-1.7.5b2 January 28, 2011 1
+1.7.5b2 February 3, 2011 1
-1.7.5b2 January 28, 2011 2
+1.7.5b2 February 3, 2011 2
-1.7.5b2 January 28, 2011 3
+1.7.5b2 February 3, 2011 3
-1.7.5b2 January 28, 2011 4
+1.7.5b2 February 3, 2011 4
The user d\bdg\bgb\bb may run _\b/_\bb_\bi_\bn_\b/_\bl_\bs, _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm -- but only
as o\bop\bpe\ber\bra\bat\bto\bor\br. E.g.,
- $ sudo -u operator /bin/ls.
+ $ sudo -u operator /bin/ls
-1.7.5b2 January 28, 2011 5
+1.7.5b2 February 3, 2011 5
dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \
/usr/bin/lprm
+ Note that while the group portion of the Runas_Spec permits the user to
+ run as command with that group, it does not force the user to do so.
+ If no group is specified on the command line, the command will run with
+ the group listed in the target user's password database entry. The
+ following would all be permitted by the sudoers entry above:
+
+ $ sudo -u operator /bin/ls
+ $ sudo -u operator -g operator /bin/ls
+ $ sudo -g operator /bin/ls
+
In the following example, user t\btc\bcm\bm may run commands that access a modem
- device file with the dialer group. Note that in this example only the
- group will be set, the command still runs as user t\btc\bcm\bm.
+ device file with the dialer group.
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
/usr/local/bin/minicom
+ Note that in this example only the group will be set, the command still
+ runs as user t\btc\bcm\bm. E.g.
+
+ $ sudo -g dialer /usr/bin/cu
+
+ Multiple users and groups may be present in a Runas_Spec, in which case
+ the user may select any combination of users and groups via the -\b-u\bu and
+ -\b-g\bg options. In this example:
+
+ alan ALL = (root, bin : operator, system) ALL
+
+ user a\bal\bla\ban\bn may run any command as either user root or bin, optionally
+ setting the group to operator or system.
+
S\bSE\bEL\bLi\bin\bnu\bux\bx_\b_S\bSp\bpe\bec\bc
On systems with SELinux support, _\bs_\bu_\bd_\bo_\be_\br_\bs entries may optionally have an
SELinux role and/or type associated with a command. If a role or type
T\bTa\bag\bg_\b_S\bSp\bpe\bec\bc
A command may have zero or more tags associated with it. There are
eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV,
+
+
+
+1.7.5b2 February 3, 2011 6
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
NOSETENV, LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a
tag is set on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit
the tag unless it is overridden by the opposite tag (i.e.: PASSWD
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
Note, however, that the PASSWD tag has no effect on users who are in
-
-
-
-1.7.5b2 January 28, 2011 6
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
the group specified by the _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option.
By default, if the NOPASSWD tag is applied to any of the entries for a
restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such,
only trusted users should be allowed to set variables in this manner.
If the command matched is A\bAL\bLL\bL, the SETENV tag is implied for that
+
+
+
+1.7.5b2 February 3, 2011 7
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
command; this default may be overridden by use of the NOSETENV tag.
_\bL_\bO_\bG_\b__\bI_\bN_\bP_\bU_\bT _\ba_\bn_\bd _\bN_\bO_\bL_\bO_\bG_\b__\bI_\bN_\bP_\bU_\bT
? Matches any single character.
-
-
-1.7.5b2 January 28, 2011 7
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
[...] Matches any character in the specified range.
[!...] Matches any character n\bno\bot\bt in the specified range.
_\bs_\bu_\bd_\bo_\be_\br_\bs entry it means that command is not allowed to be run
with a\ban\bny\by arguments.
+
+
+
+1.7.5b2 February 3, 2011 8
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
I\bIn\bnc\bcl\blu\bud\bdi\bin\bng\bg o\bot\bth\bhe\ber\br f\bfi\bil\ble\bes\bs f\bfr\bro\bom\bm w\bwi\bit\bth\bhi\bin\bn s\bsu\bud\bdo\boe\ber\brs\bs
It is possible to include other _\bs_\bu_\bd_\bo_\be_\br_\bs files from within the _\bs_\bu_\bd_\bo_\be_\br_\bs
file currently being parsed using the #include and #includedir
#include /etc/sudoers.%h
-
-
-1.7.5b2 January 28, 2011 8
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
will cause s\bsu\bud\bdo\bo to include the file _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bx_\be_\br_\bx_\be_\bs.
The #includedir directive can be used to create a _\bs_\bu_\bd_\bo_\b._\bd directory that
as a uid). Both the comment character and any text after it, up to the
end of the line, are ignored.
+
+
+
+1.7.5b2 February 3, 2011 9
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
The reserved word A\bAL\bLL\bL is a built-in _\ba_\bl_\bi_\ba_\bs that always causes a match to
succeed. It can be used wherever one might otherwise use a Cmnd_Alias,
User_Alias, Runas_Alias, or Host_Alias. You should not try to define
used as part of a word (e.g. a user name or host name): '@', '!', '=',
':', ',', '(', ')', '\'.
-
-
-
-
-1.7.5b2 January 28, 2011 9
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
S\bSU\bUD\bDO\bOE\bER\bRS\bS O\bOP\bPT\bTI\bIO\bON\bNS\bS
s\bsu\bud\bdo\bo's behavior can be modified by Default_Entry lines, as explained
earlier. A list of all supported Defaults parameters, grouped by type,
by default.
compress_io If set, and s\bsu\bud\bdo\bo is configured to log a command's input
+
+
+
+1.7.5b2 February 3, 2011 10
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
or output, the I/O logs will be compressed using z\bzl\bli\bib\bb.
This flag is _\bo_\bn by default when s\bsu\bud\bdo\bo is compiled with
z\bzl\bli\bib\bb support.
its value will be used for the PATH environment
variable. This flag is _\bo_\bn by default.
-
-
-
-1.7.5b2 January 28, 2011 10
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
fast_glob Normally, s\bsu\bud\bdo\bo uses the _\bg_\bl_\bo_\bb(3) function to do shell-
style globbing when matching path names. However,
since it accesses the file system, _\bg_\bl_\bo_\bb(3) can take a
use a host alias (CNAME entry) due to performance
issues and the fact that there is no way to get all
aliases from DNS. If your machine's host name (as
+
+
+
+1.7.5b2 February 3, 2011 11
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
returned by the hostname command) is already fully
qualified you shouldn't need to set _\bf_\bq_\bd_\bn. This flag is
_\bo_\bf_\bf by default.
insults If set, s\bsu\bud\bdo\bo will insult users when they enter an
incorrect password. This flag is _\bo_\bf_\bf by default.
-
-
-
-1.7.5b2 January 28, 2011 11
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
log_host If set, the host name will be logged in the (non-
syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
entry or is explicitly denied. This flag is _\bo_\bf_\bf by
default.
+
+
+1.7.5b2 February 3, 2011 12
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
mail_no_user If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
invoking user is not in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. This flag is
_\bo_\bn by default.
passprompt_override
The password prompt specified by _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will
normally only be used if the password prompt provided
-
-
-
-1.7.5b2 January 28, 2011 12
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
by systems such as PAM matches the string "Password:".
If _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is set, _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will always
be used. This flag is _\bo_\bf_\bf by default.
this prevents users from "chaining" s\bsu\bud\bdo\bo commands to
get a root shell by doing something like "sudo sudo
/bin/sh". Note, however, that turning off _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo
+
+
+
+1.7.5b2 February 3, 2011 13
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
will also prevent root from running s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
Disabling _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo provides no real additional
security; it exists purely for historical reasons.
_\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt is disabled or HOME is present in the
_\be_\bn_\bv_\b__\bk_\be_\be_\bp list. This flag is _\bo_\bf_\bf by default.
-
-
-1.7.5b2 January 28, 2011 13
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
set_logname Normally, s\bsu\bud\bdo\bo will set the LOGNAME, USER and USERNAME
environment variables to the name of the target user
(usually root unless the -\b-u\bu option is given). However,
effective UIDs are set to the target user (root by
default). This option changes that behavior such that
the real UID is left as the invoking user's UID. In
+
+
+
+1.7.5b2 February 3, 2011 14
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
other words, this makes s\bsu\bud\bdo\bo act as a setuid wrapper.
This can be useful on systems that disable some
potentially dangerous functionality when a program is
a unique session ID that is included in the normal s\bsu\bud\bdo\bo
log line, prefixed with _\bT_\bS_\bI_\bD_\b=.
-
-
-1.7.5b2 January 28, 2011 14
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
log_output If set, s\bsu\bud\bdo\bo will run the command in a _\bp_\bs_\be_\bu_\bd_\bo _\bt_\bt_\by and
log all output that is sent to the screen, similar to
the _\bs_\bc_\br_\bi_\bp_\bt(1) command. If the standard output or
be the union of the user's umask and what is specified
in _\bs_\bu_\bd_\bo_\be_\br_\bs. This flag is _\bo_\bf_\bf by default.
+
+
+1.7.5b2 February 3, 2011 15
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
use_loginclass If set, s\bsu\bud\bdo\bo will apply the defaults specified for the
target user's login class if one exists. Only
available if s\bsu\bud\bdo\bo is configured with the
closefrom Before it executes a command, s\bsu\bud\bdo\bo will close all open
file descriptors other than standard input, standard
-
-
-
-1.7.5b2 January 28, 2011 15
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
output and standard error (ie: file descriptors 0-2).
The _\bc_\bl_\bo_\bs_\be_\bf_\br_\bo_\bm option can be used to specify a different
file descriptor at which to start closing. The default
this to 0 to always prompt for a password. If set to a
value less than 0 the user's timestamp will never
expire. This can be used to allow users to create or
+
+
+
+1.7.5b2 February 3, 2011 16
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
delete their own timestamps via sudo -v and sudo -k
respectively.
possible, or the first editor in the list that exists
and is executable. The default is "vi".
-
-
-1.7.5b2 January 28, 2011 16
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
iolog_dir The directory in which to store input/output logs when
the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt or _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt options are enabled or when
the LOG_INPUT or LOG_OUTPUT tags are present for a
name
%p expanded to the user whose password is being asked
+
+
+
+1.7.5b2 February 3, 2011 17
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
for (respects the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and _\br_\bu_\bn_\ba_\bs_\bp_\bw
flags in _\bs_\bu_\bd_\bo_\be_\br_\bs)
before any Runas_Alias specifications.
syslog_badpri Syslog priority to use when user authenticates
-
-
-
-1.7.5b2 January 28, 2011 17
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
unsuccessfully. Defaults to alert.
syslog_goodpri Syslog priority to use when user authenticates
terminal is available. This may be the case when s\bsu\bud\bdo\bo is
executed from a graphical (as opposed to text-based)
application. The program specified by _\ba_\bs_\bk_\bp_\ba_\bs_\bs should
+
+
+
+1.7.5b2 February 3, 2011 18
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
display the argument passed to it as the prompt and write
the user's password to the standard output. The value of
_\ba_\bs_\bk_\bp_\ba_\bs_\bs may be overridden by the SUDO_ASKPASS environment
never Never lecture the user.
-
-
-
-1.7.5b2 January 28, 2011 18
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
once Only lecture the user the first time they run s\bsu\bud\bdo\bo.
If no value is specified, a value of _\bo_\bn_\bc_\be is implied.
never The user need never enter a password to use the -\b-l\bl
option.
+
+
+
+1.7.5b2 February 3, 2011 19
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
If no value is specified, a value of _\ba_\bn_\by is implied.
Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
The default value is _\ba_\bn_\by.
secure_path Path used for every command run from s\bsu\bud\bdo\bo. If you don't
trust the people running s\bsu\bud\bdo\bo to have a sane PATH
environment variable you may want to use this. Another use
-
-
-
-1.7.5b2 January 28, 2011 19
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
is if you want to have the "root path" be separate from the
"user path." Users in the group specified by the
_\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option are not affected by _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh. This
Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
The default value is _\ba_\bl_\bl.
+
+
+1.7.5b2 February 3, 2011 20
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
L\bLi\bis\bst\bts\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
env_check Environment variables to be removed from the user's
can be replaced, added to, deleted from, or disabled by
using the =, +=, -=, and ! operators respectively. The
default list of environment variables to remove is
-
-
-
-1.7.5b2 January 28, 2011 20
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
displayed when s\bsu\bud\bdo\bo is run by root with the _\b-_\bV option.
Note that many operating systems will remove
potentially dangerous variables from the environment of
_\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bg_\br_\bo_\bu_\bp List of network groups
+
+
+
+1.7.5b2 February 3, 2011 21
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
_\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo I/O log files
E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
# Host alias specification
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
-
-
-
-1.7.5b2 January 28, 2011 21
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
SGI = grolsch, dandelion, black :\
ALPHA = widget, thalamus, foobar :\
HPPA = boa, nag, python
Additionally, on the machines in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, we keep an
additional local log file and make sure we log the year in each log
line since the log entries will be kept around for several years.
+
+
+
+1.7.5b2 February 3, 2011 22
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
Lastly, we disable shell escapes for the commands in the PAGERS
Cmnd_Alias (_\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be, _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bp_\bg and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\be_\bs_\bs).
Full time sysadmins (m\bmi\bil\bll\ble\ber\brt\bt, m\bmi\bik\bke\bef\bf, and d\bdo\bow\bwd\bdy\by) may run any command on
any host without authenticating themselves.
-
-
-1.7.5b2 January 28, 2011 22
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
PARTTIMERS ALL = ALL
Part time sysadmins (b\bbo\bos\bst\btl\ble\bey\by, j\bjw\bwf\bfo\box\bx, and c\bcr\bra\baw\bwl\bl) may run any command on
joe ALL = /usr/bin/su operator
+
+
+
+1.7.5b2 February 3, 2011 23
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
The user j\bjo\boe\be may only _\bs_\bu(1) to operator.
pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
-
-
-
-1.7.5b2 January 28, 2011 23
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
Users in the s\bse\bec\bcr\bre\bet\bta\bar\bri\bie\bes\bs netgroup need to help manage the printers as
well as add and remove users, so they are allowed to run those commands
on all machines.
The user s\bst\bte\bev\bve\be may run any command in the directory
/usr/local/op_commands/ but only as user operator.
+
+
+1.7.5b2 February 3, 2011 24
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
matt valkyrie = KILL
On his personal workstation, valkyrie, m\bma\bat\btt\bt needs to be able to kill
desired command to a different name and then executing that. For
example:
-
-
-1.7.5b2 January 28, 2011 24
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
bill ALL = ALL, !SU, !SHELLS
Doesn't really prevent b\bbi\bil\bll\bl from running the commands listed in _\bS_\bU or
since it is not uncommon for a program to allow shell escapes, which
lets a user bypass s\bsu\bud\bdo\bo's access control and logging. Common programs
that permit shell escapes include shells (obviously), editors,
+
+
+
+1.7.5b2 February 3, 2011 25
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
paginators, mail and terminal programs.
There are two basic approaches to this problem:
sudo -V | grep "dummy exec"
-
-
-1.7.5b2 January 28, 2011 25
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
If the resulting output contains a line that begins with:
File containing dummy exec functions:
unsure whether or not your system is capable of supporting
_\bn_\bo_\be_\bx_\be_\bc you can always just try it out and see if it works.
+
+
+
+1.7.5b2 February 3, 2011 26
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
Note that restricting shell escapes is not a panacea. Programs running
as root are still capable of many potentially hazardous operations
(such as changing or overwriting files) that could lead to unintended
S\bSU\bUP\bPP\bPO\bOR\bRT\bT
Limited free support is available via the sudo-users mailing list, see
-
-
-
-1.7.5b2 January 28, 2011 26
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
the archives.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-1.7.5b2 January 28, 2011 27
+1.7.5b2 February 3, 2011 27
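Review bot: from the `+1.7.5b2 February 3, 2011 6` footer to the final page 27 footer, every hunk only shifts a page header/footer block by the lines the new Runas_Spec text added and updates the footer date; no wording in those pages changes. That is what regenerating the pre-formatted page from its source produces, so review of this file can stop at the Runas_Spec hunk; if the page was instead hand-edited, please regenerate it, because the overstrike (`\b`) formatting in this file is easy to corrupt by hand.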