-sudoers(5) FILE FORMATS sudoers(5)
+SUDOERS(5) FILE FORMATS SUDOERS(5)
N\bN\bN\bNA\bA\bA\bAM\bM\bM\bME\bE\bE\bE
- sudoers - list of which users may execute what as root
+ sudoers - list of which users may execute what
D\bD\bD\bDE\bE\bE\bES\bS\bS\bSC\bC\bC\bCR\bR\bR\bRI\bI\bI\bIP\bP\bP\bPT\bT\bT\bTI\bI\bI\bIO\bO\bO\bON\bN\bN\bN
- The _\bs_\bu_\bd_\bo_\be_\br_\bs file is composed of an optional host alias
- section, an optional command alias section and the user
- specification section. All command or host aliases need
- to start with their respective keywords (ie: Host_Alias,
- User_Alias, Runas_Alias or Cmnd_Alias). If there are
- multiple occurrences of a user, the logical union of the
- entries will be used. Note that if there is an entry that
- denies access to a command that is followed by an entry
- that grants access the user will be allowed to run the
- command.
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs file is composed two types of entries: aliases
+ (basically variables) and user specifications (which
+ specify who may run what). The grammar of _\bs_\bu_\bd_\bo_\be_\br_\bs will be
+ described below in Extended Backus-Naur Form (EBNF).
+ Don't despair if you don't know what EBNF is, it is fairly
+ simple and the definitions below are annotated.
- u\bu\bu\bus\bs\bs\bse\be\be\ber\br\br\br s\bs\bs\bsp\bp\bp\bpe\be\be\bec\bc\bc\bci\bi\bi\bif\bf\bf\bfi\bi\bi\bic\bc\bc\bca\ba\ba\bat\bt\bt\bti\bi\bi\bio\bo\bo\bon\bn\bn\bn f\bf\bf\bfo\bo\bo\bor\br\br\brm\bm\bm\bma\ba\ba\bat\bt\bt\bt:\b:\b:\b:
+ Q\bQ\bQ\bQu\bu\bu\bui\bi\bi\bic\bc\bc\bck\bk\bk\bk g\bg\bg\bgu\bu\bu\bui\bi\bi\bid\bd\bd\bde\be\be\be t\bt\bt\bto\bo\bo\bo E\bE\bE\bEB\bB\bB\bBN\bN\bN\bNF\bF\bF\bF
+ EBNF is a concise and exact way of describing the grammar
+ of a language. Each EBNF definition is made up of
+ _\bp_\br_\bo_\bd_\bu_\bc_\bt_\bi_\bo_\bn _\br_\bu_\bl_\be_\bs. Eg.
- user access_group [: access_group] ...
+ symbol ::= definition | alternate1 | alternate2 ...
- access_group ::= host-list = [(runas-list)] [NOPASSWD:] [op]cmnd_type
- [,[(user-list)] [NOPASSWD|PASSWD:] [op]cmnd_type] ...
- cmnd_type ::= a command OR a command alias.
- op ::= the logical "!" NOT operator.
+ Each _\bp_\br_\bo_\bd_\bu_\bc_\bt_\bi_\bo_\bn _\br_\bu_\bl_\be references others and thus makes up a
+ grammar for the language. EBNF also contains the
+ following operators, which many readers will recognize
+ from regular expressions. Do not, however, confuse them
+ with "wildcard" characters, which have different meanings.
+ ? Means that the preceding symbol (or group of
+ symbols) is optional. That is, it may appear once
+ or not at all.
- h\bh\bh\bho\bo\bo\bos\bs\bs\bst\bt\bt\bt a\ba\ba\bal\bl\bl\bli\bi\bi\bia\ba\ba\bas\bs\bs\bs s\bs\bs\bse\be\be\bec\bc\bc\bct\bt\bt\bti\bi\bi\bio\bo\bo\bon\bn\bn\bn f\bf\bf\bfo\bo\bo\bor\br\br\brm\bm\bm\bma\ba\ba\bat\bt\bt\bt:\b:\b:\b:
+ * Means that the preceding symbol (or group of
+ symbols) may appear zero or more times.
+ + Means that the preceding symbol (or group of
+ symbols) may appear one or more times.
- Host_Alias HOSTALIAS = host-list
+ Parentheses may be used to group symbols together. For
+ clarity, we will use single quotes ('') to designate what
+ is a verbatim character string (as opposed to a symbol
+ name).
- Host_Alias ::= a keyword.
- HOSTALIAS ::= an upper-case alias name.
- host-list ::= a comma separated list of hosts, netgroups,
- ip addresses, networks. A logical "!"
- NOT operator may be prefixed to any of these.
+ A\bA\bA\bAl\bl\bl\bli\bi\bi\bia\ba\ba\bas\bs\bs\bse\be\be\bes\bs\bs\bs
+ There are four kinds of aliases: the User_Alias,
+ Runas_Alias, Host_Alias and Cmnd_Alias.
- u\bu\bu\bus\bs\bs\bse\be\be\ber\br\br\br a\ba\ba\bal\bl\bl\bli\bi\bi\bia\ba\ba\bas\bs\bs\bs s\bs\bs\bse\be\be\bec\bc\bc\bct\bt\bt\bti\bi\bi\bio\bo\bo\bon\bn\bn\bn f\bf\bf\bfo\bo\bo\bor\br\br\brm\bm\bm\bma\ba\ba\bat\bt\bt\bt:\b:\b:\b:
+ Alias ::= User_Alias = User_Alias (':' User_Alias)* |
+ Runas_Alias (':' Runas_Alias)* |
+ Host_Alias (':' Host_Alias)* |
+ Cmnd_Alias (':' Cmnd_Alias)*
+ User_Alias ::= NAME '=' User_List
- User_Alias USERALIAS = user-list
+ Runas_Alias ::= NAME '=' Runas_User_List
- User_Alias ::= a keyword.
- USERALIAS ::= an upper-case alias name.
- user-list ::= a comma separated list of users, groups, netgroups.
- A logical "!" NOT operator may be prefixed to any
- of these.
- r\br\br\bru\bu\bu\bun\bn\bn\bna\ba\ba\bas\bs\bs\bs a\ba\ba\bal\bl\bl\bli\bi\bi\bia\ba\ba\bas\bs\bs\bs s\bs\bs\bse\be\be\bec\bc\bc\bct\bt\bt\bti\bi\bi\bio\bo\bo\bon\bn\bn\bn f\bf\bf\bfo\bo\bo\bor\br\br\brm\bm\bm\bma\ba\ba\bat\bt\bt\bt:\b:\b:\b:
+25/Aug/1999 1.6 1
- Runas_Alias RUNASALIAS = runas-list
-22/Jun/1999 1.6 1
+SUDOERS(5) FILE FORMATS SUDOERS(5)
+ Host_Alias ::= NAME '=' Host_List
+ Cmnd_Alias ::= NAME '=' Cmnd_List
-sudoers(5) FILE FORMATS sudoers(5)
+ NAME ::= [A-Z]([A-Z][0-9]_)*
+ Each _\ba_\bl_\bi_\ba_\bs definition is of the form
- Runas_Alias ::= a keyword.
- RUNASALIAS ::= an upper-case alias name.
- runas-list ::= a comma separated list of users, groups, netgroups.
- A logical "!" NOT operator may be prefixed to any
- of these.
+ Alias_Type NAME = item1, item2, ...
+ where _\bA_\bl_\bi_\ba_\bs_\b__\bT_\by_\bp_\be is one of User_Alias, Runas_Alias,
+ Host_Alias, or Cmnd_Alias. A NAME is a string of upper
+ case letters, numbers, and the underscore characters
+ ('_'). A NAME m\bm\bm\bmu\bu\bu\bus\bs\bs\bst\bt\bt\bt start with an upper case letter. It
+ is possible to put several alias definitions of the same
+ type on a single line, joined by a semicolon (':'). Eg.
- c\bc\bc\bco\bo\bo\bom\bm\bm\bmm\bm\bm\bma\ba\ba\ban\bn\bn\bnd\bd\bd\bd a\ba\ba\bal\bl\bl\bli\bi\bi\bia\ba\ba\bas\bs\bs\bs s\bs\bs\bse\be\be\bec\bc\bc\bct\bt\bt\bti\bi\bi\bio\bo\bo\bon\bn\bn\bn f\bf\bf\bfo\bo\bo\bor\br\br\brm\bm\bm\bma\ba\ba\bat\bt\bt\bt:\b:\b:\b:
+ Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
+ The definitions of what constitutes a valid _\ba_\bl_\bi_\ba_\bs member
+ follow.
- Cmnd_Alias CMNDALIAS = cmnd-list
+ User_List ::= User |
+ User ',' User_List
- Cmnd_Alias ::= a keyword.
- CMNDALIAS ::= an upper-case alias name.
- cmnd-list ::= a comma separated list commands.
- A logical "!" NOT operator may be prefixed to any
- of these.
+ User ::= '!'* username |
+ '!'* '#'uid |
+ '!'* '%'group |
+ '!'* '+'netgroup |
+ '!'* User_Alias
+ A User_List is made up of one or more usernames, uids
+ (prefixed with '#'), System groups (prefixed with '%'),
+ netgroups (prefixed with '+') and other aliases. Each
+ list item may be prefixed with one or more '!' operators.
+ An odd number of '!' operators negates the value of the
+ item; an even number just cancel each other out.
- c\bc\bc\bco\bo\bo\bom\bm\bm\bmm\bm\bm\bma\ba\ba\ban\bn\bn\bnd\bd\bd\bd s\bs\bs\bsp\bp\bp\bpe\be\be\bec\bc\bc\bci\bi\bi\bif\bf\bf\bfi\bi\bi\bic\bc\bc\bca\ba\ba\bat\bt\bt\bti\bi\bi\bio\bo\bo\bon\bn\bn\bn:\b:\b:\b:
+ Runas_List ::= Runas_User |
+ Runas_User ',' Runas_List
+ Runas_User ::= '!'* username |
+ '!'* '#'uid |
+ '!'* '%'group |
+ '!'* +netgroup |
+ '!'* Runas_Alias
- path arg1 arg2 .. argn = command
+ Likewise, a Runas_List has the same possible elements as a
+ User_List, except that it can include a Runas_Alias,
+ instead of a User_Alias.
- path ::= a fully qualified pathname.
- arg[1..n] ::= optional command line arguments.
+ Host_List ::= Host |
+ Host ',' Host_List
- p\bp\bp\bpe\be\be\ber\br\br\brs\bs\bs\bsi\bi\bi\bis\bs\bs\bst\bt\bt\bte\be\be\ben\bn\bn\bnc\bc\bc\bce\be\be\be o\bo\bo\bof\bf\bf\bf m\bm\bm\bmo\bo\bo\bod\bd\bd\bdi\bi\bi\bif\bf\bf\bfi\bi\bi\bie\be\be\ber\br\br\brs\bs\bs\bs
- When a _\br_\bu_\bn_\ba_\bs_\b-_\bl_\bi_\bs_\bt is specified for an _\ba_\bc_\bc_\be_\bs_\bs_\b__\bg_\br_\bo_\bu_\bp, it
- affects all commands in the _\ba_\bc_\bc_\be_\bs_\bs_\b__\bg_\br_\bo_\bu_\bp. For example,
- given:
- oper bigserver = (root, sysadm) /usr/bin/kill, /bin/rm
+25/Aug/1999 1.6 2
- User oper will be able to run /usr/bin/kill and /bin/rm as
- r\br\br\bro\bo\bo\boo\bo\bo\bot\bt\bt\bt or s\bs\bs\bsy\by\by\bys\bs\bs\bsa\ba\ba\bad\bd\bd\bdm\bm\bm\bm on the machine, bigserver. The _\br_\bu_\bn_\ba_\bs_\b-_\bl_\bi_\bs_\bt
- is "sticky" across entries in the comma-separated
- _\ba_\bc_\bc_\be_\bs_\bs_\b__\bg_\br_\bo_\bu_\bp. You can override the _\br_\bu_\bn_\ba_\bs_\b-_\bl_\bi_\bs_\bt with
- another one, at which point the new _\br_\bu_\bn_\ba_\bs_\b-_\bl_\bi_\bs_\bt becomes the
- default for that _\ba_\bc_\bc_\be_\bs_\bs_\b__\bg_\br_\bo_\bu_\bp. For example, given:
- oper bigserver = (root, sysadm) /usr/bin/kill, (root) /bin/rm, \
- /bin/rmdir
- User oper can still run /usr/bin/kill as r\br\br\bro\bo\bo\boo\bo\bo\bot\bt\bt\bt or s\bs\bs\bsy\by\by\bys\bs\bs\bsa\ba\ba\bad\bd\bd\bdm\bm\bm\bm
- but can only run /bin/rm and /bin/rmdir as r\br\br\bro\bo\bo\boo\bo\bo\bot\bt\bt\bt.
- Similarly, the N\bN\bN\bNO\bO\bO\bOP\bP\bP\bPA\bA\bA\bAS\bS\bS\bSS\bS\bS\bSW\bW\bW\bWD\bD\bD\bD modifier is also persistent across
- an _\ba_\bc_\bc_\be_\bs_\bs_\b__\bg_\br_\bo_\bu_\bp. For example given:
- oper bigserver = NOPASSWD: /usr/bin/kill, /bin/rm, /bin/rmdir
+SUDOERS(5) FILE FORMATS SUDOERS(5)
+ Host ::= '!'* hostname |
+ '!'* ip_addr |
+ '!'* network(/netmask)? |
+ '!'* '+'netgroup |
+ '!'* Host_Alias
+ A Host_List is made up of one or more hostnames, IP
+ addresses, network numbers, netgroups (prefixed with '+')
+ and other aliases. Again, the value of an item may be
+ negated with the '!' operator. If you do not specify a
+ netmask with a network number, the netmask of the host's
+ ethernet _\bi_\bn_\bt_\be_\br_\bf_\ba_\bc_\be(s) will be used when matching. The
+ netmask may be specified either in dotted quad notation
+ (eg. 255.255.255.0) or CIDR notation (number of bits, eg.
+ 24).
-22/Jun/1999 1.6 2
+ Cmnd_List ::= Cmnd |
+ Cmnd ',' Cmnd_List
+ commandname ::= filename |
+ filename args |
+ filename '""'
+ Cmnd ::= '!'* commandname |
+ '!'* directory |
+ '!'* Cmnd_Alias
+ A Cmnd_List is a list of one or more commandnames,
+ directories, and other aliases. A commandname is a fully-
+ qualified filename which may include shell-style wildcards
+ (see `Wildcards' section below). A simple filename allows
+ the user to run the command with any arguments he/she
+ wishes. However, you may also command line arguments
+ (including wildcards). Alternately, you can specify "" to
+ indicate that the command may only be run w\bw\bw\bwi\bi\bi\bit\bt\bt\bth\bh\bh\bho\bo\bo\bou\bu\bu\but\bt\bt\bt command
+ line arguments. A directory is a fully qualified pathname
+ ending in a '/'. When you specify a directory in a
+ Cmnd_List, the user will be able to run any file within
+ that directory (but not in any subdirectories therein).
+ If a Cmnd has associated command line arguments, then the
+ arguments in the Cmnd must match exactly those given by
+ the user on the command line (or match the wildcards if
+ there are any). Note that the following characters must
+ be escaped with a '\' if they are used in command
+ arguments: ',', ':', '=', '\\'.
-sudoers(5) FILE FORMATS sudoers(5)
+ U\bU\bU\bUs\bs\bs\bse\be\be\ber\br\br\br S\bS\bS\bSp\bp\bp\bpe\be\be\bec\bc\bc\bci\bi\bi\bif\bf\bf\bfi\bi\bi\bic\bc\bc\bca\ba\ba\bat\bt\bt\bti\bi\bi\bio\bo\bo\bon\bn\bn\bn
- User oper will be able to run /usr/bin/kill, /bin/rm, and
- /bin/rmdir as r\br\br\bro\bo\bo\boo\bo\bo\bot\bt\bt\bt without a password. If we change that
- to:
+ Runas_Spec ::= '(' Runas_List ')'
- oper bigserver = NOPASSWD: /usr/bin/kill, PASSWD: /bin/rm, /bin/rmdir
+ Cmnd_Spec ::= Runas_Spec? ('NOPASSWD:' | 'PASSWD:')? Cmnd
- User oper can still run /usr/bin/kill without a password
- but must give a password to run /bin/rm and /bin/rmdir.
- w\bw\bw\bwi\bi\bi\bil\bl\bl\bld\bd\bd\bdc\bc\bc\bca\ba\ba\bar\br\br\brd\bd\bd\bds\bs\bs\bs (\b(\b(\b(a\ba\ba\bak\bk\bk\bka\ba\ba\ba m\bm\bm\bme\be\be\bet\bt\bt\bta\ba\ba\ba c\bc\bc\bch\bh\bh\bha\ba\ba\bar\br\br\bra\ba\ba\bac\bc\bc\bct\bt\bt\bte\be\be\ber\br\br\brs\bs\bs\bs)\b)\b)\b):\b:\b:\b:
- s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo allows shell-style _\bw_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs along with command
- arguments in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. Wildcard matching is done
- via the P\bP\bP\bPO\bO\bO\bOS\bS\bS\bSI\bI\bI\bIX\bX\bX\bX fnmatch(3) routine.
+
+25/Aug/1999 1.6 3
+
+
+
+
+
+SUDOERS(5) FILE FORMATS SUDOERS(5)
+
+
+ Cmnd_Spec_List ::= Cmnd_Spec |
+ Cmnd_Spec ',' Cmnd_Spec_List
+
+ User_Spec ::= User_list Cmnd_Spec_List (':' User_Spec)*
+
+ A u\bu\bu\bus\bs\bs\bse\be\be\ber\br\br\br s\bs\bs\bsp\bp\bp\bpe\be\be\bec\bc\bc\bci\bi\bi\bif\bf\bf\bfi\bi\bi\bic\bc\bc\bca\ba\ba\bat\bt\bt\bti\bi\bi\bio\bo\bo\bon\bn\bn\bn determines which commands a user may
+ run (and as what user) on specified hosts. By default,
+ commands are run as r\br\br\bro\bo\bo\boo\bo\bo\bot\bt\bt\bt but this can be changed on a per-
+ command basis.
+
+ Let's break that down into its constituent parts:
+
+ R\bR\bR\bRu\bu\bu\bun\bn\bn\bna\ba\ba\bas\bs\bs\bs_\b_\b_\b_S\bS\bS\bSp\bp\bp\bpe\be\be\bec\bc\bc\bc
+
+ A Runas_Spec is simply a Runas_List (as defined above)
+ enclosed in a set of parentheses. If you do not specify a
+ Runas_Spec in the user specification, a default Runas_Spec
+ of r\br\br\bro\bo\bo\boo\bo\bo\bot\bt\bt\bt will be used. A Runas_Spec sets the default for
+ commands that follow it. What this means is that for the
+ entry:
+
+ dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/who
+
+ The user d\bd\bd\bdg\bg\bg\bgb\bb\bb\bb may run _\b/_\bb_\bi_\bn_\b/_\bl_\bs, _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm
+ -- but only as o\bo\bo\bop\bp\bp\bpe\be\be\ber\br\br\bra\ba\ba\bat\bt\bt\bto\bo\bo\bor\br\br\br. Eg.
