu_\bg_\bi_\bn plugin configuration
-
- _\bp_\bt_\by pseudo-tty related code
-
- _\bs_\be_\bl_\bi_\bn_\bu_\bx SELinux-specific handling
-
- _\bu_\bt_\bi_\bl utility functions
-
- _\bu_\bt_\bm_\bp utmp handling
-
- The sudoers(4) plugin includes support for additional subsystems.
-
-F\bFI\bIL\bLE\bES\bS
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf s\bsu\bud\bdo\bo front end configuration
-
-E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
- #
- # Default /etc/sudo.conf file
- #
- # Format:
- # Plugin plugin_name plugin_path plugin_options ...
- # Path askpass /path/to/askpass
- # Path noexec /path/to/sudo_noexec.so
- # Debug sudo /var/log/sudo_debug all@warn
- # Set disable_coredump true
- #
- # The plugin_path is relative to /usr/local/libexec/sudo unless
- # fully qualified.
- # The plugin_name corresponds to a global symbol in the plugin
- # that contains the plugin interface structure.
- # The plugin_options are optional.
- #
- # The sudoers plugin is used by default if no Plugin lines are
- # present.
- Plugin sudoers_policy sudoers.so
- Plugin sudoers_io sudoers.so
-
- #
- # Sudo askpass:
- #
- # An askpass helper program may be specified to provide a graphical
- # password prompt for "sudo -A" support. Sudo does not ship with
- # its own askpass program but can use the OpenSSH askpass.
- #
- # Use the OpenSSH askpass
- #Path askpass /usr/X11R6/bin/ssh-askpass
- #
- # Use the Gnome OpenSSH askpass
- #Path askpass /usr/libexec/openssh/gnome-ssh-askpass
-
- #
- # Sudo noexec:
- #
- # Path to a shared library containing dummy versions of the execv(),
- # execve() and fexecve() library functions that just return an error.
- # This is used to implement the "noexec" functionality on systems that
- # support C<LD_PRELOAD> or its equivalent.
- # The compiled-in value is usually sufficient and should only be
- # changed if you rename or move the sudo_noexec.so file.
- #
- #Path noexec /usr/local/libexec/sudo/sudo_noexec.so
-
- #
- # Core dumps:
- #
- # By default, sudo disables core dumps while it is executing
- # (they are re-enabled for the command that is run).
- # To aid in debugging sudo problems, you may wish to enable core
- # dumps by setting "disable_coredump" to false.
- #
- #Set disable_coredump false
-
- #
- # User groups:
- #
- # Sudo passes the user's group list to the policy plugin.
- # If the user is a member of the maximum number of groups (usually 16),
- # sudo will query the group database directly to be sure to include
- # the full list of groups.
- #
- # On some systems, this can be expensive so the behavior is configurable.
- # The "group_source" setting has three possible values:
- # static - use the user's list of groups returned by the kernel.
- # dynamic - query the group database to find the list of groups.
- # adaptive - if user is in less than the maximum number of groups.
- # use the kernel list, else query the group database.
- #
- #Set group_source static
-
-S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- sudo_plugin(4), sudoers(4), sudo(1m)
-
-H\bHI\bIS\bST\bTO\bOR\bRY\bY
- See the HISTORY file in the s\bsu\bud\bdo\bo distribution
- (https://www.sudo.ws/history.html) for a brief history of sudo.
-
-A\bAU\bUT\bTH\bHO\bOR\bRS\bS
- Many people have worked on s\bsu\bud\bdo\bo over the years; this version consists of
- code written primarily by:
-
- Todd C. Miller
-
- See the CONTRIBUTORS file in the s\bsu\bud\bdo\bo distribution
- (https://www.sudo.ws/contributors.html) for an exhaustive list of people
- who have contributed to s\bsu\bud\bdo\bo.
-
-B\bBU\bUG\bGS\bS
- If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
- https://bugzilla.sudo.ws/
-
-S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Limited free support is available via the sudo-users mailing list, see
- https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
- the archives.
-
-D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- s\bsu\bud\bdo\bo is provided "AS IS" and any express or implied warranties,
- including, but not limited to, the implied warranties of merchantability
- and fitness for a particular purpose are disclaimed. See the LICENSE
- file distributed with s\bsu\bud\bdo\bo or https://www.sudo.ws/license.html for
- complete details.
-
-Sudo 1.8.28 October 7, 2018 Sudo 1.8.28
+++ /dev/null
-SUDO_PLUGIN(4) File Formats Manual SUDO_PLUGIN(4)
-
-N\bNA\bAM\bME\bE
- s\bsu\bud\bdo\bo_\b_p\bpl\blu\bug\bgi\bin\bn - Sudo Plugin API
-
-D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- Starting with version 1.8, s\bsu\bud\bdo\bo supports a plugin API for policy and
- session logging. Plugins may be compiled as dynamic shared objects (the
- default on systems that support them) or compiled statically into the
- s\bsu\bud\bdo\bo binary itself. By default, the s\bsu\bud\bdo\boe\ber\brs\bs policy plugin and an
- associated I/O logging plugin are used. Via the plugin API, s\bsu\bud\bdo\bo can be
- configured to use alternate policy and/or I/O logging plugins provided by
- third parties. The plugins to be used are specified in the sudo.conf(4)
- file.
-
- The API is versioned with a major and minor number. The minor version
- number is incremented when additions are made. The major number is
- incremented when incompatible changes are made. A plugin should be check
- the version passed to it and make sure that the major version matches.
-
- The plugin API is defined by the sudo_plugin.h header file.
-
- P\bPo\bol\bli\bic\bcy\by p\bpl\blu\bug\bgi\bin\bn A\bAP\bPI\bI
- A policy plugin must declare and populate a policy_plugin struct in the
- global scope. This structure contains pointers to the functions that
- implement the s\bsu\bud\bdo\bo policy checks. The name of the symbol should be
- specified in sudo.conf(4) along with a path to the plugin so that s\bsu\bud\bdo\bo
- can load it.
-
- struct policy_plugin {
- #define SUDO_POLICY_PLUGIN 1
- unsigned int type; /* always SUDO_POLICY_PLUGIN */
- unsigned int version; /* always SUDO_API_VERSION */
- int (*open)(unsigned int version, sudo_conv_t conversation,
- sudo_printf_t plugin_printf, char * const settings[],
- char * const user_info[], char * const user_env[],
- char * const plugin_options[]);
- void (*close)(int exit_status, int error);
- int (*show_version)(int verbose);
- int (*check_policy)(int argc, char * const argv[],
- char *env_add[], char **command_info[],
- char **argv_out[], char **user_env_out[]);
- int (*list)(int argc, char * const argv[], int verbose,
- const char *list_user);
- int (*validate)(void);
- void (*invalidate)(int remove);
- int (*init_session)(struct passwd *pwd, char **user_env[]);
- void (*register_hooks)(int version,
- int (*register_hook)(struct sudo_hook *hook));
- void (*deregister_hooks)(int version,
- int (*deregister_hook)(struct sudo_hook *hook));
- };
-
- The policy_plugin struct has the following fields:
-
- type The type field should always be set to SUDO_POLICY_PLUGIN.
-
- version
- The version field should be set to SUDO_API_VERSION.
-
- This allows s\bsu\bud\bdo\bo to determine the API version the plugin was built
- against.
-
- open
- int (*open)(unsigned int version, sudo_conv_t conversation,
- sudo_printf_t plugin_printf, char * const settings[],
- char * const user_info[], char * const user_env[],
- char * const plugin_options[]);
-
- Returns 1 on success, 0 on failure, -1 if a general error occurred,
- or -2 if there was a usage error. In the latter case, s\bsu\bud\bdo\bo will
- print a usage message before it exits. If an error occurs, the
- plugin may optionally call the c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() or p\bpl\blu\bug\bgi\bin\bn_\b_p\bpr\bri\bin\bnt\btf\bf()
- function with SUDO_CONF_ERROR_MSG to present additional error
- information to the user.
-
- The function arguments are as follows:
-
- version
- The version passed in by s\bsu\bud\bdo\bo allows the plugin to determine
- the major and minor version number of the plugin API
- supported by s\bsu\bud\bdo\bo.
-
- conversation
- A pointer to the c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() function that can be used by
- the plugin to interact with the user (see below). Returns 0
- on success and -1 on failure.
-
- plugin_printf
- A pointer to a p\bpr\bri\bin\bnt\btf\bf()-style function that may be used to
- display informational or error messages (see below). Returns
- the number of characters printed on success and -1 on
- failure.
-
- settings
- A vector of user-supplied s\bsu\bud\bdo\bo settings in the form of
- "name=value" strings. The vector is terminated by a NULL
- pointer. These settings correspond to flags the user
- specified when running s\bsu\bud\bdo\bo. As such, they will only be
- present when the corresponding flag has been specified on the
- command line.
-
- When parsing _\bs_\be_\bt_\bt_\bi_\bn_\bg_\bs, the plugin should split on the f\bfi\bir\brs\bst\bt
- equal sign (`=') since the _\bn_\ba_\bm_\be field will never include one
- itself but the _\bv_\ba_\bl_\bu_\be might.
-
- bsdauth_type=string
- Authentication type, if specified by the -\b-a\ba flag, to
- use on systems where BSD authentication is supported.
-
- closefrom=number
- If specified, the user has requested via the -\b-C\bC flag
- that s\bsu\bud\bdo\bo close all files descriptors with a value of
- _\bn_\bu_\bm_\bb_\be_\br or higher. The plugin may optionally pass this,
- or another value, back in the _\bc_\bo_\bm_\bm_\ba_\bn_\bd_\b__\bi_\bn_\bf_\bo list.
-
- debug_flags=string
- A debug file path name followed by a space and a comma-
- separated list of debug flags that correspond to the
- plugin's Debug entry in sudo.conf(4), if there is one.
- The flags are passed to the plugin exactly as they
- appear in sudo.conf(4). The syntax used by s\bsu\bud\bdo\bo and
- the s\bsu\bud\bdo\boe\ber\brs\bs plugin is _\bs_\bu_\bb_\bs_\by_\bs_\bt_\be_\bm@_\bp_\br_\bi_\bo_\br_\bi_\bt_\by but a plugin
- is free to use a different format so long as it does
- not include a comma (`,'). Prior to s\bsu\bud\bdo\bo 1.8.12, there
- was no way to specify plugin-specific _\bd_\be_\bb_\bu_\bg_\b__\bf_\bl_\ba_\bg_\bs so
- the value was always the same as that used by the s\bsu\bud\bdo\bo
- front end and did not include a path name, only the
- flags themselves. As of version 1.7 of the plugin
- interface, s\bsu\bud\bdo\bo will only pass _\bd_\be_\bb_\bu_\bg_\b__\bf_\bl_\ba_\bg_\bs if
- sudo.conf(4) contains a plugin-specific Debug entry.
-
- debug_level=number
- This setting has been deprecated in favor of
- _\bd_\be_\bb_\bu_\bg_\b__\bf_\bl_\ba_\bg_\bs.
-
- ignore_ticket=bool
- Set to true if the user specified the -\b-k\bk flag along
- with a command, indicating that the user wishes to
- ignore any cached authentication credentials.
- _\bi_\bm_\bp_\bl_\bi_\be_\bd_\b__\bs_\bh_\be_\bl_\bl to true. This allows s\bsu\bud\bdo\bo with no
- arguments to be used similarly to su(1). If the plugin
- does not to support this usage, it may return a value
- of -2 from the c\bch\bhe\bec\bck\bk_\b_p\bpo\bol\bli\bic\bcy\by() function, which will
- cause s\bsu\bud\bdo\bo to print a usage message and exit.
-
- implied_shell=bool
- If the user does not specify a program on the command
- line, s\bsu\bud\bdo\bo will pass the plugin the path to the user's
- shell and set
-
- login_class=string
- BSD login class to use when setting resource limits and
- nice value, if specified by the -\b-c\bc flag.
-
- login_shell=bool
- Set to true if the user specified the -\b-i\bi flag,
- indicating that the user wishes to run a login shell.
-
- max_groups=int
- The maximum number of groups a user may belong to.
- This will only be present if there is a corresponding
- setting in sudo.conf(4).
-
- network_addrs=list
- A space-separated list of IP network addresses and
- netmasks in the form "addr/netmask", e.g.,
- "192.168.1.2/255.255.255.0". The address and netmask
- pairs may be either IPv4 or IPv6, depending on what the
- operating system supports. If the address contains a
- colon (`:'), it is an IPv6 address, else it is IPv4.
-
- noninteractive=bool
- Set to true if the user specified the -\b-n\bn flag,
- indicating that s\bsu\bud\bdo\bo should operate in non-interactive
- mode. The plugin may reject a command run in non-
- interactive mode if user interaction is required.
-
- plugin_dir=string
- The default plugin directory used by the s\bsu\bud\bdo\bo front
- end. This is the default directory set at compile time
- and may not correspond to the directory the running
- plugin was loaded from. It may be used by a plugin to
- locate support files.
-
- plugin_path=string
- The path name of plugin loaded by the s\bsu\bud\bdo\bo front end.
- The path name will be a fully-qualified unless the
- plugin was statically compiled into s\bsu\bud\bdo\bo.
-
- preserve_environment=bool
- Set to true if the user specified the -\b-E\bE flag,
- indicating that the user wishes to preserve the
- environment.
-
- preserve_groups=bool
- Set to true if the user specified the -\b-P\bP flag,
- indicating that the user wishes to preserve the group
- vector instead of setting it based on the runas user.
-
- progname=string
- The command name that sudo was run as, typically "sudo"
- or "sudoedit".
-
- prompt=string
- The prompt to use when requesting a password, if
- specified via the -\b-p\bp flag.
-
- remote_host=string
- The name of the remote host to run the command on, if
- specified via the -\b-h\bh option. Support for running the
- command on a remote host is meant to be implemented via
- a helper program that is executed in place of the user-
- specified command. The s\bsu\bud\bdo\bo front end is only capable
- of executing commands on the local host. Only
- available starting with API version 1.4.
-
- run_shell=bool
- Set to true if the user specified the -\b-s\bs flag,
- indicating that the user wishes to run a shell.
-
- runas_group=string
- The group name or gid to run the command as, if
- specified via the -\b-g\bg flag.
-
- runas_user=string
- The user name or uid to run the command as, if
- specified via the -\b-u\bu flag.
-
- selinux_role=string
- SELinux role to use when executing the command, if
- specified by the -\b-r\br flag.
-
- selinux_type=string
- SELinux type to use when executing the command, if
- specified by the -\b-t\bt flag.
-
- set_home=bool
- Set to true if the user specified the -\b-H\bH flag. If
- true, set the HOME environment variable to the target
- user's home directory.
-
- sudoedit=bool
- Set to true when the -\b-e\be flag is specified or if invoked
- as s\bsu\bud\bdo\boe\bed\bdi\bit\bt. The plugin shall substitute an editor
- into _\ba_\br_\bg_\bv in the c\bch\bhe\bec\bck\bk_\b_p\bpo\bol\bli\bic\bcy\by() function or return -2
- with a usage error if the plugin does not support
- _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt. For more information, see the _\bc_\bh_\be_\bc_\bk_\b__\bp_\bo_\bl_\bi_\bc_\by
- section.
-
- timeout=string
- User-specified command timeout. Not all plugins
- support command timeouts and the ability for the user
- to set a timeout may be restricted by policy. The
- format of the timeout string is plugin-specific.
-
- Additional settings may be added in the future so the plugin
- should silently ignore settings that it does not recognize.
-
- user_info
- A vector of information about the user running the command in
- the form of "name=value" strings. The vector is terminated
- by a NULL pointer.
-
- When parsing _\bu_\bs_\be_\br_\b__\bi_\bn_\bf_\bo, the plugin should split on the f\bfi\bir\brs\bst\bt
- equal sign (`=') since the _\bn_\ba_\bm_\be field will never include one
- itself but the _\bv_\ba_\bl_\bu_\be might.
-
- cols=int
- The number of columns the user's terminal supports. If
- there is no terminal device available, a default value
- of 80 is used.
-
- cwd=string
- The user's current working directory.
-
- egid=gid_t
- The effective group ID of the user invoking s\bsu\bud\bdo\bo.
-
- euid=uid_t
- The effective user ID of the user invoking s\bsu\bud\bdo\bo.
-
- gid=gid_t
- The real group ID of the user invoking s\bsu\bud\bdo\bo.
-
- groups=list
- The user's supplementary group list formatted as a
- string of comma-separated group IDs.
-
- host=string
- The local machine's hostname as returned by the
- gethostname(2) system call.
-
- lines=int
- The number of lines the user's terminal supports. If
- there is no terminal device available, a default value
- of 24 is used.
-
- pgid=int
- The ID of the process group that the running s\bsu\bud\bdo\bo
- process is a member of. Only available starting with
- API version 1.2.
-
- pid=int
- The process ID of the running s\bsu\bud\bdo\bo process. Only
- available starting with API version 1.2.
-
- plugin_options
- Any (non-comment) strings immediately after the plugin
- path are passed as arguments to the plugin. These
- arguments are split on a white space boundary and are
- passed to the plugin in the form of a NULL-terminated
- array of strings. If no arguments were specified,
- _\bp_\bl_\bu_\bg_\bi_\bn_\b__\bo_\bp_\bt_\bi_\bo_\bn_\bs will be the NULL pointer.
-
- NOTE: the _\bp_\bl_\bu_\bg_\bi_\bn_\b__\bo_\bp_\bt_\bi_\bo_\bn_\bs parameter is only available
- starting with API version 1.2. A plugin m\bmu\bus\bst\bt check the
- API version specified by the s\bsu\bud\bdo\bo front end before
- using _\bp_\bl_\bu_\bg_\bi_\bn_\b__\bo_\bp_\bt_\bi_\bo_\bn_\bs. Failure to do so may result in a
- crash.
-
- ppid=int
- The parent process ID of the running s\bsu\bud\bdo\bo process.
- Only available starting with API version 1.2.
-
- sid=int
- The session ID of the running s\bsu\bud\bdo\bo process or 0 if s\bsu\bud\bdo\bo
- is not part of a POSIX job control session. Only
- available starting with API version 1.2.
-
- tcpgid=int
- The ID of the foreground process group associated with
- the terminal device associated with the s\bsu\bud\bdo\bo process or
- -1 if there is no terminal present. Only available
- starting with API version 1.2.
-
- tty=string
- The path to the user's terminal device. If the user
- has no terminal device associated with the session, the
- value will be empty, as in "tty=".
-
- uid=uid_t
- The real user ID of the user invoking s\bsu\bud\bdo\bo.
-
- umask=octal
- The invoking user's file creation mask. Only available
- starting with API version 1.10.
-
- user=string
- The name of the user invoking s\bsu\bud\bdo\bo.
-
- user_env
- The user's environment in the form of a NULL-terminated
- vector of "name=value" strings.
-
- When parsing _\bu_\bs_\be_\br_\b__\be_\bn_\bv, the plugin should split on the f\bfi\bir\brs\bst\bt
- equal sign (`=') since the _\bn_\ba_\bm_\be field will never include one
- itself but the _\bv_\ba_\bl_\bu_\be might.
-
- close
- void (*close)(int exit_status, int error);
-
- The c\bcl\blo\bos\bse\be() function is called when the command being run by s\bsu\bud\bdo\bo
- finishes.
-
- The function arguments are as follows:
-
- exit_status
- The command's exit status, as returned by the wait(2) system
- call. The value of exit_status is undefined if error is non-
- zero.
-
- error
- If the command could not be executed, this is set to the
- value of errno set by the execve(2) system call. The plugin
- is responsible for displaying error information via the
- c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() or p\bpl\blu\bug\bgi\bin\bn_\b_p\bpr\bri\bin\bnt\btf\bf() function. If the command
- was successfully executed, the value of error is 0.
-
- If no c\bcl\blo\bos\bse\be() function is defined, no I/O logging plugins are
- loaded, and neither the _\bt_\bi_\bm_\be_\bo_\bu_\bt not _\bu_\bs_\be_\b__\bp_\bt_\by options are set in the
- command_info list, the s\bsu\bud\bdo\bo front end may execute the command
- directly instead of running it as a child process.
-
- show_version
- int (*show_version)(int verbose);
-
- The s\bsh\bho\bow\bw_\b_v\bve\ber\brs\bsi\bio\bon\bn() function is called by s\bsu\bud\bdo\bo when the user
- specifies the -\b-V\bV option. The plugin may display its version
- information to the user via the c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() or p\bpl\blu\bug\bgi\bin\bn_\b_p\bpr\bri\bin\bnt\btf\bf()
- function using SUDO_CONV_INFO_MSG. If the user requests detailed
- version information, the verbose flag will be set.
-
- Returns 1 on success, 0 on failure, -1 if a general error occurred,
- or -2 if there was a usage error, although the return value is
- currently ignored.
-
- check_policy
- int (*check_policy)(int argc, char * const argv[],
- char *env_add[], char **command_info[],
- char **argv_out[], char **user_env_out[]);
-
- The c\bch\bhe\bec\bck\bk_\b_p\bpo\bol\bli\bic\bcy\by() function is called by s\bsu\bud\bdo\bo to determine whether
- the user is allowed to run the specified commands.
-
- If the _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt option was enabled in the _\bs_\be_\bt_\bt_\bi_\bn_\bg_\bs array passed to
- the o\bop\bpe\ben\bn() function, the user has requested _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt mode.
- _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt is a mechanism for editing one or more files where an
- editor is run with the user's credentials instead of with elevated
- privileges. s\bsu\bud\bdo\bo achieves this by creating user-writable temporary
- copies of the files to be edited and then overwriting the originals
- with the temporary copies after editing is complete. If the plugin
- supports _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt, it should choose the editor to be used,
- potentially from a variable in the user's environment, such as
- EDITOR, and include it in _\ba_\br_\bg_\bv_\b__\bo_\bu_\bt (note that environment variables
- may include command line flags). The files to be edited should be
- copied from _\ba_\br_\bg_\bv into _\ba_\br_\bg_\bv_\b__\bo_\bu_\bt, separated from the editor and its
- arguments by a "--" element. The "--" will be removed by s\bsu\bud\bdo\bo
- before the editor is executed. The plugin should also set
- _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt_\b=_\bt_\br_\bu_\be in the _\bc_\bo_\bm_\bm_\ba_\bn_\bd_\b__\bi_\bn_\bf_\bo list.
-
- The c\bch\bhe\bec\bck\bk_\b_p\bpo\bol\bli\bic\bcy\by() function returns 1 if the command is allowed, 0
- if not allowed, -1 for a general error, or -2 for a usage error or
- if _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt was specified but is unsupported by the plugin. In the
- latter case, s\bsu\bud\bdo\bo will print a usage message before it exits. If
- an error occurs, the plugin may optionally call the c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn()
- or p\bpl\blu\bug\bgi\bin\bn_\b_p\bpr\bri\bin\bnt\btf\bf() function with SUDO_CONF_ERROR_MSG to present
- additional error information to the user.
-
- The function arguments are as follows:
-
- argc The number of elements in _\ba_\br_\bg_\bv, not counting the final NULL
- pointer.
-
- argv The argument vector describing the command the user wishes to
- run, in the same form as what would be passed to the
- execve(2) system call. The vector is terminated by a NULL
- pointer.
-
- env_add
- Additional environment variables specified by the user on the
- command line in the form of a NULL-terminated vector of
- "name=value" strings. The plugin may reject the command if
- one or more variables are not allowed to be set, or it may
- silently ignore such variables.
-
- When parsing _\be_\bn_\bv_\b__\ba_\bd_\bd, the plugin should split on the f\bfi\bir\brs\bst\bt
- equal sign (`=') since the _\bn_\ba_\bm_\be field will never include one
- itself but the _\bv_\ba_\bl_\bu_\be might.
-
- command_info
- Information about the command being run in the form of
- "name=value" strings. These values are used by s\bsu\bud\bdo\bo to set
- the execution environment when running a command. The plugin
- is responsible for creating and populating the vector, which
- must be terminated with a NULL pointer. The following values
- are recognized by s\bsu\bud\bdo\bo:
-
- chroot=string
- The root directory to use when running the command.
-
- closefrom=number
- If specified, s\bsu\bud\bdo\bo will close all files descriptors
- with a value of _\bn_\bu_\bm_\bb_\be_\br or higher.
-
- command=string
- Fully qualified path to the command to be executed.
-
- cwd=string
- The current working directory to change to when
- executing the command.
-
- exec_background=bool
- By default, s\bsu\bud\bdo\bo runs a command as the foreground
- process as long as s\bsu\bud\bdo\bo itself is running in the
- foreground. When _\be_\bx_\be_\bc_\b__\bb_\ba_\bc_\bk_\bg_\br_\bo_\bu_\bn_\bd is enabled and the
- command is being run in a pty (due to I/O logging or
- the _\bu_\bs_\be_\b__\bp_\bt_\by setting), the command will be run as a
- background process. Attempts to read from the
- controlling terminal (or to change terminal settings)
- will result in the command being suspended with the
- SIGTTIN signal (or SIGTTOU in the case of terminal
- settings). If this happens when s\bsu\bud\bdo\bo is a foreground
- process, the command will be granted the controlling
- terminal and resumed in the foreground with no user
- intervention required. The advantage of initially
- running the command in the background is that s\bsu\bud\bdo\bo need
- not read from the terminal unless the command
- explicitly requests it. Otherwise, any terminal input
- must be passed to the command, whether it has required
- it or not (the kernel buffers terminals so it is not
- possible to tell whether the command really wants the
- input). This is different from historic _\bs_\bu_\bd_\bo behavior
- or when the command is not being run in a pty.
-
- For this to work seamlessly, the operating system must
- support the automatic restarting of system calls.
- Unfortunately, not all operating systems do this by
- default, and even those that do may have bugs. For
- example, macOS fails to restart the t\btc\bcg\bge\bet\bta\bat\btt\btr\br() and
- t\btc\bcs\bse\bet\bta\bat\btt\btr\br() system calls (this is a bug in macOS).
- Furthermore, because this behavior depends on the
- command stopping with the SIGTTIN or SIGTTOU signals,
- programs that catch these signals and suspend
- themselves with a different signal (usually SIGTOP)
- will not be automatically foregrounded. Some versions
- of the linux su(1) command behave this way. Because of
- this, a plugin should not set _\be_\bx_\be_\bc_\b__\bb_\ba_\bc_\bk_\bg_\br_\bo_\bu_\bn_\bd unless it
- is explicitly enabled by the administrator and there
- should be a way to enabled or disable it on a per-
- command basis.
-
- This setting has no effect unless I/O logging is
- enabled or _\bu_\bs_\be_\b__\bp_\bt_\by is enabled.
-
- execfd=number
- If specified, s\bsu\bud\bdo\bo will use the fexecve(2) system call
- to execute the command instead of execve(2). The
- specified _\bn_\bu_\bm_\bb_\be_\br must refer to an open file descriptor.
-
- iolog_compress=bool
- Set to true if the I/O logging plugins, if any, should
- compress the log data. This is a hint to the I/O
- logging plugin which may choose to ignore it.
-
- iolog_group=string
- The group that will own newly created I/O log files and
- directories. This is a hint to the I/O logging plugin
- which may choose to ignore it.
-
- iolog_mode=octal
- The file permission mode to use when creating I/O log
- files and directories. This is a hint to the I/O
- logging plugin which may choose to ignore it.
-
- iolog_user=string
- The user that will own newly created I/O log files and
- directories. This is a hint to the I/O logging plugin
- which may choose to ignore it.
-
- iolog_path=string
- Fully qualified path to the file or directory in which
- I/O log is to be stored. This is a hint to the I/O
- logging plugin which may choose to ignore it. If no
- I/O logging plugin is loaded, this setting has no
- effect.
-
- iolog_stdin=bool
- Set to true if the I/O logging plugins, if any, should
- log the standard input if it is not connected to a
- terminal device. This is a hint to the I/O logging
- plugin which may choose to ignore it.
-
- iolog_stdout=bool
- Set to true if the I/O logging plugins, if any, should
- log the standard output if it is not connected to a
- terminal device. This is a hint to the I/O logging
- plugin which may choose to ignore it.
-
- iolog_stderr=bool
- Set to true if the I/O logging plugins, if any, should
- log the standard error if it is not connected to a
- terminal device. This is a hint to the I/O logging
- plugin which may choose to ignore it.
-
- iolog_ttyin=bool
- Set to true if the I/O logging plugins, if any, should
- log all terminal input. This only includes input typed
- by the user and not from a pipe or redirected from a
- file. This is a hint to the I/O logging plugin which
- may choose to ignore it.
-
- iolog_ttyout=bool
- Set to true if the I/O logging plugins, if any, should
- log all terminal output. This only includes output to
- the screen, not output to a pipe or file. This is a
- hint to the I/O logging plugin which may choose to
- ignore it.
-
- login_class=string
- BSD login class to use when setting resource limits and
- nice value (optional). This option is only set on
- systems that support login classes.
-
- nice=int
- Nice value (priority) to use when executing the
- command. The nice value, if specified, overrides the
- priority associated with the _\bl_\bo_\bg_\bi_\bn_\b__\bc_\bl_\ba_\bs_\bs on BSD
- systems.
-
- noexec=bool
- If set, prevent the command from executing other
- programs.
-
- preserve_fds=list
- A comma-separated list of file descriptors that should
- be preserved, regardless of the value of the _\bc_\bl_\bo_\bs_\be_\bf_\br_\bo_\bm
- setting. Only available starting with API version 1.5.
-
- preserve_groups=bool
- If set, s\bsu\bud\bdo\bo will preserve the user's group vector
- instead of initializing the group vector based on
- runas_user.
-
- runas_egid=gid
- Effective group ID to run the command as. If not
- specified, the value of _\br_\bu_\bn_\ba_\bs_\b__\bg_\bi_\bd is used.
-
- runas_euid=uid
- Effective user ID to run the command as. If not
- specified, the value of _\br_\bu_\bn_\ba_\bs_\b__\bu_\bi_\bd is used.
-
- runas_gid=gid
- Group ID to run the command as.
-
- runas_groups=list
- The supplementary group vector to use for the command
- in the form of a comma-separated list of group IDs. If
- _\bp_\br_\be_\bs_\be_\br_\bv_\be_\b__\bg_\br_\bo_\bu_\bp_\bs is set, this option is ignored.
-
- runas_uid=uid
- User ID to run the command as.
-
- selinux_role=string
- SELinux role to use when executing the command.
-
- selinux_type=string
- SELinux type to use when executing the command.
-
- set_utmp=bool
- Create a utmp (or utmpx) entry when a pseudo-tty is
- allocated. By default, the new entry will be a copy of
- the user's existing utmp entry (if any), with the tty,
- time, type and pid fields updated.
-
- sudoedit=bool
- Set to true when in _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt mode. The plugin may
- enable _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt mode even if s\bsu\bud\bdo\bo was not invoked as
- s\bsu\bud\bdo\boe\bed\bdi\bit\bt. This allows the plugin to perform command
- substitution and transparently enable _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt when the
- user attempts to run an editor.
-
- sudoedit_checkdir=bool
- Set to false to disable directory writability checks in
- s\bsu\bud\bdo\boe\bed\bdi\bit\bt. By default, s\bsu\bud\bdo\boe\bed\bdi\bit\bt 1.8.16 and higher will
- check all directory components of the path to be edited
- for writability by the invoking user. Symbolic links
- will not be followed in writable directories and
- s\bsu\bud\bdo\boe\bed\bdi\bit\bt will refuse to edit a file located in a
- writable directory. These restrictions are not
- enforced when s\bsu\bud\bdo\boe\bed\bdi\bit\bt is run by root. The
- _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt_\b__\bf_\bo_\bl_\bl_\bo_\bw option can be set to false to disable
- this check. Only available starting with API version
- 1.8.
-
- sudoedit_follow=bool
- Set to true to allow s\bsu\bud\bdo\boe\bed\bdi\bit\bt to edit files that are
- symbolic links. By default, s\bsu\bud\bdo\boe\bed\bdi\bit\bt 1.8.15 and higher
- will refuse to open a symbolic link. The
- _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt_\b__\bf_\bo_\bl_\bl_\bo_\bw option can be used to restore the older
- behavior and allow s\bsu\bud\bdo\boe\bed\bdi\bit\bt to open symbolic links.
- Only available starting with API version 1.8.
-
- timeout=int
- Command timeout. If non-zero then when the timeout
- expires the command will be killed.
-
- umask=octal
- The file creation mask to use when executing the
- command.
-
- use_pty=bool
- Allocate a pseudo-tty to run the command in, regardless
- of whether or not I/O logging is in use. By default,
- s\bsu\bud\bdo\bo will only run the command in a pty when an I/O log
- plugin is loaded.
-
- utmp_user=string
- User name to use when constructing a new utmp (or
- utmpx) entry when _\bs_\be_\bt_\b__\bu_\bt_\bm_\bp is enabled. This option can
- be used to set the user field in the utmp entry to the
- user the command runs as rather than the invoking user.
- If not set, s\bsu\bud\bdo\bo will base the new entry on the
- invoking user's existing entry.
-
- Unsupported values will be ignored.
-
- argv_out
- The NULL-terminated argument vector to pass to the execve(2)
- system call when executing the command. The plugin is
- responsible for allocating and populating the vector.
-
- user_env_out
- The NULL-terminated environment vector to use when executing
- the command. The plugin is responsible for allocating and
- populating the vector.
-
- list
- int (*list)(int argc, char * const argv[],
- int verbose, const char *list_user);
-
- List available privileges for the invoking user. Returns 1 on
- success, 0 on failure and -1 on error. On error, the plugin may
- optionally call the c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() or p\bpl\blu\bug\bgi\bin\bn_\b_p\bpr\bri\bin\bnt\btf\bf() function with
- SUDO_CONF_ERROR_MSG to present additional error information to the
- user.
-
- Privileges should be output via the c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() or
- p\bpl\blu\bug\bgi\bin\bn_\b_p\bpr\bri\bin\bnt\btf\bf() function using SUDO_CONV_INFO_MSG,
-
- verbose
- Flag indicating whether to list in verbose mode or not.
-
- list_user
- The name of a different user to list privileges for if the
- policy allows it. If NULL, the plugin should list the
- privileges of the invoking user.
-
- argc The number of elements in _\ba_\br_\bg_\bv, not counting the final NULL
- pointer.
-
- argv If non-NULL, an argument vector describing a command the user
- wishes to check against the policy in the same form as what
- would be passed to the execve(2) system call. If the command
- is permitted by the policy, the fully-qualified path to the
- command should be displayed along with any command line
- arguments.
-
- validate
- int (*validate)(void);
-
- The v\bva\bal\bli\bid\bda\bat\bte\be() function is called when s\bsu\bud\bdo\bo is run with the -\b-v\bv
- flag. For policy plugins such as s\bsu\bud\bdo\boe\ber\brs\bs that cache authentication
- credentials, this function will validate and cache the credentials.
-
- The v\bva\bal\bli\bid\bda\bat\bte\be() function should be NULL if the plugin does not
- support credential caching.
-
- Returns 1 on success, 0 on failure and -1 on error. On error, the
- plugin may optionally call the c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() or p\bpl\blu\bug\bgi\bin\bn_\b_p\bpr\bri\bin\bnt\btf\bf()
- function with SUDO_CONF_ERROR_MSG to present additional error
- information to the user.
-
- invalidate
- void (*invalidate)(int remove);
-
- The i\bin\bnv\bva\bal\bli\bid\bda\bat\bte\be() function is called when s\bsu\bud\bdo\bo is called with the -\b-k\bk
- or -\b-K\bK flag. For policy plugins such as s\bsu\bud\bdo\boe\ber\brs\bs that cache
- authentication credentials, this function will invalidate the
- credentials. If the _\br_\be_\bm_\bo_\bv_\be flag is set, the plugin may remove the
- credentials instead of simply invalidating them.
-
- The i\bin\bnv\bva\bal\bli\bid\bda\bat\bte\be() function should be NULL if the plugin does not
- support credential caching.
-
- init_session
- int (*init_session)(struct passwd *pwd, char **user_envp[);
-
- The i\bin\bni\bit\bt_\b_s\bse\bes\bss\bsi\bio\bon\bn() function is called before s\bsu\bud\bdo\bo sets up the
- execution environment for the command. It is run in the parent
- s\bsu\bud\bdo\bo process and before any uid or gid changes. This can be used
- to perform session setup that is not supported by _\bc_\bo_\bm_\bm_\ba_\bn_\bd_\b__\bi_\bn_\bf_\bo,
- such as opening the PAM session. The c\bcl\blo\bos\bse\be() function can be used
- to tear down the session that was opened by init_session.
-
- The _\bp_\bw_\bd argument points to a passwd struct for the user the command
- will be run as if the uid the command will run as was found in the
- password database, otherwise it will be NULL.
-
- The _\bu_\bs_\be_\br_\b__\be_\bn_\bv argument points to the environment the command will
- run in, in the form of a NULL-terminated vector of "name=value"
- strings. This is the same string passed back to the front end via
- the Policy Plugin's _\bu_\bs_\be_\br_\b__\be_\bn_\bv_\b__\bo_\bu_\bt parameter. If the i\bin\bni\bit\bt_\b_s\bse\bes\bss\bsi\bio\bon\bn()
- function needs to modify the user environment, it should update the
- pointer stored in _\bu_\bs_\be_\br_\b__\be_\bn_\bv. The expected use case is to merge the
- contents of the PAM environment (if any) with the contents of
- _\bu_\bs_\be_\br_\b__\be_\bn_\bv. NOTE: the _\bu_\bs_\be_\br_\b__\be_\bn_\bv parameter is only available starting
- with API version 1.2. A plugin m\bmu\bus\bst\bt check the API version
- specified by the s\bsu\bud\bdo\bo front end before using _\bu_\bs_\be_\br_\b__\be_\bn_\bv. Failure to
- do so may result in a crash.
-
- Returns 1 on success, 0 on failure and -1 on error. On error, the
- plugin may optionally call the c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() or p\bpl\blu\bug\bgi\bin\bn_\b_p\bpr\bri\bin\bnt\btf\bf()
- function with SUDO_CONF_ERROR_MSG to present additional error
- information to the user.
-
- register_hooks
- void (*register_hooks)(int version,
- int (*register_hook)(struct sudo_hook *hook));
-
- The r\bre\beg\bgi\bis\bst\bte\ber\br_\b_h\bho\boo\bok\bks\bs() function is called by the sudo front end to
- register any hooks the plugin needs. If the plugin does not
- support hooks, register_hooks should be set to the NULL pointer.
-
- The _\bv_\be_\br_\bs_\bi_\bo_\bn argument describes the version of the hooks API
- supported by the s\bsu\bud\bdo\bo front end.
-
- The r\bre\beg\bgi\bis\bst\bte\ber\br_\b_h\bho\boo\bok\bk() function should be used to register any
- supported hooks the plugin needs. It returns 0 on success, 1 if
- the hook type is not supported and -1 if the major version in
- struct hook does not match the front end's major hook API version.
-
- See the _\bH_\bo_\bo_\bk _\bf_\bu_\bn_\bc_\bt_\bi_\bo_\bn _\bA_\bP_\bI section below for more information about
- hooks.
-
- NOTE: the r\bre\beg\bgi\bis\bst\bte\ber\br_\b_h\bho\boo\bok\bks\bs() function is only available starting with
- API version 1.2. If the s\bsu\bud\bdo\bo front end doesn't support API version
- 1.2 or higher, register_hooks will not be called.
-
- deregister_hooks
- void (*deregister_hooks)(int version,
- int (*deregister_hook)(struct sudo_hook *hook));
-
- The d\bde\ber\bre\beg\bgi\bis\bst\bte\ber\br_\b_h\bho\boo\bok\bks\bs() function is called by the sudo front end to
- deregister any hooks the plugin has registered. If the plugin does
- not support hooks, deregister_hooks should be set to the NULL
- pointer.
-
- The _\bv_\be_\br_\bs_\bi_\bo_\bn argument describes the version of the hooks API
- supported by the s\bsu\bud\bdo\bo front end.
-
- The d\bde\ber\bre\beg\bgi\bis\bst\bte\ber\br_\b_h\bho\boo\bok\bk() function should be used to deregister any
- hooks that were put in place by the r\bre\beg\bgi\bis\bst\bte\ber\br_\b_h\bho\boo\bok\bk() function. If
- the plugin tries to deregister a hook that the front end does not
- support, deregister_hook will return an error.
