-1.6.9 November 19, 2004 1
+1.6.9 November 28, 2004 1
-1.6.9 November 19, 2004 2
+1.6.9 November 28, 2004 2
-1.6.9 November 19, 2004 3
+1.6.9 November 28, 2004 3
-1.6.9 November 19, 2004 4
+1.6.9 November 28, 2004 4
-1.6.9 November 19, 2004 5
+1.6.9 November 28, 2004 5
-1.6.9 November 19, 2004 6
+1.6.9 November 28, 2004 6
-1.6.9 November 19, 2004 7
+1.6.9 November 28, 2004 7
-1.6.9 November 19, 2004 8
+1.6.9 November 28, 2004 8
-1.6.9 November 19, 2004 9
+1.6.9 November 28, 2004 9
-1.6.9 November 19, 2004 10
+1.6.9 November 28, 2004 10
-1.6.9 November 19, 2004 11
+1.6.9 November 28, 2004 11
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- The default value is _\bo_\bn_\bc_\be.
+ If no value is specified, a value of _\bo_\bn_\bc_\be is
+ implied. Negating the option results in a
+ value of _\bn_\be_\bv_\be_\br being used. The default value
+ is _\bo_\bn_\bc_\be.
lecture_file
Path to a file containing an alternate s\bsu\bud\bdo\bo
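Review bot: the replacement for the lecture default sentence does more than reword it: it newly documents an implied value of once when the option is given with no value and a value of never when it is negated with !, so the commit carrying this page should also carry (or already rely on) parser support for both forms, otherwise the same template pasted into verifypw and listpw below will describe behaviour the code does not have. Note also that turning the single sentence "The default value is once." into four lines is what pushes the NOPASSWD text onto page 13 in the following hunk, so that hunk is pure re-pagination and needs no separate review.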
any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs
entries for the current host must have
- the NOPASSWD flag set to avoid enter
- ing a password.
-
-1.6.9 November 19, 2004 12
+1.6.9 November 28, 2004 12
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ the NOPASSWD flag set to avoid enter
+ ing a password.
+
never The user need never enter a password
to use the -\b-v\bv flag.
always The user must always enter a password
to use the -\b-v\bv flag.
- The default value is `all'.
+ If no value is specified, a value of _\ba_\bl_\bl is
+ implied. Negating the option results in a
+ value of _\bn_\be_\bv_\be_\br being used. The default value
+ is _\ba_\bl_\bl.
listpw This option controls when a password will be
required when a user runs s\bsu\bud\bdo\bo with the -\b-l\bl
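Review bot: the removed sentence quotes the default as `all' while the replacement italicises it as _all_, which matches the form used in the lecture and listpw descriptions in this diff and is the better choice. The replacement additionally states that negating verifypw yields never; since only the any, never and always entries are visible in this hunk's context, confirm that an all entry still precedes them and that a bare !verifypw is actually mapped to never by the parser rather than rejected.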
always The user must always enter a password
to use the -\b-l\bl flag.
- The default value is `any'.
+ If no value is specified, a value of _\ba_\bn_\by is
+ implied. Negating the option results in a
+ value of _\bn_\be_\bv_\be_\br being used. The default value
+ is _\ba_\bn_\by.
L\bLi\bis\bst\bts\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
is printed when s\bsu\bud\bdo\bo is run by root with the
_\b-_\bV option.
- env_delete Environment variables to be removed from the
- user's environment. The argument may be a
- double-quoted, space-separated list or a sin
- gle value without double-quotes. The list can
- be replaced, added to, deleted from, or dis
- abled by using the =, +=, -=, and ! operators
- respectively. The default list of environment
- variables to remove is printed when s\bsu\bud\bdo\bo is
- run by root with the _\b-_\bV option. Note that
-1.6.9 November 19, 2004 13
+1.6.9 November 28, 2004 13
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ env_delete Environment variables to be removed from the
+ user's environment. The argument may be a
+ double-quoted, space-separated list or a sin
+ gle value without double-quotes. The list can
+ be replaced, added to, deleted from, or dis
+ abled by using the =, +=, -=, and ! operators
+ respectively. The default list of environment
+ variables to remove is printed when s\bsu\bud\bdo\bo is
+ run by root with the _\b-_\bV option. Note that
many operating systems will remove potentially
dangerous variables from the environment of
any setuid process (such as s\bsu\bud\bdo\bo).
Let's break that down into its constituent parts:
- R\bRu\bun\bna\bas\bs_\b_S\bSp\bpe\bec\bc
- A Runas_Spec is simply a Runas_List (as defined above)
- enclosed in a set of parentheses. If you do not specify a
- Runas_Spec in the user specification, a default Runas_Spec
- of r\bro\boo\bot\bt will be used. A Runas_Spec sets the default for
- commands that follow it. What this means is that for the
- entry:
+1.6.9 November 28, 2004 14
-1.6.9 November 19, 2004 14
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ R\bRu\bun\bna\bas\bs_\b_S\bSp\bpe\bec\bc
+ A Runas_Spec is simply a Runas_List (as defined above)
+ enclosed in a set of parentheses. If you do not specify a
+ Runas_Spec in the user specification, a default Runas_Spec
+ of r\bro\boo\bot\bt will be used. A Runas_Spec sets the default for
+ commands that follow it. What this means is that for the
+ entry:
dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
Note, however, that the PASSWD tag has no effect on users
- who are in the group specified by the _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option.
-
- By default, if the NOPASSWD tag is applied to any of the
- entries for a user on the current host, he or she will be
- able to run sudo -l without a password. Additionally, a
- user may only run sudo -v without a password if the
- NOPASSWD tag is present for all a user's entries that per
- tain to the current host. This behavior may be overridden
- via the verifypw and listpw options.
-1.6.9 November 19, 2004 15
+1.6.9 November 28, 2004 15
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ who are in the group specified by the _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option.
+
+ By default, if the NOPASSWD tag is applied to any of the
+ entries for a user on the current host, he or she will be
+ able to run sudo -l without a password. Additionally, a
+ user may only run sudo -v without a password if the
+ NOPASSWD tag is present for all a user's entries that per
+ tain to the current host. This behavior may be overridden
+ via the verifypw and listpw options.
+
_\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC
If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the
* Matches any set of zero or more characters.
- ? Matches any single character.
- [...] Matches any character in the specified range.
- [!...] Matches any character n\bno\bot\bt in the specified range.
+1.6.9 November 28, 2004 16
- \x For any character "x", evaluates to "x". This is
- used to escape special characters such as: "*",
- "?", "[", and "}".
-1.6.9 November 19, 2004 16
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ ? Matches any single character.
+ [...] Matches any character in the specified range.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ [!...] Matches any character n\bno\bot\bt in the specified range.
+ \x For any character "x", evaluates to "x". This is
+ used to escape special characters such as: "*",
+ "?", "[", and "}".
Note that a forward slash ('/') will n\bno\bot\bt be matched by
wildcards used in the pathname. When matching the command
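Review bot: the escape list in the \x entry, carried over unchanged onto the new page as "*", "?", "[", and "}", looks like a long-standing typo for "]": the forms listed immediately above are [...] and [!...], so the closing square bracket is the character a user would need to escape, and no brace form appears anywhere in this pattern list. Since the paragraph is already being moved in this hunk, correcting "}" to "]" here would be cheap.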
The pound sign ('#') is used to indicate a comment (unless
it is part of a #include directive or unless it occurs in
the context of a user name and is followed by one or more
- digits, in which case it is treated as a uid). Both the
- comment character and any text after it, up to the end of
- the line, are ignored.
-
- The reserved word A\bAL\bLL\bL is a built-in _\ba_\bl_\bi_\ba_\bs that always
- causes a match to succeed. It can be used wherever one
- might otherwise use a Cmnd_Alias, User_Alias, Runas_Alias,
- or Host_Alias. You should not try to define your own
- _\ba_\bl_\bi_\ba_\bs called A\bAL\bLL\bL as the built-in alias will be used in
- preference to your own. Please note that using A\bAL\bLL\bL can be
-1.6.9 November 19, 2004 17
+1.6.9 November 28, 2004 17
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ digits, in which case it is treated as a uid). Both the
+ comment character and any text after it, up to the end of
+ the line, are ignored.
+
+ The reserved word A\bAL\bLL\bL is a built-in _\ba_\bl_\bi_\ba_\bs that always
+ causes a match to succeed. It can be used wherever one
+ might otherwise use a Cmnd_Alias, User_Alias, Runas_Alias,
+ or Host_Alias. You should not try to define your own
+ _\ba_\bl_\bi_\ba_\bs called A\bAL\bLL\bL as the built-in alias will be used in
+ preference to your own. Please note that using A\bAL\bLL\bL can be
dangerous since in a command context, it allows the user
to run a\ban\bny\by command on the system.
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
- # Host alias specification
- Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
- SGI = grolsch, dandelion, black :\
- ALPHA = widget, thalamus, foobar :\
- HPPA = boa, nag, python
- Host_Alias CUNETS = 128.138.0.0/255.255.0.0
- Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
- Host_Alias SERVERS = master, mail, www, ns
- Host_Alias CDROM = orion, perseus, hercules
-
-1.6.9 November 19, 2004 18
+1.6.9 November 28, 2004 18
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ # Host alias specification
+ Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
+ SGI = grolsch, dandelion, black :\
+ ALPHA = widget, thalamus, foobar :\
+ HPPA = boa, nag, python
+ Host_Alias CUNETS = 128.138.0.0/255.255.0.0
+ Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
+ Host_Alias SERVERS = master, mail, www, ns
+ Host_Alias CDROM = orion, perseus, hercules
+
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
/usr/sbin/restore, /usr/sbin/rrestore
We let r\bro\boo\bot\bt and any user in group w\bwh\bhe\bee\bel\bl run any command on
any host as any user.
- FULLTIMERS ALL = NOPASSWD: ALL
- Full time sysadmins (m\bmi\bil\bll\ble\ber\brt\bt, m\bmi\bik\bke\bef\bf, and d\bdo\bow\bwd\bdy\by) may run
- any command on any host without authenticating themselves.
- PARTTIMERS ALL = ALL
- Part time sysadmins (b\bbo\bos\bst\btl\ble\bey\by, j\bjw\bwf\bfo\box\bx, and c\bcr\bra\baw\bwl\bl) may run
- any command on any host but they must authenticate them
- selves first (since the entry lacks the NOPASSWD tag).
+1.6.9 November 28, 2004 19
-1.6.9 November 19, 2004 19
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ FULLTIMERS ALL = NOPASSWD: ALL
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ Full time sysadmins (m\bmi\bil\bll\ble\ber\brt\bt, m\bmi\bik\bke\bef\bf, and d\bdo\bow\bwd\bdy\by) may run
+ any command on any host without authenticating themselves.
+ PARTTIMERS ALL = ALL
+
+ Part time sysadmins (b\bbo\bos\bst\btl\ble\bey\by, j\bjw\bwf\bfo\box\bx, and c\bcr\bra\baw\bwl\bl) may run
+ any command on any host but they must authenticate them
+ selves first (since the entry lacks the NOPASSWD tag).
jack CSNETS = ALL
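Review bot: spacing within this hunk is inconsistent: a blank line is added between PARTTIMERS ALL = ALL and its explanatory paragraph, but FULLTIMERS ALL = NOPASSWD: ALL is still followed directly by its explanation with no blank line. Either both entry/explanation pairs should get the separating blank line or neither; pick one form and apply it to both so the examples section reads uniformly.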
The user j\bji\bim\bm may run any command on machines in the _\bb_\bi_\bg_\bl_\ba_\bb
netgroup. S\bSu\bud\bdo\bo knows that "biglab" is a netgroup due to
- the '+' prefix.
- +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
- Users in the s\bse\bec\bcr\bre\bet\bta\bar\bri\bie\bes\bs netgroup need to help manage the
- printers as well as add and remove users, so they are
- allowed to run those commands on all machines.
- fred ALL = (DB) NOPASSWD: ALL
+1.6.9 November 28, 2004 20
- The user f\bfr\bre\bed\bd can run commands as any user in the _\bD_\bB
-1.6.9 November 19, 2004 20
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ the '+' prefix.
+ +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ Users in the s\bse\bec\bcr\bre\bet\bta\bar\bri\bie\bes\bs netgroup need to help manage the
+ printers as well as add and remove users, so they are
+ allowed to run those commands on all machines.
+ fred ALL = (DB) NOPASSWD: ALL
+ The user f\bfr\bre\bed\bd can run commands as any user in the _\bD_\bB
Runas_Alias (o\bor\bra\bac\bcl\ble\be or s\bsy\byb\bba\bas\bse\be) without giving a password.
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
type, so it is a prime candidate for encapsulating in a
shell script.
-S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
- It is generally not effective to "subtract" commands from
- ALL using the '!' operator. A user can trivially circum
- vent this by copying the desired command to a different
- name and then executing that. For example:
- bill ALL = ALL, !SU, !SHELLS
-
- Doesn't really prevent b\bbi\bil\bll\bl from running the commands
- listed in _\bS_\bU or _\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those
+1.6.9 November 28, 2004 21
-1.6.9 November 19, 2004 21
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
+ It is generally not effective to "subtract" commands from
+ ALL using the '!' operator. A user can trivially circum
+ vent this by copying the desired command to a different
+ name and then executing that. For example:
+ bill ALL = ALL, !SU, !SHELLS
- commands to a different name, or use a shell escape from
- an editor or other program. Therefore, these kind of
+ Doesn't really prevent b\bbi\bil\bll\bl from running the commands
+ listed in _\bS_\bU or _\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those com
+ mands to a different name, or use a shell escape from an
+ editor or other program. Therefore, these kind of
restrictions should be considered advisory at best (and
reinforced by policy).
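Review bot: the blank line that separated the example bill ALL = ALL, !SU, !SHELLS from the paragraph that follows is lost in this hunk (the removed blank line has no added counterpart, so "Doesn't really prevent bill from running..." now sits directly under the example), while elsewhere in this same diff the PARTTIMERS example gains exactly such a blank line; restore the blank line after the example. While the paragraph is being rewrapped, "these kind of restrictions" in the new text should read "these kinds of restrictions" (or "this kind of restriction").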
If the resulting output contains a line that
begins with:
- File containing dummy exec functions:
-
- then s\bsu\bud\bdo\bo may be able to replace the exec family
- of functions in the standard library with its
- own that simply return an error. Unfortunately,
- there is no foolproof way to know whether or not
- _\bn_\bo_\be_\bx_\be_\bc will work at compile-time. _\bN_\bo_\be_\bx_\be_\bc should
- work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64
- UNIX, MacOS X, and HP-UX 11.x. It is known n\bno\bot\bt
-
-1.6.9 November 19, 2004 22
+1.6.9 November 28, 2004 22
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ File containing dummy exec functions:
+
+ then s\bsu\bud\bdo\bo may be able to replace the exec family
+ of functions in the standard library with its
+ own that simply return an error. Unfortunately,
+ there is no foolproof way to know whether or not
+ _\bn_\bo_\be_\bx_\be_\bc will work at compile-time. _\bN_\bo_\be_\bx_\be_\bc should
+ work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64
+ UNIX, MacOS X, and HP-UX 11.x. It is known n\bno\bot\bt
to work on AIX and UnixWare. _\bN_\bo_\be_\bx_\be_\bc is expected
to work on most operating systems that support
the LD_PRELOAD environment variable. Check your
At the time of this writing the s\bsy\bys\bst\btr\bra\bac\bce\be pseudo-
device comes standard with OpenBSD and NetBSD
- and is available as patches to FreeBSD, MacOS X
- and Linux. See <http://www.systrace.org/> for
- more information.
- Note that restricting shell escapes is not a panacea.
- Programs running as root are still capable of many poten
- tially hazardous operations (such as changing or overwrit
- ing files) that could lead to unintended privilege escala
- tion. In the specific case of an editor, a safer approach
-
-1.6.9 November 19, 2004 23
+1.6.9 November 28, 2004 23
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ and is available as patches to FreeBSD, MacOS X
+ and Linux. See <http://www.systrace.org/> for
+ more information.
+
+ Note that restricting shell escapes is not a panacea.
+ Programs running as root are still capable of many poten
+ tially hazardous operations (such as changing or overwrit
+ ing files) that could lead to unintended privilege escala
+ tion. In the specific case of an editor, a safer approach
is to give the user permission to run s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
-
-
-
-
-
-
-
-
-
-1.6.9 November 19, 2004 24
+1.6.9 November 28, 2004 24