+
+ sudo -u operator /bin/ls.
+
+ It is also possible to override a Runas_Spec later on in
+ an entry. If we modify the entry like so:
+
+ dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
+
+ Then user d\bd\bd\bdg\bg\bg\bgb\bb\bb\bb is now allowed to run _\b/_\bb_\bi_\bn_\b/_\bl_\bs as o\bo\bo\bop\bp\bp\bpe\be\be\ber\br\br\bra\ba\ba\bat\bt\bt\bto\bo\bo\bor\br\br\br,
+ but _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as r\br\br\bro\bo\bo\boo\bo\bo\bot\bt\bt\bt.
+
+ N\bN\bN\bNO\bO\bO\bOP\bP\bP\bPA\bA\bA\bAS\bS\bS\bSS\bS\bS\bSW\bW\bW\bWD\bD\bD\bD a\ba\ba\ban\bn\bn\bnd\bd\bd\bd P\bP\bP\bPA\bA\bA\bAS\bS\bS\bSS\bS\bS\bSW\bW\bW\bWD\bD\bD\bD
+
+ By default, s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo requires that a user authenticate him or
+ herself before running a command. This behavior can be
+ modified via the NOPASSWD tag. Like a Runas_Spec, the
+ NOPASSWD tag sets a default for the commands that follow
+ it in the Cmnd_Spec_List. Conversely, the PASSWD tag can
+ be used to reverse things. For example:
+
+ ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
+
+ would allow the user r\br\br\bra\ba\ba\bay\by\by\by to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, _\b/_\bb_\bi_\bn_\b/_\bl_\bs, and
+ _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as root on the machine rushmore as r\br\br\bro\bo\bo\boo\bo\bo\bot\bt\bt\bt
+ without authenticating himself. If we only want r\br\br\bra\ba\ba\bay\by\by\by to be
+ able to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl without a password the entry would
+ be:
+
+ ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
+
+
+
+25/Aug/1999 1.6 4
+
+
+
+
+
+SUDOERS(5) FILE FORMATS SUDOERS(5)
+
+
+ W\bW\bW\bWi\bi\bi\bil\bl\bl\bld\bd\bd\bdc\bc\bc\bca\ba\ba\bar\br\br\brd\bd\bd\bds\bs\bs\bs (\b(\b(\b(a\ba\ba\bak\bk\bk\bka\ba\ba\ba m\bm\bm\bme\be\be\bet\bt\bt\bta\ba\ba\ba c\bc\bc\bch\bh\bh\bha\ba\ba\bar\br\br\bra\ba\ba\bac\bc\bc\bct\bt\bt\bte\be\be\ber\br\br\brs\bs\bs\bs)\b)\b)\b):\b:\b:\b:
+
+ s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo allows shell-style _\bw_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs to be used in pathnames
+ as well as command line arguments in the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
+ Wildcard matching is done via the P\bP\bP\bPO\bO\bO\bOS\bS\bS\bSI\bI\bI\bIX\bX\bX\bX fnmatch(3)
+ routine. Note that these are _\bn_\bo_\bt regular expressions.
* Matches any set of zero or more characters.
used to escape special characters such as: "*",
"?", "[", and "}".
- e\be\be\bex\bx\bx\bxc\bc\bc\bce\be\be\bep\bp\bp\bpt\bt\bt\bti\bi\bi\bio\bo\bo\bon\bn\bn\bns\bs\bs\bs t\bt\bt\bto\bo\bo\bo w\bw\bw\bwi\bi\bi\bil\bl\bl\bld\bd\bd\bdc\bc\bc\bca\ba\ba\bar\br\br\brd\bd\bd\bd r\br\br\bru\bu\bu\bul\bl\bl\ble\be\be\bes\bs\bs\bs:\b:\b:\b:
+ Note that a forward slash ('/') will n\bn\bn\bno\bo\bo\bot\bt\bt\bt be matched by
+ wildcards used in the pathname. When matching the command
+ line arguments, however, as slash d\bd\bd\bdo\bo\bo\boe\be\be\bes\bs\bs\bs get matched by
+ wildcards. This is to make a path like:
+
+ /usr/bin/*
+
+ match /usr/bin/who but not /usr/bin/X11/xterm.
+
+ E\bE\bE\bEx\bx\bx\bxc\bc\bc\bce\be\be\bep\bp\bp\bpt\bt\bt\bti\bi\bi\bio\bo\bo\bon\bn\bn\bns\bs\bs\bs t\bt\bt\bto\bo\bo\bo w\bw\bw\bwi\bi\bi\bil\bl\bl\bld\bd\bd\bdc\bc\bc\bca\ba\ba\bar\br\br\brd\bd\bd\bd r\br\br\bru\bu\bu\bul\bl\bl\ble\be\be\bes\bs\bs\bs:\b:\b:\b:
The following exceptions apply to the above rules:
- " If the empty string "" is the only command line
+ "" If the empty string "" is the only command line
argument in the _\bs_\bu_\bd_\bo_\be_\br_\bs entry it means that
- command may take n\bn\bn\bno\bo\bo\bo arguments.
+ command is not allowed to be run with a\ba\ba\ban\bn\bn\bny\by\by\by
+ arguments.
- o\bo\bo\bot\bt\bt\bth\bh\bh\bhe\be\be\ber\br\br\br s\bs\bs\bsp\bp\bp\bpe\be\be\bec\bc\bc\bci\bi\bi\bia\ba\ba\bal\bl\bl\bl c\bc\bc\bch\bh\bh\bha\ba\ba\bar\br\br\bra\ba\ba\bac\bc\bc\bct\bt\bt\bte\be\be\ber\br\br\brs\bs\bs\bs a\ba\ba\ban\bn\bn\bnd\bd\bd\bd r\br\br\bre\be\be\bes\bs\bs\bse\be\be\ber\br\br\brv\bv\bv\bve\be\be\bed\bd\bd\bd w\bw\bw\bwo\bo\bo\bor\br\br\brd\bd\bd\bds\bs\bs\bs:\b:\b:\b:
+ O\bO\bO\bOt\bt\bt\bth\bh\bh\bhe\be\be\ber\br\br\br s\bs\bs\bsp\bp\bp\bpe\be\be\bec\bc\bc\bci\bi\bi\bia\ba\ba\bal\bl\bl\bl c\bc\bc\bch\bh\bh\bha\ba\ba\bar\br\br\bra\ba\ba\bac\bc\bc\bct\bt\bt\bte\be\be\ber\br\br\brs\bs\bs\bs a\ba\ba\ban\bn\bn\bnd\bd\bd\bd r\br\br\bre\be\be\bes\bs\bs\bse\be\be\ber\br\br\brv\bv\bv\bve\be\be\bed\bd\bd\bd w\bw\bw\bwo\bo\bo\bor\br\br\brd\bd\bd\bds\bs\bs\bs:\b:\b:\b:
- Text after a pound sign (#\b#\b#\b#) is considered a comment.
- Words that begin with a percent sign (%\b%\b%\b%) are assumed to be
- UN*X groups (%staff refers to users in the group _\bs_\bt_\ba_\bf_\bf).
- Words that begin with a plus sign (+\b+\b+\b+) are assumed to be
- netgroups (+\b+\b+\b+c\bc\bc\bcs\bs\bs\bsh\bh\bh\bho\bo\bo\bos\bs\bs\bst\bt\bt\bts\bs\bs\bs refers to the netgroup _\bc_\bs_\bh_\bo_\bs_\bt_\bs). Long
- lines can be newline escaped with the backslash \\b\\b\\b\
- character.
+ The pound sign ('#') is used to indicate a comment (unless
+ it occurs in the context of a user name and is followed by
+ one or more digits, in which case it is treated as a uid).
+ Both the comment character and any text after it, up to
+ the end of the line, are ignored.
- The reserved word N\bN\bN\bNO\bO\bO\bOP\bP\bP\bPA\bA\bA\bAS\bS\bS\bSS\bS\bS\bSW\bW\bW\bWD\bD\bD\bD indicates that a user need not
- enter a password for the command listed in that entry.
- The N\bN\bN\bNO\bO\bO\bOP\bP\bP\bPA\bA\bA\bAS\bS\bS\bSS\bS\bS\bSW\bW\bW\bWD\bD\bD\bD modifier is persistent across entries in a
- _\bu_\bs_\be_\br_\b-_\bl_\bi_\bs_\bt and can be reversed with the P\bP\bP\bPA\bA\bA\bAS\bS\bS\bSS\bS\bS\bSW\bW\bW\bWD\bD\bD\bD modifier.
+ The reserved word A\bA\bA\bAL\bL\bL\bLL\bL\bL\bL is a a built in _\ba_\bl_\bi_\ba_\bs that always
+ causes a match to succeed. It can be used wherever one
+ might otherwise use a Cmnd_Alias, User_Alias, Runas_Alias,
+ or Host_Alias. You should not try to define your own
+ _\ba_\bl_\bi_\ba_\bs called A\bA\bA\bAL\bL\bL\bLL\bL\bL\bL as the built in alias will be used in
+ preference to your own.
- The reserved alias _\bA_\bL_\bL can be used for both
- {Host,User,Cmnd}_Alias. D\bD\bD\bDO\bO\bO\bO N\bN\bN\bNO\bO\bO\bOT\bT\bT\bT define an alias of _\bA_\bL_\bL, it
- will N\bN\bN\bNO\bO\bO\bOT\bT\bT\bT be used. Note that _\bA_\bL_\bL implies the entire
- universe of hosts/users/commands. You can subtract
+ An exclamation point ('!') can be used as a logical _\bn_\bo_\bt
+ operator both in an _\ba_\bl_\bi_\ba_\bs and in front of a Cmnd. This
-22/Jun/1999 1.6 3
+25/Aug/1999 1.6 5
-sudoers(5) FILE FORMATS sudoers(5)
+SUDOERS(5) FILE FORMATS SUDOERS(5)
- elements from the universe by using the syntax:
+ allows one to exclude certain values. Note, however, that
+ using a ! in conjunction with the built in ALL alias to
+ allow a user to run "all but a few" commands rarely works
+ as intended (see SECURITY NOTES below).
- user host=ALL,!ALIAS1,!/sbin/halt...
+ Long lines can be continued with a backslash ('\\') as the
+ last character on the line.
- Commands may have optional command line arguments. If
- they do, then the arguments in the _\bs_\bu_\bd_\bo_\be_\br_\bs file must
- exactly match those on the command line. It is also
- possible to have a command's arguments span multiple lines
- as long as the line continuance character "\" is used.
- The following characters must be escaped with a "\" if
- used in command arguments: ",", ":", "=", "\".
+ Whitespace between elements in a list as well as specicial
+ syntactic characters in a _\bU_\bs_\be_\br _\bS_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn ('=', ':',
+ '(', ')') is optional.
E\bE\bE\bEX\bX\bX\bXA\bA\bA\bAM\bM\bM\bMP\bP\bP\bPL\bL\bL\bLE\bE\bE\bES\bS\bS\bS
- # Host alias specification
- Host_Alias HUB=houdini:\
- REMOTE=merlin,kodiakthorn,spirit
- Host_Alias SERVERS=houdini,merlin,kodiakthorn,spirit
- Host_Alias CUNETS=128.138.0.0/255.255.0.0
- Host_Alias CSNETS=128.138.243.0,128.138.204.0,\
- 128.138.205.192
+ Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of
+ these are a bit contrived. First, we define our _\ba_\bl_\bi_\ba_\bs_\be_\bs:
+
+ # User alias specification
+ User_Alias FULLTIMERS = millert, mikef, dowdy
+ User_Alias PARTTIMERS = bostley, jwfox, crawl
+ User_Alias WEBMASTERS = will, wendy, wim
+
+ # Runas alias specification
+ Runas_Alias OP = root, operator
+ Runas_Alias DB = oracle, sybase
+
+ # Host alias specification
+ Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
+ SGI = grolsch, dandelion, black :\
+ ALPHA = widget, thalamus, foobar :\
+ HPPA = boa, nag, python
+ Host_Alias CUNETS = 128.138.0.0/255.255.0.0
+ Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
+ Host_Alias SERVERS = master, mail, www, ns
+ Host_Alias CDROM = orion, perseus, hercules
+
+ # Cmnd alias specification
+ Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
+ /usr/sbin/restore, /usr/sbin/rrestore
+ Cmnd_Alias KILL = /usr/bin/kill
+ Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
+ Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
+ Cmnd_Alias HALT = /usr/sbin/halt, /usr/sbin/fasthalt
+ Cmnd_Alias REBOOT = /usr/sbin/reboot, /usr/sbin/fastboot
+ Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
+ /usr/local/bin/tcsh, /usr/bin/rsh, \
+ /usr/local/bin/zsh
+ Cmnd_Alias SU = /usr/bin/su
+
+ The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually
+ determines who may run what.
+
+ root ALL = (ALL) ALL
+ %wheel ALL = (ALL) ALL
+
+
+
+
+25/Aug/1999 1.6 6
+
+
+
+
+
+SUDOERS(5) FILE FORMATS SUDOERS(5)
+
- # User alias specification
- User_Alias FULLTIME=millert,dowdy,mikef
- User_Alias PARTTIME=juola,mccreary,tor
+ We let r\br\br\bro\bo\bo\boo\bo\bo\bot\bt\bt\bt and any user in group w\bw\bw\bwh\bh\bh\bhe\be\be\bee\be\be\bel\bl\bl\bl run any command on
+ any host as any user.
- # Runas alias specification
- Runas_Alias OP=root,operator
+ FULLTIMERS ALL = NOPASSWD: ALL
- # Command alias specification
- Cmnd_Alias LPCS=/usr/sbin/lpc,/usr/bin/lprm
- Cmnd_Alias SHELLS=/bin/sh,/bin/csh,/bin/tcsh,/bin/ksh
- Cmnd_Alias SU=/usr/bin/su
- Cmnd_Alias MISC=/bin/rm,/bin/cat:\
- SHUTDOWN=/sbin/halt,/sbin/shutdown
+ Full time sysadmins (m\bm\bm\bmi\bi\bi\bil\bl\bl\bll\bl\bl\ble\be\be\ber\br\br\brt\bt\bt\bt, m\bm\bm\bmi\bi\bi\bik\bk\bk\bke\be\be\bef\bf\bf\bf, and d\bd\bd\bdo\bo\bo\bow\bw\bw\bwd\bd\bd\bdy\by\by\by) may run
+ any command on any host without authenticating themselves.
- # User specification
- FULLTIME ALL=(ALL) NOPASSWD: ALL
- %wheel ALL=ALL
- PARTTIME ALL=ALL,!SHELLS,!SU
- +interns +openlabs=ALL,!SHELLS,!SU
- britt REMOTE=SHUTDOWN:ALL=LPCS
- jimbo CUNETS=/usr/bin/su [!-]*,!/usr/bin/su *root*
- nieusma SERVERS=SHUTDOWN,/sbin/reboot:\
- HUB=ALL,!SHELLS
- jill houdini=/sbin/shutdown -[hr] now,MISC
- markm HUB=ALL,!MISC,!/sbin/shutdown,!/sbin/halt
- davehieb merlin=(OP) ALL:SERVERS=/sbin/halt:\
- kodiakthorn=NOPASSWD: ALL
- steve CSNETS=(operator) /usr/op_commands/
+ PARTTIMERS ALL = ALL
+ Part time sysadmins (b\bb\bb\bbo\bo\bo\bos\bs\bs\bst\bt\bt\btl\bl\bl\ble\be\be\bey\by\by\by, j\bj\bj\bjw\bw\bw\bwf\bf\bf\bfo\bo\bo\box\bx\bx\bx, and c\bc\bc\bcr\br\br\bra\ba\ba\baw\bw\bw\bwl\bl\bl\bl) may run
+ any command on any host but they must authenticate
+ themselves first (since the entry lacks the NOPASSWD tag).
+ jack CSNETS = ALL
+ The user j\bj\bj\bja\ba\ba\bac\bc\bc\bck\bk\bk\bk may run any command on the machines in the
+ _\bC_\bS_\bN_\bE_\bT_\bS alias (the networks 128.138.243.0, 128.138.204.0,
+ and 128.138.242.0). Of those networks, only
+ <128.138.204.0> has an explicit netmask (in CIDR notation)
+ indicating it is a class C network. For the other
+ networks in _\bC_\bS_\bN_\bE_\bT_\bS, the local machine's netmask will be
+ used during matching.
+ lisa CUNETS = ALL
+ The user l\bl\bl\bli\bi\bi\bis\bs\bs\bsa\ba\ba\ba may run any command on any host in the
+ _\bC_\bU_\bN_\bE_\bT_\bS alias (the class B network 128.138.0.0).
+ operator ALL = DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT,\
+ /usr/oper/bin/
+ The o\bo\bo\bop\bp\bp\bpe\be\be\ber\br\br\bra\ba\ba\bat\bt\bt\bto\bo\bo\bor\br\br\br user may run commands limited to simple
+ maintenance. Here, those are commands related to backups,
+ killing processes, the printing system, shutting down the
+ system, and any commands in the directory _\b/_\bu_\bs_\br_\b/_\bo_\bp_\be_\br_\b/_\bb_\bi_\bn_\b/.
-22/Jun/1999 1.6 4
+ joe ALL = /usr/bin/su operator
+ The user j\bj\bj\bjo\bo\bo\boe\be\be\be may only _\bs_\bu(1) to operator.
+ pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
+ The user p\bp\bp\bpe\be\be\bet\bt\bt\bte\be\be\be is allowed to change anyone's password
+ except for root on the _\bH_\bP_\bP_\bA machines. Note that this
+ assumes _\bp_\ba_\bs_\bs_\bw_\bd(1) does not take multiple usernames on the
+ command line.
+ bob SPARC = (OP) ALL : SGI = (OP) ALL
-sudoers(5) FILE FORMATS sudoers(5)
+ The user b\bb\bb\bbo\bo\bo\bob\bb\bb\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI
+ machines as any user listed in the _\bO_\bP Runas_Alias (r\br\br\bro\bo\bo\boo\bo\bo\bot\bt\bt\bt
+ and o\bo\bo\bop\bp\bp\bpe\be\be\ber\br\br\bra\ba\ba\bat\bt\bt\bto\bo\bo\bor\br\br\br).
