out but this is a start.
28) Make syslog stuff work on vanilla ultrix
29) Implement date_format and log_format options.
+
+30) Add support for: Default:user@host
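Review bot: the new TODO item writes the keyword as `Default:user@host`, but the grammar this change documents uses `'Defaults'` (`Default_Type ::= 'Defaults' || 'Defaults' ':' User || 'Defaults' '@' Host`); spell it `Defaults:user@host` so the item names the syntax that would actually be parsed.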
Cmnd_Alias VIPW = /usr/sbin/vipw, /usr/bin/passwd, /usr/bin/chsh, \
/usr/bin/chfn
+##
+# Override builtin defaults
+##
+Defaults syslog=auth
+Defaults:FULLTIMERS !lecture
+Defaults:millert !authenticate
+Defaults@SERVERS log_year, logfile=/var/log/sudo.log
+
##
# User specification
##
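Review bot: `Defaults@SERVERS log_year, logfile=/var/log/sudo.log` uses a `logfile` parameter that is not in any of the Flags, Integers or Strings lists added to the documentation in this change (the string list ends at `secure_path`), so either document `logfile` with the other strings or drop it from the sample; a shipped sample should only use parameters the manual describes. Two smaller points on the same block: `Defaults:FULLTIMERS` applies per-user defaults to what the EXAMPLES prose calls the full time staff, i.e. an alias name, while the grammar only shows `'Defaults' ':' User`, so the prose should say whether a User_Alias is accepted there; and since sample.sudoers is copied verbatim, a comment beside `Defaults:millert !authenticate` stating that it removes the password check for that user entirely would help readers not inherit it by accident.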
-SUDOERS(5) FILE FORMATS SUDOERS(5)
+sudoers(5) FILE FORMATS sudoers(5)
N\bN\bN\bNA\bA\bA\bAM\bM\bM\bME\bE\bE\bE
There are four kinds of aliases: the User_Alias,
Runas_Alias, Host_Alias and Cmnd_Alias.
- Alias ::= User_Alias = User_Alias (':' User_Alias)* |
- Runas_Alias (':' Runas_Alias)* |
- Host_Alias (':' Host_Alias)* |
- Cmnd_Alias (':' Cmnd_Alias)*
+ Alias ::= 'User_Alias' = User_Alias (':' User_Alias)* |
+ 'Runas_Alias' (':' Runas_Alias)* |
+ 'Host_Alias' (':' Host_Alias)* |
+ 'Cmnd_Alias' (':' Cmnd_Alias)*
User_Alias ::= NAME '=' User_List
-25/Aug/1999 1.6 1
+10/Oct/1999 1.6 1
-SUDOERS(5) FILE FORMATS SUDOERS(5)
+sudoers(5) FILE FORMATS sudoers(5)
Host_Alias ::= NAME '=' Host_List
-25/Aug/1999 1.6 2
+10/Oct/1999 1.6 2
-SUDOERS(5) FILE FORMATS SUDOERS(5)
+sudoers(5) FILE FORMATS sudoers(5)
Host ::= '!'* hostname |
be escaped with a '\' if they are used in command
arguments: ',', ':', '=', '\\'.
- U\bU\bU\bUs\bs\bs\bse\be\be\ber\br\br\br S\bS\bS\bSp\bp\bp\bpe\be\be\bec\bc\bc\bci\bi\bi\bif\bf\bf\bfi\bi\bi\bic\bc\bc\bca\ba\ba\bat\bt\bt\bti\bi\bi\bio\bo\bo\bon\bn\bn\bn
+ D\bD\bD\bDe\be\be\bef\bf\bf\bfa\ba\ba\bau\bu\bu\bul\bl\bl\blt\bt\bt\bts\bs\bs\bs
+ Certain configuration options may be changed from their
+ default values at runtime via one or more Default_Entry
+ lines. These may affect all users on any host, all users
+ on a specific host, or just a specific user. When
+ multiple entries match, they are applied in order. Where
- Runas_Spec ::= '(' Runas_List ')'
- Cmnd_Spec ::= Runas_Spec? ('NOPASSWD:' | 'PASSWD:')? Cmnd
+10/Oct/1999 1.6 3
+
+
+
+
+
+sudoers(5) FILE FORMATS sudoers(5)
+
+
+ there are conflicting values, the last value on a matching
+ line takes effect.
+
+ Default_Type ::= 'Defaults' ||
+ 'Defaults' ':' User ||
+ 'Defaults' '@' Host
+
+ Default_Entry ::= Default_Type Parameter_List
+
+ Parameter ::= Parameter '=' Value ||
+ '!'* Parameter ||
+
+ Parameters may be flags, integer values, or strings.
+ Flags are implicitly boolean and can be turned off via the
+ '!' operator. Some integer and string parameters may also
+ be used in a boolean context to disable them. Values may
+ be enclosed in double quotes (") when they contain
+ multiple words. Special characters may be escaped with a
+ backslash (\).
+
+ F\bF\bF\bFl\bl\bl\bla\ba\ba\bag\bg\bg\bgs\bs\bs\bs:
+
+ long_otp_prompt
+ Put OTP prompt on its own line
+
+ ignore_dot Ignore '.' in $PATH
+
+ mail_always Always send mail when sudo is run
+
+ mail_no_user
+ Send mail if the user is not in sudoers
+
+ mail_no_host
+ Send mail if the user is not in sudoers for
+ this host
+
+ mail_no_perms
+ Send mail if the user is not allowed to run a
+ command
+
+ tty_tickets Use a separate timestamp for each user/tty
+ combo
+
+ lecture Lecture user the first time they run sudo
+
+ authenticate
+ Require users to authenticate by default
+
+ root_sudo Root may run sudo
+
+ log_host Log the hostname in the (non-syslog) log file
+
+ log_year Log the year in the (non-syslog) log file
+
+
+
+
+10/Oct/1999 1.6 4
+
+
+
+
+
+sudoers(5) FILE FORMATS sudoers(5)
+
+
+ shell_noargs
+ If sudo is invoked with no arguments, start a
+ shell
+
+ set_home Set $HOME to the target user when starting a
+ shell with -s
+
+ path_info Allow some information gathering to give
+ useful error messages
+
+ fqdn Require fully-qualified hostnames in the
+ sudoers file
+
+ insults Insult the user when they enter an incorrect
+ password
+
+ requiretty Only allow the user to run sudo if they have a
+ tty
+
+ I\bI\bI\bIn\bn\bn\bnt\bt\bt\bte\be\be\beg\bg\bg\bge\be\be\ber\br\br\brs\bs\bs\bs:
+
+ passwd_tries
+ Number of tries to enter a password
+
+ I\bI\bI\bIn\bn\bn\bnt\bt\bt\bte\be\be\beg\bg\bg\bge\be\be\ber\br\br\brs\bs\bs\bs t\bt\bt\bth\bh\bh\bha\ba\ba\bat\bt\bt\bt c\bc\bc\bca\ba\ba\ban\bn\bn\bn b\bb\bb\bbe\be\be\be u\bu\bu\bus\bs\bs\bse\be\be\bed\bd\bd\bd i\bi\bi\bin\bn\bn\bn a\ba\ba\ba b\bb\bb\bbo\bo\bo\boo\bo\bo\bol\bl\bl\ble\be\be\bea\ba\ba\ban\bn\bn\bn c\bc\bc\bco\bo\bo\bon\bn\bn\bnt\bt\bt\bte\be\be\bex\bx\bx\bxt\bt\bt\bt:
+
+ loglinelen Length at which to wrap log file lines (use 0
+ or negate for no wrap)
+
+ timestamp_timeout
+ Authentication timestamp timeout
+
+ passwd_timeout
+ Password prompt timeout
+
+ umask Umask to use or 0777 to use user's
+
+ S\bS\bS\bSt\bt\bt\btr\br\br\bri\bi\bi\bin\bn\bn\bng\bg\bg\bgs\bs\bs\bs:
+
+ mailsub Subject line for mail messages
+
+ badpass_message
+ Incorrect password message
+
+ timestampdir
+ Path to authentication timestamp dir
+
+ passprompt Default password prompt
+
+ runas_default
+ Default user to run commands as
+
+ syslog_goodpri
+ Syslog priority to use when user authenticates
+
+
+
+10/Oct/1999 1.6 5
+
+
+
+
+
+sudoers(5) FILE FORMATS sudoers(5)
+
+
+ successfully
+
+ syslog_badpri
+ Syslog priority to use when user authenticates
+ unsuccessfully
+
+ S\bS\bS\bSt\bt\bt\btr\br\br\bri\bi\bi\bin\bn\bn\bng\bg\bg\bgs\bs\bs\bs t\bt\bt\bth\bh\bh\bha\ba\ba\bat\bt\bt\bt c\bc\bc\bca\ba\ba\ban\bn\bn\bn b\bb\bb\bbe\be\be\be u\bu\bu\bus\bs\bs\bse\be\be\bed\bd\bd\bd i\bi\bi\bin\bn\bn\bn a\ba\ba\ba b\bb\bb\bbo\bo\bo\boo\bo\bo\bol\bl\bl\ble\be\be\bea\ba\ba\ban\bn\bn\bn c\bc\bc\bco\bo\bo\bon\bn\bn\bnt\bt\bt\bte\be\be\bex\bx\bx\bxt\bt\bt\bt:
+
+ syslog Syslog facility if syslog is being used for
+ logging (negate to disable syslog)
+
+ mailerpath Path to mail program
+ mailerflags Flags for mail program
+ mailto Address to send mail to
-25/Aug/1999 1.6 3
+ exempt_group
+ Users in this group are exempt from password
+ and PATH requirements
+ secure_path Value to override user's $PATH with
+ When logging via _\bs_\by_\bs_\bl_\bo_\bg(3), sudo accepts the following
+ values for the syslog facility (the value of the _\bs_\by_\bs_\bl_\bo_\bg
+ Parameter): _\ba_\bu_\bt_\bh_\bp_\br_\bi_\bv (if your OS supports it), _\ba_\bu_\bt_\bh,
+ _\bd_\ba_\be_\bm_\bo_\bn, _\bu_\bs_\be_\br, _\bl_\bo_\bc_\ba_\bl_\b0, _\bl_\bo_\bc_\ba_\bl_\b1, _\bl_\bo_\bc_\ba_\bl_\b2, _\bl_\bo_\bc_\ba_\bl_\b3, _\bl_\bo_\bc_\ba_\bl_\b4,
+ _\bl_\bo_\bc_\ba_\bl_\b5, _\bl_\bo_\bc_\ba_\bl_\b6, and _\bl_\bo_\bc_\ba_\bl_\b7. The following syslog
+ priorities are supported: _\ba_\bl_\be_\br_\bt, _\bc_\br_\bi_\bt, _\bd_\be_\bb_\bu_\bg, _\be_\bm_\be_\br_\bg, _\be_\br_\br,
+ _\bi_\bn_\bf_\bo, _\bn_\bo_\bt_\bi_\bc_\be, and _\bw_\ba_\br_\bn_\bi_\bn_\bg.
+ U\bU\bU\bUs\bs\bs\bse\be\be\ber\br\br\br S\bS\bS\bSp\bp\bp\bpe\be\be\bec\bc\bc\bci\bi\bi\bif\bf\bf\bfi\bi\bi\bic\bc\bc\bca\ba\ba\bat\bt\bt\bti\bi\bi\bio\bo\bo\bon\bn\bn\bn
-SUDOERS(5) FILE FORMATS SUDOERS(5)
+ Runas_Spec ::= '(' Runas_List ')'
+ Cmnd_Spec ::= Runas_Spec? ('NOPASSWD:' | 'PASSWD:')? Cmnd
Cmnd_Spec_List ::= Cmnd_Spec |
Cmnd_Spec ',' Cmnd_Spec_List
A Runas_Spec is simply a Runas_List (as defined above)
enclosed in a set of parentheses. If you do not specify a
+
+
+
+10/Oct/1999 1.6 6
+
+
+
+
+
+sudoers(5) FILE FORMATS sudoers(5)
+
+
Runas_Spec in the user specification, a default Runas_Spec
of r\br\br\bro\bo\bo\boo\bo\bo\bot\bt\bt\bt will be used. A Runas_Spec sets the default for
commands that follow it. What this means is that for the
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
-
-25/Aug/1999 1.6 4
-
-
-
-
-
-SUDOERS(5) FILE FORMATS SUDOERS(5)
-
-
W\bW\bW\bWi\bi\bi\bil\bl\bl\bld\bd\bd\bdc\bc\bc\bca\ba\ba\bar\br\br\brd\bd\bd\bds\bs\bs\bs (\b(\b(\b(a\ba\ba\bak\bk\bk\bka\ba\ba\ba m\bm\bm\bme\be\be\bet\bt\bt\bta\ba\ba\ba c\bc\bc\bch\bh\bh\bha\ba\ba\bar\br\br\bra\ba\ba\bac\bc\bc\bct\bt\bt\bte\be\be\ber\br\br\brs\bs\bs\bs)\b)\b)\b):\b:\b:\b:
s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo allows shell-style _\bw_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs to be used in pathnames
[...] Matches any character in the specified range.
+
+
+
+
+10/Oct/1999 1.6 7
+
+
+
+
+
+sudoers(5) FILE FORMATS sudoers(5)
+
+
[!...] Matches any character n\bn\bn\bno\bo\bo\bot\bt\bt\bt in the specified range.
\x For any character "x", evaluates to "x". This is
An exclamation point ('!') can be used as a logical _\bn_\bo_\bt
operator both in an _\ba_\bl_\bi_\ba_\bs and in front of a Cmnd. This
+ allows one to exclude certain values. Note, however, that
+ using a ! in conjunction with the built in ALL alias to
+ allow a user to run "all but a few" commands rarely works
+ as intended (see SECURITY NOTES below).
+ Long lines can be continued with a backslash ('\\') as the
+ last character on the line.
+ Whitespace between elements in a list as well as specicial
+ syntactic characters in a _\bU_\bs_\be_\br _\bS_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn ('=', ':',
+ '(', ')') is optional.
-25/Aug/1999 1.6 5
+10/Oct/1999 1.6 8
-SUDOERS(5) FILE FORMATS SUDOERS(5)
- allows one to exclude certain values. Note, however, that
- using a ! in conjunction with the built in ALL alias to
- allow a user to run "all but a few" commands rarely works
- as intended (see SECURITY NOTES below).
- Long lines can be continued with a backslash ('\\') as the
- last character on the line.
- Whitespace between elements in a list as well as specicial
- syntactic characters in a _\bU_\bs_\be_\br _\bS_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn ('=', ':',
- '(', ')') is optional.
+sudoers(5) FILE FORMATS sudoers(5)
+
E\bE\bE\bEX\bX\bX\bXA\bA\bA\bAM\bM\bM\bMP\bP\bP\bPL\bL\bL\bLE\bE\bE\bES\bS\bS\bS
Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of
/usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
+ Here we override some of the compiled in default values.
+ We want sudo to log via _\bs_\by_\bs_\bl_\bo_\bg(3) using the _\ba_\bu_\bt_\bh facility
+ in all cases. We don't want to subject the full time
+ staff to the s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo lecture, and user m\bm\bm\bmi\bi\bi\bil\bl\bl\bll\bl\bl\ble\be\be\ber\br\br\brt\bt\bt\bt need not give
+ a password. In addition, on the machines in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS
+ Host_Alias, we keep an additional local log file and make
+ sure we log the year in each log line since the log
+ entries will be kept around for several years.
+
+ # Override builtin defaults
+ Defaults syslog=auth
+ Defaults:FULLTIMERS !lecture
+ Defaults:millert !authenticate
+ Defaults@SERVERS log_year, logfile=/var/log/sudo.log
+
The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually
determines who may run what.
- root ALL = (ALL) ALL
- %wheel ALL = (ALL) ALL
+10/Oct/1999 1.6 9
-25/Aug/1999 1.6 6
+sudoers(5) FILE FORMATS sudoers(5)
-SUDOERS(5) FILE FORMATS SUDOERS(5)
+ root ALL = (ALL) ALL
+ %wheel ALL = (ALL) ALL
We let r\br\br\bro\bo\bo\boo\bo\bo\bot\bt\bt\bt and any user in group w\bw\bw\bwh\bh\bh\bhe\be\be\bee\be\be\bel\bl\bl\bl run any command on
any host as any user.
bob SPARC = (OP) ALL : SGI = (OP) ALL
The user b\bb\bb\bbo\bo\bo\bob\bb\bb\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI
- machines as any user listed in the _\bO_\bP Runas_Alias (r\br\br\bro\bo\bo\boo\bo\bo\bot\bt\bt\bt
- and o\bo\bo\bop\bp\bp\bpe\be\be\ber\br\br\bra\ba\ba\bat\bt\bt\bto\bo\bo\bor\br\br\br).
+10/Oct/1999 1.6 10
-25/Aug/1999 1.6 7
+sudoers(5) FILE FORMATS sudoers(5)
-SUDOERS(5) FILE FORMATS SUDOERS(5)
+ machines as any user listed in the _\bO_\bP Runas_Alias (r\br\br\bro\bo\bo\boo\bo\bo\bot\bt\bt\bt
+ and o\bo\bo\bop\bp\bp\bpe\be\be\ber\br\br\bra\ba\ba\bat\bt\bt\bto\bo\bo\bor\br\br\br).
jim +biglab = ALL
(will, wendy, and wim), may run any command as user www
(which owns the web pages) or simply _\bs_\bu(1) to www.
- ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
- /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
- Any user may mount or unmount a CD-ROM on the machines in
-25/Aug/1999 1.6 8
+10/Oct/1999 1.6 11
-SUDOERS(5) FILE FORMATS SUDOERS(5)
+sudoers(5) FILE FORMATS sudoers(5)
+ ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
+ /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
+
+ Any user may mount or unmount a CD-ROM on the machines in
the CDROM Host_Alias (orion, perseus, hercules) without
entering a password. This is a bit tedious for users to
type, so it is a prime candiate for encapsulating in a
-
-
-
-
-25/Aug/1999 1.6 9
+10/Oct/1999 1.6 12
-SUDOERS(5) FILE FORMATS SUDOERS(5)
+sudoers(5) FILE FORMATS sudoers(5)
-25/Aug/1999 1.6 10
+10/Oct/1999 1.6 13
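Review bot: this catman output should be regenerated from sudoers.pod rather than reviewed on its own; the `Parameter ::= ... '!'* Parameter ||` production it shows ends in a bare `||` with no final alternative, which is inherited from the source. The re-paginated paragraphs carry two pre-existing typos that this change moves but does not fix, `specicial` (should be `special`) in the whitespace paragraph and `candiate` (`candidate`) in the CD-ROM example; fixing both in the .pod before regenerating would keep the generated files consistent.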
<LI><A HREF="#Quick_guide_to_EBNF">Quick guide to EBNF</A>
<LI><A HREF="#Aliases">Aliases</A>
+ <LI><A HREF="#Defaults">Defaults</A>
<LI><A HREF="#User_Specification">User Specification</A>
<LI><A HREF="#Runas_Spec">Runas_Spec</A>
<LI><A HREF="#NOPASSWD_and_PASSWD">NOPASSWD and PASSWD</A>
<CODE>Host_Alias</CODE> and <CODE>Cmnd_Alias</CODE>.
<P>
-<PRE> Alias ::= User_Alias = User_Alias (':' User_Alias)* |
- Runas_Alias (':' Runas_Alias)* |
- Host_Alias (':' Host_Alias)* |
- Cmnd_Alias (':' Cmnd_Alias)*
+<PRE> Alias ::= 'User_Alias' = User_Alias (':' User_Alias)* |
+ 'Runas_Alias' (':' Runas_Alias)* |
+ 'Host_Alias' (':' Host_Alias)* |
+ 'Cmnd_Alias' (':' Cmnd_Alias)*
</PRE>
<P>
<PRE> User_Alias ::= NAME '=' User_List
escaped with a '\' if they are used in command arguments: ',', ':', '=',
'\\'.
+<P>
+<HR>
+<H2><A NAME="Defaults">Defaults</A></H2>
+<P>
+Certain configuration options may be changed from their default values at
+runtime via one or more <CODE>Default_Entry</CODE> lines. These may affect all users on any host, all users on a specific
+host, or just a specific user. When multiple entries match, they are
+applied in order. Where there are conflicting values, the last value on a
+matching line takes effect.
+
+<P>
+<PRE> Default_Type ::= 'Defaults' ||
+ 'Defaults' ':' User ||
+ 'Defaults' '@' Host
+</PRE>
+<P>
+<PRE> Default_Entry ::= Default_Type Parameter_List
+</PRE>
+<P>
+<PRE> Parameter ::= Parameter '=' Value ||
+ '!'* Parameter ||
+</PRE>
+<P>
+Parameters may be flags, integer values, or strings. Flags are implicitly
+boolean and can be turned off via the '!' operator. Some integer and string
+parameters may also be used in a boolean context to disable them. Values
+may be enclosed in double quotes (<CODE>"</CODE>) when they contain multiple words. Special characters may be escaped with
+a backslash (<CODE>\</CODE>).
+
+<P>
+<STRONG>Flags</STRONG>:
+
+<DL>
+<DT><STRONG><A NAME="item_long_otp_prompt">long_otp_prompt</A></STRONG><DD>
+<P>
+Put OTP prompt on its own line
+
+<DT><STRONG><A NAME="item_ignore_dot">ignore_dot</A></STRONG><DD>
+<P>
+Ignore '.' in <CODE>$PATH</CODE>
+
+<DT><STRONG><A NAME="item_mail_always">mail_always</A></STRONG><DD>
+<P>
+Always send mail when sudo is run
+
+<DT><STRONG><A NAME="item_mail_no_user">mail_no_user</A></STRONG><DD>
+<P>
+Send mail if the user is not in sudoers
+
+<DT><STRONG><A NAME="item_mail_no_host">mail_no_host</A></STRONG><DD>
+<P>
+Send mail if the user is not in sudoers for this host
+
+<DT><STRONG><A NAME="item_mail_no_perms">mail_no_perms</A></STRONG><DD>
+<P>
+Send mail if the user is not allowed to run a command
+
+<DT><STRONG><A NAME="item_tty_tickets">tty_tickets</A></STRONG><DD>
+<P>
+Use a separate timestamp for each user/tty combo
+
+<DT><STRONG><A NAME="item_lecture">lecture</A></STRONG><DD>
+<P>
+Lecture user the first time they run sudo
+
+<DT><STRONG><A NAME="item_authenticate">authenticate</A></STRONG><DD>
+<P>
+Require users to authenticate by default
+
+<DT><STRONG><A NAME="item_root_sudo">root_sudo</A></STRONG><DD>
+<P>
+Root may run sudo
+
+<DT><STRONG><A NAME="item_log_host">log_host</A></STRONG><DD>
+<P>
+Log the hostname in the (non-syslog) log file
+
+<DT><STRONG><A NAME="item_log_year">log_year</A></STRONG><DD>
+<P>
+Log the year in the (non-syslog) log file
+
+<DT><STRONG><A NAME="item_shell_noargs">shell_noargs</A></STRONG><DD>
+<P>
+If sudo is invoked with no arguments, start a shell
+
+<DT><STRONG><A NAME="item_set_home">set_home</A></STRONG><DD>
+<P>
+Set <CODE>$HOME</CODE> to the target user when starting a shell with <CODE>-s</CODE>
+
+
+
+<DT><STRONG><A NAME="item_path_info">path_info</A></STRONG><DD>
+<P>
+Allow some information gathering to give useful error messages
+
+<DT><STRONG><A NAME="item_fqdn">fqdn</A></STRONG><DD>
+<P>
+Require fully-qualified hostnames in the sudoers file
+
+<DT><STRONG><A NAME="item_insults">insults</A></STRONG><DD>
+<P>
+Insult the user when they enter an incorrect password
+
+<DT><STRONG><A NAME="item_requiretty">requiretty</A></STRONG><DD>
+<P>
+Only allow the user to run sudo if they have a tty
+
+</DL>
+<P>
+<STRONG>Integers</STRONG>:
+
+<DL>
+<DT><STRONG><A NAME="item_passwd_tries">passwd_tries</A></STRONG><DD>
+<P>
+Number of tries to enter a password
+
+</DL>
+<P>
+<STRONG>Integers that can be used in a boolean context</STRONG>:
+
+<DL>
+<DT><STRONG><A NAME="item_loglinelen">loglinelen</A></STRONG><DD>
+<P>
+Length at which to wrap log file lines (use 0 or negate for no wrap)
+
+<DT><STRONG><A NAME="item_timestamp_timeout">timestamp_timeout</A></STRONG><DD>
+<P>
+Authentication timestamp timeout
+
+<DT><STRONG><A NAME="item_passwd_timeout">passwd_timeout</A></STRONG><DD>
+<P>
+Password prompt timeout
+
+<DT><STRONG><A NAME="item_umask">umask</A></STRONG><DD>
+<P>
+Umask to use or 0777 to use user's
+
+</DL>
+<P>
+<STRONG>Strings</STRONG>:
+
+<DL>
+<DT><STRONG><A NAME="item_mailsub">mailsub</A></STRONG><DD>
+<P>
+Subject line for mail messages
+
+<DT><STRONG><A NAME="item_badpass_message">badpass_message</A></STRONG><DD>
+<P>
+Incorrect password message
+
+<DT><STRONG><A NAME="item_timestampdir">timestampdir</A></STRONG><DD>
+<P>
+Path to authentication timestamp dir
+
+<DT><STRONG><A NAME="item_passprompt">passprompt</A></STRONG><DD>
+<P>
+Default password prompt
+
+<DT><STRONG><A NAME="item_runas_default">runas_default</A></STRONG><DD>
+<P>
+Default user to run commands as
+
+<DT><STRONG><A NAME="item_syslog_goodpri">syslog_goodpri</A></STRONG><DD>
+<P>
+Syslog priority to use when user authenticates successfully
+
+<DT><STRONG><A NAME="item_syslog_badpri">syslog_badpri</A></STRONG><DD>
+<P>
+Syslog priority to use when user authenticates unsuccessfully
+
+</DL>
+<P>
+<STRONG>Strings that can be used in a boolean context</STRONG>:
+
+<DL>
+<DT><STRONG><A NAME="item_syslog">syslog</A></STRONG><DD>
+<P>
+Syslog facility if syslog is being used for logging (negate to disable
+syslog)
+
+<DT><STRONG><A NAME="item_mailerpath">mailerpath</A></STRONG><DD>
+<P>
+Path to mail program
+
+<DT><STRONG><A NAME="item_mailerflags">mailerflags</A></STRONG><DD>
+<P>
+Flags for mail program
+
+<DT><STRONG><A NAME="item_mailto">mailto</A></STRONG><DD>
+<P>
+Address to send mail to
+
+<DT><STRONG><A NAME="item_exempt_group">exempt_group</A></STRONG><DD>
+<P>
+Users in this group are exempt from password and PATH requirements
+
+<DT><STRONG><A NAME="item_secure_path">secure_path</A></STRONG><DD>
+<P>
+Value to override user's <CODE>$PATH</CODE> with
+
+</DL>
+<P>
+When logging via <CODE>syslog(3),</CODE> sudo accepts the following values
+for the syslog facility (the value of the <EM>syslog</EM> Parameter): <EM>authpriv</EM> (if your OS supports it), <EM>auth</EM>, <EM>daemon</EM>, <EM>user</EM>, <EM>local0</EM>, <EM>local1</EM>, <EM>local2</EM>,
+<EM>local3</EM>, <EM>local4</EM>, <EM>local5</EM>, <EM>local6</EM>, and <EM>local7</EM>. The following syslog priorities are supported: <EM>alert</EM>, <EM>crit</EM>, <EM>debug</EM>, <EM>emerg</EM>,
+<EM>err</EM>, <EM>info</EM>, <EM>notice</EM>, and <EM>warning</EM>.
+
<P>
<HR>
<H2><A NAME="User_Specification">User Specification</A></H2>
Cmnd_Alias SU = /usr/bin/su
</PRE>
<P>
+Here we override some of the compiled in default values. We want sudo to
+log via <CODE>syslog(3)</CODE> using the <EM>auth</EM> facility in all cases. We don't want to subject the full time staff to the <STRONG>sudo</STRONG> lecture, and user <STRONG>millert</STRONG> need not give a password. In addition, on the machines in the <EM>SERVERS</EM> <CODE>Host_Alias</CODE>, we keep an additional local log file and make sure we log the year in
+each log line since the log entries will be kept around for several years.
+
+<P>
+<PRE> # Override builtin defaults
+ Defaults syslog=auth
+ Defaults:FULLTIMERS !lecture
+ Defaults:millert !authenticate
+ Defaults@SERVERS log_year, logfile=/var/log/sudo.log
+</PRE>
+<P>
The <EM>User specification</EM> is the part that actually determines who may run what.
<P>
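Review bot: `<CODE>syslog(3),</CODE>` in the "When logging via" paragraph puts the trailing comma inside the code element, whereas the EXAMPLES paragraph in the same file renders `<CODE>syslog(3)</CODE>` without it; move the comma outside so the two references match. The `<PRE>` block for `Parameter` also ends with a bare `||` and `Parameter_List`, used by `Default_Entry`, is never defined in the page; both come from sudoers.pod, so fix them there and regenerate this file with pod2html.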
''' $RCSfile$$Revision$$Date$
'''
''' $Log$
-''' Revision 1.11 1999/08/26 09:00:58 millert
-''' new sudoers(8) man page
+''' Revision 1.12 1999/10/11 15:55:11 millert
+''' Docuement "Defaults" lines in /etc/sudoers. Still needs some fleshing
+''' out but this is a start.
'''
'''
.de Sh
.nr % 0
.rr F
.\}
-.TH SUDOERS 5 "1.6" "25/Aug/1999" "FILE FORMATS"
+.TH sudoers 5 "1.6" "10/Oct/1999" "FILE FORMATS"
.UC
.if n .hy 0
.if n .na
\f(CWHost_Alias\fR and \f(CWCmnd_Alias\fR.
.PP
.Vb 4
-\& Alias ::= User_Alias = User_Alias (':' User_Alias)* |
-\& Runas_Alias (':' Runas_Alias)* |
-\& Host_Alias (':' Host_Alias)* |
-\& Cmnd_Alias (':' Cmnd_Alias)*
+\& Alias ::= 'User_Alias' = User_Alias (':' User_Alias)* |
+\& 'Runas_Alias' (':' Runas_Alias)* |
+\& 'Host_Alias' (':' Host_Alias)* |
+\& 'Cmnd_Alias' (':' Cmnd_Alias)*
.Ve
.Vb 1
\& User_Alias ::= NAME '=' User_List
(or match the wildcards if there are any). Note that the following
characters must be escaped with a \*(L'\e\*(R' if they are used in command
arguments: \*(L',\*(R', \*(L':\*(R', \*(L'=\*(R', \*(L'\e\e\*(R'.
+.Sh "Defaults"
+Certain configuration options may be changed from their default
+values at runtime via one or more \f(CWDefault_Entry\fR lines. These
+may affect all users on any host, all users on a specific host,
+or just a specific user. When multiple entries match, they are
+applied in order. Where there are conflicting values, the last
+value on a matching line takes effect.
+.PP
+.Vb 3
+\& Default_Type ::= 'Defaults' ||
+\& 'Defaults' ':' User ||
+\& 'Defaults' '@' Host
+.Ve
+.Vb 1
+\& Default_Entry ::= Default_Type Parameter_List
+.Ve
+.Vb 2
+\& Parameter ::= Parameter '=' Value ||
+\& '!'* Parameter ||
+.Ve
+Parameters may be flags, integer values, or strings. Flags are
+implicitly boolean and can be turned off via the \*(L'!\*(R' operator.
+Some integer and string parameters may also be used in a boolean
+context to disable them. Values may be enclosed in double quotes
+(\f(CW"\fR) when they contain multiple words. Special characters may
+be escaped with a backslash (\f(CW\e\fR).
+.PP
+\fBFlags\fR:
+.Ip "long_otp_prompt" 12
+Put \s-1OTP\s0 prompt on its own line
+.Ip "ignore_dot" 12
+Ignore \*(L'.\*(R' in \f(CW$PATH\fR
+.Ip "mail_always" 12
+Always send mail when sudo is run
+.Ip "mail_no_user" 12
+Send mail if the user is not in sudoers
+.Ip "mail_no_host" 12
+Send mail if the user is not in sudoers for this host
+.Ip "mail_no_perms" 12
+Send mail if the user is not allowed to run a command
+.Ip "tty_tickets" 12
+Use a separate timestamp for each user/tty combo
+.Ip "lecture" 12
+Lecture user the first time they run sudo
+.Ip "authenticate" 12
+Require users to authenticate by default
+.Ip "root_sudo" 12
+Root may run sudo
+.Ip "log_host" 12
+Log the hostname in the (non-syslog) log file
+.Ip "log_year" 12
+Log the year in the (non-syslog) log file
+.Ip "shell_noargs" 12
+If sudo is invoked with no arguments, start a shell
+.Ip "set_home" 12
+Set \f(CW$HOME\fR to the target user when starting a shell with \f(CW-s\fR
+.Ip "path_info" 12
+Allow some information gathering to give useful error messages
+.Ip "fqdn" 12
+Require fully-qualified hostnames in the sudoers file
+.Ip "insults" 12
+Insult the user when they enter an incorrect password
+.Ip "requiretty" 12
+Only allow the user to run sudo if they have a tty
+.PP
+\fBIntegers\fR:
+.Ip "passwd_tries" 12
+Number of tries to enter a password
+.PP
+\fBIntegers that can be used in a boolean context\fR:
+.Ip "loglinelen" 12
+Length at which to wrap log file lines (use 0 or negate for no wrap)
+.Ip "timestamp_timeout" 12
+Authentication timestamp timeout
+.Ip "passwd_timeout" 12
+Password prompt timeout
+.Ip "umask" 12
+Umask to use or 0777 to use user's
+.PP
+\fBStrings\fR:
+.Ip "mailsub" 12
+Subject line for mail messages
+.Ip "badpass_message" 12
+Incorrect password message
+.Ip "timestampdir" 12
+Path to authentication timestamp dir
+.Ip "passprompt" 12
+Default password prompt
+.Ip "runas_default" 12
+Default user to run commands as
+.Ip "syslog_goodpri" 12
+Syslog priority to use when user authenticates successfully
+.Ip "syslog_badpri" 12
+Syslog priority to use when user authenticates unsuccessfully
+.PP
+\fBStrings that can be used in a boolean context\fR:
+.Ip "syslog" 12
+Syslog facility if syslog is being used for logging (negate to disable syslog)
+.Ip "mailerpath" 12
+Path to mail program
+.Ip "mailerflags" 12
+Flags for mail program
+.Ip "mailto" 12
+Address to send mail to
+.Ip "exempt_group" 12
+Users in this group are exempt from password and \s-1PATH\s0 requirements
+.Ip "secure_path" 12
+Value to override user's \f(CW$PATH\fR with
+.PP
+When logging via \fIsyslog\fR\|(3), sudo accepts the following values for the syslog
+facility (the value of the \fIsyslog\fR Parameter): \fIauthpriv\fR (if your \s-1OS\s0
+supports it), \fIauth\fR, \fIdaemon\fR, \fIuser\fR, \fIlocal0\fR, \fIlocal1\fR, \fIlocal2\fR,
+\fIlocal3\fR, \fIlocal4\fR, \fIlocal5\fR, \fIlocal6\fR, and \fIlocal7\fR. The following
+syslog priorities are supported: \fIalert\fR, \fIcrit\fR, \fIdebug\fR, \fIemerg\fR,
+\fIerr\fR, \fIinfo\fR, \fInotice\fR, and \fIwarning\fR.
.Sh "User Specification"
.PP
.Vb 1
\& /usr/local/bin/zsh
\& Cmnd_Alias SU = /usr/bin/su
.Ve
+Here we override some of the compiled in default values. We want
+sudo to log via \fIsyslog\fR\|(3) using the \fIauth\fR facility in all cases.
+We don't want to subject the full time staff to the \fBsudo\fR lecture,
+and user \fBmillert\fR need not give a password. In addition, on the
+machines in the \fISERVERS\fR \f(CWHost_Alias\fR, we keep an additional
+local log file and make sure we log the year in each log line since
+the log entries will be kept around for several years.
+.PP
+.Vb 5
+\& # Override builtin defaults
+\& Defaults syslog=auth
+\& Defaults:FULLTIMERS !lecture
+\& Defaults:millert !authenticate
+\& Defaults@SERVERS log_year, logfile=/var/log/sudo.log
+.Ve
The \fIUser specification\fR is the part that actually determines who may
run what.
.PP
\fIsudo\fR\|(8), \fIvisudo\fR\|(8), \fIsu\fR\|(1), \fIfnmatch\fR\|(3).
.rn }` ''
-.IX Title "SUDOERS 5"
+.IX Title "sudoers 5"
.IX Name "sudoers - list of which users may execute what"
.IX Header "NAME"
.IX Subsection "Aliases"
+.IX Subsection "Defaults"
+
+.IX Item "long_otp_prompt"
+
+.IX Item "ignore_dot"
+
+.IX Item "mail_always"
+
+.IX Item "mail_no_user"
+
+.IX Item "mail_no_host"
+
+.IX Item "mail_no_perms"
+
+.IX Item "tty_tickets"
+
+.IX Item "lecture"
+
+.IX Item "authenticate"
+
+.IX Item "root_sudo"
+
+.IX Item "log_host"
+
+.IX Item "log_year"
+
+.IX Item "shell_noargs"
+
+.IX Item "set_home"
+
+.IX Item "path_info"
+
+.IX Item "fqdn"
+
+.IX Item "insults"
+
+.IX Item "requiretty"
+
+.IX Item "passwd_tries"
+
+.IX Item "loglinelen"
+
+.IX Item "timestamp_timeout"
+
+.IX Item "passwd_timeout"
+
+.IX Item "umask"
+
+.IX Item "mailsub"
+
+.IX Item "badpass_message"
+
+.IX Item "timestampdir"
+
+.IX Item "passprompt"
+
+.IX Item "runas_default"
+
+.IX Item "syslog_goodpri"
+
+.IX Item "syslog_badpri"
+
+.IX Item "syslog"
+
+.IX Item "mailerpath"
+
+.IX Item "mailerflags"
+
+.IX Item "mailto"
+
+.IX Item "exempt_group"
+
+.IX Item "secure_path"
+
.IX Subsection "User Specification"
.IX Subsection "Runas_Spec"
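Review bot: the `.Vb 2` / `.Ve` block for `Parameter` renders `'!'* Parameter ||` with a trailing `||` and nothing after it, so the formatted page shows a dangling operator; this is pod2man output, so the fix belongs in sudoers.pod and this file should only be regenerated. The integer descriptions `Authentication timestamp timeout` and `Password prompt timeout` give no unit, which matters for an administrator setting them; stating the unit (and the default) in the .pod source would carry through here.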
There are four kinds of aliases: the C<User_Alias>, C<Runas_Alias>,
C<Host_Alias> and C<Cmnd_Alias>.
- Alias ::= User_Alias = User_Alias (':' User_Alias)* |
- Runas_Alias (':' Runas_Alias)* |
- Host_Alias (':' Host_Alias)* |
- Cmnd_Alias (':' Cmnd_Alias)*
+ Alias ::= 'User_Alias' = User_Alias (':' User_Alias)* |
+ 'Runas_Alias' (':' Runas_Alias)* |
+ 'Host_Alias' (':' Host_Alias)* |
+ 'Cmnd_Alias' (':' Cmnd_Alias)*
User_Alias ::= NAME '=' User_List
characters must be escaped with a '\' if they are used in command
arguments: ',', ':', '=', '\\'.
+=head2 Defaults
+
+Certain configuration options may be changed from their default
+values at runtime via one or more C<Default_Entry> lines. These
+may affect all users on any host, all users on a specific host,
+or just a specific user. When multiple entries match, they are
+applied in order. Where there are conflicting values, the last
+value on a matching line takes effect.
+
+ Default_Type ::= 'Defaults' ||
+ 'Defaults' ':' User ||
+ 'Defaults' '@' Host
+
+ Default_Entry ::= Default_Type Parameter_List
+
+ Parameter ::= Parameter '=' Value ||
+ '!'* Parameter ||
+
+Parameters may be flags, integer values, or strings. Flags are
+implicitly boolean and can be turned off via the '!' operator.
+Some integer and string parameters may also be used in a boolean
+context to disable them. Values may be enclosed in double quotes
+(C<">) when they contain multiple words. Special characters may
+be escaped with a backslash (C<\>).
+
+B<Flags>:
+
+=over 12
+
+=item long_otp_prompt
+
+Put OTP prompt on its own line
+
+=item ignore_dot
+
+Ignore '.' in $PATH
+
+=item mail_always
+
+Always send mail when sudo is run
+
+=item mail_no_user
+
+Send mail if the user is not in sudoers
+
+=item mail_no_host
+
+Send mail if the user is not in sudoers for this host
+
+=item mail_no_perms
+
+Send mail if the user is not allowed to run a command
+
+=item tty_tickets
+
+Use a separate timestamp for each user/tty combo
+
+=item lecture
+
+Lecture user the first time they run sudo
+
+=item authenticate
+
+Require users to authenticate by default
+
+=item root_sudo
+
+Root may run sudo
+
+=item log_host
+
+Log the hostname in the (non-syslog) log file
+
+=item log_year
+
+Log the year in the (non-syslog) log file
+
+=item shell_noargs
+
+If sudo is invoked with no arguments, start a shell
+
+=item set_home
+
+Set $HOME to the target user when starting a shell with C<-s>
+
+=item path_info
+
+Allow some information gathering to give useful error messages
+
+=item fqdn
+
+Require fully-qualified hostnames in the sudoers file
+
+=item insults
+
+Insult the user when they enter an incorrect password
+
+=item requiretty
+
+Only allow the user to run sudo if they have a tty
+
+=back
+
+B<Integers>:
+
+=over 12
+
+=item passwd_tries
+
+Number of tries to enter a password
+
+=back
+
+B<Integers that can be used in a boolean context>:
+
+=over 12
+
+=item loglinelen
+
+Length at which to wrap log file lines (use 0 or negate for no wrap)
+
+=item timestamp_timeout
+
+Authentication timestamp timeout
+
+=item passwd_timeout
+
+Password prompt timeout
+
+=item umask
+
+Umask to use or 0777 to use user's
+
+=back
+
+B<Strings>:
+
+=over 12
+
+=item mailsub
+
+Subject line for mail messages
+
+=item badpass_message
+
+Incorrect password message
+
+=item timestampdir
+
+Path to authentication timestamp dir
+
+=item passprompt
+
+Default password prompt
+
+=item runas_default
+
+Default user to run commands as
+
+=item syslog_goodpri
+
+Syslog priority to use when user authenticates successfully
+
+=item syslog_badpri
+
+Syslog priority to use when user authenticates unsuccessfully
+
+=back 12
+
+B<Strings that can be used in a boolean context>:
+
+=over 12
+
+=item syslog
+
+Syslog facility if syslog is being used for logging (negate to disable syslog)
+
+=item mailerpath
+
+Path to mail program
+
+=item mailerflags
+
+Flags for mail program
+
+=item mailto
+
+Address to send mail to
+
+=item exempt_group
+
+Users in this group are exempt from password and PATH requirements
+
+=item secure_path
+
+Value to override user's $PATH with
+
+=back 12
+
+When logging via syslog(3), sudo accepts the following values for the syslog
+facility (the value of the I<syslog> Parameter): I<authpriv> (if your OS
+supports it), I<auth>, I<daemon>, I<user>, I<local0>, I<local1>, I<local2>,
+I<local3>, I<local4>, I<local5>, I<local6>, and I<local7>. The following
+syslog priorities are supported: I<alert>, I<crit>, I<debug>, I<emerg>,
+I<err>, I<info>, I<notice>, and I<warning>.
+
=head2 User Specification
Runas_Spec ::= '(' Runas_List ')'
/usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
+Here we override some of the compiled in default values. We want
+sudo to log via syslog(3) using the I<auth> facility in all cases.
+We don't want to subject the full time staff to the B<sudo> lecture,
+and user B<millert> need not give a password. In addition, on the
+machines in the I<SERVERS> C<Host_Alias>, we keep an additional
+local log file and make sure we log the year in each log line since
+the log entries will be kept around for several years.
+
+ # Override builtin defaults
+ Defaults syslog=auth
+ Defaults:FULLTIMERS !lecture
+ Defaults:millert !authenticate
+ Defaults@SERVERS log_year, logfile=/var/log/sudo.log
+
The I<User specification> is the part that actually determines who may
run what.
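Review bot: the grammar for Defaults has three problems in this source file that propagate to the generated .cat, .html and .man: `Parameter ::= Parameter '=' Value || '!'* Parameter ||` ends with a dangling `||` and has no final alternative (presumably a bare `Parameter` for flags), `Parameter_List` is used by `Default_Entry` but never defined (a `Parameter (',' Parameter)*` production would match the `log_year, logfile=...` example), and these productions use `||` as the alternation operator while every other production in the page (`Alias`, `Cmnd_Spec_List`) uses `|`. Separately, `=back 12` appears twice; `=back` takes no argument, so drop the `12` before pod2man or pod2html start complaining.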