-
- See the _\bH_\bo_\bo_\bk _\bf_\bu_\bn_\bc_\bt_\bi_\bo_\bn _\bA_\bP_\bI section below for more information about
- hooks.
-
- NOTE: the d\bde\ber\bre\beg\bgi\bis\bst\bte\ber\br_\b_h\bho\boo\bok\bks\bs() function is only available starting
- with API version 1.2. If the s\bsu\bud\bdo\bo front end doesn't support API
- version 1.2 or higher, deregister_hooks will not be called.
-
- _\bP_\bo_\bl_\bi_\bc_\by _\bP_\bl_\bu_\bg_\bi_\bn _\bV_\be_\br_\bs_\bi_\bo_\bn _\bM_\ba_\bc_\br_\bo_\bs
-
- /* Plugin API version major/minor. */
- #define SUDO_API_VERSION_MAJOR 1
- #define SUDO_API_VERSION_MINOR 13
- #define SUDO_API_MKVERSION(x, y) ((x << 16) | y)
- #define SUDO_API_VERSION SUDO_API_MKVERSION(SUDO_API_VERSION_MAJOR,\
- SUDO_API_VERSION_MINOR)
-
- /* Getters and setters for API version */
- #define SUDO_API_VERSION_GET_MAJOR(v) ((v) >> 16)
- #define SUDO_API_VERSION_GET_MINOR(v) ((v) & 0xffff)
- #define SUDO_API_VERSION_SET_MAJOR(vp, n) do { \
- *(vp) = (*(vp) & 0x0000ffff) | ((n) << 16); \
- } while(0)
- #define SUDO_API_VERSION_SET_MINOR(vp, n) do { \
- *(vp) = (*(vp) & 0xffff0000) | (n); \
- } while(0)
-
- I\bI/\b/O\bO p\bpl\blu\bug\bgi\bin\bn A\bAP\bPI\bI
- struct io_plugin {
- #define SUDO_IO_PLUGIN 2
- unsigned int type; /* always SUDO_IO_PLUGIN */
- unsigned int version; /* always SUDO_API_VERSION */
- int (*open)(unsigned int version, sudo_conv_t conversation,
- sudo_printf_t plugin_printf, char * const settings[],
- char * const user_info[], char * const command_info[],
- int argc, char * const argv[], char * const user_env[],
- char * const plugin_options[]);
- void (*close)(int exit_status, int error); /* wait status or error */
- int (*show_version)(int verbose);
- int (*log_ttyin)(const char *buf, unsigned int len);
- int (*log_ttyout)(const char *buf, unsigned int len);
- int (*log_stdin)(const char *buf, unsigned int len);
- int (*log_stdout)(const char *buf, unsigned int len);
- int (*log_stderr)(const char *buf, unsigned int len);
- void (*register_hooks)(int version,
- int (*register_hook)(struct sudo_hook *hook));
- void (*deregister_hooks)(int version,
- int (*deregister_hook)(struct sudo_hook *hook));
- int (*change_winsize)(unsigned int lines, unsigned int cols);
- int (*log_suspend)(int signo);
- };
-
- When an I/O plugin is loaded, s\bsu\bud\bdo\bo runs the command in a pseudo-tty.
- This makes it possible to log the input and output from the user's
- session. If any of the standard input, standard output or standard error
- do not correspond to a tty, s\bsu\bud\bdo\bo will open a pipe to capture the I/O for
- logging before passing it on.
-
- The log_ttyin function receives the raw user input from the terminal
- device (note that this will include input even when echo is disabled,
- such as when a password is read). The log_ttyout function receives
- output from the pseudo-tty that is suitable for replaying the user's
- session at a later time. The l\blo\bog\bg_\b_s\bst\btd\bdi\bin\bn(), l\blo\bog\bg_\b_s\bst\btd\bdo\bou\but\bt() and l\blo\bog\bg_\b_s\bst\btd\bde\ber\brr\br()
- functions are only called if the standard input, standard output or
- standard error respectively correspond to something other than a tty.
-
- Any of the logging functions may be set to the NULL pointer if no logging
- is to be performed. If the open function returns 0, no I/O will be sent
- to the plugin.
-
- If a logging function returns an error (-1), the running command will be
- terminated and all of the plugin's logging functions will be disabled.
- Other I/O logging plugins will still receive any remaining input or
- output that has not yet been processed.
-
- If an input logging function rejects the data by returning 0, the command
- will be terminated and the data will not be passed to the command, though
- it will still be sent to any other I/O logging plugins. If an output
- logging function rejects the data by returning 0, the command will be
- terminated and the data will not be written to the terminal, though it
- will still be sent to any other I/O logging plugins.
-
- The io_plugin struct has the following fields:
-
- type The type field should always be set to SUDO_IO_PLUGIN.
-
- version
- The version field should be set to SUDO_API_VERSION.
-
- This allows s\bsu\bud\bdo\bo to determine the API version the plugin was built
- against.
-
- open
- int (*open)(unsigned int version, sudo_conv_t conversation,
- sudo_printf_t plugin_printf, char * const settings[],
- char * const user_info[], char * const command_info[],
- int argc, char * const argv[], char * const user_env[],
- char * const plugin_options[]);
-
- The o\bop\bpe\ben\bn() function is run before the l\blo\bog\bg_\b_t\btt\bty\byi\bin\bn(), l\blo\bog\bg_\b_t\btt\bty\byo\bou\but\bt(),
- l\blo\bog\bg_\b_s\bst\btd\bdi\bin\bn(), l\blo\bog\bg_\b_s\bst\btd\bdo\bou\but\bt(), l\blo\bog\bg_\b_s\bst\btd\bde\ber\brr\br(), l\blo\bog\bg_\b_s\bsu\bus\bsp\bpe\ben\bnd\bd(),
- c\bch\bha\ban\bng\bge\be_\b_w\bwi\bin\bns\bsi\biz\bze\be(), or s\bsh\bho\bow\bw_\b_v\bve\ber\brs\bsi\bio\bon\bn() functions are called. It is
- only called if the version is being requested or if the policy
- plugin's c\bch\bhe\bec\bck\bk_\b_p\bpo\bol\bli\bic\bcy\by() function has returned successfully. It
- returns 1 on success, 0 on failure, -1 if a general error occurred,
- or -2 if there was a usage error. In the latter case, s\bsu\bud\bdo\bo will
- print a usage message before it exits. If an error occurs, the
- plugin may optionally call the c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() or p\bpl\blu\bug\bgi\bin\bn_\b_p\bpr\bri\bin\bnt\btf\bf()
- function with SUDO_CONF_ERROR_MSG to present additional error
- information to the user.
-
- The function arguments are as follows:
-
- version
- The version passed in by s\bsu\bud\bdo\bo allows the plugin to determine
- the major and minor version number of the plugin API
- supported by s\bsu\bud\bdo\bo.
-
- conversation
- A pointer to the c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() function that may be used by
- the s\bsh\bho\bow\bw_\b_v\bve\ber\brs\bsi\bio\bon\bn() function to display version information
- (see s\bsh\bho\bow\bw_\b_v\bve\ber\brs\bsi\bio\bon\bn() below). The c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() function may
- also be used to display additional error message to the user.
- The c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() function returns 0 on success and -1 on
- failure.
-
- plugin_printf
- A pointer to a p\bpr\bri\bin\bnt\btf\bf()-style function that may be used by
- the s\bsh\bho\bow\bw_\b_v\bve\ber\brs\bsi\bio\bon\bn() function to display version information
- (see show_version below). The p\bpl\blu\bug\bgi\bin\bn_\b_p\bpr\bri\bin\bnt\btf\bf() function may
- also be used to display additional error message to the user.
- The p\bpl\blu\bug\bgi\bin\bn_\b_p\bpr\bri\bin\bnt\btf\bf() function returns number of characters
- printed on success and -1 on failure.
-
- settings
- A vector of user-supplied s\bsu\bud\bdo\bo settings in the form of
- "name=value" strings. The vector is terminated by a NULL
- pointer. These settings correspond to flags the user
- specified when running s\bsu\bud\bdo\bo. As such, they will only be
- present when the corresponding flag has been specified on the
- command line.
-
- When parsing _\bs_\be_\bt_\bt_\bi_\bn_\bg_\bs, the plugin should split on the f\bfi\bir\brs\bst\bt
- equal sign (`=') since the _\bn_\ba_\bm_\be field will never include one
- itself but the _\bv_\ba_\bl_\bu_\be might.
-
- See the _\bP_\bo_\bl_\bi_\bc_\by _\bp_\bl_\bu_\bg_\bi_\bn _\bA_\bP_\bI section for a list of all possible
- settings.
-
- user_info
- A vector of information about the user running the command in
- the form of "name=value" strings. The vector is terminated
- by a NULL pointer.
-
- When parsing _\bu_\bs_\be_\br_\b__\bi_\bn_\bf_\bo, the plugin should split on the f\bfi\bir\brs\bst\bt
- equal sign (`=') since the _\bn_\ba_\bm_\be field will never include one
- itself but the _\bv_\ba_\bl_\bu_\be might.
-
- See the _\bP_\bo_\bl_\bi_\bc_\by _\bp_\bl_\bu_\bg_\bi_\bn _\bA_\bP_\bI section for a list of all possible
- strings.
-
- argc The number of elements in _\ba_\br_\bg_\bv, not counting the final NULL
- pointer. It can be zero, when s\bsu\bud\bdo\bo is called with -\b-V\bV.
-
- argv If non-NULL, an argument vector describing a command the user
- wishes to run in the same form as what would be passed to the
- execve(2) system call.
-
- user_env
- The user's environment in the form of a NULL-terminated
- vector of "name=value" strings.
-
- When parsing _\bu_\bs_\be_\br_\b__\be_\bn_\bv, the plugin should split on the f\bfi\bir\brs\bst\bt
- equal sign (`=') since the _\bn_\ba_\bm_\be field will never include one
- itself but the _\bv_\ba_\bl_\bu_\be might.
-
- plugin_options
- Any (non-comment) strings immediately after the plugin path
- are treated as arguments to the plugin. These arguments are
- split on a white space boundary and are passed to the plugin
- in the form of a NULL-terminated array of strings. If no
- arguments were specified, _\bp_\bl_\bu_\bg_\bi_\bn_\b__\bo_\bp_\bt_\bi_\bo_\bn_\bs will be the NULL
- pointer.
-
- NOTE: the _\bp_\bl_\bu_\bg_\bi_\bn_\b__\bo_\bp_\bt_\bi_\bo_\bn_\bs parameter is only available starting
- with API version 1.2. A plugin m\bmu\bus\bst\bt check the API version
- specified by the s\bsu\bud\bdo\bo front end before using _\bp_\bl_\bu_\bg_\bi_\bn_\b__\bo_\bp_\bt_\bi_\bo_\bn_\bs.
- Failure to do so may result in a crash.
-
- close
- void (*close)(int exit_status, int error);
-
- The c\bcl\blo\bos\bse\be() function is called when the command being run by s\bsu\bud\bdo\bo
- finishes.
-
- The function arguments are as follows:
-
- exit_status
- The command's exit status, as returned by the wait(2) system
- call. The value of exit_status is undefined if error is non-
- zero.
-
- error
- If the command could not be executed, this is set to the
- value of errno set by the execve(2) system call. If the
- command was successfully executed, the value of error is 0.
-
- show_version
- int (*show_version)(int verbose);
-
- The s\bsh\bho\bow\bw_\b_v\bve\ber\brs\bsi\bio\bon\bn() function is called by s\bsu\bud\bdo\bo when the user
- specifies the -\b-V\bV option. The plugin may display its version
- information to the user via the c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() or p\bpl\blu\bug\bgi\bin\bn_\b_p\bpr\bri\bin\bnt\btf\bf()
- function using SUDO_CONV_INFO_MSG. If the user requests detailed
- version information, the verbose flag will be set.
-
- Returns 1 on success, 0 on failure, -1 if a general error occurred,
- or -2 if there was a usage error, although the return value is
- currently ignored.
-
- log_ttyin
- int (*log_ttyin)(const char *buf, unsigned int len);
-
- The l\blo\bog\bg_\b_t\btt\bty\byi\bin\bn() function is called whenever data can be read from
- the user but before it is passed to the running command. This
- allows the plugin to reject data if it chooses to (for instance if
- the input contains banned content). Returns 1 if the data should
- be passed to the command, 0 if the data is rejected (which will
- terminate the running command) or -1 if an error occurred.
-
- The function arguments are as follows:
-
- buf The buffer containing user input.
-
- len The length of _\bb_\bu_\bf in bytes.
-
- log_ttyout
- int (*log_ttyout)(const char *buf, unsigned int len);
-
- The l\blo\bog\bg_\b_t\btt\bty\byo\bou\but\bt() function is called whenever data can be read from
- the command but before it is written to the user's terminal. This
- allows the plugin to reject data if it chooses to (for instance if
- the output contains banned content). Returns 1 if the data should
- be passed to the user, 0 if the data is rejected (which will
- terminate the running command) or -1 if an error occurred.
-
- The function arguments are as follows:
-
- buf The buffer containing command output.
-
- len The length of _\bb_\bu_\bf in bytes.
-
- log_stdin
- int (*log_stdin)(const char *buf, unsigned int len);
-
- The l\blo\bog\bg_\b_s\bst\btd\bdi\bin\bn() function is only used if the standard input does
- not correspond to a tty device. It is called whenever data can be
- read from the standard input but before it is passed to the running
- command. This allows the plugin to reject data if it chooses to
- (for instance if the input contains banned content). Returns 1 if
- the data should be passed to the command, 0 if the data is rejected
- (which will terminate the running command) or -1 if an error
- occurred.
-
- The function arguments are as follows:
-
- buf The buffer containing user input.
-
- len The length of _\bb_\bu_\bf in bytes.
-
- log_stdout
- int (*log_stdout)(const char *buf, unsigned int len);
-
- The l\blo\bog\bg_\b_s\bst\btd\bdo\bou\but\bt() function is only used if the standard output does
- not correspond to a tty device. It is called whenever data can be
- read from the command but before it is written to the standard
- output. This allows the plugin to reject data if it chooses to
- (for instance if the output contains banned content). Returns 1 if
- the data should be passed to the user, 0 if the data is rejected
- (which will terminate the running command) or -1 if an error
- occurred.
-
- The function arguments are as follows:
-
- buf The buffer containing command output.
-
- len The length of _\bb_\bu_\bf in bytes.
-
- log_stderr
- int (*log_stderr)(const char *buf, unsigned int len);
-
- The l\blo\bog\bg_\b_s\bst\btd\bde\ber\brr\br() function is only used if the standard error does
- not correspond to a tty device. It is called whenever data can be
- read from the command but before it is written to the standard
- error. This allows the plugin to reject data if it chooses to (for
- instance if the output contains banned content). Returns 1 if the
- data should be passed to the user, 0 if the data is rejected (which
- will terminate the running command) or -1 if an error occurred.
-
- The function arguments are as follows:
-
- buf The buffer containing command output.
-
- len The length of _\bb_\bu_\bf in bytes.
-
- register_hooks
- See the _\bP_\bo_\bl_\bi_\bc_\by _\bp_\bl_\bu_\bg_\bi_\bn _\bA_\bP_\bI section for a description of
- register_hooks.
-
- deregister_hooks
- See the _\bP_\bo_\bl_\bi_\bc_\by _\bp_\bl_\bu_\bg_\bi_\bn _\bA_\bP_\bI section for a description of
- deregister_hooks.
-
- change_winsize
- int (*change_winsize)(unsigned int lines, unsigned int cols);
-
- The c\bch\bha\ban\bng\bge\be_\b_w\bwi\bin\bns\bsi\biz\bze\be() function is called whenever the window size of
- the terminal changes from the initial values specified in the
- user_info list. Returns -1 if an error occurred, in which case no
- further calls to c\bch\bha\ban\bng\bge\be_\b_w\bwi\bin\bns\bsi\biz\bze\be() will be made,
-
- log_suspend
- int (*log_suspend)(int signo);
-
- The l\blo\bog\bg_\b_s\bsu\bus\bsp\bpe\ben\bnd\bd() function is called whenever a command is
- suspended or resumed. The _\bs_\bi_\bg_\bn_\bo argument is either the signal that
- caused the command to be suspended or SIGCONT if the command was
- resumed. Logging this information makes it possible to skip the
- period of time when the command was suspended during playback of a
- session. Returns -1 if an error occurred, in which case no further
- calls to l\blo\bog\bg_\b_s\bsu\bus\bsp\bpe\ben\bnd\bd() will be made,
-
- _\bI_\b/_\bO _\bP_\bl_\bu_\bg_\bi_\bn _\bV_\be_\br_\bs_\bi_\bo_\bn _\bM_\ba_\bc_\br_\bo_\bs
-
- Same as for the _\bP_\bo_\bl_\bi_\bc_\by _\bp_\bl_\bu_\bg_\bi_\bn _\bA_\bP_\bI.
-
- S\bSi\big\bgn\bna\bal\bl h\bha\ban\bnd\bdl\ble\ber\brs\bs
- The s\bsu\bud\bdo\bo front end installs default signal handlers to trap common
- signals while the plugin functions are run. The following signals are
- trapped by default before the command is executed:
-
- +\b+\bo\bo SIGALRM
- +\b+\bo\bo SIGHUP
- +\b+\bo\bo SIGINT
- +\b+\bo\bo SIGPIPE
- +\b+\bo\bo SIGQUIT
- +\b+\bo\bo SIGTERM
- +\b+\bo\bo SIGTSTP
- +\b+\bo\bo SIGUSR1
- +\b+\bo\bo SIGUSR2
-
- If a fatal signal is received before the command is executed, s\bsu\bud\bdo\bo will
- call the plugin's c\bcl\blo\bos\bse\be() function with an exit status of 128 plus the
- value of the signal that was received. This allows for consistent
- logging of commands killed by a signal for plugins that log such
- information in their c\bcl\blo\bos\bse\be() function. An exception to this is SIGPIPE,
- which is ignored until the command is executed.
-
- A plugin may temporarily install its own signal handlers but must restore
- the original handler before the plugin function returns.
-
- H\bHo\boo\bok\bk f\bfu\bun\bnc\bct\bti\bio\bon\bn A\bAP\bPI\bI
- Beginning with plugin API version 1.2, it is possible to install hooks
- for certain functions called by the s\bsu\bud\bdo\bo front end.
-
- Currently, the only supported hooks relate to the handling of environment
- variables. Hooks can be used to intercept attempts to get, set, or
- remove environment variables so that these changes can be reflected in
- the version of the environment that is used to execute a command. A
- future version of the API will support hooking internal s\bsu\bud\bdo\bo front end
- functions as well.
-
- _\bH_\bo_\bo_\bk _\bs_\bt_\br_\bu_\bc_\bt_\bu_\br_\be
-
- Hooks in s\bsu\bud\bdo\bo are described by the following structure:
-
- typedef int (*sudo_hook_fn_t)();
-
- struct sudo_hook {
- unsigned int hook_version;
- unsigned int hook_type;
- sudo_hook_fn_t hook_fn;
- void *closure;
- };
-
- The sudo_hook structure has the following fields:
-
- hook_version
- The hook_version field should be set to SUDO_HOOK_VERSION.
-
- hook_type
- The hook_type field may be one of the following supported hook
- types:
-
- SUDO_HOOK_SETENV
- The C library setenv(3) function. Any registered hooks will
- run before the C library implementation. The hook_fn field
- should be a function that matches the following typedef:
-
- typedef int (*sudo_hook_fn_setenv_t)(const char *name,
- const char *value, int overwrite, void *closure);
-
- If the registered hook does not match the typedef the results
- are unspecified.
-
- SUDO_HOOK_UNSETENV
- The C library unsetenv(3) function. Any registered hooks
- will run before the C library implementation. The hook_fn
- field should be a function that matches the following
- typedef:
-
- typedef int (*sudo_hook_fn_unsetenv_t)(const char *name,
- void *closure);
-
- SUDO_HOOK_GETENV
- The C library getenv(3) function. Any registered hooks will
- run before the C library implementation. The hook_fn field
- should be a function that matches the following typedef:
-
- typedef int (*sudo_hook_fn_getenv_t)(const char *name,
- char **value, void *closure);
-
- If the registered hook does not match the typedef the results
- are unspecified.
-
- SUDO_HOOK_PUTENV
- The C library putenv(3) function. Any registered hooks will
- run before the C library implementation. The hook_fn field
- should be a function that matches the following typedef:
-
- typedef int (*sudo_hook_fn_putenv_t)(char *string,
- void *closure);
-
- If the registered hook does not match the typedef the results
- are unspecified.
-
- hook_fn
- sudo_hook_fn_t hook_fn;
-
- The hook_fn field should be set to the plugin's hook
- implementation. The actual function arguments will vary depending
- on the hook_type (see hook_type above). In all cases, the closure
- field of struct sudo_hook is passed as the last function parameter.
- This can be used to pass arbitrary data to the plugin's hook
- implementation.
-
- The function return value may be one of the following:
-
- SUDO_HOOK_RET_ERROR
- The hook function encountered an error.
-
- SUDO_HOOK_RET_NEXT
- The hook completed without error, go on to the next hook
- (including the native implementation if applicable). For
- example, a getenv(3) hook might return SUDO_HOOK_RET_NEXT if
- the specified variable was not found in the private copy of
- the environment.
-
- SUDO_HOOK_RET_STOP
- The hook completed without error, stop processing hooks for
- this invocation. This can be used to replace the native
- implementation. For example, a setenv hook that operates on
- a private copy of the environment but leaves environ
- unchanged.
-
- Note that it is very easy to create an infinite loop when hooking C
- library functions. For example, a getenv(3) hook that calls the
- snprintf(3) function may create a loop if the snprintf(3) implementation
- calls getenv(3) to check the locale. To prevent this, you may wish to
- use a static variable in the hook function to guard against nested calls.
- For example:
-
- static int in_progress = 0; /* avoid recursion */
- if (in_progress)
- return SUDO_HOOK_RET_NEXT;
- in_progress = 1;
- ...
- in_progress = 0;
- return SUDO_HOOK_RET_STOP;
-
- _\bH_\bo_\bo_\bk _\bA_\bP_\bI _\bV_\be_\br_\bs_\bi_\bo_\bn _\bM_\ba_\bc_\br_\bo_\bs
-
- /* Hook API version major/minor */
- #define SUDO_HOOK_VERSION_MAJOR 1
- #define SUDO_HOOK_VERSION_MINOR 0
- #define SUDO_HOOK_VERSION SUDO_API_MKVERSION(SUDO_HOOK_VERSION_MAJOR,\
- SUDO_HOOK_VERSION_MINOR)
-
- For getters and setters see the _\bP_\bo_\bl_\bi_\bc_\by _\bp_\bl_\bu_\bg_\bi_\bn _\bA_\bP_\bI.
-
- R\bRe\bem\bmo\bot\bte\be c\bco\bom\bmm\bma\ban\bnd\bd e\bex\bxe\bec\bcu\but\bti\bio\bon\bn
- The s\bsu\bud\bdo\bo front end does not have native support for running remote
- commands. However, starting with s\bsu\bud\bdo\bo 1.8.8, the -\b-h\bh option may be used
- to specify a remote host that is passed to the policy plugin. A plugin
- may also accept a _\br_\bu_\bn_\ba_\bs_\b__\bu_\bs_\be_\br in the form of "user@hostname" which will
- work with older versions of s\bsu\bud\bdo\bo. It is anticipated that remote commands
- will be supported by executing a "helper" program. The policy plugin
- should setup the execution environment such that the s\bsu\bud\bdo\bo front end will
- run the helper which, in turn, will connect to the remote host and run
- the command.
-
- For example, the policy plugin could utilize s\bss\bsh\bh to perform remote
- command execution. The helper program would be responsible for running
- s\bss\bsh\bh with the proper options to use a private key or certificate that the
- remote host will accept and run a program on the remote host that would
- setup the execution environment accordingly.
-
- Note that remote s\bsu\bud\bdo\boe\bed\bdi\bit\bt functionality must be handled by the policy
- plugin, not s\bsu\bud\bdo\bo itself as the front end has no knowledge that a remote
- command is being executed. This may be addressed in a future revision of
- the plugin API.
-
- C\bCo\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn A\bAP\bPI\bI
- If the plugin needs to interact with the user, it may do so via the
- c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() function. A plugin should not attempt to read directly
- from the standard input or the user's tty (neither of which are
- guaranteed to exist). The caller must include a trailing newline in msg
- if one is to be printed.
-
- A p\bpr\bri\bin\bnt\btf\bf()-style function is also available that can be used to display
- informational or error messages to the user, which is usually more
- convenient for simple messages where no use input is required.
-
- _\bC_\bo_\bn_\bv_\be_\br_\bs_\ba_\bt_\bi_\bo_\bn _\bf_\bu_\bn_\bc_\bt_\bi_\bo_\bn _\bs_\bt_\br_\bu_\bc_\bt_\bu_\br_\be_\bs
-
- The conversation function takes as arguments pointers to the following
- structures:
-
- struct sudo_conv_message {
- #define SUDO_CONV_PROMPT_ECHO_OFF 0x0001 /* do not echo user input */
- #define SUDO_CONV_PROMPT_ECHO_ON 0x0002 /* echo user input */
- #define SUDO_CONV_ERROR_MSG 0x0003 /* error message */
- #define SUDO_CONV_INFO_MSG 0x0004 /* informational message */
- #define SUDO_CONV_PROMPT_MASK 0x0005 /* mask user input */
- #define SUDO_CONV_PROMPT_ECHO_OK 0x1000 /* flag: allow echo if no tty */
- #define SUDO_CONV_PREFER_TTY 0x2000 /* flag: use tty if possible */
- int msg_type;
- int timeout;
- const char *msg;
- };
-
- #define SUDO_CONV_REPL_MAX 255
-
- struct sudo_conv_reply {
- char *reply;
- };
-
- typedef int (*sudo_conv_callback_fn_t)(int signo, void *closure);
- struct sudo_conv_callback {
- unsigned int version;
- void *closure;
- sudo_conv_callback_fn_t on_suspend;
- sudo_conv_callback_fn_t on_resume;
- };
-
- Pointers to the c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() and p\bpr\bri\bin\bnt\btf\bf()-style functions are passed in
- to the plugin's o\bop\bpe\ben\bn() function when the plugin is initialized. The
- following type definitions can be used in the declaration of the o\bop\bpe\ben\bn()
- function:
-
- typedef int (*sudo_conv_t)(int num_msgs,
- const struct sudo_conv_message msgs[],
- struct sudo_conv_reply replies[],
- struct sudo_conv_callback *callback);
-
- typedef int (*sudo_printf_t)(int msg_type, const char *fmt, ...);
-
- To use the c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() function, the plugin must pass an array of
- sudo_conv_message and sudo_conv_reply structures. There must be a struct
- sudo_conv_message and struct sudo_conv_reply for each message in the
- conversation, that is, both arrays must have the same number of elements.
- Each struct sudo_conv_reply must have its _\br_\be_\bp_\bl_\by member initialized to
- NULL. The struct sudo_conv_callback pointer, if not NULL, should contain
- function pointers to be called when the s\bsu\bud\bdo\bo process is suspended and/or
- resumed during conversation input. The _\bo_\bn_\b__\bs_\bu_\bs_\bp_\be_\bn_\bd and _\bo_\bn_\b__\br_\be_\bs_\bu_\bm_\be
- functions are called with the signal that caused s\bsu\bud\bdo\bo to be suspended and
- the _\bc_\bl_\bo_\bs_\bu_\br_\be pointer from the struct sudo_conv_callback. These functions
- should return 0 on success and -1 on error. On error, the conversation
- will end and the conversation function will return a value of -1. The
- intended use is to allow the plugin to release resources, such as locks,
- that should not be held indefinitely while suspended and then reacquire
- them when the process is resumed. Note that the functions are not
- actually invoked from within a signal handler.
-
- The _\bm_\bs_\bg_\b__\bt_\by_\bp_\be must be set to one of the following values:
-
- SUDO_CONV_PROMPT_ECHO_OFF
- Prompt the user for input with echo disabled; this is generally
- used for passwords. The reply will be stored in the _\br_\be_\bp_\bl_\bi_\be_\bs array,
- and it will never be NULL.
-
- SUDO_CONV_PROMPT_ECHO_ON
- Prompt the user for input with echo enabled. The reply will be
- stored in the _\br_\be_\bp_\bl_\bi_\be_\bs array, and it will never be NULL.
-
- SUDO_CONV_ERROR_MSG
- Display an error message. The message is written to the standard
- error unless the SUDO_CONV_PREFER_TTY flag is set, in which case it
- is written to the user's terminal if possible.
-
- SUDO_CONV_INFO_MSG
- Display a message. The message is written to the standard output
- unless the SUDO_CONV_PREFER_TTY flag is set, in which case it is
- written to the user's terminal if possible.
-
- SUDO_CONV_PROMPT_MASK
- Prompt the user for input but echo an asterisk character for each
- character read. The reply will be stored in the _\br_\be_\bp_\bl_\bi_\be_\bs array, and
- it will never be NULL. This can be used to provide visual feedback
- to the user while reading sensitive information that should not be
- displayed.
-
- In addition to the above values, the following flag bits may also be set:
-
- SUDO_CONV_PROMPT_ECHO_OK
- Allow input to be read when echo cannot be disabled when the
- message type is SUDO_CONV_PROMPT_ECHO_OFF or SUDO_CONV_PROMPT_MASK.
- By default, s\bsu\bud\bdo\bo will refuse to read input if the echo cannot be
- disabled for those message types.
-
- SUDO_CONV_PREFER_TTY
- When displaying a message via SUDO_CONV_ERROR_MSG or
- SUDO_CONV_INFO_MSG, try to write the message to the user's
- terminal. If the terminal is unavailable, the standard error or
- standard output will be used, depending upon whether The user's
- terminal is always used when possible for input, this flag is only
- used for output. SUDO_CONV_ERROR_MSG or SUDO_CONV_INFO_MSG was
- used.
-
- The _\bt_\bi_\bm_\be_\bo_\bu_\bt in seconds until the prompt will wait for no more input. A
- zero value implies an infinite timeout.
-
- The plugin is responsible for freeing the reply buffer located in each
- struct sudo_conv_reply, if it is not NULL. SUDO_CONV_REPL_MAX represents
- the maximum length of the reply buffer (not including the trailing NUL
- character). In practical terms, this is the longest password s\bsu\bud\bdo\bo will
- support. It is also useful as a maximum value for the m\bme\bem\bms\bse\bet\bt_\b_s\bs()
- function when clearing passwords filled in by the conversation function.
-
- The p\bpr\bri\bin\bnt\btf\bf()-style function uses the same underlying mechanism as the
- c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() function but only supports SUDO_CONV_INFO_MSG and
- SUDO_CONV_ERROR_MSG for the _\bm_\bs_\bg_\b__\bt_\by_\bp_\be parameter. It can be more
- convenient than using the c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() function if no user reply is
- needed and supports standard p\bpr\bri\bin\bnt\btf\bf() escape sequences.
-
- See the sample plugin for an example of the c\bco\bon\bnv\bve\ber\brs\bsa\bat\bti\bio\bon\bn() function
- usage.
-
- S\bSu\bud\bdo\boe\ber\brs\bs g\bgr\bro\bou\bup\bp p\bpl\blu\bug\bgi\bin\bn A\bAP\bPI\bI
- The s\bsu\bud\bdo\boe\ber\brs\bs plugin supports its own plugin interface to allow non-Unix
- group lookups. This can be used to query a group source other than the
- standard Unix group database. Two sample group plugins are bundled with
- s\bsu\bud\bdo\bo, _\bg_\br_\bo_\bu_\bp_\b__\bf_\bi_\bl_\be and _\bs_\by_\bs_\bt_\be_\bm_\b__\bg_\br_\bo_\bu_\bp, are detailed in sudoers(4). Third
- party group plugins include a QAS AD plugin available from Quest
- Software.
-
- A group plugin must declare and populate a sudoers_group_plugin struct in
- the global scope. This structure contains pointers to the functions that
- implement plugin initialization, cleanup and group lookup.
-
- struct sudoers_group_plugin {
- unsigned int version;
- int (*init)(int version, sudo_printf_t sudo_printf,
- char *const argv[]);
- void (*cleanup)(void);
- int (*query)(const char *user, const char *group,
- const struct passwd *pwd);
- };
-
- The sudoers_group_plugin struct has the following fields:
-
- version
- The version field should be set to GROUP_API_VERSION.
-
- This allows s\bsu\bud\bdo\boe\ber\brs\bs to determine the API version the group plugin
- was built against.
-
- init
- int (*init)(int version, sudo_printf_t plugin_printf,
- char *const argv[]);
-
- The i\bin\bni\bit\bt() function is called after _\bs_\bu_\bd_\bo_\be_\br_\bs has been parsed but
- before any policy checks. It returns 1 on success, 0 on failure
- (or if the plugin is not configured), and -1 if a error occurred.
- If an error occurs, the plugin may call the p\bpl\blu\bug\bgi\bin\bn_\b_p\bpr\bri\bin\bnt\btf\bf()
- function with SUDO_CONF_ERROR_MSG to present additional error
- information to the user.
-
- The function arguments are as follows:
-
- version
- The version passed in by s\bsu\bud\bdo\boe\ber\brs\bs allows the plugin to
- determine the major and minor version number of the group
- plugin API supported by s\bsu\bud\bdo\boe\ber\brs\bs.
-
- plugin_printf
- A pointer to a p\bpr\bri\bin\bnt\btf\bf()-style function that may be used to
- display informational or error message to the user. Returns
- the number of characters printed on success and -1 on
- failure.
-
- argv A NULL-terminated array of arguments generated from the
- _\bg_\br_\bo_\bu_\bp_\b__\bp_\bl_\bu_\bg_\bi_\bn option in _\bs_\bu_\bd_\bo_\be_\br_\bs. If no arguments were given,
- _\ba_\br_\bg_\bv will be NULL.
-
- cleanup
- void (*cleanup)();
-
- The c\bcl\ble\bea\ban\bnu\bup\bp() function is called when s\bsu\bud\bdo\boe\ber\brs\bs has finished its
- group checks. The plugin should free any memory it has allocated
- and close open file handles.
-
- query
- int (*query)(const char *user, const char *group,
- const struct passwd *pwd);
-
- The q\bqu\bue\ber\bry\by() function is used to ask the group plugin whether _\bu_\bs_\be_\br
- is a member of _\bg_\br_\bo_\bu_\bp.
-
- The function arguments are as follows:
-
- user The name of the user being looked up in the external group
- database.
-
- group
- The name of the group being queried.
-
- pwd The password database entry for _\bu_\bs_\be_\br, if any. If _\bu_\bs_\be_\br is not
- present in the password database, _\bp_\bw_\bd will be NULL.
-
- _\bG_\br_\bo_\bu_\bp _\bA_\bP_\bI _\bV_\be_\br_\bs_\bi_\bo_\bn _\bM_\ba_\bc_\br_\bo_\bs
-
- /* Sudoers group plugin version major/minor */
- #define GROUP_API_VERSION_MAJOR 1
- #define GROUP_API_VERSION_MINOR 0
- #define GROUP_API_VERSION ((GROUP_API_VERSION_MAJOR << 16) | \
- GROUP_API_VERSION_MINOR)
- For getters and setters see the _\bP_\bo_\bl_\bi_\bc_\by _\bp_\bl_\bu_\bg_\bi_\bn _\bA_\bP_\bI.
-
-P\bPL\bLU\bUG\bGI\bIN\bN A\bAP\bPI\bI C\bCH\bHA\bAN\bNG\bGE\bEL\bLO\bOG\bG
- The following revisions have been made to the Sudo Plugin API.
-
- Version 1.0
- Initial API version.
-
- Version 1.1 (sudo 1.8.0)
- The I/O logging plugin's o\bop\bpe\ben\bn() function was modified to take the
- command_info list as an argument.
-
- Version 1.2 (sudo 1.8.5)
- The Policy and I/O logging plugins' o\bop\bpe\ben\bn() functions are now passed
- a list of plugin parameters if any are specified in sudo.conf(4).
-
- A simple hooks API has been introduced to allow plugins to hook in
- to the system's environment handling functions.
-
- The init_session Policy plugin function is now passed a pointer to
- the user environment which can be updated as needed. This can be
- used to merge in environment variables stored in the PAM handle
- before a command is run.
-
- Version 1.3 (sudo 1.8.7)
- Support for the _\be_\bx_\be_\bc_\b__\bb_\ba_\bc_\bk_\bg_\br_\bo_\bu_\bn_\bd entry has been added to the
- command_info list.
-
- The _\bm_\ba_\bx_\b__\bg_\br_\bo_\bu_\bp_\bs and _\bp_\bl_\bu_\bg_\bi_\bn_\b__\bd_\bi_\br entries were added to the settings
- list.
-
- The v\bve\ber\brs\bsi\bio\bon\bn() and c\bcl\blo\bos\bse\be() functions are now optional. Previously,
- a missing v\bve\ber\brs\bsi\bio\bon\bn() or c\bcl\blo\bos\bse\be() function would result in a crash.
- If no policy plugin c\bcl\blo\bos\bse\be() function is defined, a default c\bcl\blo\bos\bse\be()
- function will be provided by the s\bsu\bud\bdo\bo front end that displays a
- warning if the command could not be executed.
-
- The s\bsu\bud\bdo\bo front end now installs default signal handlers to trap
- common signals while the plugin functions are run.
-
- Version 1.4 (sudo 1.8.8)
- The _\br_\be_\bm_\bo_\bt_\be_\b__\bh_\bo_\bs_\bt entry was added to the settings list.
-
- Version 1.5 (sudo 1.8.9)
- The _\bp_\br_\be_\bs_\be_\br_\bv_\be_\b__\bf_\bd_\bs entry was added to the command_info list.
-
- Version 1.6 (sudo 1.8.11)
- The behavior when an I/O logging plugin returns an error (-1) has
- changed. Previously, the s\bsu\bud\bdo\bo front end took no action when the
- l\blo\bog\bg_\b_t\btt\bty\byi\bin\bn(), l\blo\bog\bg_\b_t\btt\bty\byo\bou\but\bt(), l\blo\bog\bg_\b_s\bst\btd\bdi\bin\bn(), l\blo\bog\bg_\b_s\bst\btd\bdo\bou\but\bt(), or
- l\blo\bog\bg_\b_s\bst\btd\bde\ber\brr\br() function returned an error.
-
- The behavior when an I/O logging plugin returns 0 has changed.
- Previously, output from the command would be displayed to the
- terminal even if an output logging function returned 0.
-
- Version 1.7 (sudo 1.8.12)
- The _\bp_\bl_\bu_\bg_\bi_\bn_\b__\bp_\ba_\bt_\bh entry was added to the settings list.
-
- The _\bd_\be_\bb_\bu_\bg_\b__\bf_\bl_\ba_\bg_\bs entry now starts with a debug file path name and
- may occur multiple times if there are multiple plugin-specific
- Debug lines in the sudo.conf(4) file.
-
- Version 1.8 (sudo 1.8.15)
- The _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt_\b__\bc_\bh_\be_\bc_\bk_\bd_\bi_\br and _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt_\b__\bf_\bo_\bl_\bl_\bo_\bw entries were added to the
- command_info list. The default value of _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt_\b__\bc_\bh_\be_\bc_\bk_\bd_\bi_\br was
- changed to true in sudo 1.8.16.
-
- The sudo _\bc_\bo_\bn_\bv_\be_\br_\bs_\ba_\bt_\bi_\bo_\bn function now takes a pointer to a struct
- sudo_conv_callback as its fourth argument. The sudo_conv_t
- definition has been updated to match. The plugin must specify that
- it supports plugin API version 1.8 or higher to receive a
- conversation function pointer that supports this argument.
-
- Version 1.9 (sudo 1.8.16)
- The _\be_\bx_\be_\bc_\bf_\bd entry was added to the command_info list.