- H\bH\bH\bHo\bo\bo\bos\bs\bs\bst\bt\bt\bt A\bA\bA\bAl\bl\bl\bli\bi\bi\bia\ba\ba\bas\bs\bs\bs s\bs\bs\bsp\bp\bp\bpe\be\be\bec\bc\bc\bci\bi\bi\bif\bf\bf\bfi\bi\bi\bic\bc\bc\bca\ba\ba\bat\bt\bt\bti\bi\bi\bio\bo\bo\bon\bn\bn\bns\bs\bs\bs:\b:\b:\b:
- The are four _\bh_\bo_\bs_\bt _\ba_\bl_\bi_\ba_\bs_\be_\bs. The first actually contains
- two _\ba_\bl_\bi_\ba_\bs_\be_\bs. It sets HUB to be houdini and REMOTE to the
- three machines merlin, kodiakthorn and spirit. Similarly,
- SERVERS is set to the machines houdini, merlin,
- kodiakthorn and spirit. The CSNETS alias will match any
- host on the 128.138.243.0, 128.138.204.0, or
- 128.138.205.192 nets. The CUNETS alias will match any
- host on the 128.138.0.0 (class B) network. Note that
- these are n\bn\bn\bne\be\be\bet\bt\bt\btw\bw\bw\bwo\bo\bo\bor\br\br\brk\bk\bk\bk addresses, not ip addresses. Unless an
- explicit netmask is given, the local _\bn_\be_\bt_\bm_\ba_\bs_\bk is used to
- determine whether or not the current host belongs to a
- network.
- U\bU\bU\bUs\bs\bs\bse\be\be\ber\br\br\br A\bA\bA\bAl\bl\bl\bli\bi\bi\bia\ba\ba\bas\bs\bs\bs s\bs\bs\bsp\bp\bp\bpe\be\be\bec\bc\bc\bci\bi\bi\bif\bf\bf\bfi\bi\bi\bic\bc\bc\bca\ba\ba\bat\bt\bt\bti\bi\bi\bio\bo\bo\bon\bn\bn\bns\bs\bs\bs:\b:\b:\b:
+25/Aug/1999 1.6 7
- The two _\bu_\bs_\be_\br _\ba_\bl_\bi_\ba_\bs_\be_\bs simply groups the FULLTIME and
- PARTTIME folks into two separate aliases.
- C\bC\bC\bCo\bo\bo\bom\bm\bm\bmm\bm\bm\bma\ba\ba\ban\bn\bn\bnd\bd\bd\bd a\ba\ba\bal\bl\bl\bli\bi\bi\bia\ba\ba\bas\bs\bs\bs s\bs\bs\bsp\bp\bp\bpe\be\be\bec\bc\bc\bci\bi\bi\bif\bf\bf\bfi\bi\bi\bic\bc\bc\bca\ba\ba\bat\bt\bt\bti\bi\bi\bio\bo\bo\bon\bn\bn\bns\bs\bs\bs:\b:\b:\b:
- Command aliases are lists of commands with or without
- associated command line arguments. The entries above
- should be self-explanatory.
- U\bU\bU\bUs\bs\bs\bse\be\be\ber\br\br\br s\bs\bs\bsp\bp\bp\bpe\be\be\bec\bc\bc\bci\bi\bi\bif\bf\bf\bfi\bi\bi\bic\bc\bc\bca\ba\ba\bat\bt\bt\bti\bi\bi\bio\bo\bo\bon\bn\bn\bns\bs\bs\bs:\b:\b:\b:
+SUDOERS(5) FILE FORMATS SUDOERS(5)
- FULLTIME Full-time sysadmins in the FULLTIME alias
- may run any command on any host as any
- user without a password.
- %wheel Any user in the UN*X group wheel may run
- any command on any host.
+ jim +biglab = ALL
- PARTTIME Part-time sysadmins in the PARTTIME alias
- may run any command except those in the
- SHELLS and SU aliases on any host.
+ The user j\bj\bj\bji\bi\bi\bim\bm\bm\bm may run any command on machines in the _\bb_\bi_\bg_\bl_\ba_\bb
+ netgroup. S\bS\bS\bSu\bu\bu\bud\bd\bd\bdo\bo\bo\bo knows that "biglab" is a netgroup due to
+ the '+' prefix.
- +interns Any user in the netgroup interns may run
- any command except those in the SHELLS and
- SU aliases on any host that is in the
- openlabs netgroup.
+ +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
- britt The user britt may run commands in the
- SHUTDOWN alias on the REMOTE machines and
- commands in the LPCS alias on any machine.
+ Users in the s\bs\bs\bse\be\be\bec\bc\bc\bcr\br\br\bre\be\be\bet\bt\bt\bta\ba\ba\bar\br\br\bri\bi\bi\bie\be\be\bes\bs\bs\bs netgroup need to help manage the
+ printers as well as add and remove users, so they are
+ allowed to run those commands on all machines.
- jimbo The user jimbo may su to any user save
- root on the machines on CUNETS (which is
- explicitly listed as a class B network).
+ fred ALL = (DB) NOPASSWD: ALL
+ The user f\bf\bf\bfr\br\br\bre\be\be\bed\bd\bd\bd can run commands as any user in the _\bD_\bB
+ Runas_Alias (o\bo\bo\bor\br\br\bra\ba\ba\bac\bc\bc\bcl\bl\bl\ble\be\be\be or s\bs\bs\bsy\by\by\byb\bb\bb\bba\ba\ba\bas\bs\bs\bse\be\be\be) without giving a password.
+ john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
+ On the _\bA_\bL_\bP_\bH_\bA machines, user j\bj\bj\bjo\bo\bo\boh\bh\bh\bhn\bn\bn\bn may su to anyone except
+ root but he is not allowed to give _\bs_\bu(1) any flags.
+ jen ALL, !SERVERS = ALL
-22/Jun/1999 1.6 5
+ The user j\bj\bj\bje\be\be\ben\bn\bn\bn may run any command on any machine except for
+ those in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias (master, mail, www and
+ ns).
+ jill SERVERS = /usr/bin/, !SU, !SHELLS
+ For any machine in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, j\bj\bj\bji\bi\bi\bil\bl\bl\bll\bl\bl\bl may run
+ any commands in the directory /usr/bin/ except for those
+ commands belonging to the _\bS_\bU and _\bS_\bH_\bE_\bL_\bL_\bS Cmnd_Aliases.
+ steve CSNETS = (operator) /usr/local/op_commands/
+ The user s\bs\bs\bst\bt\bt\bte\be\be\bev\bv\bv\bve\be\be\be may run any command in the directory
+ /usr/local/op_commands/ but only as user operator.
-sudoers(5) FILE FORMATS sudoers(5)
+ matt valkyrie = KILL
+ On his personal workstation, valkyrie, m\bm\bm\bma\ba\ba\bat\bt\bt\btt\bt\bt\bt needs to be
+ able to kill hung processes.
- nieusma The user nieusma may run commands in the
- SHUTDOWN alias as well as _\b/_\bs_\bb_\bi_\bn_\b/_\br_\be_\bb_\bo_\bo_\bt on
- the SERVER machines and any command except
- those in the SHELLS alias on the HUB
- machines.
+ WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
- jill The user jill may run /sbin/shutdown -h
- now or /sbin/shutdown -r now as well as
- the commands in the MISC alias on houdini.
+ On the host www, any user in the _\bW_\bE_\bB_\bM_\bA_\bS_\bT_\bE_\bR_\bS User_Alias
+ (will, wendy, and wim), may run any command as user www
+ (which owns the web pages) or simply _\bs_\bu(1) to www.
- markm The user markm may run any command on the
- HUB machines except _\b/_\bs_\bb_\bi_\bn_\b/_\bs_\bh_\bu_\bt_\bd_\bo_\bw_\bn,
- _\b/_\bs_\bb_\bi_\bn_\b/_\bh_\ba_\bl_\bt, and commands listed in the
- MISC alias.
+ ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
+ /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
- davehieb The user davehieb may run any command on
- merlin as any user in the Runas_Alias OP
- (ie: root or operator). He may also run
- _\b/_\bs_\bb_\bi_\bn_\b/_\bh_\ba_\bl_\bt on the SERVERS and any command
- on kodiakthorn (no password required on
- kodiakthorn).
+ Any user may mount or unmount a CD-ROM on the machines in
- steve The user steve may run any command in the
- _\b/_\bu_\bs_\br_\b/_\bo_\bp_\b__\bc_\bo_\bm_\bm_\ba_\bn_\bd_\bs_\b/ directory as user
- operator on the machines on CSNETS.
+
+
+25/Aug/1999 1.6 8
+
+
+
+
+
+SUDOERS(5) FILE FORMATS SUDOERS(5)
+
+
+ the CDROM Host_Alias (orion, perseus, hercules) without
+ entering a password. This is a bit tedious for users to
+ type, so it is a prime candiate for encapsulating in a
+ shell script.
+
+S\bS\bS\bSE\bE\bE\bEC\bC\bC\bCU\bU\bU\bUR\bR\bR\bRI\bI\bI\bIT\bT\bT\bTY\bY\bY\bY N\bN\bN\bNO\bO\bO\bOT\bT\bT\bTE\bE\bE\bES\bS\bS\bS
+ It is generally not effective to "subtract" commands from
+ ALL using the '!' operator. A user can trivially
+ circumvent this by copying the desired command to a
+ different name and then executing that. For example:
+
+ bill ALL = ALL, !SU, !SHELLS
+
+ Doesn't really prevent b\bb\bb\bbi\bi\bi\bil\bl\bl\bll\bl\bl\bl from running the commands
+ listed in _\bS_\bU or _\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those
+ commands to a different name, or use a shell escape from
+ an editor or other program. Therefore, these kind of
+ restrictions should be considered advisory at best (and
+ reinforced by policy).
C\bC\bC\bCA\bA\bA\bAV\bV\bV\bVE\bE\bE\bEA\bA\bA\bAT\bT\bT\bTS\bS\bS\bS
The _\bs_\bu_\bd_\bo_\be_\br_\bs file should a\ba\ba\bal\bl\bl\blw\bw\bw\bwa\ba\ba\bay\by\by\bys\bs\bs\bs be edited by the v\bv\bv\bvi\bi\bi\bis\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo
command which locks the file and does grammatical
- checking. It is imperative that the _\bs_\bu_\bd_\bo_\be_\br_\bs be free of
- syntax errors since sudo will not run with a syntactically
+ checking. It is imperative that _\bs_\bu_\bd_\bo_\be_\br_\bs be free of syntax
+ errors since s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo will not run with a syntactically
incorrect _\bs_\bu_\bd_\bo_\be_\br_\bs file.
F\bF\bF\bFI\bI\bI\bIL\bL\bL\bLE\bE\bE\bES\bS\bS\bS
- /etc/sudoers file of authorized users.
- /etc/netgroup list of network groups.
+ /etc/sudoers List of who can run what
+ /etc/group Local groups file
+ /etc/netgroup List of network groups
S\bS\bS\bSE\bE\bE\bEE\bE\bE\bE A\bA\bA\bAL\bL\bL\bLS\bS\bS\bSO\bO\bO\bO
-22/Jun/1999 1.6 6
-sudoers(5) FILE FORMATS sudoers(5)
+25/Aug/1999 1.6 9
+
+
+
+
+
+SUDOERS(5) FILE FORMATS SUDOERS(5)
-22/Jun/1999 1.6 7
+25/Aug/1999 1.6 10
<LI><A HREF="#DESCRIPTION">DESCRIPTION</A>
<UL>
- <LI><A HREF="#user_specification_format_">user specification format:</A>
- <LI><A HREF="#host_alias_section_format_">host alias section format:</A>
- <LI><A HREF="#user_alias_section_format_">user alias section format:</A>
- <LI><A HREF="#runas_alias_section_format_">runas alias section format:</A>
- <LI><A HREF="#command_alias_section_format_">command alias section format:</A>
- <LI><A HREF="#command_specification_">command specification:</A>
- <LI><A HREF="#persistence_of_modifiers">persistence of modifiers</A>
- <LI><A HREF="#wildcards_aka_meta_characters_">wildcards (aka meta characters):</A>
- <LI><A HREF="#exceptions_to_wildcard_rules_">exceptions to wildcard rules:</A>
- <LI><A HREF="#other_special_characters_and_res">other special characters and reserved words:</A>
+ <LI><A HREF="#Quick_guide_to_EBNF">Quick guide to EBNF</A>
+ <LI><A HREF="#Aliases">Aliases</A>
+ <LI><A HREF="#User_Specification">User Specification</A>
+ <LI><A HREF="#Runas_Spec">Runas_Spec</A>
+ <LI><A HREF="#NOPASSWD_and_PASSWD">NOPASSWD and PASSWD</A>
+ <LI><A HREF="#Wildcards_aka_meta_characters_">Wildcards (aka meta characters):</A>
+ <LI><A HREF="#Exceptions_to_wildcard_rules_">Exceptions to wildcard rules:</A>
+ <LI><A HREF="#Other_special_characters_and_res">Other special characters and reserved words:</A>
</UL>
<LI><A HREF="#EXAMPLES">EXAMPLES</A>
- <UL>
-
- <LI><A HREF="#Host_Alias_specifications_">Host Alias specifications:</A>
- <LI><A HREF="#User_Alias_specifications_">User Alias specifications:</A>
- <LI><A HREF="#Command_alias_specifications_">Command alias specifications:</A>
- <LI><A HREF="#User_specifications_">User specifications:</A>
- </UL>
-
+ <LI><A HREF="#SECURITY_NOTES">SECURITY NOTES</A>
<LI><A HREF="#CAVEATS">CAVEATS</A>
<LI><A HREF="#FILES">FILES</A>
<LI><A HREF="#SEE_ALSO">SEE ALSO</A>
<HR>
<H1><A NAME="NAME">NAME</A></H1>
<P>
-sudoers - list of which users may execute what as root
+sudoers - list of which users may execute what
<P>
<HR>
<H1><A NAME="DESCRIPTION">DESCRIPTION</A></H1>
<P>
-The <EM>sudoers</EM> file is composed of an optional host alias section, an optional command
-alias section and the user specification section. All command or host
-aliases need to start with their respective keywords (ie: Host_Alias,
-User_Alias, Runas_Alias or Cmnd_Alias). If there are multiple occurrences
-of a user, the logical union of the entries will be used. Note that if
-there is an entry that denies access to a command that is followed by an
-entry that grants access the user will be allowed to run the command.
+The <EM>sudoers</EM> file is composed two types of entries: aliases (basically variables) and
+user specifications (which specify who may run what). The grammar of <EM>sudoers</EM>
+will be described below in Extended Backus-Naur Form (EBNF). Don't despair
+if you don't know what EBNF is, it is fairly simple and the definitions
+below are annotated.
<P>
<HR>
-<H2><A NAME="user_specification_format_">user specification format:</A></H2>
+<H2><A NAME="Quick_guide_to_EBNF">Quick guide to EBNF</A></H2>
<P>
-<PRE> user access_group [: access_group] ...
-</PRE>
+EBNF is a concise and exact way of describing the grammar of a language.
+Each EBNF definition is made up of <EM>production rules</EM>. Eg.
+
<P>
-<PRE> access_group ::= host-list = [(runas-list)] [NOPASSWD:] [op]cmnd_type
- [,[(user-list)] [NOPASSWD|PASSWD:] [op]cmnd_type] ...
- cmnd_type ::= a command OR a command alias.
- op ::= the logical "!" NOT operator.
+<PRE> symbol ::= definition | alternate1 | alternate2 ...
</PRE>
+<P>
+Each <EM>production rule</EM> references others and thus makes up a grammar for the language. EBNF also
+contains the following operators, which many readers will recognize from
+regular expressions. Do not, however, confuse them with ``wildcard''
+characters, which have different meanings.
+
+<DL>
+<DT><STRONG><A NAME="item__">?</A></STRONG><DD>
+<P>
+Means that the preceding symbol (or group of symbols) is optional. That is,
+it may appear once or not at all.
+
+<LI>
+<P>
+Means that the preceding symbol (or group of symbols) may appear zero or
+more times.
+
+<DT><STRONG><A NAME="item__">+</A></STRONG><DD>
+<P>
+Means that the preceding symbol (or group of symbols) may appear one or
+more times.
+
+</DL>
+<P>
+Parentheses may be used to group symbols together. For clarity, we will use
+single quotes ('') to designate what is a verbatim character string (as
+opposed to a symbol name).
+
<P>
<HR>
-<H2><A NAME="host_alias_section_format_">host alias section format:</A></H2>
+<H2><A NAME="Aliases">Aliases</A></H2>
<P>
-<PRE> Host_Alias HOSTALIAS = host-list
+There are four kinds of aliases: the <CODE>User_Alias</CODE>, <CODE>Runas_Alias</CODE>,
+<CODE>Host_Alias</CODE> and <CODE>Cmnd_Alias</CODE>.
+
+<P>
+<PRE> Alias ::= User_Alias = User_Alias (':' User_Alias)* |
+ Runas_Alias (':' Runas_Alias)* |
+ Host_Alias (':' Host_Alias)* |
+ Cmnd_Alias (':' Cmnd_Alias)*
</PRE>
<P>
-<PRE> Host_Alias ::= a keyword.
- HOSTALIAS ::= an upper-case alias name.
- host-list ::= a comma separated list of hosts, netgroups,
- ip addresses, networks. A logical "!"
- NOT operator may be prefixed to any of these.
+<PRE> User_Alias ::= NAME '=' User_List
</PRE>
<P>
-<HR>
-<H2><A NAME="user_alias_section_format_">user alias section format:</A></H2>
+<PRE> Runas_Alias ::= NAME '=' Runas_User_List
+</PRE>
<P>
-<PRE> User_Alias USERALIAS = user-list
+<PRE> Host_Alias ::= NAME '=' Host_List
</PRE>
<P>
-<PRE> User_Alias ::= a keyword.
- USERALIAS ::= an upper-case alias name.
- user-list ::= a comma separated list of users, groups, netgroups.
- A logical "!" NOT operator may be prefixed to any
- of these.
+<PRE> Cmnd_Alias ::= NAME '=' Cmnd_List
</PRE>
<P>
-<HR>
-<H2><A NAME="runas_alias_section_format_">runas alias section format:</A></H2>
+<PRE> NAME ::= [A-Z]([A-Z][0-9]_)*
+</PRE>
<P>
-<PRE> Runas_Alias RUNASALIAS = runas-list
+Each <EM>alias</EM> definition is of the form
+
+<P>
+<PRE> Alias_Type NAME = item1, item2, ...
</PRE>
<P>
-<PRE> Runas_Alias ::= a keyword.
- RUNASALIAS ::= an upper-case alias name.
- runas-list ::= a comma separated list of users, groups, netgroups.
- A logical "!" NOT operator may be prefixed to any
- of these.
+where <EM>Alias_Type</EM> is one of <CODE>User_Alias</CODE>, <CODE>Runas_Alias</CODE>, <CODE>Host_Alias</CODE>, or <CODE>Cmnd_Alias</CODE>. A <CODE>NAME</CODE> is a string of upper case letters, numbers, and the underscore characters
+('_'). A <CODE>NAME</CODE> <STRONG>must</STRONG> start with an upper case letter. It is possible to put several alias
+definitions of the same type on a single line, joined by a semicolon (':').
