settings
A vector of user-supplied s\bsu\bud\bdo\bo settings in the form of
- ``name=value'' strings. The vector is terminated by a NULL
+ "name=value" strings. The vector is terminated by a NULL
pointer. These settings correspond to flags the user
specified when running s\bsu\bud\bdo\bo. As such, they will only be
present when the corresponding flag has been specified on the
network_addrs=list
A space-separated list of IP network addresses and
- netmasks in the form ``addr/netmask'', e.g.
- ``192.168.1.2/255.255.255.0''. The address and netmask
+ netmasks in the form "addr/netmask", e.g.
+ "192.168.1.2/255.255.255.0". The address and netmask
pairs may be either IPv4 or IPv6, depending on what the
operating system supports. If the address contains a
colon (`:'), it is an IPv6 address, else it is IPv4.
vector instead of setting it based on the runas user.
progname=string
- The command name that sudo was run as, typically
- ``sudo'' or ``sudoedit''.
+ The command name that sudo was run as, typically "sudo"
+ or "sudoedit".
prompt=string
The prompt to use when requesting a password, if
user_info
A vector of information about the user running the command in
- the form of ``name=value'' strings. The vector is terminated
+ the form of "name=value" strings. The vector is terminated
by a NULL pointer.
When parsing _\bu_\bs_\be_\br_\b__\bi_\bn_\bf_\bo, the plugin should split on the f\bfi\bir\brs\bst\bt
tty=string
The path to the user's terminal device. If the user
has no terminal device associated with the session, the
- value will be empty, as in ``tty=''.
+ value will be empty, as in "tty=".
uid=uid_t
The real user ID of the user invoking s\bsu\bud\bdo\bo.
user_env
The user's environment in the form of a NULL-terminated
- vector of ``name=value'' strings.
+ vector of "name=value" strings.
When parsing _\bu_\bs_\be_\br_\b__\be_\bn_\bv, the plugin should split on the f\bfi\bir\brs\bst\bt
equal sign (`=') since the _\bn_\ba_\bm_\be field will never include one
EDITOR, and include it in _\ba_\br_\bg_\bv_\b__\bo_\bu_\bt (note that environment variables
may include command line flags). The files to be edited should be
copied from _\ba_\br_\bg_\bv into _\ba_\br_\bg_\bv_\b__\bo_\bu_\bt, separated from the editor and its
- arguments by a ``--'' element. The ``--'' will be removed by s\bsu\bud\bdo\bo
+ arguments by a "--" element. The "--" will be removed by s\bsu\bud\bdo\bo
before the editor is executed. The plugin should also set
_\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt_\b=_\bt_\br_\bu_\be in the _\bc_\bo_\bm_\bm_\ba_\bn_\bd_\b__\bi_\bn_\bf_\bo list.
env_add
Additional environment variables specified by the user on the
command line in the form of a NULL-terminated vector of
- ``name=value'' strings. The plugin may reject the command if
+ "name=value" strings. The plugin may reject the command if
one or more variables are not allowed to be set, or it may
silently ignore such variables.
command_info
Information about the command being run in the form of
- ``name=value'' strings. These values are used by s\bsu\bud\bdo\bo to set
+ "name=value" strings. These values are used by s\bsu\bud\bdo\bo to set
the execution environment when running a command. The plugin
is responsible for creating and populating the vector, which
must be terminated with a NULL pointer. The following values
password database, otherwise it will be NULL.
The _\bu_\bs_\be_\br_\b__\be_\bn_\bv argument points to the environment the command will
- run in, in the form of a NULL-terminated vector of ``name=value''
+ run in, in the form of a NULL-terminated vector of "name=value"
strings. This is the same string passed back to the front end via
the Policy Plugin's _\bu_\bs_\be_\br_\b__\be_\bn_\bv_\b__\bo_\bu_\bt parameter. If the i\bin\bni\bit\bt_\b_s\bse\bes\bss\bsi\bio\bon\bn()
function needs to modify the user environment, it should update the
settings
A vector of user-supplied s\bsu\bud\bdo\bo settings in the form of
- ``name=value'' strings. The vector is terminated by a NULL
+ "name=value" strings. The vector is terminated by a NULL
pointer. These settings correspond to flags the user
specified when running s\bsu\bud\bdo\bo. As such, they will only be
present when the corresponding flag has been specified on the
user_info
A vector of information about the user running the command in
- the form of ``name=value'' strings. The vector is terminated
+ the form of "name=value" strings. The vector is terminated
by a NULL pointer.
When parsing _\bu_\bs_\be_\br_\b__\bi_\bn_\bf_\bo, the plugin should split on the f\bfi\bir\brs\bst\bt
user_env
The user's environment in the form of a NULL-terminated
- vector of ``name=value'' strings.
+ vector of "name=value" strings.
When parsing _\bu_\bs_\be_\br_\b__\be_\bn_\bv, the plugin should split on the f\bfi\bir\brs\bst\bt
equal sign (`=') since the _\bn_\ba_\bm_\be field will never include one
The s\bsu\bud\bdo\bo front end does not have native support for running remote
commands. However, starting with s\bsu\bud\bdo\bo 1.8.8, the -\b-h\bh option may be used
to specify a remote host that is passed to the policy plugin. A plugin
- may also accept a _\br_\bu_\bn_\ba_\bs_\b__\bu_\bs_\be_\br in the form of ``user@hostname'' which will
+ may also accept a _\br_\bu_\bn_\ba_\bs_\b__\bu_\bs_\be_\br in the form of "user@hostname" which will
work with older versions of s\bsu\bud\bdo\bo. It is anticipated that remote commands
- will be supported by executing a ``helper'' program. The policy plugin
+ will be supported by executing a "helper" program. The policy plugin
should setup the execution environment such that the s\bsu\bud\bdo\bo front end will
run the helper which, in turn, will connect to the remote host and run
the command.
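Review bot: the unchanged line "should setup the execution environment such that the sudo front end will" in this paragraph uses "setup" as a verb. Since the paragraph is being touched for the "helper" quoting anyway, correct it to "set up" in the manual source so the regenerated page picks it up.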
the archives.
D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
+ s\bsu\bud\bdo\bo is provided "AS IS" and any express or implied warranties,
including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed. See the LICENSE
file distributed with s\bsu\bud\bdo\bo or https://www.sudo.ws/license.html for
env_keep += "my_func=()*"
- Without the ``=()*'' suffix, this would not match, as old-style b\bba\bas\bsh\bh
- shell functions are not preserved by default.
+ Without the "=()*" suffix, this would not match, as old-style b\bba\bas\bsh\bh shell
+ functions are not preserved by default.
The complete list of environment variables that s\bsu\bud\bdo\bo allows or denies is
- contained in the output of ``sudo -V'' when run as root. Please note
- that this list varies based on the operating system s\bsu\bud\bdo\bo is running on.
+ contained in the output of "sudo -V" when run as root. Please note that
+ this list varies based on the operating system s\bsu\bud\bdo\bo is running on.
On systems that support PAM where the p\bpa\bam\bm_\b_e\ben\bnv\bv module is enabled for s\bsu\bud\bdo\bo,
variables in the PAM environment may be merged in to the environment. If
Each _\bp_\br_\bo_\bd_\bu_\bc_\bt_\bi_\bo_\bn _\br_\bu_\bl_\be references others and thus makes up a grammar for
the language. EBNF also contains the following operators, which many
readers will recognize from regular expressions. Do not, however,
- confuse them with ``wildcard'' characters, which have different meanings.
+ confuse them with "wildcard" characters, which have different meanings.
? Means that the preceding symbol (or group of symbols) is optional.
That is, it may appear once or not at all.
command on your machine returns the fully qualified host name, you'll
need to use the _\bf_\bq_\bd_\bn option for wildcards to be useful. Note that s\bsu\bud\bdo\bo
only inspects actual network interfaces; this means that IP address
- 127.0.0.1 (localhost) will never match. Also, the host name
- ``localhost'' will only match if that is the actual host name, which is
- usually only the case for non-networked systems.
+ 127.0.0.1 (localhost) will never match. Also, the host name "localhost"
+ will only match if that is the actual host name, which is usually only
+ the case for non-networked systems.
digest ::= [A-Fa-f0-9]+ |
[[A-Za-z0-9+/=]+
the Cmnd must match exactly those given by the user on the command line
(or match the wildcards if there are any). Note that the following
characters must be escaped with a `\' if they are used in command
- arguments: `,', `:', `=', `\'. The built-in command ``sudoedit'' is used
+ arguments: `,', `:', `=', `\'. The built-in command "sudoedit" is used
to permit a user to run s\bsu\bud\bdo\bo with the -\b-e\be option (or as s\bsu\bud\bdo\boe\bed\bdi\bit\bt). It may
take command line arguments just as a normal command does. Note that
- ``sudoedit'' is a command built into s\bsu\bud\bdo\bo itself and must be specified in
+ "sudoedit" is a command built into s\bsu\bud\bdo\bo itself and must be specified in
the _\bs_\bu_\bd_\bo_\be_\br_\bs file without a leading path.
If a command name is prefixed with a Digest_Spec, the command will only
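Review bot: the added line "arguments: `,', `:', `=', `\'. The built-in command "sudoedit" is used" now mixes two quoting styles, with the single characters still in backtick/apostrophe form and the command name in straight double quotes. If the aim of the change is uniform ASCII quoting, convert the single-character quotes as well. If they are deliberately left alone because they mark literal characters, say so in the commit message so the difference reads as intentional.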
what user) on specified hosts. By default, commands are run as r\bro\boo\bot\bt, but
this can be changed on a per-command basis.
- The basic structure of a user specification is ``who where = (as_whom)
- what''. Let's break that down into its constituent parts:
+ The basic structure of a user specification is "who where = (as_whom)
+ what". Let's break that down into its constituent parts:
R\bRu\bun\bna\bas\bs_\b_S\bSp\bpe\bec\bc
A Runas_Spec determines the user and/or the group that a command may be
$ ppriv -l
- In addition, there are several ``special'' privilege strings:
+ In addition, there are several "special" privilege strings:
none the empty set
the group specified by the _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option.
By default, if the NOPASSWD tag is applied to any of the entries for a
- user on the current host, he or she will be able to run ``sudo -l''
- without a password. Additionally, a user may only run ``sudo -v''
+ user on the current host, he or she will be able to run "sudo -l"
+ without a password. Additionally, a user may only run "sudo -v"
without a password if the NOPASSWD tag is present for all a user's
entries that pertain to the current host. This behavior may be
overridden via the _\bv_\be_\br_\bi_\bf_\by_\bp_\bw and _\bl_\bi_\bs_\bt_\bp_\bw options.
s\bsu\bud\bdo\bo allows shell-style _\bw_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs (aka meta or glob characters) to be
used in host names, path names and command line arguments in the _\bs_\bu_\bd_\bo_\be_\br_\bs
file. Wildcard matching is done via the glob(3) and fnmatch(3) functions
- as specified by IEEE Std 1003.1 (``POSIX.1'').
+ as specified by IEEE Std 1003.1 ("POSIX.1").
* Matches any set of zero or more characters (including white
space).
The file name may also include the %h escape, signifying the short form
of the host name. In other words, if the machine's host name is
- ``xerxes'', then
+ "xerxes", then
#include /etc/sudoers.%h
!root
it would explicitly deny root but not match any other users. This is
- different from a true ``negation'' operator.
+ different from a true "negation" operator.
Note, however, that using a `!' in conjunction with the built-in A\bAL\bLL\bL
- alias to allow a user to run ``all but a few'' commands rarely works as
+ alias to allow a user to run "all but a few" commands rarely works as
intended (see _\bS_\bE_\bC_\bU_\bR_\bI_\bT_\bY _\bN_\bO_\bT_\bE_\bS below).
Long lines can be continued with a backslash (`\') as the last character
domain name. In other words, instead of myhost you
would use myhost.mydomain.edu. You may still use the
short form if you wish (and even mix the two). This
- option is only effective when the ``canonical'' host
+ option is only effective when the "canonical" host
name, as returned by the g\bge\bet\bta\bad\bdd\bdr\bri\bin\bnf\bfo\bo() or
g\bge\bet\bth\bho\bos\bst\btb\bby\byn\bna\bam\bme\be() function, is a fully-qualified domain
name. This is usually the case when the system is
configured to use DNS for host name resolution.
If the system is configured to use the _\b/_\be_\bt_\bc_\b/_\bh_\bo_\bs_\bt_\bs file
- in preference to DNS, the ``canonical'' host name may
- not be fully-qualified. The order that sources are
- queried for host name resolution is usually specified
- in the _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf, _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf,
- _\b/_\be_\bt_\bc_\b/_\bh_\bo_\bs_\bt_\b._\bc_\bo_\bn_\bf, or, in some cases, _\b/_\be_\bt_\bc_\b/_\br_\be_\bs_\bo_\bl_\bv_\b._\bc_\bo_\bn_\bf
- file. In the _\b/_\be_\bt_\bc_\b/_\bh_\bo_\bs_\bt_\bs file, the first host name of
- the entry is considered to be the ``canonical'' name;
- subsequent names are aliases that are not used by
- s\bsu\bud\bdo\boe\ber\brs\bs. For example, the following hosts file line
- for the machine ``xyzzy'' has the fully-qualified
- domain name as the ``canonical'' host name, and the
- short version as an alias.
+ in preference to DNS, the "canonical" host name may not
+ be fully-qualified. The order that sources are queried
+ for host name resolution is usually specified in the
+ _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf, _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf, _\b/_\be_\bt_\bc_\b/_\bh_\bo_\bs_\bt_\b._\bc_\bo_\bn_\bf,
+ or, in some cases, _\b/_\be_\bt_\bc_\b/_\br_\be_\bs_\bo_\bl_\bv_\b._\bc_\bo_\bn_\bf file. In the
+ _\b/_\be_\bt_\bc_\b/_\bh_\bo_\bs_\bt_\bs file, the first host name of the entry is
+ considered to be the "canonical" name; subsequent names
+ are aliases that are not used by s\bsu\bud\bdo\boe\ber\brs\bs. For example,
+ the following hosts file line for the machine "xyzzy"
+ has the fully-qualified domain name as the "canonical"
+ host name, and the short version as an alias.
192.168.1.1 xyzzy.sudo.ws xyzzy
which renders s\bsu\bud\bdo\bo unusable if DNS stops working (for
example if the machine is disconnected from the
network). Also note that just like with the hosts
- file, you must use the ``canonical'' name as DNS knows
+ file, you must use the "canonical" name as DNS knows
it. That is, you may not use a host alias (CNAME
entry) due to performance issues and the fact that
there is no way to get all aliases from DNS.
passprompt_override
The password prompt specified by _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will
normally only be used if the password prompt provided
- by systems such as PAM matches the string
- ``Password:''. If _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is set,
- _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will always be used. This flag is _\bo_\bf_\bf by
- default.
+ by systems such as PAM matches the string "Password:".
+ If _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is set, _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will always
+ be used. This flag is _\bo_\bf_\bf by default.
path_info Normally, s\bsu\bud\bdo\bo will tell the user when a command could
not be found in their PATH environment variable. Some
default.
root_sudo If set, root is allowed to run s\bsu\bud\bdo\bo too. Disabling
- this prevents users from ``chaining'' s\bsu\bud\bdo\bo commands to
- get a root shell by doing something like ``sudo sudo
- /bin/sh''. Note, however, that turning off _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo
+ this prevents users from "chaining" s\bsu\bud\bdo\bo commands to
+ get a root shell by doing something like "sudo sudo
+ /bin/sh". Note, however, that turning off _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo
will also prevent root from running s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
Disabling _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo provides no real additional
security; it exists purely for historical reasons.
on the terminal. If the _\bv_\bi_\bs_\bi_\bb_\bl_\be_\bp_\bw flag is set, s\bsu\bud\bdo\bo
will prompt for a password even when it would be
visible on the screen. This makes it possible to run
- things like ``ssh somehost sudo ls'' since by default,
+ things like "ssh somehost sudo ls" since by default,
ssh(1) does not allocate a tty when running a command.
This flag is _\bo_\bf_\bf by default.
higher.
maxseq The maximum sequence number that will be substituted
- for the ``%{seq}'' escape in the I/O log file (see the
+ for the "%{seq}" escape in the I/O log file (see the
_\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br description above for more information).
- While the value substituted for ``%{seq}'' is in base
- 36, _\bm_\ba_\bx_\bs_\be_\bq itself should be expressed in decimal.
- Values larger than 2176782336 (which corresponds to the
- base 36 sequence number ``ZZZZZZ'') will be silently
- truncated to 2176782336. The default value is
- 2176782336.
+ While the value substituted for "%{seq}" is in base 36,
+ _\bm_\ba_\bx_\bs_\be_\bq itself should be expressed in decimal. Values
+ larger than 2176782336 (which corresponds to the base
+ 36 sequence number "ZZZZZZ") will be silently truncated
+ to 2176782336. The default value is 2176782336.
Once the local sequence number reaches the value of
- _\bm_\ba_\bx_\bs_\be_\bq, it will ``roll over'' to zero, after which
+ _\bm_\ba_\bx_\bs_\be_\bq, it will "roll over" to zero, after which
s\bsu\bud\bdo\boe\ber\brs\bs will truncate and re-use any existing I/O log
path names.
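Review bot: the reflowed maxseq text keeps the statement that 2176782336 "corresponds to the base 36 sequence number "ZZZZZZ"", which is off by one. 36^6 is 2176782336, so "ZZZZZZ" in base 36 is 2176782335, and 2176782336 would need a seventh digit. Either the limit or the parenthetical should be corrected in the manual source (for example, describe 2176782336 as the number of six-digit base 36 values), because an administrator sizing I/O log retention from this paragraph cannot tell which value the truncation and roll-over actually use.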
value less than 0 the user's time stamp will not expire
until the system is rebooted. This can be used to
allow users to create or delete their own time stamps
- via ``sudo -v'' and ``sudo -k'' respectively.
+ via "sudo -v" and "sudo -k" respectively.
umask Umask to use when running the command. Negate this
option or set it to 0777 to preserve the user's umask.
options are enabled or when the LOG_INPUT or LOG_OUTPUT
tags are present for a command. Note that _\bi_\bo_\bl_\bo_\bg_\b__\bf_\bi_\bl_\be
may contain directory components. The default is
- ``%{seq}''.
+ "%{seq}".
See the _\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br option above for a list of supported
percent (`%') escape sequences.
mailsub Subject of the mail sent to the _\bm_\ba_\bi_\bl_\bt_\bo user. The
escape %h will expand to the host name of the machine.
- Default is ``*** SECURITY information for %h ***''.
+ Default is "*** SECURITY information for %h ***".
noexec_file As of s\bsu\bud\bdo\bo version 1.8.1 this option is no longer
supported. The path to the noexec file should now be
pam_login_service
On systems that use PAM for authentication, this is the
service name used when the -\b-i\bi option is specified. The
- default value is ``sudo''. See the description of
+ default value is "sudo". See the description of
_\bp_\ba_\bm_\b__\bs_\be_\br_\bv_\bi_\bc_\be for more information.
This setting is only supported by version 1.8.8 or
name specifies the PAM policy to apply. This usually
corresponds to an entry in the _\bp_\ba_\bm_\b._\bc_\bo_\bn_\bf file or a file
in the _\b/_\be_\bt_\bc_\b/_\bp_\ba_\bm_\b._\bd directory. The default value is
- ``sudo''.
+ "sudo".
This setting is only supported by version 1.8.8 or
higher.
%% two consecutive % characters are collapsed into a
single % character
- The default value is ``Password:''.
+ The default value is "Password:".
privs The default Solaris privileges to use when constructing
a new privilege set for a command. This is passed to
being truncated, s\bsu\bud\bdo\boe\ber\brs\bs will split up log messages
that are larger than _\bs_\by_\bs_\bl_\bo_\bg_\b__\bm_\ba_\bx_\bl_\be_\bn bytes. When a
message is split, additional parts will include the
- string ``(command continued)'' after the user name and
+ string "(command continued)" after the user name and
before the continued command line arguments.
This setting is only supported by version 1.8.19 or
sudoers_locale Locale to use when parsing the sudoers file, logging
commands, and sending email. Note that changing the
locale may affect how sudoers is interpreted. Defaults
- to ``C''.
+ to "C".
timestampdir The directory in which s\bsu\bud\bdo\bo stores its time stamp
files. This directory should be cleared when the
env_file The _\be_\bn_\bv_\b__\bf_\bi_\bl_\be option specifies the fully qualified path to a
file containing variables to be set in the environment of
the program being run. Entries in this file should either
- be of the form ``VARIABLE=value'' or ``export
- VARIABLE=value''. The value may optionally be surrounded
- by single or double quotes. Variables in this file are
- only added if the variable does not already exist in the
- environment. This file is considered to be part of the
- security policy, its contents are not subject to other s\bsu\bud\bdo\bo
- environment restrictions such as _\be_\bn_\bv_\b__\bk_\be_\be_\bp and _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk.
+ be of the form "VARIABLE=value" or "export VARIABLE=value".
+ The value may optionally be surrounded by single or double
+ quotes. Variables in this file are only added if the
+ variable does not already exist in the environment. This
+ file is considered to be part of the security policy, its
+ contents are not subject to other s\bsu\bud\bdo\bo environment
+ restrictions such as _\be_\bn_\bv_\b__\bk_\be_\be_\bp and _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk.
exempt_group Users in this group are exempt from password and PATH
requirements. The group name specified should not include
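Review bot: the rewritten env_file paragraph carries over the comma splice in "file is considered to be part of the security policy, its contents are not subject to other sudo environment restrictions". This is the sentence that tells the administrator the file bypasses env_keep and env_check, so it should read unambiguously. Split it at the comma with a semicolon or a full stop in the manual source.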
mailerpath Path to mail program used to send warning mail. Defaults
to the path to sendmail found at configure time.
- mailfrom Address to use for the ``from'' address when sending
- warning and error mail. The address should be enclosed in
- double quotes ("") to protect against s\bsu\bud\bdo\bo interpreting the
- @ sign. Defaults to the name of the user running s\bsu\bud\bdo\bo.
+ mailfrom Address to use for the "from" address when sending warning
+ and error mail. The address should be enclosed in double
+ quotes ("") to protect against s\bsu\bud\bdo\bo interpreting the @
+ sign. Defaults to the name of the user running s\bsu\bud\bdo\bo.
mailto Address to send warning and error mail to. The address
should be enclosed in double quotes ("") to protect against
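Review bot: in the mailfrom entry the added lines quote the word "from" with the same straight double quotes that the next sentence tells the reader to type literally ("double quotes ("") to protect against sudo interpreting the @ sign"). With the old ``from'' form, prose quoting and literal sudoers syntax were visually distinct; after this change they are not. Consider dropping the quotes around from, or rendering literal syntax differently, so that readers do not copy prose quotes into sudoers values.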
secure_path Path used for every command run from s\bsu\bud\bdo\bo. If you don't
trust the people running s\bsu\bud\bdo\bo to have a sane PATH
environment variable you may want to use this. Another use
- is if you want to have the ``root path'' be separate from
- the ``user path''. Users in the group specified by the
+ is if you want to have the "root path" be separate from the
+ "user path". Users in the group specified by the
_\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option are not affected by _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh. This
option is not set by default.
L\bLi\bis\bst\bts\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
env_check Environment variables to be removed from the user's
- environment unless they are considered ``safe''. For
- all variables except TZ, ``safe'' means that the
- variable's value does not contain any `%' or `/'
- characters. This can be used to guard against printf-
- style format vulnerabilities in poorly-written
- programs. The TZ variable is considered unsafe if any
- of the following are true:
+ environment unless they are considered "safe". For all
+ variables except TZ, "safe" means that the variable's
+ value does not contain any `%' or `/' characters. This
+ can be used to guard against printf-style format
+ vulnerabilities in poorly-written programs. The TZ
+ variable is considered unsafe if any of the following
+ are true:
+\b+\bo\bo It consists of a fully-qualified path name,
optionally prefixed with a colon (`:'), that does
Where the fields are as follows:
date The date the command was run. Typically, this is in the
- format ``MMM, DD, HH:MM:SS''. If logging via syslog(3),
- the actual date format is controlled by the syslog daemon.
- If logging to a file and the _\bl_\bo_\bg_\b__\by_\be_\ba_\br option is enabled,
- the date will also include the year.
+ format "MMM, DD, HH:MM:SS". If logging via syslog(3), the
+ actual date format is controlled by the syslog daemon. If
+ logging to a file and the _\bl_\bo_\bg_\b__\by_\be_\ba_\br option is enabled, the
+ date will also include the year.
hostname The name of the host s\bsu\bud\bdo\bo was run on. This field is only
present when logging via syslog(3).
username The login name of the user who ran s\bsu\bud\bdo\bo.
- ttyname The short name of the terminal (e.g. ``console'',
- ``tty01'', or ``pts/0'') s\bsu\bud\bdo\bo was run on, or ``unknown'' if
- there was no terminal present.
+ ttyname The short name of the terminal (e.g. "console", "tty01", or
+ "pts/0") s\bsu\bud\bdo\bo was run on, or "unknown" if there was no
+ terminal present.
cwd The current working directory that s\bsu\bud\bdo\bo was run in.
command The actual command that was executed.
Messages are logged using the locale specified by _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bl_\bo_\bc_\ba_\bl_\be, which
- defaults to the ``C'' locale.
+ defaults to the "C" locale.
D\bDe\ben\bni\bie\bed\bd c\bco\bom\bmm\bma\ban\bnd\bd l\blo\bog\bg e\ben\bnt\btr\bri\bie\bes\bs
If the user is not allowed to run the command, the reason for the denial
user ID 0 to a different value. Normally, s\bsu\bud\bdo\boe\ber\brs\bs tries to open the
_\bs_\bu_\bd_\bo_\be_\br_\bs file using group permissions to avoid this problem. Consider
either changing the ownership of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs or adding an argument
- like ``sudoers_uid=N'' (where `N' is the user ID that owns the _\bs_\bu_\bd_\bo_\be_\br_\bs
+ like "sudoers_uid=N" (where `N' is the user ID that owns the _\bs_\bu_\bd_\bo_\be_\br_\bs
file) to the end of the s\bsu\bud\bdo\boe\ber\brs\bs Plugin line in the sudo.conf(4) file.
unable to stat /etc/sudoers
/etc/sudoers is owned by uid N, should be 0
The _\bs_\bu_\bd_\bo_\be_\br_\bs file has the wrong owner. If you wish to change the
- _\bs_\bu_\bd_\bo_\be_\br_\bs file owner, please add ``sudoers_uid=N'' (where `N' is the
- user ID that owns the _\bs_\bu_\bd_\bo_\be_\br_\bs file) to the s\bsu\bud\bdo\boe\ber\brs\bs Plugin line in the
+ _\bs_\bu_\bd_\bo_\be_\br_\bs file owner, please add "sudoers_uid=N" (where `N' is the user
+ ID that owns the _\bs_\bu_\bd_\bo_\be_\br_\bs file) to the s\bsu\bud\bdo\boe\ber\brs\bs Plugin line in the
sudo.conf(4) file.
/etc/sudoers is world writable
The permissions on the _\bs_\bu_\bd_\bo_\be_\br_\bs file allow all users to write to it.
The _\bs_\bu_\bd_\bo_\be_\br_\bs file must not be world-writable, the default file mode is
0440 (readable by owner and group, writable by none). The default
- mode may be changed via the ``sudoers_mode'' option to the s\bsu\bud\bdo\boe\ber\brs\bs
+ mode may be changed via the "sudoers_mode" option to the s\bsu\bud\bdo\boe\ber\brs\bs
Plugin line in the sudo.conf(4) file.
/etc/sudoers is owned by gid N, should be 1
The _\bs_\bu_\bd_\bo_\be_\br_\bs file has the wrong group ownership. If you wish to change
- the _\bs_\bu_\bd_\bo_\be_\br_\bs file group ownership, please add ``sudoers_gid=N'' (where
+ the _\bs_\bu_\bd_\bo_\be_\br_\bs file group ownership, please add "sudoers_gid=N" (where
`N' is the group ID that owns the _\bs_\bu_\bd_\bo_\be_\br_\bs file) to the s\bsu\bud\bdo\boe\ber\brs\bs Plugin
line in the sudo.conf(4) file.
and log all user input and/or output. I/O is logged to the directory
specified by the _\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br option (_\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo by default) using a
unique session ID that is included in the s\bsu\bud\bdo\bo log line, prefixed with
- ``TSID=''. The _\bi_\bo_\bl_\bo_\bg_\b__\bf_\bi_\bl_\be option may be used to control the format of
- the session ID.
+ "TSID=". The _\bi_\bo_\bl_\bo_\bg_\b__\bf_\bi_\bl_\be option may be used to control the format of the
+ session ID.
Each I/O log is stored in a separate directory that contains the
following files:
jim +biglab = ALL
The user j\bji\bim\bm may run any command on machines in the _\bb_\bi_\bg_\bl_\ba_\bb netgroup.
- s\bsu\bud\bdo\bo knows that ``biglab'' is a netgroup due to the `+' prefix.
+ s\bsu\bud\bdo\bo knows that "biglab" is a netgroup due to the `+' prefix.
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
L\bLi\bim\bmi\bit\bta\bat\bti\bio\bon\bns\bs o\bof\bf t\bth\bhe\be `\b`!\b!'\b' o\bop\bpe\ber\bra\bat\bto\bor\br
- It is generally not effective to ``subtract'' commands from A\bAL\bLL\bL using the
+ It is generally not effective to "subtract" commands from A\bAL\bLL\bL using the
`!' operator. A user can trivially circumvent this by copying the
desired command to a different name and then executing that. For
example:
invoking user and with the environment unmodified. More information may
be found in the description of the -\b-e\be option in sudo(1m).
- For example, to allow user operator to edit the ``message of the day''
+ For example, to allow user operator to edit the "message of the day"
file:
operator sudoedit /etc/motd
the archives.
D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
+ s\bsu\bud\bdo\bo is provided "AS IS" and any express or implied warranties,
including, but not limited to, the implied warranties of merchantability
and fitness for a particular purpose are disclaimed. See the LICENSE
file distributed with s\bsu\bud\bdo\bo or https://www.sudo.ws/license.html for