-
- Version 1.10 (sudo 1.8.19)
- The _\bu_\bm_\ba_\bs_\bk entry was added to the user_info list. The _\bi_\bo_\bl_\bo_\bg_\b__\bg_\br_\bo_\bu_\bp,
- _\bi_\bo_\bl_\bo_\bg_\b__\bm_\bo_\bd_\be, and _\bi_\bo_\bl_\bo_\bg_\b__\bu_\bs_\be_\br entries were added to the command_info
- list.
-
- Version 1.11 (sudo 1.8.20)
- The _\bt_\bi_\bm_\be_\bo_\bu_\bt entry was added to the settings list.
-
- Version 1.12 (sudo 1.8.21)
- The change_winsize field was added to the io_plugin struct.
-
- Version 1.13 (sudo 1.8.26)
- The log_suspend field was added to the io_plugin struct.
-
-S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- sudo.conf(4), sudoers(4), sudo(1m)
-
-A\bAU\bUT\bTH\bHO\bOR\bRS\bS
- Many people have worked on s\bsu\bud\bdo\bo over the years; this version consists of
- code written primarily by:
-
- Todd C. Miller
-
- See the CONTRIBUTORS file in the s\bsu\bud\bdo\bo distribution
- (https://www.sudo.ws/contributors.html) for an exhaustive list of people
- who have contributed to s\bsu\bud\bdo\bo.
-
-B\bBU\bUG\bGS\bS
- If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
- https://bugzilla.sudo.ws/
-
-S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Limited free support is available via the sudo-users mailing list, see
- https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
- the archives.
-
-D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- s\bsu\bud\bdo\bo is provided "AS IS" and any express or implied warranties,
- including, but not limited to, the implied warranties of merchantability
- and fitness for a particular purpose are disclaimed. See the LICENSE
- file distributed with s\bsu\bud\bdo\bo or https://www.sudo.ws/license.html for
- complete details.
-
-Sudo 1.8.28 October 24, 2018 Sudo 1.8.28
+++ /dev/null
-SUDOERS(4) File Formats Manual SUDOERS(4)
-
-N\bNA\bAM\bME\bE
- s\bsu\bud\bdo\boe\ber\brs\bs - default sudo security policy plugin
-
-D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- The s\bsu\bud\bdo\boe\ber\brs\bs policy plugin determines a user's s\bsu\bud\bdo\bo privileges. It is the
- default s\bsu\bud\bdo\bo policy plugin. The policy is driven by the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs
- file or, optionally in LDAP. The policy format is described in detail in
- the _\bS_\bU_\bD_\bO_\bE_\bR_\bS _\bF_\bI_\bL_\bE _\bF_\bO_\bR_\bM_\bA_\bT section. For information on storing s\bsu\bud\bdo\boe\ber\brs\bs
- policy information in LDAP, please see sudoers.ldap(4).
-
- C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg s\bsu\bud\bdo\bo.\b.c\bco\bon\bnf\bf f\bfo\bor\br s\bsu\bud\bdo\boe\ber\brs\bs
- s\bsu\bud\bdo\bo consults the sudo.conf(4) file to determine which policy and I/O
- logging plugins to load. If no sudo.conf(4) file is present, or if it
- contains no Plugin lines, s\bsu\bud\bdo\boe\ber\brs\bs will be used for policy decisions and
- I/O logging. To explicitly configure sudo.conf(4) to use the s\bsu\bud\bdo\boe\ber\brs\bs
- plugin, the following configuration can be used.
-
- Plugin sudoers_policy sudoers.so
- Plugin sudoers_io sudoers.so
-
- Starting with s\bsu\bud\bdo\bo 1.8.5, it is possible to specify optional arguments to
- the s\bsu\bud\bdo\boe\ber\brs\bs plugin in the sudo.conf(4) file. These arguments, if
- present, should be listed after the path to the plugin (i.e., after
- _\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bs_\bo). Multiple arguments may be specified, separated by white
- space. For example:
-
- Plugin sudoers_policy sudoers.so sudoers_mode=0400
-
- The following plugin arguments are supported:
-
- ldap_conf=pathname
- The _\bl_\bd_\ba_\bp_\b__\bc_\bo_\bn_\bf argument can be used to override the default path
- to the _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf file.
-
- ldap_secret=pathname
- The _\bl_\bd_\ba_\bp_\b__\bs_\be_\bc_\br_\be_\bt argument can be used to override the default
- path to the _\bl_\bd_\ba_\bp_\b._\bs_\be_\bc_\br_\be_\bt file.
-
- sudoers_file=pathname
- The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bf_\bi_\bl_\be argument can be used to override the default
- path to the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
-
- sudoers_uid=uid
- The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bu_\bi_\bd argument can be used to override the default
- owner of the sudoers file. It should be specified as a numeric
- user ID.
-
- sudoers_gid=gid
- The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bg_\bi_\bd argument can be used to override the default
- group of the sudoers file. It must be specified as a numeric
- group ID (not a group name).
-
- sudoers_mode=mode
- The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bm_\bo_\bd_\be argument can be used to override the default
- file mode for the sudoers file. It should be specified as an
- octal value.
-
- For more information on configuring sudo.conf(4), please refer to its
- manual.
-
- U\bUs\bse\ber\br A\bAu\but\bth\bhe\ben\bnt\bti\bic\bca\bat\bti\bio\bon\bn
- The s\bsu\bud\bdo\boe\ber\brs\bs security policy requires that most users authenticate
- themselves before they can use s\bsu\bud\bdo\bo. A password is not required if the
- invoking user is root, if the target user is the same as the invoking
- user, or if the policy has disabled authentication for the user or
- command. Unlike su(1), when s\bsu\bud\bdo\boe\ber\brs\bs requires authentication, it
- validates the invoking user's credentials, not the target user's (or
- root's) credentials. This can be changed via the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and
- _\br_\bu_\bn_\ba_\bs_\bp_\bw flags, described later.
-
- If a user who is not listed in the policy tries to run a command via
- s\bsu\bud\bdo\bo, mail is sent to the proper authorities. The address used for such
- mail is configurable via the _\bm_\ba_\bi_\bl_\bt_\bo Defaults entry (described later) and
- defaults to root.
-
- Note that no mail will be sent if an unauthorized user tries to run s\bsu\bud\bdo\bo
- with the -\b-l\bl or -\b-v\bv option unless there is an authentication error and
- either the _\bm_\ba_\bi_\bl_\b__\ba_\bl_\bw_\ba_\by_\bs or _\bm_\ba_\bi_\bl_\b__\bb_\ba_\bd_\bp_\ba_\bs_\bs flags are enabled. This allows
- users to determine for themselves whether or not they are allowed to use
- s\bsu\bud\bdo\bo. All attempts to run s\bsu\bud\bdo\bo (successful or not) will be logged,
- regardless of whether or not mail is sent.
-
- If s\bsu\bud\bdo\bo is run by root and the SUDO_USER environment variable is set, the
- s\bsu\bud\bdo\boe\ber\brs\bs policy will use this value to determine who the actual user is.
- This can be used by a user to log commands through sudo even when a root
- shell has been invoked. It also allows the -\b-e\be option to remain useful
- even when invoked via a sudo-run script or program. Note, however, that
- the _\bs_\bu_\bd_\bo_\be_\br_\bs file lookup is still done for root, not the user specified by
- SUDO_USER.
-
- s\bsu\bud\bdo\boe\ber\brs\bs uses per-user time stamp files for credential caching. Once a
- user has been authenticated, a record is written containing the user ID
- that was used to authenticate, the terminal session ID, the start time of
- the session leader (or parent process) and a time stamp (using a
- monotonic clock if one is available). The user may then use s\bsu\bud\bdo\bo without
- a password for a short period of time (5 minutes unless overridden by the
- _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\b__\bt_\bi_\bm_\be_\bo_\bu_\bt option). By default, s\bsu\bud\bdo\boe\ber\brs\bs uses a separate record
- for each terminal, which means that a user's login sessions are
- authenticated separately. The _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\b__\bt_\by_\bp_\be option can be used to
- select the type of time stamp record s\bsu\bud\bdo\boe\ber\brs\bs will use.
-
- L\bLo\bog\bgg\bgi\bin\bng\bg
- s\bsu\bud\bdo\boe\ber\brs\bs can log both successful and unsuccessful attempts (as well as
- errors) to syslog(3), a log file, or both. By default, s\bsu\bud\bdo\boe\ber\brs\bs will log
- via syslog(3) but this is changeable via the _\bs_\by_\bs_\bl_\bo_\bg and _\bl_\bo_\bg_\bf_\bi_\bl_\be Defaults
- settings. See _\bL_\bO_\bG _\bF_\bO_\bR_\bM_\bA_\bT for a description of the log file format.
-
- s\bsu\bud\bdo\boe\ber\brs\bs is also capable of running a command in a pseudo-tty and logging
- all input and/or output. The standard input, standard output and
- standard error can be logged even when not associated with a terminal.
- I/O logging is not on by default but can be enabled using the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt
- and _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt options as well as the LOG_INPUT and LOG_OUTPUT command
- tags. See _\bI_\b/_\bO _\bL_\bO_\bG _\bF_\bI_\bL_\bE_\bS for details on how I/O log files are stored.
-
- C\bCo\bom\bmm\bma\ban\bnd\bd e\ben\bnv\bvi\bir\bro\bon\bnm\bme\ben\bnt\bt
- Since environment variables can influence program behavior, s\bsu\bud\bdo\boe\ber\brs\bs
- provides a means to restrict which variables from the user's environment
- are inherited by the command to be run. There are two distinct ways
- s\bsu\bud\bdo\boe\ber\brs\bs can deal with environment variables.
-
- By default, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is enabled. This causes commands to be
- executed with a new, minimal environment. On AIX (and Linux systems
- without PAM), the environment is initialized with the contents of the
- _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt file. On BSD systems, if the _\bu_\bs_\be_\b__\bl_\bo_\bg_\bi_\bn_\bc_\bl_\ba_\bs_\bs option is
- enabled, the environment is initialized based on the _\bp_\ba_\bt_\bh and _\bs_\be_\bt_\be_\bn_\bv
- settings in _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. The HOME, MAIL, SHELL, LOGNAME and USER
- environment variables are initialized based on the target user and the
- SUDO_* variables are set based on the invoking user. Additional
- variables, such as DISPLAY, PATH and TERM, are preserved from the
- invoking user's environment if permitted by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk or _\be_\bn_\bv_\b__\bk_\be_\be_\bp
- options. This is effectively a whitelist for environment variables. A
- few environment variables are treated specially. If the PATH and TERM
- variables are not preserved from the user's environment, they will be set
- to default values. The LOGNAME and USER are handled as a single entity.
- If one of them is preserved (or removed) from the user's environment, the
- other will be as well. If LOGNAME and USER are to be preserved but only
- one of them is present in the user's environment, the other will be set
- to the same value. This avoids an inconsistent environment where one of
- the variables describing the user name is set to the invoking user and
- one is set to the target user. Environment variables with a value
- beginning with () are removed unless both the name and value parts are
- matched by _\be_\bn_\bv_\b__\bk_\be_\be_\bp or _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, as they may be interpreted as functions
- by the b\bba\bas\bsh\bh shell. Prior to version 1.8.11, such variables were always
- removed.
-
- If, however, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is disabled, any variables not
- explicitly denied by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be options are inherited
- from the invoking process. In this case, _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be behave
- like a blacklist. Prior to version 1.8.21, environment variables with a
- value beginning with () were always removed. Beginning with version
- 1.8.21, a pattern in _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be is used to match b\bba\bas\bsh\bh shell functions
- instead. Since it is not possible to blacklist all potentially dangerous
- environment variables, use of the default _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt behavior is
- encouraged.
-
- Environment variables specified by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or _\be_\bn_\bv_\b__\bk_\be_\be_\bp may
- include one or more `*' characters which will match zero or more
- characters. No other wildcard characters are supported.
-
- By default, environment variables are matched by name. However, if the
- pattern includes an equal sign (`='), both the variables name and value
- must match. For example, a b\bba\bas\bsh\bh shell function could be matched as
- follows:
-
- env_keep += "BASH_FUNC_my_func%%=()*"
-
- Without the "=()*" suffix, this would not match, as b\bba\bas\bsh\bh shell functions
- are not preserved by default.
-
- The complete list of environment variables that are preserved or removed,
- as modified by global Defaults parameters in _\bs_\bu_\bd_\bo_\be_\br_\bs, is displayed when
- s\bsu\bud\bdo\bo is run by root with the -\b-V\bV option. Please note that the list of
- environment variables to remove varies based on the operating system s\bsu\bud\bdo\bo
- is running on.
-
- Other s\bsu\bud\bdo\boe\ber\brs\bs options may influence the command environment, such as
- _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be, _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh, _\bs_\be_\bt_\b__\bl_\bo_\bg_\bn_\ba_\bm_\be, and _\bs_\be_\bt_\b__\bh_\bo_\bm_\be.
-
- On systems that support PAM where the p\bpa\bam\bm_\b_e\ben\bnv\bv module is enabled for s\bsu\bud\bdo\bo,
- variables in the PAM environment may be merged in to the environment. If
- a variable in the PAM environment is already present in the user's
- environment, the value will only be overridden if the variable was not
- preserved by s\bsu\bud\bdo\boe\ber\brs\bs. When _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt is enabled, variables preserved
- from the invoking user's environment by the _\be_\bn_\bv_\b__\bk_\be_\be_\bp list take precedence
- over those in the PAM environment. When _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt is disabled, variables
- present the invoking user's environment take precedence over those in the
- PAM environment unless they match a pattern in the _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be list.
-
- Note that the dynamic linker on most operating systems will remove
- variables that can control dynamic linking from the environment of setuid
- executables, including s\bsu\bud\bdo\bo. Depending on the operating system this may
- include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and others.
- These type of variables are removed from the environment before s\bsu\bud\bdo\bo even
- begins execution and, as such, it is not possible for s\bsu\bud\bdo\bo to preserve
- them.
-
- As a special case, if s\bsu\bud\bdo\bo's -\b-i\bi option (initial login) is specified,
- s\bsu\bud\bdo\boe\ber\brs\bs will initialize the environment regardless of the value of
- _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt. The DISPLAY, PATH and TERM variables remain unchanged; HOME,
- MAIL, SHELL, USER, and LOGNAME are set based on the target user. On AIX
- (and Linux systems without PAM), the contents of _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt are
- also included. On BSD systems, if the _\bu_\bs_\be_\b__\bl_\bo_\bg_\bi_\bn_\bc_\bl_\ba_\bs_\bs flag is enabled,
- the _\bp_\ba_\bt_\bh and _\bs_\be_\bt_\be_\bn_\bv variables in _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf are also applied. All
- other environment variables are removed unless permitted by _\be_\bn_\bv_\b__\bk_\be_\be_\bp or
- _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, described above.
-
- Finally, the _\br_\be_\bs_\bt_\br_\bi_\bc_\bt_\be_\bd_\b__\be_\bn_\bv_\b__\bf_\bi_\bl_\be and _\be_\bn_\bv_\b__\bf_\bi_\bl_\be files are applied, if
- present. The variables in _\br_\be_\bs_\bt_\br_\bi_\bc_\bt_\be_\bd_\b__\be_\bn_\bv_\b__\bf_\bi_\bl_\be are applied first and are
- subject to the same restrictions as the invoking user's environment, as
- detailed above. The variables in _\be_\bn_\bv_\b__\bf_\bi_\bl_\be are applied last and are not
- subject to these restrictions. In both cases, variables present in the
- files will only be set to their specified values if they would not
- conflict with an existing environment variable.
-
-S\bSU\bUD\bDO\bOE\bER\bRS\bS F\bFI\bIL\bLE\bE F\bFO\bOR\bRM\bMA\bAT\bT
- The _\bs_\bu_\bd_\bo_\be_\br_\bs file is composed of two types of entries: aliases (basically
- variables) and user specifications (which specify who may run what).
-
- When multiple entries match for a user, they are applied in order. Where
- there are multiple matches, the last match is used (which is not
- necessarily the most specific match).
-
- The _\bs_\bu_\bd_\bo_\be_\br_\bs file grammar will be described below in Extended Backus-Naur
- Form (EBNF). Don't despair if you are unfamiliar with EBNF; it is fairly
- simple, and the definitions below are annotated.
-
- Q\bQu\bui\bic\bck\bk g\bgu\bui\bid\bde\be t\bto\bo E\bEB\bBN\bNF\bF
- EBNF is a concise and exact way of describing the grammar of a language.
- Each EBNF definition is made up of _\bp_\br_\bo_\bd_\bu_\bc_\bt_\bi_\bo_\bn _\br_\bu_\bl_\be_\bs. E.g.,
-
- symbol ::= definition | alternate1 | alternate2 ...
-
- Each _\bp_\br_\bo_\bd_\bu_\bc_\bt_\bi_\bo_\bn _\br_\bu_\bl_\be references others and thus makes up a grammar for
- the language. EBNF also contains the following operators, which many
- readers will recognize from regular expressions. Do not, however,
- confuse them with "wildcard" characters, which have different meanings.
-
- ? Means that the preceding symbol (or group of symbols) is optional.
- That is, it may appear once or not at all.
-
- * Means that the preceding symbol (or group of symbols) may appear
- zero or more times.
-
- + Means that the preceding symbol (or group of symbols) may appear
- one or more times.
-
- Parentheses may be used to group symbols together. For clarity, we will
- use single quotes ('') to designate what is a verbatim character string
- (as opposed to a symbol name).
-
- A\bAl\bli\bia\bas\bse\bes\bs
- There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and
- Cmnd_Alias.
-
- Alias ::= 'User_Alias' User_Alias_Spec (':' User_Alias_Spec)* |
- 'Runas_Alias' Runas_Alias_Spec (':' Runas_Alias_Spec)* |
- 'Host_Alias' Host_Alias_Spec (':' Host_Alias_Spec)* |
- 'Cmnd_Alias' Cmnd_Alias_Spec (':' Cmnd_Alias_Spec)*
-
- User_Alias ::= NAME
-
- User_Alias_Spec ::= User_Alias '=' User_List
-
- Runas_Alias ::= NAME
-
- Runas_Alias_Spec ::= Runas_Alias '=' Runas_List
-
- Host_Alias ::= NAME
-
- Host_Alias_Spec ::= Host_Alias '=' Host_List
-
- Cmnd_Alias ::= NAME
-
- Cmnd_Alias_Spec ::= Cmnd_Alias '=' Cmnd_List
-
- NAME ::= [A-Z]([A-Z][0-9]_)*
-
- Each _\ba_\bl_\bi_\ba_\bs definition is of the form
-
- Alias_Type NAME = item1, item2, ...
-
- where _\bA_\bl_\bi_\ba_\bs_\b__\bT_\by_\bp_\be is one of User_Alias, Runas_Alias, Host_Alias, or
- Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and
- underscore characters (`_'). A NAME m\bmu\bus\bst\bt start with an uppercase letter.
- It is possible to put several alias definitions of the same type on a
- single line, joined by a colon (`:'). E.g.,
-
- Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
-
- It is a syntax error to redefine an existing _\ba_\bl_\bi_\ba_\bs. It is possible to
- use the same name for _\ba_\bl_\bi_\ba_\bs_\be_\bs of different types, but this is not
- recommended.
-
- The definitions of what constitutes a valid _\ba_\bl_\bi_\ba_\bs member follow.
-
- User_List ::= User |
- User ',' User_List
-
- User ::= '!'* user name |
- '!'* #uid |
- '!'* %group |
- '!'* %#gid |
- '!'* +netgroup |
- '!'* %:nonunix_group |
- '!'* %:#nonunix_gid |
- '!'* User_Alias
-
- A User_List is made up of one or more user names, user IDs (prefixed with
- `#'), system group names and IDs (prefixed with `%' and `%#'
- respectively), netgroups (prefixed with `+'), non-Unix group names and
- IDs (prefixed with `%:' and `%:#' respectively) and User_Aliases. Each
- list item may be prefixed with zero or more `!' operators. An odd number
- of `!' operators negate the value of the item; an even number just cancel
- each other out. User netgroups are matched using the user and domain
- members only; the host member is not used when matching.
-
- A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid may
- be enclosed in double quotes to avoid the need for escaping special
- characters. Alternately, special characters may be specified in escaped
- hex mode, e.g., \x20 for space. When using double quotes, any prefix
- characters must be included inside the quotes.
-
- The actual nonunix_group and nonunix_gid syntax depends on the underlying
- group provider plugin. For instance, the QAS AD plugin supports the
- following formats:
-
- +\b+\bo\bo Group in the same domain: "%:Group Name"
-
- +\b+\bo\bo Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
-
- +\b+\bo\bo Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
-
- See _\bG_\bR_\bO_\bU_\bP _\bP_\bR_\bO_\bV_\bI_\bD_\bE_\bR _\bP_\bL_\bU_\bG_\bI_\bN_\bS for more information.
-
- Note that quotes around group names are optional. Unquoted strings must
- use a backslash (`\') to escape spaces and special characters. See _\bO_\bt_\bh_\be_\br
- _\bs_\bp_\be_\bc_\bi_\ba_\bl _\bc_\bh_\ba_\br_\ba_\bc_\bt_\be_\br_\bs _\ba_\bn_\bd _\br_\be_\bs_\be_\br_\bv_\be_\bd _\bw_\bo_\br_\bd_\bs for a list of characters that need
- to be escaped.
-
- Runas_List ::= Runas_Member |
- Runas_Member ',' Runas_List
-
- Runas_Member ::= '!'* user name |
- '!'* #uid |
- '!'* %group |
- '!'* %#gid |
- '!'* %:nonunix_group |
- '!'* %:#nonunix_gid |
- '!'* +netgroup |
- '!'* Runas_Alias
-
- A Runas_List is similar to a User_List except that instead of
- User_Aliases it can contain Runas_Aliases. Note that user names and
- groups are matched as strings. In other words, two users (groups) with
- the same uid (gid) are considered to be distinct. If you wish to match
- all user names with the same uid (e.g., root and toor), you can use a uid
- instead (#0 in the example given).
-
- Host_List ::= Host |
- Host ',' Host_List
-
- Host ::= '!'* host name |
- '!'* ip_addr |
- '!'* network(/netmask)? |
- '!'* +netgroup |
- '!'* Host_Alias
-
- A Host_List is made up of one or more host names, IP addresses, network
- numbers, netgroups (prefixed with `+') and other aliases. Again, the
- value of an item may be negated with the `!' operator. Host netgroups
- are matched using the host (both qualified and unqualified) and domain
- members only; the user member is not used when matching. If you specify
- a network number without a netmask, s\bsu\bud\bdo\bo will query each of the local
- host's network interfaces and, if the network number corresponds to one
- of the hosts's network interfaces, will use the netmask of that
- interface. The netmask may be specified either in standard IP address
- notation (e.g., 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR notation
- (number of bits, e.g., 24 or 64). A host name may include shell-style
- wildcards (see the _\bW_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs section below), but unless the host name
- command on your machine returns the fully qualified host name, you'll
- need to use the _\bf_\bq_\bd_\bn option for wildcards to be useful. Note that s\bsu\bud\bdo\bo
- only inspects actual network interfaces; this means that IP address
- 127.0.0.1 (localhost) will never match. Also, the host name "localhost"
- will only match if that is the actual host name, which is usually only
- the case for non-networked systems.
-
- digest ::= [A-Fa-f0-9]+ |
- [A-Za-z0-9\+/=]+
-
- Digest_Spec ::= "sha224" ':' digest |
- "sha256" ':' digest |
- "sha384" ':' digest |
- "sha512" ':' digest
-
- Cmnd_List ::= Cmnd |
- Cmnd ',' Cmnd_List
-
- command name ::= file name |
- file name args |
- file name '""'
-
- Cmnd ::= Digest_Spec? '!'* command name |
- '!'* directory |
- '!'* "sudoedit" |
- '!'* Cmnd_Alias
-
- A Cmnd_List is a list of one or more command names, directories, and
- other aliases. A command name is a fully qualified file name which may
- include shell-style wildcards (see the _\bW_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs section below). A
- simple file name allows the user to run the command with any arguments
- they wish. However, you may also specify command line arguments
- (including wildcards). Alternately, you can specify "" to indicate that
- the command may only be run w\bwi\bit\bth\bho\bou\but\bt command line arguments. A directory
- is a fully qualified path name ending in a `/'. When you specify a
- directory in a Cmnd_List, the user will be able to run any file within
- that directory (but not in any sub-directories therein).
-
- If a Cmnd has associated command line arguments, then the arguments in
- the Cmnd must match exactly those given by the user on the command line
- (or match the wildcards if there are any). Note that the following
- characters must be escaped with a `\' if they are used in command
- arguments: `,', `:', `=', `\'. The built-in command "sudoedit" is used
- to permit a user to run s\bsu\bud\bdo\bo with the -\b-e\be option (or as s\bsu\bud\bdo\boe\bed\bdi\bit\bt). It may
- take command line arguments just as a normal command does. Note that
- "sudoedit" is a command built into s\bsu\bud\bdo\bo itself and must be specified in
- the _\bs_\bu_\bd_\bo_\be_\br_\bs file without a leading path.
-
- If a command name is prefixed with a Digest_Spec, the command will only
- match successfully if it can be verified using the specified SHA-2
- digest. The following digest formats are supported: sha224, sha256,
- sha384 and sha512. The string may be specified in either hex or base64
- format (base64 is more compact). There are several utilities capable of
- generating SHA-2 digests in hex format such as openssl, shasum,
- sha224sum, sha256sum, sha384sum, sha512sum.
-
- For example, using openssl:
-
- $ openssl dgst -sha224 /bin/ls
- SHA224(/bin/ls)= 118187da8364d490b4a7debbf483004e8f3e053ec954309de2c41a25
-
- It is also possible to use openssl to generate base64 output:
-
- $ openssl dgst -binary -sha224 /bin/ls | openssl base64
- EYGH2oNk1JC0p9679IMATo8+BT7JVDCd4sQaJQ==
-
- Warning, if the user has write access to the command itself (directly or
- via a s\bsu\bud\bdo\bo command), it may be possible for the user to replace the
- command after the digest check has been performed but before the command
- is executed. A similar race condition exists on systems that lack the
- fexecve(2) system call when the directory in which the command is located
- is writable by the user. See the description of the _\bf_\bd_\be_\bx_\be_\bc setting for
- more information on how s\bsu\bud\bdo\bo executes commands that have an associated
- digest.
-
- Command digests are only supported by version 1.8.7 or higher.
-
- D\bDe\bef\bfa\bau\bul\blt\bts\bs
- Certain configuration options may be changed from their default values at
- run-time via one or more Default_Entry lines. These may affect all users
- on any host, all users on a specific host, a specific user, a specific
- command, or commands being run as a specific user. Note that per-command
- entries may not include command line arguments. If you need to specify
- arguments, define a Cmnd_Alias and reference that instead.
-
- Default_Type ::= 'Defaults' |
- 'Defaults' '@' Host_List |
- 'Defaults' ':' User_List |
- 'Defaults' '!' Cmnd_List |
- 'Defaults' '>' Runas_List
-
- Default_Entry ::= Default_Type Parameter_List
-
- Parameter_List ::= Parameter |
- Parameter ',' Parameter_List
-
- Parameter ::= Parameter '=' Value |
- Parameter '+=' Value |
- Parameter '-=' Value |
- '!'* Parameter
-
- Parameters may be f\bfl\bla\bag\bgs\bs, i\bin\bnt\bte\beg\bge\ber\br values, s\bst\btr\bri\bin\bng\bgs\bs, or l\bli\bis\bst\bts\bs. Flags are
- implicitly boolean and can be turned off via the `!' operator. Some
- integer, string and list parameters may also be used in a boolean context
- to disable them. Values may be enclosed in double quotes ("") when they
- contain multiple words. Special characters may be escaped with a
- backslash (`\').
-
- Lists have two additional assignment operators, += and -=. These
- operators are used to add to and delete from a list respectively. It is
- not an error to use the -= operator to remove an element that does not
- exist in a list.
-
- Defaults entries are parsed in the following order: generic, host, user
- and runas Defaults first, then command defaults. If there are multiple
- Defaults settings of the same type, the last matching setting is used.
- The following Defaults settings are parsed before all others since they
- may affect subsequent entries: _\bf_\bq_\bd_\bn, _\bg_\br_\bo_\bu_\bp_\b__\bp_\bl_\bu_\bg_\bi_\bn, _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt,
- _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bl_\bo_\bc_\ba_\bl_\be.
-
- See _\bS_\bU_\bD_\bO_\bE_\bR_\bS _\bO_\bP_\bT_\bI_\bO_\bN_\bS for a list of supported Defaults parameters.
-
- U\bUs\bse\ber\br s\bsp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn
- User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
- (':' Host_List '=' Cmnd_Spec_List)*
-
- Cmnd_Spec_List ::= Cmnd_Spec |
- Cmnd_Spec ',' Cmnd_Spec_List
-
- Cmnd_Spec ::= Runas_Spec? Option_Spec* Tag_Spec* Cmnd
-
- Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
-
- Option_Spec ::= (SELinux_Spec | Solaris_Priv_Spec | Date_Spec | Timeout_Spec)
-
- SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
-
- Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
-
- Date_Spec ::= ('NOTBEFORE=timestamp' | 'NOTAFTER=timestamp')
-
- Timeout_Spec ::= 'TIMEOUT=timeout'
-
- Tag_Spec ::= ('EXEC:' | 'NOEXEC:' | 'FOLLOW:' | 'NOFOLLOW' |
- 'LOG_INPUT:' | 'NOLOG_INPUT:' | 'LOG_OUTPUT:' |
- 'NOLOG_OUTPUT:' | 'MAIL:' | 'NOMAIL:' | 'PASSWD:' |
- 'NOPASSWD:' | 'SETENV:' | 'NOSETENV:')
-
- A u\bus\bse\ber\br s\bsp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn determines which commands a user may run (and as
- what user) on specified hosts. By default, commands are run as r\bro\boo\bot\bt, but
- this can be changed on a per-command basis.
-
- The basic structure of a user specification is "who where = (as_whom)
- what". Let's break that down into its constituent parts:
-
- R\bRu\bun\bna\bas\bs_\b_S\bSp\bpe\bec\bc
- A Runas_Spec determines the user and/or the group that a command may be
- run as. A fully-specified Runas_Spec consists of two Runas_Lists (as
- defined above) separated by a colon (`:') and enclosed in a set of
- parentheses. The first Runas_List indicates which users the command may
- be run as via s\bsu\bud\bdo\bo's -\b-u\bu option. The second defines a list of groups that
- can be specified via s\bsu\bud\bdo\bo's -\b-g\bg option in addition to any of the target
- user's groups. If both Runas_Lists are specified, the command may be run
- with any combination of users and groups listed in their respective
- Runas_Lists. If only the first is specified, the command may be run as
- any user in the list but no -\b-g\bg option may be specified. If the first
- Runas_List is empty but the second is specified, the command may be run
- as the invoking user with the group set to any listed in the Runas_List.
- If both Runas_Lists are empty, the command may only be run as the
- invoking user. If no Runas_Spec is specified the command may be run as
- r\bro\boo\bot\bt and no group may be specified.
-
- A Runas_Spec sets the default for the commands that follow it. What this
- means is that for the entry:
-
- dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
-
- The user d\bdg\bgb\bb may run _\b/_\bb_\bi_\bn_\b/_\bl_\bs, _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm on the host
- boulder--but only as o\bop\bpe\ber\bra\bat\bto\bor\br. E.g.,
-
- $ sudo -u operator /bin/ls
-
- It is also possible to override a Runas_Spec later on in an entry. If we
- modify the entry like so:
-
- dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
-
- Then user d\bdg\bgb\bb is now allowed to run _\b/_\bb_\bi_\bn_\b/_\bl_\bs as o\bop\bpe\ber\bra\bat\bto\bor\br, but _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl
- and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as r\bro\boo\bot\bt.
-
- We can extend this to allow d\bdg\bgb\bb to run /bin/ls with either the user or
- group set to o\bop\bpe\ber\bra\bat\bto\bor\br:
-
- dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\
- /usr/bin/lprm
-
- Note that while the group portion of the Runas_Spec permits the user to
- run as command with that group, it does not force the user to do so. If
- no group is specified on the command line, the command will run with the
- group listed in the target user's password database entry. The following
- would all be permitted by the sudoers entry above:
-
- $ sudo -u operator /bin/ls
- $ sudo -u operator -g operator /bin/ls
- $ sudo -g operator /bin/ls
-
- In the following example, user t\btc\bcm\bm may run commands that access a modem
- device file with the dialer group.
-
- tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\
- /usr/local/bin/minicom
-
- Note that in this example only the group will be set, the command still
- runs as user t\btc\bcm\bm. E.g.
-
- $ sudo -g dialer /usr/bin/cu
-
- Multiple users and groups may be present in a Runas_Spec, in which case
- the user may select any combination of users and groups via the -\b-u\bu and -\b-g\bg
- options. In this example:
-
- alan ALL = (root, bin : operator, system) ALL
-
- user a\bal\bla\ban\bn may run any command as either user root or bin, optionally
- setting the group to operator or system.
-
- O\bOp\bpt\bti\bio\bon\bn_\b_S\bSp\bpe\bec\bc
- A Cmnd may have zero or more options associated with it. Options may
- consist of SELinux roles and/or types, Solaris privileges sets, start
- and/or end dates and command timeouts. Once an option is set for a Cmnd,
- subsequent Cmnds in the Cmnd_Spec_List, inherit that option unless it is
- overridden by another option.
-
- S\bSE\bEL\bLi\bin\bnu\bux\bx_\b_S\bSp\bpe\bec\bc
- On systems with SELinux support, _\bs_\bu_\bd_\bo_\be_\br_\bs file entries may optionally have
- an SELinux role and/or type associated with a command. If a role or type
- is specified with the command it will override any default values
- specified in _\bs_\bu_\bd_\bo_\be_\br_\bs. A role or type specified on the command line,
- however, will supersede the values in _\bs_\bu_\bd_\bo_\be_\br_\bs.
-
- S\bSo\bol\bla\bar\bri\bis\bs_\b_P\bPr\bri\biv\bv_\b_S\bSp\bpe\bec\bc
- On Solaris systems, _\bs_\bu_\bd_\bo_\be_\br_\bs file entries may optionally specify Solaris
- privilege set and/or limit privilege set associated with a command. If
- privileges or limit privileges are specified with the command it will
- override any default values specified in _\bs_\bu_\bd_\bo_\be_\br_\bs.
-
- A privilege set is a comma-separated list of privilege names. The
- ppriv(1) command can be used to list all privileges known to the system.
- For example:
-
- $ ppriv -l
-
- In addition, there are several "special" privilege strings:
-
- none the empty set
-
- all the set of all privileges
-
- zone the set of all privileges available in the current zone
-
- basic the default set of privileges normal users are granted at login
- time
-
- Privileges can be excluded from a set by prefixing the privilege name
- with either an `!' or `-' character.
-
- D\bDa\bat\bte\be_\b_S\bSp\bpe\bec\bc
- s\bsu\bud\bdo\boe\ber\brs\bs rules can be specified with a start and end date via the
- NOTBEFORE and NOTAFTER settings. The time stamp must be specified in
- _\bG_\be_\bn_\be_\br_\ba_\bl_\bi_\bz_\be_\bd _\bT_\bi_\bm_\be as defined by RFC 4517. The format is effectively
- yyyymmddHHMMSSZ where the minutes and seconds are optional. The `Z'
- suffix indicates that the time stamp is in Coordinated Universal Time
- (UTC). It is also possible to specify a timezone offset from UTC in
- hours and minutes instead of a `Z'. For example, `-0500' would
- correspond to Eastern Standard time in the US. As an extension, if no
- `Z' or timezone offset is specified, local time will be used.
-
- The following are all valid time stamps:
-
- 20170214083000Z
- 2017021408Z
- 20160315220000-0500
- 20151201235900
-
- T\bTi\bim\bme\beo\bou\but\bt_\b_S\bSp\bpe\bec\bc
- A command may have a timeout associated with it. If the timeout expires
- before the command has exited, the command will be terminated. The
- timeout may be specified in combinations of days, hours, minutes and
- seconds with a single-letter case-insensitive suffix that indicates the
- unit of time. For example, a timeout of 7 days, 8 hours, 30 minutes and
- 10 seconds would be written as 7d8h30m10s. If a number is specified
- without a unit, seconds are assumed. Any of the days, minutes, hours or
- seconds may be omitted. The order must be from largest to smallest unit
- and a unit may not be specified more than once.
-
- The following are all _\bv_\ba_\bl_\bi_\bd timeout values: 7d8h30m10s, 14d, 8h30m, 600s,
- 3600. The following are _\bi_\bn_\bv_\ba_\bl_\bi_\bd timeout values: 12m2w1d, 30s10m4h,
- 1d2d3h.
-
- This option is only supported by version 1.8.20 or higher.
-
- T\bTa\bag\bg_\b_S\bSp\bpe\bec\bc
- A command may have zero or more tags associated with it. The following
- tag values are supported: EXEC, NOEXEC, FOLLOW, NOFOLLOW, LOG_INPUT,
- NOLOG_INPUT, LOG_OUTPUT, NOLOG_OUTPUT, MAIL, NOMAIL, PASSWD, NOPASSWD,
- SETENV, and NOSETENV. Once a tag is set on a Cmnd, subsequent Cmnds in
- the Cmnd_Spec_List, inherit the tag unless it is overridden by the
- opposite tag (in other words, PASSWD overrides NOPASSWD and NOEXEC
- overrides EXEC).
-
- _\bE_\bX_\bE_\bC and _\bN_\bO_\bE_\bX_\bE_\bC
-
- If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the underlying
- operating system supports it, the NOEXEC tag can be used to prevent a
- dynamically-linked executable from running further commands itself.
-
- In the following example, user a\baa\bar\bro\bon\bn may run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and
- _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi but shell escapes will be disabled.
-
- aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
-
- See the _\bP_\br_\be_\bv_\be_\bn_\bt_\bi_\bn_\bg _\bs_\bh_\be_\bl_\bl _\be_\bs_\bc_\ba_\bp_\be_\bs section below for more details on how
- NOEXEC works and whether or not it will work on your system.
-
- _\bF_\bO_\bL_\bL_\bO_\bW and _\bN_\bO_\bF_\bO_\bL_\bL_\bO_\bW Starting with version 1.8.15, s\bsu\bud\bdo\boe\bed\bdi\bit\bt will not open
- a file that is a symbolic link unless the _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt_\b__\bf_\bo_\bl_\bl_\bo_\bw option is
- enabled. The _\bF_\bO_\bL_\bL_\bO_\bW and _\bN_\bO_\bF_\bO_\bL_\bL_\bO_\bW tags override the value of
- _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt_\b__\bf_\bo_\bl_\bl_\bo_\bw and can be used to permit (or deny) the editing of
- symbolic links on a per-command basis. These tags are only effective
- for the _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt command and are ignored for all other commands.
-
- _\bL_\bO_\bG_\b__\bI_\bN_\bP_\bU_\bT and _\bN_\bO_\bL_\bO_\bG_\b__\bI_\bN_\bP_\bU_\bT
-
- These tags override the value of the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt option on a per-command
- basis. For more information, see the description of _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt in the
- _\bS_\bU_\bD_\bO_\bE_\bR_\bS _\bO_\bP_\bT_\bI_\bO_\bN_\bS section below.
-
- _\bL_\bO_\bG_\b__\bO_\bU_\bT_\bP_\bU_\bT and _\bN_\bO_\bL_\bO_\bG_\b__\bO_\bU_\bT_\bP_\bU_\bT
-
- These tags override the value of the _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt option on a per-command
- basis. For more information, see the description of _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt in the
- _\bS_\bU_\bD_\bO_\bE_\bR_\bS _\bO_\bP_\bT_\bI_\bO_\bN_\bS section below.