+Eg.
+
+<P>
+<PRE> Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
</PRE>
<P>
-<HR>
-<H2><A NAME="command_alias_section_format_">command alias section format:</A></H2>
+The definitions of what constitutes a valid <EM>alias</EM> member follow.
+
<P>
-<PRE> Cmnd_Alias CMNDALIAS = cmnd-list
+<PRE> User_List ::= User |
+ User ',' User_List
</PRE>
<P>
-<PRE> Cmnd_Alias ::= a keyword.
- CMNDALIAS ::= an upper-case alias name.
- cmnd-list ::= a comma separated list commands.
- A logical "!" NOT operator may be prefixed to any
- of these.
+<PRE> User ::= '!'* username |
+ '!'* '#'uid |
+ '!'* '%'group |
+ '!'* '+'netgroup |
+ '!'* User_Alias
</PRE>
<P>
-<HR>
-<H2><A NAME="command_specification_">command specification:</A></H2>
+A <CODE>User_List</CODE> is made up of one or more usernames, uids (prefixed with '#'), System
+groups (prefixed with '%'), netgroups (prefixed with '+') and other
+aliases. Each list item may be prefixed with one or more '!' operators. An
+odd number of '!' operators negates the value of the item; an even number
+just cancel each other out.
+
<P>
-<PRE> path arg1 arg2 .. argn = command
+<PRE> Runas_List ::= Runas_User |
+ Runas_User ',' Runas_List
</PRE>
<P>
-<PRE> path ::= a fully qualified pathname.
- arg[1..n] ::= optional command line arguments.
+<PRE> Runas_User ::= '!'* username |
+ '!'* '#'uid |
+ '!'* '%'group |
+ '!'* +netgroup |
+ '!'* Runas_Alias
</PRE>
<P>
-<HR>
-<H2><A NAME="persistence_of_modifiers">persistence of modifiers</A></H2>
+Likewise, a <CODE>Runas_List</CODE> has the same possible elements as a <CODE>User_List</CODE>, except that it can include a <CODE>Runas_Alias</CODE>, instead of a <CODE>User_Alias</CODE>.
+
+<P>
+<PRE> Host_List ::= Host |
+ Host ',' Host_List
+</PRE>
+<P>
+<PRE> Host ::= '!'* hostname |
+ '!'* ip_addr |
+ '!'* network(/netmask)? |
+ '!'* '+'netgroup |
+ '!'* Host_Alias
+</PRE>
<P>
-When a <EM>runas-list</EM> is specified for an <EM>access_group</EM>, it affects all commands in the <EM>access_group</EM>. For example, given:
+A <CODE>Host_List</CODE> is made up of one or more hostnames, IP addresses, network numbers,
+netgroups (prefixed with '+') and other aliases. Again, the value of an
+item may be negated with the '!' operator. If you do not specify a netmask
+with a network number, the netmask of the host's ethernet
+<CODE>interface(s)</CODE> will be used when matching. The netmask may be
+specified either in dotted quad notation (eg. 255.255.255.0) or CIDR
+notation (number of bits, eg. 24).
<P>
-<PRE> oper bigserver = (root, sysadm) /usr/bin/kill, /bin/rm
+<PRE> Cmnd_List ::= Cmnd |
+ Cmnd ',' Cmnd_List
+</PRE>
+<P>
+<PRE> commandname ::= filename |
+ filename args |
+ filename '""'
+</PRE>
+<P>
+<PRE> Cmnd ::= '!'* commandname |
+ '!'* directory |
+ '!'* Cmnd_Alias
</PRE>
<P>
-User <CODE>oper</CODE> will be able to run <CODE>/usr/bin/kill</CODE> and <CODE>/bin/rm</CODE>
-as <STRONG>root</STRONG> or <STRONG>sysadm</STRONG> on the machine, <CODE>bigserver</CODE>. The
-<EM>runas-list</EM> is ``sticky'' across entries in the comma-separated
-<EM>access_group</EM>. You can override the <EM>runas-list</EM> with another one, at which point the new <EM>runas-list</EM> becomes the default for that <EM>access_group</EM>. For example, given:
+A <CODE>Cmnd_List</CODE> is a list of one or more commandnames, directories, and other aliases. A
+commandname is a fully-qualified filename which may include shell-style
+wildcards (see `Wildcards' section below). A simple filename allows the
+user to run the command with any arguments he/she wishes. However, you may
+also command line arguments (including wildcards). Alternately, you can
+specify <CODE>""</CODE> to indicate that the command may only be run <STRONG>without</STRONG> command line arguments. A directory is a fully qualified pathname ending in
+a '/'. When you specify a directory in a <CODE>Cmnd_List</CODE>, the user will be able to run any file within that directory (but not in
+any subdirectories therein).
<P>
-<PRE> oper bigserver = (root, sysadm) /usr/bin/kill, (root) /bin/rm, \
- /bin/rmdir
+If a <CODE>Cmnd</CODE> has associated command line arguments, then the arguments in the <CODE>Cmnd</CODE> must match exactly those given by the user on the command line (or match
+the wildcards if there are any). Note that the following characters must be
+escaped with a '\' if they are used in command arguments: ',', ':', '=',
+'\\'.
+
+<P>
+<HR>
+<H2><A NAME="User_Specification">User Specification</A></H2>
+<P>
+<PRE> Runas_Spec ::= '(' Runas_List ')'
</PRE>
<P>
-User <CODE>oper</CODE> can still run <CODE>/usr/bin/kill</CODE> as <STRONG>root</STRONG> or <STRONG>sysadm</STRONG> but can only run <CODE>/bin/rm</CODE> and <CODE>/bin/rmdir</CODE> as <STRONG>root</STRONG>.
+<PRE> Cmnd_Spec ::= Runas_Spec? ('NOPASSWD:' | 'PASSWD:')? Cmnd
+</PRE>
+<P>
+<PRE> Cmnd_Spec_List ::= Cmnd_Spec |
+ Cmnd_Spec ',' Cmnd_Spec_List
+</PRE>
+<P>
+<PRE> User_Spec ::= User_list Cmnd_Spec_List (':' User_Spec)*
+</PRE>
+<P>
+A <STRONG>user specification</STRONG> determines which commands a user may run (and as what user) on specified
+hosts. By default, commands are run as <STRONG>root</STRONG> but this can be changed on a per-command basis.
+
+<P>
+Let's break that down into its constituent parts:
<P>
-Similarly, the <STRONG>NOPASSWD</STRONG> modifier is also persistent across an
-<EM>access_group</EM>. For example given:
+<HR>
+<H2><A NAME="Runas_Spec">Runas_Spec</A></H2>
+<P>
+A <CODE>Runas_Spec</CODE> is simply a <CODE>Runas_List</CODE> (as defined above) enclosed in a set of parentheses. If you do not specify
+a
+<CODE>Runas_Spec</CODE> in the user specification, a default <CODE>Runas_Spec</CODE>
+of <STRONG>root</STRONG> will be used. A <CODE>Runas_Spec</CODE> sets the default for commands that follow it. What this means is that for
+the entry:
+
+<P>
+<PRE> dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/who
+</PRE>
+<P>
+The user <STRONG>dgb</STRONG> may run <EM>/bin/ls</EM>, <EM>/bin/kill</EM>, and
+<EM>/usr/bin/lprm</EM> -- but only as <STRONG>operator</STRONG>. Eg.
<P>
-<PRE> oper bigserver = NOPASSWD: /usr/bin/kill, /bin/rm, /bin/rmdir
+<PRE> sudo -u operator /bin/ls.
</PRE>
<P>
-User <CODE>oper</CODE> will be able to run <CODE>/usr/bin/kill</CODE>, <CODE>/bin/rm</CODE>, and
-<CODE>/bin/rmdir</CODE> as <STRONG>root</STRONG> without a password. If we change that to:
+It is also possible to override a <CODE>Runas_Spec</CODE> later on in an entry. If we modify the entry like so:
<P>
-<PRE> oper bigserver = NOPASSWD: /usr/bin/kill, PASSWD: /bin/rm, /bin/rmdir
+<PRE> dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
</PRE>
<P>
-User <CODE>oper</CODE> can still run <CODE>/usr/bin/kill</CODE> without a password but must give a password to run <CODE>/bin/rm</CODE> and <CODE>/bin/rmdir</CODE>.
+Then user <STRONG>dgb</STRONG> is now allowed to run <EM>/bin/ls</EM> as <STRONG>operator</STRONG>, but <EM>/bin/kill</EM> and <EM>/usr/bin/lprm</EM> as <STRONG>root</STRONG>.
<P>
<HR>
-<H2><A NAME="wildcards_aka_meta_characters_">wildcards (aka meta characters):</A></H2>
+<H2><A NAME="NOPASSWD_and_PASSWD">NOPASSWD and PASSWD</A></H2>
<P>
-<STRONG>sudo</STRONG> allows shell-style <EM>wildcards</EM> along with command arguments in the <EM>sudoers</EM> file. Wildcard matching is done via the <STRONG>POSIX</STRONG>
+By default, <STRONG>sudo</STRONG> requires that a user authenticate him or herself before running a command.
+This behavior can be modified via the
+<CODE>NOPASSWD</CODE> tag. Like a <CODE>Runas_Spec</CODE>, the <CODE>NOPASSWD</CODE> tag sets a default for the commands that follow it in the <CODE>Cmnd_Spec_List</CODE>. Conversely, the <CODE>PASSWD</CODE> tag can be used to reverse things. For example:
-<CODE>fnmatch(3)</CODE> routine.
+<P>
+<PRE> ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
+</PRE>
+<P>
+would allow the user <STRONG>ray</STRONG> to run <EM>/bin/kill</EM>, <EM>/bin/ls</EM>, and
+<EM>/usr/bin/lprm</EM> as root on the machine rushmore as <STRONG>root</STRONG> without authenticating himself. If we only want <STRONG>ray</STRONG> to be able to run <EM>/bin/kill</EM> without a password the entry would be:
+
+<P>
+<PRE> ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
+</PRE>
+<P>
+<HR>
+<H2><A NAME="Wildcards_aka_meta_characters_">Wildcards (aka meta characters):</A></H2>
+<P>
+<STRONG>sudo</STRONG> allows shell-style <EM>wildcards</EM> to be used in pathnames as well as command line arguments in the <EM>sudoers</EM> file. Wildcard matching is done via the <STRONG>POSIX</STRONG> <CODE>fnmatch(3)</CODE> routine. Note that these are <EM>not</EM> regular expressions.
<UL>
<LI>
<P>
Matches any set of zero or more characters.
-<DT><STRONG><A NAME="item__">?</A></STRONG><DD>
+<DT><STRONG>?</STRONG><DD>
<P>
Matches any single character.
characters such as: ``*'', ``?'', ``['', and ``}''.
</UL>
+<P>
+Note that a forward slash ('/') will <STRONG>not</STRONG> be matched by wildcards used in the pathname. When matching the command
+line arguments, however, as slash <STRONG>does</STRONG> get matched by wildcards. This is to make a path like:
+
+<P>
+<PRE> /usr/bin/*
+</PRE>
+<P>
+match <CODE>/usr/bin/who</CODE> but not <CODE>/usr/bin/X11/xterm</CODE>.
+
<P>
<HR>
-<H2><A NAME="exceptions_to_wildcard_rules_">exceptions to wildcard rules:</A></H2>
+<H2><A NAME="Exceptions_to_wildcard_rules_">Exceptions to wildcard rules:</A></H2>
<P>
The following exceptions apply to the above rules:
<DT><STRONG><A NAME="item__">""</A></STRONG><DD>
<P>
If the empty string <CODE>""</CODE> is the only command line argument in the
-<EM>sudoers</EM> entry it means that command may take <STRONG>no</STRONG> arguments.
+<EM>sudoers</EM> entry it means that command is not allowed to be run with <STRONG>any</STRONG> arguments.
</DL>
<P>
<HR>
-<H2><A NAME="other_special_characters_and_res">other special characters and reserved words:</A></H2>
+<H2><A NAME="Other_special_characters_and_res">Other special characters and reserved words:</A></H2>
<P>
-Text after a pound sign (<STRONG>#</STRONG>) is considered a comment. Words that begin with a percent sign (<STRONG>%</STRONG>) are assumed to be UN*X groups (%staff refers to users in the group <EM>staff</EM>). Words that begin with a plus sign (<STRONG>+</STRONG>) are assumed to be netgroups (<STRONG>+cshosts</STRONG> refers to the netgroup <EM>cshosts</EM>). Long lines can be newline escaped with the backslash <STRONG>\</STRONG> character.
+The pound sign ('#') is used to indicate a comment (unless it occurs in the
+context of a user name and is followed by one or more digits, in which case
+it is treated as a uid). Both the comment character and any text after it,
+up to the end of the line, are ignored.
<P>
-The reserved word <STRONG>NOPASSWD</STRONG> indicates that a user need not enter a password for the command listed in
-that entry. The
-<STRONG>NOPASSWD</STRONG> modifier is persistent across entries in a <EM>user-list</EM>
-and can be reversed with the <STRONG>PASSWD</STRONG> modifier.
+The reserved word <STRONG>ALL</STRONG> is a a built in <EM>alias</EM> that always causes a match to succeed. It can be used wherever one might
+otherwise use a <CODE>Cmnd_Alias</CODE>, <CODE>User_Alias</CODE>, <CODE>Runas_Alias</CODE>, or <CODE>Host_Alias</CODE>. You should not try to define your own <EM>alias</EM> called <STRONG>ALL</STRONG> as the built in alias will be used in preference to your own.
<P>
-The reserved alias <EM>ALL</EM> can be used for both {Host,User,Cmnd}_Alias.
-<STRONG>DO NOT</STRONG> define an alias of <EM>ALL</EM>, it will <STRONG>NOT</STRONG> be used. Note that <EM>ALL</EM> implies the entire universe of hosts/users/commands. You can subtract
-elements from the universe by using the syntax:
+An exclamation point ('!') can be used as a logical <EM>not</EM> operator both in an <EM>alias</EM> and in front of a <CODE>Cmnd</CODE>. This allows one to exclude certain values. Note, however, that using a <CODE>!</CODE> in conjunction with the built in <CODE>ALL</CODE> alias to allow a user to run ``all but a few'' commands rarely works as
+intended (see SECURITY NOTES below).
<P>
-<PRE> user host=ALL,!ALIAS1,!/sbin/halt...
-</PRE>
+Long lines can be continued with a backslash ('\\') as the last character
+on the line.
+
<P>
-Commands may have optional command line arguments. If they do, then the
-arguments in the <EM>sudoers</EM> file must exactly match those on the command line. It is also possible to
-have a command's arguments span multiple lines as long as the line
-continuance character ``\'' is used. The following characters must be
-escaped with a ``\'' if used in command arguments: ``,'', ``:'', ``='',
-``\''.
+Whitespace between elements in a list as well as specicial syntactic
+characters in a <EM>User Specification</EM> ('=', ':', '(', ')') is optional.
<P>
<HR>
<H1><A NAME="EXAMPLES">EXAMPLES</A></H1>
<P>
-<PRE> # Host alias specification
- Host_Alias HUB=houdini:\
- REMOTE=merlin,kodiakthorn,spirit
- Host_Alias SERVERS=houdini,merlin,kodiakthorn,spirit
- Host_Alias CUNETS=128.138.0.0/255.255.0.0
- Host_Alias CSNETS=128.138.243.0,128.138.204.0,\
- 128.138.205.192
+Below are example <EM>sudoers</EM> entries. Admittedly, some of these are a bit contrived. First, we define
+our <EM>aliases</EM>:
+
+<P>
+<PRE> # User alias specification
+ User_Alias FULLTIMERS = millert, mikef, dowdy
+ User_Alias PARTTIMERS = bostley, jwfox, crawl
+ User_Alias WEBMASTERS = will, wendy, wim
</PRE>
<P>
-<PRE> # User alias specification
- User_Alias FULLTIME=millert,dowdy,mikef
- User_Alias PARTTIME=juola,mccreary,tor
+<PRE> # Runas alias specification
+ Runas_Alias OP = root, operator
+ Runas_Alias DB = oracle, sybase
</PRE>
<P>
-<PRE> # Runas alias specification
- Runas_Alias OP=root,operator
+<PRE> # Host alias specification
+ Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
+ SGI = grolsch, dandelion, black :\
+ ALPHA = widget, thalamus, foobar :\
+ HPPA = boa, nag, python
+ Host_Alias CUNETS = 128.138.0.0/255.255.0.0
+ Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
+ Host_Alias SERVERS = master, mail, www, ns
+ Host_Alias CDROM = orion, perseus, hercules
</PRE>
<P>
-<PRE> # Command alias specification
- Cmnd_Alias LPCS=/usr/sbin/lpc,/usr/bin/lprm
- Cmnd_Alias SHELLS=/bin/sh,/bin/csh,/bin/tcsh,/bin/ksh
- Cmnd_Alias SU=/usr/bin/su
- Cmnd_Alias MISC=/bin/rm,/bin/cat:\
- SHUTDOWN=/sbin/halt,/sbin/shutdown
+<PRE> # Cmnd alias specification
+ Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
+ /usr/sbin/restore, /usr/sbin/rrestore
+ Cmnd_Alias KILL = /usr/bin/kill
+ Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
+ Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
+ Cmnd_Alias HALT = /usr/sbin/halt, /usr/sbin/fasthalt
+ Cmnd_Alias REBOOT = /usr/sbin/reboot, /usr/sbin/fastboot
+ Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
+ /usr/local/bin/tcsh, /usr/bin/rsh, \
+ /usr/local/bin/zsh
+ Cmnd_Alias SU = /usr/bin/su
</PRE>
<P>
-<PRE> # User specification
- FULLTIME ALL=(ALL) NOPASSWD: ALL
- %wheel ALL=ALL
- PARTTIME ALL=ALL,!SHELLS,!SU
- +interns +openlabs=ALL,!SHELLS,!SU
- britt REMOTE=SHUTDOWN:ALL=LPCS
- jimbo CUNETS=/usr/bin/su [!-]*,!/usr/bin/su *root*
- nieusma SERVERS=SHUTDOWN,/sbin/reboot:\
- HUB=ALL,!SHELLS
- jill houdini=/sbin/shutdown -[hr] now,MISC
- markm HUB=ALL,!MISC,!/sbin/shutdown,!/sbin/halt
- davehieb merlin=(OP) ALL:SERVERS=/sbin/halt:\
- kodiakthorn=NOPASSWD: ALL
- steve CSNETS=(operator) /usr/op_commands/
+The <EM>User specification</EM> is the part that actually determines who may run what.
