+What's new in Sudo 1.7.8?
+
+ * Sudo will now use PAM by default on AIX 6 and higher.
+
+ * Added --enable-werror configure option for gcc's -Werror flag.
+
+ * Visudo no longer assumes all editors support the +linenumber
+ command line argument. It now uses a whitelist of editors known
+ to support the option.
+
+ * Fixed matching of network addresses when a netmask is specified
+ but the address is not the first one in the CIDR block.
+
+ * The configure script now check whether or not errno.h declares
+ the errno variable. Previously, sudo would always declare errno
+ itself for older systems that don't declare it in errno.h.
+
+ * The NOPASSWD tag is now honored for denied commands too, which
+ matches historic sudo behavior (prior to sudo 1.7.0).
+
+ * Sudo now honors the "DEREF" setting in ldap.conf which controls
+ how alias dereferencing is done during an LDAP search.
+
What's new in Sudo 1.7.7
* I/O logging is now supported for commands run in background mode
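Review bot: the network-matching entry (`Fixed matching of network addresses when a netmask is specified / but the address is not the first one in the CIDR block.`) should say which way the old code failed, since that decides whether existing Host_Alias entries were silently fail-closed (hosts that should have matched did not) or fail-open (hosts matched a block they were not in); an administrator reading NEWS needs that to know whether to re-audit sudoers after upgrading. The NOPASSWD entry has the same gap: spell out what "honored for denied commands" means in practice (presumably that a command matching a negated entry tagged NOPASSWD is refused without a password prompt) and make sure the sudoers(4) page describes it, because it changes what an unauthenticated user can learn about the policy. Two smaller points: "The configure script now check" should read "now checks", and the visudo editor whitelist entry should list the editors or point to where the list is documented, otherwise users of an unlisted editor will not know why the +linenumber jump stopped working.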
#! /bin/sh
# Guess values for system-dependent variables and create Makefiles.
-# Generated by GNU Autoconf 2.68 for sudo 1.7.7.
+# Generated by GNU Autoconf 2.68 for sudo 1.7.8.
#
# Report bugs to <http://www.sudo.ws/bugs/>.
#
# Identity of this package.
PACKAGE_NAME='sudo'
PACKAGE_TARNAME='sudo'
-PACKAGE_VERSION='1.7.7'
-PACKAGE_STRING='sudo 1.7.7'
+PACKAGE_VERSION='1.7.8'
+PACKAGE_STRING='sudo 1.7.8'
PACKAGE_BUGREPORT='http://www.sudo.ws/bugs/'
PACKAGE_URL=''
# Omit some internal or obsolete options to make the list less imposing.
# This message is too long to be a string in the A/UX 3.1 sh.
cat <<_ACEOF
-\`configure' configures sudo 1.7.7 to adapt to many kinds of systems.
+\`configure' configures sudo 1.7.8 to adapt to many kinds of systems.
Usage: $0 [OPTION]... [VAR=VALUE]...
if test -n "$ac_init_help"; then
case $ac_init_help in
- short | recursive ) echo "Configuration of sudo 1.7.7:";;
+ short | recursive ) echo "Configuration of sudo 1.7.8:";;
esac
cat <<\_ACEOF
test -n "$ac_init_help" && exit $ac_status
if $ac_init_version; then
cat <<\_ACEOF
-sudo configure 1.7.7
+sudo configure 1.7.8
generated by GNU Autoconf 2.68
Copyright (C) 2010 Free Software Foundation, Inc.
This file contains any messages produced by compilers while
running configure, to aid debugging if configure makes a mistake.
-It was created by sudo $as_me 1.7.7, which was
+It was created by sudo $as_me 1.7.8, which was
generated by GNU Autoconf 2.68. Invocation command line was
$ $0 $@
# report actual input values of CONFIG_FILES etc. instead of their
# values after options handling.
ac_log="
-This file was extended by sudo $as_me 1.7.7, which was
+This file was extended by sudo $as_me 1.7.8, which was
generated by GNU Autoconf 2.68. Invocation command line was
CONFIG_FILES = $CONFIG_FILES
cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1
ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`"
ac_cs_version="\\
-sudo config.status 1.7.7
+sudo config.status 1.7.8
configured by $0, generated by GNU Autoconf 2.68,
with options \\"\$ac_cs_config\\"
dnl
dnl Copyright (c) 1994-1996,1998-2011 Todd C. Miller <Todd.Miller@courtesan.com>
dnl
-AC_INIT([sudo], [1.7.7], [http://www.sudo.ws/bugs/], [sudo])
+AC_INIT([sudo], [1.7.8], [http://www.sudo.ws/bugs/], [sudo])
AC_CONFIG_HEADER(config.h pathnames.h zlib/zconf.h)
dnl
dnl Note: this must come after AC_INIT
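Review bot: the `--enable-werror` option announced in the NEWS hunk (`Added --enable-werror configure option for gcc's -Werror flag.`) does not appear here; this configure.in hunk only bumps the AC_INIT version, and the regenerated configure above carries only version-string changes. Confirm the AC_ARG_ENABLE addition is part of the same change set and that it defaults to off, so release builds with newer compilers do not fail on warnings the maintainers have not seen.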
-\e[1mNAME\e[0m
+N\bNA\bAM\bME\bE
sudo, sudoedit - execute a command as another user
-\e[1mSYNOPSIS\e[0m
- \e[1msudo -h \e[22m| \e[1m-K \e[22m| \e[1m-k \e[22m| \e[1m-L \e[22m| \e[1m-V\e[0m
+S\bSY\bYN\bNO\bOP\bPS\bSI\bIS\bS
+ s\bsu\bud\bdo\bo -\b-h\bh | -\b-K\bK | -\b-k\bk | -\b-L\bL | -\b-V\bV
- \e[1msudo -v \e[22m[\e[1m-AknS\e[22m] [\e[1m-a \e[4m\e[22mauth_type\e[24m] [\e[1m-g \e[4m\e[22mgroup\e[24m \e[4mname\e[24m|\e[4m#gid\e[24m] [\e[1m-p \e[4m\e[22mprompt\e[24m]
- [\e[1m-u \e[4m\e[22musername\e[24m|\e[4m#uid\e[24m]
+ s\bsu\bud\bdo\bo -\b-v\bv [-\b-A\bAk\bkn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt]
+ [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd]
- \e[1msudo -l[l] \e[22m[\e[1m-AknS\e[22m] [\e[1m-a \e[4m\e[22mauth_type\e[24m] [\e[1m-g \e[4m\e[22mgroup\e[24m \e[4mname\e[24m|\e[4m#gid\e[24m] [\e[1m-p \e[4m\e[22mprompt\e[24m]
- [\e[1m-U \e[4m\e[22muser\e[24m \e[4mname\e[24m] [\e[1m-u \e[4m\e[22muser\e[24m \e[4mname\e[24m|\e[4m#uid\e[24m] [\e[4mcommand\e[24m]
+ s\bsu\bud\bdo\bo -\b-l\bl[\b[l\bl]\b] [-\b-A\bAk\bkn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt]
+ [-\b-U\bU _\bu_\bs_\be_\br _\bn_\ba_\bm_\be] [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
- \e[1msudo \e[22m[\e[1m-AbEHnPS\e[22m] [\e[1m-a \e[4m\e[22mauth_type\e[24m] [\e[1m-C \e[4m\e[22mfd\e[24m] [\e[1m-c \e[4m\e[22mclass\e[24m|\e[4m-\e[24m]
- [\e[1m-g \e[4m\e[22mgroup\e[24m \e[4mname\e[24m|\e[4m#gid\e[24m] [\e[1m-p \e[4m\e[22mprompt\e[24m] [\e[1m-r \e[4m\e[22mrole\e[24m] [\e[1m-t \e[4m\e[22mtype\e[24m]
- [\e[1m-u \e[4m\e[22muser\e[24m \e[4mname\e[24m|\e[4m#uid\e[24m] [\e[1mVAR\e[22m=\e[4mvalue\e[24m] [\e[1m-i \e[22m| \e[1m-s\e[22m] [\e[4mcommand\e[24m]
+ s\bsu\bud\bdo\bo [-\b-A\bAb\bbE\bEH\bHn\bnP\bPS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-]
+ [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-r\br _\br_\bo_\bl_\be] [-\b-t\bt _\bt_\by_\bp_\be]
+ [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be] [-\b-i\bi | -\b-s\bs] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
- \e[1msudoedit \e[22m[\e[1m-AnS\e[22m] [\e[1m-a \e[4m\e[22mauth_type\e[24m] [\e[1m-C \e[4m\e[22mfd\e[24m] [\e[1m-c \e[4m\e[22mclass\e[24m|\e[4m-\e[24m]
- [\e[1m-g \e[4m\e[22mgroup\e[24m \e[4mname\e[24m|\e[4m#gid\e[24m] [\e[1m-p \e[4m\e[22mprompt\e[24m] [\e[1m-u \e[4m\e[22muser\e[24m \e[4mname\e[24m|\e[4m#uid\e[24m] file ...
+ s\bsu\bud\bdo\boe\bed\bdi\bit\bt [-\b-A\bAn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-]
+ [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] file ...
-\e[1mDESCRIPTION\e[0m
- \e[1msudo \e[22mallows a permitted user to execute a \e[4mcommand\e[24m as the superuser or
- another user, as specified in the \e[4msudoers\e[24m file. The real and effective
+D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
+ s\bsu\bud\bdo\bo allows a permitted user to execute a _\bc_\bo_\bm_\bm_\ba_\bn_\bd as the superuser or
+ another user, as specified in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. The real and effective
uid and gid are set to match those of the target user as specified in
the passwd file and the group vector is initialized based on the group
- file (unless the \e[1m-P \e[22moption was specified). If the invoking user is
+ file (unless the -\b-P\bP option was specified). If the invoking user is
root or if the target user is the same as the invoking user, no
- password is required. Otherwise, \e[1msudo \e[22mrequires that users authenticate
+ password is required. Otherwise, s\bsu\bud\bdo\bo requires that users authenticate
themselves with a password by default (NOTE: in the default
configuration this is the user's password, not the root password).
Once a user has been authenticated, a time stamp is updated and the
user may then use sudo without a password for a short period of time (5
- minutes unless overridden in \e[4msudoers\e[24m).
+ minutes unless overridden in _\bs_\bu_\bd_\bo_\be_\br_\bs).
- When invoked as \e[1msudoedit\e[22m, the \e[1m-e \e[22moption (described below), is implied.
+ When invoked as s\bsu\bud\bdo\boe\bed\bdi\bit\bt, the -\b-e\be option (described below), is implied.
- \e[1msudo \e[22mdetermines who is an authorized user by consulting the file
- \e[4m/etc/sudoers\e[24m. By running \e[1msudo \e[22mwith the \e[1m-v \e[22moption, a user can update
- the time stamp without running a \e[4mcommand\e[24m. If a password is required,
- \e[1msudo \e[22mwill exit if the user's password is not entered within a
+ s\bsu\bud\bdo\bo determines who is an authorized user by consulting the file
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. By running s\bsu\bud\bdo\bo with the -\b-v\bv option, a user can update
+ the time stamp without running a _\bc_\bo_\bm_\bm_\ba_\bn_\bd. If a password is required,
+ s\bsu\bud\bdo\bo will exit if the user's password is not entered within a
configurable time limit. The default password prompt timeout is 5
minutes.
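Review bot: switching the preformatted page from ANSI SGR escapes (`\e[1msudo \e[22m`) to nroff backspace overstrike (`s\bsu\bud\bdo\bo`, `_\bs_\bu_\bd_\bo_\be_\br_\bs`) is a whole-file regeneration folded into the release bump, which touches every line and hides any real wording change; it should be its own commit, and nothing in the NEWS hunk says which formatter setting changed. The overstrike form is the right target for a .cat file, since `col -b` strips it and `ul` renders it, whereas raw escape sequences pass through `col` untouched and are shown verbatim wherever the page is viewed without an ANSI-aware terminal.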
- If a user who is not listed in the \e[4msudoers\e[24m file tries to run a command
- via \e[1msudo\e[22m, mail is sent to the proper authorities, as defined at
- configure time or in the \e[4msudoers\e[24m file (defaults to root). Note that
+ If a user who is not listed in the _\bs_\bu_\bd_\bo_\be_\br_\bs file tries to run a command
+ via s\bsu\bud\bdo\bo, mail is sent to the proper authorities, as defined at
+ configure time or in the _\bs_\bu_\bd_\bo_\be_\br_\bs file (defaults to root). Note that
the mail will not be sent if an unauthorized user tries to run sudo
- with the \e[1m-l \e[22mor \e[1m-v \e[22moption. This allows users to determine for
- themselves whether or not they are allowed to use \e[1msudo\e[22m.
+ with the -\b-l\bl or -\b-v\bv option. This allows users to determine for
+ themselves whether or not they are allowed to use s\bsu\bud\bdo\bo.
- If \e[1msudo \e[22mis run by root and the SUDO_USER environment variable is set,
- \e[1msudo \e[22mwill use this value to determine who the actual user is. This can
+ If s\bsu\bud\bdo\bo is run by root and the SUDO_USER environment variable is set,
+ s\bsu\bud\bdo\bo will use this value to determine who the actual user is. This can
be used by a user to log commands through sudo even when a root shell
- has been invoked. It also allows the \e[1m-e \e[22moption to remain useful even
+ has been invoked. It also allows the -\b-e\be option to remain useful even
when being run via a sudo-run script or program. Note however, that
the sudoers lookup is still done for root, not the user specified by
SUDO_USER.
- \e[1msudo \e[22mcan log both successful and unsuccessful attempts (as well as
- errors) to \e[4msyslog\e[24m(3), a log file, or both. By default \e[1msudo \e[22mwill log
- via \e[4msyslog\e[24m(3) but this is changeable at configure time or via the
- \e[4msudoers\e[24m file.
+ s\bsu\bud\bdo\bo can log both successful and unsuccessful attempts (as well as
+ errors) to _\bs_\by_\bs_\bl_\bo_\bg(3), a log file, or both. By default s\bsu\bud\bdo\bo will log
+ via _\bs_\by_\bs_\bl_\bo_\bg(3) but this is changeable at configure time or via the
+ _\bs_\bu_\bd_\bo_\be_\br_\bs file.
-\e[1mOPTIONS\e[0m
- \e[1msudo \e[22maccepts the following command line options:
+O\bOP\bPT\bTI\bIO\bON\bNS\bS
+ s\bsu\bud\bdo\bo accepts the following command line options:
- -A Normally, if \e[1msudo \e[22mrequires a password, it will read it from
- the current terminal. If the \e[1m-A \e[22m(\e[4maskpass\e[24m) option is
+ -A Normally, if s\bsu\bud\bdo\bo requires a password, it will read it from
+ the current terminal. If the -\b-A\bA (_\ba_\bs_\bk_\bp_\ba_\bs_\bs) option is
specified, a (possibly graphical) helper program is
executed to read the user's password and output the
password to the standard output. If the SUDO_ASKPASS
environment variable is set, it specifies the path to the
helper program. Otherwise, the value specified by the
- \e[4maskpass\e[24m option in \e[4msudoers\e[24m(4) is used.
+ _\ba_\bs_\bk_\bp_\ba_\bs_\bs option in _\bs_\bu_\bd_\bo_\be_\br_\bs(4) is used.
- -a \e[4mtype\e[24m The \e[1m-a \e[22m(\e[4mauthentication\e[24m \e[4mtype\e[24m) option causes \e[1msudo \e[22mto use the
+ -a _\bt_\by_\bp_\be The -\b-a\ba (_\ba_\bu_\bt_\bh_\be_\bn_\bt_\bi_\bc_\ba_\bt_\bi_\bo_\bn _\bt_\by_\bp_\be) option causes s\bsu\bud\bdo\bo to use the
specified authentication type when validating the user, as
- allowed by \e[4m/etc/login.conf\e[24m. The system administrator may
+ allowed by _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. The system administrator may
specify a list of sudo-specific authentication methods by
- adding an "auth-sudo" entry in \e[4m/etc/login.conf\e[24m. This
+ adding an "auth-sudo" entry in _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. This
option is only available on systems that support BSD
authentication.
- -b The \e[1m-b \e[22m(\e[4mbackground\e[24m) option tells \e[1msudo \e[22mto run the given
- command in the background. Note that if you use the \e[1m-b\e[0m
+ -b The -\b-b\bb (_\bb_\ba_\bc_\bk_\bg_\br_\bo_\bu_\bn_\bd) option tells s\bsu\bud\bdo\bo to run the given
+ command in the background. Note that if you use the -\b-b\bb
option you cannot use shell job control to manipulate the
process.
- -C \e[4mfd\e[24m Normally, \e[1msudo \e[22mwill close all open file descriptors other
+ -C _\bf_\bd Normally, s\bsu\bud\bdo\bo will close all open file descriptors other
than standard input, standard output and standard error.
- The \e[1m-C \e[22m(\e[4mclose\e[24m \e[4mfrom\e[24m) option allows the user to specify a
+ The -\b-C\bC (_\bc_\bl_\bo_\bs_\be _\bf_\br_\bo_\bm) option allows the user to specify a
starting point above the standard error (file descriptor
three). Values less than three are not permitted. This
option is only available if the administrator has enabled
- the \e[4mclosefrom_override\e[24m option in \e[4msudoers\e[24m(4).
+ the _\bc_\bl_\bo_\bs_\be_\bf_\br_\bo_\bm_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be option in _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
- -c \e[4mclass\e[24m The \e[1m-c \e[22m(\e[4mclass\e[24m) option causes \e[1msudo \e[22mto run the specified
+ -c _\bc_\bl_\ba_\bs_\bs The -\b-c\bc (_\bc_\bl_\ba_\bs_\bs) option causes s\bsu\bud\bdo\bo to run the specified
command with resources limited by the specified login
- class. The \e[4mclass\e[24m argument can be either a class name as
- defined in \e[4m/etc/login.conf\e[24m, or a single '-' character.
- Specifying a \e[4mclass\e[24m of - indicates that the command should
+ class. The _\bc_\bl_\ba_\bs_\bs argument can be either a class name as
+ defined in _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf, or a single '-' character.
+ Specifying a _\bc_\bl_\ba_\bs_\bs of - indicates that the command should
be run restricted by the default login capabilities for the
- user the command is run as. If the \e[4mclass\e[24m argument
+ user the command is run as. If the _\bc_\bl_\ba_\bs_\bs argument
specifies an existing user class, the command must be run
- as root, or the \e[1msudo \e[22mcommand must be run from a shell that
+ as root, or the s\bsu\bud\bdo\bo command must be run from a shell that
is already root. This option is only available on systems
with BSD login classes.
- -E The \e[1m-E \e[22m(\e[4mpreserve\e[24m \e[4menvironment\e[24m) option will override the
- \e[4menv_reset\e[24m option in \e[4msudoers\e[24m(4)). It is only available when
+ -E The -\b-E\bE (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt) option will override the
+ _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option in _\bs_\bu_\bd_\bo_\be_\br_\bs(4)). It is only available when
either the matching command has the SETENV tag or the
- \e[4msetenv\e[24m option is set in \e[4msudoers\e[24m(4).
+ _\bs_\be_\bt_\be_\bn_\bv option is set in _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
- -e The \e[1m-e \e[22m(\e[4medit\e[24m) option indicates that, instead of running a
+ -e The -\b-e\be (_\be_\bd_\bi_\bt) option indicates that, instead of running a
command, the user wishes to edit one or more files. In
lieu of a command, the string "sudoedit" is used when
- consulting the \e[4msudoers\e[24m file. If the user is authorized by
- \e[4msudoers\e[24m the following steps are taken:
+ consulting the _\bs_\bu_\bd_\bo_\be_\br_\bs file. If the user is authorized by
+ _\bs_\bu_\bd_\bo_\be_\br_\bs the following steps are taken:
1. Temporary copies are made of the files to be edited
with the owner set to the invoking user.
2. The editor specified by the SUDO_EDITOR, VISUAL or
EDITOR environment variables is run to edit the
temporary files. If none of SUDO_EDITOR, VISUAL or
- EDITOR are set, the first program listed in the \e[4meditor\e[0m
- \e[4msudoers\e[24m variable is used.
+ EDITOR are set, the first program listed in the _\be_\bd_\bi_\bt_\bo_\br
+ _\bs_\bu_\bd_\bo_\be_\br_\bs variable is used.
3. If they have been modified, the temporary files are
copied back to their original location and the
temporary versions are removed.
If the specified file does not exist, it will be created.
- Note that unlike most commands run by \e[1msudo\e[22m, the editor is
+ Note that unlike most commands run by s\bsu\bud\bdo\bo, the editor is
run with the invoking user's environment unmodified. If,
- for some reason, \e[1msudo \e[22mis unable to update a file with its
+ for some reason, s\bsu\bud\bdo\bo is unable to update a file with its
edited version, the user will receive a warning and the
edited copy will remain in a temporary file.
- -g \e[4mgroup\e[24m Normally, \e[1msudo \e[22msets the primary group to the one specified
+ -g _\bg_\br_\bo_\bu_\bp Normally, s\bsu\bud\bdo\bo sets the primary group to the one specified
by the passwd database for the user the command is being
- run as (by default, root). The \e[1m-g \e[22m(\e[4mgroup\e[24m) option causes
- \e[1msudo \e[22mto run the specified command with the primary group
- set to \e[4mgroup\e[24m. To specify a \e[4mgid\e[24m instead of a \e[4mgroup\e[24m \e[4mname\e[24m,
- use \e[4m#gid\e[24m. When running commands as a \e[4mgid\e[24m, many shells
+ run as (by default, root). The -\b-g\bg (_\bg_\br_\bo_\bu_\bp) option causes
+ s\bsu\bud\bdo\bo to run the specified command with the primary group
+ set to _\bg_\br_\bo_\bu_\bp. To specify a _\bg_\bi_\bd instead of a _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be,
+ use _\b#_\bg_\bi_\bd. When running commands as a _\bg_\bi_\bd, many shells
require that the '#' be escaped with a backslash ('\'). If
- no \e[1m-u \e[22moption is specified, the command will be run as the
+ no -\b-u\bu option is specified, the command will be run as the
invoking user (not root). In either case, the primary
- group will be set to \e[4mgroup\e[24m.
+ group will be set to _\bg_\br_\bo_\bu_\bp.
- -H The \e[1m-H \e[22m(\e[4mHOME\e[24m) option sets the HOME environment variable to
+ -H The -\b-H\bH (_\bH_\bO_\bM_\bE) option sets the HOME environment variable to
the homedir of the target user (root by default) as
- specified in \e[4mpasswd\e[24m(4). The default handling of the HOME
- environment variable depends on \e[4msudoers\e[24m(4) settings. By
- default, \e[1msudo \e[22mwill set HOME if \e[4menv_reset\e[24m or \e[4malways_set_home\e[0m
- are set, or if \e[4mset_home\e[24m is set and the \e[1m-s \e[22moption is
+ specified in _\bp_\ba_\bs_\bs_\bw_\bd(4). The default handling of the HOME
+ environment variable depends on _\bs_\bu_\bd_\bo_\be_\br_\bs(4) settings. By
+ default, s\bsu\bud\bdo\bo will set HOME if _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt or _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be
+ are set, or if _\bs_\be_\bt_\b__\bh_\bo_\bm_\be is set and the -\b-s\bs option is
specified on the command line.
- -h The \e[1m-h \e[22m(\e[4mhelp\e[24m) option causes \e[1msudo \e[22mto print a short help
+ -h The -\b-h\bh (_\bh_\be_\bl_\bp) option causes s\bsu\bud\bdo\bo to print a short help
message to the standard output and exit.
-i [command]
- The \e[1m-i \e[22m(\e[4msimulate\e[24m \e[4minitial\e[24m \e[4mlogin\e[24m) option runs the shell
- specified in the \e[4mpasswd\e[24m(4) entry of the target user as a
+ The -\b-i\bi (_\bs_\bi_\bm_\bu_\bl_\ba_\bt_\be _\bi_\bn_\bi_\bt_\bi_\ba_\bl _\bl_\bo_\bg_\bi_\bn) option runs the shell
+ specified in the _\bp_\ba_\bs_\bs_\bw_\bd(4) entry of the target user as a
login shell. This means that login-specific resource files
such as .profile or .login will be read by the shell. If a
command is specified, it is passed to the shell for
execution. Otherwise, an interactive shell is executed.
- \e[1msudo \e[22mattempts to change to that user's home directory
+ s\bsu\bud\bdo\bo attempts to change to that user's home directory
before running the shell. It also initializes the
- environment, leaving \e[4mDISPLAY\e[24m and \e[4mTERM\e[24m unchanged, setting
- \e[4mHOME\e[24m, \e[4mMAIL\e[24m, \e[4mSHELL\e[24m, \e[4mUSER\e[24m, \e[4mLOGNAME\e[24m, and \e[4mPATH\e[24m, as well as the
- contents of \e[4m/etc/environment\e[24m on Linux and AIX systems. All
+ environment, leaving _\bD_\bI_\bS_\bP_\bL_\bA_\bY and _\bT_\bE_\bR_\bM unchanged, setting
+ _\bH_\bO_\bM_\bE, _\bM_\bA_\bI_\bL, _\bS_\bH_\bE_\bL_\bL, _\bU_\bS_\bE_\bR, _\bL_\bO_\bG_\bN_\bA_\bM_\bE, and _\bP_\bA_\bT_\bH, as well as the
+ contents of _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt on Linux and AIX systems. All
other environment variables are removed.
- -K The \e[1m-K \e[22m(sure \e[4mkill\e[24m) option is like \e[1m-k \e[22mexcept that it removes
+ -K The -\b-K\bK (sure _\bk_\bi_\bl_\bl) option is like -\b-k\bk except that it removes
the user's time stamp entirely and may not be used in
conjunction with a command or other option. This option
does not require a password.
- -k When used by itself, the \e[1m-k \e[22m(\e[4mkill\e[24m) option to \e[1msudo\e[0m
+ -k When used by itself, the -\b-k\bk (_\bk_\bi_\bl_\bl) option to s\bsu\bud\bdo\bo
invalidates the user's time stamp by setting the time on it
- to the Epoch. The next time \e[1msudo \e[22mis run a password will be
+ to the Epoch. The next time s\bsu\bud\bdo\bo is run a password will be
required. This option does not require a password and was
- added to allow a user to revoke \e[1msudo \e[22mpermissions from a
+ added to allow a user to revoke s\bsu\bud\bdo\bo permissions from a
.logout file.
When used in conjunction with a command or an option that
- may require a password, the \e[1m-k \e[22moption will cause \e[1msudo \e[22mto
- ignore the user's time stamp file. As a result, \e[1msudo \e[22mwill
- prompt for a password (if one is required by \e[4msudoers\e[24m) and
+ may require a password, the -\b-k\bk option will cause s\bsu\bud\bdo\bo to
+ ignore the user's time stamp file. As a result, s\bsu\bud\bdo\bo will
+ prompt for a password (if one is required by _\bs_\bu_\bd_\bo_\be_\br_\bs) and
will not update the user's time stamp file.
- -L The \e[1m-L \e[22m(\e[4mlist\e[24m defaults) option will list the parameters that
- may be set in a \e[4mDefaults\e[24m line along with a short
+ -L The -\b-L\bL (_\bl_\bi_\bs_\bt defaults) option will list the parameters that
+ may be set in a _\bD_\be_\bf_\ba_\bu_\bl_\bt_\bs line along with a short
description for each. This option will be removed from a
- future version of \e[1msudo\e[22m.
+ future version of s\bsu\bud\bdo\bo.
- -l[l] [\e[4mcommand\e[24m]
- If no \e[4mcommand\e[24m is specified, the \e[1m-l \e[22m(\e[4mlist\e[24m) option will list
+ -l[l] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
+ If no _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified, the -\b-l\bl (_\bl_\bi_\bs_\bt) option will list
the allowed (and forbidden) commands for the invoking user
- (or the user specified by the \e[1m-U \e[22moption) on the current
- host. If a \e[4mcommand\e[24m is specified and is permitted by
- \e[4msudoers\e[24m, the fully-qualified path to the command is
+ (or the user specified by the -\b-U\bU option) on the current
+ host. If a _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified and is permitted by
+ _\bs_\bu_\bd_\bo_\be_\br_\bs, the fully-qualified path to the command is
displayed along with any command line arguments. If
- \e[4mcommand\e[24m is specified but not allowed, \e[1msudo \e[22mwill exit with a
- status value of 1. If the \e[1m-l \e[22moption is specified with an \e[1ml\e[0m
- argument (i.e. \e[1m-ll\e[22m), or if \e[1m-l \e[22mis specified multiple times,
+ _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified but not allowed, s\bsu\bud\bdo\bo will exit with a
+ status value of 1. If the -\b-l\bl option is specified with an l\bl
+ argument (i.e. -\b-l\bll\bl), or if -\b-l\bl is specified multiple times,
a longer list format is used.
- -n The \e[1m-n \e[22m(\e[4mnon-interactive\e[24m) option prevents \e[1msudo \e[22mfrom
+ -n The -\b-n\bn (_\bn_\bo_\bn_\b-_\bi_\bn_\bt_\be_\br_\ba_\bc_\bt_\bi_\bv_\be) option prevents s\bsu\bud\bdo\bo from
prompting the user for a password. If a password is
- required for the command to run, \e[1msudo \e[22mwill display an error
+ required for the command to run, s\bsu\bud\bdo\bo will display an error
messages and exit.
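Review bot: the unchanged context `required for the command to run, sudo will display an error / messages and exit.` carries a pre-existing grammar error ("an error messages"); it should read "an error message and exit", fixed in the source the .cat page is generated from rather than in the generated page.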
- -P The \e[1m-P \e[22m(\e[4mpreserve\e[24m \e[4mgroup\e[24m \e[4mvector\e[24m) option causes \e[1msudo \e[22mto
+ -P The -\b-P\bP (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\bg_\br_\bo_\bu_\bp _\bv_\be_\bc_\bt_\bo_\br) option causes s\bsu\bud\bdo\bo to
preserve the invoking user's group vector unaltered. By
- default, \e[1msudo \e[22mwill initialize the group vector to the list
+ default, s\bsu\bud\bdo\bo will initialize the group vector to the list
of groups the target user is in. The real and effective
group IDs, however, are still set to match the target user.
- -p \e[4mprompt\e[24m The \e[1m-p \e[22m(\e[4mprompt\e[24m) option allows you to override the default
+ -p _\bp_\br_\bo_\bm_\bp_\bt The -\b-p\bp (_\bp_\br_\bo_\bm_\bp_\bt) option allows you to override the default
password prompt and use a custom one. The following
percent (`%') escapes are supported:
%H expanded to the local host name including the domain
name (on if the machine's host name is fully qualified
- or the \e[4mfqdn\e[24m \e[4msudoers\e[24m option is set)
+ or the _\bf_\bq_\bd_\bn _\bs_\bu_\bd_\bo_\be_\br_\bs option is set)
%h expanded to the local host name without the domain name
%p expanded to the user whose password is being asked for
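Review bot: in the unchanged context for the `%H` escape, `(on if the machine's host name is fully qualified` should read "only if"; the regeneration carried the typo forward, so it needs fixing in the source the .cat page is built from.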
- (respects the \e[4mrootpw\e[24m, \e[4mtargetpw\e[24m and \e[4mrunaspw\e[24m flags in
- \e[4msudoers\e[24m)
+ (respects the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and _\br_\bu_\bn_\ba_\bs_\bp_\bw flags in
+ _\bs_\bu_\bd_\bo_\be_\br_\bs)
%U expanded to the login name of the user the command will
be run as (defaults to root)
%% two consecutive % characters are collapsed into a
single % character
- The prompt specified by the \e[1m-p \e[22moption will override the
+ The prompt specified by the -\b-p\bp option will override the
system password prompt on systems that support PAM unless
- the \e[4mpassprompt_override\e[24m flag is disabled in \e[4msudoers\e[24m.
+ the _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be flag is disabled in _\bs_\bu_\bd_\bo_\be_\br_\bs.
- -r \e[4mrole\e[24m The \e[1m-r \e[22m(\e[4mrole\e[24m) option causes the new (SELinux) security
- context to have the role specified by \e[4mrole\e[24m.
+ -r _\br_\bo_\bl_\be The -\b-r\br (_\br_\bo_\bl_\be) option causes the new (SELinux) security
+ context to have the role specified by _\br_\bo_\bl_\be.
- -S The \e[1m-S \e[22m(\e[4mstdin\e[24m) option causes \e[1msudo \e[22mto read the password from
+ -S The -\b-S\bS (_\bs_\bt_\bd_\bi_\bn) option causes s\bsu\bud\bdo\bo to read the password from
the standard input instead of the terminal device. The
password must be followed by a newline character.
-s [command]
- The \e[1m-s \e[22m(\e[4mshell\e[24m) option runs the shell specified by the \e[4mSHELL\e[0m
+ The -\b-s\bs (_\bs_\bh_\be_\bl_\bl) option runs the shell specified by the _\bS_\bH_\bE_\bL_\bL
environment variable if it is set or the shell as specified
- in \e[4mpasswd\e[24m(4). If a command is specified, it is passed to
+ in _\bp_\ba_\bs_\bs_\bw_\bd(4). If a command is specified, it is passed to
the shell for execution. Otherwise, an interactive shell
is executed.
- -t \e[4mtype\e[24m The \e[1m-t \e[22m(\e[4mtype\e[24m) option causes the new (SELinux) security
- context to have the type specified by \e[4mtype\e[24m. If no type is
+ -t _\bt_\by_\bp_\be The -\b-t\bt (_\bt_\by_\bp_\be) option causes the new (SELinux) security
+ context to have the type specified by _\bt_\by_\bp_\be. If no type is
specified, the default type is derived from the specified
role.
- -U \e[4muser\e[24m The \e[1m-U \e[22m(\e[4mother\e[24m \e[4muser\e[24m) option is used in conjunction with the
- \e[1m-l \e[22moption to specify the user whose privileges should be
- listed. Only root or a user with \e[1msudo \e[22mALL on the current
+ -U _\bu_\bs_\be_\br The -\b-U\bU (_\bo_\bt_\bh_\be_\br _\bu_\bs_\be_\br) option is used in conjunction with the
+ -\b-l\bl option to specify the user whose privileges should be
+ listed. Only root or a user with s\bsu\bud\bdo\bo ALL on the current
host may use this option.
- -u \e[4muser\e[24m The \e[1m-u \e[22m(\e[4muser\e[24m) option causes \e[1msudo \e[22mto run the specified
- command as a user other than \e[4mroot\e[24m. To specify a \e[4muid\e[0m
- instead of a \e[4muser\e[24m \e[4mname\e[24m, use \e[4m#uid\e[24m. When running commands as
- a \e[4muid\e[24m, many shells require that the '#' be escaped with a
- backslash ('\'). Note that if the \e[4mtargetpw\e[24m Defaults option
- is set (see \e[4msudoers\e[24m(4)) it is not possible to run commands
+ -u _\bu_\bs_\be_\br The -\b-u\bu (_\bu_\bs_\be_\br) option causes s\bsu\bud\bdo\bo to run the specified
+ command as a user other than _\br_\bo_\bo_\bt. To specify a _\bu_\bi_\bd
+ instead of a _\bu_\bs_\be_\br _\bn_\ba_\bm_\be, use _\b#_\bu_\bi_\bd. When running commands as
+ a _\bu_\bi_\bd, many shells require that the '#' be escaped with a
+ backslash ('\'). Note that if the _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw Defaults option
+ is set (see _\bs_\bu_\bd_\bo_\be_\br_\bs(4)) it is not possible to run commands
with a uid not listed in the password database.
- -V The \e[1m-V \e[22m(\e[4mversion\e[24m) option causes \e[1msudo \e[22mto print the version
+ -V The -\b-V\bV (_\bv_\be_\br_\bs_\bi_\bo_\bn) option causes s\bsu\bud\bdo\bo to print the version
number and exit. If the invoking user is already root the
- \e[1m-V \e[22moption will print out a list of the defaults \e[1msudo \e[22mwas
+ -\b-V\bV option will print out a list of the defaults s\bsu\bud\bdo\bo was
compiled with as well as the machine's local network
addresses.
- -v If given the \e[1m-v \e[22m(\e[4mvalidate\e[24m) option, \e[1msudo \e[22mwill update the
+ -v If given the -\b-v\bv (_\bv_\ba_\bl_\bi_\bd_\ba_\bt_\be) option, s\bsu\bud\bdo\bo will update the
user's time stamp, prompting for the user's password if
- necessary. This extends the \e[1msudo \e[22mtimeout for another 5
- minutes (or whatever the timeout is set to in \e[4msudoers\e[24m) but
+ necessary. This extends the s\bsu\bud\bdo\bo timeout for another 5
+ minutes (or whatever the timeout is set to in _\bs_\bu_\bd_\bo_\be_\br_\bs) but
does not run a command.
- -- The \e[1m-- \e[22moption indicates that \e[1msudo \e[22mshould stop processing
+ -- The -\b--\b- option indicates that s\bsu\bud\bdo\bo should stop processing
command line arguments.
Environment variables to be set for the command may also be passed on
- the command line in the form of \e[1mVAR\e[22m=\e[4mvalue\e[24m, e.g.
- \e[1mLD_LIBRARY_PATH\e[22m=\e[4m/usr/local/pkg/lib\e[24m. Variables passed on the command
+ the command line in the form of V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be, e.g.
+ L\bLD\bD_\b_L\bLI\bIB\bBR\bRA\bAR\bRY\bY_\b_P\bPA\bAT\bTH\bH=_\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bp_\bk_\bg_\b/_\bl_\bi_\bb. Variables passed on the command
line are subject to the same restrictions as normal environment
- variables with one important exception. If the \e[4msetenv\e[24m option is set in
- \e[4msudoers\e[24m, the command to be run has the SETENV tag set or the command
+ variables with one important exception. If the _\bs_\be_\bt_\be_\bn_\bv option is set in
+ _\bs_\bu_\bd_\bo_\be_\br_\bs, the command to be run has the SETENV tag set or the command
matched is ALL, the user may set variables that would overwise be
- forbidden. See \e[4msudoers\e[24m(4) for more information.
+ forbidden. See _\bs_\bu_\bd_\bo_\be_\br_\bs(4) for more information.
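Review bot: "overwise" in the unchanged context line "the user may set variables that would overwise be forbidden" is a typo for "otherwise"; since this cat page is generated output, fix it in the man page source rather than here, or it will survive the next regeneration.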
-\e[1mRETURN VALUES\e[0m
- Upon successful execution of a program, the exit status from \e[1msudo \e[22mwill
+R\bRE\bET\bTU\bUR\bRN\bN V\bVA\bAL\bLU\bUE\bES\bS
+ Upon successful execution of a program, the exit status from s\bsu\bud\bdo\bo will
simply be the exit status of the program that was executed.
- Otherwise, \e[1msudo \e[22mquits with an exit value of 1 if there is a
- configuration/permission problem or if \e[1msudo \e[22mcannot execute the given
+ Otherwise, s\bsu\bud\bdo\bo quits with an exit value of 1 if there is a
+ configuration/permission problem or if s\bsu\bud\bdo\bo cannot execute the given
command. In the latter case the error string is printed to stderr. If
- \e[1msudo \e[22mcannot \e[4mstat\e[24m(2) one or more entries in the user's PATH an error is
+ s\bsu\bud\bdo\bo cannot _\bs_\bt_\ba_\bt(2) one or more entries in the user's PATH an error is
printed on stderr. (If the directory does not exist or if it is not
really a directory, the entry is ignored and no error is printed.)
This should not happen under normal circumstances. The most common
- reason for \e[4mstat\e[24m(2) to return "permission denied" is if you are running
+ reason for _\bs_\bt_\ba_\bt(2) to return "permission denied" is if you are running
an automounter and one of the directories in your PATH is on a machine
that is currently unreachable.
-\e[1mSECURITY NOTES\e[0m
- \e[1msudo \e[22mtries to be safe when executing external commands.
+S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
+ s\bsu\bud\bdo\bo tries to be safe when executing external commands.
There are two distinct ways to deal with environment variables. By
- default, the \e[4menv_reset\e[24m \e[4msudoers\e[24m option is enabled. This causes commands
+ default, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt _\bs_\bu_\bd_\bo_\be_\br_\bs option is enabled. This causes commands
to be executed with a minimal environment containing TERM, PATH, HOME,
SHELL, LOGNAME, USER and USERNAME in addition to variables from the
- invoking process permitted by the \e[4menv_check\e[24m and \e[4menv_keep\e[24m \e[4msudoers\e[0m
+ invoking process permitted by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bk_\be_\be_\bp _\bs_\bu_\bd_\bo_\be_\br_\bs
options. There is effectively a whitelist for environment variables.
- If, however, the \e[4menv_reset\e[24m option is disabled in \e[4msudoers\e[24m, any variables
- not explicitly denied by the \e[4menv_check\e[24m and \e[4menv_delete\e[24m options are
- inherited from the invoking process. In this case, \e[4menv_check\e[24m and
- \e[4menv_delete\e[24m behave like a blacklist. Since it is not possible to
+ If, however, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is disabled in _\bs_\bu_\bd_\bo_\be_\br_\bs, any variables
+ not explicitly denied by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be options are
+ inherited from the invoking process. In this case, _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and
+ _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be behave like a blacklist. Since it is not possible to
blacklist all potentially dangerous environment variables, use of the
- default \e[4menv_reset\e[24m behavior is encouraged.
+ default _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt behavior is encouraged.
In all cases, environment variables with a value beginning with () are
- removed as they could be interpreted as \e[1mbash \e[22mfunctions. The list of
- environment variables that \e[1msudo \e[22mallows or denies is contained in the
+ removed as they could be interpreted as b\bba\bas\bsh\bh functions. The list of
+ environment variables that s\bsu\bud\bdo\bo allows or denies is contained in the
output of sudo -V when run as root.
Note that the dynamic linker on most operating systems will remove
variables that can control dynamic linking from the environment of
- setuid executables, including \e[1msudo\e[22m. Depending on the operating system
+ setuid executables, including s\bsu\bud\bdo\bo. Depending on the operating system
this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and
others. These type of variables are removed from the environment
- before \e[1msudo \e[22meven begins execution and, as such, it is not possible for
- \e[1msudo \e[22mto preserve them.
+ before s\bsu\bud\bdo\bo even begins execution and, as such, it is not possible for
+ s\bsu\bud\bdo\bo to preserve them.
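Review bot: "These type of variables are removed from the environment" in the unchanged context should read "These types of variables" (or "Variables of this type"); the sentence is worth getting right because it is the one place the page explains that LD_*, DYLD_* and similar linker variables are stripped by the dynamic linker before sudo runs and therefore cannot be preserved by env_keep.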
- To prevent command spoofing, \e[1msudo \e[22mchecks "." and "" (both denoting
+ To prevent command spoofing, s\bsu\bud\bdo\bo checks "." and "" (both denoting
current directory) last when searching for a command in the user's PATH
(if one or both are in the PATH). Note, however, that the actual PATH
- environment variable is \e[4mnot\e[24m modified and is passed unchanged to the
- program that \e[1msudo \e[22mexecutes.
+ environment variable is _\bn_\bo_\bt modified and is passed unchanged to the
+ program that s\bsu\bud\bdo\bo executes.
- \e[1msudo \e[22mwill check the ownership of its time stamp directory
- (\e[4m/var/adm/sudo\e[24m by default) and ignore the directory's contents if it is
+ s\bsu\bud\bdo\bo will check the ownership of its time stamp directory
+ (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo by default) and ignore the directory's contents if it is
not owned by root or if it is writable by a user other than root. On
- systems that allow non-root users to give away files via \e[4mchown\e[24m(2), if
+ systems that allow non-root users to give away files via _\bc_\bh_\bo_\bw_\bn(2), if
the time stamp directory is located in a directory writable by anyone
- (e.g., \e[4m/tmp\e[24m), it is possible for a user to create the time stamp
- directory before \e[1msudo \e[22mis run. However, because \e[1msudo \e[22mchecks the
+ (e.g., _\b/_\bt_\bm_\bp), it is possible for a user to create the time stamp
+ directory before s\bsu\bud\bdo\bo is run. However, because s\bsu\bud\bdo\bo checks the
ownership and mode of the directory and its contents, the only damage
that can be done is to "hide" files by putting them in the time stamp
dir. This is unlikely to happen since once the time stamp dir is owned
by root and inaccessible by any other user, the user placing files
there would be unable to get them back out. To get around this issue
you can use a directory that is not world-writable for the time stamps
- (\e[4m/var/adm/sudo\e[24m for instance) or create \e[4m/var/adm/sudo\e[24m with the
+ (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo for instance) or create _\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo with the
appropriate owner (root) and permissions (0700) in the system startup
files.
- \e[1msudo \e[22mwill not honor time stamps set far in the future. Timestamps with
+ s\bsu\bud\bdo\bo will not honor time stamps set far in the future. Timestamps with
a date greater than current_time + 2 * TIMEOUT will be ignored and sudo
will log and complain. This is done to keep a user from creating
his/her own time stamp with a bogus date on systems that allow users to
give away files.
- On systems where the boot time is available, \e[1msudo \e[22mwill also not honor
+ On systems where the boot time is available, s\bsu\bud\bdo\bo will also not honor
time stamps from before the machine booted.
Since time stamp files live in the file system, they can outlive a
user's login session. As a result, a user may be able to login, run a
- command with \e[1msudo \e[22mafter authenticating, logout, login again, and run
- \e[1msudo \e[22mwithout authenticating so long as the time stamp file's
+ command with s\bsu\bud\bdo\bo after authenticating, logout, login again, and run
+ s\bsu\bud\bdo\bo without authenticating so long as the time stamp file's
modification time is within 5 minutes (or whatever the timeout is set
- to in \e[4msudoers\e[24m). When the \e[4mtty_tickets\e[24m option is enabled in \e[4msudoers\e[24m, the
+ to in _\bs_\bu_\bd_\bo_\be_\br_\bs). When the _\bt_\bt_\by_\b__\bt_\bi_\bc_\bk_\be_\bt_\bs option is enabled in _\bs_\bu_\bd_\bo_\be_\br_\bs, the
time stamp has per-tty granularity but still may outlive the user's
session. On Linux systems where the devpts filesystem is used, Solaris
systems with the devices filesystem, as well as other systems that
utilize a devfs filesystem that monotonically increase the inode number
- of devices as they are created (such as Mac OS X), \e[1msudo \e[22mis able to
+ of devices as they are created (such as Mac OS X), s\bsu\bud\bdo\bo is able to
determine when a tty-based time stamp file is stale and will ignore it.
Administrators should not rely on this feature as it is not universally
available.
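Review bot: two grammar points in the unchanged tty_tickets paragraph: "a user may be able to login, ... logout, login again" uses the nouns where the verbs "log in" and "log out" are meant, and "a devfs filesystem that monotonically increase the inode number" should be "increases" (the subject is the filesystem). Both belong in the man page source, not the generated cat file.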
- Please note that \e[1msudo \e[22mwill normally only log the command it explicitly
+ Please note that s\bsu\bud\bdo\bo will normally only log the command it explicitly
runs. If a user runs a command such as sudo su or sudo sh, subsequent
- commands run from that shell will \e[4mnot\e[24m be logged, nor will \e[1msudo\e[22m's access
+ commands run from that shell will _\bn_\bo_\bt be logged, nor will s\bsu\bud\bdo\bo's access
control affect them. The same is true for commands that offer shell
escapes (including most editors). Because of this, care must be taken
- when giving users access to commands via \e[1msudo \e[22mto verify that the
+ when giving users access to commands via s\bsu\bud\bdo\bo to verify that the
command does not inadvertently give the user an effective root shell.
For more information, please see the PREVENTING SHELL ESCAPES section
- in \e[4msudoers\e[24m(4).
+ in _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
-\e[1mENVIRONMENT\e[0m
- \e[1msudo \e[22mutilizes the following environment variables:
+E\bEN\bNV\bVI\bIR\bRO\bON\bNM\bME\bEN\bNT\bT
+ s\bsu\bud\bdo\bo utilizes the following environment variables:
- EDITOR Default editor to use in \e[1m-e \e[22m(sudoedit) mode if neither
+ EDITOR Default editor to use in -\b-e\be (sudoedit) mode if neither
SUDO_EDITOR nor VISUAL is set
- MAIL In \e[1m-i \e[22mmode or when \e[4menv_reset\e[24m is enabled in \e[4msudoers\e[24m, set
+ MAIL In -\b-i\bi mode or when _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt is enabled in _\bs_\bu_\bd_\bo_\be_\br_\bs, set
to the mail spool of the target user
- HOME Set to the home directory of the target user if \e[1m-i \e[22mor
- \e[1m-H \e[22mare specified, \e[4menv_reset\e[24m or \e[4malways_set_home\e[24m are set
- in \e[4msudoers\e[24m, or when the \e[1m-s \e[22moption is specified and
- \e[4mset_home\e[24m is set in \e[4msudoers\e[0m
+ HOME Set to the home directory of the target user if -\b-i\bi or
+ -\b-H\bH are specified, _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt or _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be are set
+ in _\bs_\bu_\bd_\bo_\be_\br_\bs, or when the -\b-s\bs option is specified and
+ _\bs_\be_\bt_\b__\bh_\bo_\bm_\be is set in _\bs_\bu_\bd_\bo_\be_\br_\bs
- PATH Set to a sane value if the \e[4msecure_path\e[24m sudoers option
+ PATH Set to a sane value if the _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh sudoers option
is set.
SHELL Used to determine shell to run with -s option
SUDO_COMMAND Set to the command run by sudo
- SUDO_EDITOR Default editor to use in \e[1m-e \e[22m(sudoedit) mode
+ SUDO_EDITOR Default editor to use in -\b-e\be (sudoedit) mode
SUDO_GID Set to the group ID of the user who invoked sudo
SUDO_USER Set to the login of the user who invoked sudo
- USER Set to the target user (root unless the \e[1m-u \e[22moption is
+ USER Set to the target user (root unless the -\b-u\bu option is
specified)
- VISUAL Default editor to use in \e[1m-e \e[22m(sudoedit) mode if
+ VISUAL Default editor to use in -\b-e\be (sudoedit) mode if
SUDO_EDITOR is not set
-\e[1mFILES\e[0m
- \e[4m/etc/sudoers\e[24m List of who can run what
+F\bFI\bIL\bLE\bES\bS
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
- \e[4m/var/adm/sudo\e[24m Directory containing time stamps
+ _\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo Directory containing time stamps
- \e[4m/etc/environment\e[24m Initial environment for \e[1m-i \e[22mmode on Linux and
+ _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt Initial environment for -\b-i\bi mode on Linux and
AIX
-\e[1mEXAMPLES\e[0m
- Note: the following examples assume suitable \e[4msudoers\e[24m(4) entries.
+E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
+ Note: the following examples assume suitable _\bs_\bu_\bd_\bo_\be_\br_\bs(4) entries.
To get a file listing of an unreadable directory:
$ sudo -u yaz ls ~yaz
- To edit the \e[4mindex.html\e[24m file as user www:
+ To edit the _\bi_\bn_\bd_\be_\bx_\b._\bh_\bt_\bm_\bl file as user www:
$ sudo -u www vi ~www/htdocs/index.html
$ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
-\e[1mSEE ALSO\e[0m
- \e[4mgrep\e[24m(1), \e[4msu\e[24m(1), \e[4mstat\e[24m(2), \e[4mlogin_cap\e[24m(3), \e[4mpasswd\e[24m(4), \e[4msudoers\e[24m(5),
- \e[4mvisudo\e[24m(1m)
+S\bSE\bEE\bE A\bAL\bLS\bSO\bO
+ _\bg_\br_\be_\bp(1), _\bs_\bu(1), _\bs_\bt_\ba_\bt(2), _\bl_\bo_\bg_\bi_\bn_\b__\bc_\ba_\bp(3), _\bp_\ba_\bs_\bs_\bw_\bd(4), _\bs_\bu_\bd_\bo_\be_\br_\bs(5),
+ _\bv_\bi_\bs_\bu_\bd_\bo(1m)
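Review bot: the SEE ALSO list cites `sudoers(5)` while the body of the same generated page cites `sudoers(4)` (in "See sudoers(4) for more information", "PREVENTING SHELL ESCAPES section in sudoers(4)" and the EXAMPLES note); one cross-reference is being built with a different manual-section substitution than the others. Check that the same section macro is used for the SEE ALSO line as for the in-text references so the regenerated page is self-consistent.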
-\e[1mAUTHORS\e[0m
- Many people have worked on \e[1msudo \e[22mover the years; this version consists
+A\bAU\bUT\bTH\bHO\bOR\bRS\bS
+ Many people have worked on s\bsu\bud\bdo\bo over the years; this version consists
of code written primarily by:
Todd C. Miller
- See the HISTORY file in the \e[1msudo \e[22mdistribution or visit
- http://www.sudo.ws/sudo/history.html for a short history of \e[1msudo\e[22m.
+ See the HISTORY file in the s\bsu\bud\bdo\bo distribution or visit
+ http://www.sudo.ws/sudo/history.html for a short history of s\bsu\bud\bdo\bo.
-\e[1mCAVEATS\e[0m
+C\bCA\bAV\bVE\bEA\bAT\bTS\bS
There is no easy way to prevent a user from gaining a root shell if
- that user is allowed to run arbitrary commands via \e[1msudo\e[22m. Also, many
+ that user is allowed to run arbitrary commands via s\bsu\bud\bdo\bo. Also, many
programs (such as editors) allow the user to run commands via shell
- escapes, thus avoiding \e[1msudo\e[22m's checks. However, on most systems it is
- possible to prevent shell escapes with \e[1msudo\e[22m's \e[4mnoexec\e[24m functionality.
- See the \e[4msudoers\e[24m(4) manual for details.
+ escapes, thus avoiding s\bsu\bud\bdo\bo's checks. However, on most systems it is
+ possible to prevent shell escapes with s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality.
+ See the _\bs_\bu_\bd_\bo_\be_\br_\bs(4) manual for details.
It is not meaningful to run the cd command directly via sudo, e.g.,
their own program that gives them a root shell regardless of any '!'
elements in the user specification.
- Running shell scripts via \e[1msudo \e[22mcan expose the same kernel bugs that
+ Running shell scripts via s\bsu\bud\bdo\bo can expose the same kernel bugs that
make setuid shell scripts unsafe on some operating systems (if your OS
has a /dev/fd/ directory, setuid shell scripts are generally safe).
-\e[1mBUGS\e[0m
- If you feel you have found a bug in \e[1msudo\e[22m, please submit a bug report at
+B\bBU\bUG\bGS\bS
+ If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
http://www.sudo.ws/sudo/bugs/
-\e[1mSUPPORT\e[0m
+S\bSU\bUP\bPP\bPO\bOR\bRT\bT
Limited free support is available via the sudo-users mailing list, see
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
the archives.
-\e[1mDISCLAIMER\e[0m
- \e[1msudo \e[22mis provided ``AS IS'' and any express or implied warranties,
+D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
+ s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose are disclaimed.
- See the LICENSE file distributed with \e[1msudo \e[22mor
+ See the LICENSE file distributed with s\bsu\bud\bdo\bo or
http://www.sudo.ws/sudo/license.html for complete details.
-1.7.7 August 13, 2011 SUDO(1m)
+1.7.8 September 16, 2011 SUDO(1m)
.\" ========================================================================
.\"
.IX Title "SUDO @mansectsu@"
-.TH SUDO @mansectsu@ "August 13, 2011" "1.7.7" "MAINTENANCE COMMANDS"
+.TH SUDO @mansectsu@ "September 16, 2011" "1.7.8" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
-\e[1mNAME\e[0m
+N\bNA\bAM\bME\bE
sudoers - list of which users may execute what
-\e[1mDESCRIPTION\e[0m
- The \e[4msudoers\e[24m file is composed of two types of entries: aliases
+D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs file is composed of two types of entries: aliases
(basically variables) and user specifications (which specify who may
run what).
Where there are multiple matches, the last match is used (which is not
necessarily the most specific match).
- The \e[4msudoers\e[24m grammar will be described below in Extended Backus-Naur
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs grammar will be described below in Extended Backus-Naur
Form (EBNF). Don't despair if you don't know what EBNF is; it is
fairly simple, and the definitions below are annotated.
- \e[1mQuick guide to EBNF\e[0m
+ Q\bQu\bui\bic\bck\bk g\bgu\bui\bid\bde\be t\bto\bo E\bEB\bBN\bNF\bF
EBNF is a concise and exact way of describing the grammar of a
- language. Each EBNF definition is made up of \e[4mproduction\e[24m \e[4mrules\e[24m. E.g.,
+ language. Each EBNF definition is made up of _\bp_\br_\bo_\bd_\bu_\bc_\bt_\bi_\bo_\bn _\br_\bu_\bl_\be_\bs. E.g.,
symbol ::= definition | alternate1 | alternate2 ...
- Each \e[4mproduction\e[24m \e[4mrule\e[24m references others and thus makes up a grammar for
+ Each _\bp_\br_\bo_\bd_\bu_\bc_\bt_\bi_\bo_\bn _\br_\bu_\bl_\be references others and thus makes up a grammar for
the language. EBNF also contains the following operators, which many
readers will recognize from regular expressions. Do not, however,
confuse them with "wildcard" characters, which have different meanings.
will use single quotes ('') to designate what is a verbatim character
string (as opposed to a symbol name).
- \e[1mAliases\e[0m
+ A\bAl\bli\bia\bas\bse\bes\bs
There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias
and Cmnd_Alias.
NAME ::= [A-Z]([A-Z][0-9]_)*
- Each \e[4malias\e[24m definition is of the form
+ Each _\ba_\bl_\bi_\ba_\bs definition is of the form
Alias_Type NAME = item1, item2, ...
- where \e[4mAlias_Type\e[24m is one of User_Alias, Runas_Alias, Host_Alias, or
+ where _\bA_\bl_\bi_\ba_\bs_\b__\bT_\by_\bp_\be is one of User_Alias, Runas_Alias, Host_Alias, or
Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and
- underscore characters ('_'). A NAME \e[1mmust \e[22mstart with an uppercase
+ underscore characters ('_'). A NAME m\bmu\bus\bst\bt start with an uppercase
letter. It is possible to put several alias definitions of the same
type on a single line, joined by a colon (':'). E.g.,
Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
- The definitions of what constitutes a valid \e[4malias\e[24m member follow.
+ The definitions of what constitutes a valid _\ba_\bl_\bi_\ba_\bs member follow.
User_List ::= User |
User ',' User_List
A Host_List is made up of one or more host names, IP addresses, network
numbers, netgroups (prefixed with '+') and other aliases. Again, the
value of an item may be negated with the '!' operator. If you do not
- specify a netmask along with the network number, \e[1msudo \e[22mwill query each
+ specify a netmask along with the network number, s\bsu\bud\bdo\bo will query each
of the local host's network interfaces and, if the network number
corresponds to one of the hosts's network interfaces, the corresponding
netmask will be used. The netmask may be specified either in standard
CIDR notation (number of bits, e.g. 24 or 64). A host name may include
shell-style wildcards (see the Wildcards section below), but unless the
host name command on your machine returns the fully qualified host
- name, you'll need to use the \e[4mfqdn\e[24m option for wildcards to be useful.
- Note \e[1msudo \e[22monly inspects actual network interfaces; this means that IP
+ name, you'll need to use the _\bf_\bq_\bd_\bn option for wildcards to be useful.
+ Note s\bsu\bud\bdo\bo only inspects actual network interfaces; this means that IP
address 127.0.0.1 (localhost) will never match. Also, the host name
"localhost" will only match if that is the actual host name, which is
usually only the case for non-networked systems.
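Review bot: in the unchanged Host_List paragraph, "one of the hosts's network interfaces" should be "host's", and "The netmask may be specified either in standard CIDR notation (number of bits, e.g. 24 or 64)." has an "either" with no "or" clause as it stands; either drop "either" or restore the alternative notation the sentence was meant to contrast with. Both are source-text fixes for the man page source.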
simple file name allows the user to run the command with any arguments
he/she wishes. However, you may also specify command line arguments
(including wildcards). Alternately, you can specify "" to indicate
- that the command may only be run \e[1mwithout \e[22mcommand line arguments. A
+ that the command may only be run w\bwi\bit\bth\bho\bou\but\bt command line arguments. A
directory is a fully qualified path name ending in a '/'. When you
specify a directory in a Cmnd_List, the user will be able to run any
file within that directory (but not in any subdirectories therein).
(or match the wildcards if there are any). Note that the following
characters must be escaped with a '\' if they are used in command
arguments: ',', ':', '=', '\'. The special command "sudoedit" is used
- to permit a user to run \e[1msudo \e[22mwith the \e[1m-e \e[22moption (or as \e[1msudoedit\e[22m). It
+ to permit a user to run s\bsu\bud\bdo\bo with the -\b-e\be option (or as s\bsu\bud\bdo\boe\bed\bdi\bit\bt). It
may take command line arguments just as a normal command does.
- \e[1mDefaults\e[0m
+ D\bDe\bef\bfa\bau\bul\blt\bts\bs
Certain configuration options may be changed from their default values
at runtime via one or more Default_Entry lines. These may affect all
users on any host, all users on a specific host, a specific user, a
Parameter '-=' Value |
'!'* Parameter
- Parameters may be \e[1mflags\e[22m, \e[1minteger \e[22mvalues, \e[1mstrings\e[22m, or \e[1mlists\e[22m. Flags are
+ Parameters may be f\bfl\bla\bag\bgs\bs, i\bin\bnt\bte\beg\bge\ber\br values, s\bst\btr\bri\bin\bng\bgs\bs, or l\bli\bis\bst\bts\bs. Flags are
implicitly boolean and can be turned off via the '!' operator. Some
integer, string and list parameters may also be used in a boolean
context to disable them. Values may be enclosed in double quotes (")
See "SUDOERS OPTIONS" for a list of supported Defaults parameters.
- \e[1mUser Specification\e[0m
+ U\bUs\bse\ber\br S\bSp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn
User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
(':' Host_List '=' Cmnd_Spec_List)*
'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
- A \e[1muser specification \e[22mdetermines which commands a user may run (and as
- what user) on specified hosts. By default, commands are run as \e[1mroot\e[22m,
+ A u\bus\bse\ber\br s\bsp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn determines which commands a user may run (and as
+ what user) on specified hosts. By default, commands are run as r\bro\boo\bot\bt,
but this can be changed on a per-command basis.
The basic structure of a user specification is `who where = (as_whom)
what'. Let's break that down into its constituent parts:
- \e[1mRunas_Spec\e[0m
+ R\bRu\bun\bna\bas\bs_\b_S\bSp\bpe\bec\bc
A Runas_Spec determines the user and/or the group that a command may be
run as. A fully-specified Runas_Spec consists of two Runas_Lists (as
defined above) separated by a colon (':') and enclosed in a set of
parentheses. The first Runas_List indicates which users the command
- may be run as via \e[1msudo\e[22m's \e[1m-u \e[22moption. The second defines a list of
- groups that can be specified via \e[1msudo\e[22m's \e[1m-g \e[22moption. If both Runas_Lists
+ may be run as via s\bsu\bud\bdo\bo's -\b-u\bu option. The second defines a list of
+ groups that can be specified via s\bsu\bud\bdo\bo's -\b-g\bg option. If both Runas_Lists
are specified, the command may be run with any combination of users and
groups listed in their respective Runas_Lists. If only the first is
- specified, the command may be run as any user in the list but no \e[1m-g\e[0m
+ specified, the command may be run as any user in the list but no -\b-g\bg
option may be specified. If the first Runas_List is empty but the
second is specified, the command may be run as the invoking user with
the group set to any listed in the Runas_List. If no Runas_Spec is
- specified the command may be run as \e[1mroot \e[22mand no group may be specified.
+ specified the command may be run as r\bro\boo\bot\bt and no group may be specified.
A Runas_Spec sets the default for the commands that follow it. What
this means is that for the entry:
dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
- The user \e[1mdgb \e[22mmay run \e[4m/bin/ls\e[24m, \e[4m/bin/kill\e[24m, and \e[4m/usr/bin/lprm\e[24m -- but only
- as \e[1moperator\e[22m. E.g.,
+ The user d\bdg\bgb\bb may run _\b/_\bb_\bi_\bn_\b/_\bl_\bs, _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm -- but only
+ as o\bop\bpe\ber\bra\bat\bto\bor\br. E.g.,
$ sudo -u operator /bin/ls
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
- Then user \e[1mdgb \e[22mis now allowed to run \e[4m/bin/ls\e[24m as \e[1moperator\e[22m, but \e[4m/bin/kill\e[0m
- and \e[4m/usr/bin/lprm\e[24m as \e[1mroot\e[22m.
+ Then user d\bdg\bgb\bb is now allowed to run _\b/_\bb_\bi_\bn_\b/_\bl_\bs as o\bop\bpe\ber\bra\bat\bto\bor\br, but _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl
+ and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as r\bro\boo\bot\bt.
- We can extend this to allow \e[1mdgb \e[22mto run /bin/ls with either the user or
- group set to \e[1moperator\e[22m:
+ We can extend this to allow d\bdg\bgb\bb to run /bin/ls with either the user or
+ group set to o\bop\bpe\ber\bra\bat\bto\bor\br:
dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \
/usr/bin/lprm
$ sudo -u operator -g operator /bin/ls
$ sudo -g operator /bin/ls
- In the following example, user \e[1mtcm \e[22mmay run commands that access a modem
+ In the following example, user t\btc\bcm\bm may run commands that access a modem
device file with the dialer group.
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
/usr/local/bin/minicom
Note that in this example only the group will be set, the command still
- runs as user \e[1mtcm\e[22m. E.g.
+ runs as user t\btc\bcm\bm. E.g.
$ sudo -g dialer /usr/bin/cu
Multiple users and groups may be present in a Runas_Spec, in which case
- the user may select any combination of users and groups via the \e[1m-u \e[22mand
- \e[1m-g \e[22moptions. In this example:
+ the user may select any combination of users and groups via the -\b-u\bu and
+ -\b-g\bg options. In this example:
alan ALL = (root, bin : operator, system) ALL
- user \e[1malan \e[22mmay run any command as either user root or bin, optionally
+ user a\bal\bla\ban\bn may run any command as either user root or bin, optionally
setting the group to operator or system.
- \e[1mSELinux_Spec\e[0m
- On systems with SELinux support, \e[4msudoers\e[24m entries may optionally have an
+ S\bSE\bEL\bLi\bin\bnu\bux\bx_\b_S\bSp\bpe\bec\bc
+ On systems with SELinux support, _\bs_\bu_\bd_\bo_\be_\br_\bs entries may optionally have an
SELinux role and/or type associated with a command. If a role or type
is specified with the command it will override any default values
- specified in \e[4msudoers\e[24m. A role or type specified on the command line,
- however, will supercede the values in \e[4msudoers\e[24m.
+ specified in _\bs_\bu_\bd_\bo_\be_\br_\bs. A role or type specified on the command line,
+ however, will supercede the values in _\bs_\bu_\bd_\bo_\be_\br_\bs.
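Review bot: "supercede" in the SELinux_Spec paragraph should be "supersede"; the misspelling is present in both the removed and the added line, so it is in the man page source and the regeneration simply carried it forward.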
- \e[1mTag_Spec\e[0m
+ T\bTa\bag\bg_\b_S\bSp\bpe\bec\bc
A command may have zero or more tags associated with it. There are
eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV,
NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a
the tag unless it is overridden by the opposite tag (i.e.: PASSWD
overrides NOPASSWD and NOEXEC overrides EXEC).
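Review bot: the unchanged Tag_Spec paragraph says "There are eight possible tag values" and then lists ten (NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT), and the Cmnd_Spec grammar shown above likewise includes the LOG_INPUT and LOG_OUTPUT pairs; update the count to ten in the man page source, or drop the number and let the list speak for itself.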
- \e[4mNOPASSWD\e[24m \e[4mand\e[24m \e[4mPASSWD\e[0m
+ _\bN_\bO_\bP_\bA_\bS_\bS_\bW_\bD _\ba_\bn_\bd _\bP_\bA_\bS_\bS_\bW_\bD
- By default, \e[1msudo \e[22mrequires that a user authenticate him or herself
+ By default, s\bsu\bud\bdo\bo requires that a user authenticate him or herself
before running a command. This behavior can be modified via the
NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for
the commands that follow it in the Cmnd_Spec_List. Conversely, the
ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
- would allow the user \e[1mray \e[22mto run \e[4m/bin/kill\e[24m, \e[4m/bin/ls\e[24m, and \e[4m/usr/bin/lprm\e[0m
- as \e[1mroot \e[22mon the machine rushmore without authenticating himself. If we
- only want \e[1mray \e[22mto be able to run \e[4m/bin/kill\e[24m without a password the entry
+ would allow the user r\bra\bay\by to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, _\b/_\bb_\bi_\bn_\b/_\bl_\bs, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm
+ as r\bro\boo\bot\bt on the machine rushmore without authenticating himself. If we
+ only want r\bra\bay\by to be able to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl without a password the entry
would be:
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
Note, however, that the PASSWD tag has no effect on users who are in
- the group specified by the \e[4mexempt_group\e[24m option.
+ the group specified by the _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option.
By default, if the NOPASSWD tag is applied to any of the entries for a
user on the current host, he or she will be able to run sudo -l without
pertain to the current host. This behavior may be overridden via the
verifypw and listpw options.
- \e[4mNOEXEC\e[24m \e[4mand\e[24m \e[4mEXEC\e[0m
+ _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC
- If \e[1msudo \e[22mhas been compiled with \e[4mnoexec\e[24m support and the underlying
+ If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the underlying
operating system supports it, the NOEXEC tag can be used to prevent a
dynamically-linked executable from running further commands itself.
- In the following example, user \e[1maaron \e[22mmay run \e[4m/usr/bin/more\e[24m and
- \e[4m/usr/bin/vi\e[24m but shell escapes will be disabled.
+ In the following example, user a\baa\bar\bro\bon\bn may run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and
+ _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi but shell escapes will be disabled.
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
See the "PREVENTING SHELL ESCAPES" section below for more details on
how NOEXEC works and whether or not it will work on your system.
- \e[4mSETENV\e[24m \e[4mand\e[24m \e[4mNOSETENV\e[0m
+ _\bS_\bE_\bT_\bE_\bN_\bV _\ba_\bn_\bd _\bN_\bO_\bS_\bE_\bT_\bE_\bN_\bV
- These tags override the value of the \e[4msetenv\e[24m option on a per-command
+ These tags override the value of the _\bs_\be_\bt_\be_\bn_\bv option on a per-command
basis. Note that if SETENV has been set for a command, the user may
- disable the \e[4menv_reset\e[24m option from the command line via the \e[1m-E \e[22moption.
+ disable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option from the command line via the -\b-E\bE option.
Additionally, environment variables set on the command line are not
- subject to the restrictions imposed by \e[4menv_check\e[24m, \e[4menv_delete\e[24m, or
- \e[4menv_keep\e[24m. As such, only trusted users should be allowed to set
- variables in this manner. If the command matched is \e[1mALL\e[22m, the SETENV
+ subject to the restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or
+ _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such, only trusted users should be allowed to set
+ variables in this manner. If the command matched is A\bAL\bLL\bL, the SETENV
tag is implied for that command; this default may be overridden by use
of the NOSETENV tag.
- \e[4mLOG_INPUT\e[24m \e[4mand\e[24m \e[4mNOLOG_INPUT\e[0m
+ _\bL_\bO_\bG_\b__\bI_\bN_\bP_\bU_\bT _\ba_\bn_\bd _\bN_\bO_\bL_\bO_\bG_\b__\bI_\bN_\bP_\bU_\bT
- These tags override the value of the \e[4mlog_input\e[24m option on a per-command
- basis. For more information, see the description of \e[4mlog_input\e[24m in the
+ These tags override the value of the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt option on a per-command
+ basis. For more information, see the description of _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt in the
"SUDOERS OPTIONS" section below.
- \e[4mLOG_OUTPUT\e[24m \e[4mand\e[24m \e[4mNOLOG_OUTPUT\e[0m
+ _\bL_\bO_\bG_\b__\bO_\bU_\bT_\bP_\bU_\bT _\ba_\bn_\bd _\bN_\bO_\bL_\bO_\bG_\b__\bO_\bU_\bT_\bP_\bU_\bT
- These tags override the value of the \e[4mlog_output\e[24m option on a per-command
- basis. For more information, see the description of \e[4mlog_output\e[24m in the
+ These tags override the value of the _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt option on a per-command
+ basis. For more information, see the description of _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt in the
"SUDOERS OPTIONS" section below.
- \e[1mWildcards\e[0m
- \e[1msudo \e[22mallows shell-style \e[4mwildcards\e[24m (aka meta or glob characters) to be
+ W\bWi\bil\bld\bdc\bca\bar\brd\bds\bs
+ s\bsu\bud\bdo\bo allows shell-style _\bw_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs (aka meta or glob characters) to be
used in host names, path names and command line arguments in the
- \e[4msudoers\e[24m file. Wildcard matching is done via the \e[1mPOSIX \e[4m\e[22mglob\e[24m(3) and
- \e[4mfnmatch\e[24m(3) routines. Note that these are \e[4mnot\e[24m regular expressions.
+ _\bs_\bu_\bd_\bo_\be_\br_\bs file. Wildcard matching is done via the P\bPO\bOS\bSI\bIX\bX _\bg_\bl_\bo_\bb(3) and
+ _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) routines. Note that these are _\bn_\bo_\bt regular expressions.
* Matches any set of zero or more characters.
[...] Matches any character in the specified range.
- [!...] Matches any character \e[1mnot \e[22min the specified range.
+ [!...] Matches any character n\bno\bot\bt in the specified range.
\x For any character "x", evaluates to "x". This is used to
escape special characters such as: "*", "?", "[", and "}".
- POSIX character classes may also be used if your system's \e[4mglob\e[24m(3) and
- \e[4mfnmatch\e[24m(3) functions support them. However, because the ':' character
- has special meaning in \e[4msudoers\e[24m, it must be escaped. For example:
+ POSIX character classes may also be used if your system's _\bg_\bl_\bo_\bb(3) and
+ _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) functions support them. However, because the ':' character
+ has special meaning in _\bs_\bu_\bd_\bo_\be_\br_\bs, it must be escaped. For example:
/bin/ls [[\:alpha\:]]*
Would match any file name beginning with a letter.
- Note that a forward slash ('/') will \e[1mnot \e[22mbe matched by wildcards used
+ Note that a forward slash ('/') will n\bno\bot\bt be matched by wildcards used
in the path name. When matching the command line arguments, however, a
- slash \e[1mdoes \e[22mget matched by wildcards. This is to make a path like:
+ slash d\bdo\boe\bes\bs get matched by wildcards. This is to make a path like:
/usr/bin/*
- match \e[4m/usr/bin/who\e[24m but not \e[4m/usr/bin/X11/xterm\e[24m.
+ match _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bw_\bh_\bo but not _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bX_\b1_\b1_\b/_\bx_\bt_\be_\br_\bm.
- \e[1mExceptions to wildcard rules\e[0m
+ E\bEx\bxc\bce\bep\bpt\bti\bio\bon\bns\bs t\bto\bo w\bwi\bil\bld\bdc\bca\bar\brd\bd r\bru\bul\ble\bes\bs
The following exceptions apply to the above rules:
"" If the empty string "" is the only command line argument in the
- \e[4msudoers\e[24m entry it means that command is not allowed to be run
- with \e[1many \e[22marguments.
+ _\bs_\bu_\bd_\bo_\be_\br_\bs entry it means that command is not allowed to be run
+ with a\ban\bny\by arguments.
- \e[1mIncluding other files from within sudoers\e[0m
- It is possible to include other \e[4msudoers\e[24m files from within the \e[4msudoers\e[0m
+ I\bIn\bnc\bcl\blu\bud\bdi\bin\bng\bg o\bot\bth\bhe\ber\br f\bfi\bil\ble\bes\bs f\bfr\bro\bom\bm w\bwi\bit\bth\bhi\bin\bn s\bsu\bud\bdo\boe\ber\brs\bs
+ It is possible to include other _\bs_\bu_\bd_\bo_\be_\br_\bs files from within the _\bs_\bu_\bd_\bo_\be_\br_\bs
file currently being parsed using the #include and #includedir
directives.
- This can be used, for example, to keep a site-wide \e[4msudoers\e[24m file in
+ This can be used, for example, to keep a site-wide _\bs_\bu_\bd_\bo_\be_\br_\bs file in
addition to a local, per-machine file. For the sake of this example
- the site-wide \e[4msudoers\e[24m will be \e[4m/etc/sudoers\e[24m and the per-machine one will
- be \e[4m/etc/sudoers.local\e[24m. To include \e[4m/etc/sudoers.local\e[24m from within
- \e[4m/etc/sudoers\e[24m we would use the following line in \e[4m/etc/sudoers\e[24m:
+ the site-wide _\bs_\bu_\bd_\bo_\be_\br_\bs will be _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs and the per-machine one will
+ be _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. To include _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl from within
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs we would use the following line in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs:
#include /etc/sudoers.local
- When \e[1msudo \e[22mreaches this line it will suspend processing of the current
- file (\e[4m/etc/sudoers\e[24m) and switch to \e[4m/etc/sudoers.local\e[24m. Upon reaching
- the end of \e[4m/etc/sudoers.local\e[24m, the rest of \e[4m/etc/sudoers\e[24m will be
+ When s\bsu\bud\bdo\bo reaches this line it will suspend processing of the current
+ file (_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs) and switch to _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. Upon reaching
+ the end of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl, the rest of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs will be
processed. Files that are included may themselves include other files.
A hard limit of 128 nested include files is enforced to prevent include
file loops.
#include /etc/sudoers.%h
- will cause \e[1msudo \e[22mto include the file \e[4m/etc/sudoers.xerxes\e[24m.
+ will cause s\bsu\bud\bdo\bo to include the file _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bx_\be_\br_\bx_\be_\bs.
- The #includedir directive can be used to create a \e[4msudo.d\e[24m directory that
- the system package manager can drop \e[4msudoers\e[24m rules into as part of
+ The #includedir directive can be used to create a _\bs_\bu_\bd_\bo_\b._\bd directory that
+ the system package manager can drop _\bs_\bu_\bd_\bo_\be_\br_\bs rules into as part of
package installation. For example, given:
#includedir /etc/sudoers.d
- \e[1msudo \e[22mwill read each file in \e[4m/etc/sudoers.d\e[24m, skipping file names that
+ s\bsu\bud\bdo\bo will read each file in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd, skipping file names that
end in ~ or contain a . character to avoid causing problems with
package manager or editor temporary/backup files. Files are parsed in
- sorted lexical order. That is, \e[4m/etc/sudoers.d/01_first\e[24m will be parsed
- before \e[4m/etc/sudoers.d/10_second\e[24m. Be aware that because the sorting is
- lexical, not numeric, \e[4m/etc/sudoers.d/1_whoops\e[24m would be loaded \e[1mafter\e[0m
- \e[4m/etc/sudoers.d/10_second\e[24m. Using a consistent number of leading zeroes
+ sorted lexical order. That is, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b0_\b1_\b__\bf_\bi_\br_\bs_\bt will be parsed
+ before _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Be aware that because the sorting is
+ lexical, not numeric, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b__\bw_\bh_\bo_\bo_\bp_\bs would be loaded a\baf\bft\bte\ber\br
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Using a consistent number of leading zeroes
in the file names can be used to avoid such problems.
- Note that unlike files included via #include, \e[1mvisudo \e[22mwill not edit the
+ Note that unlike files included via #include, v\bvi\bis\bsu\bud\bdo\bo will not edit the
files in a #includedir directory unless one of them contains a syntax
- error. It is still possible to run \e[1mvisudo \e[22mwith the -f flag to edit the
+ error. It is still possible to run v\bvi\bis\bsu\bud\bdo\bo with the -f flag to edit the
files directly.
- \e[1mOther special characters and reserved words\e[0m
+ O\bOt\bth\bhe\ber\br s\bsp\bpe\bec\bci\bia\bal\bl c\bch\bha\bar\bra\bac\bct\bte\ber\brs\bs a\ban\bnd\bd r\bre\bes\bse\ber\brv\bve\bed\bd w\bwo\bor\brd\bds\bs
The pound sign ('#') is used to indicate a comment (unless it is part
of a #include directive or unless it occurs in the context of a user
name and is followed by one or more digits, in which case it is treated
as a uid). Both the comment character and any text after it, up to the
end of the line, are ignored.
- The reserved word \e[1mALL \e[22mis a built-in \e[4malias\e[24m that always causes a match to
+ The reserved word A\bAL\bLL\bL is a built-in _\ba_\bl_\bi_\ba_\bs that always causes a match to
succeed. It can be used wherever one might otherwise use a Cmnd_Alias,
User_Alias, Runas_Alias, or Host_Alias. You should not try to define
- your own \e[4malias\e[24m called \e[1mALL \e[22mas the built-in alias will be used in
- preference to your own. Please note that using \e[1mALL \e[22mcan be dangerous
- since in a command context, it allows the user to run \e[1many \e[22mcommand on
+ your own _\ba_\bl_\bi_\ba_\bs called A\bAL\bLL\bL as the built-in alias will be used in
+ preference to your own. Please note that using A\bAL\bLL\bL can be dangerous
+ since in a command context, it allows the user to run a\ban\bny\by command on
the system.
- An exclamation point ('!') can be used as a logical \e[4mnot\e[24m operator both
- in an \e[4malias\e[24m and in front of a Cmnd. This allows one to exclude certain
+ An exclamation point ('!') can be used as a logical _\bn_\bo_\bt operator both
+ in an _\ba_\bl_\bi_\ba_\bs and in front of a Cmnd. This allows one to exclude certain
values. Note, however, that using a ! in conjunction with the built-in
ALL alias to allow a user to run "all but a few" commands rarely works
as intended (see SECURITY NOTES below).
character on the line.
Whitespace between elements in a list as well as special syntactic
- characters in a \e[4mUser\e[24m \e[4mSpecification\e[24m ('=', ':', '(', ')') is optional.
+ characters in a _\bU_\bs_\be_\br _\bS_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn ('=', ':', '(', ')') is optional.
The following characters must be escaped with a backslash ('\') when
used as part of a word (e.g. a user name or host name): '!', '=', ':',
',', '(', ')', '\'.
-\e[1mSUDOERS OPTIONS\e[0m
- \e[1msudo\e[22m's behavior can be modified by Default_Entry lines, as explained
+S\bSU\bUD\bDO\bOE\bER\bRS\bS O\bOP\bPT\bTI\bIO\bON\bNS\bS
+ s\bsu\bud\bdo\bo's behavior can be modified by Default_Entry lines, as explained
earlier. A list of all supported Defaults parameters, grouped by type,
are listed below.
- \e[1mBoolean Flags\e[22m:
+ B\bBo\boo\bol\ble\bea\ban\bn F\bFl\bla\bag\bgs\bs:
- always_set_home If enabled, \e[1msudo \e[22mwill set the HOME environment variable
+ always_set_home If enabled, s\bsu\bud\bdo\bo will set the HOME environment variable
to the home directory of the target user (which is root
- unless the \e[1m-u \e[22moption is used). This effectively means
- that the \e[1m-H \e[22moption is always implied. Note that HOME
- is already set when the the \e[4menv_reset\e[24m option is
- enabled, so \e[4malways_set_home\e[24m is only effective for
- configurations where either \e[4menv_reset\e[24m is disabled or
- HOME is present in the \e[4menv_keep\e[24m list. This flag is \e[4moff\e[0m
+ unless the -\b-u\bu option is used). This effectively means
+ that the -\b-H\bH option is always implied. Note that HOME
+ is already set when the the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is
+ enabled, so _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be is only effective for
+ configurations where either _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt is disabled or
+ HOME is present in the _\be_\bn_\bv_\b__\bk_\be_\be_\bp list. This flag is _\bo_\bf_\bf
by default.
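Review bot: the duplicated word in "when the the env_reset option is enabled" under always_set_home is carried over unchanged into the new overstrike-formatted line, and the same "the the" recurs in the set_home entry later in this hunk; "every time a users runs sudo" under mail_always likewise survives the reformat. Since these lines only swap ANSI escape sequences for backspace overstrikes in what appears to be a formatted catman page, the wording should be corrected in the man page source it is generated from and the file regenerated, rather than patched by hand here.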
authenticate If set, users must authenticate themselves via a
password (or other means of authentication) before they
may run commands. This default may be overridden via
- the PASSWD and NOPASSWD tags. This flag is \e[4mon\e[24m by
+ the PASSWD and NOPASSWD tags. This flag is _\bo_\bn by
default.
closefrom_override
- If set, the user may use \e[1msudo\e[22m's \e[1m-C \e[22moption which
- overrides the default starting point at which \e[1msudo\e[0m
- begins closing open file descriptors. This flag is \e[4moff\e[0m
+ If set, the user may use s\bsu\bud\bdo\bo's -\b-C\bC option which
+ overrides the default starting point at which s\bsu\bud\bdo\bo
+ begins closing open file descriptors. This flag is _\bo_\bf_\bf
by default.
- compress_io If set, and \e[1msudo \e[22mis configured to log a command's input
- or output, the I/O logs will be compressed using \e[1mzlib\e[22m.
- This flag is \e[4mon\e[24m by default when \e[1msudo \e[22mis compiled with
- \e[1mzlib \e[22msupport.
+ compress_io If set, and s\bsu\bud\bdo\bo is configured to log a command's input
+ or output, the I/O logs will be compressed using z\bzl\bli\bib\bb.
+ This flag is _\bo_\bn by default when s\bsu\bud\bdo\bo is compiled with
+ z\bzl\bli\bib\bb support.
- env_editor If set, \e[1mvisudo \e[22mwill use the value of the EDITOR or
+ env_editor If set, v\bvi\bis\bsu\bud\bdo\bo will use the value of the EDITOR or
VISUAL environment variables before falling back on the
default editor list. Note that this may create a
security hole as it allows the user to run any
arbitrary command as root without logging. A safer
alternative is to place a colon-separated list of
- editors in the editor variable. \e[1mvisudo \e[22mwill then only
+ editors in the editor variable. v\bvi\bis\bsu\bud\bdo\bo will then only
use the EDITOR or VISUAL if they match a value
- specified in editor. This flag is \e[4moff\e[24m by default.
+ specified in editor. This flag is _\bo_\bf_\bf by default.
- env_reset If set, \e[1msudo \e[22mwill reset the environment to only contain
+ env_reset If set, s\bsu\bud\bdo\bo will reset the environment to only contain
the LOGNAME, MAIL, SHELL, USER, USERNAME and the SUDO_*
variables. Any variables in the caller's environment
that match the env_keep and env_check lists are then
added. The default contents of the env_keep and
- env_check lists are displayed when \e[1msudo \e[22mis run by root
- with the \e[4m-V\e[24m option. If the \e[4msecure_path\e[24m option is set,
+ env_check lists are displayed when s\bsu\bud\bdo\bo is run by root
+ with the _\b-_\bV option. If the _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh option is set,
its value will be used for the PATH environment
- variable. This flag is \e[4mon\e[24m by default.
+ variable. This flag is _\bo_\bn by default.
- fast_glob Normally, \e[1msudo \e[22muses the \e[4mglob\e[24m(3) function to do shell-
+ fast_glob Normally, s\bsu\bud\bdo\bo uses the _\bg_\bl_\bo_\bb(3) function to do shell-
style globbing when matching path names. However,
- since it accesses the file system, \e[4mglob\e[24m(3) can take a
+ since it accesses the file system, _\bg_\bl_\bo_\bb(3) can take a
long time to complete for some patterns, especially
when the pattern references a network file system that
- is mounted on demand (automounted). The \e[4mfast_glob\e[0m
- option causes \e[1msudo \e[22mto use the \e[4mfnmatch\e[24m(3) function,
+ is mounted on demand (automounted). The _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb
+ option causes s\bsu\bud\bdo\bo to use the _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) function,
which does not access the file system to do its
- matching. The disadvantage of \e[4mfast_glob\e[24m is that it is
- unable to match relative path names such as \e[4m./ls\e[24m or
- \e[4m../bin/ls\e[24m. This has security implications when path
+ matching. The disadvantage of _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is that it is
+ unable to match relative path names such as _\b._\b/_\bl_\bs or
+ _\b._\b._\b/_\bb_\bi_\bn_\b/_\bl_\bs. This has security implications when path
names that include globbing characters are used with
the negation operator, '!', as such rules can be
trivially bypassed. As such, this option should not be
- used when \e[4msudoers\e[24m contains rules that contain negated
+ used when _\bs_\bu_\bd_\bo_\be_\br_\bs contains rules that contain negated
path names which include globbing characters. This
- flag is \e[4moff\e[24m by default.
+ flag is _\bo_\bf_\bf by default.
fqdn Set this flag if you want to put fully qualified host
- names in the \e[4msudoers\e[24m file. I.e., instead of myhost you
+ names in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. I.e., instead of myhost you
would use myhost.mydomain.edu. You may still use the
short form if you wish (and even mix the two). Beware
- that turning on \e[4mfqdn\e[24m requires \e[1msudo \e[22mto make DNS lookups
- which may make \e[1msudo \e[22munusable if DNS stops working (for
+ that turning on _\bf_\bq_\bd_\bn requires s\bsu\bud\bdo\bo to make DNS lookups
+ which may make s\bsu\bud\bdo\bo unusable if DNS stops working (for
example if the machine is not plugged into the
network). Also note that you must use the host's
official name as DNS knows it. That is, you may not
issues and the fact that there is no way to get all
aliases from DNS. If your machine's host name (as
returned by the hostname command) is already fully
- qualified you shouldn't need to set \e[4mfqdn\e[24m. This flag is
- \e[4moff\e[24m by default.
+ qualified you shouldn't need to set _\bf_\bq_\bd_\bn. This flag is
+ _\bo_\bf_\bf by default.
- ignore_dot If set, \e[1msudo \e[22mwill ignore '.' or '' (current dir) in the
+ ignore_dot If set, s\bsu\bud\bdo\bo will ignore '.' or '' (current dir) in the
PATH environment variable; the PATH itself is not
- modified. This flag is \e[4moff\e[24m by default.
+ modified. This flag is _\bo_\bf_\bf by default.
ignore_local_sudoers
- If set via LDAP, parsing of \e[4m/etc/sudoers\e[24m will be
+ If set via LDAP, parsing of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs will be
skipped. This is intended for Enterprises that wish to
prevent the usage of local sudoers files so that only
LDAP is used. This thwarts the efforts of rogue
operators who would attempt to add roles to
- \e[4m/etc/sudoers\e[24m. When this option is present,
- \e[4m/etc/sudoers\e[24m does not even need to exist. Since this
- option tells \e[1msudo \e[22mhow to behave when no specific LDAP
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. When this option is present,
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs does not even need to exist. Since this
+ option tells s\bsu\bud\bdo\bo how to behave when no specific LDAP
entries have been matched, this sudoOption is only
meaningful for the cn=defaults section. This flag is
- \e[4moff\e[24m by default.
+ _\bo_\bf_\bf by default.
- insults If set, \e[1msudo \e[22mwill insult users when they enter an
- incorrect password. This flag is \e[4moff\e[24m by default.
+ insults If set, s\bsu\bud\bdo\bo will insult users when they enter an
+ incorrect password. This flag is _\bo_\bf_\bf by default.
log_host If set, the host name will be logged in the (non-
- syslog) \e[1msudo \e[22mlog file. This flag is \e[4moff\e[24m by default.
+ syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
- log_input If set, \e[1msudo \e[22mwill run the command in a \e[4mpseudo\e[24m \e[4mtty\e[24m and
+ log_input If set, s\bsu\bud\bdo\bo will run the command in a _\bp_\bs_\be_\bu_\bd_\bo _\bt_\bt_\by and
log all user input. If the standard input is not
connected to the user's tty, due to I/O redirection or
because the command is part of a pipeline, that input
is also captured and stored in a separate log file.
Input is logged to the directory specified by the
- \e[4miolog_dir\e[24m option (\e[4m/var/log/sudo-io\e[24m by default) using a
- unique session ID that is included in the normal \e[1msudo\e[0m
- log line, prefixed with \e[4mTSID=\e[24m.
+ _\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br option (_\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo by default) using a
+ unique session ID that is included in the normal s\bsu\bud\bdo\bo
+ log line, prefixed with _\bT_\bS_\bI_\bD_\b=.
Note that user input may contain sensitive information
such as passwords (even if they are not echoed to the
screen), which will be stored in the log file
unencrypted. In most cases, logging the command output
- via \e[4mlog_output\e[24m is all that is required.
+ via _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt is all that is required.
- log_output If set, \e[1msudo \e[22mwill run the command in a \e[4mpseudo\e[24m \e[4mtty\e[24m and
+ log_output If set, s\bsu\bud\bdo\bo will run the command in a _\bp_\bs_\be_\bu_\bd_\bo _\bt_\bt_\by and
log all output that is sent to the screen, similar to
- the \e[4mscript\e[24m(1) command. If the standard output or
+ the _\bs_\bc_\br_\bi_\bp_\bt(1) command. If the standard output or
standard error is not connected to the user's tty, due
to I/O redirection or because the command is part of a
pipeline, that output is also captured and stored in
separate log files.
Output is logged to the directory specified by the
- \e[4miolog_dir\e[24m option (\e[4m/var/log/sudo-io\e[24m by default) using a
- unique session ID that is included in the normal \e[1msudo\e[0m
- log line, prefixed with \e[4mTSID=\e[24m.
+ _\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br option (_\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo by default) using a
+ unique session ID that is included in the normal s\bsu\bud\bdo\bo
+ log line, prefixed with _\bT_\bS_\bI_\bD_\b=.
- Output logs may be viewed with the \e[4msudoreplay\e[24m(1m)
+ Output logs may be viewed with the _\bs_\bu_\bd_\bo_\br_\be_\bp_\bl_\ba_\by(1m)
utility, which can also be used to list or search the
available logs.
log_year If set, the four-digit year will be logged in the (non-
- syslog) \e[1msudo \e[22mlog file. This flag is \e[4moff\e[24m by default.
+ syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
long_otp_prompt When validating with a One Time Password (OTP) scheme
- such as \e[1mS/Key \e[22mor \e[1mOPIE\e[22m, a two-line prompt is used to
+ such as S\bS/\b/K\bKe\bey\by or O\bOP\bPI\bIE\bE, a two-line prompt is used to
make it easier to cut and paste the challenge to a
local window. It's not as pretty as the default but
- some people find it more convenient. This flag is \e[4moff\e[0m
+ some people find it more convenient. This flag is _\bo_\bf_\bf
by default.
- mail_always Send mail to the \e[4mmailto\e[24m user every time a users runs
- \e[1msudo\e[22m. This flag is \e[4moff\e[24m by default.
+ mail_always Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user every time a users runs
+ s\bsu\bud\bdo\bo. This flag is _\bo_\bf_\bf by default.
- mail_badpass Send mail to the \e[4mmailto\e[24m user if the user running \e[1msudo\e[0m
- does not enter the correct password. This flag is \e[4moff\e[0m
+ mail_badpass Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user if the user running s\bsu\bud\bdo\bo
+ does not enter the correct password. This flag is _\bo_\bf_\bf
by default.
- mail_no_host If set, mail will be sent to the \e[4mmailto\e[24m user if the
- invoking user exists in the \e[4msudoers\e[24m file, but is not
+ mail_no_host If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
+ invoking user exists in the _\bs_\bu_\bd_\bo_\be_\br_\bs file, but is not
allowed to run commands on the current host. This flag
- is \e[4moff\e[24m by default.
+ is _\bo_\bf_\bf by default.
- mail_no_perms If set, mail will be sent to the \e[4mmailto\e[24m user if the
- invoking user is allowed to use \e[1msudo \e[22mbut the command
- they are trying is not listed in their \e[4msudoers\e[24m file
- entry or is explicitly denied. This flag is \e[4moff\e[24m by
+ mail_no_perms If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
+ invoking user is allowed to use s\bsu\bud\bdo\bo but the command
+ they are trying is not listed in their _\bs_\bu_\bd_\bo_\be_\br_\bs file
+ entry or is explicitly denied. This flag is _\bo_\bf_\bf by
default.
- mail_no_user If set, mail will be sent to the \e[4mmailto\e[24m user if the
- invoking user is not in the \e[4msudoers\e[24m file. This flag is
- \e[4mon\e[24m by default.
+ mail_no_user If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
+ invoking user is not in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. This flag is
+ _\bo_\bn by default.
- noexec If set, all commands run via \e[1msudo \e[22mwill behave as if the
+ noexec If set, all commands run via s\bsu\bud\bdo\bo will behave as if the
NOEXEC tag has been set, unless overridden by a EXEC
- tag. See the description of \e[4mNOEXEC\e[24m \e[4mand\e[24m \e[4mEXEC\e[24m below as
+ tag. See the description of _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC below as
well as the "PREVENTING SHELL ESCAPES" section at the
- end of this manual. This flag is \e[4moff\e[24m by default.
+ end of this manual. This flag is _\bo_\bf_\bf by default.
- path_info Normally, \e[1msudo \e[22mwill tell the user when a command could
+ path_info Normally, s\bsu\bud\bdo\bo will tell the user when a command could
not be found in their PATH environment variable. Some
sites may wish to disable this as it could be used to
gather information on the location of executables that
the normal user does not have access to. The
disadvantage is that if the executable is simply not in
- the user's PATH, \e[1msudo \e[22mwill tell the user that they are
+ the user's PATH, s\bsu\bud\bdo\bo will tell the user that they are
not allowed to run it, which can be confusing. This
- flag is \e[4mon\e[24m by default.
+ flag is _\bo_\bn by default.
passprompt_override
- The password prompt specified by \e[4mpassprompt\e[24m will
+ The password prompt specified by _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will
normally only be used if the password prompt provided
by systems such as PAM matches the string "Password:".
- If \e[4mpassprompt_override\e[24m is set, \e[4mpassprompt\e[24m will always
- be used. This flag is \e[4moff\e[24m by default.
+ If _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is set, _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will always
+ be used. This flag is _\bo_\bf_\bf by default.
- preserve_groups By default, \e[1msudo \e[22mwill initialize the group vector to
+ preserve_groups By default, s\bsu\bud\bdo\bo will initialize the group vector to
the list of groups the target user is in. When
- \e[4mpreserve_groups\e[24m is set, the user's existing group
+ _\bp_\br_\be_\bs_\be_\br_\bv_\be_\b__\bg_\br_\bo_\bu_\bp_\bs is set, the user's existing group
vector is left unaltered. The real and effective group
IDs, however, are still set to match the target user.
- This flag is \e[4moff\e[24m by default.
+ This flag is _\bo_\bf_\bf by default.
- pwfeedback By default, \e[1msudo \e[22mreads the password like most other
+ pwfeedback By default, s\bsu\bud\bdo\bo reads the password like most other
Unix programs, by turning off echo until the user hits
the return (or enter) key. Some users become confused
- by this as it appears to them that \e[1msudo \e[22mhas hung at
- this point. When \e[4mpwfeedback\e[24m is set, \e[1msudo \e[22mwill provide
+ by this as it appears to them that s\bsu\bud\bdo\bo has hung at
+ this point. When _\bp_\bw_\bf_\be_\be_\bd_\bb_\ba_\bc_\bk is set, s\bsu\bud\bdo\bo will provide
visual feedback when the user presses a key. Note that
this does have a security impact as an onlooker may be
able to determine the length of the password being
- entered. This flag is \e[4moff\e[24m by default.
+ entered. This flag is _\bo_\bf_\bf by default.
- requiretty If set, \e[1msudo \e[22mwill only run when the user is logged in
- to a real tty. When this flag is set, \e[1msudo \e[22mcan only be
+ requiretty If set, s\bsu\bud\bdo\bo will only run when the user is logged in
+ to a real tty. When this flag is set, s\bsu\bud\bdo\bo can only be
run from a login session and not via other means such
- as \e[4mcron\e[24m(1m) or cgi-bin scripts. This flag is \e[4moff\e[24m by
+ as _\bc_\br_\bo_\bn(1m) or cgi-bin scripts. This flag is _\bo_\bf_\bf by
default.
- root_sudo If set, root is allowed to run \e[1msudo \e[22mtoo. Disabling
- this prevents users from "chaining" \e[1msudo \e[22mcommands to
+ root_sudo If set, root is allowed to run s\bsu\bud\bdo\bo too. Disabling
+ this prevents users from "chaining" s\bsu\bud\bdo\bo commands to
get a root shell by doing something like "sudo sudo
- /bin/sh". Note, however, that turning off \e[4mroot_sudo\e[0m
- will also prevent root from running \e[1msudoedit\e[22m.
- Disabling \e[4mroot_sudo\e[24m provides no real additional
+ /bin/sh". Note, however, that turning off _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo
+ will also prevent root from running s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
+ Disabling _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo provides no real additional
security; it exists purely for historical reasons.
- This flag is \e[4mon\e[24m by default.
+ This flag is _\bo_\bn by default.
- rootpw If set, \e[1msudo \e[22mwill prompt for the root password instead
- of the password of the invoking user. This flag is \e[4moff\e[0m
+ rootpw If set, s\bsu\bud\bdo\bo will prompt for the root password instead
+ of the password of the invoking user. This flag is _\bo_\bf_\bf
by default.
- runaspw If set, \e[1msudo \e[22mwill prompt for the password of the user
- defined by the \e[4mrunas_default\e[24m option (defaults to root)
+ runaspw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
+ defined by the _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt option (defaults to root)
instead of the password of the invoking user. This
- flag is \e[4moff\e[24m by default.
+ flag is _\bo_\bf_\bf by default.
- set_home If enabled and \e[1msudo \e[22mis invoked with the \e[1m-s \e[22moption the
+ set_home If enabled and s\bsu\bud\bdo\bo is invoked with the -\b-s\bs option the
HOME environment variable will be set to the home
directory of the target user (which is root unless the
- \e[1m-u \e[22moption is used). This effectively makes the \e[1m-s\e[0m
- option imply \e[1m-H\e[22m. Note that HOME is already set when
- the the \e[4menv_reset\e[24m option is enabled, so \e[4mset_home\e[24m is
+ -\b-u\bu option is used). This effectively makes the -\b-s\bs
+ option imply -\b-H\bH. Note that HOME is already set when
+ the the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is enabled, so _\bs_\be_\bt_\b__\bh_\bo_\bm_\be is
only effective for configurations where either
- \e[4menv_reset\e[24m is disabled or HOME is present in the
- \e[4menv_keep\e[24m list. This flag is \e[4moff\e[24m by default.
+ _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt is disabled or HOME is present in the
+ _\be_\bn_\bv_\b__\bk_\be_\be_\bp list. This flag is _\bo_\bf_\bf by default.
- set_logname Normally, \e[1msudo \e[22mwill set the LOGNAME, USER and USERNAME
+ set_logname Normally, s\bsu\bud\bdo\bo will set the LOGNAME, USER and USERNAME
environment variables to the name of the target user
- (usually root unless the \e[1m-u \e[22moption is given). However,
+ (usually root unless the -\b-u\bu option is given). However,
since some programs (including the RCS revision control
system) use LOGNAME to determine the real identity of
the user, it may be desirable to change this behavior.
This can be done by negating the set_logname option.
- Note that if the \e[4menv_reset\e[24m option has not been
- disabled, entries in the \e[4menv_keep\e[24m list will override
- the value of \e[4mset_logname\e[24m. This flag is \e[4mon\e[24m by default.
+ Note that if the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option has not been
+ disabled, entries in the _\be_\bn_\bv_\b__\bk_\be_\be_\bp list will override
+ the value of _\bs_\be_\bt_\b__\bl_\bo_\bg_\bn_\ba_\bm_\be. This flag is _\bo_\bn by default.
- setenv Allow the user to disable the \e[4menv_reset\e[24m option from the
+ setenv Allow the user to disable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option from the
command line. Additionally, environment variables set
via the command line are not subject to the
- restrictions imposed by \e[4menv_check\e[24m, \e[4menv_delete\e[24m, or
- \e[4menv_keep\e[24m. As such, only trusted users should be
+ restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or
+ _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such, only trusted users should be
allowed to set variables in this manner. This flag is
- \e[4moff\e[24m by default.
+ _\bo_\bf_\bf by default.
- shell_noargs If set and \e[1msudo \e[22mis invoked with no arguments it acts as
- if the \e[1m-s \e[22moption had been given. That is, it runs a
+ shell_noargs If set and s\bsu\bud\bdo\bo is invoked with no arguments it acts as
+ if the -\b-s\bs option had been given. That is, it runs a
shell as root (the shell is determined by the SHELL
environment variable if it is set, falling back on the
shell listed in the invoking user's /etc/passwd entry
- if not). This flag is \e[4moff\e[24m by default.
+ if not). This flag is _\bo_\bf_\bf by default.
- stay_setuid Normally, when \e[1msudo \e[22mexecutes a command the real and
+ stay_setuid Normally, when s\bsu\bud\bdo\bo executes a command the real and
effective UIDs are set to the target user (root by
default). This option changes that behavior such that
the real UID is left as the invoking user's UID. In
- other words, this makes \e[1msudo \e[22mact as a setuid wrapper.
+ other words, this makes s\bsu\bud\bdo\bo act as a setuid wrapper.
This can be useful on systems that disable some
potentially dangerous functionality when a program is
run setuid. This option is only effective on systems
- with either the \e[4msetreuid()\e[24m or \e[4msetresuid()\e[24m function.
- This flag is \e[4moff\e[24m by default.
+ with either the _\bs_\be_\bt_\br_\be_\bu_\bi_\bd_\b(_\b) or _\bs_\be_\bt_\br_\be_\bs_\bu_\bi_\bd_\b(_\b) function.
+ This flag is _\bo_\bf_\bf by default.
- targetpw If set, \e[1msudo \e[22mwill prompt for the password of the user
- specified by the \e[1m-u \e[22moption (defaults to root) instead
+ targetpw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
+ specified by the -\b-u\bu option (defaults to root) instead
of the password of the invoking user. In addition, the
timestamp file name will include the target user's
name. Note that this flag precludes the use of a uid
not listed in the passwd database as an argument to the
- \e[1m-u \e[22moption. This flag is \e[4moff\e[24m by default.
+ -\b-u\bu option. This flag is _\bo_\bf_\bf by default.
tty_tickets If set, users must authenticate on a per-tty basis.
- With this flag enabled, \e[1msudo \e[22mwill use a file named for
+ With this flag enabled, s\bsu\bud\bdo\bo will use a file named for
the tty the user is logged in on in the user's time
stamp directory. If disabled, the time stamp of the
- directory is used instead. This flag is \e[4mon\e[24m by default.
+ directory is used instead. This flag is _\bo_\bn by default.
- umask_override If set, \e[1msudo \e[22mwill set the umask as specified by \e[4msudoers\e[0m
+ umask_override If set, s\bsu\bud\bdo\bo will set the umask as specified by _\bs_\bu_\bd_\bo_\be_\br_\bs
without modification. This makes it possible to
- specify a more permissive umask in \e[4msudoers\e[24m than the
+ specify a more permissive umask in _\bs_\bu_\bd_\bo_\be_\br_\bs than the
user's own umask and matches historical behavior. If
- \e[4mumask_override\e[24m is not set, \e[1msudo \e[22mwill set the umask to
+ _\bu_\bm_\ba_\bs_\bk_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is not set, s\bsu\bud\bdo\bo will set the umask to
be the union of the user's umask and what is specified
- in \e[4msudoers\e[24m. This flag is \e[4moff\e[24m by default.
+ in _\bs_\bu_\bd_\bo_\be_\br_\bs. This flag is _\bo_\bf_\bf by default.
- use_loginclass If set, \e[1msudo \e[22mwill apply the defaults specified for the
+ use_loginclass If set, s\bsu\bud\bdo\bo will apply the defaults specified for the
target user's login class if one exists. Only
- available if \e[1msudo \e[22mis configured with the
- --with-logincap option. This flag is \e[4moff\e[24m by default.
+ available if s\bsu\bud\bdo\bo is configured with the
+ --with-logincap option. This flag is _\bo_\bf_\bf by default.
- use_pty If set, \e[1msudo \e[22mwill run the command in a pseudo-pty even
+ use_pty If set, s\bsu\bud\bdo\bo will run the command in a pseudo-pty even
if no I/O logging is being gone. A malicious program
- run under \e[1msudo \e[22mcould conceivably fork a background
+ run under s\bsu\bud\bdo\bo could conceivably fork a background
process that retains to the user's terminal device
after the main program has finished executing. Use of
this option will make that impossible.
- visiblepw By default, \e[1msudo \e[22mwill refuse to run if the user must
+ visiblepw By default, s\bsu\bud\bdo\bo will refuse to run if the user must
enter a password but it is not possible to disable echo
- on the terminal. If the \e[4mvisiblepw\e[24m flag is set, \e[1msudo\e[0m
+ on the terminal. If the _\bv_\bi_\bs_\bi_\bb_\bl_\be_\bp_\bw flag is set, s\bsu\bud\bdo\bo
will prompt for a password even when it would be
visible on the screen. This makes it possible to run
- things like "rsh somehost sudo ls" since \e[4mrsh\e[24m(1) does
- not allocate a tty. This flag is \e[4moff\e[24m by default.
+ things like "rsh somehost sudo ls" since _\br_\bs_\bh(1) does
+ not allocate a tty. This flag is _\bo_\bf_\bf by default.
- \e[1mIntegers\e[22m:
+ I\bIn\bnt\bte\beg\bge\ber\brs\bs:
- closefrom Before it executes a command, \e[1msudo \e[22mwill close all open
+ closefrom Before it executes a command, s\bsu\bud\bdo\bo will close all open
file descriptors other than standard input, standard
output and standard error (ie: file descriptors 0-2).
- The \e[4mclosefrom\e[24m option can be used to specify a different
+ The _\bc_\bl_\bo_\bs_\be_\bf_\br_\bo_\bm option can be used to specify a different
file descriptor at which to start closing. The default
is 3.
passwd_tries The number of tries a user gets to enter his/her
- password before \e[1msudo \e[22mlogs the failure and exits. The
+ password before s\bsu\bud\bdo\bo logs the failure and exits. The
default is 3.
- \e[1mIntegers that can be used in a boolean context\e[22m:
+ I\bIn\bnt\bte\beg\bge\ber\brs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
loglinelen Number of characters per line for the file log. This
value is used to decide when to wrap lines for nicer
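Review bot: the regenerated `+` lines carry over wording defects from the source text rather than fixing them, so the change should be made in the manual source this cat page is generated from and the page regenerated: the set_home entry reads "the the env_reset option is enabled" (doubled "the"), the use_pty entry reads "even if no I/O logging is being gone" ("being done") and "a background process that retains to the user's terminal device" ("retains access to the user's terminal device"). The use_pty sentence is the one that explains why the option exists (a command run under sudo leaving a background process attached to the caller's terminal), so it is worth getting right.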
only the file log. The default is 80 (use 0 or negate
the option to disable word wrap).
- passwd_timeout Number of minutes before the \e[1msudo \e[22mpassword prompt times
+ passwd_timeout Number of minutes before the s\bsu\bud\bdo\bo password prompt times
out, or 0 for no timeout. The timeout may include a
fractional component if minute granularity is
insufficient, for example 2.5. The default is 5.
timestamp_timeout
- Number of minutes that can elapse before \e[1msudo \e[22mwill ask
+ Number of minutes that can elapse before s\bsu\bud\bdo\bo will ask
for a passwd again. The timeout may include a
fractional component if minute granularity is
insufficient, for example 2.5. The default is 5. Set
umask Umask to use when running the command. Negate this
option or set it to 0777 to preserve the user's umask.
The actual umask that is used will be the union of the
- user's umask and the value of the \e[4mumask\e[24m option, which
- defaults to 0022. This guarantees that \e[1msudo \e[22mnever
+ user's umask and the value of the _\bu_\bm_\ba_\bs_\bk option, which
+ defaults to 0022. This guarantees that s\bsu\bud\bdo\bo never
lowers the umask when running a command. Note on
systems that use PAM, the default PAM configuration may
specify its own umask which will override the value set
- in \e[4msudoers\e[24m.
+ in _\bs_\bu_\bd_\bo_\be_\br_\bs.
- \e[1mStrings\e[22m:
+ S\bSt\btr\bri\bin\bng\bgs\bs:
badpass_message Message that is displayed if a user enters an incorrect
password. The default is Sorry, try again. unless
insults are enabled.
editor A colon (':') separated list of editors allowed to be
- used with \e[1mvisudo\e[22m. \e[1mvisudo \e[22mwill choose the editor that
+ used with v\bvi\bis\bsu\bud\bdo\bo. v\bvi\bis\bsu\bud\bdo\bo will choose the editor that
matches the user's EDITOR environment variable if
possible, or the first editor in the list that exists
and is executable. The default is "vi".
iolog_dir The directory in which to store input/output logs when
- the \e[4mlog_input\e[24m or \e[4mlog_output\e[24m options are enabled or when
+ the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt or _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt options are enabled or when
the LOG_INPUT or LOG_OUTPUT tags are present for a
command. The default is "/var/log/sudo-io".
- mailsub Subject of the mail sent to the \e[4mmailto\e[24m user. The escape
+ mailsub Subject of the mail sent to the _\bm_\ba_\bi_\bl_\bt_\bo user. The escape
%h will expand to the host name of the machine.
Default is *** SECURITY information for %h ***.
noexec_file Path to a shared library containing dummy versions of
- the \e[4mexecv()\e[24m, \e[4mexecve()\e[24m and \e[4mfexecve()\e[24m library functions
+ the _\be_\bx_\be_\bc_\bv_\b(_\b), _\be_\bx_\be_\bc_\bv_\be_\b(_\b) and _\bf_\be_\bx_\be_\bc_\bv_\be_\b(_\b) library functions
that just return an error. This is used to implement
- the \e[4mnoexec\e[24m functionality on systems that support
+ the _\bn_\bo_\be_\bx_\be_\bc functionality on systems that support
LD_PRELOAD or its equivalent. Defaults to
- \e[4m/usr/local/libexec/sudo_noexec.so\e[24m.
+ _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc_\b/_\bs_\bu_\bd_\bo_\b__\bn_\bo_\be_\bx_\be_\bc_\b._\bs_\bo.
passprompt The default prompt to use when asking for a password;
- can be overridden via the \e[1m-p \e[22moption or the SUDO_PROMPT
+ can be overridden via the -\b-p\bp option or the SUDO_PROMPT
environment variable. The following percent (`%')
escapes are supported:
%H expanded to the local host name including the
domain name (on if the machine's host name is fully
- qualified or the \e[4mfqdn\e[24m option is set)
+ qualified or the _\bf_\bq_\bd_\bn option is set)
%h expanded to the local host name without the domain
name
%p expanded to the user whose password is being asked
- for (respects the \e[4mrootpw\e[24m, \e[4mtargetpw\e[24m and \e[4mrunaspw\e[0m
- flags in \e[4msudoers\e[24m)
+ for (respects the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and _\br_\bu_\bn_\ba_\bs_\bp_\bw
+ flags in _\bs_\bu_\bd_\bo_\be_\br_\bs)
%U expanded to the login name of the user the command
will be run as (defaults to root)
role The default SELinux role to use when constructing a new
security context to run the command. The default role
- may be overridden on a per-command basis in \e[4msudoers\e[24m or
+ may be overridden on a per-command basis in _\bs_\bu_\bd_\bo_\be_\br_\bs or
via command line options. This option is only
- available whe \e[1msudo \e[22mis built with SELinux support.
+ available whe s\bsu\bud\bdo\bo is built with SELinux support.
- runas_default The default user to run commands as if the \e[1m-u \e[22moption is
+ runas_default The default user to run commands as if the -\b-u\bu option is
not specified on the command line. This defaults to
root.
syslog_badpri Syslog priority to use when user authenticates
unsuccessfully. Defaults to alert.
- The following syslog priorities are supported: \e[1malert\e[22m,
- \e[1mcrit\e[22m, \e[1mdebug\e[22m, \e[1memerg\e[22m, \e[1merr\e[22m, \e[1minfo\e[22m, \e[1mnotice\e[22m, and \e[1mwarning\e[22m.
+ The following syslog priorities are supported: a\bal\ble\ber\brt\bt,
+ c\bcr\bri\bit\bt, d\bde\beb\bbu\bug\bg, e\bem\bme\ber\brg\bg, e\ber\brr\br, i\bin\bnf\bfo\bo, n\bno\bot\bti\bic\bce\be, and w\bwa\bar\brn\bni\bin\bng\bg.
syslog_goodpri Syslog priority to use when user authenticates
successfully. Defaults to notice.
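Review bot: the role entry still ends with "This option is only available whe sudo is built with SELinux support" ("when"); the typo survives the ANSI-to-overstrike conversion on the `+` line, so it needs a fix in the manual source, not in this generated file.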
locale may affect how sudoers is interpreted. Defaults
to "C".
- timestampdir The directory in which \e[1msudo \e[22mstores its timestamp files.
- The default is \e[4m/var/adm/sudo\e[24m.
+ timestampdir The directory in which s\bsu\bud\bdo\bo stores its timestamp files.
+ The default is _\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo.
timestampowner The owner of the timestamp directory and the timestamps
stored therein. The default is root.
type The default SELinux type to use when constructing a new
security context to run the command. The default type
- may be overridden on a per-command basis in \e[4msudoers\e[24m or
+ may be overridden on a per-command basis in _\bs_\bu_\bd_\bo_\be_\br_\bs or
via command line options. This option is only
- available whe \e[1msudo \e[22mis built with SELinux support.
+ available whe s\bsu\bud\bdo\bo is built with SELinux support.
- \e[1mStrings that can be used in a boolean context\e[22m:
+ S\bSt\btr\bri\bin\bng\bgs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
- askpass The \e[4maskpass\e[24m option specifies the fully qualified path to a
+ askpass The _\ba_\bs_\bk_\bp_\ba_\bs_\bs option specifies the fully qualified path to a
helper program used to read the user's password when no
- terminal is available. This may be the case when \e[1msudo \e[22mis
+ terminal is available. This may be the case when s\bsu\bud\bdo\bo is
executed from a graphical (as opposed to text-based)
- application. The program specified by \e[4maskpass\e[24m should
+ application. The program specified by _\ba_\bs_\bk_\bp_\ba_\bs_\bs should
display the argument passed to it as the prompt and write
the user's password to the standard output. The value of
- \e[4maskpass\e[24m may be overridden by the SUDO_ASKPASS environment
+ _\ba_\bs_\bk_\bp_\ba_\bs_\bs may be overridden by the SUDO_ASKPASS environment
variable.
- env_file The \e[4menv_file\e[24m options specifies the fully qualified path to
+ env_file The _\be_\bn_\bv_\b__\bf_\bi_\bl_\be options specifies the fully qualified path to
a file containing variables to be set in the environment of
the program being run. Entries in this file should either
be of the form VARIABLE=value or export VARIABLE=value.
The value may optionally be surrounded by single or double
- quotes. Variables in this file are subject to other \e[1msudo\e[0m
- environment settings such as \e[4menv_keep\e[24m and \e[4menv_check\e[24m.
+ quotes. Variables in this file are subject to other s\bsu\bud\bdo\bo
+ environment settings such as _\be_\bn_\bv_\b__\bk_\be_\be_\bp and _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk.
exempt_group
Users in this group are exempt from password and PATH
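Review bot: same typo in the type entry ("only available whe sudo is built with SELinux support"), and the env_file entry reads "The env_file options specifies" where "option specifies" is meant; both should go back to the manual source so the next regeneration of this cat page does not reintroduce them.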
never Never lecture the user.
- once Only lecture the user the first time they run \e[1msudo\e[22m.
+ once Only lecture the user the first time they run s\bsu\bud\bdo\bo.
- If no value is specified, a value of \e[4monce\e[24m is implied.
- Negating the option results in a value of \e[4mnever\e[24m being used.
- The default value is \e[4monce\e[24m.
+ If no value is specified, a value of _\bo_\bn_\bc_\be is implied.
+ Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
+ The default value is _\bo_\bn_\bc_\be.
lecture_file
- Path to a file containing an alternate \e[1msudo \e[22mlecture that
+ Path to a file containing an alternate s\bsu\bud\bdo\bo lecture that
will be used in place of the standard lecture if the named
- file exists. By default, \e[1msudo \e[22muses a built-in lecture.
+ file exists. By default, s\bsu\bud\bdo\bo uses a built-in lecture.
listpw This option controls when a password will be required when
- a user runs \e[1msudo \e[22mwith the \e[1m-l \e[22moption. It has the following
+ a user runs s\bsu\bud\bdo\bo with the -\b-l\bl option. It has the following
possible values:
- all All the user's \e[4msudoers\e[24m entries for the current host
+ all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the current host
must have the NOPASSWD flag set to avoid entering a
password.
- always The user must always enter a password to use the \e[1m-l\e[0m
+ always The user must always enter a password to use the -\b-l\bl
option.
- any At least one of the user's \e[4msudoers\e[24m entries for the
+ any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the
current host must have the NOPASSWD flag set to
avoid entering a password.
- never The user need never enter a password to use the \e[1m-l\e[0m
+ never The user need never enter a password to use the -\b-l\bl
option.
- If no value is specified, a value of \e[4many\e[24m is implied.
- Negating the option results in a value of \e[4mnever\e[24m being used.
- The default value is \e[4many\e[24m.
+ If no value is specified, a value of _\ba_\bn_\by is implied.
+ Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
+ The default value is _\ba_\bn_\by.
- logfile Path to the \e[1msudo \e[22mlog file (not the syslog log file).
+ logfile Path to the s\bsu\bud\bdo\bo log file (not the syslog log file).
Setting a path turns on logging to a file; negating this
- option turns it off. By default, \e[1msudo \e[22mlogs via syslog.
+ option turns it off. By default, s\bsu\bud\bdo\bo logs via syslog.
- mailerflags Flags to use when invoking mailer. Defaults to \e[1m-t\e[22m.
+ mailerflags Flags to use when invoking mailer. Defaults to -\b-t\bt.
mailerpath Path to mail program used to send warning mail. Defaults
to the path to sendmail found at configure time.
mailfrom Address to use for the "from" address when sending warning
and error mail. The address should be enclosed in double
- quotes (") to protect against \e[1msudo \e[22minterpreting the @ sign.
- Defaults to the name of the user running \e[1msudo\e[22m.
+ quotes (") to protect against s\bsu\bud\bdo\bo interpreting the @ sign.
+ Defaults to the name of the user running s\bsu\bud\bdo\bo.
mailto Address to send warning and error mail to. The address
should be enclosed in double quotes (") to protect against
- \e[1msudo \e[22minterpreting the @ sign. Defaults to root.
+ s\bsu\bud\bdo\bo interpreting the @ sign. Defaults to root.
- secure_path Path used for every command run from \e[1msudo\e[22m. If you don't
- trust the people running \e[1msudo \e[22mto have a sane PATH
+ secure_path Path used for every command run from s\bsu\bud\bdo\bo. If you don't
+ trust the people running s\bsu\bud\bdo\bo to have a sane PATH
environment variable you may want to use this. Another use
is if you want to have the "root path" be separate from the
"user path." Users in the group specified by the
- \e[4mexempt_group\e[24m option are not affected by \e[4msecure_path\e[24m. This
+ _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option are not affected by _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh. This
option is not set by default.
syslog Syslog facility if syslog is being used for logging (negate
to disable syslog logging). Defaults to auth.
- The following syslog facilities are supported: \e[1mauthpriv \e[22m(if
- your OS supports it), \e[1mauth\e[22m, \e[1mdaemon\e[22m, \e[1muser\e[22m, \e[1mlocal0\e[22m, \e[1mlocal1\e[22m,
- \e[1mlocal2\e[22m, \e[1mlocal3\e[22m, \e[1mlocal4\e[22m, \e[1mlocal5\e[22m, \e[1mlocal6\e[22m, and \e[1mlocal7\e[22m.
+ The following syslog facilities are supported: a\bau\but\bth\bhp\bpr\bri\biv\bv (if
+ your OS supports it), a\bau\but\bth\bh, d\bda\bae\bem\bmo\bon\bn, u\bus\bse\ber\br, l\blo\boc\bca\bal\bl0\b0, l\blo\boc\bca\bal\bl1\b1,
+ l\blo\boc\bca\bal\bl2\b2, l\blo\boc\bca\bal\bl3\b3, l\blo\boc\bca\bal\bl4\b4, l\blo\boc\bca\bal\bl5\b5, l\blo\boc\bca\bal\bl6\b6, and l\blo\boc\bca\bal\bl7\b7.
verifypw This option controls when a password will be required when
- a user runs \e[1msudo \e[22mwith the \e[1m-v \e[22moption. It has the following
+ a user runs s\bsu\bud\bdo\bo with the -\b-v\bv option. It has the following
possible values:
- all All the user's \e[4msudoers\e[24m entries for the current host
+ all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the current host
must have the NOPASSWD flag set to avoid entering a
password.
- always The user must always enter a password to use the \e[1m-v\e[0m
+ always The user must always enter a password to use the -\b-v\bv
option.
- any At least one of the user's \e[4msudoers\e[24m entries for the
+ any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the
current host must have the NOPASSWD flag set to
avoid entering a password.
- never The user need never enter a password to use the \e[1m-v\e[0m
+ never The user need never enter a password to use the -\b-v\bv
option.
- If no value is specified, a value of \e[4mall\e[24m is implied.
- Negating the option results in a value of \e[4mnever\e[24m being used.
- The default value is \e[4mall\e[24m.
+ If no value is specified, a value of _\ba_\bl_\bl is implied.
+ Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
+ The default value is _\ba_\bl_\bl.
- \e[1mLists that can be used in a boolean context\e[22m:
+ L\bLi\bis\bst\bts\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
env_check Environment variables to be removed from the user's
environment if the variable's value contains % or /
option is enabled or disabled, variables specified by
env_check will be preserved in the environment if they
pass the aforementioned check. The default list of
- environment variables to check is displayed when \e[1msudo\e[0m
- is run by root with the \e[4m-V\e[24m option.
+ environment variables to check is displayed when s\bsu\bud\bdo\bo
+ is run by root with the _\b-_\bV option.
env_delete Environment variables to be removed from the user's
- environment when the \e[4menv_reset\e[24m option is not in effect.
+ environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is not in effect.
The argument may be a double-quoted, space-separated
list or a single value without double-quotes. The list
can be replaced, added to, deleted from, or disabled by
using the =, +=, -=, and ! operators respectively. The
default list of environment variables to remove is
- displayed when \e[1msudo \e[22mis run by root with the \e[4m-V\e[24m option.
+ displayed when s\bsu\bud\bdo\bo is run by root with the _\b-_\bV option.
Note that many operating systems will remove
potentially dangerous variables from the environment of
- any setuid process (such as \e[1msudo\e[22m).
+ any setuid process (such as s\bsu\bud\bdo\bo).
env_keep Environment variables to be preserved in the user's
- environment when the \e[4menv_reset\e[24m option is in effect.
+ environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is in effect.
This allows fine-grained control over the environment
- \e[1msudo\e[22m-spawned processes will receive. The argument may
+ s\bsu\bud\bdo\bo-spawned processes will receive. The argument may
be a double-quoted, space-separated list or a single
value without double-quotes. The list can be replaced,
added to, deleted from, or disabled by using the =, +=,
-=, and ! operators respectively. The default list of
- variables to keep is displayed when \e[1msudo \e[22mis run by root
- with the \e[4m-V\e[24m option.
+ variables to keep is displayed when s\bsu\bud\bdo\bo is run by root
+ with the _\b-_\bV option.
-\e[1mFILES\e[0m
- \e[4m/etc/sudoers\e[24m List of who can run what
+F\bFI\bIL\bLE\bES\bS
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
- \e[4m/etc/group\e[24m Local groups file
+ _\b/_\be_\bt_\bc_\b/_\bg_\br_\bo_\bu_\bp Local groups file
- \e[4m/etc/netgroup\e[24m List of network groups
+ _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bg_\br_\bo_\bu_\bp List of network groups
- \e[4m/var/log/sudo-io\e[24m I/O log files
+ _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo I/O log files
-\e[1mEXAMPLES\e[0m
- Below are example \e[4msudoers\e[24m entries. Admittedly, some of these are a bit
+E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
+ Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of these are a bit
contrived. First, we allow a few environment variables to pass and
- then define our \e[4maliases\e[24m:
+ then define our _\ba_\bl_\bi_\ba_\bs_\be_\bs:
# Run X applications through sudo; HOME is used to find the
# .Xauthority file. Note that other programs use HOME to find
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
- Here we override some of the compiled in default values. We want \e[1msudo\e[0m
- to log via \e[4msyslog\e[24m(3) using the \e[4mauth\e[24m facility in all cases. We don't
- want to subject the full time staff to the \e[1msudo \e[22mlecture, user \e[1mmillert\e[0m
+ Here we override some of the compiled in default values. We want s\bsu\bud\bdo\bo
+ to log via _\bs_\by_\bs_\bl_\bo_\bg(3) using the _\ba_\bu_\bt_\bh facility in all cases. We don't
+ want to subject the full time staff to the s\bsu\bud\bdo\bo lecture, user m\bmi\bil\bll\ble\ber\brt\bt
need not give a password, and we don't want to reset the LOGNAME, USER
or USERNAME environment variables when running commands as root.
- Additionally, on the machines in the \e[4mSERVERS\e[24m Host_Alias, we keep an
+ Additionally, on the machines in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, we keep an
additional local log file and make sure we log the year in each log
line since the log entries will be kept around for several years.
Lastly, we disable shell escapes for the commands in the PAGERS
- Cmnd_Alias (\e[4m/usr/bin/more\e[24m, \e[4m/usr/bin/pg\e[24m and \e[4m/usr/bin/less\e[24m).
+ Cmnd_Alias (_\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be, _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bp_\bg and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\be_\bs_\bs).
# Override built-in defaults
Defaults syslog=auth
Defaults@SERVERS log_year, logfile=/var/log/sudo.log
Defaults!PAGERS noexec
- The \e[4mUser\e[24m \e[4mspecification\e[24m is the part that actually determines who may run
+ The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually determines who may run
what.
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
- We let \e[1mroot \e[22mand any user in group \e[1mwheel \e[22mrun any command on any host as
+ We let r\bro\boo\bot\bt and any user in group w\bwh\bhe\bee\bel\bl run any command on any host as
any user.
FULLTIMERS ALL = NOPASSWD: ALL
- Full time sysadmins (\e[1mmillert\e[22m, \e[1mmikef\e[22m, and \e[1mdowdy\e[22m) may run any command on
+ Full time sysadmins (m\bmi\bil\bll\ble\ber\brt\bt, m\bmi\bik\bke\bef\bf, and d\bdo\bow\bwd\bdy\by) may run any command on
any host without authenticating themselves.
PARTTIMERS ALL = ALL
- Part time sysadmins (\e[1mbostley\e[22m, \e[1mjwfox\e[22m, and \e[1mcrawl\e[22m) may run any command on
+ Part time sysadmins (b\bbo\bos\bst\btl\ble\bey\by, j\bjw\bwf\bfo\box\bx, and c\bcr\bra\baw\bwl\bl) may run any command on
any host but they must authenticate themselves first (since the entry
lacks the NOPASSWD tag).
jack CSNETS = ALL
- The user \e[1mjack \e[22mmay run any command on the machines in the \e[4mCSNETS\e[24m alias
+ The user j\bja\bac\bck\bk may run any command on the machines in the _\bC_\bS_\bN_\bE_\bT_\bS alias
(the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of
those networks, only 128.138.204.0 has an explicit netmask (in CIDR
notation) indicating it is a class C network. For the other networks
- in \e[4mCSNETS\e[24m, the local machine's netmask will be used during matching.
+ in _\bC_\bS_\bN_\bE_\bT_\bS, the local machine's netmask will be used during matching.
lisa CUNETS = ALL
- The user \e[1mlisa \e[22mmay run any command on any host in the \e[4mCUNETS\e[24m alias (the
+ The user l\bli\bis\bsa\ba may run any command on any host in the _\bC_\bU_\bN_\bE_\bT_\bS alias (the
class B network 128.138.0.0).
operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
sudoedit /etc/printcap, /usr/oper/bin/
- The \e[1moperator \e[22muser may run commands limited to simple maintenance.
+ The o\bop\bpe\ber\bra\bat\bto\bor\br user may run commands limited to simple maintenance.
Here, those are commands related to backups, killing processes, the
printing system, shutting down the system, and any commands in the
- directory \e[4m/usr/oper/bin/\e[24m.
+ directory _\b/_\bu_\bs_\br_\b/_\bo_\bp_\be_\br_\b/_\bb_\bi_\bn_\b/.
joe ALL = /usr/bin/su operator
- The user \e[1mjoe \e[22mmay only \e[4msu\e[24m(1) to operator.
+ The user j\bjo\boe\be may only _\bs_\bu(1) to operator.
pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
%opers ALL = (: ADMINGRP) /usr/sbin/
- Users in the \e[1mopers \e[22mgroup may run commands in \e[4m/usr/sbin/\e[24m as themselves
- with any group in the \e[4mADMINGRP\e[24m Runas_Alias (the \e[1madm \e[22mand \e[1moper \e[22mgroups).
+ Users in the o\bop\bpe\ber\brs\bs group may run commands in _\b/_\bu_\bs_\br_\b/_\bs_\bb_\bi_\bn_\b/ as themselves
+ with any group in the _\bA_\bD_\bM_\bI_\bN_\bG_\bR_\bP Runas_Alias (the a\bad\bdm\bm and o\bop\bpe\ber\br groups).
- The user \e[1mpete \e[22mis allowed to change anyone's password except for root on
- the \e[4mHPPA\e[24m machines. Note that this assumes \e[4mpasswd\e[24m(1) does not take
+ The user p\bpe\bet\bte\be is allowed to change anyone's password except for root on
+ the _\bH_\bP_\bP_\bA machines. Note that this assumes _\bp_\ba_\bs_\bs_\bw_\bd(1) does not take
multiple user names on the command line.
bob SPARC = (OP) ALL : SGI = (OP) ALL
- The user \e[1mbob \e[22mmay run anything on the \e[4mSPARC\e[24m and \e[4mSGI\e[24m machines as any user
- listed in the \e[4mOP\e[24m Runas_Alias (\e[1mroot \e[22mand \e[1moperator\e[22m).
+ The user b\bbo\bob\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI machines as any user
+ listed in the _\bO_\bP Runas_Alias (r\bro\boo\bot\bt and o\bop\bpe\ber\bra\bat\bto\bor\br).
jim +biglab = ALL
- The user \e[1mjim \e[22mmay run any command on machines in the \e[4mbiglab\e[24m netgroup.
- \e[1msudo \e[22mknows that "biglab" is a netgroup due to the '+' prefix.
+ The user j\bji\bim\bm may run any command on machines in the _\bb_\bi_\bg_\bl_\ba_\bb netgroup.
+ s\bsu\bud\bdo\bo knows that "biglab" is a netgroup due to the '+' prefix.
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
- Users in the \e[1msecretaries \e[22mnetgroup need to help manage the printers as
+ Users in the s\bse\bec\bcr\bre\bet\bta\bar\bri\bie\bes\bs netgroup need to help manage the printers as
well as add and remove users, so they are allowed to run those commands
on all machines.
fred ALL = (DB) NOPASSWD: ALL
- The user \e[1mfred \e[22mcan run commands as any user in the \e[4mDB\e[24m Runas_Alias
- (\e[1moracle \e[22mor \e[1msybase\e[22m) without giving a password.
+ The user f\bfr\bre\bed\bd can run commands as any user in the _\bD_\bB Runas_Alias
+ (o\bor\bra\bac\bcl\ble\be or s\bsy\byb\bba\bas\bse\be) without giving a password.
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
- On the \e[4mALPHA\e[24m machines, user \e[1mjohn \e[22mmay su to anyone except root but he is
- not allowed to specify any options to the \e[4msu\e[24m(1) command.
+ On the _\bA_\bL_\bP_\bH_\bA machines, user j\bjo\boh\bhn\bn may su to anyone except root but he is
+ not allowed to specify any options to the _\bs_\bu(1) command.
jen ALL, !SERVERS = ALL
- The user \e[1mjen \e[22mmay run any command on any machine except for those in the
- \e[4mSERVERS\e[24m Host_Alias (master, mail, www and ns).
+ The user j\bje\ben\bn may run any command on any machine except for those in the
+ _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias (master, mail, www and ns).
jill SERVERS = /usr/bin/, !SU, !SHELLS
- For any machine in the \e[4mSERVERS\e[24m Host_Alias, \e[1mjill \e[22mmay run any commands in
- the directory \e[4m/usr/bin/\e[24m except for those commands belonging to the \e[4mSU\e[0m
- and \e[4mSHELLS\e[24m Cmnd_Aliases.
+ For any machine in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, j\bji\bil\bll\bl may run any commands in
+ the directory _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/ except for those commands belonging to the _\bS_\bU
+ and _\bS_\bH_\bE_\bL_\bL_\bS Cmnd_Aliases.
steve CSNETS = (operator) /usr/local/op_commands/
- The user \e[1msteve \e[22mmay run any command in the directory
+ The user s\bst\bte\bev\bve\be may run any command in the directory
/usr/local/op_commands/ but only as user operator.
matt valkyrie = KILL
- On his personal workstation, valkyrie, \e[1mmatt \e[22mneeds to be able to kill
+ On his personal workstation, valkyrie, m\bma\bat\btt\bt needs to be able to kill
hung processes.
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
- On the host www, any user in the \e[4mWEBMASTERS\e[24m User_Alias (will, wendy,
+ On the host www, any user in the _\bW_\bE_\bB_\bM_\bA_\bS_\bT_\bE_\bR_\bS User_Alias (will, wendy,
and wim), may run any command as user www (which owns the web pages) or
- simply \e[4msu\e[24m(1) to www.
+ simply _\bs_\bu(1) to www.
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
/sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
This is a bit tedious for users to type, so it is a prime candidate for
encapsulating in a shell script.
-\e[1mSECURITY NOTES\e[0m
+S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
It is generally not effective to "subtract" commands from ALL using the
'!' operator. A user can trivially circumvent this by copying the
desired command to a different name and then executing that. For
bill ALL = ALL, !SU, !SHELLS
- Doesn't really prevent \e[1mbill \e[22mfrom running the commands listed in \e[4mSU\e[24m or
- \e[4mSHELLS\e[24m since he can simply copy those commands to a different name, or
+ Doesn't really prevent b\bbi\bil\bll\bl from running the commands listed in _\bS_\bU or
+ _\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those commands to a different name, or
use a shell escape from an editor or other program. Therefore, these
kind of restrictions should be considered advisory at best (and
reinforced by policy).
- Furthermore, if the \e[4mfast_glob\e[24m option is in use, it is not possible to
+ Furthermore, if the _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb option is in use, it is not possible to
reliably negate commands where the path name includes globbing (aka
- wildcard) characters. This is because the C library's \e[4mfnmatch\e[24m(3)
+ wildcard) characters. This is because the C library's _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3)
function cannot resolve relative paths. While this is typically only
an inconvenience for rules that grant privileges, it can result in a
security issue for rules that subtract or revoke privileges.
- For example, given the following \e[4msudoers\e[24m entry:
+ For example, given the following _\bs_\bu_\bd_\bo_\be_\br_\bs entry:
john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
/usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
- User \e[1mjohn \e[22mcan still run /usr/bin/passwd root if \e[4mfast_glob\e[24m is enabled by
- changing to \e[4m/usr/bin\e[24m and running ./passwd root instead.
+ User j\bjo\boh\bhn\bn can still run /usr/bin/passwd root if _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is enabled by
+ changing to _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn and running ./passwd root instead.
-\e[1mPREVENTING SHELL ESCAPES\e[0m
- Once \e[1msudo \e[22mexecutes a program, that program is free to do whatever it
+P\bPR\bRE\bEV\bVE\bEN\bNT\bTI\bIN\bNG\bG S\bSH\bHE\bEL\bLL\bL E\bES\bSC\bCA\bAP\bPE\bES\bS
+ Once s\bsu\bud\bdo\bo executes a program, that program is free to do whatever it
pleases, including run other programs. This can be a security issue
since it is not uncommon for a program to allow shell escapes, which
- lets a user bypass \e[1msudo\e[22m's access control and logging. Common programs
+ lets a user bypass s\bsu\bud\bdo\bo's access control and logging. Common programs
that permit shell escapes include shells (obviously), editors,
paginators, mail and terminal programs.
restrict Avoid giving users access to commands that allow the user to
run arbitrary commands. Many editors have a restricted mode
- where shell escapes are disabled, though \e[1msudoedit \e[22mis a better
- solution to running editors via \e[1msudo\e[22m. Due to the large
+ where shell escapes are disabled, though s\bsu\bud\bdo\boe\bed\bdi\bit\bt is a better
+ solution to running editors via s\bsu\bud\bdo\bo. Due to the large
number of programs that offer shell escapes, restricting
users to the set of programs that do not is often unworkable.
noexec Many systems that support shared libraries have the ability
to override default library functions by pointing an
environment variable (usually LD_PRELOAD) to an alternate
- shared library. On such systems, \e[1msudo\e[22m's \e[4mnoexec\e[24m functionality
- can be used to prevent a program run by \e[1msudo \e[22mfrom executing
+ shared library. On such systems, s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality
+ can be used to prevent a program run by s\bsu\bud\bdo\bo from executing
any other programs. Note, however, that this applies only to
native dynamically-linked executables. Statically-linked
executables and foreign executables running under binary
emulation are not affected.
- To tell whether or not \e[1msudo \e[22msupports \e[4mnoexec\e[24m, you can run the
+ To tell whether or not s\bsu\bud\bdo\bo supports _\bn_\bo_\be_\bx_\be_\bc, you can run the
following as root:
sudo -V | grep "dummy exec"
File containing dummy exec functions:
- then \e[1msudo \e[22mmay be able to replace the exec family of functions
+ then s\bsu\bud\bdo\bo may be able to replace the exec family of functions
in the standard library with its own that simply return an
error. Unfortunately, there is no foolproof way to know
- whether or not \e[4mnoexec\e[24m will work at compile-time. \e[4mnoexec\e[0m
+ whether or not _\bn_\bo_\be_\bx_\be_\bc will work at compile-time. _\bn_\bo_\be_\bx_\be_\bc
should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX,
- MacOS X, and HP-UX 11.x. It is known \e[1mnot \e[22mto work on AIX and
- UnixWare. \e[4mnoexec\e[24m is expected to work on most operating
+ MacOS X, and HP-UX 11.x. It is known n\bno\bot\bt to work on AIX and
+ UnixWare. _\bn_\bo_\be_\bx_\be_\bc is expected to work on most operating
systems that support the LD_PRELOAD environment variable.
Check your operating system's manual pages for the dynamic
linker (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader)
to see if LD_PRELOAD is supported.
- To enable \e[4mnoexec\e[24m for a command, use the NOEXEC tag as
+ To enable _\bn_\bo_\be_\bx_\be_\bc for a command, use the NOEXEC tag as
documented in the User Specification section above. Here is
that example again:
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
- This allows user \e[1maaron \e[22mto run \e[4m/usr/bin/more\e[24m and \e[4m/usr/bin/vi\e[0m
- with \e[4mnoexec\e[24m enabled. This will prevent those two commands
+ This allows user a\baa\bar\bro\bon\bn to run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi
+ with _\bn_\bo_\be_\bx_\be_\bc enabled. This will prevent those two commands
from executing other commands (such as a shell). If you are
unsure whether or not your system is capable of supporting
- \e[4mnoexec\e[24m you can always just try it out and see if it works.
+ _\bn_\bo_\be_\bx_\be_\bc you can always just try it out and see if it works.
Note that restricting shell escapes is not a panacea. Programs running
as root are still capable of many potentially hazardous operations
(such as changing or overwriting files) that could lead to unintended
privilege escalation. In the specific case of an editor, a safer
- approach is to give the user permission to run \e[1msudoedit\e[22m.
+ approach is to give the user permission to run s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
-\e[1mSEE ALSO\e[0m
- \e[4mrsh\e[24m(1), \e[4msu\e[24m(1), \e[4mfnmatch\e[24m(3), \e[4mglob\e[24m(3), \e[4msudo\e[24m(1m), \e[4mvisudo\e[24m(8)
+S\bSE\bEE\bE A\bAL\bLS\bSO\bO
+ _\br_\bs_\bh(1), _\bs_\bu(1), _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3), _\bg_\bl_\bo_\bb(3), _\bs_\bu_\bd_\bo(1m), _\bv_\bi_\bs_\bu_\bd_\bo(8)
-\e[1mCAVEATS\e[0m
- The \e[4msudoers\e[24m file should \e[1malways \e[22mbe edited by the \e[1mvisudo \e[22mcommand which
+C\bCA\bAV\bVE\bEA\bAT\bTS\bS
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs file should a\bal\blw\bwa\bay\bys\bs be edited by the v\bvi\bis\bsu\bud\bdo\bo command which
locks the file and does grammatical checking. It is imperative that
- \e[4msudoers\e[24m be free of syntax errors since \e[1msudo \e[22mwill not run with a
- syntactically incorrect \e[4msudoers\e[24m file.
+ _\bs_\bu_\bd_\bo_\be_\br_\bs be free of syntax errors since s\bsu\bud\bdo\bo will not run with a
+ syntactically incorrect _\bs_\bu_\bd_\bo_\be_\br_\bs file.
When using netgroups of machines (as opposed to users), if you store
fully qualified host name in the netgroup (as is usually the case), you
either need to have the machine's host name be fully qualified as
- returned by the hostname command or use the \e[4mfqdn\e[24m option in \e[4msudoers\e[24m.
+ returned by the hostname command or use the _\bf_\bq_\bd_\bn option in _\bs_\bu_\bd_\bo_\be_\br_\bs.
-\e[1mBUGS\e[0m
- If you feel you have found a bug in \e[1msudo\e[22m, please submit a bug report at
+B\bBU\bUG\bGS\bS
+ If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
http://www.sudo.ws/sudo/bugs/
-\e[1mSUPPORT\e[0m
+S\bSU\bUP\bPP\bPO\bOR\bRT\bT
Limited free support is available via the sudo-users mailing list, see
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
the archives.
-\e[1mDISCLAIMER\e[0m
- \e[1msudo \e[22mis provided ``AS IS'' and any express or implied warranties,
+D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
+ s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose are disclaimed.
- See the LICENSE file distributed with \e[1msudo \e[22mor
+ See the LICENSE file distributed with s\bsu\bud\bdo\bo or
http://www.sudo.ws/sudo/license.html for complete details.
-1.7.7 August 13, 2011 SUDOERS(4)
+1.7.8 September 16, 2011 SUDOERS(4)
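Review bot: the only content change in the sudoers(4) catpage is the footer line, 1.7.7 August 13, 2011 to 1.7.8 September 16, 2011; every other -/+ pair is the same sentence re-emitted with backspace overstrike (b\bbo\bob\bb, _\bS_\bP_\bA_\bR_\bC) instead of ANSI SGR escapes (\e[1m, \e[4m, \e[0m). State in the commit message that the preformatted manuals were regenerated with the overstrike convention, so that a reader of this diff does not hunt for wording changes in the SECURITY NOTES and PREVENTING SHELL ESCAPES sections that are not there. Since this file is generated output, any wording fix should go to the manual source rather than to the catpage.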
-\e[1mNAME\e[0m
+N\bNA\bAM\bME\bE
sudoers.ldap - sudo LDAP configuration
-\e[1mDESCRIPTION\e[0m
- In addition to the standard \e[4msudoers\e[24m file, \e[1msudo \e[22mmay be configured via
- LDAP. This can be especially useful for synchronizing \e[4msudoers\e[24m in a
+D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
+ In addition to the standard _\bs_\bu_\bd_\bo_\be_\br_\bs file, s\bsu\bud\bdo\bo may be configured via
+ LDAP. This can be especially useful for synchronizing _\bs_\bu_\bd_\bo_\be_\br_\bs in a
large, distributed environment.
- Using LDAP for \e[4msudoers\e[24m has several benefits:
+ Using LDAP for _\bs_\bu_\bd_\bo_\be_\br_\bs has several benefits:
- +\bo \e[1msudo \e[22mno longer needs to read \e[4msudoers\e[24m in its entirety. When LDAP is
+ +\bo s\bsu\bud\bdo\bo no longer needs to read _\bs_\bu_\bd_\bo_\be_\br_\bs in its entirety. When LDAP is
used, there are only two or three LDAP queries per invocation.
This makes it especially fast and particularly usable in LDAP
environments.
- +\bo \e[1msudo \e[22mno longer exits if there is a typo in \e[4msudoers\e[24m. It is not
+ +\bo s\bsu\bud\bdo\bo no longer exits if there is a typo in _\bs_\bu_\bd_\bo_\be_\br_\bs. It is not
possible to load LDAP data into the server that does not conform to
the sudoers schema, so proper syntax is guaranteed. It is still
possible to have typos in a user or host name, but this will not
- prevent \e[1msudo \e[22mfrom running.
+ prevent s\bsu\bud\bdo\bo from running.
+\bo It is possible to specify per-entry options that override the
- global default options. \e[4m/etc/sudoers\e[24m only supports default options
+ global default options. _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs only supports default options
and limited options associated with user/host/commands/aliases.
The syntax is complicated and can be difficult for users to
understand. Placing the options directly in the entry is more
natural.
- +\bo The \e[1mvisudo \e[22mprogram is no longer needed. \e[1mvisudo \e[22mprovides locking
- and syntax checking of the \e[4m/etc/sudoers\e[24m file. Since LDAP updates
+ +\bo The v\bvi\bis\bsu\bud\bdo\bo program is no longer needed. v\bvi\bis\bsu\bud\bdo\bo provides locking
+ and syntax checking of the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs file. Since LDAP updates
are atomic, locking is no longer necessary. Because syntax is
checked when the data is inserted into LDAP, there is no need for a
specialized tool to check syntax.
- Another major difference between LDAP and file-based \e[4msudoers\e[24m is that in
- LDAP, \e[1msudo\e[22m-specific Aliases are not supported.
+ Another major difference between LDAP and file-based _\bs_\bu_\bd_\bo_\be_\br_\bs is that in
+ LDAP, s\bsu\bud\bdo\bo-specific Aliases are not supported.
- For the most part, there is really no need for \e[1msudo\e[22m-specific Aliases.
+ For the most part, there is really no need for s\bsu\bud\bdo\bo-specific Aliases.
Unix groups or user netgroups can be used in place of User_Aliases and
Runas_Aliases. Host netgroups can be used in place of Host_Aliases.
Since Unix groups and netgroups can also be stored in LDAP there is no
- real need for \e[1msudo\e[22m-specific aliases.
+ real need for s\bsu\bud\bdo\bo-specific aliases.
Cmnd_Aliases are not really required either since it is possible to
have multiple users listed in a sudoRole. Instead of defining a
Cmnd_Alias that is referenced by multiple users, one can create a
sudoRole that contains the commands and assign multiple users to it.
- \e[1mSUDOers LDAP container\e[0m
- The \e[4msudoers\e[24m configuration is contained in the ou=SUDOers LDAP
+ S\bSU\bUD\bDO\bOe\ber\brs\bs L\bLD\bDA\bAP\bP c\bco\bon\bnt\bta\bai\bin\bne\ber\br
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs configuration is contained in the ou=SUDOers LDAP
container.
Sudo first looks for the cn=default entry in the SUDOers container. If
found, the multi-valued sudoOption attribute is parsed in the same
- manner as a global Defaults line in \e[4m/etc/sudoers\e[24m. In the following
+ manner as a global Defaults line in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. In the following
example, the SSH_AUTH_SOCK variable will be preserved in the
environment for all users.
The equivalent of a sudoer in LDAP is a sudoRole. It consists of the
following attributes:
- \e[1msudoUser\e[0m
+ s\bsu\bud\bdo\boU\bUs\bse\ber\br
A user name, uid (prefixed with '#'), Unix group (prefixed with a
'%') or user netgroup (prefixed with a '+').
- \e[1msudoHost\e[0m
+ s\bsu\bud\bdo\boH\bHo\bos\bst\bt
A host name, IP address, IP network, or host netgroup (prefixed
with a '+'). The special value ALL will match any host.
- \e[1msudoCommand\e[0m
+ s\bsu\bud\bdo\boC\bCo\bom\bmm\bma\ban\bnd\bd
A Unix command with optional command line arguments, potentially
including globbing characters (aka wild cards). The special value
ALL will match any command. If a command is prefixed with an
exclamation point '!', the user will be prohibited from running
that command.
- \e[1msudoOption\e[0m
+ s\bsu\bud\bdo\boO\bOp\bpt\bti\bio\bon\bn
Identical in function to the global options described above, but
specific to the sudoRole in which it resides.
- \e[1msudoRunAsUser\e[0m
+ s\bsu\bud\bdo\boR\bRu\bun\bnA\bAs\bsU\bUs\bse\ber\br
A user name or uid (prefixed with '#') that commands may be run as
or a Unix group (prefixed with a '%') or user netgroup (prefixed
with a '+') that contains a list of users that commands may be run
as. The special value ALL will match any user.
- The sudoRunAsUser attribute is only available in \e[1msudo \e[22mversions
- 1.7.0 and higher. Older versions of \e[1msudo \e[22muse the sudoRunAs
+ The sudoRunAsUser attribute is only available in s\bsu\bud\bdo\bo versions
+ 1.7.0 and higher. Older versions of s\bsu\bud\bdo\bo use the sudoRunAs
attribute instead.
- \e[1msudoRunAsGroup\e[0m
+ s\bsu\bud\bdo\boR\bRu\bun\bnA\bAs\bsG\bGr\bro\bou\bup\bp
A Unix group or gid (prefixed with '#') that commands may be run
as. The special value ALL will match any group.
- The sudoRunAsGroup attribute is only available in \e[1msudo \e[22mversions
+ The sudoRunAsGroup attribute is only available in s\bsu\bud\bdo\bo versions
1.7.0 and higher.
- \e[1msudoNotBefore\e[0m
+ s\bsu\bud\bdo\boN\bNo\bot\btB\bBe\bef\bfo\bor\bre\be
A timestamp in the form yyyymmddHHMMSSZ that can be used to provide
a start date/time for when the sudoRole will be valid. If multiple
sudoNotBefore entries are present, the earliest is used. Note that
some LDAP servers require that they be present (contrary to the
RFC).
- The sudoNotBefore attribute is only available in \e[1msudo \e[22mversions
+ The sudoNotBefore attribute is only available in s\bsu\bud\bdo\bo versions
1.7.5 and higher and must be explicitly enabled via the
- \e[1mSUDOERS_TIMED \e[22moption in \e[4m/etc/ldap.conf\e[24m.
+ S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD option in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf.
- \e[1msudoNotAfter\e[0m
+ s\bsu\bud\bdo\boN\bNo\bot\btA\bAf\bft\bte\ber\br
A timestamp in the form yyyymmddHHMMSSZ that indicates an
expiration date/time, after which the sudoRole will no longer be
valid. If multiple sudoNotBefore entries are present, the last one
portions are optional, but some LDAP servers require that they be
present (contrary to the RFC).
- The sudoNotAfter attribute is only available in \e[1msudo \e[22mversions 1.7.5
- and higher and must be explicitly enabled via the \e[1mSUDOERS_TIMED\e[0m
- option in \e[4m/etc/ldap.conf\e[24m.
+ The sudoNotAfter attribute is only available in s\bsu\bud\bdo\bo versions 1.7.5
+ and higher and must be explicitly enabled via the S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD
+ option in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf.
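Review bot: the sudoNotAfter description in this region still reads "If multiple sudoNotBefore entries are present, the last one" (the context line above the SUDOERS_TIMED sentence), which looks copied from the sudoNotBefore paragraph; for the expiration attribute it should refer to multiple sudoNotAfter entries. Both the ANSI and the overstrike renderings carry the same text, so the fix belongs in the manual source the catpage is generated from and can ride along with the version bump.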
- \e[1msudoOrder\e[0m
+ s\bsu\bud\bdo\boO\bOr\brd\bde\ber\br
The sudoRole entries retrieved from the LDAP directory have no
inherent order. The sudoOrder attribute is an integer (or floating
point value for LDAP servers that support it) that is used to sort
corresponds to the "last match" behavior of the sudoers file. If
the sudoOrder attribute is not present, a value of 0 is assumed.
- The sudoOrder attribute is only available in \e[1msudo \e[22mversions 1.7.5
+ The sudoOrder attribute is only available in s\bsu\bud\bdo\bo versions 1.7.5
and higher.
Each attribute listed above should contain a single value, but there
contain at least one sudoUser, sudoHost and sudoCommand.
The following example allows users in group wheel to run any command on
- any host via \e[1msudo\e[22m:
+ any host via s\bsu\bud\bdo\bo:
dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
objectClass: top
sudoHost: ALL
sudoCommand: ALL
- \e[1mAnatomy of LDAP sudoers lookup\e[0m
+ A\bAn\bna\bat\bto\bom\bmy\by o\bof\bf L\bLD\bDA\bAP\bP s\bsu\bud\bdo\boe\ber\brs\bs l\blo\boo\bok\bku\bup\bp
When looking up a sudoer using LDAP there are only two or three LDAP
queries per invocation. The first query is to parse the global
options. The second is to match against the user's name and the groups
third query returns all entries containing user netgroups and checks to
see if the user belongs to any of them.
- If timed entries are enabled with the \e[1mSUDOERS_TIMED \e[22mconfiguration
+ If timed entries are enabled with the S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD configuration
directive, the LDAP queries include a subfilter that limits retrieval
to entries that satisfy the time constraints, if any.
- \e[1mDifferences between LDAP and non-LDAP sudoers\e[0m
+ D\bDi\bif\bff\bfe\ber\bre\ben\bnc\bce\bes\bs b\bbe\bet\btw\bwe\bee\ben\bn L\bLD\bDA\bAP\bP a\ban\bnd\bd n\bno\bon\bn-\b-L\bLD\bDA\bAP\bP s\bsu\bud\bdo\boe\ber\brs\bs
There are some subtle differences in the way sudoers is handled once in
LDAP. Probably the biggest is that according to the RFC, LDAP ordering
is arbitrary and you cannot expect that Attributes and Entries are
sudoHost: ALL
sudoHost: !web01
- \e[1mSudoers Schema\e[0m
- In order to use \e[1msudo\e[22m's LDAP support, the \e[1msudo \e[22mschema must be installed
+ S\bSu\bud\bdo\boe\ber\brs\bs S\bSc\bch\bhe\bem\bma\ba
+ In order to use s\bsu\bud\bdo\bo's LDAP support, the s\bsu\bud\bdo\bo schema must be installed
on your LDAP server. In addition, be sure to index the 'sudoUser'
attribute.
Three versions of the schema: one for OpenLDAP servers
- (\e[4mschema.OpenLDAP\e[24m), one for Netscape-derived servers (\e[4mschema.iPlanet\e[24m),
- and one for Microsoft Active Directory (\e[4mschema.ActiveDirectory\e[24m) may be
- found in the \e[1msudo \e[22mdistribution.
+ (_\bs_\bc_\bh_\be_\bm_\ba_\b._\bO_\bp_\be_\bn_\bL_\bD_\bA_\bP), one for Netscape-derived servers (_\bs_\bc_\bh_\be_\bm_\ba_\b._\bi_\bP_\bl_\ba_\bn_\be_\bt),
+ and one for Microsoft Active Directory (_\bs_\bc_\bh_\be_\bm_\ba_\b._\bA_\bc_\bt_\bi_\bv_\be_\bD_\bi_\br_\be_\bc_\bt_\bo_\br_\by) may be
+ found in the s\bsu\bud\bdo\bo distribution.
- The schema for \e[1msudo \e[22min OpenLDAP form is included in the EXAMPLES
+ The schema for s\bsu\bud\bdo\bo in OpenLDAP form is included in the EXAMPLES
section.
- \e[1mConfiguring ldap.conf\e[0m
- Sudo reads the \e[4m/etc/ldap.conf\e[24m file for LDAP-specific configuration.
+ C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg l\bld\bda\bap\bp.\b.c\bco\bon\bnf\bf
+ Sudo reads the _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf file for LDAP-specific configuration.
Typically, this file is shared amongst different LDAP-aware clients.
- As such, most of the settings are not \e[1msudo\e[22m-specific. Note that \e[1msudo\e[0m
- parses \e[4m/etc/ldap.conf\e[24m itself and may support options that differ from
- those described in the \e[4mldap.conf\e[24m(4) manual.
+ As such, most of the settings are not s\bsu\bud\bdo\bo-specific. Note that s\bsu\bud\bdo\bo
+ parses _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf itself and may support options that differ from
+ those described in the _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(4) manual.
Also note that on systems using the OpenLDAP libraries, default values
- specified in \e[4m/etc/openldap/ldap.conf\e[24m or the user's \e[4m.ldaprc\e[24m files are
+ specified in _\b/_\be_\bt_\bc_\b/_\bo_\bp_\be_\bn_\bl_\bd_\ba_\bp_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf or the user's _\b._\bl_\bd_\ba_\bp_\br_\bc files are
not used.
- Only those options explicitly listed in \e[4m/etc/ldap.conf\e[24m as being
- supported by \e[1msudo \e[22mare honored. Configuration options are listed below
+ Only those options explicitly listed in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf as being
+ supported by s\bsu\bud\bdo\bo are honored. Configuration options are listed below
in upper case but are parsed in a case-independent manner.
- \e[1mURI \e[22mldap[s]://[hostname[:port]] ...
+ U\bUR\bRI\bI ldap[s]://[hostname[:port]] ...
Specifies a whitespace-delimited list of one or more URIs
- describing the LDAP server(s) to connect to. The \e[4mprotocol\e[24m may be
- either \e[1mldap \e[22mor \e[1mldaps\e[22m, the latter being for servers that support TLS
- (SSL) encryption. If no \e[4mport\e[24m is specified, the default is port 389
- for ldap:// or port 636 for ldaps://. If no \e[4mhostname\e[24m is specified,
- \e[1msudo \e[22mwill connect to \e[1mlocalhost\e[22m. Multiple \e[1mURI \e[22mlines are treated
- identically to a \e[1mURI \e[22mline containing multiple entries. Only
+ describing the LDAP server(s) to connect to. The _\bp_\br_\bo_\bt_\bo_\bc_\bo_\bl may be
+ either l\bld\bda\bap\bp or l\bld\bda\bap\bps\bs, the latter being for servers that support TLS
+ (SSL) encryption. If no _\bp_\bo_\br_\bt is specified, the default is port 389
+ for ldap:// or port 636 for ldaps://. If no _\bh_\bo_\bs_\bt_\bn_\ba_\bm_\be is specified,
+ s\bsu\bud\bdo\bo will connect to l\blo\boc\bca\bal\blh\bho\bos\bst\bt. Multiple U\bUR\bRI\bI lines are treated
+ identically to a U\bUR\bRI\bI line containing multiple entries. Only
systems using the OpenSSL libraries support the mixing of ldap://
and ldaps:// URIs. The Netscape-derived libraries used on most
commercial versions of Unix are only capable of supporting one or
the other.
- \e[1mHOST \e[22mname[:port] ...
- If no \e[1mURI \e[22mis specified, the \e[1mHOST \e[22mparameter specifies a whitespace-
+ H\bHO\bOS\bST\bT name[:port] ...
+ If no U\bUR\bRI\bI is specified, the H\bHO\bOS\bST\bT parameter specifies a whitespace-
delimited list of LDAP servers to connect to. Each host may
- include an optional \e[4mport\e[24m separated by a colon (':'). The \e[1mHOST\e[0m
- parameter is deprecated in favor of the \e[1mURI \e[22mspecification and is
+ include an optional _\bp_\bo_\br_\bt separated by a colon (':'). The H\bHO\bOS\bST\bT
+ parameter is deprecated in favor of the U\bUR\bRI\bI specification and is
included for backwards compatibility.
- \e[1mPORT \e[22mport_number
- If no \e[1mURI \e[22mis specified, the \e[1mPORT \e[22mparameter specifies the default
- port to connect to on the LDAP server if a \e[1mHOST \e[22mparameter does not
- specify the port itself. If no \e[1mPORT \e[22mparameter is used, the default
+ P\bPO\bOR\bRT\bT port_number
+ If no U\bUR\bRI\bI is specified, the P\bPO\bOR\bRT\bT parameter specifies the default
+ port to connect to on the LDAP server if a H\bHO\bOS\bST\bT parameter does not
+ specify the port itself. If no P\bPO\bOR\bRT\bT parameter is used, the default
is port 389 for LDAP and port 636 for LDAP over TLS (SSL). The
- \e[1mPORT \e[22mparameter is deprecated in favor of the \e[1mURI \e[22mspecification and
+ P\bPO\bOR\bRT\bT parameter is deprecated in favor of the U\bUR\bRI\bI specification and
is included for backwards compatibility.
- \e[1mBIND_TIMELIMIT \e[22mseconds
- The \e[1mBIND_TIMELIMIT \e[22mparameter specifies the amount of time, in
+ B\bBI\bIN\bND\bD_\b_T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT seconds
+ The B\bBI\bIN\bND\bD_\b_T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT parameter specifies the amount of time, in
seconds, to wait while trying to connect to an LDAP server. If
- multiple \e[1mURI\e[22ms or \e[1mHOST\e[22ms are specified, this is the amount of time to
+ multiple U\bUR\bRI\bIs or H\bHO\bOS\bST\bTs are specified, this is the amount of time to
wait before trying the next one in the list.
- \e[1mNETWORK_TIMEOUT \e[22mseconds
- An alias for \e[1mBIND_TIMELIMIT \e[22mfor OpenLDAP compatibility.
+ N\bNE\bET\bTW\bWO\bOR\bRK\bK_\b_T\bTI\bIM\bME\bEO\bOU\bUT\bT seconds
+ An alias for B\bBI\bIN\bND\bD_\b_T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT for OpenLDAP compatibility.
- \e[1mTIMELIMIT \e[22mseconds
- The \e[1mTIMELIMIT \e[22mparameter specifies the amount of time, in seconds,
+ T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT seconds
+ The T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT parameter specifies the amount of time, in seconds,
to wait for a response to an LDAP query.
- \e[1mTIMEOUT \e[22mseconds
- The \e[1mTIMEOUT \e[22mparameter specifies the amount of time, in seconds, to
+ T\bTI\bIM\bME\bEO\bOU\bUT\bT seconds
+ The T\bTI\bIM\bME\bEO\bOU\bUT\bT parameter specifies the amount of time, in seconds, to
wait for a response from the various LDAP APIs.
- \e[1mSUDOERS_BASE \e[22mbase
- The base DN to use when performing \e[1msudo \e[22mLDAP queries. Typically
+ S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_B\bBA\bAS\bSE\bE base
+ The base DN to use when performing s\bsu\bud\bdo\bo LDAP queries. Typically
this is of the form ou=SUDOers,dc=example,dc=com for the domain
- example.com. Multiple \e[1mSUDOERS_BASE \e[22mlines may be specified, in
+ example.com. Multiple S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_B\bBA\bAS\bSE\bE lines may be specified, in
which case they are queried in the order specified.
- \e[1mSUDOERS_SEARCH_FILTER \e[22mldap_filter
+ S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_S\bSE\bEA\bAR\bRC\bCH\bH_\b_F\bFI\bIL\bLT\bTE\bER\bR ldap_filter
An LDAP filter which is used to restrict the set of records
- returned when performing a \e[1msudo \e[22mLDAP query. Typically, this is of
+ returned when performing a s\bsu\bud\bdo\bo LDAP query. Typically, this is of
the form attribute=value or
(&(attribute=value)(attribute2=value2)).
- \e[1mSUDOERS_TIMED \e[22mon/true/yes/off/false/no
+ S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD on/true/yes/off/false/no
Whether or not to evaluate the sudoNotBefore and sudoNotAfter
attributes that implement time-dependent sudoers entries.
- \e[1mSUDOERS_DEBUG \e[22mdebug_level
- This sets the debug level for \e[1msudo \e[22mLDAP queries. Debugging
+ S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_D\bDE\bEB\bBU\bUG\bG debug_level
+ This sets the debug level for s\bsu\bud\bdo\bo LDAP queries. Debugging
information is printed to the standard error. A value of 1 results
in a moderate amount of debugging information. A value of 2 shows
the results of the matches themselves. This parameter should not
be set in a production environment as the extra information is
likely to confuse users.
- \e[1mBINDDN \e[22mDN
- The \e[1mBINDDN \e[22mparameter specifies the identity, in the form of a
+ B\bBI\bIN\bND\bDD\bDN\bN DN
+ The B\bBI\bIN\bND\bDD\bDN\bN parameter specifies the identity, in the form of a
Distinguished Name (DN), to use when performing LDAP operations.
If not specified, LDAP operations are performed with an anonymous
identity. By default, most LDAP servers will allow anonymous
access.
- \e[1mBINDPW \e[22msecret
- The \e[1mBINDPW \e[22mparameter specifies the password to use when performing
+ B\bBI\bIN\bND\bDP\bPW\bW secret
+ The B\bBI\bIN\bND\bDP\bPW\bW parameter specifies the password to use when performing
LDAP operations. This is typically used in conjunction with the
- \e[1mBINDDN \e[22mparameter.
+ B\bBI\bIN\bND\bDD\bDN\bN parameter.
- \e[1mROOTBINDDN \e[22mDN
- The \e[1mROOTBINDDN \e[22mparameter specifies the identity, in the form of a
+ R\bRO\bOO\bOT\bTB\bBI\bIN\bND\bDD\bDN\bN DN
+ The R\bRO\bOO\bOT\bTB\bBI\bIN\bND\bDD\bDN\bN parameter specifies the identity, in the form of a
Distinguished Name (DN), to use when performing privileged LDAP
- operations, such as \e[4msudoers\e[24m queries. The password corresponding to
- the identity should be stored in \e[4m/etc/ldap.secret\e[24m. If not
- specified, the \e[1mBINDDN \e[22midentity is used (if any).
+ operations, such as _\bs_\bu_\bd_\bo_\be_\br_\bs queries. The password corresponding to
+ the identity should be stored in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bs_\be_\bc_\br_\be_\bt. If not
+ specified, the B\bBI\bIN\bND\bDD\bDN\bN identity is used (if any).
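Review bot: the BINDPW paragraph above places a cleartext password in /etc/ldap.conf, which the Configuring ldap.conf introduction describes as a file typically shared amongst different LDAP-aware clients, while the ROOTBINDDN paragraph keeps its password in the separate /etc/ldap.secret for privileged operations such as sudoers queries. The text should say which of the two is preferred for the sudoers bind and that a BINDPW in the shared file is exposed to anyone who can read ldap.conf; a one-line cross-reference from BINDPW to ROOTBINDDN and /etc/ldap.secret would do.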
- \e[1mLDAP_VERSION \e[22mnumber
+ L\bLD\bDA\bAP\bP_\b_V\bVE\bER\bRS\bSI\bIO\bON\bN number
The version of the LDAP protocol to use when connecting to the
server. The default value is protocol version 3.
- \e[1mSSL \e[22mon/true/yes/off/false/no
- If the \e[1mSSL \e[22mparameter is set to on, true or yes, TLS (SSL)
+ S\bSS\bSL\bL on/true/yes/off/false/no
+ If the S\bSS\bSL\bL parameter is set to on, true or yes, TLS (SSL)
encryption is always used when communicating with the LDAP server.
Typically, this involves connecting to the server on port 636
(ldaps).
- \e[1mSSL \e[22mstart_tls
- If the \e[1mSSL \e[22mparameter is set to start_tls, the LDAP server
+ S\bSS\bSL\bL start_tls
+ If the S\bSS\bSL\bL parameter is set to start_tls, the LDAP server
connection is initiated normally and TLS encryption is begun before
the bind credentials are sent. This has the advantage of not
requiring a dedicated port for encrypted communications. This
parameter is only supported by LDAP servers that honor the
start_tls extension, such as the OpenLDAP server.
- \e[1mTLS_CHECKPEER \e[22mon/true/yes/off/false/no
- If enabled, \e[1mTLS_CHECKPEER \e[22mwill cause the LDAP server's TLS
+ T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR on/true/yes/off/false/no
+ If enabled, T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR will cause the LDAP server's TLS
certificated to be verified. If the server's TLS certificate
cannot be verified (usually because it is signed by an unknown
- certificate authority), \e[1msudo \e[22mwill be unable to connect to it. If
- \e[1mTLS_CHECKPEER \e[22mis disabled, no check is made. Note that disabling
+ certificate authority), s\bsu\bud\bdo\bo will be unable to connect to it. If
+ T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR is disabled, no check is made. Note that disabling
the check creates an opportunity for man-in-the-middle attacks
since the server's identity will not be authenticated. If
possible, the CA's certificate should be installed locally so it
can be verified.
- \e[1mTLS_CACERT \e[22mfile name
- An alias for \e[1mTLS_CACERTFILE \e[22mfor OpenLDAP compatibility.
+ T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bT file name
+ An alias for T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE for OpenLDAP compatibility.
- \e[1mTLS_CACERTFILE \e[22mfile name
+ T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE file name
The path to a certificate authority bundle which contains the
certificates for all the Certificate Authorities the client knows
- to be valid, e.g. \e[4m/etc/ssl/ca-bundle.pem\e[24m. This option is only
+ to be valid, e.g. _\b/_\be_\bt_\bc_\b/_\bs_\bs_\bl_\b/_\bc_\ba_\b-_\bb_\bu_\bn_\bd_\bl_\be_\b._\bp_\be_\bm. This option is only
supported by the OpenLDAP libraries. Netscape-derived LDAP
libraries use the same certificate database for CA and client
- certificates (see \e[1mTLS_CERT\e[22m).
+ certificates (see T\bTL\bLS\bS_\b_C\bCE\bER\bRT\bT).
- \e[1mTLS_CACERTDIR \e[22mdirectory
- Similar to \e[1mTLS_CACERTFILE \e[22mbut instead of a file, it is a directory
+ T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTD\bDI\bIR\bR directory
+ Similar to T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE but instead of a file, it is a directory
containing individual Certificate Authority certificates, e.g.
- \e[4m/etc/ssl/certs\e[24m. The directory specified by \e[1mTLS_CACERTDIR \e[22mis
- checked after \e[1mTLS_CACERTFILE\e[22m. This option is only supported by the
+ _\b/_\be_\bt_\bc_\b/_\bs_\bs_\bl_\b/_\bc_\be_\br_\bt_\bs. The directory specified by T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTD\bDI\bIR\bR is
+ checked after T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE. This option is only supported by the
OpenLDAP libraries.
- \e[1mTLS_CERT \e[22mfile name
+ T\bTL\bLS\bS_\b_C\bCE\bER\bRT\bT file name
The path to a file containing the client certificate which can be
used to authenticate the client to the LDAP server. The
certificate type depends on the LDAP libraries used.
When using Netscape-derived libraries, this file may also contain
Certificate Authority certificates.
- \e[1mTLS_KEY \e[22mfile name
+ T\bTL\bLS\bS_\b_K\bKE\bEY\bY file name
The path to a file containing the private key which matches the
- certificate specified by \e[1mTLS_CERT\e[22m. The private key must not be
+ certificate specified by T\bTL\bLS\bS_\b_C\bCE\bER\bRT\bT. The private key must not be
password-protected. The key type depends on the LDAP libraries
used.
Netscape-derived:
tls_key /var/ldap/key3.db
- \e[1mTLS_RANDFILE \e[22mfile name
- The \e[1mTLS_RANDFILE \e[22mparameter specifies the path to an entropy source
+ T\bTL\bLS\bS_\b_R\bRA\bAN\bND\bDF\bFI\bIL\bLE\bE file name
+ The T\bTL\bLS\bS_\b_R\bRA\bAN\bND\bDF\bFI\bIL\bLE\bE parameter specifies the path to an entropy source
for systems that lack a random device. It is generally used in
- conjunction with \e[4mprngd\e[24m or \e[4megd\e[24m. This option is only supported by
+ conjunction with _\bp_\br_\bn_\bg_\bd or _\be_\bg_\bd. This option is only supported by
the OpenLDAP libraries.
- \e[1mTLS_CIPHERS \e[22mcipher list
- The \e[1mTLS_CIPHERS \e[22mparameter allows the administer to restrict which
+ T\bTL\bLS\bS_\b_C\bCI\bIP\bPH\bHE\bER\bRS\bS cipher list
+ The T\bTL\bLS\bS_\b_C\bCI\bIP\bPH\bHE\bER\bRS\bS parameter allows the administer to restrict which
encryption algorithms may be used for TLS (SSL) connections. See
the OpenSSL manual for a list of valid ciphers. This option is
only supported by the OpenLDAP libraries.
- \e[1mUSE_SASL \e[22mon/true/yes/off/false/no
- Enable \e[1mUSE_SASL \e[22mfor LDAP servers that support SASL authentication.
+ U\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL on/true/yes/off/false/no
+ Enable U\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL for LDAP servers that support SASL authentication.
- \e[1mSASL_AUTH_ID \e[22midentity
+ S\bSA\bAS\bSL\bL_\b_A\bAU\bUT\bTH\bH_\b_I\bID\bD identity
The SASL user name to use when connecting to the LDAP server. By
- default, \e[1msudo \e[22mwill use an anonymous connection.
+ default, s\bsu\bud\bdo\bo will use an anonymous connection.
- \e[1mROOTUSE_SASL \e[22mon/true/yes/off/false/no
- Enable \e[1mROOTUSE_SASL \e[22mto enable SASL authentication when connecting
- to an LDAP server from a privileged process, such as \e[1msudo\e[22m.
+ R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL on/true/yes/off/false/no
+ Enable R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL to enable SASL authentication when connecting
+ to an LDAP server from a privileged process, such as s\bsu\bud\bdo\bo.
- \e[1mROOTSASL_AUTH_ID \e[22midentity
- The SASL user name to use when \e[1mROOTUSE_SASL \e[22mis enabled.
+ R\bRO\bOO\bOT\bTS\bSA\bAS\bSL\bL_\b_A\bAU\bUT\bTH\bH_\b_I\bID\bD identity
+ The SASL user name to use when R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL is enabled.
- \e[1mSASL_SECPROPS \e[22mnone/properties
- SASL security properties or \e[4mnone\e[24m for no properties. See the SASL
+ S\bSA\bAS\bSL\bL_\b_S\bSE\bEC\bCP\bPR\bRO\bOP\bPS\bS none/properties
+ SASL security properties or _\bn_\bo_\bn_\be for no properties. See the SASL
programmer's manual for details.
- \e[1mKRB5_CCNAME \e[22mfile name
+ K\bKR\bRB\bB5\b5_\b_C\bCC\bCN\bNA\bAM\bME\bE file name
The path to the Kerberos 5 credential cache to use when
authenticating with the remote server.
+ D\bDE\bER\bRE\bEF\bF never/searching/finding/always
+ How alias dereferencing is to be performed when searching. See the
+ _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(4) manual for a full description of this option.
+
See the ldap.conf entry in the EXAMPLES section.
- \e[1mConfiguring nsswitch.conf\e[0m
- Unless it is disabled at build time, \e[1msudo \e[22mconsults the Name Service
- Switch file, \e[4m/etc/nsswitch.conf\e[24m, to specify the \e[4msudoers\e[24m search order.
+ C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg n\bns\bss\bsw\bwi\bit\btc\bch\bh.\b.c\bco\bon\bnf\bf
+ Unless it is disabled at build time, s\bsu\bud\bdo\bo consults the Name Service
+ Switch file, _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf, to specify the _\bs_\bu_\bd_\bo_\be_\br_\bs search order.
Sudo looks for a line beginning with sudoers: and uses this to
- determine the search order. Note that \e[1msudo \e[22mdoes not stop searching
+ determine the search order. Note that s\bsu\bud\bdo\bo does not stop searching
after the first match and later matches take precedence over earlier
ones.
sudoers: ldap files
- The local \e[4msudoers\e[24m file can be ignored completely by using:
+ The local _\bs_\bu_\bd_\bo_\be_\br_\bs file can be ignored completely by using:
sudoers: ldap
- If the \e[4m/etc/nsswitch.conf\e[24m file is not present or there is no sudoers
+ If the _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf file is not present or there is no sudoers
line, the following default is assumed:
sudoers: files
- Note that \e[4m/etc/nsswitch.conf\e[24m is supported even when the underlying
+ Note that _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf is supported even when the underlying
operating system does not use an nsswitch.conf file.
- \e[1mConfiguring netsvc.conf\e[0m
- On AIX systems, the \e[4m/etc/netsvc.conf\e[24m file is consulted instead of
- \e[4m/etc/nsswitch.conf\e[24m. \e[1msudo \e[22msimply treats \e[4mnetsvc.conf\e[24m as a variant of
- \e[4mnsswitch.conf\e[24m; information in the previous section unrelated to the
+ C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg n\bne\bet\bts\bsv\bvc\bc.\b.c\bco\bon\bnf\bf
+ On AIX systems, the _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf file is consulted instead of
+ _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf. s\bsu\bud\bdo\bo simply treats _\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf as a variant of
+ _\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf; information in the previous section unrelated to the
file format itself still applies.
To consult LDAP first followed by the local sudoers file (if it
sudoers = ldap, files
- The local \e[4msudoers\e[24m file can be ignored completely by using:
+ The local _\bs_\bu_\bd_\bo_\be_\br_\bs file can be ignored completely by using:
sudoers = ldap
sudoers = ldap = auth, files
Note that in the above example, the auth qualfier only affects user
- lookups; both LDAP and \e[4msudoers\e[24m will be queried for Defaults entries.
+ lookups; both LDAP and _\bs_\bu_\bd_\bo_\be_\br_\bs will be queried for Defaults entries.
- If the \e[4m/etc/netsvc.conf\e[24m file is not present or there is no sudoers
+ If the _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf file is not present or there is no sudoers
line, the following default is assumed:
sudoers = files
-\e[1mFILES\e[0m
- \e[4m/etc/ldap.conf\e[24m LDAP configuration file
+F\bFI\bIL\bLE\bES\bS
+ _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf LDAP configuration file
- \e[4m/etc/nsswitch.conf\e[24m determines sudoers source order
+ _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf determines sudoers source order
- \e[4m/etc/netsvc.conf\e[24m determines sudoers source order on AIX
+ _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf determines sudoers source order on AIX
-\e[1mEXAMPLES\e[0m
- \e[1mExample ldap.conf\e[0m
+E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
+ E\bEx\bxa\bam\bmp\bpl\ble\be l\bld\bda\bap\bp.\b.c\bco\bon\bnf\bf
# Either specify one or more URIs or one or more host:port pairs.
# If neither is specified sudo will default to localhost, port 389.
#
# sasl_secprops none
# krb5_ccname /etc/.ldapcache
- \e[1mSudo schema for OpenLDAP\e[0m
- The following schema, in OpenLDAP format, is included with \e[1msudo \e[22msource
- and binary distributions as \e[4mschema.OpenLDAP\e[24m. Simply copy it to the
- schema directory (e.g. \e[4m/etc/openldap/schema\e[24m), add the proper include
- line in slapd.conf and restart \e[1mslapd\e[22m.
+ S\bSu\bud\bdo\bo s\bsc\bch\bhe\bem\bma\ba f\bfo\bor\br O\bOp\bpe\ben\bnL\bLD\bDA\bAP\bP
+ The following schema, in OpenLDAP format, is included with s\bsu\bud\bdo\bo source
+ and binary distributions as _\bs_\bc_\bh_\be_\bm_\ba_\b._\bO_\bp_\be_\bn_\bL_\bD_\bA_\bP. Simply copy it to the
+ schema directory (e.g. _\b/_\be_\bt_\bc_\b/_\bo_\bp_\be_\bn_\bl_\bd_\ba_\bp_\b/_\bs_\bc_\bh_\be_\bm_\ba), add the proper include
+ line in slapd.conf and restart s\bsl\bla\bap\bpd\bd.
attributetype ( 1.3.6.1.4.1.15953.9.1.1
NAME 'sudoUser'
sudoOrder $ description )
)
-\e[1mSEE ALSO\e[0m
- \e[4mldap.conf\e[24m(4), \e[4msudoers\e[24m(5)
+S\bSE\bEE\bE A\bAL\bLS\bSO\bO
+ _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(4), _\bs_\bu_\bd_\bo_\be_\br_\bs(5)
-\e[1mCAVEATS\e[0m
- Note that there are differences in the way that LDAP-based \e[4msudoers\e[24m is
- parsed compared to file-based \e[4msudoers\e[24m. See the "Differences between
+C\bCA\bAV\bVE\bEA\bAT\bTS\bS
+ Note that there are differences in the way that LDAP-based _\bs_\bu_\bd_\bo_\be_\br_\bs is
+ parsed compared to file-based _\bs_\bu_\bd_\bo_\be_\br_\bs. See the "Differences between
LDAP and non-LDAP sudoers" section for more information.
-\e[1mBUGS\e[0m
- If you feel you have found a bug in \e[1msudo\e[22m, please submit a bug report at
+B\bBU\bUG\bGS\bS
+ If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
http://www.sudo.ws/sudo/bugs/
-\e[1mSUPPORT\e[0m
+S\bSU\bUP\bPP\bPO\bOR\bRT\bT
Limited free support is available via the sudo-users mailing list, see
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
the archives.
-\e[1mDISCLAIMER\e[0m
- \e[1msudo \e[22mis provided ``AS IS'' and any express or implied warranties,
+D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
+ s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose are disclaimed.
- See the LICENSE file distributed with \e[1msudo \e[22mor
+ See the LICENSE file distributed with s\bsu\bud\bdo\bo or
http://www.sudo.ws/sudo/license.html for complete details.
-1.7.7 August 13, 2011 SUDOERS.LDAP(4)
+1.7.8 September 16, 2011 SUDOERS.LDAP(4)
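Review bot: the new DEREF entry is added to the parameter list (+ lines "DEREF never/searching/finding/always ... See the ldap.conf(4) manual"), but the "Example ldap.conf" section, which carries a commented sample for the neighbouring parameters ("# sasl_secprops none", "# krb5_ccname /etc/.ldapcache"), gets no matching line such as "# deref never"; add one so the example stays a complete reference of the supported keywords. Since the whole cat page is being regenerated, this is also the moment to fix the typos the + lines carry over from the old text: "administer" in the TLS_CIPHERS description ("allows the administer to restrict"), "certificated" under TLS_CHECKPEER and "qualfier" in the netsvc.conf section; these originate in the POD source that pod2man renders, so fix them there rather than in the generated output. The footer ("1.7.8 September 16, 2011 SUDOERS.LDAP(4)") agrees with the .TH bump in the corresponding .man.in hunk.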
.\" ========================================================================
.\"
.IX Title "SUDOERS.LDAP @mansectform@"
-.TH SUDOERS.LDAP @mansectform@ "August 13, 2011" "1.7.7" "MAINTENANCE COMMANDS"
+.TH SUDOERS.LDAP @mansectform@ "September 16, 2011" "1.7.8" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.IX Item "KRB5_CCNAME file name"
The path to the Kerberos 5 credential cache to use when authenticating
with the remote server.
+.IP "\fB\s-1DEREF\s0\fR never/searching/finding/always" 4
+.IX Item "DEREF never/searching/finding/always"
+How alias dereferencing is to be performed when searching. See the
+\&\fIldap.conf\fR\|(@mansectform@) manual for a full description of this option.
.PP
See the \f(CW\*(C`ldap.conf\*(C'\fR entry in the \s-1EXAMPLES\s0 section.
.SS "Configuring nsswitch.conf"
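Review bot: the DEREF entry does not say what happens when the keyword is absent from ldap.conf; LDAP_VERSION in the same list states its default ("The default value is protocol version 3"), so add one sentence here either naming the default or stating that the LDAP library's own default applies. The .IX Item line follows the form of the preceding KRB5_CCNAME item, the cross-reference uses the same \fIldap.conf\fR\|(@mansectform@) form as elsewhere on the page, and the wording is identical to the cat-page hunk, so the two outputs stay in sync.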
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "August 13, 2011" "1.7.7" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "September 16, 2011" "1.7.8" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
-\e[1mNAME\e[0m
+N\bNA\bAM\bME\bE
sudoreplay - replay sudo session logs
-\e[1mSYNOPSIS\e[0m
- \e[1msudoreplay \e[22m[\e[1m-h\e[22m] [\e[1m-d \e[4m\e[22mdirectory\e[24m] [\e[1m-f \e[4m\e[22mfilter\e[24m] [\e[1m-m \e[4m\e[22mmax_wait\e[24m] [\e[1m-s\e[0m
- \e[4mspeed_factor\e[24m] ID
+S\bSY\bYN\bNO\bOP\bPS\bSI\bIS\bS
+ s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by [-\b-h\bh] [-\b-d\bd _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by] [-\b-f\bf _\bf_\bi_\bl_\bt_\be_\br] [-\b-m\bm _\bm_\ba_\bx_\b__\bw_\ba_\bi_\bt] [-\b-s\bs
+ _\bs_\bp_\be_\be_\bd_\b__\bf_\ba_\bc_\bt_\bo_\br] ID
- \e[1msudoreplay \e[22m[\e[1m-h\e[22m] [\e[1m-d \e[4m\e[22mdirectory\e[24m] -l [search expression]
+ s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by [-\b-h\bh] [-\b-d\bd _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by] -l [search expression]
-\e[1mDESCRIPTION\e[0m
- \e[1msudoreplay \e[22mplays back or lists the session logs created by \e[1msudo\e[22m. When
- replaying, \e[1msudoreplay \e[22mcan play the session back in real-time, or the
+D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
+ s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by plays back or lists the session logs created by s\bsu\bud\bdo\bo. When
+ replaying, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by can play the session back in real-time, or the
playback speed may be adjusted (faster or slower) based on the command
- line options. The \e[4mID\e[24m should be a six character sequence of digits and
- upper case letters, e.g. 0100A5, which is logged by \e[1msudo \e[22mwhen a
+ line options. The _\bI_\bD should be a six character sequence of digits and
+ upper case letters, e.g. 0100A5, which is logged by s\bsu\bud\bdo\bo when a
command is run with session logging enabled.
- In list mode, \e[1msudoreplay \e[22mcan be used to find the ID of a session based
+ In list mode, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by can be used to find the ID of a session based
on a number of criteria such as the user, tty or command run.
In replay mode, if the standard output has not been redirected,
- \e[1msudoreplay \e[22mwill act on the following keys:
+ s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by will act on the following keys:
' ' (space)
Pause output; press any key to resume.
'>' Double the playback speed.
-\e[1mOPTIONS\e[0m
- \e[1msudoreplay \e[22maccepts the following command line options:
+O\bOP\bPT\bTI\bIO\bON\bNS\bS
+ s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by accepts the following command line options:
- -d \e[4mdirectory\e[0m
- Use \e[4mdirectory\e[24m to for the session logs instead of the
- default, \e[4m/var/log/sudo-io\e[24m.
+ -d _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by
+ Use _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by to for the session logs instead of the
+ default, _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo.
- -f \e[4mfilter\e[24m By default, \e[1msudoreplay \e[22mwill play back the command's
- standard output, standard error and tty output. The \e[4m-f\e[0m
+ -f _\bf_\bi_\bl_\bt_\be_\br By default, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by will play back the command's
+ standard output, standard error and tty output. The _\b-_\bf
option can be used to select which of these to output. The
- \e[4mfilter\e[24m argument is a comma-separated list, consisting of
- one or more of following: \e[4mstdout\e[24m, \e[4mstderr\e[24m, and \e[4mttyout\e[24m.
+ _\bf_\bi_\bl_\bt_\be_\br argument is a comma-separated list, consisting of
+ one or more of following: _\bs_\bt_\bd_\bo_\bu_\bt, _\bs_\bt_\bd_\be_\br_\br, and _\bt_\bt_\by_\bo_\bu_\bt.
- -h The \e[1m-h \e[22m(\e[4mhelp\e[24m) option causes \e[1msudoreplay \e[22mto print a short
+ -h The -\b-h\bh (_\bh_\be_\bl_\bp) option causes s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by to print a short
help message to the standard output and exit.
- -l [\e[4msearch\e[24m \e[4mexpression\e[24m]
- Enable "list mode". In this mode, \e[1msudoreplay \e[22mwill list
- available session IDs. If a \e[4msearch\e[24m \e[4mexpression\e[24m is
+ -l [_\bs_\be_\ba_\br_\bc_\bh _\be_\bx_\bp_\br_\be_\bs_\bs_\bi_\bo_\bn]
+ Enable "list mode". In this mode, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by will list
+ available session IDs. If a _\bs_\be_\ba_\br_\bc_\bh _\be_\bx_\bp_\br_\be_\bs_\bs_\bi_\bo_\bn is
specified, it will be used to restrict the IDs that are
displayed. An expression is composed of the following
predicates:
- command \e[4mcommand\e[24m \e[4mpattern\e[0m
+ command _\bc_\bo_\bm_\bm_\ba_\bn_\bd _\bp_\ba_\bt_\bt_\be_\br_\bn
Evaluates to true if the command run matches
- \e[4mcommand\e[24m \e[4mpattern\e[24m. On systems with POSIX regular
+ _\bc_\bo_\bm_\bm_\ba_\bn_\bd _\bp_\ba_\bt_\bt_\be_\br_\bn. On systems with POSIX regular
expression support, the pattern may be an extended
regular expression. On systems without POSIX
regular expression support, a simple substring
match is performed instead.
- cwd \e[4mdirectory\e[0m
+ cwd _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by
Evaluates to true if the command was run with the
specified current working directory.
- fromdate \e[4mdate\e[0m
+ fromdate _\bd_\ba_\bt_\be
Evaluates to true if the command was run on or
- after \e[4mdate\e[24m. See "Date and time format" for a
+ after _\bd_\ba_\bt_\be. See "Date and time format" for a
description of supported date and time formats.
- group \e[4mrunas_group\e[0m
+ group _\br_\bu_\bn_\ba_\bs_\b__\bg_\br_\bo_\bu_\bp
Evaluates to true if the command was run with the
- specified \e[4mrunas_group\e[24m. Note that unless a
- \e[4mrunas_group\e[24m was explicitly specified when \e[1msudo \e[22mwas
+ specified _\br_\bu_\bn_\ba_\bs_\b__\bg_\br_\bo_\bu_\bp. Note that unless a
+ _\br_\bu_\bn_\ba_\bs_\b__\bg_\br_\bo_\bu_\bp was explicitly specified when s\bsu\bud\bdo\bo was
run this field will be empty in the log.
- runas \e[4mrunas_user\e[0m
+ runas _\br_\bu_\bn_\ba_\bs_\b__\bu_\bs_\be_\br
Evaluates to true if the command was run as the
- specified \e[4mrunas_user\e[24m. Note that \e[1msudo \e[22mruns commands
- as user \e[4mroot\e[24m by default.
+ specified _\br_\bu_\bn_\ba_\bs_\b__\bu_\bs_\be_\br. Note that s\bsu\bud\bdo\bo runs commands
+ as user _\br_\bo_\bo_\bt by default.
- todate \e[4mdate\e[0m
+ todate _\bd_\ba_\bt_\be
Evaluates to true if the command was run on or
- prior to \e[4mdate\e[24m. See "Date and time format" for a
+ prior to _\bd_\ba_\bt_\be. See "Date and time format" for a
description of supported date and time formats.
- tty \e[4mtty\e[24m Evaluates to true if the command was run on the
- specified terminal device. The \e[4mtty\e[24m should be
- specified without the \e[4m/dev/\e[24m prefix, e.g. \e[4mtty01\e[0m
- instead of \e[4m/dev/tty01\e[24m.
+ tty _\bt_\bt_\by Evaluates to true if the command was run on the
+ specified terminal device. The _\bt_\bt_\by should be
+ specified without the _\b/_\bd_\be_\bv_\b/ prefix, e.g. _\bt_\bt_\by_\b0_\b1
+ instead of _\b/_\bd_\be_\bv_\b/_\bt_\bt_\by_\b0_\b1.
- user \e[4muser\e[24m \e[4mname\e[0m
+ user _\bu_\bs_\be_\br _\bn_\ba_\bm_\be
Evaluates to true if the ID matches a command run
- by \e[4muser\e[24m \e[4mname\e[24m.
+ by _\bu_\bs_\be_\br _\bn_\ba_\bm_\be.
Predicates may be abbreviated to the shortest unique string
(currently all predicates may be shortened to a single
character).
- Predicates may be combined using \e[4mand\e[24m, \e[4mor\e[24m and \e[4m!\e[24m operators as
+ Predicates may be combined using _\ba_\bn_\bd, _\bo_\br and _\b! operators as
well as '(' and ')' for grouping (note that parentheses
- must generally be escaped from the shell). The \e[4mand\e[0m
+ must generally be escaped from the shell). The _\ba_\bn_\bd
operator is optional, adjacent predicates have an implied
- \e[4mand\e[24m unless separated by an \e[4mor\e[24m.
+ _\ba_\bn_\bd unless separated by an _\bo_\br.
- -m \e[4mmax_wait\e[24m Specify an upper bound on how long to wait between key
- presses or output data. By default, \e[1msudo_replay \e[22mwill
+ -m _\bm_\ba_\bx_\b__\bw_\ba_\bi_\bt Specify an upper bound on how long to wait between key
+ presses or output data. By default, s\bsu\bud\bdo\bo_\b_r\bre\bep\bpl\bla\bay\by will
accurately reproduce the delays between key presses or
program output. However, this can be tedious when the
- session includes long pauses. When the \e[4m-m\e[24m option is
- specified, \e[1msudoreplay \e[22mwill limit these pauses to at most
- \e[4mmax_wait\e[24m seconds. The value may be specified as a floating
- point number, .e.g. \e[4m2.5\e[24m.
+ session includes long pauses. When the _\b-_\bm option is
+ specified, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by will limit these pauses to at most
+ _\bm_\ba_\bx_\b__\bw_\ba_\bi_\bt seconds. The value may be specified as a floating
+ point number, .e.g. _\b2_\b._\b5.
- -s \e[4mspeed_factor\e[0m
- This option causes \e[1msudoreplay \e[22mto adjust the number of
+ -s _\bs_\bp_\be_\be_\bd_\b__\bf_\ba_\bc_\bt_\bo_\br
+ This option causes s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by to adjust the number of
seconds it will wait between key presses or program output.
This can be used to slow down or speed up the display. For
- example, a \e[4mspeed_factor\e[24m of \e[4m2\e[24m would make the output twice as
- fast whereas a \e[4mspeed_factor\e[24m of <.5> would make the output
+ example, a _\bs_\bp_\be_\be_\bd_\b__\bf_\ba_\bc_\bt_\bo_\br of _\b2 would make the output twice as
+ fast whereas a _\bs_\bp_\be_\be_\bd_\b__\bf_\ba_\bc_\bt_\bo_\br of <.5> would make the output
twice as slow.
- -V The \e[1m-V \e[22m(version) option causes \e[1msudoreplay \e[22mto print its
+ -V The -\b-V\bV (version) option causes s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by to print its
version number and exit.
- \e[1mDate and time format\e[0m
+ D\bDa\bat\bte\be a\ban\bnd\bd t\bti\bim\bme\be f\bfo\bor\brm\bma\bat\bt
The time and date may be specified multiple ways, common formats
include:
10:01 am Sep 17, 2009
10:01 am, September 17, 2009.
-\e[1mFILES\e[0m
- \e[4m/var/log/sudo-io\e[24m The default I/O log directory.
+F\bFI\bIL\bLE\bES\bS
+ _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo The default I/O log directory.
- \e[4m/var/log/sudo-io/00/00/01/log\e[0m
+ _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bl_\bo_\bg
Example session log info.
- \e[4m/var/log/sudo-io/00/00/01/stdin\e[0m
+ _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bs_\bt_\bd_\bi_\bn
Example session standard input log.
- \e[4m/var/log/sudo-io/00/00/01/stdout\e[0m
+ _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bs_\bt_\bd_\bo_\bu_\bt
Example session standard output log.
- \e[4m/var/log/sudo-io/00/00/01/stderr\e[0m
+ _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bs_\bt_\bd_\be_\br_\br
Example session standard error log.
- \e[4m/var/log/sudo-io/00/00/01/ttyin\e[0m
+ _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bt_\bt_\by_\bi_\bn
Example session tty input file.
- \e[4m/var/log/sudo-io/00/00/01/ttyout\e[0m
+ _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bt_\bt_\by_\bo_\bu_\bt
Example session tty output file.
- \e[4m/var/log/sudo-io/00/00/01/timing\e[0m
+ _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bt_\bi_\bm_\bi_\bn_\bg
Example session timing file.
- Note that the \e[4mstdin\e[24m, \e[4mstdout\e[24m and \e[4mstderr\e[24m files will be empty unless \e[1msudo\e[0m
+ Note that the _\bs_\bt_\bd_\bi_\bn, _\bs_\bt_\bd_\bo_\bu_\bt and _\bs_\bt_\bd_\be_\br_\br files will be empty unless s\bsu\bud\bdo\bo
was used as part of a pipeline for a particular command.
-\e[1mEXAMPLES\e[0m
- List sessions run by user \e[4mmillert\e[24m:
+E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
+ List sessions run by user _\bm_\bi_\bl_\bl_\be_\br_\bt:
sudoreplay -l user millert
- List sessions run by user \e[4mbob\e[24m with a command containing the string vi:
+ List sessions run by user _\bb_\bo_\bb with a command containing the string vi:
sudoreplay -l user bob command vi
- List sessions run by user \e[4mjeff\e[24m that match a regular expression:
+ List sessions run by user _\bj_\be_\bf_\bf that match a regular expression:
sudoreplay -l user jeff command '/bin/[a-z]*sh'
sudoreplay -l ( user jeff or user bob ) tty console
-\e[1mSEE ALSO\e[0m
- \e[4msudo\e[24m(1m), \e[4mscript\e[24m(1)
+S\bSE\bEE\bE A\bAL\bLS\bSO\bO
+ _\bs_\bu_\bd_\bo(1m), _\bs_\bc_\br_\bi_\bp_\bt(1)
-\e[1mAUTHOR\e[0m
+A\bAU\bUT\bTH\bHO\bOR\bR
Todd C. Miller
-\e[1mBUGS\e[0m
- If you feel you have found a bug in \e[1msudoreplay\e[22m, please submit a bug
+B\bBU\bUG\bGS\bS
+ If you feel you have found a bug in s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by, please submit a bug
report at http://www.sudo.ws/sudo/bugs/
-\e[1mSUPPORT\e[0m
+S\bSU\bUP\bPP\bPO\bOR\bRT\bT
Limited free support is available via the sudo-users mailing list, see
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
the archives.
-\e[1mDISCLAIMER\e[0m
- \e[1msudoreplay \e[22mis provided ``AS IS'' and any express or implied warranties,
+D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
+ s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by is provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose are disclaimed.
- See the LICENSE file distributed with \e[1msudo \e[22mor
+ See the LICENSE file distributed with s\bsu\bud\bdo\bo or
http://www.sudo.ws/sudo/license.html for complete details.
-1.7.7 August 13, 2011 SUDOREPLAY(1m)
+1.7.8 September 16, 2011 SUDOREPLAY(1m)
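Review bot: the regenerated -m description keeps the wrong program name "sudo_replay" ("By default, sudo_replay will accurately reproduce the delays"); every other reference on the page is "sudoreplay", so correct it in the POD source so that the regenerated cat and man pages agree. The same goes for the other typos carried into the + lines: "Use directory to for the session logs" (-d), "one or more of following" (-f), ".e.g. 2.5" (-m) and "<.5>" (-s), where the angle brackets around .5 look like a mis-nested I<<...>> formatting code in the POD rather than intended text.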
.\" ========================================================================
.\"
.IX Title "SUDOREPLAY @mansectsu@"
-.TH SUDOREPLAY @mansectsu@ "August 13, 2011" "1.7.7" "MAINTENANCE COMMANDS"
+.TH SUDOREPLAY @mansectsu@ "September 16, 2011" "1.7.8" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
-\e[1mNAME\e[0m
+N\bNA\bAM\bME\bE
visudo - edit the sudoers file
-\e[1mSYNOPSIS\e[0m
- \e[1mvisudo \e[22m[\e[1m-chqsV\e[22m] [\e[1m-f \e[4m\e[22msudoers\e[24m]
+S\bSY\bYN\bNO\bOP\bPS\bSI\bIS\bS
+ v\bvi\bis\bsu\bud\bdo\bo [-\b-c\bch\bhq\bqs\bsV\bV] [-\b-f\bf _\bs_\bu_\bd_\bo_\be_\br_\bs]
-\e[1mDESCRIPTION\e[0m
- \e[1mvisudo \e[22medits the \e[4msudoers\e[24m file in a safe fashion, analogous to \e[4mvipw\e[24m(1m).
- \e[1mvisudo \e[22mlocks the \e[4msudoers\e[24m file against multiple simultaneous edits,
+D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
+ v\bvi\bis\bsu\bud\bdo\bo edits the _\bs_\bu_\bd_\bo_\be_\br_\bs file in a safe fashion, analogous to _\bv_\bi_\bp_\bw(1m).
+ v\bvi\bis\bsu\bud\bdo\bo locks the _\bs_\bu_\bd_\bo_\be_\br_\bs file against multiple simultaneous edits,
provides basic sanity checks, and checks for parse errors. If the
- \e[4msudoers\e[24m file is currently being edited you will receive a message to
+ _\bs_\bu_\bd_\bo_\be_\br_\bs file is currently being edited you will receive a message to
try again later.
- There is a hard-coded list of one or more editors that \e[1mvisudo \e[22mwill use
- set at compile-time that may be overridden via the \e[4meditor\e[24m \e[4msudoers\e[0m
- Default variable. This list defaults to "vi". Normally, \e[1mvisudo \e[22mdoes
+ There is a hard-coded list of one or more editors that v\bvi\bis\bsu\bud\bdo\bo will use
+ set at compile-time that may be overridden via the _\be_\bd_\bi_\bt_\bo_\br _\bs_\bu_\bd_\bo_\be_\br_\bs
+ Default variable. This list defaults to "vi". Normally, v\bvi\bis\bsu\bud\bdo\bo does
not honor the VISUAL or EDITOR environment variables unless they
contain an editor in the aforementioned editors list. However, if
- \e[1mvisudo \e[22mis configured with the \e[4m--with-env-editor\e[24m option or the
- \e[4menv_editor\e[24m Default variable is set in \e[4msudoers\e[24m, \e[1mvisudo \e[22mwill use any the
+ v\bvi\bis\bsu\bud\bdo\bo is configured with the _\b-_\b-_\bw_\bi_\bt_\bh_\b-_\be_\bn_\bv_\b-_\be_\bd_\bi_\bt_\bo_\br option or the
+ _\be_\bn_\bv_\b__\be_\bd_\bi_\bt_\bo_\br Default variable is set in _\bs_\bu_\bd_\bo_\be_\br_\bs, v\bvi\bis\bsu\bud\bdo\bo will use any the
editor defines by VISUAL or EDITOR. Note that this can be a security
hole since it allows the user to execute any program they wish simply
by setting VISUAL or EDITOR.
- \e[1mvisudo \e[22mparses the \e[4msudoers\e[24m file after the edit and will not save the
- changes if there is a syntax error. Upon finding an error, \e[1mvisudo \e[22mwill
+ v\bvi\bis\bsu\bud\bdo\bo parses the _\bs_\bu_\bd_\bo_\be_\br_\bs file after the edit and will not save the
+ changes if there is a syntax error. Upon finding an error, v\bvi\bis\bsu\bud\bdo\bo will
print a message stating the line number(s) where the error occurred and
the user will receive the "What now?" prompt. At this point the user
- may enter "e" to re-edit the \e[4msudoers\e[24m file, "x" to exit without saving
+ may enter "e" to re-edit the _\bs_\bu_\bd_\bo_\be_\br_\bs file, "x" to exit without saving
the changes, or "Q" to quit and save changes. The "Q" option should be
- used with extreme care because if \e[1mvisudo \e[22mbelieves there to be a parse
- error, so will \e[1msudo \e[22mand no one will be able to \e[1msudo \e[22magain until the
- error is fixed. If "e" is typed to edit the \e[4msudoers\e[24m file after a
+ used with extreme care because if v\bvi\bis\bsu\bud\bdo\bo believes there to be a parse
+ error, so will s\bsu\bud\bdo\bo and no one will be able to s\bsu\bud\bdo\bo again until the
+ error is fixed. If "e" is typed to edit the _\bs_\bu_\bd_\bo_\be_\br_\bs file after a
parse error has been detected, the cursor will be placed on the line
where the error occurred (if the editor supports this feature).
-\e[1mOPTIONS\e[0m
- \e[1mvisudo \e[22maccepts the following command line options:
+O\bOP\bPT\bTI\bIO\bON\bNS\bS
+ v\bvi\bis\bsu\bud\bdo\bo accepts the following command line options:
- -c Enable \e[1mcheck-only \e[22mmode. The existing \e[4msudoers\e[24m file will be
+ -c Enable c\bch\bhe\bec\bck\bk-\b-o\bon\bnl\bly\by mode. The existing _\bs_\bu_\bd_\bo_\be_\br_\bs file will be
checked for syntax and a message will be printed to the
- standard output detailing the status of \e[4msudoers\e[24m. If the
- syntax check completes successfully, \e[1mvisudo \e[22mwill exit with
- a value of 0. If a syntax error is encountered, \e[1mvisudo\e[0m
+ standard output detailing the status of _\bs_\bu_\bd_\bo_\be_\br_\bs. If the
+ syntax check completes successfully, v\bvi\bis\bsu\bud\bdo\bo will exit with
+ a value of 0. If a syntax error is encountered, v\bvi\bis\bsu\bud\bdo\bo
will exit with a value of 1.
- -f \e[4msudoers\e[24m Specify and alternate \e[4msudoers\e[24m file location. With this
- option \e[1mvisudo \e[22mwill edit (or check) the \e[4msudoers\e[24m file of your
- choice, instead of the default, \e[4m/etc/sudoers\e[24m. The lock
- file used is the specified \e[4msudoers\e[24m file with ".tmp"
- appended to it. In \e[1mcheck-only \e[22mmode only, the argument to
- \e[1m-f \e[22mmay be "-", indicating that \e[4msudoers\e[24m will be read from
+ -f _\bs_\bu_\bd_\bo_\be_\br_\bs Specify and alternate _\bs_\bu_\bd_\bo_\be_\br_\bs file location. With this
+ option v\bvi\bis\bsu\bud\bdo\bo will edit (or check) the _\bs_\bu_\bd_\bo_\be_\br_\bs file of your
+ choice, instead of the default, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. The lock
+ file used is the specified _\bs_\bu_\bd_\bo_\be_\br_\bs file with ".tmp"
+ appended to it. In c\bch\bhe\bec\bck\bk-\b-o\bon\bnl\bly\by mode only, the argument to
+ -\b-f\bf may be "-", indicating that _\bs_\bu_\bd_\bo_\be_\br_\bs will be read from
the standard input.
- -h The \e[1m-h \e[22m(\e[4mhelp\e[24m) option causes \e[1mvisudo \e[22mto print a short help
+ -h The -\b-h\bh (_\bh_\be_\bl_\bp) option causes v\bvi\bis\bsu\bud\bdo\bo to print a short help
message to the standard output and exit.
- -q Enable \e[1mquiet \e[22mmode. In this mode details about syntax
+ -q Enable q\bqu\bui\bie\bet\bt mode. In this mode details about syntax
errors are not printed. This option is only useful when
- combined with the \e[1m-c \e[22moption.
+ combined with the -\b-c\bc option.
- -s Enable \e[1mstrict \e[22mchecking of the \e[4msudoers\e[24m file. If an alias is
- used before it is defined, \e[1mvisudo \e[22mwill consider this a
+ -s Enable s\bst\btr\bri\bic\bct\bt checking of the _\bs_\bu_\bd_\bo_\be_\br_\bs file. If an alias is
+ used before it is defined, v\bvi\bis\bsu\bud\bdo\bo will consider this a
parse error. Note that it is not possible to differentiate
between an alias and a host name or user name that consists
solely of uppercase letters, digits, and the underscore
('_') character.
- -V The \e[1m-V \e[22m(version) option causes \e[1mvisudo \e[22mto print its version
+ -V The -\b-V\bV (version) option causes v\bvi\bis\bsu\bud\bdo\bo to print its version
number and exit.
-\e[1mENVIRONMENT\e[0m
+E\bEN\bNV\bVI\bIR\bRO\bON\bNM\bME\bEN\bNT\bT
The following environment variables may be consulted depending on the
- value of the \e[4meditor\e[24m and \e[4menv_editor\e[24m \e[4msudoers\e[24m variables:
+ value of the _\be_\bd_\bi_\bt_\bo_\br and _\be_\bn_\bv_\b__\be_\bd_\bi_\bt_\bo_\br _\bs_\bu_\bd_\bo_\be_\br_\bs variables:
VISUAL Invoked by visudo as the editor to use
EDITOR Used by visudo if VISUAL is not set
-\e[1mFILES\e[0m
- \e[4m/etc/sudoers\e[24m List of who can run what
+F\bFI\bIL\bLE\bES\bS
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
- \e[4m/etc/sudoers.tmp\e[24m Lock file for visudo
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bt_\bm_\bp Lock file for visudo
-\e[1mDIAGNOSTICS\e[0m
+D\bDI\bIA\bAG\bGN\bNO\bOS\bST\bTI\bIC\bCS\bS
sudoers file busy, try again later.
- Someone else is currently editing the \e[4msudoers\e[24m file.
+ Someone else is currently editing the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
/etc/sudoers.tmp: Permission denied
- You didn't run \e[1mvisudo \e[22mas root.
+ You didn't run v\bvi\bis\bsu\bud\bdo\bo as root.
Can't find you in the passwd database
Your userid does not appear in the system passwd file.
{User,Runas,Host,Cmnd}_Alias or you have a user or host name listed
that consists solely of uppercase letters, digits, and the
underscore ('_') character. In the latter case, you can ignore the
- warnings (\e[1msudo \e[22mwill not complain). In \e[1m-s \e[22m(strict) mode these are
+ warnings (s\bsu\bud\bdo\bo will not complain). In -\b-s\bs (strict) mode these are
errors, not warnings.
Warning: unused {User,Runas,Host,Cmnd}_Alias
The specified {User,Runas,Host,Cmnd}_Alias was defined but never
used. You may wish to comment out or remove the unused alias. In
- \e[1m-s \e[22m(strict) mode this is an error, not a warning.
+ -\b-s\bs (strict) mode this is an error, not a warning.
-\e[1mSEE ALSO\e[0m
- \e[4mvi\e[24m(1), \e[4msudoers\e[24m(4), \e[4msudo\e[24m(1m), \e[4mvipw\e[24m(8)
+S\bSE\bEE\bE A\bAL\bLS\bSO\bO
+ _\bv_\bi(1), _\bs_\bu_\bd_\bo_\be_\br_\bs(4), _\bs_\bu_\bd_\bo(1m), _\bv_\bi_\bp_\bw(8)
-\e[1mAUTHOR\e[0m
- Many people have worked on \e[4msudo\e[24m over the years; this version of \e[1mvisudo\e[0m
+A\bAU\bUT\bTH\bHO\bOR\bR
+ Many people have worked on _\bs_\bu_\bd_\bo over the years; this version of v\bvi\bis\bsu\bud\bdo\bo
was written by:
Todd Miller
See the HISTORY file in the sudo distribution or visit
http://www.sudo.ws/sudo/history.html for more details.
-\e[1mCAVEATS\e[0m
+C\bCA\bAV\bVE\bEA\bAT\bTS\bS
There is no easy way to prevent a user from gaining a root shell if the
- editor used by \e[1mvisudo \e[22mallows shell escapes.
+ editor used by v\bvi\bis\bsu\bud\bdo\bo allows shell escapes.
-\e[1mBUGS\e[0m
- If you feel you have found a bug in \e[1mvisudo\e[22m, please submit a bug report
+B\bBU\bUG\bGS\bS
+ If you feel you have found a bug in v\bvi\bis\bsu\bud\bdo\bo, please submit a bug report
at http://www.sudo.ws/sudo/bugs/
-\e[1mSUPPORT\e[0m
+S\bSU\bUP\bPP\bPO\bOR\bRT\bT
Limited free support is available via the sudo-users mailing list, see
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
the archives.
-\e[1mDISCLAIMER\e[0m
- \e[1mvisudo \e[22mis provided ``AS IS'' and any express or implied warranties,
+D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
+ v\bvi\bis\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose are disclaimed.
- See the LICENSE file distributed with \e[1msudo \e[22mor
+ See the LICENSE file distributed with s\bsu\bud\bdo\bo or
http://www.sudo.ws/sudo/license.html for complete details.
-1.7.7 August 13, 2011 VISUDO(1m)
+1.7.8 September 16, 2011 VISUDO(1m)
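Review bot: two wording errors in the unchanged context lines are carried over into the re-rendered page and should be fixed in the man page source rather than in this generated file: "will use any the editor defines by VISUAL or EDITOR" (the env_editor paragraph) should read "will use any editor defined by VISUAL or EDITOR", and "Specify and alternate sudoers file location" under -f should read "Specify an alternate sudoers file location". The +/- lines themselves only change the text-attribute encoding of the preformatted page, from ANSI SGR sequences (\e[1m ... \e[22m, \e[4m ... \e[24m) to classic backspace overstrikes (v\bvi\bis..., _\bs_\bu...), plus the footer bump to "1.7.8 September 16, 2011"; the overstrike form is what man(1) and less(1) expect in a cat page, but the other preformatted pages shipped in this update should be regenerated the same way so the package does not mix the two encodings, and anyone grepping these pages for literal strings such as "visudo" should be aware that the overstruck form no longer matches a plain search.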
.\" ========================================================================
.\"
.IX Title "VISUDO @mansectsu@"
-.TH VISUDO @mansectsu@ "August 13, 2011" "1.7.7" "MAINTENANCE COMMANDS"
+.TH VISUDO @mansectsu@ "September 16, 2011" "1.7.8" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
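Review bot: the .TH date and version strings ("September 16, 2011", "1.7.8") agree with the footer of the preformatted page above, so the rendered and source copies stay consistent; the @mansectsu@ placeholder is correctly left for configure to substitute, since the rendered page shows it as section 1m on this platform.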