-
- _\bM_\bA_\bI_\bL and _\bN_\bO_\bM_\bA_\bI_\bL
-
- These tags provide fine-grained control over whether mail will be sent
- when a user runs a command by overriding the value of the
- _\bm_\ba_\bi_\bl_\b__\ba_\bl_\bl_\b__\bc_\bm_\bn_\bd_\bs option on a per-command basis. They have no effect when
- s\bsu\bud\bdo\bo is run with the -\b-l\bl or -\b-v\bv options. A _\bN_\bO_\bM_\bA_\bI_\bL tag will also override
- the _\bm_\ba_\bi_\bl_\b__\ba_\bl_\bw_\ba_\by_\bs and _\bm_\ba_\bi_\bl_\b__\bn_\bo_\b__\bp_\be_\br_\bm_\bs options. For more information, see
- the descriptions of _\bm_\ba_\bi_\bl_\b__\ba_\bl_\bl_\b__\bc_\bm_\bn_\bd_\bs, _\bm_\ba_\bi_\bl_\b__\ba_\bl_\bw_\ba_\by_\bs, and _\bm_\ba_\bi_\bl_\b__\bn_\bo_\b__\bp_\be_\br_\bm_\bs in
- the _\bS_\bU_\bD_\bO_\bE_\bR_\bS _\bO_\bP_\bT_\bI_\bO_\bN_\bS section below.
-
- _\bP_\bA_\bS_\bS_\bW_\bD and _\bN_\bO_\bP_\bA_\bS_\bS_\bW_\bD
-
- By default, s\bsu\bud\bdo\bo requires that a user authenticate him or herself
- before running a command. This behavior can be modified via the
- NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for
- the commands that follow it in the Cmnd_Spec_List. Conversely, the
- PASSWD tag can be used to reverse things. For example:
-
- ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
-
- would allow the user r\bra\bay\by to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, _\b/_\bb_\bi_\bn_\b/_\bl_\bs, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm
- as r\bro\boo\bot\bt on the machine rushmore without authenticating himself. If we
- only want r\bra\bay\by to be able to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl without a password the entry
- would be:
-
- ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
-
- Note, however, that the PASSWD tag has no effect on users who are in
- the group specified by the _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option.
-
- By default, if the NOPASSWD tag is applied to any of a user's entries
- for the current host, the user will be able to run "sudo -l" without a
- password. Additionally, a user may only run "sudo -v" without a
- password if all of the user's entries for the current host have the
- NOPASSWD tag. This behavior may be overridden via the _\bv_\be_\br_\bi_\bf_\by_\bp_\bw and
- _\bl_\bi_\bs_\bt_\bp_\bw options.
-
- _\bS_\bE_\bT_\bE_\bN_\bV and _\bN_\bO_\bS_\bE_\bT_\bE_\bN_\bV
-
- These tags override the value of the _\bs_\be_\bt_\be_\bn_\bv option on a per-command
- basis. Note that if SETENV has been set for a command, the user may
- disable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option from the command line via the -\b-E\bE option.
- Additionally, environment variables set on the command line are not
- subject to the restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or
- _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such, only trusted users should be allowed to set
- variables in this manner. If the command matched is A\bAL\bLL\bL, the SETENV
- tag is implied for that command; this default may be overridden by use
- of the NOSETENV tag.
-
- W\bWi\bil\bld\bdc\bca\bar\brd\bds\bs
- s\bsu\bud\bdo\bo allows shell-style _\bw_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs (aka meta or glob characters) to be
- used in host names, path names and command line arguments in the _\bs_\bu_\bd_\bo_\be_\br_\bs
- file. Wildcard matching is done via the glob(3) and fnmatch(3) functions
- as specified by IEEE Std 1003.1 ("POSIX.1").
-
- * Matches any set of zero or more characters (including white
- space).
-
- ? Matches any single character (including white space).
-
- [...] Matches any character in the specified range.
-
- [!...] Matches any character _\bn_\bo_\bt in the specified range.
-
- \x For any character `x', evaluates to `x'. This is used to
- escape special characters such as: `*', `?', `[', and `]'.
-
- N\bNo\bot\bte\be t\bth\bha\bat\bt t\bth\bhe\bes\bse\be a\bar\bre\be n\bno\bot\bt r\bre\beg\bgu\bul\bla\bar\br e\bex\bxp\bpr\bre\bes\bss\bsi\bio\bon\bns\bs.\b. Unlike a regular expression
- there is no way to match one or more characters within a range.
-
- Character classes may be used if your system's glob(3) and fnmatch(3)
- functions support them. However, because the `:' character has special
- meaning in _\bs_\bu_\bd_\bo_\be_\br_\bs, it must be escaped. For example:
-
- /bin/ls [[\:alpha\:]]*
-
- Would match any file name beginning with a letter.
-
- Note that a forward slash (`/') will _\bn_\bo_\bt be matched by wildcards used in
- the file name portion of the command. This is to make a path like:
-
- /usr/bin/*
-
- match _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bw_\bh_\bo but not _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bX_\b1_\b1_\b/_\bx_\bt_\be_\br_\bm.
-
- When matching the command line arguments, however, a slash _\bd_\bo_\be_\bs get
- matched by wildcards since command line arguments may contain arbitrary
- strings and not just path names.
-
- W\bWi\bil\bld\bdc\bca\bar\brd\bds\bs i\bin\bn c\bco\bom\bmm\bma\ban\bnd\bd l\bli\bin\bne\be a\bar\brg\bgu\bum\bme\ben\bnt\bts\bs s\bsh\bho\bou\bul\bld\bd b\bbe\be u\bus\bse\bed\bd w\bwi\bit\bth\bh c\bca\bar\bre\be.\b.
- Command line arguments are matched as a single, concatenated string.
- This mean a wildcard character such as `?' or `*' will match across word
- boundaries, which may be unexpected. For example, while a sudoers entry
- like:
-
- %operator ALL = /bin/cat /var/log/messages*
-
- will allow command like:
-
- $ sudo cat /var/log/messages.1
-
- It will also allow:
-
- $ sudo cat /var/log/messages /etc/shadow
-
- which is probably not what was intended. In most cases it is better to
- do command line processing outside of the _\bs_\bu_\bd_\bo_\be_\br_\bs file in a scripting
- language.
-
- E\bEx\bxc\bce\bep\bpt\bti\bio\bon\bns\bs t\bto\bo w\bwi\bil\bld\bdc\bca\bar\brd\bd r\bru\bul\ble\bes\bs
- The following exceptions apply to the above rules:
-
- "" If the empty string "" is the only command line argument in the
- _\bs_\bu_\bd_\bo_\be_\br_\bs file entry it means that command is not allowed to be
- run with _\ba_\bn_\by arguments.
-
- sudoedit Command line arguments to the _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt built-in command should
- always be path names, so a forward slash (`/') will not be
- matched by a wildcard.
-
- I\bIn\bnc\bcl\blu\bud\bdi\bin\bng\bg o\bot\bth\bhe\ber\br f\bfi\bil\ble\bes\bs f\bfr\bro\bom\bm w\bwi\bit\bth\bhi\bin\bn s\bsu\bud\bdo\boe\ber\brs\bs
- It is possible to include other _\bs_\bu_\bd_\bo_\be_\br_\bs files from within the _\bs_\bu_\bd_\bo_\be_\br_\bs
- file currently being parsed using the #include and #includedir
- directives.
-
- This can be used, for example, to keep a site-wide _\bs_\bu_\bd_\bo_\be_\br_\bs file in
- addition to a local, per-machine file. For the sake of this example the
- site-wide _\bs_\bu_\bd_\bo_\be_\br_\bs file will be _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs and the per-machine one will
- be _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. To include _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl from within
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs we would use the following line in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs:
-
- #include /etc/sudoers.local
-
- When s\bsu\bud\bdo\bo reaches this line it will suspend processing of the current
- file (_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs) and switch to _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. Upon reaching the
- end of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl, the rest of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs will be processed.
- Files that are included may themselves include other files. A hard limit
- of 128 nested include files is enforced to prevent include file loops.
-
- If the path to the include file is not fully-qualified (does not begin
- with a `/'), it must be located in the same directory as the sudoers file
- it was included from. For example, if _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs contains the line:
-
- #include sudoers.local
-
- the file that will be included is _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl.
-
- The file name may also include the %h escape, signifying the short form
- of the host name. In other words, if the machine's host name is
- "xerxes", then
-
- #include /etc/sudoers.%h
-
- will cause s\bsu\bud\bdo\bo to include the file _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bx_\be_\br_\bx_\be_\bs.
-
- The #includedir directive can be used to create a _\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd directory
- that the system package manager can drop _\bs_\bu_\bd_\bo_\be_\br_\bs file rules into as part
- of package installation. For example, given:
-
- #includedir /etc/sudoers.d
-
- s\bsu\bud\bdo\bo will suspend processing of the current file and read each file in
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd, skipping file names that end in `~' or contain a `.'
- character to avoid causing problems with package manager or editor
- temporary/backup files. Files are parsed in sorted lexical order. That
- is, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b0_\b1_\b__\bf_\bi_\br_\bs_\bt will be parsed before
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Be aware that because the sorting is lexical,
- not numeric, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b__\bw_\bh_\bo_\bo_\bp_\bs would be loaded _\ba_\bf_\bt_\be_\br
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Using a consistent number of leading zeroes in
- the file names can be used to avoid such problems. After parsing the
- files in the directory, control returns to the file that contained the
- #includedir directive.
-
- Note that unlike files included via #include, v\bvi\bis\bsu\bud\bdo\bo will not edit the
- files in a #includedir directory unless one of them contains a syntax
- error. It is still possible to run v\bvi\bis\bsu\bud\bdo\bo with the -\b-f\bf flag to edit the
- files directly, but this will not catch the redefinition of an _\ba_\bl_\bi_\ba_\bs that
- is also present in a different file.
-
- O\bOt\bth\bhe\ber\br s\bsp\bpe\bec\bci\bia\bal\bl c\bch\bha\bar\bra\bac\bct\bte\ber\brs\bs a\ban\bnd\bd r\bre\bes\bse\ber\brv\bve\bed\bd w\bwo\bor\brd\bds\bs
- The pound sign (`#') is used to indicate a comment (unless it is part of
- a #include directive or unless it occurs in the context of a user name
- and is followed by one or more digits, in which case it is treated as a
- uid). Both the comment character and any text after it, up to the end of
- the line, are ignored.
-
- The reserved word A\bAL\bLL\bL is a built-in _\ba_\bl_\bi_\ba_\bs that always causes a match to
- succeed. It can be used wherever one might otherwise use a Cmnd_Alias,
- User_Alias, Runas_Alias, or Host_Alias. You should not try to define
- your own _\ba_\bl_\bi_\ba_\bs called A\bAL\bLL\bL as the built-in alias will be used in
- preference to your own. Please note that using A\bAL\bLL\bL can be dangerous
- since in a command context, it allows the user to run _\ba_\bn_\by command on the
- system.
-
- An exclamation point (`!') can be used as a logical _\bn_\bo_\bt operator in a
- list or _\ba_\bl_\bi_\ba_\bs as well as in front of a Cmnd. This allows one to exclude
- certain values. For the `!' operator to be effective, there must be
- something for it to exclude. For example, to match all users except for
- root one would use:
-
- ALL,!root
-
- If the A\bAL\bLL\bL, is omitted, as in:
-
- !root
-
- it would explicitly deny root but not match any other users. This is
- different from a true "negation" operator.
-
- Note, however, that using a `!' in conjunction with the built-in A\bAL\bLL\bL
- alias to allow a user to run "all but a few" commands rarely works as
- intended (see _\bS_\bE_\bC_\bU_\bR_\bI_\bT_\bY _\bN_\bO_\bT_\bE_\bS below).
-
- Long lines can be continued with a backslash (`\') as the last character
- on the line.
-
- White space between elements in a list as well as special syntactic
- characters in a _\bU_\bs_\be_\br _\bS_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn (`=', `:', `(', `)') is optional.
-
- The following characters must be escaped with a backslash (`\') when used
- as part of a word (e.g., a user name or host name): `!', `=', `:', `,',
- `(', `)', `\'.
-
-S\bSU\bUD\bDO\bOE\bER\bRS\bS O\bOP\bPT\bTI\bIO\bON\bNS\bS
- s\bsu\bud\bdo\bo's behavior can be modified by Default_Entry lines, as explained
- earlier. A list of all supported Defaults parameters, grouped by type,
- are listed below.
-
- B\bBo\boo\bol\ble\bea\ban\bn F\bFl\bla\bag\bgs\bs:
-
- always_query_group_plugin
- If a _\bg_\br_\bo_\bu_\bp_\b__\bp_\bl_\bu_\bg_\bi_\bn is configured, use it to resolve
- groups of the form %group as long as there is not also
- a system group of the same name. Normally, only groups
- of the form %:group are passed to the _\bg_\br_\bo_\bu_\bp_\b__\bp_\bl_\bu_\bg_\bi_\bn.
- This flag is _\bo_\bf_\bf by default.
-
- always_set_home If enabled, s\bsu\bud\bdo\bo will set the HOME environment variable
- to the home directory of the target user (which is root
- unless the -\b-u\bu option is used). This effectively means
- that the -\b-H\bH option is always implied. Note that by
- default, HOME will be set to the home directory of the
- target user when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is enabled, so
- _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be only has an effect for configurations
- where either _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt is disabled or HOME is present
- in the _\be_\bn_\bv_\b__\bk_\be_\be_\bp list. This flag is _\bo_\bf_\bf by default.
-
- authenticate If set, users must authenticate themselves via a
- password (or other means of authentication) before they
- may run commands. This default may be overridden via
- the PASSWD and NOPASSWD tags. This flag is _\bo_\bn by
- default.
-
- case_insensitive_group
- If enabled, group names in _\bs_\bu_\bd_\bo_\be_\br_\bs will be matched in a
- case insensitive manner. This may be necessary when
- users are stored in LDAP or AD. This flag is _\bo_\bn by
- default.
-
- case_insensitive_user
- If enabled, user names in _\bs_\bu_\bd_\bo_\be_\br_\bs will be matched in a
- case insensitive manner. This may be necessary when
- groups are stored in LDAP or AD. This flag is _\bo_\bn by
- default.
-
- closefrom_override
- If set, the user may use s\bsu\bud\bdo\bo's -\b-C\bC option which
- overrides the default starting point at which s\bsu\bud\bdo\bo
- begins closing open file descriptors. This flag is _\bo_\bf_\bf
- by default.
-
- compress_io If set, and s\bsu\bud\bdo\bo is configured to log a command's input
- or output, the I/O logs will be compressed using z\bzl\bli\bib\bb.
- This flag is _\bo_\bn by default when s\bsu\bud\bdo\bo is compiled with
- z\bzl\bli\bib\bb support.
-
- exec_background By default, s\bsu\bud\bdo\bo runs a command as the foreground
- process as long as s\bsu\bud\bdo\bo itself is running in the
- foreground. When the _\be_\bx_\be_\bc_\b__\bb_\ba_\bc_\bk_\bg_\br_\bo_\bu_\bn_\bd flag is enabled
- and the command is being run in a pty (due to I/O
- logging or the _\bu_\bs_\be_\b__\bp_\bt_\by flag), the command will be run
- as a background process. Attempts to read from the
- controlling terminal (or to change terminal settings)
- will result in the command being suspended with the
- SIGTTIN signal (or SIGTTOU in the case of terminal
- settings). If this happens when s\bsu\bud\bdo\bo is a foreground
- process, the command will be granted the controlling
- terminal and resumed in the foreground with no user
- intervention required. The advantage of initially
- running the command in the background is that s\bsu\bud\bdo\bo need
- not read from the terminal unless the command
- explicitly requests it. Otherwise, any terminal input
- must be passed to the command, whether it has required
- it or not (the kernel buffers terminals so it is not
- possible to tell whether the command really wants the
- input). This is different from historic _\bs_\bu_\bd_\bo behavior
- or when the command is not being run in a pty.
-
- For this to work seamlessly, the operating system must
- support the automatic restarting of system calls.
- Unfortunately, not all operating systems do this by
- default, and even those that do may have bugs. For
- example, macOS fails to restart the t\btc\bcg\bge\bet\bta\bat\btt\btr\br() and
- t\btc\bcs\bse\bet\bta\bat\btt\btr\br() system calls (this is a bug in macOS).
- Furthermore, because this behavior depends on the
- command stopping with the SIGTTIN or SIGTTOU signals,
- programs that catch these signals and suspend
- themselves with a different signal (usually SIGTOP)
- will not be automatically foregrounded. Some versions
- of the linux su(1) command behave this way. This flag
- is _\bo_\bf_\bf by default.
-
- This setting is only supported by version 1.8.7 or
- higher. It has no effect unless I/O logging is enabled
- or the _\bu_\bs_\be_\b__\bp_\bt_\by flag is enabled.
-
- env_editor If set, v\bvi\bis\bsu\bud\bdo\bo will use the value of the SUDO_EDITOR,
- VISUAL or EDITOR environment variables before falling
- back on the default editor list. Note that v\bvi\bis\bsu\bud\bdo\bo is
- typically run as root so this option may allow a user
- with v\bvi\bis\bsu\bud\bdo\bo privileges to run arbitrary commands as
- root without logging. An alternative is to place a
- colon-separated list of "safe" editors int the _\be_\bd_\bi_\bt_\bo_\br
- variable. v\bvi\bis\bsu\bud\bdo\bo will then only use SUDO_EDITOR,
- VISUAL or EDITOR if they match a value specified in
- _\be_\bd_\bi_\bt_\bo_\br. If the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt flag is enabled, the
- SUDO_EDITOR, VISUAL and/or EDITOR environment variables
- must be present in the _\be_\bn_\bv_\b__\bk_\be_\be_\bp list for the _\be_\bn_\bv_\b__\be_\bd_\bi_\bt_\bo_\br
- flag to function when v\bvi\bis\bsu\bud\bdo\bo is invoked via s\bsu\bud\bdo\bo. This
- flag is _\bo_\bn by default.
-
- env_reset If set, s\bsu\bud\bdo\bo will run the command in a minimal
- environment containing the TERM, PATH, HOME, MAIL,
- SHELL, LOGNAME, USER and SUDO_* variables. Any
- variables in the caller's environment or in the file
- specified by the _\br_\be_\bs_\bt_\br_\bi_\bc_\bt_\be_\bd_\b__\be_\bn_\bv_\b__\bf_\bi_\bl_\be option that match
- the env_keep and env_check lists are then added,
- followed by any variables present in the file specified
- by the _\be_\bn_\bv_\b__\bf_\bi_\bl_\be option (if any). The contents of the
- env_keep and env_check lists, as modified by global
- Defaults parameters in _\bs_\bu_\bd_\bo_\be_\br_\bs, are displayed when s\bsu\bud\bdo\bo
- is run by root with the -\b-V\bV option. If the _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh
- option is set, its value will be used for the PATH
- environment variable. This flag is _\bo_\bn by default.
-
- fast_glob Normally, s\bsu\bud\bdo\bo uses the glob(3) function to do shell-
- style globbing when matching path names. However,
- since it accesses the file system, glob(3) can take a
- long time to complete for some patterns, especially
- when the pattern references a network file system that
- is mounted on demand (auto mounted). The _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb
- option causes s\bsu\bud\bdo\bo to use the fnmatch(3) function,
- which does not access the file system to do its
- matching. The disadvantage of _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is that it is
- unable to match relative path names such as _\b._\b/_\bl_\bs or
- _\b._\b._\b/_\bb_\bi_\bn_\b/_\bl_\bs. This has security implications when path
- names that include globbing characters are used with
- the negation operator, `!', as such rules can be
- trivially bypassed. As such, this option should not be
- used when the _\bs_\bu_\bd_\bo_\be_\br_\bs file contains rules that contain
- negated path names which include globbing characters.
- This flag is _\bo_\bf_\bf by default.
-
- fqdn Set this flag if you want to put fully qualified host
- names in the _\bs_\bu_\bd_\bo_\be_\br_\bs file when the local host name (as
- returned by the hostname command) does not contain the
- domain name. In other words, instead of myhost you
- would use myhost.mydomain.edu. You may still use the
- short form if you wish (and even mix the two). This
- option is only effective when the "canonical" host
- name, as returned by the g\bge\bet\bta\bad\bdd\bdr\bri\bin\bnf\bfo\bo() or
- g\bge\bet\bth\bho\bos\bst\btb\bby\byn\bna\bam\bme\be() function, is a fully-qualified domain
- name. This is usually the case when the system is
- configured to use DNS for host name resolution.
-
- If the system is configured to use the _\b/_\be_\bt_\bc_\b/_\bh_\bo_\bs_\bt_\bs file
- in preference to DNS, the "canonical" host name may not
- be fully-qualified. The order that sources are queried
- for host name resolution is usually specified in the
- _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf, _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf, _\b/_\be_\bt_\bc_\b/_\bh_\bo_\bs_\bt_\b._\bc_\bo_\bn_\bf,
- or, in some cases, _\b/_\be_\bt_\bc_\b/_\br_\be_\bs_\bo_\bl_\bv_\b._\bc_\bo_\bn_\bf file. In the
- _\b/_\be_\bt_\bc_\b/_\bh_\bo_\bs_\bt_\bs file, the first host name of the entry is
- considered to be the "canonical" name; subsequent names
- are aliases that are not used by s\bsu\bud\bdo\boe\ber\brs\bs. For example,
- the following hosts file line for the machine "xyzzy"
- has the fully-qualified domain name as the "canonical"
- host name, and the short version as an alias.
-
- 192.168.1.1 xyzzy.sudo.ws xyzzy
-
- If the machine's hosts file entry is not formatted
- properly, the _\bf_\bq_\bd_\bn option will not be effective if it
- is queried before DNS.
-
- Beware that when using DNS for host name resolution,
- turning on _\bf_\bq_\bd_\bn requires s\bsu\bud\bdo\boe\ber\brs\bs to make DNS lookups
- which renders s\bsu\bud\bdo\bo unusable if DNS stops working (for
- example if the machine is disconnected from the
- network). Also note that just like with the hosts
- file, you must use the "canonical" name as DNS knows
- it. That is, you may not use a host alias (CNAME
- entry) due to performance issues and the fact that
- there is no way to get all aliases from DNS.
-
- This flag is _\bo_\bf_\bf by default.
-
- ignore_audit_errors
- Allow commands to be run even if s\bsu\bud\bdo\boe\ber\brs\bs cannot write
- to the audit log. If enabled, an audit log write
- failure is not treated as a fatal error. If disabled,
- a command may only be run after the audit event is
- successfully written. This flag is only effective on
- systems for which s\bsu\bud\bdo\boe\ber\brs\bs supports audit logging,
- including FreeBSD, Linux, macOS and Solaris. This flag
- is _\bo_\bn by default.
-
- ignore_dot If set, s\bsu\bud\bdo\bo will ignore "." or "" (both denoting
- current directory) in the PATH environment variable;
- the PATH itself is not modified. This flag is _\bo_\bf_\bf by
- default.
-
- ignore_iolog_errors
- Allow commands to be run even if s\bsu\bud\bdo\boe\ber\brs\bs cannot write
- to the I/O log. If enabled, an I/O log write failure
- is not treated as a fatal error. If disabled, the
- command will be terminated if the I/O log cannot be
- written to. This flag is _\bo_\bf_\bf by default.
-
- ignore_logfile_errors
- Allow commands to be run even if s\bsu\bud\bdo\boe\ber\brs\bs cannot write
- to the log file. If enabled, a log file write failure
- is not treated as a fatal error. If disabled, a
- command may only be run after the log file entry is
- successfully written. This flag only has an effect
- when s\bsu\bud\bdo\boe\ber\brs\bs is configured to use file-based logging
- via the _\bl_\bo_\bg_\bf_\bi_\bl_\be option. This flag is _\bo_\bn by default.
-
- ignore_local_sudoers
- If set via LDAP, parsing of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs will be
- skipped. This is intended for Enterprises that wish to
- prevent the usage of local sudoers files so that only
- LDAP is used. This thwarts the efforts of rogue
- operators who would attempt to add roles to
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. When this option is present,
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs does not even need to exist. Since this
- option tells s\bsu\bud\bdo\bo how to behave when no specific LDAP
- entries have been matched, this sudoOption is only
- meaningful for the cn=defaults section. This flag is
- _\bo_\bf_\bf by default.
-
- ignore_unknown_defaults
- If set, s\bsu\bud\bdo\bo will not produce a warning if it
- encounters an unknown Defaults entry in the _\bs_\bu_\bd_\bo_\be_\br_\bs
- file or an unknown sudoOption in LDAP. This flag is
- _\bo_\bf_\bf by default.
-
- insults If set, s\bsu\bud\bdo\bo will insult users when they enter an
- incorrect password. This flag is _\bo_\bf_\bf by default.
-
- log_host If set, the host name will be logged in the (non-
- syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
-
- log_input If set, s\bsu\bud\bdo\bo will run the command in a pseudo-tty and
- log all user input. If the standard input is not
- connected to the user's tty, due to I/O redirection or
- because the command is part of a pipeline, that input
- is also captured and stored in a separate log file.
- Anything sent to the standard input will be consumed,
- regardless of whether or not the command run via s\bsu\bud\bdo\bo
- is actually reading the standard input. This may have
- unexpected results when using s\bsu\bud\bdo\bo in a shell script
- that expects to process the standard input. For more
- information about I/O logging, see the _\bI_\b/_\bO _\bL_\bO_\bG _\bF_\bI_\bL_\bE_\bS
- section. This flag is _\bo_\bf_\bf by default.
-
- log_output If set, s\bsu\bud\bdo\bo will run the command in a pseudo-tty and
- log all output that is sent to the screen, similar to
- the script(1) command. For more information about I/O
- logging, see the _\bI_\b/_\bO _\bL_\bO_\bG _\bF_\bI_\bL_\bE_\bS section. This flag is
- _\bo_\bf_\bf by default.
-
- log_year If set, the four-digit year will be logged in the (non-
- syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
-
- long_otp_prompt When validating with a One Time Password (OTP) scheme
- such as S\bS/\b/K\bKe\bey\by or O\bOP\bPI\bIE\bE, a two-line prompt is used to
- make it easier to cut and paste the challenge to a
- local window. It's not as pretty as the default but
- some people find it more convenient. This flag is _\bo_\bf_\bf
- by default.
-
- mail_all_cmnds Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user every time a user attempts
- to run a command via s\bsu\bud\bdo\bo (this includes s\bsu\bud\bdo\boe\bed\bdi\bit\bt). No
- mail will be sent if the user runs s\bsu\bud\bdo\bo with the -\b-l\bl or
- -\b-v\bv option unless there is an authentication error and
- the _\bm_\ba_\bi_\bl_\b__\bb_\ba_\bd_\bp_\ba_\bs_\bs flag is also set. This flag is _\bo_\bf_\bf by
- default.
-
- mail_always Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user every time a user runs
- s\bsu\bud\bdo\bo. This flag is _\bo_\bf_\bf by default.
-
- mail_badpass Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user if the user running s\bsu\bud\bdo\bo
- does not enter the correct password. If the command
- the user is attempting to run is not permitted by
- s\bsu\bud\bdo\boe\ber\brs\bs and one of the _\bm_\ba_\bi_\bl_\b__\ba_\bl_\bl_\b__\bc_\bm_\bn_\bd_\bs, _\bm_\ba_\bi_\bl_\b__\ba_\bl_\bw_\ba_\by_\bs,
- _\bm_\ba_\bi_\bl_\b__\bn_\bo_\b__\bh_\bo_\bs_\bt, _\bm_\ba_\bi_\bl_\b__\bn_\bo_\b__\bp_\be_\br_\bm_\bs or _\bm_\ba_\bi_\bl_\b__\bn_\bo_\b__\bu_\bs_\be_\br flags are
- set, this flag will have no effect. This flag is _\bo_\bf_\bf
- by default.
-
- mail_no_host If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
- invoking user exists in the _\bs_\bu_\bd_\bo_\be_\br_\bs file, but is not
- allowed to run commands on the current host. This flag
- is _\bo_\bf_\bf by default.
-
- mail_no_perms If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
- invoking user is allowed to use s\bsu\bud\bdo\bo but the command
- they are trying is not listed in their _\bs_\bu_\bd_\bo_\be_\br_\bs file
- entry or is explicitly denied. This flag is _\bo_\bf_\bf by
- default.
-
- mail_no_user If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
- invoking user is not in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. This flag is
- _\bo_\bn by default.
-
- match_group_by_gid
- By default, s\bsu\bud\bdo\boe\ber\brs\bs will look up each group the user is
- a member of by group ID to determine the group name
- (this is only done once). The resulting list of the
- user's group names is used when matching groups listed
- in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. This works well on systems where
- the number of groups listed in the _\bs_\bu_\bd_\bo_\be_\br_\bs file is
- larger than the number of groups a typical user belongs
- to. On systems where group lookups are slow, where
- users may belong to a large number of groups, and where
- the number of groups listed in the _\bs_\bu_\bd_\bo_\be_\br_\bs file is
- relatively small, it may be prohibitively expensive and
- running commands via s\bsu\bud\bdo\bo may take longer than normal.
- On such systems it may be faster to use the
- _\bm_\ba_\bt_\bc_\bh_\b__\bg_\br_\bo_\bu_\bp_\b__\bb_\by_\b__\bg_\bi_\bd flag to avoid resolving the user's
- group IDs to group names. In this case, s\bsu\bud\bdo\boe\ber\brs\bs must
- look up any group name listed in the _\bs_\bu_\bd_\bo_\be_\br_\bs file and
- use the group ID instead of the group name when
- determining whether the user is a member of the group.
-
- Note that if _\bm_\ba_\bt_\bc_\bh_\b__\bg_\br_\bo_\bu_\bp_\b__\bb_\by_\b__\bg_\bi_\bd is enabled, group
- database lookups performed by s\bsu\bud\bdo\boe\ber\brs\bs will be keyed by
- group name as opposed to group ID. On systems where
- there are multiple sources for the group database, it
- is possible to have conflicting group names or group
- IDs in the local _\b/_\be_\bt_\bc_\b/_\bg_\br_\bo_\bu_\bp file and the remote group
- database. On such systems, enabling or disabling
- _\bm_\ba_\bt_\bc_\bh_\b__\bg_\br_\bo_\bu_\bp_\b__\bb_\by_\b__\bg_\bi_\bd can be used to choose whether group
- database queries are performed by name (enabled) or ID
- (disabled), which may aid in working around group entry
- conflicts.
-
- The _\bm_\ba_\bt_\bc_\bh_\b__\bg_\br_\bo_\bu_\bp_\b__\bb_\by_\b__\bg_\bi_\bd flag has no effect when _\bs_\bu_\bd_\bo_\be_\br_\bs
- data is stored in LDAP. This flag is _\bo_\bf_\bf by default.
-
- This setting is only supported by version 1.8.18 or
- higher.
-
- netgroup_tuple If set, netgroup lookups will be performed using the
- full netgroup tuple: host name, user name and domain
- (if one is set). Historically, s\bsu\bud\bdo\bo only matched the
- user name and domain for netgroups used in a User_List
- and only matched the host name and domain for netgroups
- used in a Host_List. This flag is _\bo_\bf_\bf by default.
-
- noexec If set, all commands run via s\bsu\bud\bdo\bo will behave as if the
- NOEXEC tag has been set, unless overridden by an EXEC
- tag. See the description of _\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bN_\bO_\bE_\bX_\bE_\bC above as
- well as the _\bP_\br_\be_\bv_\be_\bn_\bt_\bi_\bn_\bg _\bs_\bh_\be_\bl_\bl _\be_\bs_\bc_\ba_\bp_\be_\bs section at the end
- of this manual. This flag is _\bo_\bf_\bf by default.
-
- pam_acct_mgmt On systems that use PAM for authentication, s\bsu\bud\bdo\bo will
- perform PAM account validation for the invoking user by
- default. The actual checks performed depend on which
- PAM modules are configured. If enabled, account
- validation will be performed regardless of whether or
- not a password is required. This flag is _\bo_\bn by
- default.
-
- This setting is only supported by version 1.8.28 or
- higher.
-
- pam_session On systems that use PAM for authentication, s\bsu\bud\bdo\bo will
- create a new PAM session for the command to be run in.
- Disabling _\bp_\ba_\bm_\b__\bs_\be_\bs_\bs_\bi_\bo_\bn may be needed on older PAM
- implementations or on operating systems where opening a
- PAM session changes the utmp or wtmp files. If PAM
- session support is disabled, resource limits may not be
- updated for the command being run. If _\bp_\ba_\bm_\b__\bs_\be_\bs_\bs_\bi_\bo_\bn,
- _\bp_\ba_\bm_\b__\bs_\be_\bt_\bc_\br_\be_\bd, and _\bu_\bs_\be_\b__\bp_\bt_\by are disabled and I/O logging
- has not been configured, s\bsu\bud\bdo\bo will execute the command
- directly instead of running it as a child process.
- This flag is _\bo_\bn by default.
-
- This setting is only supported by version 1.8.7 or
- higher.
-
- pam_setcred On systems that use PAM for authentication, s\bsu\bud\bdo\bo will
- attempt to establish credentials for the target user by
- default, if supported by the underlying authentication
- system. One example of a credential is a Kerberos
- ticket. If _\bp_\ba_\bm_\b__\bs_\be_\bs_\bs_\bi_\bo_\bn, _\bp_\ba_\bm_\b__\bs_\be_\bt_\bc_\br_\be_\bd, and _\bu_\bs_\be_\b__\bp_\bt_\by are
- disabled and I/O logging has not been configured, s\bsu\bud\bdo\bo
- will execute the command directly instead of running it
- as a child process. This flag is _\bo_\bn by default.
-
- This setting is only supported by version 1.8.8 or
- higher.
-
- passprompt_override
- If set, the prompt specified by _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt or the
- SUDO_PROMPT environment variable will always be used
- and will replace the prompt provided by a PAM module or
- other authentication method. This flag is _\bo_\bf_\bf by
- default.
-
- path_info Normally, s\bsu\bud\bdo\bo will tell the user when a command could
- not be found in their PATH environment variable. Some
- sites may wish to disable this as it could be used to
- gather information on the location of executables that
- the normal user does not have access to. The
- disadvantage is that if the executable is simply not in
- the user's PATH, s\bsu\bud\bdo\bo will tell the user that they are
- not allowed to run it, which can be confusing. This
- flag is _\bo_\bn by default.
-
- preserve_groups By default, s\bsu\bud\bdo\bo will initialize the group vector to
- the list of groups the target user is in. When
- _\bp_\br_\be_\bs_\be_\br_\bv_\be_\b__\bg_\br_\bo_\bu_\bp_\bs is set, the user's existing group
- vector is left unaltered. The real and effective group
- IDs, however, are still set to match the target user.
- This flag is _\bo_\bf_\bf by default.
-
- pwfeedback By default, s\bsu\bud\bdo\bo reads the password like most other
- Unix programs, by turning off echo until the user hits
- the return (or enter) key. Some users become confused
- by this as it appears to them that s\bsu\bud\bdo\bo has hung at
- this point. When _\bp_\bw_\bf_\be_\be_\bd_\bb_\ba_\bc_\bk is set, s\bsu\bud\bdo\bo will provide
- visual feedback when the user presses a key. Note that
- this does have a security impact as an onlooker may be
- able to determine the length of the password being
- entered. This flag is _\bo_\bf_\bf by default.
-
- requiretty If set, s\bsu\bud\bdo\bo will only run when the user is logged in
- to a real tty. When this flag is set, s\bsu\bud\bdo\bo can only be
- run from a login session and not via other means such
- as cron(1m) or cgi-bin scripts. This flag is _\bo_\bf_\bf by
- default.
-
- root_sudo If set, root is allowed to run s\bsu\bud\bdo\bo too. Disabling
- this prevents users from "chaining" s\bsu\bud\bdo\bo commands to
- get a root shell by doing something like "sudo sudo
- /bin/sh". Note, however, that turning off _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo
- will also prevent root from running s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
- Disabling _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo provides no real additional
- security; it exists purely for historical reasons.
- This flag is _\bo_\bn by default.
-
- rootpw If set, s\bsu\bud\bdo\bo will prompt for the root password instead
- of the password of the invoking user when running a
- command or editing a file. This flag is _\bo_\bf_\bf by
- default.
-
- runaspw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
- defined by the _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt option (defaults to root)
- instead of the password of the invoking user when
- running a command or editing a file. This flag is _\bo_\bf_\bf
- by default.
-
- set_home If enabled and s\bsu\bud\bdo\bo is invoked with the -\b-s\bs option the
- HOME environment variable will be set to the home
- directory of the target user (which is root unless the
- -\b-u\bu option is used). This effectively makes the -\b-s\bs
- option imply -\b-H\bH. Note that HOME is already set when
- the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is enabled, so _\bs_\be_\bt_\b__\bh_\bo_\bm_\be is only
- effective for configurations where either _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt is
- disabled or HOME is present in the _\be_\bn_\bv_\b__\bk_\be_\be_\bp list. This
- flag is _\bo_\bf_\bf by default.
-
- set_logname Normally, s\bsu\bud\bdo\bo will set the LOGNAME and USER
- environment variables to the name of the target user
- (usually root unless the -\b-u\bu option is given). However,
- since some programs (including the RCS revision control
- system) use LOGNAME to determine the real identity of
- the user, it may be desirable to change this behavior.
- This can be done by negating the set_logname option.
- Note that _\bs_\be_\bt_\b__\bl_\bo_\bg_\bn_\ba_\bm_\be will have no effect if the
- _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option has not been disabled and the _\be_\bn_\bv_\b__\bk_\be_\be_\bp
- list contains LOGNAME or USER. This flag is _\bo_\bn by
- default.
-
- set_utmp When enabled, s\bsu\bud\bdo\bo will create an entry in the utmp (or
- utmpx) file when a pseudo-tty is allocated. A pseudo-
- tty is allocated by s\bsu\bud\bdo\bo when the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt, _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt
- or _\bu_\bs_\be_\b__\bp_\bt_\by flags are enabled. By default, the new
- entry will be a copy of the user's existing utmp entry
- (if any), with the tty, time, type and pid fields
- updated. This flag is _\bo_\bn by default.
-
- setenv Allow the user to disable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option from the
- command line via the -\b-E\bE option. Additionally,
- environment variables set via the command line are not
- subject to the restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk,
- _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such, only trusted users
- should be allowed to set variables in this manner.
- This flag is _\bo_\bf_\bf by default.
-
- shell_noargs If set and s\bsu\bud\bdo\bo is invoked with no arguments it acts as
- if the -\b-s\bs option had been given. That is, it runs a
- shell as root (the shell is determined by the SHELL
- environment variable if it is set, falling back on the
- shell listed in the invoking user's /etc/passwd entry
- if not). This flag is _\bo_\bf_\bf by default.
-
- stay_setuid Normally, when s\bsu\bud\bdo\bo executes a command the real and
- effective UIDs are set to the target user (root by
- default). This option changes that behavior such that
- the real UID is left as the invoking user's UID. In
- other words, this makes s\bsu\bud\bdo\bo act as a setuid wrapper.
- This can be useful on systems that disable some
- potentially dangerous functionality when a program is
- run setuid. This option is only effective on systems
- that support either the setreuid(2) or setresuid(2)
- system call. This flag is _\bo_\bf_\bf by default.
-
- sudoedit_checkdir
- If set, s\bsu\bud\bdo\boe\bed\bdi\bit\bt will check all directory components of
- the path to be edited for writability by the invoking
- user. Symbolic links will not be followed in writable
- directories and s\bsu\bud\bdo\boe\bed\bdi\bit\bt will refuse to edit a file
- located in a writable directory. These restrictions
- are not enforced when s\bsu\bud\bdo\boe\bed\bdi\bit\bt is run by root. On some
- systems, if all directory components of the path to be
- edited are not readable by the target user, s\bsu\bud\bdo\boe\bed\bdi\bit\bt
- will be unable to edit the file. This flag is _\bo_\bn by
- default.
-
- This setting was first introduced in version 1.8.15 but
- initially suffered from a race condition. The check
- for symbolic links in writable intermediate directories
- was added in version 1.8.16.
-
- sudoedit_follow By default, s\bsu\bud\bdo\boe\bed\bdi\bit\bt will not follow symbolic links
- when opening files. The _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt_\b__\bf_\bo_\bl_\bl_\bo_\bw option can be
- enabled to allow s\bsu\bud\bdo\boe\bed\bdi\bit\bt to open symbolic links. It
- may be overridden on a per-command basis by the _\bF_\bO_\bL_\bL_\bO_\bW
- and _\bN_\bO_\bF_\bO_\bL_\bL_\bO_\bW tags. This flag is _\bo_\bf_\bf by default.
-
- This setting is only supported by version 1.8.15 or
- higher.
-
- syslog_pid When logging via syslog(3), include the process ID in
- the log entry. This flag is _\bo_\bf_\bf by default.