+
+<P>
+<PRE> root ALL = (ALL) ALL
+ %wheel ALL = (ALL) ALL
</PRE>
<P>
-<HR>
-<H2><A NAME="Host_Alias_specifications_">Host Alias specifications:</A></H2>
+We let <STRONG>root</STRONG> and any user in group <STRONG>wheel</STRONG> run any command on any host as any user.
+
+<P>
+<PRE> FULLTIMERS ALL = NOPASSWD: ALL
+</PRE>
<P>
-The are four <EM>host aliases</EM>. The first actually contains two <EM>aliases</EM>. It sets <CODE>HUB</CODE> to be <CODE>houdini</CODE> and <CODE>REMOTE</CODE>
-to the three machines <CODE>merlin</CODE>, <CODE>kodiakthorn</CODE> and <CODE>spirit</CODE>. Similarly, <CODE>SERVERS</CODE> is set to the machines <CODE>houdini</CODE>, <CODE>merlin</CODE>,
-<CODE>kodiakthorn</CODE> and <CODE>spirit</CODE>. The <CODE>CSNETS</CODE> alias will match any host on the 128.138.243.0, 128.138.204.0, or
-128.138.205.192 nets. The <CODE>CUNETS</CODE> alias will match any host on the 128.138.0.0 (class B) network. Note that
-these are <STRONG>network</STRONG> addresses, not ip addresses. Unless an explicit netmask is given, the local <EM>netmask</EM>
-is used to determine whether or not the current host belongs to a network.
+Full time sysadmins (<STRONG>millert</STRONG>, <STRONG>mikef</STRONG>, and <STRONG>dowdy</STRONG>) may run any command on any host without authenticating themselves.
<P>
-<HR>
-<H2><A NAME="User_Alias_specifications_">User Alias specifications:</A></H2>
+<PRE> PARTTIMERS ALL = ALL
+</PRE>
<P>
-The two <EM>user aliases</EM> simply groups the <A HREF="#item_FULLTIME">FULLTIME</A> and
-<A HREF="#item_PARTTIME">PARTTIME</A> folks into two separate aliases.
+Part time sysadmins (<STRONG>bostley</STRONG>, <STRONG>jwfox</STRONG>, and <STRONG>crawl</STRONG>) may run any command on any host but they must authenticate themselves
+first (since the entry lacks the <CODE>NOPASSWD</CODE> tag).
<P>
-<HR>
-<H2><A NAME="Command_alias_specifications_">Command alias specifications:</A></H2>
+<PRE> jack CSNETS = ALL
+</PRE>
<P>
-Command aliases are lists of commands with or without associated command
-line arguments. The entries above should be self-explanatory.
+The user <STRONG>jack</STRONG> may run any command on the machines in the <EM>CSNETS</EM> alias (the networks <CODE>128.138.243.0</CODE>, <CODE>128.138.204.0</CODE>, and <CODE>128.138.242.0</CODE>). Of those networks, only <128.138.204.0> has an explicit netmask (in CIDR notation) indicating it
+is a class C network. For the other networks in <EM>CSNETS</EM>, the local machine's netmask will be used during matching.
<P>
-<HR>
-<H2><A NAME="User_specifications_">User specifications:</A></H2>
-<DL>
-<DT><STRONG><A NAME="item_FULLTIME">FULLTIME</A></STRONG><DD>
+<PRE> lisa CUNETS = ALL
+</PRE>
+<P>
+The user <STRONG>lisa</STRONG> may run any command on any host in the <EM>CUNETS</EM> alias (the class B network <CODE>128.138.0.0</CODE>).
+
+<P>
+<PRE> operator ALL = DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT,\
+ /usr/oper/bin/
+</PRE>
+<P>
+The <STRONG>operator</STRONG> user may run commands limited to simple maintenance. Here, those are
+commands related to backups, killing processes, the printing system,
+shutting down the system, and any commands in the directory <EM>/usr/oper/bin/</EM>.
+
+<P>
+<PRE> joe ALL = /usr/bin/su operator
+</PRE>
+<P>
+The user <STRONG>joe</STRONG> may only <CODE>su(1)</CODE> to operator.
+
<P>
-Full-time sysadmins in the <A HREF="#item_FULLTIME">FULLTIME</A> alias may run any command on any host as any user without a password.
+<PRE> pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
+</PRE>
+<P>
+The user <STRONG>pete</STRONG> is allowed to change anyone's password except for root on the <EM>HPPA</EM> machines. Note that this assumes <CODE>passwd(1)</CODE> does not take
+multiple usernames on the command line.
-<DT><STRONG><A NAME="item__wheel">%wheel</A></STRONG><DD>
<P>
-Any user in the UN*X group <CODE>wheel</CODE> may run any command on any host.
+<PRE> bob SPARC = (OP) ALL : SGI = (OP) ALL
+</PRE>
+<P>
+The user <STRONG>bob</STRONG> may run anything on the <EM>SPARC</EM> and <EM>SGI</EM> machines as any user listed in the <EM>OP</EM> <CODE>Runas_Alias</CODE> (<STRONG>root</STRONG> and <STRONG>operator</STRONG>).
-<DT><STRONG><A NAME="item_PARTTIME">PARTTIME</A></STRONG><DD>
<P>
-Part-time sysadmins in the <A HREF="#item_PARTTIME">PARTTIME</A> alias may run any command except those in the <CODE>SHELLS</CODE> and <CODE>SU</CODE> aliases on any host.
+<PRE> jim +biglab = ALL
+</PRE>
+<P>
+The user <STRONG>jim</STRONG> may run any command on machines in the <EM>biglab</EM> netgroup.
+<STRONG>Sudo</STRONG> knows that ``biglab'' is a netgroup due to the '+' prefix.
-<DT><STRONG><A NAME="item__interns">+interns</A></STRONG><DD>
<P>
-Any user in the netgroup <CODE>interns</CODE> may run any command except those in the <CODE>SHELLS</CODE> and <CODE>SU</CODE> aliases on any host that is in the <CODE>openlabs</CODE> netgroup.
+<PRE> +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
+</PRE>
+<P>
+Users in the <STRONG>secretaries</STRONG> netgroup need to help manage the printers as well as add and remove users,
+so they are allowed to run those commands on all machines.
-<DT><STRONG><A NAME="item_britt">britt</A></STRONG><DD>
<P>
-The user <A HREF="#item_britt">britt</A> may run commands in the <CODE>SHUTDOWN</CODE> alias on the <CODE>REMOTE</CODE> machines and commands in the <CODE>LPCS</CODE> alias on any machine.
+<PRE> fred ALL = (DB) NOPASSWD: ALL
+</PRE>
+<P>
+The user <STRONG>fred</STRONG> can run commands as any user in the <EM>DB</EM> <CODE>Runas_Alias</CODE>
+(<STRONG>oracle</STRONG> or <STRONG>sybase</STRONG>) without giving a password.
-<DT><STRONG><A NAME="item_jimbo">jimbo</A></STRONG><DD>
<P>
-The user <A HREF="#item_jimbo">jimbo</A> may <CODE>su</CODE> to any user save root on the machines on <CODE>CUNETS</CODE> (which is explicitly listed as a class B network).
+<PRE> john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
+</PRE>
+<P>
+On the <EM>ALPHA</EM> machines, user <STRONG>john</STRONG> may su to anyone except root but he is not allowed to give
+<CODE>su(1)</CODE> any flags.
-<DT><STRONG><A NAME="item_nieusma">nieusma</A></STRONG><DD>
<P>
-The user <A HREF="#item_nieusma">nieusma</A> may run commands in the <CODE>SHUTDOWN</CODE> alias as well as <EM>/sbin/reboot</EM> on the <CODE>SERVER</CODE> machines and any command except those in the <CODE>SHELLS</CODE> alias on the <CODE>HUB</CODE>
-machines.
+<PRE> jen ALL, !SERVERS = ALL
+</PRE>
+<P>
+The user <STRONG>jen</STRONG> may run any command on any machine except for those in the <EM>SERVERS</EM> <CODE>Host_Alias</CODE> (master, mail, www and ns).
-<DT><STRONG><A NAME="item_jill">jill</A></STRONG><DD>
<P>
-The user <A HREF="#item_jill">jill</A> may run <CODE>/sbin/shutdown -h now</CODE> or
-<CODE>/sbin/shutdown -r now</CODE> as well as the commands in the
-<CODE>MISC</CODE> alias on houdini.
+<PRE> jill SERVERS = /usr/bin/, !SU, !SHELLS
+</PRE>
+<P>
+For any machine in the <EM>SERVERS</EM> <CODE>Host_Alias</CODE>, <STRONG>jill</STRONG> may run any commands in the directory /usr/bin/ except for those commands
+belonging to the <EM>SU</EM> and <EM>SHELLS</EM> <CODE>Cmnd_Aliases</CODE>.
-<DT><STRONG><A NAME="item_markm">markm</A></STRONG><DD>
<P>
-The user <A HREF="#item_markm">markm</A> may run any command on the <CODE>HUB</CODE> machines except <EM>/sbin/shutdown</EM>, <EM>/sbin/halt</EM>, and commands listed in the <CODE>MISC</CODE> alias.
+<PRE> steve CSNETS = (operator) /usr/local/op_commands/
+</PRE>
+<P>
+The user <STRONG>steve</STRONG> may run any command in the directory /usr/local/op_commands/ but only as
+user operator.
-<DT><STRONG><A NAME="item_davehieb">davehieb</A></STRONG><DD>
<P>
-The user <A HREF="#item_davehieb">davehieb</A> may run any command on <CODE>merlin</CODE> as any user in the Runas_Alias OP (ie: root or operator). He may also run <EM>/sbin/halt</EM> on the <CODE>SERVERS</CODE> and any command on <CODE>kodiakthorn</CODE> (no password required on <CODE>kodiakthorn</CODE>).
+<PRE> matt valkyrie = KILL
+</PRE>
+<P>
+On his personal workstation, valkyrie, <STRONG>matt</STRONG> needs to be able to kill hung processes.
-<DT><STRONG><A NAME="item_steve">steve</A></STRONG><DD>
<P>
-The user <A HREF="#item_steve">steve</A> may run any command in the <EM>/usr/op_commands/</EM>
-directory as user <CODE>operator</CODE> on the machines on <CODE>CSNETS</CODE>.
+<PRE> WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
+</PRE>
+<P>
+On the host www, any user in the <EM>WEBMASTERS</EM> <CODE>User_Alias</CODE> (will, wendy, and wim), may run any command as user www (which owns the web
+pages) or simply <CODE>su(1)</CODE> to www.
+
+<P>
+<PRE> ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
+ /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
+</PRE>
+<P>
+Any user may mount or unmount a CD-ROM on the machines in the CDROM
+<CODE>Host_Alias</CODE> (orion, perseus, hercules) without entering a password. This is a bit
+tedious for users to type, so it is a prime candiate for encapsulating in a
+shell script.
+
+<P>
+<HR>
+<H1><A NAME="SECURITY_NOTES">SECURITY NOTES</A></H1>
+<P>
+It is generally not effective to ``subtract'' commands from <CODE>ALL</CODE>
+using the '!' operator. A user can trivially circumvent this by copying the
+desired command to a different name and then executing that. For example:
+
+<P>
+<PRE> bill ALL = ALL, !SU, !SHELLS
+</PRE>
+<P>
+Doesn't really prevent <STRONG>bill</STRONG> from running the commands listed in
+<EM>SU</EM> or <EM>SHELLS</EM> since he can simply copy those commands to a different name, or use a shell
+escape from an editor or other program. Therefore, these kind of
+restrictions should be considered advisory at best (and reinforced by
+policy).
-</DL>
<P>
<HR>
<H1><A NAME="CAVEATS">CAVEATS</A></H1>
<P>
The <EM>sudoers</EM> file should <STRONG>always</STRONG> be edited by the <STRONG>visudo</STRONG>
command which locks the file and does grammatical checking. It is
-imperative that the <EM>sudoers</EM> be free of syntax errors since sudo will not run with a syntactically
-incorrect <EM>sudoers</EM> file.
+imperative that <EM>sudoers</EM> be free of syntax errors since <STRONG>sudo</STRONG>
+will not run with a syntactically incorrect <EM>sudoers</EM> file.
<P>
<HR>
<H1><A NAME="FILES">FILES</A></H1>
<P>
-<PRE> /etc/sudoers file of authorized users.
- /etc/netgroup list of network groups.
+<PRE> /etc/sudoers List of who can run what
+ /etc/group Local groups file
+ /etc/netgroup List of network groups
</PRE>
<P>
<HR>
''' $RCSfile$$Revision$$Date$
'''
''' $Log$
-''' Revision 1.10 1999/06/22 10:38:38 millert
-''' typos
+''' Revision 1.11 1999/08/26 09:00:58 millert
+''' new sudoers(8) man page
'''
'''
.de Sh
.nr % 0
.rr F
.\}
-.TH sudoers 5 "1.6" "22/Jun/1999" "FILE FORMATS"
+.TH SUDOERS 5 "1.6" "25/Aug/1999" "FILE FORMATS"
.UC
.if n .hy 0
.if n .na
.\}
.rm #[ #] #H #V #F C
.SH "NAME"
-sudoers \- list of which users may execute what as root
+sudoers \- list of which users may execute what
.SH "DESCRIPTION"
-The \fIsudoers\fR file is composed of an optional host alias section,
-an optional command alias section and the user specification section.
-All command or host aliases need to start with their respective keywords
-(ie: Host_Alias, User_Alias, Runas_Alias or Cmnd_Alias).
-If there are multiple occurrences of a user, the logical union of the
-entries will be used. Note that if there is an entry that denies access
-to a command that is followed by an entry that grants access the user
-will be allowed to run the command.
-.Sh "user specification format:"
+The \fIsudoers\fR file is composed two types of entries:
+aliases (basically variables) and user specifications
+(which specify who may run what). The grammar of \fIsudoers\fR
+will be described below in Extended Backus-Naur Form (EBNF).
+Don't despair if you don't know what EBNF is, it is fairly
+simple and the definitions below are annotated.
+.Sh "Quick guide to \s-1EBNF\s0"
+\s-1EBNF\s0 is a concise and exact way of describing the grammar of a language.
+Each \s-1EBNF\s0 definition is made up of \fIproduction rules\fR. Eg.
.PP
.Vb 1
-\& user access_group [: access_group] ...
+\& symbol ::= definition | alternate1 | alternate2 ...
.Ve
+Each \fIproduction rule\fR references others and thus makes up a
+grammar for the language. \s-1EBNF\s0 also contains the following
+operators, which many readers will recognize from regular
+expressions. Do not, however, confuse them with \*(L"wildcard\*(R"
+characters, which have different meanings.
+.Ip "\f(CW?\fR" 8
+Means that the preceding symbol (or group of symbols) is optional.
+That is, it may appear once or not at all.
+.Ip "\f(CW*\fR" 8
+Means that the preceding symbol (or group of symbols) may appear
+zero or more times.
+.Ip "\f(CW+\fR" 8
+Means that the preceding symbol (or group of symbols) may appear
+one or more times.
+.PP
+Parentheses may be used to group symbols together. For clarity,
+we will use single quotes ('') to designate what is a verbatim character
+string (as opposed to a symbol name).
+.Sh "Aliases"
+There are four kinds of aliases: the \f(CWUser_Alias\fR, \f(CWRunas_Alias\fR,
+\f(CWHost_Alias\fR and \f(CWCmnd_Alias\fR.
+.PP
.Vb 4
-\& access_group ::= host-list = [(runas-list)] [NOPASSWD:] [op]cmnd_type
-\& [,[(user-list)] [NOPASSWD|PASSWD:] [op]cmnd_type] ...
-\& cmnd_type ::= a command OR a command alias.
-\& op ::= the logical "!" NOT operator.
+\& Alias ::= User_Alias = User_Alias (':' User_Alias)* |
+\& Runas_Alias (':' Runas_Alias)* |
+\& Host_Alias (':' Host_Alias)* |
+\& Cmnd_Alias (':' Cmnd_Alias)*
.Ve
-.Sh "host alias section format:"
-.PP
.Vb 1
-\& Host_Alias HOSTALIAS = host-list
+\& User_Alias ::= NAME '=' User_List
.Ve
-.Vb 5
-\& Host_Alias ::= a keyword.
-\& HOSTALIAS ::= an upper-case alias name.
-\& host-list ::= a comma separated list of hosts, netgroups,
-\& ip addresses, networks. A logical "!"
-\& NOT operator may be prefixed to any of these.
+.Vb 1
+\& Runas_Alias ::= NAME '=' Runas_User_List
+.Ve
+.Vb 1
+\& Host_Alias ::= NAME '=' Host_List
.Ve
-.Sh "user alias section format:"
+.Vb 1
+\& Cmnd_Alias ::= NAME '=' Cmnd_List
+.Ve
+.Vb 1
+\& NAME ::= [A-Z]([A-Z][0-9]_)*
+.Ve
+Each \fIalias\fR definition is of the form
.PP
.Vb 1
-\& User_Alias USERALIAS = user-list
+\& Alias_Type NAME = item1, item2, ...
+.Ve
+where \fIAlias_Type\fR is one of \f(CWUser_Alias\fR, \f(CWRunas_Alias\fR, \f(CWHost_Alias\fR,
+or \f(CWCmnd_Alias\fR. A \f(CWNAME\fR is a string of upper case letters, numbers,
+and the underscore characters ('_'). A \f(CWNAME\fR \fBmust\fR start with an
+upper case letter. It is possible to put several alias definitions
+of the same type on a single line, joined by a semicolon (':'). Eg.
+.PP
+.Vb 1
+\& Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
+.Ve
+The definitions of what constitutes a valid \fIalias\fR member follow.
+.PP
+.Vb 2
+\& User_List ::= User |
+\& User ',' User_List
.Ve
.Vb 5
-\& User_Alias ::= a keyword.
-\& USERALIAS ::= an upper-case alias name.
-\& user-list ::= a comma separated list of users, groups, netgroups.
-\& A logical "!" NOT operator may be prefixed to any
-\& of these.
+\& User ::= '!'* username |
+\& '!'* '#'uid |
+\& '!'* '%'group |
+\& '!'* '+'netgroup |
+\& '!'* User_Alias
.Ve
-.Sh "runas alias section format:"
+A \f(CWUser_List\fR is made up of one or more usernames, uids
+(prefixed with \*(L'#'), System groups (prefixed with \*(L'%'),
+netgroups (prefixed with \*(L'+') and other aliases. Each list
+item may be prefixed with one or more \*(L'!\*(R' operators. An odd number
+of \*(L'!\*(R' operators negates the value of the item; an even number
+just cancel each other out.
.PP
-.Vb 1
-\& Runas_Alias RUNASALIAS = runas-list
+.Vb 2
+\& Runas_List ::= Runas_User |
+\& Runas_User ',' Runas_List
.Ve
.Vb 5
-\& Runas_Alias ::= a keyword.
