-1.7.3b2 December 19, 2009 1
+1.7.3b2 April 7, 2010 1
-1.7.3b2 December 19, 2009 2
+1.7.3b2 April 7, 2010 2
-1.7.3b2 December 19, 2009 3
+1.7.3b2 April 7, 2010 3
-1.7.3b2 December 19, 2009 4
+1.7.3b2 April 7, 2010 4
-1.7.3b2 December 19, 2009 5
+1.7.3b2 April 7, 2010 5
-1.7.3b2 December 19, 2009 6
+1.7.3b2 April 7, 2010 6
-1.7.3b2 December 19, 2009 7
+1.7.3b2 April 7, 2010 7
-1.7.3b2 December 19, 2009 8
+1.7.3b2 April 7, 2010 8
-1.7.3b2 December 19, 2009 9
+1.7.3b2 April 7, 2010 9
which does not access the file system to do its
matching. The disadvantage of _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is that it is
unable to match relative path names such as _\b._\b/_\bl_\bs or
- _\b._\b._\b/_\bb_\bi_\bn_\b/_\bl_\bs. This flag is _\bo_\bf_\bf by default.
+ _\b._\b._\b/_\bb_\bi_\bn_\b/_\bl_\bs. This has security implications when path
+ names that include globbing characters are used with
+ the negation operator, '!', as such rules can be
+ trivially bypassed. As such, this option should not be
+ used when _\bs_\bu_\bd_\bo_\be_\br_\bs contains rules that contain negated
+ path names which include globbing characters. This
+ flag is _\bo_\bf_\bf by default.
fqdn Set this flag if you want to put fully qualified host
names in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. I.e., instead of myhost you
that turning on _\bf_\bq_\bd_\bn requires s\bsu\bud\bdo\bo to make DNS lookups
which may make s\bsu\bud\bdo\bo unusable if DNS stops working (for
example if the machine is not plugged into the
- network). Also note that you must use the host's
- official name as DNS knows it. That is, you may not
- use a host alias (CNAME entry) due to performance
- issues and the fact that there is no way to get all
- aliases from DNS. If your machine's host name (as
- returned by the hostname command) is already fully
-1.7.3b2 December 19, 2009 10
+1.7.3b2 April 7, 2010 10
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ network). Also note that you must use the host's
+ official name as DNS knows it. That is, you may not
+ use a host alias (CNAME entry) due to performance
+ issues and the fact that there is no way to get all
+ aliases from DNS. If your machine's host name (as
+ returned by the hostname command) is already fully
qualified you shouldn't need to set _\bf_\bq_\bd_\bn. This flag is
_\bo_\bf_\bf by default.
allowed to run commands on the current host. This flag
is _\bo_\bf_\bf by default.
- mail_no_perms If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
- invoking user is allowed to use s\bsu\bud\bdo\bo but the command
- they are trying is not listed in their _\bs_\bu_\bd_\bo_\be_\br_\bs file
- entry or is explicitly denied. This flag is _\bo_\bf_\bf by
- default.
-
-1.7.3b2 December 19, 2009 11
+1.7.3b2 April 7, 2010 11
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ mail_no_perms If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
+ invoking user is allowed to use s\bsu\bud\bdo\bo but the command
+ they are trying is not listed in their _\bs_\bu_\bd_\bo_\be_\br_\bs file
+ entry or is explicitly denied. This flag is _\bo_\bf_\bf by
+ default.
+
mail_no_user If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
invoking user is not in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. This flag is
_\bo_\bn by default.
to a real tty. When this flag is set, s\bsu\bud\bdo\bo can only be
run from a login session and not via other means such
as _\bc_\br_\bo_\bn(1m) or cgi-bin scripts. This flag is _\bo_\bf_\bf by
- default.
- root_sudo If set, root is allowed to run s\bsu\bud\bdo\bo too. Disabling
- this prevents users from "chaining" s\bsu\bud\bdo\bo commands to
- get a root shell by doing something like "sudo sudo
- /bin/sh". Note, however, that turning off _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo
-
-1.7.3b2 December 19, 2009 12
+1.7.3b2 April 7, 2010 12
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ default.
+
+ root_sudo If set, root is allowed to run s\bsu\bud\bdo\bo too. Disabling
+ this prevents users from "chaining" s\bsu\bud\bdo\bo commands to
+ get a root shell by doing something like "sudo sudo
+ /bin/sh". Note, however, that turning off _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo
will also prevent root and from running s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
Disabling _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo provides no real additional
security; it exists purely for historical reasons.
stay_setuid Normally, when s\bsu\bud\bdo\bo executes a command the real and
effective UIDs are set to the target user (root by
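Review bot: the unchanged context line "will also prevent root and from running sudoedit" carries a stray "and" (it should read "will also prevent root from running sudoedit"); since this hunk already moves the root_sudo paragraph across the page boundary, fix the typo in the same change rather than leaving it for another pagination pass.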
- default). This option changes that behavior such that
- the real UID is left as the invoking user's UID. In
- other words, this makes s\bsu\bud\bdo\bo act as a setuid wrapper.
- This can be useful on systems that disable some
- potentially dangerous functionality when a program is
- run setuid. This option is only effective on systems
-1.7.3b2 December 19, 2009 13
+1.7.3b2 April 7, 2010 13
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ default). This option changes that behavior such that
+ the real UID is left as the invoking user's UID. In
+ other words, this makes s\bsu\bud\bdo\bo act as a setuid wrapper.
+ This can be useful on systems that disable some
+ potentially dangerous functionality when a program is
+ run setuid. This option is only effective on systems
with either the _\bs_\be_\bt_\br_\be_\bu_\bi_\bd_\b(_\b) or _\bs_\be_\bt_\br_\be_\bs_\bu_\bi_\bd_\b(_\b) function.
This flag is _\bo_\bf_\bf by default.
use_loginclass If set, s\bsu\bud\bdo\bo will apply the defaults specified for the
target user's login class if one exists. Only
- available if s\bsu\bud\bdo\bo is configured with the
- --with-logincap option. This flag is _\bo_\bf_\bf by default.
-
- visiblepw By default, s\bsu\bud\bdo\bo will refuse to run if the user must
- enter a password but it is not possible to disable echo
- on the terminal. If the _\bv_\bi_\bs_\bi_\bb_\bl_\be_\bp_\bw flag is set, s\bsu\bud\bdo\bo
-1.7.3b2 December 19, 2009 14
+1.7.3b2 April 7, 2010 14
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ available if s\bsu\bud\bdo\bo is configured with the
+ --with-logincap option. This flag is _\bo_\bf_\bf by default.
+
+ visiblepw By default, s\bsu\bud\bdo\bo will refuse to run if the user must
+ enter a password but it is not possible to disable echo
+ on the terminal. If the _\bv_\bi_\bs_\bi_\bb_\bl_\be_\bp_\bw flag is set, s\bsu\bud\bdo\bo
will prompt for a password even when it would be
visible on the screen. This makes it possible to run
things like "rsh somehost sudo ls" since _\br_\bs_\bh(1) does
The actual umask that is used will be the union of the
user's umask and 0022. This guarantees that s\bsu\bud\bdo\bo never
lowers the umask when running a command. Note on
- systems that use PAM, the default PAM configuration may
- specify its own umask which will override the value set
- in _\bs_\bu_\bd_\bo_\be_\br_\bs.
- S\bSt\btr\bri\bin\bng\bgs\bs:
+1.7.3b2 April 7, 2010 15
-1.7.3b2 December 19, 2009 15
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ systems that use PAM, the default PAM configuration may
+ specify its own umask which will override the value set
+ in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+ S\bSt\btr\bri\bin\bng\bgs\bs:
badpass_message Message that is displayed if a user enters an incorrect
password. The default is Sorry, try again. unless
The default value is Password:.
- runas_default The default user to run commands as if the -\b-u\bu option is
- not specified on the command line. This defaults to
- root. Note that if _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt is set it m\bmu\bus\bst\bt occur
- before any Runas_Alias specifications.
-
- syslog_badpri Syslog priority to use when user authenticates
-1.7.3b2 December 19, 2009 16
+1.7.3b2 April 7, 2010 16
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ runas_default The default user to run commands as if the -\b-u\bu option is
+ not specified on the command line. This defaults to
+ root. Note that if _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt is set it m\bmu\bus\bst\bt occur
+ before any Runas_Alias specifications.
+
+ syslog_badpri Syslog priority to use when user authenticates
unsuccessfully. Defaults to alert.
syslog_goodpri Syslog priority to use when user authenticates
once Only lecture the user the first time they run s\bsu\bud\bdo\bo.
- If no value is specified, a value of _\bo_\bn_\bc_\be is implied.
- Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
- The default value is _\bo_\bn_\bc_\be.
-
-
-
-1.7.3b2 December 19, 2009 17
+1.7.3b2 April 7, 2010 17
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ If no value is specified, a value of _\bo_\bn_\bc_\be is implied.
+ Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
+ The default value is _\bo_\bn_\bc_\be.
+
lecture_file
Path to a file containing an alternate s\bsu\bud\bdo\bo lecture that
will be used in place of the standard lecture if the named
environment variable you may want to use this. Another use
is if you want to have the "root path" be separate from the
"user path." Users in the group specified by the
- _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option are not affected by _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh. This
- option is not set by default.
-
- syslog Syslog facility if syslog is being used for logging (negate
-1.7.3b2 December 19, 2009 18
+1.7.3b2 April 7, 2010 18
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option are not affected by _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh. This
+ option is not set by default.
+
+ syslog Syslog facility if syslog is being used for logging (negate
to disable syslog logging). Defaults to local2.
verifypw This option controls when a password will be required when
default list of environment variables to remove is
displayed when s\bsu\bud\bdo\bo is run by root with the _\b-_\bV option.
Note that many operating systems will remove
- potentially dangerous variables from the environment of
- any setuid process (such as s\bsu\bud\bdo\bo).
- env_keep Environment variables to be preserved in the user's
-
-1.7.3b2 December 19, 2009 19
+1.7.3b2 April 7, 2010 19
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ potentially dangerous variables from the environment of
+ any setuid process (such as s\bsu\bud\bdo\bo).
+
+ env_keep Environment variables to be preserved in the user's
environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is in effect.
This allows fine-grained control over the environment
s\bsu\bud\bdo\bo-spawned processes will receive. The argument may
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules
- # Cmnd alias specification
- Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
- /usr/sbin/restore, /usr/sbin/rrestore
- Cmnd_Alias KILL = /usr/bin/kill
-1.7.3b2 December 19, 2009 20
+1.7.3b2 April 7, 2010 20
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ # Cmnd alias specification
+ Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
+ /usr/sbin/restore, /usr/sbin/rrestore
+ Cmnd_Alias KILL = /usr/bin/kill
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt
jack CSNETS = ALL
- The user j\bja\bac\bck\bk may run any command on the machines in the _\bC_\bS_\bN_\bE_\bT_\bS alias
- (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of
- those networks, only 128.138.204.0 has an explicit netmask (in CIDR
-
-1.7.3b2 December 19, 2009 21
+1.7.3b2 April 7, 2010 21
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ The user j\bja\bac\bck\bk may run any command on the machines in the _\bC_\bS_\bN_\bE_\bT_\bS alias
+ (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of
+ those networks, only 128.138.204.0 has an explicit netmask (in CIDR
notation) indicating it is a class C network. For the other networks
in _\bC_\bS_\bN_\bE_\bT_\bS, the local machine's netmask will be used during matching.
The user f\bfr\bre\bed\bd can run commands as any user in the _\bD_\bB Runas_Alias
(o\bor\bra\bac\bcl\ble\be or s\bsy\byb\bba\bas\bse\be) without giving a password.
- john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
-
-
-1.7.3b2 December 19, 2009 22
+1.7.3b2 April 7, 2010 22
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
+
On the _\bA_\bL_\bP_\bH_\bA machines, user j\bjo\boh\bhn\bn may su to anyone except root but he is
not allowed to specify any options to the _\bs_\bu(1) command.
kind of restrictions should be considered advisory at best (and
reinforced by policy).
-P\bPR\bRE\bEV\bVE\bEN\bNT\bTI\bIN\bNG\bG S\bSH\bHE\bEL\bLL\bL E\bES\bSC\bCA\bAP\bPE\bES\bS
- Once s\bsu\bud\bdo\bo executes a program, that program is free to do whatever it
-1.7.3b2 December 19, 2009 23
+1.7.3b2 April 7, 2010 23
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ Furthermore, if the _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb option is in use, it is not possible to
+ reliably negate commands where the path name includes globbing (aka
+ wildcard) characters. This is because the C library's _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3)
+ function cannot resolve relative paths. While this is typically only
+ an inconvenience for rules that grant privileges, it can result in a
+ security issue for rules that subtract or revoke privileges.
+
+ For example, given the following _\bs_\bu_\bd_\bo_\be_\br_\bs entry:
+
+ john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,
+ /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
+
+ User j\bjo\boh\bhn\bn can still run /usr/bin/passwd root if _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is enabled by
+ changing to _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn and running ./passwd root instead.
+
+P\bPR\bRE\bEV\bVE\bEN\bNT\bTI\bIN\bNG\bG S\bSH\bHE\bEL\bLL\bL E\bES\bSC\bCA\bAP\bPE\bES\bS
+ Once s\bsu\bud\bdo\bo executes a program, that program is free to do whatever it
pleases, including run other programs. This can be a security issue
since it is not uncommon for a program to allow shell escapes, which
lets a user bypass s\bsu\bud\bdo\bo's access control and logging. Common programs
then s\bsu\bud\bdo\bo may be able to replace the exec family of functions
in the standard library with its own that simply return an
error. Unfortunately, there is no foolproof way to know
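Review bot: in the added SECURITY NOTES paragraph, the example is only convincing if the reader is told why the two entries behave differently: the non-wildcard allow entry /usr/bin/passwd [a-zA-Z0-9]* still matches when the command is typed as ./passwd, while the negated wildcard entry !/usr/bin/* root is compared textually by fnmatch(3) and never matches the relative path. Say that outright in the sentence "User john can still run /usr/bin/passwd root ..." instead of leaving it implicit. The paragraph also stops at describing the problem; the recommendation lives in the fast_glob option text added by this same patch ("this option should not be used when sudoers contains rules that contain negated path names which include globbing characters"), so either repeat that sentence here or add a pointer back to the fast_glob option, and note that fast_glob is off by default so only administrators who enabled it are affected.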
+
+
+
+1.7.3b2 April 7, 2010 24
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
whether or not _\bn_\bo_\be_\bx_\be_\bc will work at compile-time. _\bn_\bo_\be_\bx_\be_\bc
should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX,
MacOS X, and HP-UX 11.x. It is known n\bno\bot\bt to work on AIX and
This allows user a\baa\bar\bro\bon\bn to run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi
with _\bn_\bo_\be_\bx_\be_\bc enabled. This will prevent those two commands
-
-
-
-1.7.3b2 December 19, 2009 24
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
from executing other commands (such as a shell). If you are
unsure whether or not your system is capable of supporting
_\bn_\bo_\be_\bx_\be_\bc you can always just try it out and see if it works.
s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
including, but not limited to, the implied warranties of
merchantability and fitness for a particular purpose are disclaimed.
+
+
+
+1.7.3b2 April 7, 2010 25
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
See the LICENSE file distributed with s\bsu\bud\bdo\bo or
http://www.sudo.ws/sudo/license.html for complete details.
-1.7.3b2 December 19, 2009 25
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+1.7.3b2 April 7, 2010 26
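Review bot: the final region moves the page break so that the last two lines of the LICENSE text ("See the LICENSE file distributed with sudo or" and the URL) land alone on a new page 26, followed by 37 empty "+" lines and the new "1.7.3b2 April 7, 2010 26" footer; the previous output ended on page 25 immediately after the URL. Unless the formatter forces this, regenerate so the license paragraph stays together on page 25 and the document does not grow by an almost empty trailing page. The same applies to the earlier hunks that only shift the "SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)" header and the footer by one line each: they are pagination churn from the date change and contain nothing to review.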