-
- This setting is only supported by version 1.8.21 or
- higher.
-
- targetpw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
- specified by the -\b-u\bu option (defaults to root) instead
- of the password of the invoking user when running a
- command or editing a file. Note that this flag
- precludes the use of a uid not listed in the passwd
- database as an argument to the -\b-u\bu option. This flag is
- _\bo_\bf_\bf by default.
-
- tty_tickets If set, users must authenticate on a per-tty basis.
- With this flag enabled, s\bsu\bud\bdo\bo will use a separate record
- in the time stamp file for each terminal. If disabled,
- a single record is used for all login sessions.
-
- This option has been superseded by the _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\b__\bt_\by_\bp_\be
- option.
-
- umask_override If set, s\bsu\bud\bdo\bo will set the umask as specified in the
- _\bs_\bu_\bd_\bo_\be_\br_\bs file without modification. This makes it
- possible to specify a umask in the _\bs_\bu_\bd_\bo_\be_\br_\bs file that is
- more permissive than the user's own umask and matches
- historical behavior. If _\bu_\bm_\ba_\bs_\bk_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is not set,
- s\bsu\bud\bdo\bo will set the umask to be the union of the user's
- umask and what is specified in _\bs_\bu_\bd_\bo_\be_\br_\bs. This flag is
- _\bo_\bf_\bf by default.
-
- use_loginclass If set, s\bsu\bud\bdo\bo will apply the defaults specified for the
- target user's login class if one exists. Only
- available if s\bsu\bud\bdo\bo is configured with the
- --with-logincap option. This flag is _\bo_\bf_\bf by default.
-
- use_netgroups If set, netgroups (prefixed with `+'), may be used in
- place of a user or host. For LDAP-based sudoers,
- netgroup support requires an expensive sub-string match
- on the server unless the N\bNE\bET\bTG\bGR\bRO\bOU\bUP\bP_\b_B\bBA\bAS\bSE\bE directive is
- present in the _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf file. If netgroups are
- not needed, this option can be disabled to reduce the
- load on the LDAP server. This flag is _\bo_\bn by default.
-
- use_pty If set, and s\bsu\bud\bdo\bo is running in a terminal, the command
- will be run in a pseudo-pty (even if no I/O logging is
- being done). If the s\bsu\bud\bdo\bo process is not attached to a
- terminal, _\bu_\bs_\be_\b__\bp_\bt_\by has no effect.
-
- A malicious program run under s\bsu\bud\bdo\bo may be capable of
- injecting commands into the user's terminal or running
- a background process that retains access to the user's
- terminal device even after the main program has
- finished executing. By running the command in a
- separate pseudo-pty, this attack is no longer possible.
- This flag is _\bo_\bf_\bf by default.
-
- user_command_timeouts
- If set, the user may specify a timeout on the command
- line. If the timeout expires before the command has
- exited, the command will be terminated. If a timeout
- is specified both in the _\bs_\bu_\bd_\bo_\be_\br_\bs file and on the
- command line, the smaller of the two timeouts will be
- used. See the Timeout_Spec section for a description
- of the timeout syntax. This flag is _\bo_\bf_\bf by default.
-
- This setting is only supported by version 1.8.20 or
- higher.
-
- utmp_runas If set, s\bsu\bud\bdo\bo will store the name of the runas user when
- updating the utmp (or utmpx) file. By default, s\bsu\bud\bdo\bo
- stores the name of the invoking user. This flag is _\bo_\bf_\bf
- by default.
-
- visiblepw By default, s\bsu\bud\bdo\bo will refuse to run if the user must
- enter a password but it is not possible to disable echo
- on the terminal. If the _\bv_\bi_\bs_\bi_\bb_\bl_\be_\bp_\bw flag is set, s\bsu\bud\bdo\bo
- will prompt for a password even when it would be
- visible on the screen. This makes it possible to run
- things like "ssh somehost sudo ls" since by default,
- ssh(1) does not allocate a tty when running a command.
- This flag is _\bo_\bf_\bf by default.
-
- I\bIn\bnt\bte\beg\bge\ber\brs\bs:
-
- closefrom Before it executes a command, s\bsu\bud\bdo\bo will close all open
- file descriptors other than standard input, standard
- output and standard error (ie: file descriptors 0-2).
- The _\bc_\bl_\bo_\bs_\be_\bf_\br_\bo_\bm option can be used to specify a different
- file descriptor at which to start closing. The default
- is 3.
-
- command_timeout The maximum amount of time a command is allowed to run
- before it is terminated. See the Timeout_Spec section
- for a description of the timeout syntax.
-
- This setting is only supported by version 1.8.20 or
- higher.
-
- maxseq The maximum sequence number that will be substituted
- for the "%{seq}" escape in the I/O log file (see the
- _\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br description below for more information).
- While the value substituted for "%{seq}" is in base 36,
- _\bm_\ba_\bx_\bs_\be_\bq itself should be expressed in decimal. Values
- larger than 2176782336 (which corresponds to the base
- 36 sequence number "ZZZZZZ") will be silently truncated
- to 2176782336. The default value is 2176782336.
-
- Once the local sequence number reaches the value of
- _\bm_\ba_\bx_\bs_\be_\bq, it will "roll over" to zero, after which
- s\bsu\bud\bdo\boe\ber\brs\bs will truncate and re-use any existing I/O log
- path names.
-
- This setting is only supported by version 1.8.7 or
- higher.
-
- passwd_tries The number of tries a user gets to enter his/her
- password before s\bsu\bud\bdo\bo logs the failure and exits. The
- default is 3.
-
- syslog_maxlen On many systems, syslog(3) has a relatively small log
- buffer. IETF RFC 5424 states that syslog servers must
- support messages of at least 480 bytes and should
- support messages up to 2048 bytes. By default, s\bsu\bud\bdo\boe\ber\brs\bs
- creates log messages up to 980 bytes which corresponds
- to the historic BSD syslog implementation which used a
- 1024 byte buffer to store the message, date, hostname
- and program name. To prevent syslog messages from
- being truncated, s\bsu\bud\bdo\boe\ber\brs\bs will split up log messages
- that are larger than _\bs_\by_\bs_\bl_\bo_\bg_\b__\bm_\ba_\bx_\bl_\be_\bn bytes. When a
- message is split, additional parts will include the
- string "(command continued)" after the user name and
- before the continued command line arguments.
-
- This setting is only supported by version 1.8.19 or
- higher.
-
- I\bIn\bnt\bte\beg\bge\ber\brs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
-
- loglinelen Number of characters per line for the file log. This
- value is used to decide when to wrap lines for nicer
- log files. This has no effect on the syslog log file,
- only the file log. The default is 80 (use 0 or negate
- the option to disable word wrap).
-
- passwd_timeout Number of minutes before the s\bsu\bud\bdo\bo password prompt times
- out, or 0 for no timeout. The timeout may include a
- fractional component if minute granularity is
- insufficient, for example 2.5. The default is 5.
-
- timestamp_timeout
- Number of minutes that can elapse before s\bsu\bud\bdo\bo will ask
- for a passwd again. The timeout may include a
- fractional component if minute granularity is
- insufficient, for example 2.5. The default is 5. Set
- this to 0 to always prompt for a password. If set to a
- value less than 0 the user's time stamp will not expire
- until the system is rebooted. This can be used to
- allow users to create or delete their own time stamps
- via "sudo -v" and "sudo -k" respectively.
-
- umask Umask to use when running the command. Negate this
- option or set it to 0777 to preserve the user's umask.
- The actual umask that is used will be the union of the
- user's umask and the value of the _\bu_\bm_\ba_\bs_\bk option, which
- defaults to 0022. This guarantees that s\bsu\bud\bdo\bo never
- lowers the umask when running a command. Note: on
- systems that use PAM, the default PAM configuration may
- specify its own umask which will override the value set
- in _\bs_\bu_\bd_\bo_\be_\br_\bs.
-
- S\bSt\btr\bri\bin\bng\bgs\bs:
-
- authfail_message Message that is displayed after a user fails to
- authenticate. The message may include the `%d' escape
- which will expand to the number of failed password
- attempts. If set, it overrides the default message, %d
- incorrect password attempt(s).
-
- badpass_message Message that is displayed if a user enters an incorrect
- password. The default is Sorry, try again. unless
- insults are enabled.
-
- editor A colon (`:') separated list of editors path names used
- by s\bsu\bud\bdo\boe\bed\bdi\bit\bt and v\bvi\bis\bsu\bud\bdo\bo. For s\bsu\bud\bdo\boe\bed\bdi\bit\bt, this list is
- used to find an editor when none of the SUDO_EDITOR,
- VISUAL or EDITOR environment variables are set to an
- editor that exists and is executable. For v\bvi\bis\bsu\bud\bdo\bo, it
- is used as a white list of allowed editors; v\bvi\bis\bsu\bud\bdo\bo will
- choose the editor that matches the user's SUDO_EDITOR,
- VISUAL or EDITOR environment variable if possible, or
- the first editor in the list that exists and is
- executable if not. Unless invoked as s\bsu\bud\bdo\boe\bed\bdi\bit\bt, s\bsu\bud\bdo\bo
- does not preserve the SUDO_EDITOR, VISUAL or EDITOR
- environment variables unless they are present in the
- _\be_\bn_\bv_\b__\bk_\be_\be_\bp list or the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is disabled. The
- default is _\bv_\bi.
-
- iolog_dir The top-level directory to use when constructing the
- path name for the input/output log directory. Only
- used if the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt or _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt options are enabled
- or when the LOG_INPUT or LOG_OUTPUT tags are present
- for a command. The session sequence number, if any, is
- stored in the directory. The default is
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo.
-
- The following percent (`%') escape sequences are
- supported:
-
- %{seq}
- expanded to a monotonically increasing base-36
- sequence number, such as 0100A5, where every two
- digits are used to form a new directory, e.g.,
- _\b0_\b1_\b/_\b0_\b0_\b/_\bA_\b5
-
- %{user}
- expanded to the invoking user's login name
-
- %{group}
- expanded to the name of the invoking user's real
- group ID
-
- %{runas_user}
- expanded to the login name of the user the
- command will be run as (e.g., root)
-
- %{runas_group}
- expanded to the group name of the user the
- command will be run as (e.g., wheel)
-
- %{hostname}
- expanded to the local host name without the
- domain name
-
- %{command}
- expanded to the base name of the command being
- run
-
- In addition, any escape sequences supported by the
- system's strftime(3) function will be expanded.
-
- To include a literal `%' character, the string `%%'
- should be used.
-
- iolog_file The path name, relative to _\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br, in which to store
- input/output logs when the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt or _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt
- options are enabled or when the LOG_INPUT or LOG_OUTPUT
- tags are present for a command. Note that _\bi_\bo_\bl_\bo_\bg_\b__\bf_\bi_\bl_\be
- may contain directory components. The default is
- "%{seq}".
-
- See the _\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br option above for a list of supported
- percent (`%') escape sequences.
-
- In addition to the escape sequences, path names that
- end in six or more Xs will have the Xs replaced with a
- unique combination of digits and letters, similar to
- the mktemp(3) function.
-
- If the path created by concatenating _\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br and
- _\bi_\bo_\bl_\bo_\bg_\b__\bf_\bi_\bl_\be already exists, the existing I/O log file
- will be truncated and overwritten unless _\bi_\bo_\bl_\bo_\bg_\b__\bf_\bi_\bl_\be
- ends in six or more Xs.
-
- iolog_flush If set, s\bsu\bud\bdo\bo will flush I/O log data to disk after each
- write instead of buffering it. This makes it possible
- to view the logs in real-time as the program is
- executing but may significantly reduce the
- effectiveness of I/O log compression. This flag is _\bo_\bf_\bf
- by default.
-
- This setting is only supported by version 1.8.20 or
- higher.
-
- iolog_group The group name to look up when setting the group ID on
- new I/O log files and directories. If _\bi_\bo_\bl_\bo_\bg_\b__\bg_\br_\bo_\bu_\bp is
- not set, the primary group ID of the user specified by
- _\bi_\bo_\bl_\bo_\bg_\b__\bu_\bs_\be_\br is used. If neither _\bi_\bo_\bl_\bo_\bg_\b__\bg_\br_\bo_\bu_\bp nor
- _\bi_\bo_\bl_\bo_\bg_\b__\bu_\bs_\be_\br are set, I/O log files and directories are
- created with group ID 0.
-
- This setting is only supported by version 1.8.19 or
- higher.
-
- iolog_mode The file mode to use when creating I/O log files. Mode
- bits for read and write permissions for owner, group or
- other are honored, everything else is ignored. The
- file permissions will always include the owner read and
- write bits, even if they are not present in the
- specified mode. When creating I/O log directories,
- search (execute) bits are added to match the read and
- write bits specified by _\bi_\bo_\bl_\bo_\bg_\b__\bm_\bo_\bd_\be. Defaults to 0600
- (read and write by user only).
-
- This setting is only supported by version 1.8.19 or
- higher.
-
- iolog_user The user name to look up when setting the user and
- group IDs on new I/O log files and directories. If
- _\bi_\bo_\bl_\bo_\bg_\b__\bg_\br_\bo_\bu_\bp is set, it will be used instead of the
- user's primary group ID. By default, I/O log files and
- directories are created with user and group ID 0.
-
- This setting can be useful when the I/O logs are stored
- on a Network File System (NFS) share. Having a
- dedicated user own the I/O log files means that s\bsu\bud\bdo\boe\ber\brs\bs
- does not write to the log files as user ID 0, which is
- usually not permitted by NFS.
-
- This setting is only supported by version 1.8.19 or
- higher.
-
- lecture_status_dir
- The directory in which s\bsu\bud\bdo\bo stores per-user lecture
- status files. Once a user has received the lecture, a
- zero-length file is created in this directory so that
- s\bsu\bud\bdo\bo will not lecture the user again. This directory
- should _\bn_\bo_\bt be cleared when the system reboots. The
- default is _\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo_\b/_\bl_\be_\bc_\bt_\bu_\br_\be_\bd.
-
- limitprivs The default Solaris limit privileges to use when
- constructing a new privilege set for a command. This
- bounds all privileges of the executing process. The
- default limit privileges may be overridden on a per-
- command basis in _\bs_\bu_\bd_\bo_\be_\br_\bs. This option is only
- available if s\bsu\bud\bdo\boe\ber\brs\bs is built on Solaris 10 or higher.
-
- mailsub Subject of the mail sent to the _\bm_\ba_\bi_\bl_\bt_\bo user. The
- escape %h will expand to the host name of the machine.
- Default is "*** SECURITY information for %h ***".
-
- noexec_file As of s\bsu\bud\bdo\bo version 1.8.1 this option is no longer
- supported. The path to the noexec file should now be
- set in the sudo.conf(4) file.
-
- pam_login_service
- On systems that use PAM for authentication, this is the
- service name used when the -\b-i\bi option is specified. The
- default value is "sudo". See the description of
- _\bp_\ba_\bm_\b__\bs_\be_\br_\bv_\bi_\bc_\be for more information.
-
- This setting is only supported by version 1.8.8 or
- higher.
-
- pam_service On systems that use PAM for authentication, the service
- name specifies the PAM policy to apply. This usually
- corresponds to an entry in the _\bp_\ba_\bm_\b._\bc_\bo_\bn_\bf file or a file
- in the _\b/_\be_\bt_\bc_\b/_\bp_\ba_\bm_\b._\bd directory. The default value is
- "sudo".
-
- This setting is only supported by version 1.8.8 or
- higher.
-
- passprompt The default prompt to use when asking for a password;
- can be overridden via the -\b-p\bp option or the SUDO_PROMPT
- environment variable. The following percent (`%')
- escape sequences are supported:
-
- %H expanded to the local host name including the
- domain name (only if the machine's host name is
- fully qualified or the _\bf_\bq_\bd_\bn option is set)
-
- %h expanded to the local host name without the
- domain name
-
- %p expanded to the user whose password is being
- asked for (respects the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and
- _\br_\bu_\bn_\ba_\bs_\bp_\bw flags in _\bs_\bu_\bd_\bo_\be_\br_\bs)
-
- %U expanded to the login name of the user the
- command will be run as (defaults to root)
-
- %u expanded to the invoking user's login name
-
- %% two consecutive % characters are collapsed into a
- single % character
-
- On systems that use PAM for authentication, _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt
- will only be used if the prompt provided by the PAM
- module matches the string "Password: " or "username's
- Password: ". This ensures that the _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt setting
- does not interfere with challenge-response style
- authentication. The _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be flag can be
- used to change this behavior.
-
- The default value is "Password: ".
-
- privs The default Solaris privileges to use when constructing
- a new privilege set for a command. This is passed to
- the executing process via the inherited privilege set,
- but is bounded by the limit privileges. If the _\bp_\br_\bi_\bv_\bs
- option is specified but the _\bl_\bi_\bm_\bi_\bt_\bp_\br_\bi_\bv_\bs option is not,
- the limit privileges of the executing process is set to
- _\bp_\br_\bi_\bv_\bs. The default privileges may be overridden on a
- per-command basis in _\bs_\bu_\bd_\bo_\be_\br_\bs. This option is only
- available if s\bsu\bud\bdo\boe\ber\brs\bs is built on Solaris 10 or higher.
-
- role The default SELinux role to use when constructing a new
- security context to run the command. The default role
- may be overridden on a per-command basis in the _\bs_\bu_\bd_\bo_\be_\br_\bs
- file or via command line options. This option is only
- available when s\bsu\bud\bdo\bo is built with SELinux support.
-
- runas_default The default user to run commands as if the -\b-u\bu option is
- not specified on the command line. This defaults to
- root.
-
- sudoers_locale Locale to use when parsing the sudoers file, logging
- commands, and sending email. Note that changing the
- locale may affect how sudoers is interpreted. Defaults
- to "C".
-
- timestamp_type s\bsu\bud\bdo\boe\ber\brs\bs uses per-user time stamp files for credential
- caching. The _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\b__\bt_\by_\bp_\be option can be used to
- specify the type of time stamp record used. It has the
- following possible values:
-
- global A single time stamp record is used for all of a
- user's login sessions, regardless of the
- terminal or parent process ID. An additional
- record is used to serialize password prompts
- when s\bsu\bud\bdo\bo is used multiple times in a pipeline,
- but this does not affect authentication.
-
- ppid A single time stamp record is used for all
- processes with the same parent process ID
- (usually the shell). Commands run from the
- same shell (or other common parent process)
- will not require a password for
- _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\b__\bt_\bi_\bm_\be_\bo_\bu_\bt minutes (5 by default).
- Commands run via s\bsu\bud\bdo\bo with a different parent
- process ID, for example from a shell script,
- will be authenticated separately.
-
- tty One time stamp record is used for each
- terminal, which means that a user's login
- sessions are authenticated separately. If no
- terminal is present, the behavior is the same
- as _\bp_\bp_\bi_\bd. Commands run from the same terminal
- will not require a password for
- _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\b__\bt_\bi_\bm_\be_\bo_\bu_\bt minutes (5 by default).
-
- kernel The time stamp is stored in the kernel as an
- attribute of the terminal device. If no
- terminal is present, the behavior is the same
- as _\bp_\bp_\bi_\bd. Negative _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\b__\bt_\bi_\bm_\be_\bo_\bu_\bt values are
- not supported and positive values are limited
- to a maximum of 60 minutes. This is currently
- only supported on OpenBSD.
-
- The default value is _\bt_\bt_\by.
-
- This setting is only supported by version 1.8.21 or
- higher.
-
- timestampdir The directory in which s\bsu\bud\bdo\bo stores its time stamp
- files. This directory should be cleared when the
- system reboots. The default is _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo_\b/_\bt_\bs.
-
- timestampowner The owner of the lecture status directory, time stamp
- directory and all files stored therein. The default is
- root.
-
- type The default SELinux type to use when constructing a new
- security context to run the command. The default type
- may be overridden on a per-command basis in the _\bs_\bu_\bd_\bo_\be_\br_\bs
- file or via command line options. This option is only
- available when s\bsu\bud\bdo\bo is built with SELinux support.
-
- S\bSt\btr\bri\bin\bng\bgs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
-
- env_file The _\be_\bn_\bv_\b__\bf_\bi_\bl_\be option specifies the fully qualified path to a
- file containing variables to be set in the environment of
- the program being run. Entries in this file should either
- be of the form "VARIABLE=value" or "export VARIABLE=value".
- The value may optionally be surrounded by single or double
- quotes. Variables in this file are only added if the
- variable does not already exist in the environment. This
- file is considered to be part of the security policy, its
- contents are not subject to other s\bsu\bud\bdo\bo environment
- restrictions such as _\be_\bn_\bv_\b__\bk_\be_\be_\bp and _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk.
-
- exempt_group Users in this group are exempt from password and PATH
- requirements. The group name specified should not include
- a % prefix. This is not set by default.
-
- fdexec Determines whether s\bsu\bud\bdo\bo will execute a command by its path
- or by an open file descriptor. It has the following
- possible values:
-
- always Always execute by file descriptor.
-
- never Never execute by file descriptor.
-
- digest_only
- Only execute by file descriptor if the command has
- an associated digest in the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
-
- The default value is _\bd_\bi_\bg_\be_\bs_\bt_\b__\bo_\bn_\bl_\by. This avoids a time of
- check versus time of use race condition when the command is
- located in a directory writable by the invoking user.
-
- Note that _\bf_\bd_\be_\bx_\be_\bc will change the first element of the
- argument vector for scripts ($0 in the shell) due to the
- way the kernel runs script interpreters. Instead of being
- a normal path, it will refer to a file descriptor. For
- example, _\b/_\bd_\be_\bv_\b/_\bf_\bd_\b/_\b4 on Solaris and _\b/_\bp_\br_\bo_\bc_\b/_\bs_\be_\bl_\bf_\b/_\bf_\bd_\b/_\b4 on Linux.
- A workaround is to use the SUDO_COMMAND environment
- variable instead.
-
- The _\bf_\bd_\be_\bx_\be_\bc setting is only used when the command is matched
- by path name. It has no effect if the command is matched
- by the built-in A\bAL\bLL\bL alias.
-
- This setting is only supported by version 1.8.20 or higher.
- If the operating system does not support the fexecve(2)
- system call, this setting has no effect.
-
- group_plugin A string containing a s\bsu\bud\bdo\boe\ber\brs\bs group plugin with optional
- arguments. The string should consist of the plugin path,
- either fully-qualified or relative to the
- _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc_\b/_\bs_\bu_\bd_\bo directory, followed by any
- configuration arguments the plugin requires. These
- arguments (if any) will be passed to the plugin's
- initialization function. If arguments are present, the
- string must be enclosed in double quotes ("").
-
- For more information see _\bG_\bR_\bO_\bU_\bP _\bP_\bR_\bO_\bV_\bI_\bD_\bE_\bR _\bP_\bL_\bU_\bG_\bI_\bN_\bS.
-
- lecture This option controls when a short lecture will be printed
- along with the password prompt. It has the following
- possible values:
-
- always Always lecture the user.
-
- never Never lecture the user.
-
- once Only lecture the user the first time they run s\bsu\bud\bdo\bo.
-
- If no value is specified, a value of _\bo_\bn_\bc_\be is implied.
- Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
- The default value is _\bo_\bn_\bc_\be.
-
- lecture_file Path to a file containing an alternate s\bsu\bud\bdo\bo lecture that
- will be used in place of the standard lecture if the named
- file exists. By default, s\bsu\bud\bdo\bo uses a built-in lecture.
-
- listpw This option controls when a password will be required when
- a user runs s\bsu\bud\bdo\bo with the -\b-l\bl option. It has the following
- possible values:
-
- all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs file entries for the
- current host must have the NOPASSWD flag set to
- avoid entering a password.
-
- always The user must always enter a password to use the
- -\b-l\bl option.
-
- any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs file entries
- for the current host must have the NOPASSWD flag
- set to avoid entering a password.
-
- never The user need never enter a password to use the
- -\b-l\bl option.
-
- If no value is specified, a value of _\ba_\bn_\by is implied.
- Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
- The default value is _\ba_\bn_\by.
-
- logfile Path to the s\bsu\bud\bdo\bo log file (not the syslog log file).
- Setting a path turns on logging to a file; negating this
- option turns it off. By default, s\bsu\bud\bdo\bo logs via syslog.
-
- mailerflags Flags to use when invoking mailer. Defaults to -\b-t\bt.
-
- mailerpath Path to mail program used to send warning mail. Defaults
- to the path to sendmail found at configure time.
-
- mailfrom Address to use for the "from" address when sending warning
- and error mail. The address should be enclosed in double
- quotes ("") to protect against s\bsu\bud\bdo\bo interpreting the @
- sign. Defaults to the name of the user running s\bsu\bud\bdo\bo.
-
- mailto Address to send warning and error mail to. The address
- should be enclosed in double quotes ("") to protect against
- s\bsu\bud\bdo\bo interpreting the @ sign. Defaults to root.
-
- restricted_env_file
- The _\br_\be_\bs_\bt_\br_\bi_\bc_\bt_\be_\bd_\b__\be_\bn_\bv_\b__\bf_\bi_\bl_\be option specifies the fully
- qualified path to a file containing variables to be set in
- the environment of the program being run. Entries in this
- file should either be of the form "VARIABLE=value" or
- "export VARIABLE=value". The value may optionally be
- surrounded by single or double quotes. Variables in this
- file are only added if the variable does not already exist
- in the environment. Unlike _\be_\bn_\bv_\b__\bf_\bi_\bl_\be, the file's contents
- are not trusted and are processed in a manner similar to
- that of the invoking user's environment. If _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt is
- enabled, variables in the file will only be added if they
- are matched by either the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk or _\be_\bn_\bv_\b__\bk_\be_\be_\bp list. If
- _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt is disabled, variables in the file are added as
- long as they are not matched by the _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be list. In
- either case, the contents of _\br_\be_\bs_\bt_\br_\bi_\bc_\bt_\be_\bd_\b__\be_\bn_\bv_\b__\bf_\bi_\bl_\be are
- processed before the contents of _\be_\bn_\bv_\b__\bf_\bi_\bl_\be.
-
- secure_path If set, s\bsu\bud\bdo\bo will use this value in place of the user's
- PATH environment variable. This option can be used to
- reset the PATH to a known good value that contains
- directories for system administrator commands such as
- _\b/_\bu_\bs_\br_\b/_\bs_\bb_\bi_\bn.
-
- Users in the group specified by the _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option are
- not affected by _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh. This option is not set by
- default.
-
- syslog Syslog facility if syslog is being used for logging (negate
- to disable syslog logging). Defaults to auth.
-
- The following syslog facilities are supported: a\bau\but\bth\bhp\bpr\bri\biv\bv (if
- your OS supports it), a\bau\but\bth\bh, d\bda\bae\bem\bmo\bon\bn, u\bus\bse\ber\br, l\blo\boc\bca\bal\bl0\b0, l\blo\boc\bca\bal\bl1\b1,
- l\blo\boc\bca\bal\bl2\b2, l\blo\boc\bca\bal\bl3\b3, l\blo\boc\bca\bal\bl4\b4, l\blo\boc\bca\bal\bl5\b5, l\blo\boc\bca\bal\bl6\b6, and l\blo\boc\bca\bal\bl7\b7.
-
- syslog_badpri
- Syslog priority to use when the user is not allowed to run
- a command or when authentication is unsuccessful. Defaults
- to alert.
-
- The following syslog priorities are supported: a\bal\ble\ber\brt\bt, c\bcr\bri\bit\bt,
- d\bde\beb\bbu\bug\bg, e\bem\bme\ber\brg\bg, e\ber\brr\br, i\bin\bnf\bfo\bo, n\bno\bot\bti\bic\bce\be, w\bwa\bar\brn\bni\bin\bng\bg, and n\bno\bon\bne\be.
- Negating the option or setting it to a value of n\bno\bon\bne\be will
- disable logging of unsuccessful commands.
-
- syslog_goodpri
- Syslog priority to use when the user is allowed to run a
- command and authentication is successful. Defaults to
- notice.
-
- See _\bs_\by_\bs_\bl_\bo_\bg_\b__\bb_\ba_\bd_\bp_\br_\bi for the list of supported syslog
- priorities. Negating the option or setting it to a value
- of n\bno\bon\bne\be will disable logging of successful commands.
-
- verifypw This option controls when a password will be required when
- a user runs s\bsu\bud\bdo\bo with the -\b-v\bv option. It has the following
- possible values:
-
- all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs file entries for the current
- host must have the NOPASSWD flag set to avoid
- entering a password.
-
- always The user must always enter a password to use the -\b-v\bv
- option.
-
- any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs file entries for
- the current host must have the NOPASSWD flag set to
- avoid entering a password.
-
- never The user need never enter a password to use the -\b-v\bv
- option.
-
- If no value is specified, a value of _\ba_\bl_\bl is implied.
- Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
- The default value is _\ba_\bl_\bl.
-
- L\bLi\bis\bst\bts\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
-
- env_check Environment variables to be removed from the user's
- environment unless they are considered "safe". For all
- variables except TZ, "safe" means that the variable's
- value does not contain any `%' or `/' characters. This
- can be used to guard against printf-style format
- vulnerabilities in poorly-written programs. The TZ
- variable is considered unsafe if any of the following
- are true:
-
- +\b+\bo\bo It consists of a fully-qualified path name,
- optionally prefixed with a colon (`:'), that does
- not match the location of the _\bz_\bo_\bn_\be_\bi_\bn_\bf_\bo directory.
-
- +\b+\bo\bo It contains a _\b._\b. path element.
-
- +\b+\bo\bo It contains white space or non-printable characters.
-
- +\b+\bo\bo It is longer than the value of PATH_MAX.
-
- The argument may be a double-quoted, space-separated
- list or a single value without double-quotes. The list
- can be replaced, added to, deleted from, or disabled by
- using the =, +=, -=, and ! operators respectively.
- Regardless of whether the env_reset option is enabled
- or disabled, variables specified by env_check will be
- preserved in the environment if they pass the
- aforementioned check. The global list of environment
- variables to check is displayed when s\bsu\bud\bdo\bo is run by
- root with the -\b-V\bV option.
-
- env_delete Environment variables to be removed from the user's
- environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is not in effect.
- The argument may be a double-quoted, space-separated
- list or a single value without double-quotes. The list
- can be replaced, added to, deleted from, or disabled by
- using the =, +=, -=, and ! operators respectively. The
- global list of environment variables to remove is
- displayed when s\bsu\bud\bdo\bo is run by root with the -\b-V\bV option.
- Note that many operating systems will remove
- potentially dangerous variables from the environment of
- any setuid process (such as s\bsu\bud\bdo\bo).
-
- env_keep Environment variables to be preserved in the user's
- environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is in effect.
- This allows fine-grained control over the environment
- s\bsu\bud\bdo\bo-spawned processes will receive. The argument may
- be a double-quoted, space-separated list or a single
- value without double-quotes. The list can be replaced,
- added to, deleted from, or disabled by using the =, +=,
- -=, and ! operators respectively. The global list of
- variables to keep is displayed when s\bsu\bud\bdo\bo is run by root
- with the -\b-V\bV option.
-
-G\bGR\bRO\bOU\bUP\bP P\bPR\bRO\bOV\bVI\bID\bDE\bER\bR P\bPL\bLU\bUG\bGI\bIN\bNS\bS
- The s\bsu\bud\bdo\boe\ber\brs\bs plugin supports its own plugin interface to allow non-Unix
- group lookups which can query a group source other than the standard Unix
- group database. This can be used to implement support for the
- nonunix_group syntax described earlier.
-
- Group provider plugins are specified via the _\bg_\br_\bo_\bu_\bp_\b__\bp_\bl_\bu_\bg_\bi_\bn Defaults
- setting. The argument to _\bg_\br_\bo_\bu_\bp_\b__\bp_\bl_\bu_\bg_\bi_\bn should consist of the plugin path,
- either fully-qualified or relative to the _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc_\b/_\bs_\bu_\bd_\bo
- directory, followed by any configuration options the plugin requires.
- These options (if specified) will be passed to the plugin's
- initialization function. If options are present, the string must be
- enclosed in double quotes ("").
-
- The following group provider plugins are installed by default:
-
- group_file
- The _\bg_\br_\bo_\bu_\bp_\b__\bf_\bi_\bl_\be plugin supports an alternate group file that
- uses the same syntax as the _\b/_\be_\bt_\bc_\b/_\bg_\br_\bo_\bu_\bp file. The path to the
- group file should be specified as an option to the plugin. For
- example, if the group file to be used is _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b-_\bg_\br_\bo_\bu_\bp:
-
- Defaults group_plugin="group_file.so /etc/sudo-group"
-
- system_group
- The _\bs_\by_\bs_\bt_\be_\bm_\b__\bg_\br_\bo_\bu_\bp plugin supports group lookups via the standard
- C library functions g\bge\bet\btg\bgr\brn\bna\bam\bm() and g\bge\bet\btg\bgr\bri\bid\bd(). This plugin can
- be used in instances where the user belongs to groups not
- present in the user's supplemental group vector. This plugin
- takes no options:
-
- Defaults group_plugin=system_group.so
-
- The group provider plugin API is described in detail in sudo_plugin(4).
-
-L\bLO\bOG\bG F\bFO\bOR\bRM\bMA\bAT\bT
- s\bsu\bud\bdo\boe\ber\brs\bs can log events using either syslog(3) or a simple log file. The
- log format is almost identical in both cases.
-
- A\bAc\bcc\bce\bep\bpt\bte\bed\bd c\bco\bom\bmm\bma\ban\bnd\bd l\blo\bog\bg e\ben\bnt\btr\bri\bie\bes\bs
- Commands that sudo runs are logged using the following format (split into
- multiple lines for readability):
-
- date hostname progname: username : TTY=ttyname ; PWD=cwd ; \
- USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \
- ENV=env_vars COMMAND=command
-
- Where the fields are as follows:
-
- date The date the command was run. Typically, this is in the
- format "MMM, DD, HH:MM:SS". If logging via syslog(3), the
- actual date format is controlled by the syslog daemon. If
- logging to a file and the _\bl_\bo_\bg_\b__\by_\be_\ba_\br option is enabled, the
- date will also include the year.
-
- hostname The name of the host s\bsu\bud\bdo\bo was run on. This field is only
- present when logging via syslog(3).
-
- progname The name of the program, usually _\bs_\bu_\bd_\bo or _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt. This
- field is only present when logging via syslog(3).
-
- username The login name of the user who ran s\bsu\bud\bdo\bo.
-
- ttyname The short name of the terminal (e.g., "console", "tty01",
- or "pts/0") s\bsu\bud\bdo\bo was run on, or "unknown" if there was no
- terminal present.
-
- cwd The current working directory that s\bsu\bud\bdo\bo was run in.
-
- runasuser The user the command was run as.
-
- runasgroup The group the command was run as if one was specified on
- the command line.
-
- logid An I/O log identifier that can be used to replay the
- command's output. This is only present when the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt
- or _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt option is enabled.
-
- env_vars A list of environment variables specified on the command
- line, if specified.
-
- command The actual command that was executed.
-
- Messages are logged using the locale specified by _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bl_\bo_\bc_\ba_\bl_\be, which
- defaults to the "C" locale.
-
- D\bDe\ben\bni\bie\bed\bd c\bco\bom\bmm\bma\ban\bnd\bd l\blo\bog\bg e\ben\bnt\btr\bri\bie\bes\bs
- If the user is not allowed to run the command, the reason for the denial
- will follow the user name. Possible reasons include:
-
- user NOT in sudoers
- The user is not listed in the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
-
- user NOT authorized on host
- The user is listed in the _\bs_\bu_\bd_\bo_\be_\br_\bs file but is not allowed to run
- commands on the host.
-
- command not allowed
- The user is listed in the _\bs_\bu_\bd_\bo_\be_\br_\bs file for the host but they are not
- allowed to run the specified command.
-
- 3 incorrect password attempts
- The user failed to enter their password after 3 tries. The actual
- number of tries will vary based on the number of failed attempts and
- the value of the _\bp_\ba_\bs_\bs_\bw_\bd_\b__\bt_\br_\bi_\be_\bs option.
-
- a password is required
- s\bsu\bud\bdo\bo's -\b-n\bn option was specified but a password was required.
-
- sorry, you are not allowed to set the following environment variables
- The user specified environment variables on the command line that were
- not allowed by _\bs_\bu_\bd_\bo_\be_\br_\bs.
-
- E\bEr\brr\bro\bor\br l\blo\bog\bg e\ben\bnt\btr\bri\bie\bes\bs
- If an error occurs, s\bsu\bud\bdo\boe\ber\brs\bs will log a message and, in most cases, send a
- message to the administrator via email. Possible errors include:
-
- parse error in /etc/sudoers near line N
- s\bsu\bud\bdo\boe\ber\brs\bs encountered an error when parsing the specified file. In some
- cases, the actual error may be one line above or below the line number
- listed, depending on the type of error.
-
- problem with defaults entries
- The _\bs_\bu_\bd_\bo_\be_\br_\bs file contains one or more unknown Defaults settings. This
- does not prevent s\bsu\bud\bdo\bo from running, but the _\bs_\bu_\bd_\bo_\be_\br_\bs file should be
- checked using v\bvi\bis\bsu\bud\bdo\bo.
-
- timestamp owner (username): No such user
- The time stamp directory owner, as specified by the _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\bo_\bw_\bn_\be_\br
- setting, could not be found in the password database.
-
- unable to open/read /etc/sudoers
- The _\bs_\bu_\bd_\bo_\be_\br_\bs file could not be opened for reading. This can happen
- when the _\bs_\bu_\bd_\bo_\be_\br_\bs file is located on a remote file system that maps
- user ID 0 to a different value. Normally, s\bsu\bud\bdo\boe\ber\brs\bs tries to open the
- _\bs_\bu_\bd_\bo_\be_\br_\bs file using group permissions to avoid this problem. Consider
- either changing the ownership of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs or adding an argument
- like "sudoers_uid=N" (where `N' is the user ID that owns the _\bs_\bu_\bd_\bo_\be_\br_\bs
- file) to the end of the s\bsu\bud\bdo\boe\ber\brs\bs Plugin line in the sudo.conf(4) file.
-
- unable to stat /etc/sudoers
- The _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs file is missing.
-
- /etc/sudoers is not a regular file
- The _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs file exists but is not a regular file or symbolic
- link.
-
- /etc/sudoers is owned by uid N, should be 0
- The _\bs_\bu_\bd_\bo_\be_\br_\bs file has the wrong owner. If you wish to change the
- _\bs_\bu_\bd_\bo_\be_\br_\bs file owner, please add "sudoers_uid=N" (where `N' is the user
- ID that owns the _\bs_\bu_\bd_\bo_\be_\br_\bs file) to the s\bsu\bud\bdo\boe\ber\brs\bs Plugin line in the
- sudo.conf(4) file.
-
- /etc/sudoers is world writable
- The permissions on the _\bs_\bu_\bd_\bo_\be_\br_\bs file allow all users to write to it.
- The _\bs_\bu_\bd_\bo_\be_\br_\bs file must not be world-writable, the default file mode is
- 0440 (readable by owner and group, writable by none). The default
- mode may be changed via the "sudoers_mode" option to the s\bsu\bud\bdo\boe\ber\brs\bs
- Plugin line in the sudo.conf(4) file.
-
- /etc/sudoers is owned by gid N, should be 1
- The _\bs_\bu_\bd_\bo_\be_\br_\bs file has the wrong group ownership. If you wish to change
- the _\bs_\bu_\bd_\bo_\be_\br_\bs file group ownership, please add "sudoers_gid=N" (where
- `N' is the group ID that owns the _\bs_\bu_\bd_\bo_\be_\br_\bs file) to the s\bsu\bud\bdo\boe\ber\brs\bs Plugin
- line in the sudo.conf(4) file.
-
- unable to open /var/run/sudo/ts/username
- s\bsu\bud\bdo\boe\ber\brs\bs was unable to read or create the user's time stamp file. This
- can happen when _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\bo_\bw_\bn_\be_\br is set to a user other than root and
- the mode on _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo is not searchable by group or other. The
- default mode for _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo is 0711.
-
- unable to write to /var/run/sudo/ts/username
- s\bsu\bud\bdo\boe\ber\brs\bs was unable to write to the user's time stamp file.