-\& RUNASALIAS ::= an upper-case alias name.
-\& runas-list ::= a comma separated list of users, groups, netgroups.
-\& A logical "!" NOT operator may be prefixed to any
-\& of these.
+\& Runas_User ::= '!'* username |
+\& '!'* '#'uid |
+\& '!'* '%'group |
+\& '!'* +netgroup |
+\& '!'* Runas_Alias
.Ve
-.Sh "command alias section format:"
+Likewise, a \f(CWRunas_List\fR has the same possible elements
+as a \f(CWUser_List\fR, except that it can include a \f(CWRunas_Alias\fR,
+instead of a \f(CWUser_Alias\fR.
.PP
-.Vb 1
-\& Cmnd_Alias CMNDALIAS = cmnd-list
+.Vb 2
+\& Host_List ::= Host |
+\& Host ',' Host_List
.Ve
.Vb 5
-\& Cmnd_Alias ::= a keyword.
-\& CMNDALIAS ::= an upper-case alias name.
-\& cmnd-list ::= a comma separated list commands.
-\& A logical "!" NOT operator may be prefixed to any
-\& of these.
+\& Host ::= '!'* hostname |
+\& '!'* ip_addr |
+\& '!'* network(/netmask)? |
+\& '!'* '+'netgroup |
+\& '!'* Host_Alias
+.Ve
+A \f(CWHost_List\fR is made up of one or more hostnames, \s-1IP\s0 addresses,
+network numbers, netgroups (prefixed with \*(L'+') and other aliases.
+Again, the value of an item may be negated with the \*(L'!\*(R' operator.
+If you do not specify a netmask with a network number, the netmask
+of the host's ethernet \fIinterface\fR\|(s) will be used when matching.
+The netmask may be specified either in dotted quad notation (eg.
+255.255.255.0) or \s-1CIDR\s0 notation (number of bits, eg. 24).
+.PP
+.Vb 2
+\& Cmnd_List ::= Cmnd |
+\& Cmnd ',' Cmnd_List
+.Ve
+.Vb 3
+\& commandname ::= filename |
+\& filename args |
+\& filename '""'
+.Ve
+.Vb 3
+\& Cmnd ::= '!'* commandname |
+\& '!'* directory |
+\& '!'* Cmnd_Alias
.Ve
-.Sh "command specification:"
+A \f(CWCmnd_List\fR is a list of one or more commandnames, directories, and other
+aliases. A commandname is a fully-qualified filename which may include
+shell-style wildcards (see `Wildcards\*(R' section below). A simple
+filename allows the user to run the command with any arguments he/she
+wishes. However, you may also command line arguments (including wildcards).
+Alternately, you can specify \f(CW""\fR to indicate that the command
+may only be run \fBwithout\fR command line arguments. A directory is a
+fully qualified pathname ending in a \*(L'/\*(R'. When you specify a directory
+in a \f(CWCmnd_List\fR, the user will be able to run any file within that directory
+(but not in any subdirectories therein).
+.PP
+If a \f(CWCmnd\fR has associated command line arguments, then the arguments
+in the \f(CWCmnd\fR must match exactly those given by the user on the command line
+(or match the wildcards if there are any). Note that the following
+characters must be escaped with a \*(L'\e\*(R' if they are used in command
+arguments: \*(L',\*(R', \*(L':\*(R', \*(L'=\*(R', \*(L'\e\e\*(R'.
+.Sh "User Specification"
.PP
.Vb 1
-\& path arg1 arg2 .. argn = command
+\& Runas_Spec ::= '(' Runas_List ')'
+.Ve
+.Vb 1
+\& Cmnd_Spec ::= Runas_Spec? ('NOPASSWD:' | 'PASSWD:')? Cmnd
.Ve
.Vb 2
-\& path ::= a fully qualified pathname.
-\& arg[1..n] ::= optional command line arguments.
+\& Cmnd_Spec_List ::= Cmnd_Spec |
+\& Cmnd_Spec ',' Cmnd_Spec_List
.Ve
-.Sh "persistence of modifiers"
-When a \fIrunas-list\fR is specified for an \fIaccess_group\fR, it
-affects all commands in the \fIaccess_group\fR. For example, given:
+.Vb 1
+\& User_Spec ::= User_list Cmnd_Spec_List (':' User_Spec)*
+.Ve
+A \fBuser specification\fR determines which commands a user may run
+(and as what user) on specified hosts. By default, commands are
+run as \fBroot\fR but this can be changed on a per-command basis.
+.PP
+Let's break that down into its constituent parts:
+.Sh "Runas_Spec"
+A \f(CWRunas_Spec\fR is simply a \f(CWRunas_List\fR (as defined above)
+enclosed in a set of parentheses. If you do not specify a
+\f(CWRunas_Spec\fR in the user specification, a default \f(CWRunas_Spec\fR
+of \fBroot\fR will be used. A \f(CWRunas_Spec\fR sets the default for
+commands that follow it. What this means is that for the entry:
.PP
.Vb 1
-\& oper bigserver = (root, sysadm) /usr/bin/kill, /bin/rm
+\& dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/who
.Ve
-User \f(CWoper\fR will be able to run \f(CW/usr/bin/kill\fR and \f(CW/bin/rm\fR
-as \fBroot\fR or \fBsysadm\fR on the machine, \f(CWbigserver\fR. The
-\fIrunas-list\fR is \*(L"sticky\*(R" across entries in the comma-separated
-\fIaccess_group\fR. You can override the \fIrunas-list\fR with another
-one, at which point the new \fIrunas-list\fR becomes the default for
-that \fIaccess_group\fR. For example, given:
+The user \fBdgb\fR may run \fI/bin/ls\fR, \fI/bin/kill\fR, and
+\fI/usr/bin/lprm\fR -- but only as \fBoperator\fR. Eg.
.PP
-.Vb 2
-\& oper bigserver = (root, sysadm) /usr/bin/kill, (root) /bin/rm, \e
-\& /bin/rmdir
+.Vb 1
+\& sudo -u operator /bin/ls.
.Ve
-User \f(CWoper\fR can still run \f(CW/usr/bin/kill\fR as \fBroot\fR or \fBsysadm\fR but
-can only run \f(CW/bin/rm\fR and \f(CW/bin/rmdir\fR as \fBroot\fR.
+It is also possible to override a \f(CWRunas_Spec\fR later on in an
+entry. If we modify the entry like so:
.PP
-Similarly, the \fB\s-1NOPASSWD\s0\fR modifier is also persistent across an
-\fIaccess_group\fR. For example given:
+.Vb 1
+\& dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
+.Ve
+Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR,
+but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR.
+.Sh "\s-1NOPASSWD\s0 and \s-1PASSWD\s0"
+By default, \fBsudo\fR requires that a user authenticate him or herself
+before running a command. This behavior can be modified via the
+\f(CWNOPASSWD\fR tag. Like a \f(CWRunas_Spec\fR, the \f(CWNOPASSWD\fR tag sets
+a default for the commands that follow it in the \f(CWCmnd_Spec_List\fR.
+Conversely, the \f(CWPASSWD\fR tag can be used to reverse things.
+For example:
.PP
.Vb 1
-\& oper bigserver = NOPASSWD: /usr/bin/kill, /bin/rm, /bin/rmdir
+\& ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
.Ve
-User \f(CWoper\fR will be able to run \f(CW/usr/bin/kill\fR, \f(CW/bin/rm\fR, and
-\f(CW/bin/rmdir\fR as \fBroot\fR without a password. If we change that to:
+would allow the user \fBray\fR to run \fI/bin/kill\fR, \fI/bin/ls\fR, and
+\fI/usr/bin/lprm\fR as root on the machine rushmore as \fBroot\fR without
+authenticating himself. If we only want \fBray\fR to be able to
+run \fI/bin/kill\fR without a password the entry would be:
.PP
.Vb 1
-\& oper bigserver = NOPASSWD: /usr/bin/kill, PASSWD: /bin/rm, /bin/rmdir
+\& ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
.Ve
-User \f(CWoper\fR can still run \f(CW/usr/bin/kill\fR without a password but
-must give a password to run \f(CW/bin/rm\fR and \f(CW/bin/rmdir\fR.
-.Sh "wildcards (aka meta characters):"
-\fBsudo\fR allows shell-style \fIwildcards\fR along with command arguments
-in the \fIsudoers\fR file. Wildcard matching is done via the \fB\s-1POSIX\s0\fR
-\f(CWfnmatch(3)\fR routine.
+.Sh "Wildcards (aka meta characters):"
+\fBsudo\fR allows shell-style \fIwildcards\fR to be used in pathnames
+as well as command line arguments in the \fIsudoers\fR file. Wildcard
+matching is done via the \fB\s-1POSIX\s0\fR \f(CWfnmatch(3)\fR routine. Note that
+these are \fInot\fR regular expressions.
.Ip "\f(CW*\fR" 8
Matches any set of zero or more characters.
.Ip "\f(CW?\fR" 8
.Ip "\f(CW\ex\fR" 8
For any character \*(L"x\*(R", evaluates to \*(L"x\*(R". This is used to
escape special characters such as: \*(L"*\*(R", \*(L"?\*(R", \*(L"[\*(R", and \*(L"}\*(R".
-.Sh "exceptions to wildcard rules:"
+.PP
+Note that a forward slash ('/') will \fBnot\fR be matched by
+wildcards used in the pathname. When matching the command
+line arguments, however, as slash \fBdoes\fR get matched by
+wildcards. This is to make a path like:
+.PP
+.Vb 1
+\& /usr/bin/*
+.Ve
+match \f(CW/usr/bin/who\fR but not \f(CW/usr/bin/X11/xterm\fR.
+.Sh "Exceptions to wildcard rules:"
The following exceptions apply to the above rules:
-.Ip "\f(CW""\fR" 8
+.Ip \f(CW""\fR 8
If the empty string \f(CW""\fR is the only command line argument in the
-\fIsudoers\fR entry it means that command may take \fBno\fR arguments.
-.Sh "other special characters and reserved words:"
-Text after a pound sign (\fB#\fR) is considered a comment.
-Words that begin with a percent sign (\fB%\fR) are assumed to
-be \s-1UN\s0*X groups (%staff refers to users in the group \fIstaff\fR).
-Words that begin with a plus sign (\fB+\fR) are assumed to
-be netgroups (\fB+cshosts\fR refers to the netgroup \fIcshosts\fR).
-Long lines can be newline escaped with the backslash \fB\e\fR character.
-.PP
-The reserved word \fB\s-1NOPASSWD\s0\fR indicates that a user need not
-enter a password for the command listed in that entry. The
-\fB\s-1NOPASSWD\s0\fR modifier is persistent across entries in a \fIuser-list\fR
-and can be reversed with the \fB\s-1PASSWD\s0\fR modifier.
-.PP
-The reserved alias \fI\s-1ALL\s0\fR can be used for both {Host,User,Cmnd}_Alias.
-\fB\s-1DO\s0 \s-1NOT\s0\fR define an alias of \fI\s-1ALL\s0\fR, it will \fB\s-1NOT\s0\fR be used.
-Note that \fI\s-1ALL\s0\fR implies the entire universe of hosts/users/commands.
-You can subtract elements from the universe by using the syntax:
-.PP
-.Vb 1
-\& user host=ALL,!ALIAS1,!/sbin/halt...
-.Ve
-Commands may have optional command line arguments. If they do,
-then the arguments in the \fIsudoers\fR file must exactly match those
-on the command line. It is also possible to have a command's
-arguments span multiple lines as long as the line continuance
-character \*(L"\e\*(R" is used. The following characters must be escaped
-with a \*(L"\e\*(R" if used in command arguments: \*(L",\*(R", \*(L":\*(R", \*(L"=\*(R", \*(L"\e\*(R".
+\fIsudoers\fR entry it means that command is not allowed to be run
+with \fBany\fR arguments.
+.Sh "Other special characters and reserved words:"
+The pound sign ('#') is used to indicate a comment (unless it
+occurs in the context of a user name and is followed by one or
+more digits, in which case it is treated as a uid). Both the
+comment character and any text after it, up to the end of the line,
+are ignored.
+.PP
+The reserved word \fB\s-1ALL\s0\fR is a a built in \fIalias\fR that always causes
+a match to succeed. It can be used wherever one might otherwise
+use a \f(CWCmnd_Alias\fR, \f(CWUser_Alias\fR, \f(CWRunas_Alias\fR, or \f(CWHost_Alias\fR.
+You should not try to define your own \fIalias\fR called \fB\s-1ALL\s0\fR as the
+built in alias will be used in preference to your own.
+.PP
+An exclamation point (\*(R'!') can be used as a logical \fInot\fR operator
+both in an \fIalias\fR and in front of a \f(CWCmnd\fR. This allows one to
+exclude certain values. Note, however, that using a \f(CW!\fR in
+conjunction with the built in \f(CWALL\fR alias to allow a user to
+run \*(L"all but a few\*(R" commands rarely works as intended (see \s-1SECURITY\s0
+\s-1NOTES\s0 below).
+.PP
+Long lines can be continued with a backslash (\*(R'\e\e') as the last
+character on the line.
+.PP
+Whitespace between elements in a list as well as specicial syntactic
+characters in a \fIUser Specification\fR ('=\*(R', \*(L':\*(R', \*(L'(\*(R', \*(L')') is optional.
.SH "EXAMPLES"
+Below are example \fIsudoers\fR entries. Admittedly, some of
+these are a bit contrived. First, we define our \fIaliases\fR:
.PP
-.Vb 7
-\& # Host alias specification
-\& Host_Alias HUB=houdini:\e
-\& REMOTE=merlin,kodiakthorn,spirit
-\& Host_Alias SERVERS=houdini,merlin,kodiakthorn,spirit
-\& Host_Alias CUNETS=128.138.0.0/255.255.0.0
-\& Host_Alias CSNETS=128.138.243.0,128.138.204.0,\e
-\& 128.138.205.192
+.Vb 4
+\& # User alias specification
+\& User_Alias FULLTIMERS = millert, mikef, dowdy
+\& User_Alias PARTTIMERS = bostley, jwfox, crawl
+\& User_Alias WEBMASTERS = will, wendy, wim
.Ve
.Vb 3
-\& # User alias specification
-\& User_Alias FULLTIME=millert,dowdy,mikef
-\& User_Alias PARTTIME=juola,mccreary,tor
+\& # Runas alias specification
+\& Runas_Alias OP = root, operator
+\& Runas_Alias DB = oracle, sybase
.Ve
+.Vb 9
+\& # Host alias specification
+\& Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
+\& SGI = grolsch, dandelion, black :\e
+\& ALPHA = widget, thalamus, foobar :\e
+\& HPPA = boa, nag, python
+\& Host_Alias CUNETS = 128.138.0.0/255.255.0.0
+\& Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
+\& Host_Alias SERVERS = master, mail, www, ns
+\& Host_Alias CDROM = orion, perseus, hercules
+.Ve
+.Vb 12
+\& # Cmnd alias specification
+\& Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
+\& /usr/sbin/restore, /usr/sbin/rrestore
+\& Cmnd_Alias KILL = /usr/bin/kill
+\& Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
+\& Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
+\& Cmnd_Alias HALT = /usr/sbin/halt, /usr/sbin/fasthalt
+\& Cmnd_Alias REBOOT = /usr/sbin/reboot, /usr/sbin/fastboot
+\& Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \e
+\& /usr/local/bin/tcsh, /usr/bin/rsh, \e
+\& /usr/local/bin/zsh
+\& Cmnd_Alias SU = /usr/bin/su
+.Ve
+The \fIUser specification\fR is the part that actually determines who may
+run what.
+.PP
.Vb 2
-\& # Runas alias specification
-\& Runas_Alias OP=root,operator
-.Ve
-.Vb 6
-\& # Command alias specification
-\& Cmnd_Alias LPCS=/usr/sbin/lpc,/usr/bin/lprm
-\& Cmnd_Alias SHELLS=/bin/sh,/bin/csh,/bin/tcsh,/bin/ksh
-\& Cmnd_Alias SU=/usr/bin/su
-\& Cmnd_Alias MISC=/bin/rm,/bin/cat:\e
-\& SHUTDOWN=/sbin/halt,/sbin/shutdown
-.Ve
-.Vb 14
-\& # User specification
-\& FULLTIME ALL=(ALL) NOPASSWD: ALL
-\& %wheel ALL=ALL
-\& PARTTIME ALL=ALL,!SHELLS,!SU
-\& +interns +openlabs=ALL,!SHELLS,!SU
-\& britt REMOTE=SHUTDOWN:ALL=LPCS
-\& jimbo CUNETS=/usr/bin/su [!-]*,!/usr/bin/su *root*
-\& nieusma SERVERS=SHUTDOWN,/sbin/reboot:\e
-\& HUB=ALL,!SHELLS
-\& jill houdini=/sbin/shutdown -[hr] now,MISC
-\& markm HUB=ALL,!MISC,!/sbin/shutdown,!/sbin/halt
-\& davehieb merlin=(OP) ALL:SERVERS=/sbin/halt:\e
-\& kodiakthorn=NOPASSWD: ALL
-\& steve CSNETS=(operator) /usr/op_commands/
-.Ve
-.Sh "Host Alias specifications:"
-The are four \fIhost aliases\fR. The first actually contains
-two \fIaliases\fR. It sets \f(CWHUB\fR to be \f(CWhoudini\fR and \f(CWREMOTE\fR
-to the three machines \f(CWmerlin\fR, \f(CWkodiakthorn\fR and \f(CWspirit\fR.
-Similarly, \f(CWSERVERS\fR is set to the machines \f(CWhoudini\fR, \f(CWmerlin\fR,
-\f(CWkodiakthorn\fR and \f(CWspirit\fR. The \f(CWCSNETS\fR alias will match
-any host on the 128.138.243.0, 128.138.204.0, or 128.138.205.192
-nets. The \f(CWCUNETS\fR alias will match any host on the 128.138.0.0
-(class B) network. Note that these are \fBnetwork\fR addresses, not ip
-addresses. Unless an explicit netmask is given, the local \fInetmask\fR
-is used to determine whether or not the current host belongs to a network.
-.Sh "User Alias specifications:"
-The two \fIuser aliases\fR simply groups the \f(CWFULLTIME\fR and
-\f(CWPARTTIME\fR folks into two separate aliases.
-.Sh "Command alias specifications:"
-Command aliases are lists of commands with or without associated
-command line arguments. The entries above should be self-explanatory.
-.Sh "User specifications:"
-.Ip "\s-1FULLTIME\s0" 16
-Full-time sysadmins in the \f(CWFULLTIME\fR alias may run any
-command on any host as any user without a password.
-.Ip "%wheel" 16
-Any user in the \s-1UN\s0*X group \f(CWwheel\fR may run any
-command on any host.
-.Ip "\s-1PARTTIME\s0" 16
-Part-time sysadmins in the \f(CWPARTTIME\fR alias may run any
-command except those in the \f(CWSHELLS\fR and \f(CWSU\fR aliases
-on any host.
