s\bsu\bud\bdo\bo allows shell-style _\bw_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs (aka meta or glob characters) to be
used in host names, path names and command line arguments in the _\bs_\bu_\bd_\bo_\be_\br_\bs
file. Wildcard matching is done via the glob(3) and fnmatch(3) functions
- as specified by IEEE Std 1003.1 (``POSIX.1''). Note that these are _\bn_\bo_\bt
- regular expressions.
+ as specified by IEEE Std 1003.1 (``POSIX.1'').
- * Matches any set of zero or more characters.
+ * Matches any set of zero or more characters (including white
+ space).
- ? Matches any single character.
+ ? Matches any single character (including white space).
[...] Matches any character in the specified range.
- [!...] Matches any character n\bno\bot\bt in the specified range.
+ [!...] Matches any character _\bn_\bo_\bt in the specified range.
\x For any character `x', evaluates to `x'. This is used to
escape special characters such as: `*', `?', `[', and `]'.
- Character classes may also be used if your system's glob(3) and
- fnmatch(3) functions support them. However, because the `:' character
- has special meaning in _\bs_\bu_\bd_\bo_\be_\br_\bs, it must be escaped. For example:
+ N\bNo\bot\bte\be t\bth\bha\bat\bt t\bth\bhe\bes\bse\be a\bar\bre\be n\bno\bot\bt r\bre\beg\bgu\bul\bla\bar\br e\bex\bxp\bpr\bre\bes\bss\bsi\bio\bon\bns\bs.\b. Unlike a regular expression
+ there is no way to match one or more characters within a range.
+
+ Character classes may be used if your system's glob(3) and fnmatch(3)
+ functions support them. However, because the `:' character has special
+ meaning in _\bs_\bu_\bd_\bo_\be_\br_\bs, it must be escaped. For example:
/bin/ls [[\:alpha\:]]*
Would match any file name beginning with a letter.
- Note that a forward slash (`/') will n\bno\bot\bt be matched by wildcards used in
+ Note that a forward slash (`/') will _\bn_\bo_\bt be matched by wildcards used in
the file name portion of the command. This is to make a path like:
/usr/bin/*
match _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bw_\bh_\bo but not _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bX_\b1_\b1_\b/_\bx_\bt_\be_\br_\bm.
- When matching the command line arguments, however, a slash d\bdo\boe\bes\bs get
+ When matching the command line arguments, however, a slash _\bd_\bo_\be_\bs get
matched by wildcards since command line arguments may contain arbitrary
strings and not just path names.
W\bWi\bil\bld\bdc\bca\bar\brd\bds\bs i\bin\bn c\bco\bom\bmm\bma\ban\bnd\bd l\bli\bin\bne\be a\bar\brg\bgu\bum\bme\ben\bnt\bts\bs s\bsh\bho\bou\bul\bld\bd b\bbe\be u\bus\bse\bed\bd w\bwi\bit\bth\bh c\bca\bar\bre\be.\b.
Command line arguments are matched as a single, concatenated string.
- This mean a wildcard such as `?' or `*' will match _\bm_\bu_\bl_\bt_\bi_\bp_\bl_\be words. For
- example, while a sudoers entry like:
+ This mean a wildcard character such as `?' or `*' will match across word
+ boundaries, which may be unexpected. For example, while a sudoers entry
+ like:
%operator ALL = /bin/cat /var/log/messages*
$ sudo cat /var/log/messages /etc/shadow
- which is probably not what was intended.
+ which is probably not what was intended. In most cases it is better to
+ do command line processing outside of _\bs_\bu_\bd_\bo_\be_\br_\bs in a scripting language.
E\bEx\bxc\bce\bep\bpt\bti\bio\bon\bns\bs t\bto\bo w\bwi\bil\bld\bdc\bca\bar\brd\bd r\bru\bul\ble\bes\bs
The following exceptions apply to the above rules:
"" If the empty string "" is the only command line argument in the
_\bs_\bu_\bd_\bo_\be_\br_\bs entry it means that command is not allowed to be run
- with a\ban\bny\by arguments.
+ with _\ba_\bn_\by arguments.
sudoedit Command line arguments to the _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt built-in command should
always be path names, so a forward slash (`/') will not be
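Review bot: the grammatical slip in the removed line survives into the added one at `+ This mean a wildcard character such as `?' or `*' will match across word`; it should read `This means a wildcard character such as ...`. The same sentence is rewritten in the man and mdoc sources in this patch, so correct it in all three places, not only in this formatted copy.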
manager or editor temporary/backup files. Files are parsed in sorted
lexical order. That is, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b0_\b1_\b__\bf_\bi_\br_\bs_\bt will be parsed before
_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Be aware that because the sorting is lexical,
- not numeric, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b__\bw_\bh_\bo_\bo_\bp_\bs would be loaded a\baf\bft\bte\ber\br
+ not numeric, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b__\bw_\bh_\bo_\bo_\bp_\bs would be loaded _\ba_\bf_\bt_\be_\br
_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Using a consistent number of leading zeroes in
the file names can be used to avoid such problems.
User_Alias, Runas_Alias, or Host_Alias. You should not try to define
your own _\ba_\bl_\bi_\ba_\bs called A\bAL\bLL\bL as the built-in alias will be used in
preference to your own. Please note that using A\bAL\bLL\bL can be dangerous
- since in a command context, it allows the user to run a\ban\bny\by command on the
+ since in a command context, it allows the user to run _\ba_\bn_\by command on the
system.
An exclamation point (`!') can be used as a logical _\bn_\bo_\bt operator in a
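Review bot: this file is formatter output (note the overstrike sequences), so the line wrapping of added text such as `(including white` / `space).` under the `*` entry must be whatever the formatter produces for the edited source; confirm the cat text was regenerated from the man/mdoc source rather than edited by hand, otherwise it will drift from the source on the next regeneration and show up as a spurious diff.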
fnmatch(3)
functions as specified by
IEEE Std 1003.1 (\(LqPOSIX.1\(Rq).
-Note that these are
-\fInot\fR
-regular expressions.
.TP 10n
\fR*\fR
-Matches any set of zero or more characters.
+Matches any set of zero or more characters (including white space).
.TP 10n
\fR\&?\fR
-Matches any single character.
+Matches any single character (including white space).
.TP 10n
\fR[...]\fR
Matches any character in the specified range.
.TP 10n
\fR[!...]\fR
Matches any character
-\fBnot\fR
+\fInot\fR
in the specified range.
.TP 10n
\fR\ex\fR
and
\(oq]\&\(cq.
.PP
-Character classes may also be used if your system's
+\fBNote that these are not regular expressions.\fR
+Unlike a regular expression there is no way to match one or more
+characters within a range.
+.PP
+Character classes may be used if your system's
glob(3)
and
fnmatch(3)
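Review bot: the new `(including white space)` qualifier on `*` and `?` is exactly the property that makes the command-line warning later in this patch bite (arguments are matched as one concatenated string, so `/var/log/messages*` also matches `/var/log/messages /etc/shadow`), but nothing connects the two passages; suggest a forward reference here, e.g. `Matches any set of zero or more characters (including white space; see the note on command line arguments below).`, and the same in the mdoc source and the regenerated cat output.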
Note that a forward slash
(\(oq/\(cq)
will
-\fBnot\fR
+\fInot\fR
be matched by
wildcards used in the file name portion of the command.
This is to make a path like:
\fI/usr/bin/X11/xterm\fR.
.PP
When matching the command line arguments, however, a slash
-\fBdoes\fR
+\fIdoes\fR
get matched by wildcards since command line arguments may contain
arbitrary strings and not just path names.
.PP
\fBWildcards in command line arguments should be used with care.\fR
.br
Command line arguments are matched as a single, concatenated string.
-This mean a wildcard such as
+This mean a wildcard character such as
\(oq\&?\(cq
or
\(oq*\(cq
-will match
-\fImultiple\fR
-words.
+will match across word boundaries, which may be unexpected.
For example, while a sudoers entry like:
.nf
.sp
.fi
.PP
which is probably not what was intended.
+In most cases it is better to do command line processing
+outside of
+\fIsudoers\fR
+in a scripting language.
.SS "Exceptions to wildcard rules"
The following exceptions apply to the above rules:
.TP 10n
is the only command line argument in the
\fIsudoers\fR
entry it means that command is not allowed to be run with
-\fBany\fR
+\fIany\fR
arguments.
.TP 10n
sudoedit
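Review bot: the added advice `In most cases it is better to do command line processing outside of sudoers in a scripting language.` does not say how the script itself should then be listed, and the `""` rule a few lines below (the command `is not allowed to be run with any arguments`) is what stops callers from feeding their own arguments to that script; suggest tying the two together, e.g. `... in a scripting language, and to list that script in sudoers with the empty string "" as its only argument so that callers cannot pass it arguments of their own.`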
Be aware that because the sorting is lexical, not numeric,
\fI/etc/sudoers.d/1_whoops\fR
would be loaded
-\fBafter\fR
+\fIafter\fR
\fI/etc/sudoers.d/10_second\fR.
Using a consistent number of leading zeroes in the file names can be used
to avoid such problems.
Please note that using
\fBALL\fR
can be dangerous since in a command context, it allows the user to run
-\fBany\fR
+\fIany\fR
command on the system.
.PP
An exclamation point
.Xr fnmatch 3
functions as specified by
.St -p1003.1 .
-Note that these are
-.Em not
-regular expressions.
.Bl -tag -width 8n
.It Li *
-Matches any set of zero or more characters.
+Matches any set of zero or more characters (including white space).
.It Li \&?
-Matches any single character.
+Matches any single character (including white space).
.It Li [...]
Matches any character in the specified range.
.It Li [!...]
Matches any character
-.Sy not
+.Em not
in the specified range.
.It Li \ex
For any character
.Ql ]\& .
.El
.Pp
-Character classes may also be used if your system's
+.Bf -symbolic
+Note that these are not regular expressions.
+.Ef
+Unlike a regular expression there is no way to match one or more
+characters within a range.
+.Pp
+Character classes may be used if your system's
.Xr glob 3
and
.Xr fnmatch 3
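Review bot: style: the added sentence `Unlike a regular expression there is no way to match one or more characters within a range.` reads better with a comma after `expression`, and since the sentence is duplicated verbatim in the man source and the formatted cat output in this patch, apply the same change to all three. The `.Bf -symbolic` / `.Ef` wrapper for the bold note is consistent with how the later `should be used with care` block is marked up (its closing `.Ef` is visible below), so that part looks right.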
Note that a forward slash
.Pq Ql /
will
-.Sy not
+.Em not
be matched by
wildcards used in the file name portion of the command.
This is to make a path like:
.Pa /usr/bin/X11/xterm .
.Pp
When matching the command line arguments, however, a slash
-.Sy does
+.Em does
get matched by wildcards since command line arguments may contain
arbitrary strings and not just path names.
.Pp
.Ef
.br
Command line arguments are matched as a single, concatenated string.
-This mean a wildcard such as
+This mean a wildcard character such as
.Ql \&?
or
.Ql *
-will match
-.Em multiple
-words.
+will match across word boundaries, which may be unexpected.
For example, while a sudoers entry like:
.Bd -literal -offset 4n
%operator ALL = /bin/cat /var/log/messages*
.Ed
.Pp
which is probably not what was intended.
+In most cases it is better to do command line processing
+outside of
+.Em sudoers
+in a scripting language.
.Ss Exceptions to wildcard rules
The following exceptions apply to the above rules:
.Bl -tag -width 8n
is the only command line argument in the
.Em sudoers
entry it means that command is not allowed to be run with
-.Sy any
+.Em any
arguments.
.It sudoedit
Command line arguments to the
Be aware that because the sorting is lexical, not numeric,
.Pa /etc/sudoers.d/1_whoops
would be loaded
-.Sy after
+.Em after
.Pa /etc/sudoers.d/10_second .
Using a consistent number of leading zeroes in the file names can be used
to avoid such problems.
Please note that using
.Sy ALL
can be dangerous since in a command context, it allows the user to run
-.Sy any
+.Em any
command on the system.
.Pp
An exclamation point