-
- /var/run/sudo/ts is owned by uid X, should be Y
- The time stamp directory is owned by a user other than _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\bo_\bw_\bn_\be_\br.
- This can occur when the value of _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\bo_\bw_\bn_\be_\br has been changed.
- s\bsu\bud\bdo\boe\ber\brs\bs will ignore the time stamp directory until the owner is
- corrected.
-
- /var/run/sudo/ts is group writable
- The time stamp directory is group-writable; it should be writable only
- by _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\bo_\bw_\bn_\be_\br. The default mode for the time stamp directory is
- 0700. s\bsu\bud\bdo\boe\ber\brs\bs will ignore the time stamp directory until the mode is
- corrected.
-
- N\bNo\bot\bte\bes\bs o\bon\bn l\blo\bog\bgg\bgi\bin\bng\bg v\bvi\bia\ba s\bsy\bys\bsl\blo\bog\bg
- By default, s\bsu\bud\bdo\boe\ber\brs\bs logs messages via syslog(3). The _\bd_\ba_\bt_\be, _\bh_\bo_\bs_\bt_\bn_\ba_\bm_\be, and
- _\bp_\br_\bo_\bg_\bn_\ba_\bm_\be fields are added by the system's s\bsy\bys\bsl\blo\bog\bg() function, not s\bsu\bud\bdo\boe\ber\brs\bs
- itself. As such, they may vary in format on different systems.
-
- The maximum size of syslog messages varies from system to system. The
- _\bs_\by_\bs_\bl_\bo_\bg_\b__\bm_\ba_\bx_\bl_\be_\bn setting can be used to change the maximum syslog message
- size from the default value of 980 bytes. For more information, see the
- description of _\bs_\by_\bs_\bl_\bo_\bg_\b__\bm_\ba_\bx_\bl_\be_\bn.
-
- N\bNo\bot\bte\bes\bs o\bon\bn l\blo\bog\bgg\bgi\bin\bng\bg t\bto\bo a\ba f\bfi\bil\ble\be
- If the _\bl_\bo_\bg_\bf_\bi_\bl_\be option is set, s\bsu\bud\bdo\boe\ber\brs\bs will log to a local file, such as
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo. When logging to a file, s\bsu\bud\bdo\boe\ber\brs\bs uses a format similar to
- syslog(3), with a few important differences:
-
- 1. The _\bp_\br_\bo_\bg_\bn_\ba_\bm_\be and _\bh_\bo_\bs_\bt_\bn_\ba_\bm_\be fields are not present.
-
- 2. If the _\bl_\bo_\bg_\b__\by_\be_\ba_\br option is enabled, the date will also include the
- year.
-
- 3. Lines that are longer than _\bl_\bo_\bg_\bl_\bi_\bn_\be_\bl_\be_\bn characters (80 by default) are
- word-wrapped and continued on the next line with a four character
- indent. This makes entries easier to read for a human being, but
- makes it more difficult to use grep(1) on the log files. If the
- _\bl_\bo_\bg_\bl_\bi_\bn_\be_\bl_\be_\bn option is set to 0 (or negated with a `!'), word wrap
- will be disabled.
-
-I\bI/\b/O\bO L\bLO\bOG\bG F\bFI\bIL\bLE\bES\bS
- When I/O logging is enabled, s\bsu\bud\bdo\bo will run the command in a pseudo-tty
- and log all user input and/or output, depending on which options are
- enabled. I/O is logged to the directory specified by the _\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br
- option (_\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo by default) using a unique session ID that is
- included in the s\bsu\bud\bdo\bo log line, prefixed with "TSID=". The _\bi_\bo_\bl_\bo_\bg_\b__\bf_\bi_\bl_\be
- option may be used to control the format of the session ID.
-
- Each I/O log is stored in a separate directory that contains the
- following files:
-
- _\bl_\bo_\bg a text file containing the time the command was run, the name
- of the user who ran s\bsu\bud\bdo\bo, the name of the target user, the name
- of the target group (optional), the terminal that s\bsu\bud\bdo\bo was run
- from, the number of rows and columns of the terminal, the
- working directory the command was run from and the path name of
- the command itself (with arguments if present)
-
- _\bt_\bi_\bm_\bi_\bn_\bg a log of the amount of time between, and the number of bytes
- in, each I/O log entry (used for session playback)
-
- _\bt_\bt_\by_\bi_\bn input from the user's tty (what the user types)
-
- _\bs_\bt_\bd_\bi_\bn input from a pipe or file
-
- _\bt_\bt_\by_\bo_\bu_\bt output from the pseudo-tty (what the command writes to the
- screen)
-
- _\bs_\bt_\bd_\bo_\bu_\bt standard output to a pipe or redirected to a file
-
- _\bs_\bt_\bd_\be_\br_\br standard error to a pipe or redirected to a file
-
- All files other than _\bl_\bo_\bg are compressed in gzip format unless the
- _\bc_\bo_\bm_\bp_\br_\be_\bs_\bs_\b__\bi_\bo flag has been disabled. Due to buffering, it is not normally
- possible to display the I/O logs in real-time as the program is executing
- The I/O log data will not be complete until the program run by s\bsu\bud\bdo\bo has
- exited or has been terminated by a signal. The _\bi_\bo_\bl_\bo_\bg_\b__\bf_\bl_\bu_\bs_\bh flag can be
- used to disable buffering, in which case I/O log data is written to disk
- as soon as it is available. The output portion of an I/O log file can be
- viewed with the sudoreplay(1m) utility, which can also be used to list or
- search the available logs.
-
- Note that user input may contain sensitive information such as passwords
- (even if they are not echoed to the screen), which will be stored in the
- log file unencrypted. In most cases, logging the command output via
- _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt or LOG_OUTPUT is all that is required.
-
- Since each session's I/O logs are stored in a separate directory,
- traditional log rotation utilities cannot be used to limit the number of
- I/O logs. The simplest way to limit the number of I/O is by setting the
- _\bm_\ba_\bx_\bs_\be_\bq option to the maximum number of logs you wish to store. Once the
- I/O log sequence number reaches _\bm_\ba_\bx_\bs_\be_\bq, it will be reset to zero and
- s\bsu\bud\bdo\boe\ber\brs\bs will truncate and re-use any existing I/O logs.
-
-F\bFI\bIL\bLE\bES\bS
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf Sudo front end configuration
-
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
-
- _\b/_\be_\bt_\bc_\b/_\bg_\br_\bo_\bu_\bp Local groups file
-
- _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bg_\br_\bo_\bu_\bp List of network groups
-
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo I/O log files
-
- _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo_\b/_\bt_\bs Directory containing time stamps for the
- s\bsu\bud\bdo\boe\ber\brs\bs security policy
-
- _\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo_\b/_\bl_\be_\bc_\bt_\bu_\br_\be_\bd Directory containing lecture status files for
- the s\bsu\bud\bdo\boe\ber\brs\bs security policy
-
- _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt Initial environment for -\b-i\bi mode on AIX and
- Linux systems
-
-E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
- Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs file entries. Admittedly, some of these are a
- bit contrived. First, we allow a few environment variables to pass and
- then define our _\ba_\bl_\bi_\ba_\bs_\be_\bs:
-
- # Run X applications through sudo; HOME is used to find the
- # .Xauthority file. Note that other programs use HOME to find
- # configuration files and this may lead to privilege escalation!
- Defaults env_keep += "DISPLAY HOME"
-
- # User alias specification
- User_Alias FULLTIMERS = millert, mikef, dowdy
- User_Alias PARTTIMERS = bostley, jwfox, crawl
- User_Alias WEBMASTERS = will, wendy, wim
-
- # Runas alias specification
- Runas_Alias OP = root, operator
- Runas_Alias DB = oracle, sybase
- Runas_Alias ADMINGRP = adm, oper
-
- # Host alias specification
- Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
- SGI = grolsch, dandelion, black :\
- ALPHA = widget, thalamus, foobar :\
- HPPA = boa, nag, python
- Host_Alias CUNETS = 128.138.0.0/255.255.0.0
- Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
- Host_Alias SERVERS = master, mail, www, ns
- Host_Alias CDROM = orion, perseus, hercules
-
- # Cmnd alias specification
- Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
- /usr/sbin/restore, /usr/sbin/rrestore,\
- sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ== \
- /home/operator/bin/start_backups
- Cmnd_Alias KILL = /usr/bin/kill
- Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
- Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
- Cmnd_Alias HALT = /usr/sbin/halt
- Cmnd_Alias REBOOT = /usr/sbin/reboot
- Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\
- /usr/local/bin/tcsh, /usr/bin/rsh,\
- /usr/local/bin/zsh
- Cmnd_Alias SU = /usr/bin/su
- Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
-
- Here we override some of the compiled in default values. We want s\bsu\bud\bdo\bo to
- log via syslog(3) using the _\ba_\bu_\bt_\bh facility in all cases. We don't want to
- subject the full time staff to the s\bsu\bud\bdo\bo lecture, user m\bmi\bil\bll\ble\ber\brt\bt need not
- give a password, and we don't want to reset the LOGNAME or USER
- environment variables when running commands as root. Additionally, on
- the machines in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, we keep an additional local log
- file and make sure we log the year in each log line since the log entries
- will be kept around for several years. Lastly, we disable shell escapes
- for the commands in the PAGERS Cmnd_Alias (_\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be, _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bp_\bg and
- _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\be_\bs_\bs). Note that this will not effectively constrain users with
- s\bsu\bud\bdo\bo A\bAL\bLL\bL privileges.
-
- # Override built-in defaults
- Defaults syslog=auth
- Defaults>root !set_logname
- Defaults:FULLTIMERS !lecture
- Defaults:millert !authenticate
- Defaults@SERVERS log_year, logfile=/var/log/sudo.log
- Defaults!PAGERS noexec
-
- The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually determines who may run
- what.
-
- root ALL = (ALL) ALL
- %wheel ALL = (ALL) ALL
-
- We let r\bro\boo\bot\bt and any user in group w\bwh\bhe\bee\bel\bl run any command on any host as
- any user.
-
- FULLTIMERS ALL = NOPASSWD: ALL
-
- Full time sysadmins (m\bmi\bil\bll\ble\ber\brt\bt, m\bmi\bik\bke\bef\bf, and d\bdo\bow\bwd\bdy\by) may run any command on
- any host without authenticating themselves.
-
- PARTTIMERS ALL = ALL
-
- Part time sysadmins b\bbo\bos\bst\btl\ble\bey\by, j\bjw\bwf\bfo\box\bx, and c\bcr\bra\baw\bwl\bl) may run any command on any
- host but they must authenticate themselves first (since the entry lacks
- the NOPASSWD tag).
-
- jack CSNETS = ALL
-
- The user j\bja\bac\bck\bk may run any command on the machines in the _\bC_\bS_\bN_\bE_\bT_\bS alias
- (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of those
- networks, only 128.138.204.0 has an explicit netmask (in CIDR notation)
- indicating it is a class C network. For the other networks in _\bC_\bS_\bN_\bE_\bT_\bS,
- the local machine's netmask will be used during matching.
-
- lisa CUNETS = ALL
-
- The user l\bli\bis\bsa\ba may run any command on any host in the _\bC_\bU_\bN_\bE_\bT_\bS alias (the
- class B network 128.138.0.0).
-
- operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
- sudoedit /etc/printcap, /usr/oper/bin/
-
- The o\bop\bpe\ber\bra\bat\bto\bor\br user may run commands limited to simple maintenance. Here,
- those are commands related to backups, killing processes, the printing
- system, shutting down the system, and any commands in the directory
- _\b/_\bu_\bs_\br_\b/_\bo_\bp_\be_\br_\b/_\bb_\bi_\bn_\b/. Note that one command in the DUMPS Cmnd_Alias includes a
- sha224 digest, _\b/_\bh_\bo_\bm_\be_\b/_\bo_\bp_\be_\br_\ba_\bt_\bo_\br_\b/_\bb_\bi_\bn_\b/_\bs_\bt_\ba_\br_\bt_\b__\bb_\ba_\bc_\bk_\bu_\bp_\bs. This is because the
- directory containing the script is writable by the operator user. If the
- script is modified (resulting in a digest mismatch) it will no longer be
- possible to run it via s\bsu\bud\bdo\bo.
-
- joe ALL = /usr/bin/su operator
-
- The user j\bjo\boe\be may only su(1) to operator.
-
- pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd *root*
-
- %opers ALL = (: ADMINGRP) /usr/sbin/
-
- Users in the o\bop\bpe\ber\brs\bs group may run commands in _\b/_\bu_\bs_\br_\b/_\bs_\bb_\bi_\bn_\b/ as themselves
- with any group in the _\bA_\bD_\bM_\bI_\bN_\bG_\bR_\bP Runas_Alias (the a\bad\bdm\bm and o\bop\bpe\ber\br groups).
-
- The user p\bpe\bet\bte\be is allowed to change anyone's password except for root on
- the _\bH_\bP_\bP_\bA machines. Because command line arguments are matched as a
- single, concatenated string, the `*' wildcard will match _\bm_\bu_\bl_\bt_\bi_\bp_\bl_\be words.
- This example assumes that passwd(1) does not take multiple user names on
- the command line. Note that on GNU systems, options to passwd(1) may be
- specified after the user argument. As a result, this rule will also
- allow:
-
- passwd username --expire
-
- which may not be desirable.
-
- bob SPARC = (OP) ALL : SGI = (OP) ALL
-
- The user b\bbo\bob\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI machines as any user
- listed in the _\bO_\bP Runas_Alias (r\bro\boo\bot\bt and o\bop\bpe\ber\bra\bat\bto\bor\br.)
-
- jim +biglab = ALL
-
- The user j\bji\bim\bm may run any command on machines in the _\bb_\bi_\bg_\bl_\ba_\bb netgroup.
- s\bsu\bud\bdo\bo knows that "biglab" is a netgroup due to the `+' prefix.
-
- +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
-
- Users in the s\bse\bec\bcr\bre\bet\bta\bar\bri\bie\bes\bs netgroup need to help manage the printers as
- well as add and remove users, so they are allowed to run those commands
- on all machines.
-
- fred ALL = (DB) NOPASSWD: ALL
-
- The user f\bfr\bre\bed\bd can run commands as any user in the _\bD_\bB Runas_Alias (o\bor\bra\bac\bcl\ble\be
- or s\bsy\byb\bba\bas\bse\be) without giving a password.
-
- john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
-
- On the _\bA_\bL_\bP_\bH_\bA machines, user j\bjo\boh\bhn\bn may su to anyone except root but he is
- not allowed to specify any options to the su(1) command.
-
- jen ALL, !SERVERS = ALL
-
- The user j\bje\ben\bn may run any command on any machine except for those in the
- _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias (master, mail, www and ns).
-
- jill SERVERS = /usr/bin/, !SU, !SHELLS
-
- For any machine in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, j\bji\bil\bll\bl may run any commands in
- the directory _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/ except for those commands belonging to the _\bS_\bU and
- _\bS_\bH_\bE_\bL_\bL_\bS Cmnd_Aliases. While not specifically mentioned in the rule, the
- commands in the _\bP_\bA_\bG_\bE_\bR_\bS Cmnd_Alias all reside in _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn and have the
- _\bn_\bo_\be_\bx_\be_\bc option set.
-
- steve CSNETS = (operator) /usr/local/op_commands/
-
- The user s\bst\bte\bev\bve\be may run any command in the directory
- /usr/local/op_commands/ but only as user operator.
-
- matt valkyrie = KILL
-
- On his personal workstation, valkyrie, m\bma\bat\btt\bt needs to be able to kill hung
- processes.
-
- WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
-
- On the host www, any user in the _\bW_\bE_\bB_\bM_\bA_\bS_\bT_\bE_\bR_\bS User_Alias (will, wendy, and
- wim), may run any command as user www (which owns the web pages) or
- simply su(1) to www.
-
- ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
- /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
-
- Any user may mount or unmount a CD-ROM on the machines in the CDROM
- Host_Alias (orion, perseus, hercules) without entering a password. This
- is a bit tedious for users to type, so it is a prime candidate for
- encapsulating in a shell script.
-
-S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
- L\bLi\bim\bmi\bit\bta\bat\bti\bio\bon\bns\bs o\bof\bf t\bth\bhe\be `\b`!\b!'\b' o\bop\bpe\ber\bra\bat\bto\bor\br
- It is generally not effective to "subtract" commands from A\bAL\bLL\bL using the
- `!' operator. A user can trivially circumvent this by copying the
- desired command to a different name and then executing that. For
- example:
-
- bill ALL = ALL, !SU, !SHELLS
-
- Doesn't really prevent b\bbi\bil\bll\bl from running the commands listed in _\bS_\bU or
- _\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those commands to a different name, or
- use a shell escape from an editor or other program. Therefore, these
- kind of restrictions should be considered advisory at best (and
- reinforced by policy).
-
- In general, if a user has sudo A\bAL\bLL\bL there is nothing to prevent them from
- creating their own program that gives them a root shell (or making their
- own copy of a shell) regardless of any `!' elements in the user
- specification.
-
- S\bSe\bec\bcu\bur\bri\bit\bty\by i\bim\bmp\bpl\bli\bic\bca\bat\bti\bio\bon\bns\bs o\bof\bf _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb
- If the _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb option is in use, it is not possible to reliably negate
- commands where the path name includes globbing (aka wildcard) characters.
- This is because the C library's fnmatch(3) function cannot resolve
- relative paths. While this is typically only an inconvenience for rules
- that grant privileges, it can result in a security issue for rules that
- subtract or revoke privileges.
-
- For example, given the following _\bs_\bu_\bd_\bo_\be_\br_\bs file entry:
-
- john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\
- /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
-
- User j\bjo\boh\bhn\bn can still run /usr/bin/passwd root if _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is enabled by
- changing to _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn and running ./passwd root instead.
-
- P\bPr\bre\bev\bve\ben\bnt\bti\bin\bng\bg s\bsh\bhe\bel\bll\bl e\bes\bsc\bca\bap\bpe\bes\bs
- Once s\bsu\bud\bdo\bo executes a program, that program is free to do whatever it
- pleases, including run other programs. This can be a security issue
- since it is not uncommon for a program to allow shell escapes, which lets
- a user bypass s\bsu\bud\bdo\bo's access control and logging. Common programs that
- permit shell escapes include shells (obviously), editors, paginators,
- mail and terminal programs.
-
- There are two basic approaches to this problem:
-
- restrict Avoid giving users access to commands that allow the user to
- run arbitrary commands. Many editors have a restricted mode
- where shell escapes are disabled, though s\bsu\bud\bdo\boe\bed\bdi\bit\bt is a better
- solution to running editors via s\bsu\bud\bdo\bo. Due to the large number
- of programs that offer shell escapes, restricting users to the
- set of programs that do not is often unworkable.
-
- noexec Many systems that support shared libraries have the ability to
- override default library functions by pointing an environment
- variable (usually LD_PRELOAD) to an alternate shared library.
- On such systems, s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality can be used to
- prevent a program run by s\bsu\bud\bdo\bo from executing any other
- programs. Note, however, that this applies only to native
- dynamically-linked executables. Statically-linked executables
- and foreign executables running under binary emulation are not
- affected.
-
- The _\bn_\bo_\be_\bx_\be_\bc feature is known to work on SunOS, Solaris, *BSD,
- Linux, IRIX, Tru64 UNIX, macOS, HP-UX 11.x and AIX 5.3 and
- above. It should be supported on most operating systems that
- support the LD_PRELOAD environment variable. Check your
- operating system's manual pages for the dynamic linker (usually
- ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
- LD_PRELOAD is supported.
-
- On Solaris 10 and higher, _\bn_\bo_\be_\bx_\be_\bc uses Solaris privileges
- instead of the LD_PRELOAD environment variable.
-
- To enable _\bn_\bo_\be_\bx_\be_\bc for a command, use the NOEXEC tag as
- documented in the User Specification section above. Here is
- that example again:
-
- aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
-
- This allows user a\baa\bar\bro\bon\bn to run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi
- with _\bn_\bo_\be_\bx_\be_\bc enabled. This will prevent those two commands from
- executing other commands (such as a shell). If you are unsure
- whether or not your system is capable of supporting _\bn_\bo_\be_\bx_\be_\bc you
- can always just try it out and check whether shell escapes work
- when _\bn_\bo_\be_\bx_\be_\bc is enabled.
-
- Note that restricting shell escapes is not a panacea. Programs running
- as root are still capable of many potentially hazardous operations (such
- as changing or overwriting files) that could lead to unintended privilege
- escalation. In the specific case of an editor, a safer approach is to
- give the user permission to run s\bsu\bud\bdo\boe\bed\bdi\bit\bt (see below).
-
- S\bSe\bec\bcu\bur\bre\be e\bed\bdi\bit\bti\bin\bng\bg
- The s\bsu\bud\bdo\boe\ber\brs\bs plugin includes s\bsu\bud\bdo\boe\bed\bdi\bit\bt support which allows users to
- securely edit files with the editor of their choice. As s\bsu\bud\bdo\boe\bed\bdi\bit\bt is a
- built-in command, it must be specified in the _\bs_\bu_\bd_\bo_\be_\br_\bs file without a
- leading path. However, it may take command line arguments just as a
- normal command does. Wildcards used in _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt command line arguments
- are expected to be path names, so a forward slash (`/') will not be
- matched by a wildcard.
-
- Unlike other s\bsu\bud\bdo\bo commands, the editor is run with the permissions of the
- invoking user and with the environment unmodified. More information may
- be found in the description of the -\b-e\be option in sudo(1m).
-
- For example, to allow user operator to edit the "message of the day"
- file:
-
- operator sudoedit /etc/motd
-
- The operator user then runs s\bsu\bud\bdo\boe\bed\bdi\bit\bt as follows:
-
- $ sudoedit /etc/motd
-
- The editor will run as the operator user, not root, on a temporary copy
- of _\b/_\be_\bt_\bc_\b/_\bm_\bo_\bt_\bd. After the file has been edited, _\b/_\be_\bt_\bc_\b/_\bm_\bo_\bt_\bd will be updated
- with the contents of the temporary copy.
-
- Users should _\bn_\be_\bv_\be_\br be granted s\bsu\bud\bdo\boe\bed\bdi\bit\bt permission to edit a file that
- resides in a directory the user has write access to, either directly or
- via a wildcard. If the user has write access to the directory it is
- possible to replace the legitimate file with a link to another file,
- allowing the editing of arbitrary files. To prevent this, starting with
- version 1.8.16, symbolic links will not be followed in writable
- directories and s\bsu\bud\bdo\boe\bed\bdi\bit\bt will refuse to edit a file located in a writable
- directory unless the _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt_\b__\bc_\bh_\be_\bc_\bk_\bd_\bi_\br option has been disabled or the
- invoking user is root. Additionally, in version 1.8.15 and higher,
- s\bsu\bud\bdo\boe\bed\bdi\bit\bt will refuse to open a symbolic link unless either the
- _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt_\b__\bf_\bo_\bl_\bl_\bo_\bw option is enabled or the _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt command is prefixed
- with the FOLLOW tag in the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
-
- T\bTi\bim\bme\be s\bst\bta\bam\bmp\bp f\bfi\bil\ble\be c\bch\bhe\bec\bck\bks\bs
- s\bsu\bud\bdo\boe\ber\brs\bs will check the ownership of its time stamp directory
- (_\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo_\b/_\bt_\bs by default) and ignore the directory's contents if it
- is not owned by root or if it is writable by a user other than root.
- Older versions of s\bsu\bud\bdo\bo stored time stamp files in _\b/_\bt_\bm_\bp; this is no longer
- recommended as it may be possible for a user to create the time stamp
- themselves on systems that allow unprivileged users to change the
- ownership of files they create.
-
- While the time stamp directory _\bs_\bh_\bo_\bu_\bl_\bd be cleared at reboot time, not all
- systems contain a _\b/_\br_\bu_\bn or _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn directory. To avoid potential
- problems, s\bsu\bud\bdo\boe\ber\brs\bs will ignore time stamp files that date from before the
- machine booted on systems where the boot time is available.
-
- Some systems with graphical desktop environments allow unprivileged users
- to change the system clock. Since s\bsu\bud\bdo\boe\ber\brs\bs relies on the system clock for
- time stamp validation, it may be possible on such systems for a user to
- run s\bsu\bud\bdo\bo for longer than _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\b__\bt_\bi_\bm_\be_\bo_\bu_\bt by setting the clock back. To
- combat this, s\bsu\bud\bdo\boe\ber\brs\bs uses a monotonic clock (which never moves backwards)
- for its time stamps if the system supports it.
-
- s\bsu\bud\bdo\boe\ber\brs\bs will not honor time stamps set far in the future. Time stamps
- with a date greater than current_time + 2 * TIMEOUT will be ignored and
- s\bsu\bud\bdo\boe\ber\brs\bs will log and complain.
-
- If the _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\b__\bt_\by_\bp_\be option is set to "tty", the time stamp record
- includes the device number of the terminal the user authenticated with.
- This provides per-terminal granularity but time stamp records may still
- outlive the user's session.
-
- Unless the _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\b__\bt_\by_\bp_\be option is set to "global", the time stamp
- record also includes the session ID of the process that last
- authenticated. This prevents processes in different terminal sessions
- from using the same time stamp record. On systems where a process's
- start time can be queried, the start time of the session leader is
- recorded in the time stamp record. If no terminal is present or the
- _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\b__\bt_\by_\bp_\be option is set to "ppid", the start time of the parent
- process is used instead. In most cases this will prevent a time stamp
- record from being re-used without the user entering a password when
- logging out and back in again.
-
-D\bDE\bEB\bBU\bUG\bGG\bGI\bIN\bNG\bG
- Versions 1.8.4 and higher of the s\bsu\bud\bdo\boe\ber\brs\bs plugin support a flexible
- debugging framework that can help track down what the plugin is doing
- internally if there is a problem. This can be configured in the
- sudo.conf(4) file.
-
- The s\bsu\bud\bdo\boe\ber\brs\bs plugin uses the same debug flag format as the s\bsu\bud\bdo\bo front-end:
- _\bs_\bu_\bb_\bs_\by_\bs_\bt_\be_\bm@_\bp_\br_\bi_\bo_\br_\bi_\bt_\by.
-
- The priorities used by s\bsu\bud\bdo\boe\ber\brs\bs, in order of decreasing severity, are:
- _\bc_\br_\bi_\bt, _\be_\br_\br, _\bw_\ba_\br_\bn, _\bn_\bo_\bt_\bi_\bc_\be, _\bd_\bi_\ba_\bg, _\bi_\bn_\bf_\bo, _\bt_\br_\ba_\bc_\be and _\bd_\be_\bb_\bu_\bg. Each priority,
- when specified, also includes all priorities higher than it. For
- example, a priority of _\bn_\bo_\bt_\bi_\bc_\be would include debug messages logged at
- _\bn_\bo_\bt_\bi_\bc_\be and higher.
-
- The following subsystems are used by the s\bsu\bud\bdo\boe\ber\brs\bs plugin:
-
- _\ba_\bl_\bi_\ba_\bs User_Alias, Runas_Alias, Host_Alias and Cmnd_Alias processing
-
- _\ba_\bl_\bl matches every subsystem
-
- _\ba_\bu_\bd_\bi_\bt BSM and Linux audit code
-
- _\ba_\bu_\bt_\bh user authentication
-
- _\bd_\be_\bf_\ba_\bu_\bl_\bt_\bs _\bs_\bu_\bd_\bo_\be_\br_\bs file _\bD_\be_\bf_\ba_\bu_\bl_\bt_\bs settings
-
- _\be_\bn_\bv environment handling
-
- _\bl_\bd_\ba_\bp LDAP-based sudoers
-
- _\bl_\bo_\bg_\bg_\bi_\bn_\bg logging support
-
- _\bm_\ba_\bt_\bc_\bh matching of users, groups, hosts and netgroups in the _\bs_\bu_\bd_\bo_\be_\br_\bs
- file
-
- _\bn_\be_\bt_\bi_\bf network interface handling
-
- _\bn_\bs_\bs network service switch handling in s\bsu\bud\bdo\boe\ber\brs\bs
-
- _\bp_\ba_\br_\bs_\be_\br _\bs_\bu_\bd_\bo_\be_\br_\bs file parsing
-
- _\bp_\be_\br_\bm_\bs permission setting
-
- _\bp_\bl_\bu_\bg_\bi_\bn The equivalent of _\bm_\ba_\bi_\bn for the plugin.
-
- _\bp_\bt_\by pseudo-tty related code
-
- _\br_\bb_\bt_\br_\be_\be redblack tree internals
-
- _\bs_\bs_\bs_\bd SSSD-based sudoers
-
- _\bu_\bt_\bi_\bl utility functions
- For example:
-
- Debug sudo /var/log/sudo_debug match@info,nss@info
-
- For more information, see the sudo.conf(4) manual.
-
-S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3), sudo.conf(4),
- sudo_plugin(4), sudoers.ldap(4), sudoers_timestamp(4), sudo(1m), visudo(1m)
-
-A\bAU\bUT\bTH\bHO\bOR\bRS\bS
- Many people have worked on s\bsu\bud\bdo\bo over the years; this version consists of
- code written primarily by:
-
- Todd C. Miller
-
- See the CONTRIBUTORS file in the s\bsu\bud\bdo\bo distribution
- (https://www.sudo.ws/contributors.html) for an exhaustive list of people
- who have contributed to s\bsu\bud\bdo\bo.
-
-C\bCA\bAV\bVE\bEA\bAT\bTS\bS
- The _\bs_\bu_\bd_\bo_\be_\br_\bs file should a\bal\blw\bwa\bay\bys\bs be edited by the v\bvi\bis\bsu\bud\bdo\bo command which
- locks the file and does grammatical checking. It is imperative that the
- _\bs_\bu_\bd_\bo_\be_\br_\bs file be free of syntax errors since s\bsu\bud\bdo\bo will not run with a
- syntactically incorrect _\bs_\bu_\bd_\bo_\be_\br_\bs file.
-
- When using netgroups of machines (as opposed to users), if you store
- fully qualified host name in the netgroup (as is usually the case), you
- either need to have the machine's host name be fully qualified as
- returned by the hostname command or use the _\bf_\bq_\bd_\bn option in _\bs_\bu_\bd_\bo_\be_\br_\bs.
-
-B\bBU\bUG\bGS\bS
- If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
- https://bugzilla.sudo.ws/
-
-S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Limited free support is available via the sudo-users mailing list, see
- https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
- the archives.
-
-D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- s\bsu\bud\bdo\bo is provided "AS IS" and any express or implied warranties,
- including, but not limited to, the implied warranties of merchantability
- and fitness for a particular purpose are disclaimed. See the LICENSE
- file distributed with s\bsu\bud\bdo\bo or https://www.sudo.ws/license.html for
- complete details.
-
-Sudo 1.8.28 June 20, 2019 Sudo 1.8.28
+++ /dev/null
-SUDOERS.LDAP(4) File Formats Manual SUDOERS.LDAP(4)
-
-N\bNA\bAM\bME\bE
- s\bsu\bud\bdo\boe\ber\brs\bs.\b.l\bld\bda\bap\bp - sudo LDAP configuration
-
-D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- In addition to the standard _\bs_\bu_\bd_\bo_\be_\br_\bs file, s\bsu\bud\bdo\bo may be configured via
- LDAP. This can be especially useful for synchronizing _\bs_\bu_\bd_\bo_\be_\br_\bs in a
- large, distributed environment.
-
- Using LDAP for _\bs_\bu_\bd_\bo_\be_\br_\bs has several benefits:
-
- +\b+\bo\bo s\bsu\bud\bdo\bo no longer needs to read _\bs_\bu_\bd_\bo_\be_\br_\bs in its entirety. When LDAP is
- used, there are only two or three LDAP queries per invocation. This
- makes it especially fast and particularly usable in LDAP environments.
-
- +\b+\bo\bo s\bsu\bud\bdo\bo no longer exits if there is a typo in _\bs_\bu_\bd_\bo_\be_\br_\bs. It is not
- possible to load LDAP data into the server that does not conform to
- the sudoers schema, so proper syntax is guaranteed. It is still
- possible to have typos in a user or host name, but this will not
- prevent s\bsu\bud\bdo\bo from running.
-
- +\b+\bo\bo It is possible to specify per-entry options that override the global
- default options. _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs only supports default options and
- limited options associated with user/host/commands/aliases. The
- syntax is complicated and can be difficult for users to understand.
- Placing the options directly in the entry is more natural.
-
- +\b+\bo\bo The v\bvi\bis\bsu\bud\bdo\bo program is no longer needed. v\bvi\bis\bsu\bud\bdo\bo provides locking and
- syntax checking of the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs file. Since LDAP updates are
- atomic, locking is no longer necessary. Because syntax is checked
- when the data is inserted into LDAP, there is no need for a
- specialized tool to check syntax.
-
- S\bSU\bUD\bDO\bOe\ber\brs\bs L\bLD\bDA\bAP\bP c\bco\bon\bnt\bta\bai\bin\bne\ber\br
- The _\bs_\bu_\bd_\bo_\be_\br_\bs configuration is contained in the ou=SUDOers LDAP container.
-
- Sudo first looks for the cn=defaults entry in the SUDOers container. If
- found, the multi-valued sudoOption attribute is parsed in the same manner
- as a global Defaults line in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. In the following example, the
- SSH_AUTH_SOCK variable will be preserved in the environment for all
- users.
-
- dn: cn=defaults,ou=SUDOers,dc=my-domain,dc=com
- objectClass: top
- objectClass: sudoRole
- cn: defaults
- description: Default sudoOption's go here
- sudoOption: env_keep+=SSH_AUTH_SOCK
-
- The equivalent of a sudoer in LDAP is a sudoRole. It consists of the
- following attributes:
-
- s\bsu\bud\bdo\boU\bUs\bse\ber\br
- A user name, user ID (prefixed with `#'), Unix group name or ID
- (prefixed with `%' or `%#' respectively), user netgroup (prefixed
- with `+'), or non-Unix group name or ID (prefixed with `%:' or
- `%:#' respectively). User netgroups are matched using the user and
- domain members only; the host member is not used when matching.
- Non-Unix group support is only available when an appropriate
- _\bg_\br_\bo_\bu_\bp_\b__\bp_\bl_\bu_\bg_\bi_\bn is defined in the global _\bd_\be_\bf_\ba_\bu_\bl_\bt_\bs sudoRole object.
-
- s\bsu\bud\bdo\boH\bHo\bos\bst\bt
- A host name, IP address, IP network, or host netgroup (prefixed
- with a `+'). The special value ALL will match any host. Host
- netgroups are matched using the host (both qualified and
- unqualified) and domain members only; the user member is not used
- when matching. If a sudoHost entry is preceded by an exclamation
- point, `!', and the entry matches, the sudoRole in which it resides
- will be ignored. Negated sudoHost entries are only supported by
- version 1.8.18 or higher.
-
- s\bsu\bud\bdo\boC\bCo\bom\bmm\bma\ban\bnd\bd
- A fully-qualified Unix command name with optional command line
- arguments, potentially including globbing characters (aka wild
- cards). If a command name is preceded by an exclamation point,
- `!', the user will be prohibited from running that command.
-
- The built-in command "sudoedit" is used to permit a user to run
- s\bsu\bud\bdo\bo with the -\b-e\be option (or as s\bsu\bud\bdo\boe\bed\bdi\bit\bt). It may take command line
- arguments just as a normal command does. Note that "sudoedit" is a
- command built into s\bsu\bud\bdo\bo itself and must be specified in without a
- leading path.
-
- The special value ALL will match any command.
-
- If a command name is prefixed with a SHA-2 digest, it will only be
- allowed if the digest matches. This may be useful in situations
- where the user invoking s\bsu\bud\bdo\bo has write access to the command or its
- parent directory. The following digest formats are supported:
- sha224, sha256, sha384 and sha512. The digest name must be
- followed by a colon (`:') and then the actual digest, in either hex
- or base64 format. For example, given the following value for
- sudoCommand:
-
- sha224:0GomF8mNN3wlDt1HD9XldjJ3SNgpFdbjO1+NsQ /bin/ls
-
- The user may only run _\b/_\bb_\bi_\bn_\b/_\bl_\bs if its sha224 digest matches the
- specified value. Command digests are only supported by version
- 1.8.7 or higher.
-
- s\bsu\bud\bdo\boO\bOp\bpt\bti\bio\bon\bn
- Identical in function to the global options described above, but
- specific to the sudoRole in which it resides.
-
- s\bsu\bud\bdo\boR\bRu\bun\bnA\bAs\bsU\bUs\bse\ber\br
- A user name or uid (prefixed with `#') that commands may be run as
- or a Unix group (prefixed with a `%') or user netgroup (prefixed
- with a `+') that contains a list of users that commands may be run
- as. The special value ALL will match any user. If a sudoRunAsUser
- entry is preceded by an exclamation point, `!', and the entry
- matches, the sudoRole in which it resides will be ignored. If
- sudoRunAsUser is specified but empty, it will match the invoking
- user. If neither sudoRunAsUser nor sudoRunAsGroup are present, the
- value of the _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt sudoOption is used (defaults to root).
-
- The sudoRunAsUser attribute is only available in s\bsu\bud\bdo\bo versions
- 1.7.0 and higher. Older versions of s\bsu\bud\bdo\bo use the sudoRunAs
- attribute instead. Negated sudoRunAsUser entries are only
- supported by version 1.8.26 or higher.
-
- s\bsu\bud\bdo\boR\bRu\bun\bnA\bAs\bsG\bGr\bro\bou\bup\bp
- A Unix group or gid (prefixed with `#') that commands may be run
- as. The special value ALL will match any group. If a
- sudoRunAsGroup entry is preceded by an exclamation point, `!', and
- the entry matches, the sudoRole in which it resides will be
- ignored.
-
- The sudoRunAsGroup attribute is only available in s\bsu\bud\bdo\bo versions
- 1.7.0 and higher. Negated sudoRunAsGroup entries are only
- supported by version 1.8.26 or higher.
-
- s\bsu\bud\bdo\boN\bNo\bot\btB\bBe\bef\bfo\bor\bre\be
- A timestamp in the form yyyymmddHHMMSSZ that can be used to provide
- a start date/time for when the sudoRole will be valid. If multiple
- sudoNotBefore entries are present, the earliest is used. Note that
- timestamps must be in Coordinated Universal Time (UTC), not the
- local timezone. The minute and seconds portions are optional, but
- some LDAP servers require that they be present (contrary to the
- RFC).
-
- The sudoNotBefore attribute is only available in s\bsu\bud\bdo\bo versions
- 1.7.5 and higher and must be explicitly enabled via the
- S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD option in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf.
-
- s\bsu\bud\bdo\boN\bNo\bot\btA\bAf\bft\bte\ber\br
- A timestamp in the form yyyymmddHHMMSSZ that indicates an
- expiration date/time, after which the sudoRole will no longer be
- valid. If multiple sudoNotAfter entries are present, the last one
- is used. Note that timestamps must be in Coordinated Universal
- Time (UTC), not the local timezone. The minute and seconds
- portions are optional, but some LDAP servers require that they be
- present (contrary to the RFC).
-
- The sudoNotAfter attribute is only available in s\bsu\bud\bdo\bo versions 1.7.5
- and higher and must be explicitly enabled via the S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD
- option in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf.
-
- s\bsu\bud\bdo\boO\bOr\brd\bde\ber\br
- The sudoRole entries retrieved from the LDAP directory have no
- inherent order. The sudoOrder attribute is an integer (or floating
- point value for LDAP servers that support it) that is used to sort
- the matching entries. This allows LDAP-based sudoers entries to
- more closely mimic the behavior of the sudoers file, where the
- order of the entries influences the result. If multiple entries
- match, the entry with the highest sudoOrder attribute is chosen.
- This corresponds to the "last match" behavior of the sudoers file.
- If the sudoOrder attribute is not present, a value of 0 is assumed.
-
- The sudoOrder attribute is only available in s\bsu\bud\bdo\bo versions 1.7.5
- and higher.
-
- Each attribute listed above should contain a single value, but there may
- be multiple instances of each attribute type. A sudoRole must contain at
- least one sudoUser, sudoHost and sudoCommand.