-.Ip "+interns" 16
-Any user in the netgroup \f(CWinterns\fR may run any
-command except those in the \f(CWSHELLS\fR and \f(CWSU\fR aliases
-on any host that is in the \f(CWopenlabs\fR netgroup.
-.Ip "britt" 16
-The user \f(CWbritt\fR may run commands in the \f(CWSHUTDOWN\fR alias
-on the \f(CWREMOTE\fR machines and commands in the \f(CWLPCS\fR alias
-on any machine.
-.Ip "jimbo" 16
-The user \f(CWjimbo\fR may \f(CWsu\fR to any user save root on the
-machines on \f(CWCUNETS\fR (which is explicitly listed as a class
-B network).
-.Ip "nieusma" 16
-The user \f(CWnieusma\fR may run commands in the \f(CWSHUTDOWN\fR alias
-as well as \fI/sbin/reboot\fR on the \f(CWSERVER\fR machines and
-any command except those in the \f(CWSHELLS\fR alias on the \f(CWHUB\fR
-machines.
-.Ip "jill" 16
-The user \f(CWjill\fR may run \f(CW/sbin/shutdown -h now\fR or
-\f(CW/sbin/shutdown -r now\fR as well as the commands in the
-\f(CWMISC\fR alias on houdini.
-.Ip "markm" 16
-The user \f(CWmarkm\fR may run any command on the \f(CWHUB\fR machines
-except \fI/sbin/shutdown\fR, \fI/sbin/halt\fR, and commands listed
-in the \f(CWMISC\fR alias.
-.Ip "davehieb" 16
-The user \f(CWdavehieb\fR may run any command on \f(CWmerlin\fR as any
-user in the Runas_Alias \s-1OP\s0 (ie: root or operator). He may
-also run \fI/sbin/halt\fR on the \f(CWSERVERS\fR and any command
-on \f(CWkodiakthorn\fR (no password required on \f(CWkodiakthorn\fR).
-.Ip "steve" 16
-The user \f(CWsteve\fR may run any command in the \fI/usr/op_commands/\fR
-directory as user \f(CWoperator\fR on the machines on \f(CWCSNETS\fR.
+\& root ALL = (ALL) ALL
+\& %wheel ALL = (ALL) ALL
+.Ve
+We let \fBroot\fR and any user in group \fBwheel\fR run any command on any
+host as any user.
+.PP
+.Vb 1
+\& FULLTIMERS ALL = NOPASSWD: ALL
+.Ve
+Full time sysadmins (\fBmillert\fR, \fBmikef\fR, and \fBdowdy\fR) may run any
+command on any host without authenticating themselves.
+.PP
+.Vb 1
+\& PARTTIMERS ALL = ALL
+.Ve
+Part time sysadmins (\fBbostley\fR, \fBjwfox\fR, and \fBcrawl\fR) may run any
+command on any host but they must authenticate themselves first
+(since the entry lacks the \f(CWNOPASSWD\fR tag).
+.PP
+.Vb 1
+\& jack CSNETS = ALL
+.Ve
+The user \fBjack\fR may run any command on the machines in the \fICSNETS\fR alias
+(the networks \f(CW128.138.243.0\fR, \f(CW128.138.204.0\fR, and \f(CW128.138.242.0\fR).
+Of those networks, only <128.138.204.0> has an explicit netmask (in
+CIDR notation) indicating it is a class C network. For the other
+networks in \fICSNETS\fR, the local machine's netmask will be used
+during matching.
+.PP
+.Vb 1
+\& lisa CUNETS = ALL
+.Ve
+The user \fBlisa\fR may run any command on any host in the \fICUNETS\fR alias
+(the class B network \f(CW128.138.0.0\fR).
+.PP
+.Vb 2
+\& operator ALL = DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT,\e
+\& /usr/oper/bin/
+.Ve
+The \fBoperator\fR user may run commands limited to simple maintenance.
+Here, those are commands related to backups, killing processes, the
+printing system, shutting down the system, and any commands in the
+directory \fI/usr/oper/bin/\fR.
+.PP
+.Vb 1
+\& joe ALL = /usr/bin/su operator
+.Ve
+The user \fBjoe\fR may only \fIsu\fR\|(1) to operator.
+.PP
+.Vb 1
+\& pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
+.Ve
+The user \fBpete\fR is allowed to change anyone's password except for
+root on the \fIHPPA\fR machines. Note that this assumes \fIpasswd\fR\|(1)
+does not take multiple usernames on the command line.
+.PP
+.Vb 1
+\& bob SPARC = (OP) ALL : SGI = (OP) ALL
+.Ve
+The user \fBbob\fR may run anything on the \fISPARC\fR and \fISGI\fR machines
+as any user listed in the \fIOP\fR \f(CWRunas_Alias\fR (\fBroot\fR and \fBoperator\fR).
+.PP
+.Vb 1
+\& jim +biglab = ALL
+.Ve
+The user \fBjim\fR may run any command on machines in the \fIbiglab\fR netgroup.
+\fBSudo\fR knows that \*(L"biglab\*(R" is a netgroup due to the \*(L'+\*(R' prefix.
+.PP
+.Vb 1
+\& +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
+.Ve
+Users in the \fBsecretaries\fR netgroup need to help manage the printers
+as well as add and remove users, so they are allowed to run those
+commands on all machines.
+.PP
+.Vb 1
+\& fred ALL = (DB) NOPASSWD: ALL
+.Ve
+The user \fBfred\fR can run commands as any user in the \fIDB\fR \f(CWRunas_Alias\fR
+(\fBoracle\fR or \fBsybase\fR) without giving a password.
+.PP
+.Vb 1
+\& john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
+.Ve
+On the \fIALPHA\fR machines, user \fBjohn\fR may su to anyone except root
+but he is not allowed to give \fIsu\fR\|(1) any flags.
+.PP
+.Vb 1
+\& jen ALL, !SERVERS = ALL
+.Ve
+The user \fBjen\fR may run any command on any machine except for those
+in the \fISERVERS\fR \f(CWHost_Alias\fR (master, mail, www and ns).
+.PP
+.Vb 1
+\& jill SERVERS = /usr/bin/, !SU, !SHELLS
+.Ve
+For any machine in the \fISERVERS\fR \f(CWHost_Alias\fR, \fBjill\fR may run
+any commands in the directory /usr/bin/ except for those commands
+belonging to the \fISU\fR and \fISHELLS\fR \f(CWCmnd_Aliases\fR.
+.PP
+.Vb 1
+\& steve CSNETS = (operator) /usr/local/op_commands/
+.Ve
+The user \fBsteve\fR may run any command in the directory /usr/local/op_commands/
+but only as user operator.
+.PP
+.Vb 1
+\& matt valkyrie = KILL
+.Ve
+On his personal workstation, valkyrie, \fBmatt\fR needs to be able to
+kill hung processes.
+.PP
+.Vb 1
+\& WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
+.Ve
+On the host www, any user in the \fIWEBMASTERS\fR \f(CWUser_Alias\fR (will,
+wendy, and wim), may run any command as user www (which owns the
+web pages) or simply \fIsu\fR\|(1) to www.
+.PP
+.Vb 2
+\& ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
+\& /sbin/mount -o nosuid\e,nodev /dev/cd0a /CDROM
+.Ve
+Any user may mount or unmount a CD\-ROM on the machines in the CDROM
+\f(CWHost_Alias\fR (orion, perseus, hercules) without entering a password.
+This is a bit tedious for users to type, so it is a prime candiate
+for encapsulating in a shell script.
+.SH "SECURITY NOTES"
+It is generally not effective to \*(L"subtract\*(R" commands from \f(CWALL\fR
+using the \*(L'!\*(R' operator. A user can trivially circumvent this
+by copying the desired command to a different name and then
+executing that. For example:
+.PP
+.Vb 1
+\& bill ALL = ALL, !SU, !SHELLS
+.Ve
+Doesn't really prevent \fBbill\fR from running the commands listed in
+\fISU\fR or \fISHELLS\fR since he can simply copy those commands to a
+different name, or use a shell escape from an editor or other
+program. Therefore, these kind of restrictions should be considered
+advisory at best (and reinforced by policy).
.SH "CAVEATS"
The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR
command which locks the file and does grammatical checking. It is
-imperative that the \fIsudoers\fR be free of syntax errors since sudo
+imperative that \fIsudoers\fR be free of syntax errors since \fBsudo\fR
will not run with a syntactically incorrect \fIsudoers\fR file.
.SH "FILES"
.PP
-.Vb 2
-\& /etc/sudoers file of authorized users.
-\& /etc/netgroup list of network groups.
+.Vb 3
+\& /etc/sudoers List of who can run what
+\& /etc/group Local groups file
+\& /etc/netgroup List of network groups
.Ve
.SH "SEE ALSO"
\fIsudo\fR\|(8), \fIvisudo\fR\|(8), \fIsu\fR\|(1), \fIfnmatch\fR\|(3).
.rn }` ''
-.IX Title "sudoers 5"
-.IX Name "sudoers - list of which users may execute what as root"
+.IX Title "SUDOERS 5"
+.IX Name "sudoers - list of which users may execute what"
.IX Header "NAME"
.IX Header "DESCRIPTION"
-.IX Subsection "user specification format:"
+.IX Subsection "Quick guide to \s-1EBNF\s0"
+
+.IX Item "\f(CW?\fR"
-.IX Subsection "host alias section format:"
+.IX Item "\f(CW*\fR"
-.IX Subsection "user alias section format:"
+.IX Item "\f(CW+\fR"
-.IX Subsection "runas alias section format:"
+.IX Subsection "Aliases"
-.IX Subsection "command alias section format:"
+.IX Subsection "User Specification"
-.IX Subsection "command specification:"
+.IX Subsection "Runas_Spec"
-.IX Subsection "persistence of modifiers"
+.IX Subsection "\s-1NOPASSWD\s0 and \s-1PASSWD\s0"
-.IX Subsection "wildcards (aka meta characters):"
+.IX Subsection "Wildcards (aka meta characters):"
.IX Item "\f(CW*\fR"
.IX Item "\f(CW\ex\fR"
-.IX Subsection "exceptions to wildcard rules:"
+.IX Subsection "Exceptions to wildcard rules:"
.IX Item "\f(CW""\fR"
-.IX Subsection "other special characters and reserved words:"
+.IX Subsection "Other special characters and reserved words:"
.IX Header "EXAMPLES"
-.IX Subsection "Host Alias specifications:"
-
-.IX Subsection "User Alias specifications:"
-
-.IX Subsection "Command alias specifications:"
-
-.IX Subsection "User specifications:"
-
-.IX Item "\s-1FULLTIME\s0"
-
-.IX Item "%wheel"
-
-.IX Item "\s-1PARTTIME\s0"
-
-.IX Item "+interns"
-
-.IX Item "britt"
-
-.IX Item "jimbo"
-
-.IX Item "nieusma"
-
-.IX Item "jill"
-
-.IX Item "markm"
-
-.IX Item "davehieb"
-
-.IX Item "steve"
+.IX Header "SECURITY NOTES"
.IX Header "CAVEATS"
=cut
+Copyright (c) 1994-1996,1998-1999 Todd C. Miller <Todd.Miller@courtesan.com>
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions
+are met:
+
+1. Redistributions of source code must retain the above copyright
+ notice, this list of conditions and the following disclaimer.
+
+2. Redistributions in binary form must reproduce the above copyright
+ notice, this list of conditions and the following disclaimer in the
+ documentation and/or other materials provided with the distribution.
+
+3. The name of the author may not be used to endorse or promote products
+ derived from this software without specific prior written permission
+ from the author.
+
+4. Products derived from this software may not be called "Sudo" nor
+ may "Sudo" appear in their names without specific prior written
+ permission from the author.
+
+THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL
+THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
$Sudo$
=pod
=head1 NAME
-sudoers - list of which users may execute what as root
+sudoers - list of which users may execute what
=head1 DESCRIPTION
-The I<sudoers> file is composed of an optional host alias section,
-an optional command alias section and the user specification section.
-All command or host aliases need to start with their respective keywords
-(ie: Host_Alias, User_Alias, Runas_Alias or Cmnd_Alias).
-If there are multiple occurrences of a user, the logical union of the
-entries will be used. Note that if there is an entry that denies access
-to a command that is followed by an entry that grants access the user
-will be allowed to run the command.
+The I<sudoers> file is composed two types of entries:
+aliases (basically variables) and user specifications
+(which specify who may run what). The grammar of I<sudoers>
+will be described below in Extended Backus-Naur Form (EBNF).
+Don't despair if you don't know what EBNF is, it is fairly
+simple and the definitions below are annotated.
+
+=head2 Quick guide to EBNF
+
+EBNF is a concise and exact way of describing the grammar of a language.
+Each EBNF definition is made up of I<production rules>. Eg.
+
+ symbol ::= definition | alternate1 | alternate2 ...
+
+Each I<production rule> references others and thus makes up a
+grammar for the language. EBNF also contains the following
+operators, which many readers will recognize from regular
+expressions. Do not, however, confuse them with "wildcard"
+characters, which have different meanings.
+
+=over 8
+
+=item C<?>
+
+Means that the preceding symbol (or group of symbols) is optional.
+That is, it may appear once or not at all.
+
+=item C<*>
+
+Means that the preceding symbol (or group of symbols) may appear
+zero or more times.
+
+=item C<+>
+
+Means that the preceding symbol (or group of symbols) may appear
+one or more times.
+
+=back
+
+Parentheses may be used to group symbols together. For clarity,
+we will use single quotes ('') to designate what is a verbatim character
+string (as opposed to a symbol name).
+
+=head2 Aliases
+
+There are four kinds of aliases: the C<User_Alias>, C<Runas_Alias>,
+C<Host_Alias> and C<Cmnd_Alias>.
+
+ Alias ::= User_Alias = User_Alias (':' User_Alias)* |
+ Runas_Alias (':' Runas_Alias)* |
+ Host_Alias (':' Host_Alias)* |
+ Cmnd_Alias (':' Cmnd_Alias)*
+
+ User_Alias ::= NAME '=' User_List
+
+ Runas_Alias ::= NAME '=' Runas_User_List
+
+ Host_Alias ::= NAME '=' Host_List
+
+ Cmnd_Alias ::= NAME '=' Cmnd_List
+
+ NAME ::= [A-Z]([A-Z][0-9]_)*
-=head2 user specification format:
+Each I<alias> definition is of the form
- user access_group [: access_group] ...
+ Alias_Type NAME = item1, item2, ...
- access_group ::= host-list = [(runas-list)] [NOPASSWD:] [op]cmnd_type
- [,[(user-list)] [NOPASSWD|PASSWD:] [op]cmnd_type] ...
- cmnd_type ::= a command OR a command alias.
- op ::= the logical "!" NOT operator.
+where I<Alias_Type> is one of C<User_Alias>, C<Runas_Alias>, C<Host_Alias>,
+or C<Cmnd_Alias>. A C<NAME> is a string of upper case letters, numbers,
+and the underscore characters ('_'). A C<NAME> B<must> start with an
+upper case letter. It is possible to put several alias definitions
+of the same type on a single line, joined by a semicolon (':'). Eg.
-=head2 host alias section format:
+ Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
- Host_Alias HOSTALIAS = host-list
+The definitions of what constitutes a valid I<alias> member follow.
- Host_Alias ::= a keyword.
- HOSTALIAS ::= an upper-case alias name.
- host-list ::= a comma separated list of hosts, netgroups,
- ip addresses, networks. A logical "!"
- NOT operator may be prefixed to any of these.
+ User_List ::= User |
+ User ',' User_List
-=head2 user alias section format:
+ User ::= '!'* username |
+ '!'* '#'uid |
+ '!'* '%'group |
+ '!'* '+'netgroup |
+ '!'* User_Alias
- User_Alias USERALIAS = user-list
+A C<User_List> is made up of one or more usernames, uids
+(prefixed with '#'), System groups (prefixed with '%'),
+netgroups (prefixed with '+') and other aliases. Each list
+item may be prefixed with one or more '!' operators. An odd number
+of '!' operators negates the value of the item; an even number
+just cancel each other out.
- User_Alias ::= a keyword.
- USERALIAS ::= an upper-case alias name.
- user-list ::= a comma separated list of users, groups, netgroups.
- A logical "!" NOT operator may be prefixed to any
- of these.
+ Runas_List ::= Runas_User |
+ Runas_User ',' Runas_List
-=head2 runas alias section format:
+ Runas_User ::= '!'* username |
+ '!'* '#'uid |
+ '!'* '%'group |
+ '!'* +netgroup |
+ '!'* Runas_Alias
- Runas_Alias RUNASALIAS = runas-list
+Likewise, a C<Runas_List> has the same possible elements
+as a C<User_List>, except that it can include a C<Runas_Alias>,
+instead of a C<User_Alias>.
- Runas_Alias ::= a keyword.
- RUNASALIAS ::= an upper-case alias name.
- runas-list ::= a comma separated list of users, groups, netgroups.
- A logical "!" NOT operator may be prefixed to any
- of these.
+ Host_List ::= Host |
+ Host ',' Host_List
-=head2 command alias section format:
+ Host ::= '!'* hostname |
+ '!'* ip_addr |
+ '!'* network(/netmask)? |
+ '!'* '+'netgroup |
+ '!'* Host_Alias
- Cmnd_Alias CMNDALIAS = cmnd-list
+A C<Host_List> is made up of one or more hostnames, IP addresses,
+network numbers, netgroups (prefixed with '+') and other aliases.
+Again, the value of an item may be negated with the '!' operator.
+If you do not specify a netmask with a network number, the netmask
+of the host's ethernet interface(s) will be used when matching.
+The netmask may be specified either in dotted quad notation (eg.
+255.255.255.0) or CIDR notation (number of bits, eg. 24).
- Cmnd_Alias ::= a keyword.
- CMNDALIAS ::= an upper-case alias name.
- cmnd-list ::= a comma separated list commands.
- A logical "!" NOT operator may be prefixed to any
- of these.
+ Cmnd_List ::= Cmnd |
+ Cmnd ',' Cmnd_List
-=head2 command specification:
+ commandname ::= filename |
+ filename args |
+ filename '""'
- path arg1 arg2 .. argn = command
+ Cmnd ::= '!'* commandname |
+ '!'* directory |
+ '!'* Cmnd_Alias
- path ::= a fully qualified pathname.
- arg[1..n] ::= optional command line arguments.
+A C<Cmnd_List> is a list of one or more commandnames, directories, and other
+aliases. A commandname is a fully-qualified filename which may include
+shell-style wildcards (see `Wildcards' section below). A simple
+filename allows the user to run the command with any arguments he/she
+wishes. However, you may also command line arguments (including wildcards).