-
- The following example allows users in group wheel to run any command on
- any host via s\bsu\bud\bdo\bo:
-
- dn: cn=%wheel,ou=SUDOers,dc=my-domain,dc=com
- objectClass: top
- objectClass: sudoRole
- cn: %wheel
- sudoUser: %wheel
- sudoHost: ALL
- sudoCommand: ALL
-
- A\bAn\bna\bat\bto\bom\bmy\by o\bof\bf L\bLD\bDA\bAP\bP s\bsu\bud\bdo\boe\ber\brs\bs l\blo\boo\bok\bku\bup\bp
- When looking up a sudoer using LDAP there are only two or three LDAP
- queries per invocation. The first query is to parse the global options.
- The second is to match against the user's name and the groups that the
- user belongs to. (The special ALL tag is matched in this query too.) If
- no match is returned for the user's name and groups, a third query
- returns all entries containing user netgroups and other non-Unix groups
- and checks to see if the user belongs to any of them.
-
- If timed entries are enabled with the S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD configuration
- directive, the LDAP queries include a sub-filter that limits retrieval to
- entries that satisfy the time constraints, if any.
-
- If the N\bNE\bET\bTG\bGR\bRO\bOU\bUP\bP_\b_B\bBA\bAS\bSE\bE configuration directive is present (see _\bC_\bo_\bn_\bf_\bi_\bg_\bu_\br_\bi_\bn_\bg
- _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf below), queries are performed to determine the list of
- netgroups the user belongs to before the sudoers query. This makes it
- possible to include netgroups in the sudoers query string in the same
- manner as Unix groups. The third query mentioned above is not performed
- unless a group provider plugin is also configured. The actual LDAP
- queries performed by s\bsu\bud\bdo\bo are as follows:
-
- 1. Match all nisNetgroup records with a nisNetgroupTriple containing
- the user, host and NIS domain. The query will match
- nisNetgroupTriple entries with either the short or long form of the
- host name or no host name specified in the tuple. If the NIS domain
- is set, the query will match only match entries that include the
- domain or for which there is no domain present. If the NIS domain
- is _\bn_\bo_\bt set, a wildcard is used to match any domain name but be aware
- that the NIS schema used by some LDAP servers may not support wild
- cards for nisNetgroupTriple.
-
- 2. Repeated queries are performed to find any nested nisNetgroup
- records with a memberNisNetgroup entry that refers to an already-
- matched record.
-
- For sites with a large number of netgroups, using N\bNE\bET\bTG\bGR\bRO\bOU\bUP\bP_\b_B\bBA\bAS\bSE\bE can
- significantly speed up s\bsu\bud\bdo\bo's execution time.
-
- D\bDi\bif\bff\bfe\ber\bre\ben\bnc\bce\bes\bs b\bbe\bet\btw\bwe\bee\ben\bn L\bLD\bDA\bAP\bP a\ban\bnd\bd n\bno\bon\bn-\b-L\bLD\bDA\bAP\bP s\bsu\bud\bdo\boe\ber\brs\bs
- One of the major differences between LDAP and file-based _\bs_\bu_\bd_\bo_\be_\br_\bs is that
- in LDAP, s\bsu\bud\bdo\bo-specific Aliases are not supported.
-
- For the most part, there is little need for s\bsu\bud\bdo\bo-specific Aliases. Unix
- groups, non-Unix groups (via the _\bg_\br_\bo_\bu_\bp_\b__\bp_\bl_\bu_\bg_\bi_\bn) or user netgroups can be
- used in place of User_Aliases and Runas_Aliases. Host netgroups can be
- used in place of Host_Aliases. Since groups and netgroups can also be
- stored in LDAP there is no real need for s\bsu\bud\bdo\bo-specific aliases.
-
- There are also some subtle differences in the way sudoers is handled once
- in LDAP. Probably the biggest is that according to the RFC, LDAP
- ordering is arbitrary and you cannot expect that Attributes and Entries
- are returned in any specific order.
-
- The order in which different entries are applied can be controlled using
- the sudoOrder attribute, but there is no way to guarantee the order of
- attributes within a specific entry. If there are conflicting command
- rules in an entry, the negative takes precedence. This is called
- paranoid behavior (not necessarily the most specific match).
-
- Here is an example:
-
- # /etc/sudoers:
- # Allow all commands except shell
- johnny ALL=(root) ALL,!/bin/sh
- # Always allows all commands because ALL is matched last
- puddles ALL=(root) !/bin/sh,ALL
-
- # LDAP equivalent of johnny
- # Allows all commands except shell
- dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
- objectClass: sudoRole
- objectClass: top
- cn: role1
- sudoUser: johnny
- sudoHost: ALL
- sudoCommand: ALL
- sudoCommand: !/bin/sh
-
- # LDAP equivalent of puddles
- # Notice that even though ALL comes last, it still behaves like
- # role1 since the LDAP code assumes the more paranoid configuration
- dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
- objectClass: sudoRole
- objectClass: top
- cn: role2
- sudoUser: puddles
- sudoHost: ALL
- sudoCommand: !/bin/sh
- sudoCommand: ALL
-
- Another difference is that it is not possible to use negation in a
- sudoUser, sudoRunAsUser or sudoRunAsGroup attribute. For example, the
- following attributes do not behave the way one might expect.
-
- # does not match all but joe
- # rather, does not match anyone
- sudoUser: !joe
-
- # does not match all but joe
- # rather, matches everyone including Joe
- sudoUser: ALL
- sudoUser: !joe
-
- C\bCo\bon\bnv\bve\ber\brt\bti\bin\bng\bg b\bbe\bet\btw\bwe\bee\ben\bn f\bfi\bil\ble\be-\b-b\bba\bas\bse\bed\bd a\ban\bnd\bd L\bLD\bDA\bAP\bP s\bsu\bud\bdo\boe\ber\brs\bs
- The cvtsudoers(1) utility can be used to convert between file-based and
- LDAP _\bs_\bu_\bd_\bo_\be_\br_\bs. However, there are features in the file-based sudoers that
- have no equivalent in LDAP-based sudoers (and vice versa). These cannot
- be converted automatically.
-
- For example, a Cmnd_Alias in a _\bs_\bu_\bd_\bo_\be_\br_\bs file may be converted to a
- sudoRole that contains multiple commands. Multiple users and/or groups
- may be assigned to the sudoRole.
-
- Also, host, user, runas and command-based Defaults entries are not
- supported. However, a sudoRole may contain one or more sudoOption
- attributes which can often serve the same purpose.
-
- Consider the following _\bs_\bu_\bd_\bo_\be_\br_\bs lines:
-
- Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
- Defaults!PAGERS noexec
- alice, bob ALL = ALL
-
- In this example, alice and bob are allowed to run all commands, but the
- commands listed in PAGERS will have the noexec flag set, preventing shell
- escapes.
-
- When converting this to LDAP, two sudoRole objects can be used:
-
- dn: cn=PAGERS,ou=SUDOers,dc=my-domain,dc=com
- objectClass: top
- objectClass: sudoRole
- cn: PAGERS
- sudoUser: alice
- sudoUser: bob
- sudoHost: ALL
- sudoCommand: /usr/bin/more
- sudoCommand: /usr/bin/pg
- sudoCommand: /usr/bin/less
- sudoOption: noexec
- sudoOrder: 900
-
- dn: cn=ADMINS,ou=SUDOers,dc=my-domain,dc=com
- objectClass: top
- objectClass: sudoRole
- cn: ADMINS
- sudoUser: alice
- sudoUser: bob
- sudoHost: ALL
- sudoCommand: ALL
- sudoOrder: 100
-
- In the LDAP version, the sudoOrder attribute is used to guarantee that
- the PAGERS sudoRole with _\bn_\bo_\be_\bx_\be_\bc has precedence. Unlike the _\bs_\bu_\bd_\bo_\be_\br_\bs
- version, the LDAP version requires that all users for whom the
- restriction should apply be assigned to the PAGERS sudoRole. Using a
- Unix group or netgroup in PAGERS rather than listing each user would make
- this easier to maintain.
-
- Per-user Defaults entries can be emulated by using one or more sudoOption
- attributes in a sudoRole. Consider the following _\bs_\bu_\bd_\bo_\be_\br_\bs lines:
-
- User_Alias ADMINS = john, sally
- Defaults:ADMINS !authenticate
- ADMINS ALL = (ALL:ALL) ALL
-
- In this example, john and sally are allowed to run any command as any
- user or group.
-
- When converting this to LDAP, we can use a Unix group instead of the
- User_Alias.
-
- dn: cn=admins,ou=SUDOers,dc=my-domain,dc=com
- objectClass: top
- objectClass: sudoRole
- cn: admins
- sudoUser: %admin
- sudoHost: ALL
- sudoRunAsUser: ALL
- sudoRunAsGroup: ALL
- sudoCommand: ALL
- sudoOption: !authenticate
-
- This assumes that users john and sally are members of the "admins" Unix
- group.
-
- S\bSu\bud\bdo\boe\ber\brs\bs s\bsc\bch\bhe\bem\bma\ba
- In order to use s\bsu\bud\bdo\bo's LDAP support, the s\bsu\bud\bdo\bo schema must be installed on
- your LDAP server. In addition, be sure to index the sudoUser attribute.
-
- The s\bsu\bud\bdo\bo distribution includes versions of the s\bsu\bud\bdo\boe\ber\brs\bs schema for
- multiple LDAP servers:
-
- _\bs_\bc_\bh_\be_\bm_\ba_\b._\bO_\bp_\be_\bn_\bL_\bD_\bA_\bP
- OpenLDAP slapd and OpenBSD ldapd
-
- _\bs_\bc_\bh_\be_\bm_\ba_\b._\bo_\bl_\bc_\bS_\bu_\bd_\bo
- OpenLDAP slapd 2.3 and higher when on-line configuration is enabled
-
- _\bs_\bc_\bh_\be_\bm_\ba_\b._\bi_\bP_\bl_\ba_\bn_\be_\bt
- Netscape-derived servers such as the iPlanet, Oracle, and 389
- Directory Servers
-
- _\bs_\bc_\bh_\be_\bm_\ba_\b._\bA_\bc_\bt_\bi_\bv_\be_\bD_\bi_\br_\be_\bc_\bt_\bo_\br_\by
- Microsoft Active Directory
-
- The schema in OpenLDAP format is also included in the _\bE_\bX_\bA_\bM_\bP_\bL_\bE_\bS section.
-
- C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg l\bld\bda\bap\bp.\b.c\bco\bon\bnf\bf
- Sudo reads the _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf file for LDAP-specific configuration.
- Typically, this file is shared between different LDAP-aware clients. As
- such, most of the settings are not s\bsu\bud\bdo\bo-specific. Note that s\bsu\bud\bdo\bo parses
- _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf itself and may support options that differ from those
- described in the system's ldap.conf(4) manual. The path to _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf may
- be overridden via the _\bl_\bd_\ba_\bp_\b__\bc_\bo_\bn_\bf plugin argument in sudo.conf(4).
-
- Also note that on systems using the OpenLDAP libraries, default values
- specified in _\b/_\be_\bt_\bc_\b/_\bo_\bp_\be_\bn_\bl_\bd_\ba_\bp_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf or the user's _\b._\bl_\bd_\ba_\bp_\br_\bc files are not
- used.
-
- Only those options explicitly listed in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf as being supported
- by s\bsu\bud\bdo\bo are honored. Configuration options are listed below in upper
- case but are parsed in a case-independent manner.
-
- Lines beginning with a pound sign (`#') are ignored. Leading white space
- is removed from the beginning of lines.
-
- B\bBI\bIN\bND\bD_\b_T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT _\bs_\be_\bc_\bo_\bn_\bd_\bs
- The B\bBI\bIN\bND\bD_\b_T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT parameter specifies the amount of time, in
- seconds, to wait while trying to connect to an LDAP server. If
- multiple U\bUR\bRI\bIs or H\bHO\bOS\bST\bTs are specified, this is the amount of time to
- wait before trying the next one in the list.
-
- B\bBI\bIN\bND\bDD\bDN\bN _\bD_\bN
- The B\bBI\bIN\bND\bDD\bDN\bN parameter specifies the identity, in the form of a
- Distinguished Name (DN), to use when performing LDAP operations.
- If not specified, LDAP operations are performed with an anonymous
- identity. By default, most LDAP servers will allow anonymous
- access.
-
- B\bBI\bIN\bND\bDP\bPW\bW _\bs_\be_\bc_\br_\be_\bt
- The B\bBI\bIN\bND\bDP\bPW\bW parameter specifies the password to use when performing
- LDAP operations. This is typically used in conjunction with the
- B\bBI\bIN\bND\bDD\bDN\bN parameter. The _\bs_\be_\bc_\br_\be_\bt may be a plain text password or a
- base64-encoded string with a "base64:" prefix. For example:
-
- BINDPW base64:dGVzdA==
-
- If a plain text password is used, it should be a simple string
- without quotes. Plain text passwords may not include the comment
- character (`#') and the escaping of special characters with a
- backslash (`\') is not supported.
-
- D\bDE\bER\bRE\bEF\bF _\bn_\be_\bv_\be_\br_\b/_\bs_\be_\ba_\br_\bc_\bh_\bi_\bn_\bg_\b/_\bf_\bi_\bn_\bd_\bi_\bn_\bg_\b/_\ba_\bl_\bw_\ba_\by_\bs
- How alias dereferencing is to be performed when searching. See the
- ldap.conf(4) manual for a full description of this option.
-
- H\bHO\bOS\bST\bT _\bn_\ba_\bm_\be_\b[_\b:_\bp_\bo_\br_\bt_\b] _\b._\b._\b.
- If no U\bUR\bRI\bI is specified (see below), the H\bHO\bOS\bST\bT parameter specifies a
- white space-delimited list of LDAP servers to connect to. Each
- host may include an optional _\bp_\bo_\br_\bt separated by a colon (`:'). The
- H\bHO\bOS\bST\bT parameter is deprecated in favor of the U\bUR\bRI\bI specification and
- is included for backwards compatibility only.
-
- K\bKR\bRB\bB5\b5_\b_C\bCC\bCN\bNA\bAM\bME\bE _\bf_\bi_\bl_\be _\bn_\ba_\bm_\be
- The path to the Kerberos 5 credential cache to use when
- authenticating with the remote server. This option is only
- relevant when using SASL authentication (see below).
-
- L\bLD\bDA\bAP\bP_\b_V\bVE\bER\bRS\bSI\bIO\bON\bN _\bn_\bu_\bm_\bb_\be_\br
- The version of the LDAP protocol to use when connecting to the
- server. The default value is protocol version 3.
-
- N\bNE\bET\bTG\bGR\bRO\bOU\bUP\bP_\b_B\bBA\bAS\bSE\bE _\bb_\ba_\bs_\be
- The base DN to use when performing LDAP netgroup queries.
- Typically this is of the form ou=netgroup,dc=my-domain,dc=com for
- the domain my-domain.com. Multiple N\bNE\bET\bTG\bGR\bRO\bOU\bUP\bP_\b_B\bBA\bAS\bSE\bE lines may be
- specified, in which case they are queried in the order specified.
-
- This option can be used to query a user's netgroups directly via
- LDAP which is usually faster than fetching every sudoRole object
- containing a sudoUser that begins with a `+' prefix. The NIS
- schema used by some LDAP servers need a modification to support
- querying the nisNetgroup object by its nisNetgroupTriple member.
- OpenLDAP's s\bsl\bla\bap\bpd\bd requires the following change to the
- nisNetgroupTriple attribute:
-
- attributetype ( 1.3.6.1.1.1.1.14 NAME 'nisNetgroupTriple'
- DESC 'Netgroup triple'
- EQUALITY caseIgnoreIA5Match
- SUBSTR caseIgnoreIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- N\bNE\bET\bTG\bGR\bRO\bOU\bUP\bP_\b_S\bSE\bEA\bAR\bRC\bCH\bH_\b_F\bFI\bIL\bLT\bTE\bER\bR _\bl_\bd_\ba_\bp_\b__\bf_\bi_\bl_\bt_\be_\br
- An LDAP filter which is used to restrict the set of records
- returned when performing an LDAP netgroup query. Typically, this
- is of the form attribute=value or
- (&(attribute=value)(attribute2=value2)). The default search filter
- is: objectClass=nisNetgroup. If _\bl_\bd_\ba_\bp_\b__\bf_\bi_\bl_\bt_\be_\br is omitted, no search
- filter will be used. This option is only when querying netgroups
- directly via LDAP.
-
- N\bNE\bET\bTW\bWO\bOR\bRK\bK_\b_T\bTI\bIM\bME\bEO\bOU\bUT\bT _\bs_\be_\bc_\bo_\bn_\bd_\bs
- An alias for B\bBI\bIN\bND\bD_\b_T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT provided for OpenLDAP compatibility.
-
- P\bPO\bOR\bRT\bT _\bp_\bo_\br_\bt_\b__\bn_\bu_\bm_\bb_\be_\br
- If no U\bUR\bRI\bI is specified, the P\bPO\bOR\bRT\bT parameter specifies the default
- port to connect to on the LDAP server if a H\bHO\bOS\bST\bT parameter does not
- specify the port itself. If no P\bPO\bOR\bRT\bT parameter is used, the default
- is port 389 for LDAP and port 636 for LDAP over TLS (SSL). The
- P\bPO\bOR\bRT\bT parameter is deprecated in favor of the U\bUR\bRI\bI specification and
- is included for backwards compatibility only.
-
- R\bRO\bOO\bOT\bTB\bBI\bIN\bND\bDD\bDN\bN _\bD_\bN
- The R\bRO\bOO\bOT\bTB\bBI\bIN\bND\bDD\bDN\bN parameter specifies the identity, in the form of a
- Distinguished Name (DN), to use when performing privileged LDAP
- operations, such as _\bs_\bu_\bd_\bo_\be_\br_\bs queries. The password corresponding to
- the identity should be stored in the or the path specified by the
- _\bl_\bd_\ba_\bp_\b__\bs_\be_\bc_\br_\be_\bt plugin argument in sudo.conf(4), which defaults to
- _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bs_\be_\bc_\br_\be_\bt. If no R\bRO\bOO\bOT\bTB\bBI\bIN\bND\bDD\bDN\bN is specified, the B\bBI\bIN\bND\bDD\bDN\bN
- identity is used (if any).
-
- R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL _\bo_\bn_\b/_\bt_\br_\bu_\be_\b/_\by_\be_\bs_\b/_\bo_\bf_\bf_\b/_\bf_\ba_\bl_\bs_\be_\b/_\bn_\bo
- Enable R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL to enable SASL authentication when connecting
- to an LDAP server from a privileged process, such as s\bsu\bud\bdo\bo.
-
- S\bSA\bAS\bSL\bL_\b_A\bAU\bUT\bTH\bH_\b_I\bID\bD _\bi_\bd_\be_\bn_\bt_\bi_\bt_\by
- The SASL user name to use when connecting to the LDAP server. By
- default, s\bsu\bud\bdo\bo will use an anonymous connection. This option is
- only relevant when using SASL authentication.
-
- S\bSA\bAS\bSL\bL_\b_M\bME\bEC\bCH\bH _\bm_\be_\bc_\bh_\ba_\bn_\bi_\bs_\bm_\bs
- A white space-delimited list of SASL authentication mechanisms to
- use. By default, s\bsu\bud\bdo\bo will use GSSAPI authentication.
-
- S\bSA\bAS\bSL\bL_\b_S\bSE\bEC\bCP\bPR\bRO\bOP\bPS\bS _\bn_\bo_\bn_\be_\b/_\bp_\br_\bo_\bp_\be_\br_\bt_\bi_\be_\bs
- SASL security properties or _\bn_\bo_\bn_\be for no properties. See the SASL
- programmer's manual for details. This option is only relevant when
- using SASL authentication.
-
- S\bSS\bSL\bL _\bo_\bn_\b/_\bt_\br_\bu_\be_\b/_\by_\be_\bs_\b/_\bo_\bf_\bf_\b/_\bf_\ba_\bl_\bs_\be_\b/_\bn_\bo
- If the S\bSS\bSL\bL parameter is set to on, true or yes, TLS (SSL)
- encryption is always used when communicating with the LDAP server.
- Typically, this involves connecting to the server on port 636
- (ldaps).
-
- S\bSS\bSL\bL _\bs_\bt_\ba_\br_\bt_\b__\bt_\bl_\bs
- If the S\bSS\bSL\bL parameter is set to start_tls, the LDAP server
- connection is initiated normally and TLS encryption is begun before
- the bind credentials are sent. This has the advantage of not
- requiring a dedicated port for encrypted communications. This
- parameter is only supported by LDAP servers that honor the
- _\bs_\bt_\ba_\br_\bt_\b__\bt_\bl_\bs extension, such as the OpenLDAP and Tivoli Directory
- servers.
-
- S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_B\bBA\bAS\bSE\bE _\bb_\ba_\bs_\be
- The base DN to use when performing s\bsu\bud\bdo\bo LDAP queries. Typically
- this is of the form ou=SUDOers,dc=my-domain,dc=com for the domain
- my-domain.com. Multiple S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_B\bBA\bAS\bSE\bE lines may be specified, in
- which case they are queried in the order specified.
-
- S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_D\bDE\bEB\bBU\bUG\bG _\bd_\be_\bb_\bu_\bg_\b__\bl_\be_\bv_\be_\bl
- This sets the debug level for s\bsu\bud\bdo\bo LDAP queries. Debugging
- information is printed to the standard error. A value of 1 results
- in a moderate amount of debugging information. A value of 2 shows
- the results of the matches themselves. This parameter should not
- be set in a production environment as the extra information is
- likely to confuse users.
-
- The S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_D\bDE\bEB\bBU\bUG\bG parameter is deprecated and will be removed in a
- future release. The same information is now logged via the s\bsu\bud\bdo\bo
- debugging framework using the "ldap" subsystem at priorities _\bd_\bi_\ba_\bg
- and _\bi_\bn_\bf_\bo for _\bd_\be_\bb_\bu_\bg_\b__\bl_\be_\bv_\be_\bl values 1 and 2 respectively. See the
- sudo.conf(4) manual for details on how to configure s\bsu\bud\bdo\bo debugging.
-
- S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_S\bSE\bEA\bAR\bRC\bCH\bH_\b_F\bFI\bIL\bLT\bTE\bER\bR _\bl_\bd_\ba_\bp_\b__\bf_\bi_\bl_\bt_\be_\br
- An LDAP filter which is used to restrict the set of records
- returned when performing a s\bsu\bud\bdo\bo LDAP query. Typically, this is of
- the form attribute=value or
- (&(attribute=value)(attribute2=value2)). The default search filter
- is: objectClass=sudoRole. If _\bl_\bd_\ba_\bp_\b__\bf_\bi_\bl_\bt_\be_\br is omitted, no search
- filter will be used.
-
- S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD _\bo_\bn_\b/_\bt_\br_\bu_\be_\b/_\by_\be_\bs_\b/_\bo_\bf_\bf_\b/_\bf_\ba_\bl_\bs_\be_\b/_\bn_\bo
- Whether or not to evaluate the sudoNotBefore and sudoNotAfter
- attributes that implement time-dependent sudoers entries.
-
- T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT _\bs_\be_\bc_\bo_\bn_\bd_\bs
- The T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT parameter specifies the amount of time, in seconds,
- to wait for a response to an LDAP query.
-
- T\bTI\bIM\bME\bEO\bOU\bUT\bT _\bs_\be_\bc_\bo_\bn_\bd_\bs
- The T\bTI\bIM\bME\bEO\bOU\bUT\bT parameter specifies the amount of time, in seconds, to
- wait for a response from the various LDAP APIs.
-
- T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bT _\bf_\bi_\bl_\be _\bn_\ba_\bm_\be
- An alias for T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE for OpenLDAP compatibility.
-
- T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE _\bf_\bi_\bl_\be _\bn_\ba_\bm_\be
- The path to a certificate authority bundle which contains the
- certificates for all the Certificate Authorities the client knows
- to be valid, e.g., _\b/_\be_\bt_\bc_\b/_\bs_\bs_\bl_\b/_\bc_\ba_\b-_\bb_\bu_\bn_\bd_\bl_\be_\b._\bp_\be_\bm. This option is only
- supported by the OpenLDAP libraries. Netscape-derived LDAP
- libraries use the same certificate database for CA and client
- certificates (see T\bTL\bLS\bS_\b_C\bCE\bER\bRT\bT).
-
- T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTD\bDI\bIR\bR _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by
- Similar to T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE but instead of a file, it is a directory
- containing individual Certificate Authority certificates, e.g.,
- _\b/_\be_\bt_\bc_\b/_\bs_\bs_\bl_\b/_\bc_\be_\br_\bt_\bs. The directory specified by T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTD\bDI\bIR\bR is
- checked after T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE. This option is only supported by the
- OpenLDAP libraries.
-
- T\bTL\bLS\bS_\b_C\bCE\bER\bRT\bT _\bf_\bi_\bl_\be _\bn_\ba_\bm_\be
- The path to a file containing the client certificate which can be
- used to authenticate the client to the LDAP server. The
- certificate type depends on the LDAP libraries used.
-
- OpenLDAP:
- tls_cert /etc/ssl/client_cert.pem
-
- Netscape-derived:
- tls_cert /var/ldap/cert7.db
-
- Tivoli Directory Server:
- Unused, the key database specified by T\bTL\bLS\bS_\b_K\bKE\bEY\bY contains both
- keys and certificates.
-
- When using Netscape-derived libraries, this file may also
- contain Certificate Authority certificates.
-
- T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR _\bo_\bn_\b/_\bt_\br_\bu_\be_\b/_\by_\be_\bs_\b/_\bo_\bf_\bf_\b/_\bf_\ba_\bl_\bs_\be_\b/_\bn_\bo
- If enabled, T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR will cause the LDAP server's TLS
- certificated to be verified. If the server's TLS certificate
- cannot be verified (usually because it is signed by an unknown
- certificate authority), s\bsu\bud\bdo\bo will be unable to connect to it. If
- T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR is disabled, no check is made. Note that disabling
- the check creates an opportunity for man-in-the-middle attacks
- since the server's identity will not be authenticated. If
- possible, the CA's certificate should be installed locally so it
- can be verified. This option is not supported by the Tivoli
- Directory Server LDAP libraries.
-
- T\bTL\bLS\bS_\b_K\bKE\bEY\bY _\bf_\bi_\bl_\be _\bn_\ba_\bm_\be
- The path to a file containing the private key which matches the
- certificate specified by T\bTL\bLS\bS_\b_C\bCE\bER\bRT\bT. The private key must not be
- password-protected. The key type depends on the LDAP libraries
- used.
-
- OpenLDAP:
- tls_key /etc/ssl/client_key.pem
-
- Netscape-derived:
- tls_key /var/ldap/key3.db
-
- Tivoli Directory Server:
- tls_key /usr/ldap/ldapkey.kdb
- When using Tivoli LDAP libraries, this file may also contain
- Certificate Authority and client certificates and may be encrypted.
-
- T\bTL\bLS\bS_\b_C\bCI\bIP\bPH\bHE\bER\bRS\bS _\bc_\bi_\bp_\bh_\be_\br _\bl_\bi_\bs_\bt
- The T\bTL\bLS\bS_\b_C\bCI\bIP\bPH\bHE\bER\bRS\bS parameter allows the administer to restrict which
- encryption algorithms may be used for TLS (SSL) connections. See
- the OpenLDAP or Tivoli Directory Server manual for a list of valid
- ciphers. This option is not supported by Netscape-derived
- libraries.
-
- T\bTL\bLS\bS_\b_K\bKE\bEY\bYP\bPW\bW _\bs_\be_\bc_\br_\be_\bt
- The T\bTL\bLS\bS_\b_K\bKE\bEY\bYP\bPW\bW contains the password used to decrypt the key
- database on clients using the Tivoli Directory Server LDAP library.
- The _\bs_\be_\bc_\br_\be_\bt may be a plain text password or a base64-encoded string
- with a "base64:" prefix. For example:
-
- TLS_KEYPW base64:dGVzdA==
-
- If a plain text password is used, it should be a simple string
- without quotes. Plain text passwords may not include the comment
- character (`#') and the escaping of special characters with a
- backslash (`\') is not supported. If this option is used,
- _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf must not be world-readable to avoid exposing the
- password. Alternately, a _\bs_\bt_\ba_\bs_\bh _\bf_\bi_\bl_\be can be used to store the
- password in encrypted form (see below).
-
- If no T\bTL\bLS\bS_\b_K\bKE\bEY\bYP\bPW\bW is specified, a _\bs_\bt_\ba_\bs_\bh _\bf_\bi_\bl_\be will be used if it
- exists. The _\bs_\bt_\ba_\bs_\bh _\bf_\bi_\bl_\be must have the same path as the file
- specified by T\bTL\bLS\bS_\b_K\bKE\bEY\bY, but use a .sth file extension instead of
- .kdb, e.g., ldapkey.sth. The default ldapkey.kdb that ships with
- Tivoli Directory Server is encrypted with the password
- ssl_password. The _\bg_\bs_\bk_\b8_\bc_\ba_\bp_\bi_\bc_\bm_\bd utility can be used to manage the
- key database and create a _\bs_\bt_\ba_\bs_\bh _\bf_\bi_\bl_\be. This option is only
- supported by the Tivoli LDAP libraries.
-
- T\bTL\bLS\bS_\b_R\bRE\bEQ\bQC\bCE\bER\bRT\bT _\bl_\be_\bv_\be_\bl
- The T\bTL\bLS\bS_\b_R\bRE\bEQ\bQC\bCE\bER\bRT\bT parameter controls how the LDAP server's TLS
- certificated will be verified (if at all). If the server's TLS
- certificate cannot be verified (usually because it is signed by an
- unknown certificate authority), s\bsu\bud\bdo\bo will be unable to connect to
- it. The following _\bl_\be_\bv_\be_\bl values are supported:
-
- never The server certificate will not be requested or
- checked.
-
- allow The server certificate will be requested. A missing
- or invalid certificate is ignored and not considered
- an error.
-
- try The server certificate will be requested. A missing
- certificate is ignored but an invalid certificate
- will result in a connection error.
-
- demand | _\bh_\ba_\br_\bd
- The server certificate will be requested. A missing
- or invalid certificate will result in a connection
- error. This is the default behavior.
-
- This option is only supported by the OpenLDAP libraries. Other
- LDAP libraries only support the T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR parameter.
-
- T\bTL\bLS\bS_\b_R\bRA\bAN\bND\bDF\bFI\bIL\bLE\bE _\bf_\bi_\bl_\be _\bn_\ba_\bm_\be
- The T\bTL\bLS\bS_\b_R\bRA\bAN\bND\bDF\bFI\bIL\bLE\bE parameter specifies the path to an entropy source
- for systems that lack a random device. It is generally used in
- conjunction with _\bp_\br_\bn_\bg_\bd or _\be_\bg_\bd. This option is only supported by
- the OpenLDAP libraries.
-
- U\bUR\bRI\bI _\bl_\bd_\ba_\bp_\b[_\bs_\b]_\b:_\b/_\b/_\b[_\bh_\bo_\bs_\bt_\bn_\ba_\bm_\be_\b[_\b:_\bp_\bo_\br_\bt_\b]_\b] _\b._\b._\b.
- Specifies a white space-delimited list of one or more URIs
- describing the LDAP server(s) to connect to. The _\bp_\br_\bo_\bt_\bo_\bc_\bo_\bl may be
- either _\bl_\bd_\ba_\bp _\bl_\bd_\ba_\bp_\bs, the latter being for servers that support TLS
- (SSL) encryption. If no _\bp_\bo_\br_\bt is specified, the default is port 389
- for ldap:// or port 636 for ldaps://. If no _\bh_\bo_\bs_\bt_\bn_\ba_\bm_\be is specified,
- s\bsu\bud\bdo\bo will connect to _\bl_\bo_\bc_\ba_\bl_\bh_\bo_\bs_\bt. Multiple U\bUR\bRI\bI lines are treated
- identically to a U\bUR\bRI\bI line containing multiple entries. Only
- systems using the OpenSSL libraries support the mixing of ldap://
- and ldaps:// URIs. Both the Netscape-derived and Tivoli LDAP
- libraries used on most commercial versions of Unix are only capable
- of supporting one or the other.
-
- U\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL _\bo_\bn_\b/_\bt_\br_\bu_\be_\b/_\by_\be_\bs_\b/_\bo_\bf_\bf_\b/_\bf_\ba_\bl_\bs_\be_\b/_\bn_\bo
- Enable U\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL for LDAP servers that support SASL authentication.
-
- R\bRO\bOO\bOT\bTS\bSA\bAS\bSL\bL_\b_A\bAU\bUT\bTH\bH_\b_I\bID\bD _\bi_\bd_\be_\bn_\bt_\bi_\bt_\by
- The SASL user name to use when R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL is enabled.
-
- See the _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf entry in the _\bE_\bX_\bA_\bM_\bP_\bL_\bE_\bS section.
-
- C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg n\bns\bss\bsw\bwi\bit\btc\bch\bh.\b.c\bco\bon\bnf\bf
- Unless it is disabled at build time, s\bsu\bud\bdo\bo consults the Name Service
- Switch file, _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf, to specify the _\bs_\bu_\bd_\bo_\be_\br_\bs search order.
- Sudo looks for a line beginning with sudoers: and uses this to determine
- the search order. Note that s\bsu\bud\bdo\bo does not stop searching after the first
- match and later matches take precedence over earlier ones. The following
- sources are recognized:
-
- files read sudoers from _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs
- ldap read sudoers from LDAP
-
- In addition, the entry [NOTFOUND=return] will short-circuit the search if
- the user was not found in the preceding source.
-
- To consult LDAP first followed by the local sudoers file (if it exists),
- use:
-
- sudoers: ldap files
-
- The local _\bs_\bu_\bd_\bo_\be_\br_\bs file can be ignored completely by using:
-
- sudoers: ldap
-
- If the _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf file is not present or there is no sudoers
- line, the following default is assumed:
-
- sudoers: files
-
- Note that _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf is supported even when the underlying
- operating system does not use an nsswitch.conf file, except on AIX (see
- below).
-
- C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg n\bne\bet\bts\bsv\bvc\bc.\b.c\bco\bon\bnf\bf
- On AIX systems, the _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf file is consulted instead of
- _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf. s\bsu\bud\bdo\bo simply treats _\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf as a variant of
- _\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf; information in the previous section unrelated to the file
- format itself still applies.
-
- To consult LDAP first followed by the local sudoers file (if it exists),
- use:
-
- sudoers = ldap, files
-
- The local _\bs_\bu_\bd_\bo_\be_\br_\bs file can be ignored completely by using:
-
- sudoers = ldap
-
- To treat LDAP as authoritative and only use the local sudoers file if the
- user is not present in LDAP, use:
-
- sudoers = ldap = auth, files
-
- Note that in the above example, the auth qualifier only affects user
- lookups; both LDAP and _\bs_\bu_\bd_\bo_\be_\br_\bs will be queried for Defaults entries.
-
- If the _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf file is not present or there is no sudoers line,
- the following default is assumed:
-
- sudoers = files
-
- I\bIn\bnt\bte\beg\bgr\bra\bat\bti\bio\bon\bn w\bwi\bit\bth\bh s\bss\bss\bsd\bd
- On systems with the _\bS_\by_\bs_\bt_\be_\bm _\bS_\be_\bc_\bu_\br_\bi_\bt_\by _\bS_\be_\br_\bv_\bi_\bc_\be_\bs _\bD_\ba_\be_\bm_\bo_\bn (SSSD) and where s\bsu\bud\bdo\bo
- has been built with SSSD support, it is possible to use SSSD to cache
- LDAP _\bs_\bu_\bd_\bo_\be_\br_\bs rules. To use SSSD as the _\bs_\bu_\bd_\bo_\be_\br_\bs source, you should use
- sss instead of ldap for the sudoers entry in _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf. Note
- that the _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf file is not used by the SSSD s\bsu\bud\bdo\bo back end.
- Please see sssd-sudo(4) for more information on configuring s\bsu\bud\bdo\bo to work
- with SSSD.
-
-F\bFI\bIL\bLE\bES\bS
- _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf LDAP configuration file
-
- _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf determines sudoers source order
-
- _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf determines sudoers source order on AIX
-
-E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
- E\bEx\bxa\bam\bmp\bpl\ble\be l\bld\bda\bap\bp.\b.c\bco\bon\bnf\bf
- # Either specify one or more URIs or one or more host:port pairs.
- # If neither is specified sudo will default to localhost, port 389.
- #
- #host ldapserver
- #host ldapserver1 ldapserver2:390
- #
- # Default port if host is specified without one, defaults to 389.
- #port 389
- #
- # URI will override the host and port settings.
- uri ldap://ldapserver
- #uri ldaps://secureldapserver
- #uri ldaps://secureldapserver ldap://ldapserver
- #
- # The amount of time, in seconds, to wait while trying to connect to
- # an LDAP server.
- bind_timelimit 30
- #
- # The amount of time, in seconds, to wait while performing an LDAP query.
- timelimit 30
- #
- # Must be set or sudo will ignore LDAP; may be specified multiple times.
- sudoers_base ou=SUDOers,dc=my-domain,dc=com
- #
- # verbose sudoers matching from ldap
- #sudoers_debug 2
- #
- # Enable support for time-based entries in sudoers.
- #sudoers_timed yes
- #
- # optional proxy credentials
- #binddn <who to search as>
- #bindpw <password>
- #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
- #
- # LDAP protocol version, defaults to 3
- #ldap_version 3
- #
- # Define if you want to use an encrypted LDAP connection.
- # Typically, you must also set the port to 636 (ldaps).
- #ssl on
- #
- # Define if you want to use port 389 and switch to
- # encryption before the bind credentials are sent.
- # Only supported by LDAP servers that support the start_tls
- # extension such as OpenLDAP.
- #ssl start_tls
- #
- # Additional TLS options follow that allow tweaking of the
- # SSL/TLS connection.
- #
- #tls_checkpeer yes # verify server SSL certificate
- #tls_checkpeer no # ignore server SSL certificate
- #
- # If you enable tls_checkpeer, specify either tls_cacertfile
- # or tls_cacertdir. Only supported when using OpenLDAP.
- #
- #tls_cacertfile /etc/certs/trusted_signers.pem
- #tls_cacertdir /etc/certs
- #
- # For systems that don't have /dev/random
- # use this along with PRNGD or EGD.pl to seed the
- # random number pool to generate cryptographic session keys.
- # Only supported when using OpenLDAP.
- #
- #tls_randfile /etc/egd-pool
- #
- # You may restrict which ciphers are used. Consult your SSL
- # documentation for which options go here.
- # Only supported when using OpenLDAP.
- #
- #tls_ciphers <cipher-list>
- #
- # Sudo can provide a client certificate when communicating to
- # the LDAP server.
- # Tips:
- # * Enable both lines at the same time.
- # * Do not password protect the key file.
- # * Ensure the keyfile is only readable by root.
- #
- # For OpenLDAP:
- #tls_cert /etc/certs/client_cert.pem
- #tls_key /etc/certs/client_key.pem
- #
- # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
- # a directory, in which case the files in the directory must have the
- # default names (e.g., cert8.db and key4.db), or the path to the cert
- # and key files themselves. However, a bug in version 5.0 of the LDAP
- # SDK will prevent specific file names from working. For this reason
- # it is suggested that tls_cert and tls_key be set to a directory,
- # not a file name.
- #
- # The certificate database specified by tls_cert may contain CA certs
- # and/or the client's cert. If the client's cert is included, tls_key
- # should be specified as well.
- # For backward compatibility, "sslpath" may be used in place of tls_cert.
- #tls_cert /var/ldap
- #tls_key /var/ldap
- #
- # If using SASL authentication for LDAP (OpenSSL)
- # use_sasl yes
- # sasl_auth_id <SASL user name>
- # rootuse_sasl yes
- # rootsasl_auth_id <SASL user name for root access>
- # sasl_secprops none
- # krb5_ccname /etc/.ldapcache
-
- S\bSu\bud\bdo\boe\ber\brs\bs s\bsc\bch\bhe\bem\bma\ba f\bfo\bor\br O\bOp\bpe\ben\bnL\bLD\bDA\bAP\bP
- The following schema, in OpenLDAP format, is included with s\bsu\bud\bdo\bo source
- and binary distributions as _\bs_\bc_\bh_\be_\bm_\ba_\b._\bO_\bp_\be_\bn_\bL_\bD_\bA_\bP. Simply copy it to the
- schema directory (e.g., _\b/_\be_\bt_\bc_\b/_\bo_\bp_\be_\bn_\bl_\bd_\ba_\bp_\b/_\bs_\bc_\bh_\be_\bm_\ba), add the proper include
- line in _\bs_\bl_\ba_\bp_\bd_\b._\bc_\bo_\bn_\bf and restart s\bsl\bla\bap\bpd\bd. Sites using the optional on-line
- configuration supported by OpenLDAP 2.3 and higher should apply the
- _\bs_\bc_\bh_\be_\bm_\ba_\b._\bo_\bl_\bc_\bS_\bu_\bd_\bo file instead.
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.1
- NAME 'sudoUser'
- DESC 'User(s) who may run sudo'
- EQUALITY caseExactIA5Match
- SUBSTR caseExactIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.2
- NAME 'sudoHost'
- DESC 'Host(s) who may run sudo'
- EQUALITY caseExactIA5Match
- SUBSTR caseExactIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.3
- NAME 'sudoCommand'
- DESC 'Command(s) to be executed by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.4
- NAME 'sudoRunAs'
- DESC 'User(s) impersonated by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.5
- NAME 'sudoOption'
- DESC 'Options(s) followed by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.6
- NAME 'sudoRunAsUser'
- DESC 'User(s) impersonated by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.7
- NAME 'sudoRunAsGroup'
- DESC 'Group(s) impersonated by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.8
- NAME 'sudoNotBefore'
- DESC 'Start of time interval for which the entry is valid'
- EQUALITY generalizedTimeMatch
- ORDERING generalizedTimeOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.9
- NAME 'sudoNotAfter'
- DESC 'End of time interval for which the entry is valid'
- EQUALITY generalizedTimeMatch
- ORDERING generalizedTimeOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.10
- NAME 'sudoOrder'
- DESC 'an integer to order the sudoRole entries'
- EQUALITY integerMatch
- ORDERING integerOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
-
- objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
- DESC 'Sudoer Entries'
- MUST ( cn )
- MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
- sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
- sudoOrder $ description )
- )
-
-S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- cvtsudoers(1), ldap.conf(4), sssd-sudo(4), sudo.conf(4), sudoers(4)
-
-A\bAU\bUT\bTH\bHO\bOR\bRS\bS
- Many people have worked on s\bsu\bud\bdo\bo over the years; this version consists of
- code written primarily by:
-
- Todd C. Miller
-
- See the CONTRIBUTORS file in the s\bsu\bud\bdo\bo distribution
- (https://www.sudo.ws/contributors.html) for an exhaustive list of people
- who have contributed to s\bsu\bud\bdo\bo.
-
-C\bCA\bAV\bVE\bEA\bAT\bTS\bS
- Note that there are differences in the way that LDAP-based _\bs_\bu_\bd_\bo_\be_\br_\bs is
- parsed compared to file-based _\bs_\bu_\bd_\bo_\be_\br_\bs. See the _\bD_\bi_\bf_\bf_\be_\br_\be_\bn_\bc_\be_\bs _\bb_\be_\bt_\bw_\be_\be_\bn _\bL_\bD_\bA_\bP
- _\ba_\bn_\bd _\bn_\bo_\bn_\b-_\bL_\bD_\bA_\bP _\bs_\bu_\bd_\bo_\be_\br_\bs section for more information.
-
-B\bBU\bUG\bGS\bS
- If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
- https://bugzilla.sudo.ws/
-
-S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Limited free support is available via the sudo-users mailing list, see
- https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
- the archives.
-
-D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- s\bsu\bud\bdo\bo is provided "AS IS" and any express or implied warranties,
- including, but not limited to, the implied warranties of merchantability
- and fitness for a particular purpose are disclaimed. See the LICENSE
- file distributed with s\bsu\bud\bdo\bo or https://www.sudo.ws/license.html for
- complete details.
-
-Sudo 1.8.28 February 26, 2018 Sudo 1.8.28
+++ /dev/null
-SUDOERS_TIMESTAMP(4) File Formats Manual SUDOERS_TIMESTAMP(4)
-
-N\bNA\bAM\bME\bE
- s\bsu\bud\bdo\boe\ber\brs\bs_\b_t\bti\bim\bme\bes\bst\bta\bam\bmp\bp - Sudoers Time Stamp Format
-
-D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- The s\bsu\bud\bdo\boe\ber\brs\bs plugin uses per-user time stamp files for credential caching.
- Once a user has been authenticated, they may use s\bsu\bud\bdo\bo without a password
- for a short period of time (5 minutes unless overridden by the
- _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\b__\bt_\bi_\bm_\be_\bo_\bu_\bt option). By default, s\bsu\bud\bdo\boe\ber\brs\bs uses a separate record
- for each terminal, which means that a user's login sessions are
- authenticated separately. The _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\b__\bt_\by_\bp_\be option can be used to
- select the type of time stamp record s\bsu\bud\bdo\boe\ber\brs\bs will use.
-
- A multi-record time stamp file format was introduced in s\bsu\bud\bdo\bo 1.8.10 that
- uses a single file per user. Previously, a separate file was used for
- each user and terminal combination unless tty-based time stamps were
- disabled. The new format is extensible and records of multiple types and
- versions may coexist within the same file.
-
- All records, regardless of type or version, begin with a 16-bit version
- number and a 16-bit record size.
-
- Time stamp records have the following structure:
-
- /* Time stamp entry types */
- #define TS_GLOBAL 0x01 /* not restricted by tty or ppid */
- #define TS_TTY 0x02 /* restricted by tty */
- #define TS_PPID 0x03 /* restricted by ppid */
- #define TS_LOCKEXCL 0x04 /* special lock record */
-
- /* Time stamp flags */
- #define TS_DISABLED 0x01 /* entry disabled */
- #define TS_ANYUID 0x02 /* ignore uid, only valid in key */
-
- struct timestamp_entry {
- unsigned short version; /* version number */
- unsigned short size; /* entry size */
- unsigned short type; /* TS_GLOBAL, TS_TTY, TS_PPID */
- unsigned short flags; /* TS_DISABLED, TS_ANYUID */
- uid_t auth_uid; /* uid to authenticate as */
- pid_t sid; /* session ID associated with tty/ppid */
- struct timespec start_time; /* session/ppid start time */
- struct timespec ts; /* time stamp (CLOCK_MONOTONIC) */
- union {
- dev_t ttydev; /* tty device number */
- pid_t ppid; /* parent pid */
- } u;
- };
-
- The timestamp_entry struct fields are as follows:
-
- version
- The version number of the timestamp_entry struct. New entries are
- created with a version number of 2. Records with different version
- numbers may coexist in the same file but are not inter-operable.
-
- size The size of the record in bytes.
-
- type The record type, currently TS_GLOBAL, TS_TTY, or TS_PPID.
-
- flags
- Zero or more record flags which can be bit-wise ORed together.
- Supported flags are TS_DISABLED, for records disabled via s\bsu\bud\bdo\bo -\b-k\bk
- and TS_ANYUID, which is used only when matching records.
-
- auth_uid
- The user ID that was used for authentication. Depending on the
- value of the _\br_\bo_\bo_\bt_\bp_\bw, _\br_\bu_\bn_\ba_\bs_\bp_\bw and _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw options, the user ID may
- be that of the invoking user, the root user, the default runas user
- or the target user.
-
- sid The ID of the user's terminal session, if present. The session ID
- is only used when matching records of type TS_TTY.
-
- start_time
- The start time of the session leader for records of type TS_TTY or
- of the parent process for records of type TS_PPID. The _\bs_\bt_\ba_\br_\bt_\b__\bt_\bi_\bm_\be
- is used to help prevent re-use of a time stamp record after a user
- has logged out. Not all systems support a method to easily
- retrieve a process's start time. The _\bs_\bt_\ba_\br_\bt_\b__\bt_\bi_\bm_\be field was added in
- s\bsu\bud\bdo\boe\ber\brs\bs version 1.8.22 for the second revision of the
- timestamp_entry struct.
-
- ts The actual time stamp. A monotonic time source (which does not
- move backward) is used if the system supports it. Where possible,
- s\bsu\bud\bdo\boe\ber\brs\bs uses a monotonic timer that increments even while the
- system is suspended. The value of _\bt_\bs is updated each time a
- command is run via s\bsu\bud\bdo\bo. If the difference between _\bt_\bs and the
- current time is less than the value of the _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\b__\bt_\bi_\bm_\be_\bo_\bu_\bt
- option, no password is required.
-
- u.ttydev
- The device number of the terminal associated with the session for
- records of type TS_TTY.
-
- u.ppid
- The ID of the parent process for records of type TS_PPID.
-
-L\bLO\bOC\bCK\bKI\bIN\bNG\bG
- In s\bsu\bud\bdo\boe\ber\brs\bs versions 1.8.10 through 1.8.14, the entire time stamp file was
- locked for exclusive access when reading or writing to the file.
- Starting in s\bsu\bud\bdo\boe\ber\brs\bs 1.8.15, individual records are locked in the time
- stamp file instead of the entire file and the lock is held for a longer
- period of time. This scheme is described below.
-
- The first record in the time stamp file is of type TS_LOCKEXCL and is
- used as a _\bl_\bo_\bc_\bk record to prevent more than one s\bsu\bud\bdo\bo process from adding a
- new record at the same time. Once the desired time stamp record has been
- located or created (and locked), the TS_LOCKEXCL record is unlocked. The
- lock on the individual time stamp record, however, is held until
- authentication is complete. This allows s\bsu\bud\bdo\boe\ber\brs\bs to avoid prompting for a
- password multiple times when it is used more than once in a pipeline.
-
- Records of type TS_GLOBAL cannot be locked for a long period of time
- since doing so would interfere with other s\bsu\bud\bdo\bo processes. Instead, a
- separate lock record is used to prevent multiple s\bsu\bud\bdo\bo processes using the
- same terminal (or parent process ID) from prompting for a password as the
- same time.
-
-S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- sudoers(4), sudo(1m)
-
-H\bHI\bIS\bST\bTO\bOR\bRY\bY
- Originally, s\bsu\bud\bdo\bo used a single zero-length file per user and the file's
- modification time was used as the time stamp. Later versions of s\bsu\bud\bdo\bo
- added restrictions on the ownership of the time stamp files and directory
- as well as sanity checks on the time stamp itself. Notable changes were
- introduced in the following s\bsu\bud\bdo\bo versions:
-
- 1.4.0
- Support for tty-based time stamp file was added by appending the
- terminal name to the time stamp file name.
-
- 1.6.2
- The time stamp file was replaced by a per-user directory which
- contained any tty-based time stamp files.
-
- 1.6.3p2
- The target user name was added to the time stamp file name when the
- _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw option was set.
-
- 1.7.3
- Information about the terminal device was stored in tty-based time
- stamp files for sanity checking. This included the terminal device
- numbers, inode number and, on systems where it was not updated when
- the device was written to, the inode change time. This helped
- prevent re-use of the time stamp file after logout.
-
- 1.8.6p7
- The terminal session ID was added to tty-based time stamp files to
- prevent re-use of the time stamp by the same user in a different
- terminal session. It also helped prevent re-use of the time stamp
- file on systems where the terminal device's inode change time was
- updated by writing.
-
- 1.8.10
- A new, multi-record time stamp file format was introduced that uses
- a single file per user. The terminal device's change time was not
- included since most systems now update the change time after a
- write is performed as required by POSIX.
-
- 1.8.15
- Individual records are locked in the time stamp file instead of the
- entire file and the lock is held until authentication is complete.
-
- 1.8.22
- The start time of the terminal session leader or parent process is
- now stored in non-global time stamp records. This prevents re-use
- of the time stamp file after logout in most cases.
-
- Support was added for the kernel-based tty time stamps available in
- OpenBSD which do not use an on-disk time stamp file.
-
-A\bAU\bUT\bTH\bHO\bOR\bRS\bS
- Many people have worked on s\bsu\bud\bdo\bo over the years; this version consists of
- code written primarily by:
-
- Todd C. Miller
-
- See the CONTRIBUTORS file in the s\bsu\bud\bdo\bo distribution
- (https://www.sudo.ws/contributors.html) for an exhaustive list of people
- who have contributed to s\bsu\bud\bdo\bo.
-
-B\bBU\bUG\bGS\bS
- If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
- https://bugzilla.sudo.ws/
-
-S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Limited free support is available via the sudo-users mailing list, see
- https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
- the archives.
-
-D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- s\bsu\bud\bdo\bo is provided "AS IS" and any express or implied warranties,
- including, but not limited to, the implied warranties of merchantability
- and fitness for a particular purpose are disclaimed. See the LICENSE
- file distributed with s\bsu\bud\bdo\bo or https://www.sudo.ws/license.html for
- complete details.
-
-Sudo 1.8.28 October 7, 2018 Sudo 1.8.28
+++ /dev/null
-SUDOREPLAY(1m) System Manager's Manual SUDOREPLAY(1m)
-
-N\bNA\bAM\bME\bE
- s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by - replay sudo session logs
-
-S\bSY\bYN\bNO\bOP\bPS\bSI\bIS\bS
- s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by [-\b-h\bhn\bnR\bRS\bS] [-\b-d\bd _\bd_\bi_\br] [-\b-f\bf _\bf_\bi_\bl_\bt_\be_\br] [-\b-m\bm _\bn_\bu_\bm] [-\b-s\bs _\bn_\bu_\bm] ID
-
- s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by [-\b-h\bh] [-\b-d\bd _\bd_\bi_\br] -\b-l\bl [search expression]
-
-D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by plays back or lists the output logs created by s\bsu\bud\bdo\bo. When
- replaying, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by can play the session back in real-time, or the
- playback speed may be adjusted (faster or slower) based on the command
- line options.
-
- The _\bI_\bD should either be a six character sequence of digits and upper case
- letters, e.g., 0100A5, or a pattern matching the _\bi_\bo_\bl_\bo_\bg_\b__\bf_\bi_\bl_\be option in the
- _\bs_\bu_\bd_\bo_\be_\br_\bs file. When a command is run via s\bsu\bud\bdo\bo with _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt enabled in
- the _\bs_\bu_\bd_\bo_\be_\br_\bs file, a TSID=ID string is logged via syslog or to the s\bsu\bud\bdo\bo
- log file. The _\bI_\bD may also be determined using s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by's list mode.
-
- In list mode, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by can be used to find the ID of a session based on
- a number of criteria such as the user, tty or command run.
-
- In replay mode, if the standard input and output are connected to a
- terminal and the -\b-n\bn option is not specified, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by will operate
- interactively. In interactive mode, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by will attempt to adjust
- the terminal size to match that of the session and write directly to the
- terminal (not all terminals support this). Additionally, it will poll
- the keyboard and act on the following keys:
-
- `\n' or `\r' Skip to the next replay event; useful for long pauses.
-
- ` ' (space) Pause output; press any key to resume.
-
- `<' Reduce the playback speed by one half.
-
- `>' Double the playback speed.
-
- The session can be interrupted via control-C. When the session has
- finished, the terminal is restored to its original size if it was changed
- during playback.
-
- The options are as follows:
-
- -\b-d\bd _\bd_\bi_\br, -\b--\b-d\bdi\bir\bre\bec\bct\bto\bor\bry\by=_\bd_\bi_\br
- Store session logs in _\bd_\bi_\br instead of the default,
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo.
-
- -\b-f\bf _\bf_\bi_\bl_\bt_\be_\br, -\b--\b-f\bfi\bil\blt\bte\ber\br=_\bf_\bi_\bl_\bt_\be_\br
- Select which I/O type(s) to display. By default, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by
- will display the command's standard output, standard error
- and tty output. The _\bf_\bi_\bl_\bt_\be_\br argument is a comma-separated
- list, consisting of one or more of following: _\bs_\bt_\bd_\bi_\bn, _\bs_\bt_\bd_\bo_\bu_\bt,
- _\bs_\bt_\bd_\be_\br_\br, _\bt_\bt_\by_\bi_\bn, and _\bt_\bt_\by_\bo_\bu_\bt.
-
- -\b-h\bh, -\b--\b-h\bhe\bel\blp\bp Display a short help message to the standard output and exit.
-
- -\b-l\bl, -\b--\b-l\bli\bis\bst\bt [_\bs_\be_\ba_\br_\bc_\bh _\be_\bx_\bp_\br_\be_\bs_\bs_\bi_\bo_\bn]
- Enable "list mode". In this mode, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by will list
- available sessions in a format similar to the s\bsu\bud\bdo\bo log file
- format, sorted by file name (or sequence number). If a
- _\bs_\be_\ba_\br_\bc_\bh _\be_\bx_\bp_\br_\be_\bs_\bs_\bi_\bo_\bn is specified, it will be used to restrict
- the IDs that are displayed. An expression is composed of the
- following predicates:
-
- command _\bp_\ba_\bt_\bt_\be_\br_\bn
- Evaluates to true if the command run matches the
- POSIX extended regular expression _\bp_\ba_\bt_\bt_\be_\br_\bn.
-
- cwd _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by
- Evaluates to true if the command was run with the
- specified current working directory.
-
- fromdate _\bd_\ba_\bt_\be
- Evaluates to true if the command was run on or after
- _\bd_\ba_\bt_\be. See _\bD_\ba_\bt_\be _\ba_\bn_\bd _\bt_\bi_\bm_\be _\bf_\bo_\br_\bm_\ba_\bt for a description of
- supported date and time formats.
-
- group _\br_\bu_\bn_\ba_\bs_\b__\bg_\br_\bo_\bu_\bp
- Evaluates to true if the command was run with the
- specified _\br_\bu_\bn_\ba_\bs_\b__\bg_\br_\bo_\bu_\bp. Note that unless a
- _\br_\bu_\bn_\ba_\bs_\b__\bg_\br_\bo_\bu_\bp was explicitly specified when s\bsu\bud\bdo\bo was
- run this field will be empty in the log.
-
- runas _\br_\bu_\bn_\ba_\bs_\b__\bu_\bs_\be_\br
- Evaluates to true if the command was run as the
- specified _\br_\bu_\bn_\ba_\bs_\b__\bu_\bs_\be_\br. Note that s\bsu\bud\bdo\bo runs commands
- as user _\br_\bo_\bo_\bt by default.
-
- todate _\bd_\ba_\bt_\be
- Evaluates to true if the command was run on or prior
- to _\bd_\ba_\bt_\be. See _\bD_\ba_\bt_\be _\ba_\bn_\bd _\bt_\bi_\bm_\be _\bf_\bo_\br_\bm_\ba_\bt for a description
- of supported date and time formats.
-
- tty _\bt_\bt_\by _\bn_\ba_\bm_\be
- Evaluates to true if the command was run on the
- specified terminal device. The _\bt_\bt_\by _\bn_\ba_\bm_\be should be
- specified without the _\b/_\bd_\be_\bv_\b/ prefix, e.g., _\bt_\bt_\by_\b0_\b1
- instead of _\b/_\bd_\be_\bv_\b/_\bt_\bt_\by_\b0_\b1.
-
- user _\bu_\bs_\be_\br _\bn_\ba_\bm_\be
- Evaluates to true if the ID matches a command run by
- _\bu_\bs_\be_\br _\bn_\ba_\bm_\be.
-
- Predicates may be abbreviated to the shortest unique string.
-
- Predicates may be combined using _\ba_\bn_\bd, _\bo_\br and _\b! operators as
- well as `(' and `)' grouping (note that parentheses must
- generally be escaped from the shell). The _\ba_\bn_\bd operator is
- optional, adjacent predicates have an implied _\ba_\bn_\bd unless
- separated by an _\bo_\br.
-
- -\b-m\bm, -\b--\b-m\bma\bax\bx-\b-w\bwa\bai\bit\bt _\bm_\ba_\bx_\b__\bw_\ba_\bi_\bt
- Specify an upper bound on how long to wait between key
- presses or output data. By default, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by will
- accurately reproduce the delays between key presses or
- program output. However, this can be tedious when the
- session includes long pauses. When the -\b-m\bm option is
- specified, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by will limit these pauses to at most
- _\bm_\ba_\bx_\b__\bw_\ba_\bi_\bt seconds. The value may be specified as a floating
- point number, e.g., _\b2_\b._\b5. A _\bm_\ba_\bx_\b__\bw_\ba_\bi_\bt of zero or less will
- eliminate the pauses entirely.
-
- -\b-n\bn, -\b--\b-n\bno\bon\bn-\b-i\bin\bnt\bte\ber\bra\bac\bct\bti\biv\bve\be
- Do not prompt for user input or attempt to re-size the
- terminal. The session is written to the standard output, not
- directly to the user's terminal.
-
- -\b-R\bR, -\b--\b-n\bno\bo-\b-r\bre\bes\bsi\biz\bze\be
- Do not attempt to re-size the terminal to match the terminal
- size of the session.
-
- -\b-S\bS, -\b--\b-s\bsu\bus\bsp\bpe\ben\bnd\bd-\b-w\bwa\bai\bit\bt
- Wait while the command was suspended. By default, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by
- will ignore the time interval between when the command was
- suspended and when it was resumed. If the -\b-S\bS option is
- specified, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by will wait instead.
-
- -\b-s\bs, -\b--\b-s\bsp\bpe\bee\bed\bd _\bs_\bp_\be_\be_\bd_\b__\bf_\ba_\bc_\bt_\bo_\br
- This option causes s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by to adjust the number of seconds
- it will wait between key presses or program output. This can
- be used to slow down or speed up the display. For example, a
- _\bs_\bp_\be_\be_\bd_\b__\bf_\ba_\bc_\bt_\bo_\br of _\b2 would make the output twice as fast whereas
- a _\bs_\bp_\be_\be_\bd_\b__\bf_\ba_\bc_\bt_\bo_\br of _\b._\b5 would make the output twice as slow.
-
- -\b-V\bV, -\b--\b-v\bve\ber\brs\bsi\bio\bon\bn
- Print the s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by versions version number and exit.
-
- D\bDa\bat\bte\be a\ban\bnd\bd t\bti\bim\bme\be f\bfo\bor\brm\bma\bat\bt
- The time and date may be specified multiple ways, common formats include:
-
- HH:MM:SS am MM/DD/CCYY timezone
- 24 hour time may be used in place of am/pm.
-
- HH:MM:SS am Month, Day Year timezone
- 24 hour time may be used in place of am/pm, and month and day
- names may be abbreviated. Note that month and day of the week
- names must be specified in English.
-
- CCYY-MM-DD HH:MM:SS
- ISO time format
-
- DD Month CCYY HH:MM:SS
- The month name may be abbreviated.
-
- Either time or date may be omitted, the am/pm and timezone are optional.
- If no date is specified, the current day is assumed; if no time is
- specified, the first second of the specified date is used. The less
- significant parts of both time and date may also be omitted, in which
- case zero is assumed.
-
- The following are all valid time and date specifications:
-
- now The current time and date.
-
- tomorrow
- Exactly one day from now.
-
- yesterday
- 24 hours ago.
-
- 2 hours ago
- 2 hours ago.
-
- next Friday
- The first second of the Friday in the next (upcoming) week. Not
- to be confused with "this Friday" which would match the Friday of
- the current week.
-
- last week
- The current time but 7 days ago. This is equivalent to "a week
- ago".
-
- a fortnight ago
- The current time but 14 days ago.
-
- 10:01 am 9/17/2009
- 10:01 am, September 17, 2009.
-
- 10:01 am
- 10:01 am on the current day.
-
- 10 10:00 am on the current day.
-
- 9/17/2009
- 00:00 am, September 17, 2009.
-
- 10:01 am Sep 17, 2009
- 10:01 am, September 17, 2009.
-
- Note that relative time specifications do not always work as expected.
- For example, the "next" qualifier is intended to be used in conjunction
- with a day such as "next Monday". When used with units of weeks, months,
- years, etc the result will be one more than expected. For example, "next
- week" will result in a time exactly two weeks from now, which is probably
- not what was intended. This will be addressed in a future version of
- s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by.
-
- D\bDe\beb\bbu\bug\bgg\bgi\bin\bng\bg s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by
- s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by versions 1.8.4 and higher support a flexible debugging
- framework that is configured via Debug lines in the sudo.conf(4) file.
-
- For more information on configuring sudo.conf(4), please refer to its
- manual.
-
-F\bFI\bIL\bLE\bES\bS
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf Debugging framework configuration
-
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo The default I/O log directory.
-
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bl_\bo_\bg
- Example session log info.
-
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bs_\bt_\bd_\bi_\bn
- Example session standard input log.
-
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bs_\bt_\bd_\bo_\bu_\bt
- Example session standard output log.
-
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bs_\bt_\bd_\be_\br_\br
- Example session standard error log.
-
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bt_\bt_\by_\bi_\bn
- Example session tty input file.
-
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bt_\bt_\by_\bo_\bu_\bt
- Example session tty output file.
-
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bt_\bi_\bm_\bi_\bn_\bg
- Example session timing file.
-
- Note that the _\bs_\bt_\bd_\bi_\bn, _\bs_\bt_\bd_\bo_\bu_\bt and _\bs_\bt_\bd_\be_\br_\br files will be empty unless s\bsu\bud\bdo\bo
- was used as part of a pipeline for a particular command.
-
-E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
- List sessions run by user _\bm_\bi_\bl_\bl_\be_\br_\bt:
-
- # sudoreplay -l user millert
-
- List sessions run by user _\bb_\bo_\bb with a command containing the string vi:
-
- # sudoreplay -l user bob command vi
-
- List sessions run by user _\bj_\be_\bf_\bf that match a regular expression:
-
- # sudoreplay -l user jeff command '/bin/[a-z]*sh'
-
- List sessions run by jeff or bob on the console:
-
- # sudoreplay -l ( user jeff or user bob ) tty console
-
-S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- script(1), sudo.conf(4), sudo(1m)
-
-A\bAU\bUT\bTH\bHO\bOR\bRS\bS
- Many people have worked on s\bsu\bud\bdo\bo over the years; this version consists of
- code written primarily by:
-
- Todd C. Miller
-
- See the CONTRIBUTORS file in the s\bsu\bud\bdo\bo distribution
- (https://www.sudo.ws/contributors.html) for an exhaustive list of people
- who have contributed to s\bsu\bud\bdo\bo.
-
-B\bBU\bUG\bGS\bS
- If you feel you have found a bug in s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by, please submit a bug
- report at https://bugzilla.sudo.ws/
-
-S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Limited free support is available via the sudo-users mailing list, see
- https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
- the archives.
-
-D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by is provided "AS IS" and any express or implied warranties,
- including, but not limited to, the implied warranties of merchantability
- and fitness for a particular purpose are disclaimed. See the LICENSE
- file distributed with s\bsu\bud\bdo\bo or https://www.sudo.ws/license.html for
- complete details.
-
-Sudo 1.8.28 October 6, 2018 Sudo 1.8.28
+++ /dev/null
-VISUDO(1m) System Manager's Manual VISUDO(1m)
-
-N\bNA\bAM\bME\bE
- v\bvi\bis\bsu\bud\bdo\bo - edit the sudoers file
-
-S\bSY\bYN\bNO\bOP\bPS\bSI\bIS\bS
- v\bvi\bis\bsu\bud\bdo\bo [-\b-c\bch\bhq\bqs\bsV\bV] [[-\b-f\bf] _\bs_\bu_\bd_\bo_\be_\br_\bs]
-
-D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- v\bvi\bis\bsu\bud\bdo\bo edits the _\bs_\bu_\bd_\bo_\be_\br_\bs file in a safe fashion, analogous to vipw(1m).
- v\bvi\bis\bsu\bud\bdo\bo locks the _\bs_\bu_\bd_\bo_\be_\br_\bs file against multiple simultaneous edits,
- provides basic sanity checks, and checks for parse errors before
- installing the edited file. If the _\bs_\bu_\bd_\bo_\be_\br_\bs file is currently being
- edited you will receive a message to try again later.
-
- v\bvi\bis\bsu\bud\bdo\bo parses the _\bs_\bu_\bd_\bo_\be_\br_\bs file after editing and will not save the
- changes if there is a syntax error. Upon finding an error, v\bvi\bis\bsu\bud\bdo\bo will
- print a message stating the line number(s) where the error occurred and
- the user will receive the "What now?" prompt. At this point the user may
- enter `e' to re-edit the _\bs_\bu_\bd_\bo_\be_\br_\bs file, `x' to exit without saving the
- changes, or `Q' to quit and save changes. The `Q' option should be used
- with extreme caution because if v\bvi\bis\bsu\bud\bdo\bo believes there to be a parse
- error, so will s\bsu\bud\bdo\bo and no one will be able to run s\bsu\bud\bdo\bo again until the
- error is fixed. If `e' is typed to edit the _\bs_\bu_\bd_\bo_\be_\br_\bs file after a parse
- error has been detected, the cursor will be placed on the line where the
- error occurred (if the editor supports this feature).
-
- There are two _\bs_\bu_\bd_\bo_\be_\br_\bs settings that determine which editor v\bvi\bis\bsu\bud\bdo\bo will
- run.
-
- editor A colon (`:') separated list of editors allowed to be used with
- v\bvi\bis\bsu\bud\bdo\bo. v\bvi\bis\bsu\bud\bdo\bo will choose the editor that matches the user's
- SUDO_EDITOR, VISUAL or EDITOR environment variable if possible,
- or the first editor in the list that exists and is executable.
- Note that s\bsu\bud\bdo\bo does not preserve the SUDO_EDITOR, VISUAL or
- EDITOR environment variables unless they are present in the
- _\be_\bn_\bv_\b__\bk_\be_\be_\bp list or the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is disabled in the
- _\bs_\bu_\bd_\bo_\be_\br_\bs file. The default editor path is _\bv_\bi which can be set
- at compile time via the --with-editor configure option.
-
- env_editor
- If set, v\bvi\bis\bsu\bud\bdo\bo will use the value of the SUDO_EDITOR, VISUAL or
- EDITOR environment variables before falling back on the default
- editor list. Note that v\bvi\bis\bsu\bud\bdo\bo is typically run as root so this
- option may allow a user with v\bvi\bis\bsu\bud\bdo\bo privileges to run arbitrary
- commands as root without logging. An alternative is to place a
- colon-separated list of "safe" editors int the _\be_\bd_\bi_\bt_\bo_\br variable.
- v\bvi\bis\bsu\bud\bdo\bo will then only use SUDO_EDITOR, VISUAL or EDITOR if they
- match a value specified in _\be_\bd_\bi_\bt_\bo_\br. If the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt flag is
- enabled, the SUDO_EDITOR, VISUAL and/or EDITOR environment
- variables must be present in the _\be_\bn_\bv_\b__\bk_\be_\be_\bp list for the
- _\be_\bn_\bv_\b__\be_\bd_\bi_\bt_\bo_\br flag to function when v\bvi\bis\bsu\bud\bdo\bo is invoked via s\bsu\bud\bdo\bo.
- The default value is _\bo_\bn, which can be set at compile time via
- the --with-env-editor configure option.
-
- The options are as follows:
-
- -\b-c\bc, -\b--\b-c\bch\bhe\bec\bck\bk
- Enable _\bc_\bh_\be_\bc_\bk_\b-_\bo_\bn_\bl_\by mode. The existing _\bs_\bu_\bd_\bo_\be_\br_\bs file (and any
- other files it includes) will be checked for syntax errors.
- If the path to the _\bs_\bu_\bd_\bo_\be_\br_\bs file was not specified, v\bvi\bis\bsu\bud\bdo\bo
- will also check the file owner and mode. A message will be
- printed to the standard output describing the status of
- _\bs_\bu_\bd_\bo_\be_\br_\bs unless the -\b-q\bq option was specified. If the check
- completes successfully, v\bvi\bis\bsu\bud\bdo\bo will exit with a value of 0.
- If an error is encountered, v\bvi\bis\bsu\bud\bdo\bo will exit with a value of
- 1.
-
- -\b-f\bf _\bs_\bu_\bd_\bo_\be_\br_\bs, -\b--\b-f\bfi\bil\ble\be=_\bs_\bu_\bd_\bo_\be_\br_\bs
- Specify an alternate _\bs_\bu_\bd_\bo_\be_\br_\bs file location, see below. As of
- version 1.8.27, the _\bs_\bu_\bd_\bo_\be_\br_\bs path can be specified without
- using the -\b-f\bf option.
-
- -\b-h\bh, -\b--\b-h\bhe\bel\blp\bp Display a short help message to the standard output and exit.
-
- -\b-q\bq, -\b--\b-q\bqu\bui\bie\bet\bt
- Enable _\bq_\bu_\bi_\be_\bt mode. In this mode details about syntax errors
- are not printed. This option is only useful when combined
- with the -\b-c\bc option.
-
- -\b-s\bs, -\b--\b-s\bst\btr\bri\bic\bct\bt
- Enable _\bs_\bt_\br_\bi_\bc_\bt checking of the _\bs_\bu_\bd_\bo_\be_\br_\bs file. If an alias is
- referenced but not actually defined or if there is a cycle in
- an alias, v\bvi\bis\bsu\bud\bdo\bo will consider this a parse error. Note that
- it is not possible to differentiate between an alias and a
- host name or user name that consists solely of uppercase
- letters, digits, and the underscore (`_') character.
-
- -\b-V\bV, -\b--\b-v\bve\ber\brs\bsi\bio\bon\bn
- Print the v\bvi\bis\bsu\bud\bdo\bo and _\bs_\bu_\bd_\bo_\be_\br_\bs grammar versions and exit.
-
- A _\bs_\bu_\bd_\bo_\be_\br_\bs file may be specified instead of the default, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs.
- The temporary file used is the specified _\bs_\bu_\bd_\bo_\be_\br_\bs file with ".tmp"
- appended to it. In _\bc_\bh_\be_\bc_\bk_\b-_\bo_\bn_\bl_\by mode only, `-' may be used to indicate
- that _\bs_\bu_\bd_\bo_\be_\br_\bs will be read from the standard input. Because the policy is
- evaluated in its entirety, it is not sufficient to check an individual
- _\bs_\bu_\bd_\bo_\be_\br_\bs include file for syntax errors.
-
- D\bDe\beb\bbu\bug\bgg\bgi\bin\bng\bg a\ban\bnd\bd s\bsu\bud\bdo\boe\ber\brs\bs p\bpl\blu\bug\bgi\bin\bn a\bar\brg\bgu\bum\bme\ben\bnt\bts\bs
- v\bvi\bis\bsu\bud\bdo\bo versions 1.8.4 and higher support a flexible debugging framework
- that is configured via Debug lines in the sudo.conf(4) file.
-
- Starting with s\bsu\bud\bdo\bo 1.8.12, v\bvi\bis\bsu\bud\bdo\bo will also parse the arguments to the
- _\bs_\bu_\bd_\bo_\be_\br_\bs plugin to override the default _\bs_\bu_\bd_\bo_\be_\br_\bs path name, UID, GID and
- file mode. These arguments, if present, should be listed after the path
- to the plugin (i.e., after _\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bs_\bo). Multiple arguments may be
- specified, separated by white space. For example:
-
- Plugin sudoers_policy sudoers.so sudoers_mode=0400
-
- The following arguments are supported:
-
- sudoers_file=pathname
- The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bf_\bi_\bl_\be argument can be used to override the default
- path to the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
-
- sudoers_uid=uid
- The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bu_\bi_\bd argument can be used to override the default
- owner of the sudoers file. It should be specified as a numeric
- user ID.
-
- sudoers_gid=gid
- The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bg_\bi_\bd argument can be used to override the default
- group of the sudoers file. It must be specified as a numeric
- group ID (not a group name).
-
- sudoers_mode=mode
- The _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bm_\bo_\bd_\be argument can be used to override the default
- file mode for the sudoers file. It should be specified as an
- octal value.
-
- For more information on configuring sudo.conf(4), please refer to its
- manual.
-
-E\bEN\bNV\bVI\bIR\bRO\bON\bNM\bME\bEN\bNT\bT
- The following environment variables may be consulted depending on the
- value of the _\be_\bd_\bi_\bt_\bo_\br and _\be_\bn_\bv_\b__\be_\bd_\bi_\bt_\bo_\br _\bs_\bu_\bd_\bo_\be_\br_\bs settings:
-
- SUDO_EDITOR Invoked by v\bvi\bis\bsu\bud\bdo\bo as the editor to use
-
- VISUAL Used by v\bvi\bis\bsu\bud\bdo\bo if SUDO_EDITOR is not set
-
- EDITOR Used by v\bvi\bis\bsu\bud\bdo\bo if neither SUDO_EDITOR nor VISUAL is set
-
-F\bFI\bIL\bLE\bES\bS
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b._\bc_\bo_\bn_\bf Sudo front end configuration
-
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
-
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bt_\bm_\bp Default temporary file used by visudo
-
-D\bDI\bIA\bAG\bGN\bNO\bOS\bST\bTI\bIC\bCS\bS
- In addition to reporting _\bs_\bu_\bd_\bo_\be_\br_\bs parse errors, v\bvi\bis\bsu\bud\bdo\bo may produce the
- following messages:
-
- sudoers file busy, try again later.
- Someone else is currently editing the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
-
- /etc/sudoers: Permission denied
- You didn't run v\bvi\bis\bsu\bud\bdo\bo as root.
-
- you do not exist in the passwd database
- Your user ID does not appear in the system passwd database.
-
- Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined
- Either you are trying to use an undeclared
- {User,Runas,Host,Cmnd}_Alias or you have a user or host name listed
- that consists solely of uppercase letters, digits, and the
- underscore (`_') character. In the latter case, you can ignore the
- warnings (s\bsu\bud\bdo\bo will not complain). The message is prefixed with
- the path name of the _\bs_\bu_\bd_\bo_\be_\br_\bs file and the line number where the
- undefined alias was used. In -\b-s\bs (strict) mode these are errors,
- not warnings.
-
- Warning: unused {User,Runas,Host,Cmnd}_Alias
- The specified {User,Runas,Host,Cmnd}_Alias was defined but never
- used. The message is prefixed with the path name of the _\bs_\bu_\bd_\bo_\be_\br_\bs
- file and the line number where the unused alias was defined. You
- may wish to comment out or remove the unused alias.
-
- Warning: cycle in {User,Runas,Host,Cmnd}_Alias
- The specified {User,Runas,Host,Cmnd}_Alias includes a reference to
- itself, either directly or through an alias it includes. The
- message is prefixed with the path name of the _\bs_\bu_\bd_\bo_\be_\br_\bs file and the
- line number where the cycle was detected. This is only a warning
- unless v\bvi\bis\bsu\bud\bdo\bo is run in -\b-s\bs (strict) mode as s\bsu\bud\bdo\bo will ignore cycles
- when parsing the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
-
- unknown defaults entry "name"
- The _\bs_\bu_\bd_\bo_\be_\br_\bs file contains a Defaults setting not recognized by
- v\bvi\bis\bsu\bud\bdo\bo.
-
-S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- vi(1), sudo.conf(4), sudoers(4), sudo(1m), vipw(1m)
-
-A\bAU\bUT\bTH\bHO\bOR\bRS\bS
- Many people have worked on s\bsu\bud\bdo\bo over the years; this version consists of
- code written primarily by:
-
- Todd C. Miller
-
- See the CONTRIBUTORS file in the s\bsu\bud\bdo\bo distribution
- (https://www.sudo.ws/contributors.html) for an exhaustive list of people
- who have contributed to s\bsu\bud\bdo\bo.
-
-C\bCA\bAV\bVE\bEA\bAT\bTS\bS
- There is no easy way to prevent a user from gaining a root shell if the
- editor used by v\bvi\bis\bsu\bud\bdo\bo allows shell escapes.
-
-B\bBU\bUG\bGS\bS
- If you feel you have found a bug in v\bvi\bis\bsu\bud\bdo\bo, please submit a bug report at
- https://bugzilla.sudo.ws/
-
-S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Limited free support is available via the sudo-users mailing list, see
- https://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
- the archives.
-
-D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- v\bvi\bis\bsu\bud\bdo\bo is provided "AS IS" and any express or implied warranties,
- including, but not limited to, the implied warranties of merchantability
- and fitness for a particular purpose are disclaimed. See the LICENSE
- file distributed with s\bsu\bud\bdo\bo or https://www.sudo.ws/license.html for
- complete details.
-
-Sudo 1.8.28 June 20, 2019 Sudo 1.8.28
projects / sudo / commitdiff