+Alternately, you can specify C<""> to indicate that the command
+may only be run B<without> command line arguments. A directory is a
+fully qualified pathname ending in a '/'. When you specify a directory
+in a C<Cmnd_List>, the user will be able to run any file within that directory
+(but not in any subdirectories therein).
-=head2 persistence of modifiers
+If a C<Cmnd> has associated command line arguments, then the arguments
+in the C<Cmnd> must match exactly those given by the user on the command line
+(or match the wildcards if there are any). Note that the following
+characters must be escaped with a '\' if they are used in command
+arguments: ',', ':', '=', '\\'.
-When a I<runas-list> is specified for an I<access_group>, it
-affects all commands in the I<access_group>. For example, given:
+=head2 User Specification
- oper bigserver = (root, sysadm) /usr/bin/kill, /bin/rm
+ Runas_Spec ::= '(' Runas_List ')'
-User C<oper> will be able to run C</usr/bin/kill> and C</bin/rm>
-as B<root> or B<sysadm> on the machine, C<bigserver>. The
-I<runas-list> is "sticky" across entries in the comma-separated
-I<access_group>. You can override the I<runas-list> with another
-one, at which point the new I<runas-list> becomes the default for
-that I<access_group>. For example, given:
+ Cmnd_Spec ::= Runas_Spec? ('NOPASSWD:' | 'PASSWD:')? Cmnd
- oper bigserver = (root, sysadm) /usr/bin/kill, (root) /bin/rm, \
- /bin/rmdir
+ Cmnd_Spec_List ::= Cmnd_Spec |
+ Cmnd_Spec ',' Cmnd_Spec_List
-User C<oper> can still run C</usr/bin/kill> as B<root> or B<sysadm> but
-can only run C</bin/rm> and C</bin/rmdir> as B<root>.
+ User_Spec ::= User_list Cmnd_Spec_List (':' User_Spec)*
-Similarly, the B<NOPASSWD> modifier is also persistent across an
-I<access_group>. For example given:
+A B<user specification> determines which commands a user may run
+(and as what user) on specified hosts. By default, commands are
+run as B<root> but this can be changed on a per-command basis.
- oper bigserver = NOPASSWD: /usr/bin/kill, /bin/rm, /bin/rmdir
+Let's break that down into its constituent parts:
-User C<oper> will be able to run C</usr/bin/kill>, C</bin/rm>, and
-C</bin/rmdir> as B<root> without a password. If we change that to:
+=head2 Runas_Spec
- oper bigserver = NOPASSWD: /usr/bin/kill, PASSWD: /bin/rm, /bin/rmdir
+A C<Runas_Spec> is simply a C<Runas_List> (as defined above)
+enclosed in a set of parentheses. If you do not specify a
+C<Runas_Spec> in the user specification, a default C<Runas_Spec>
+of B<root> will be used. A C<Runas_Spec> sets the default for
+commands that follow it. What this means is that for the entry:
-User C<oper> can still run C</usr/bin/kill> without a password but
-must give a password to run C</bin/rm> and C</bin/rmdir>.
+ dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/who
-=head2 wildcards (aka meta characters):
+The user B<dgb> may run F</bin/ls>, F</bin/kill>, and
+F</usr/bin/lprm> -- but only as B<operator>. Eg.
-B<sudo> allows shell-style I<wildcards> along with command arguments
-in the I<sudoers> file. Wildcard matching is done via the B<POSIX>
-C<fnmatch(3)> routine.
+ sudo -u operator /bin/ls.
+
+It is also possible to override a C<Runas_Spec> later on in an
+entry. If we modify the entry like so:
+
+ dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
+
+Then user B<dgb> is now allowed to run F</bin/ls> as B<operator>,
+but F</bin/kill> and F</usr/bin/lprm> as B<root>.
+
+=head2 NOPASSWD and PASSWD
+
+By default, B<sudo> requires that a user authenticate him or herself
+before running a command. This behavior can be modified via the
+C<NOPASSWD> tag. Like a C<Runas_Spec>, the C<NOPASSWD> tag sets
+a default for the commands that follow it in the C<Cmnd_Spec_List>.
+Conversely, the C<PASSWD> tag can be used to reverse things.
+For example:
+
+ ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
+
+would allow the user B<ray> to run F</bin/kill>, F</bin/ls>, and
+F</usr/bin/lprm> as root on the machine rushmore as B<root> without
+authenticating himself. If we only want B<ray> to be able to
+run F</bin/kill> without a password the entry would be:
+
+ ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
+
+=head2 Wildcards (aka meta characters):
+
+B<sudo> allows shell-style I<wildcards> to be used in pathnames
+as well as command line arguments in the I<sudoers> file. Wildcard
+matching is done via the B<POSIX> C<fnmatch(3)> routine. Note that
+these are I<not> regular expressions.
=over 8
=back
-=head2 exceptions to wildcard rules:
+Note that a forward slash ('/') will B<not> be matched by
+wildcards used in the pathname. When matching the command
+line arguments, however, as slash B<does> get matched by
+wildcards. This is to make a path like:
+
+ /usr/bin/*
+
+match C</usr/bin/who> but not C</usr/bin/X11/xterm>.
+
+=head2 Exceptions to wildcard rules:
The following exceptions apply to the above rules:
=item C<"">
If the empty string C<""> is the only command line argument in the
-I<sudoers> entry it means that command may take B<no> arguments.
+I<sudoers> entry it means that command is not allowed to be run
+with B<any> arguments.
=back
-=head2 other special characters and reserved words:
+=head2 Other special characters and reserved words:
-Text after a pound sign (B<#>) is considered a comment.
-Words that begin with a percent sign (B<%>) are assumed to
-be UN*X groups (%staff refers to users in the group I<staff>).
-Words that begin with a plus sign (B<+>) are assumed to
-be netgroups (B<+cshosts> refers to the netgroup I<cshosts>).
-Long lines can be newline escaped with the backslash B<\> character.
+The pound sign ('#') is used to indicate a comment (unless it
+occurs in the context of a user name and is followed by one or
+more digits, in which case it is treated as a uid). Both the
+comment character and any text after it, up to the end of the line,
+are ignored.
-The reserved word B<NOPASSWD> indicates that a user need not
-enter a password for the command listed in that entry. The
-B<NOPASSWD> modifier is persistent across entries in a I<user-list>
-and can be reversed with the B<PASSWD> modifier.
+The reserved word B<ALL> is a a built in I<alias> that always causes
+a match to succeed. It can be used wherever one might otherwise
+use a C<Cmnd_Alias>, C<User_Alias>, C<Runas_Alias>, or C<Host_Alias>.
+You should not try to define your own I<alias> called B<ALL> as the
+built in alias will be used in preference to your own.
-The reserved alias I<ALL> can be used for both {Host,User,Cmnd}_Alias.
-B<DO NOT> define an alias of I<ALL>, it will B<NOT> be used.
-Note that I<ALL> implies the entire universe of hosts/users/commands.
-You can subtract elements from the universe by using the syntax:
+An exclamation point ('!') can be used as a logical I<not> operator
+both in an I<alias> and in front of a C<Cmnd>. This allows one to
+exclude certain values. Note, however, that using a C<!> in
+conjunction with the built in C<ALL> alias to allow a user to
+run "all but a few" commands rarely works as intended (see SECURITY
+NOTES below).
- user host=ALL,!ALIAS1,!/sbin/halt...
+Long lines can be continued with a backslash ('\\') as the last
+character on the line.
-Commands may have optional command line arguments. If they do,
-then the arguments in the I<sudoers> file must exactly match those
-on the command line. It is also possible to have a command's
-arguments span multiple lines as long as the line continuance
-character "\" is used. The following characters must be escaped
-with a "\" if used in command arguments: ",", ":", "=", "\".
+Whitespace between elements in a list as well as specicial syntactic
+characters in a I<User Specification> ('=', ':', '(', ')') is optional.
=head1 EXAMPLES
- # Host alias specification
- Host_Alias HUB=houdini:\
- REMOTE=merlin,kodiakthorn,spirit
- Host_Alias SERVERS=houdini,merlin,kodiakthorn,spirit
- Host_Alias CUNETS=128.138.0.0/255.255.0.0
- Host_Alias CSNETS=128.138.243.0,128.138.204.0,\
- 128.138.205.192
+Below are example I<sudoers> entries. Admittedly, some of
+these are a bit contrived. First, we define our I<aliases>:
- # User alias specification
- User_Alias FULLTIME=millert,dowdy,mikef
- User_Alias PARTTIME=juola,mccreary,tor
+ # User alias specification
+ User_Alias FULLTIMERS = millert, mikef, dowdy
+ User_Alias PARTTIMERS = bostley, jwfox, crawl
+ User_Alias WEBMASTERS = will, wendy, wim
- # Runas alias specification
- Runas_Alias OP=root,operator
+ # Runas alias specification
+ Runas_Alias OP = root, operator
+ Runas_Alias DB = oracle, sybase
- # Command alias specification
- Cmnd_Alias LPCS=/usr/sbin/lpc,/usr/bin/lprm
- Cmnd_Alias SHELLS=/bin/sh,/bin/csh,/bin/tcsh,/bin/ksh
- Cmnd_Alias SU=/usr/bin/su
- Cmnd_Alias MISC=/bin/rm,/bin/cat:\
- SHUTDOWN=/sbin/halt,/sbin/shutdown
+ # Host alias specification
+ Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
+ SGI = grolsch, dandelion, black :\
+ ALPHA = widget, thalamus, foobar :\
+ HPPA = boa, nag, python
+ Host_Alias CUNETS = 128.138.0.0/255.255.0.0
+ Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
+ Host_Alias SERVERS = master, mail, www, ns
+ Host_Alias CDROM = orion, perseus, hercules
- # User specification
- FULLTIME ALL=(ALL) NOPASSWD: ALL
- %wheel ALL=ALL
- PARTTIME ALL=ALL,!SHELLS,!SU
- +interns +openlabs=ALL,!SHELLS,!SU
- britt REMOTE=SHUTDOWN:ALL=LPCS
- jimbo CUNETS=/usr/bin/su [!-]*,!/usr/bin/su *root*
- nieusma SERVERS=SHUTDOWN,/sbin/reboot:\
- HUB=ALL,!SHELLS
- jill houdini=/sbin/shutdown -[hr] now,MISC
- markm HUB=ALL,!MISC,!/sbin/shutdown,!/sbin/halt
- davehieb merlin=(OP) ALL:SERVERS=/sbin/halt:\
- kodiakthorn=NOPASSWD: ALL
- steve CSNETS=(operator) /usr/op_commands/
+ # Cmnd alias specification
+ Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
+ /usr/sbin/restore, /usr/sbin/rrestore
+ Cmnd_Alias KILL = /usr/bin/kill
+ Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
+ Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
+ Cmnd_Alias HALT = /usr/sbin/halt, /usr/sbin/fasthalt
+ Cmnd_Alias REBOOT = /usr/sbin/reboot, /usr/sbin/fastboot
+ Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \
+ /usr/local/bin/tcsh, /usr/bin/rsh, \
+ /usr/local/bin/zsh
+ Cmnd_Alias SU = /usr/bin/su
-=head2 Host Alias specifications:
+The I<User specification> is the part that actually determines who may
+run what.
-The are four I<host aliases>. The first actually contains
-two I<aliases>. It sets C<HUB> to be C<houdini> and C<REMOTE>
-to the three machines C<merlin>, C<kodiakthorn> and C<spirit>.
-Similarly, C<SERVERS> is set to the machines C<houdini>, C<merlin>,
-C<kodiakthorn> and C<spirit>. The C<CSNETS> alias will match
-any host on the 128.138.243.0, 128.138.204.0, or 128.138.205.192
-nets. The C<CUNETS> alias will match any host on the 128.138.0.0
-(class B) network. Note that these are B<network> addresses, not ip
-addresses. Unless an explicit netmask is given, the local I<netmask>
-is used to determine whether or not the current host belongs to a network.
+ root ALL = (ALL) ALL
+ %wheel ALL = (ALL) ALL
-=head2 User Alias specifications:
+We let B<root> and any user in group B<wheel> run any command on any
+host as any user.
-The two I<user aliases> simply groups the C<FULLTIME> and
-C<PARTTIME> folks into two separate aliases.
+ FULLTIMERS ALL = NOPASSWD: ALL
-=head2 Command alias specifications:
+Full time sysadmins (B<millert>, B<mikef>, and B<dowdy>) may run any
+command on any host without authenticating themselves.
-Command aliases are lists of commands with or without associated
-command line arguments. The entries above should be self-explanatory.
+ PARTTIMERS ALL = ALL
-=head2 User specifications:
+Part time sysadmins (B<bostley>, B<jwfox>, and B<crawl>) may run any
+command on any host but they must authenticate themselves first
+(since the entry lacks the C<NOPASSWD> tag).
-=over 16
+ jack CSNETS = ALL
-=item FULLTIME
+The user B<jack> may run any command on the machines in the I<CSNETS> alias
+(the networks C<128.138.243.0>, C<128.138.204.0>, and C<128.138.242.0>).
+Of those networks, only <128.138.204.0> has an explicit netmask (in
+CIDR notation) indicating it is a class C network. For the other
+networks in I<CSNETS>, the local machine's netmask will be used
+during matching.
-Full-time sysadmins in the C<FULLTIME> alias may run any
-command on any host as any user without a password.
+ lisa CUNETS = ALL
-=item %wheel
+The user B<lisa> may run any command on any host in the I<CUNETS> alias
+(the class B network C<128.138.0.0>).
-Any user in the UN*X group C<wheel> may run any
-command on any host.
+ operator ALL = DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT,\
+ /usr/oper/bin/
-=item PARTTIME
+The B<operator> user may run commands limited to simple maintenance.
+Here, those are commands related to backups, killing processes, the
+printing system, shutting down the system, and any commands in the
+directory F</usr/oper/bin/>.
-Part-time sysadmins in the C<PARTTIME> alias may run any
-command except those in the C<SHELLS> and C<SU> aliases
-on any host.
+ joe ALL = /usr/bin/su operator
-=item +interns
+The user B<joe> may only su(1) to operator.
-Any user in the netgroup C<interns> may run any
-command except those in the C<SHELLS> and C<SU> aliases
-on any host that is in the C<openlabs> netgroup.
+ pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
-=item britt
+The user B<pete> is allowed to change anyone's password except for
+root on the I<HPPA> machines. Note that this assumes passwd(1)
+does not take multiple usernames on the command line.
-The user C<britt> may run commands in the C<SHUTDOWN> alias
-on the C<REMOTE> machines and commands in the C<LPCS> alias
-on any machine.
+ bob SPARC = (OP) ALL : SGI = (OP) ALL
-=item jimbo
+The user B<bob> may run anything on the I<SPARC> and I<SGI> machines
+as any user listed in the I<OP> C<Runas_Alias> (B<root> and B<operator>).
-The user C<jimbo> may C<su> to any user save root on the
-machines on C<CUNETS> (which is explicitly listed as a class
-B network).
+ jim +biglab = ALL
-=item nieusma
+The user B<jim> may run any command on machines in the I<biglab> netgroup.
+B<Sudo> knows that "biglab" is a netgroup due to the '+' prefix.
-The user C<nieusma> may run commands in the C<SHUTDOWN> alias
-as well as F</sbin/reboot> on the C<SERVER> machines and
-any command except those in the C<SHELLS> alias on the C<HUB>
-machines.
+ +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
-=item jill
+Users in the B<secretaries> netgroup need to help manage the printers
+as well as add and remove users, so they are allowed to run those
+commands on all machines.
-The user C<jill> may run C</sbin/shutdown -h now> or
-C</sbin/shutdown -r now> as well as the commands in the
-C<MISC> alias on houdini.
+ fred ALL = (DB) NOPASSWD: ALL
-=item markm
+The user B<fred> can run commands as any user in the I<DB> C<Runas_Alias>
+(B<oracle> or B<sybase>) without giving a password.
-The user C<markm> may run any command on the C<HUB> machines
-except F</sbin/shutdown>, F</sbin/halt>, and commands listed
-in the C<MISC> alias.
+ john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
-=item davehieb
+On the I<ALPHA> machines, user B<john> may su to anyone except root
+but he is not allowed to give su(1) any flags.
-The user C<davehieb> may run any command on C<merlin> as any
-user in the Runas_Alias OP (ie: root or operator). He may
-also run F</sbin/halt> on the C<SERVERS> and any command
-on C<kodiakthorn> (no password required on C<kodiakthorn>).
+ jen ALL, !SERVERS = ALL
-=item steve
+The user B<jen> may run any command on any machine except for those
+in the I<SERVERS> C<Host_Alias> (master, mail, www and ns).
-The user C<steve> may run any command in the F</usr/op_commands/>
-directory as user C<operator> on the machines on C<CSNETS>.
+ jill SERVERS = /usr/bin/, !SU, !SHELLS
-=back
+For any machine in the I<SERVERS> C<Host_Alias>, B<jill> may run
+any commands in the directory /usr/bin/ except for those commands
+belonging to the I<SU> and I<SHELLS> C<Cmnd_Aliases>.
+
+ steve CSNETS = (operator) /usr/local/op_commands/
+
+The user B<steve> may run any command in the directory /usr/local/op_commands/
+but only as user operator.
+
+ matt valkyrie = KILL
+
+On his personal workstation, valkyrie, B<matt> needs to be able to
+kill hung processes.
+
+ WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
+
+On the host www, any user in the I<WEBMASTERS> C<User_Alias> (will,
+wendy, and wim), may run any command as user www (which owns the
+web pages) or simply su(1) to www.
+
+ ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
+ /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
+
+Any user may mount or unmount a CD-ROM on the machines in the CDROM
+C<Host_Alias> (orion, perseus, hercules) without entering a password.
+This is a bit tedious for users to type, so it is a prime candiate
+for encapsulating in a shell script.
+
+=head1 SECURITY NOTES
+
+It is generally not effective to "subtract" commands from C<ALL>
+using the '!' operator. A user can trivially circumvent this
+by copying the desired command to a different name and then
+executing that. For example:
+
+ bill ALL = ALL, !SU, !SHELLS
+
+Doesn't really prevent B<bill> from running the commands listed in
+I<SU> or I<SHELLS> since he can simply copy those commands to a
+different name, or use a shell escape from an editor or other
+program. Therefore, these kind of restrictions should be considered
+advisory at best (and reinforced by policy).
=head1 CAVEATS
The I<sudoers> file should B<always> be edited by the B<visudo>
command which locks the file and does grammatical checking. It is
-imperative that the I<sudoers> be free of syntax errors since sudo
+imperative that I<sudoers> be free of syntax errors since B<sudo>
will not run with a syntactically incorrect I<sudoers> file.
=head1 FILES
- /etc/sudoers file of authorized users.
- /etc/netgroup list of network groups.
+ /etc/sudoers List of who can run what
+ /etc/group Local groups file
+ /etc/netgroup List of network groups
=head1 SEE ALSO
projects / sudo / commitdiff