-1.6.9 November 12, 2004 1
+1.6.9 November 19, 2004 1
-1.6.9 November 12, 2004 2
+1.6.9 November 19, 2004 2
-1.6.9 November 12, 2004 3
+1.6.9 November 19, 2004 3
Certain configuration options may be changed from their
default values at runtime via one or more Default_Entry
lines. These may affect all users on any host, all users
- on a specific host, a specific user, or commands being run
- as a specific user.
+ on a specific host, a specific user, a specific command,
+ or commands being run as a specific user. Note that per-
+ command entries may not include command line arguments.
+ If you need to specify arguments, define a Cmnd_Alias and
+ reference that instead.
Default_Type ::= 'Defaults' |
'Defaults' '@' Host |
'Defaults' ':' User |
+ 'Defaults' '!' Cmnd |
'Defaults' '>' RunasUser
Default_Entry ::= Default_Type Parameter_List
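Review bot: the new sentence "per-command entries may not include command line arguments" does not say what happens when a Defaults! entry names a command with arguments anyway, so a reader cannot tell whether visudo rejects the line or the entry is accepted and simply never matches; state the behaviour here, next to the advice to define a Cmnd_Alias instead. The added `'Defaults' '!' Cmnd` alternative in Default_Type agrees with the prose, but now that host, user, command and runas-user defaults can all apply to one command run, the text should also say in which order they are applied when they set the same parameter to different values.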
respectively. It is not an error to use the -= operator
to remove an element that does not exist in a list.
- F\bFl\bla\bag\bgs\bs:
-
- long_otp_prompt
- When validating with a One Time Password
-1.6.9 November 12, 2004 4
+1.6.9 November 19, 2004 4
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ F\bFl\bla\bag\bgs\bs:
+
+ long_otp_prompt
+ When validating with a One Time Password
scheme (S\bS/\b/K\bKe\bey\by or O\bOP\bPI\bIE\bE), a two-line prompt is
used to make it easier to cut and paste the
challenge to a local window. It's not as
ignore_dot If set, s\bsu\bud\bdo\bo will ignore '.' or '' (current
dir) in the PATH environment variable; the
- PATH itself is not modified. This flag is _\bo_\bn
+ PATH itself is not modified. This flag is _\bo_\bf_\bf
by default.
mail_always Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user every time a
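Review bot: flipping the documented default of ignore_dot from on to off is a security-relevant change, since with the flag off a '.' or empty entry in the invoking user's PATH is honoured when sudo resolves a relative command name, which is exactly what the flag exists to prevent. The commit message should say whether the compiled-in default actually changed or whether the previous text was wrong and this is a documentation fix; if the behaviour changed, it belongs in the release notes and not only in the man page.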
If set, users must authenticate themselves via
a password (or other means of authentication)
before they may run commands. This default
- may be overridden via the PASSWD and NOPASSWD
- tags. This flag is _\bo_\bn by default.
-
- root_sudo If set, root is allowed to run s\bsu\bud\bdo\bo too.
-1.6.9 November 12, 2004 5
+1.6.9 November 19, 2004 5
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- Disabling this prevents users from "chaining"
+ may be overridden via the PASSWD and NOPASSWD
+ tags. This flag is _\bo_\bn by default.
+
+ root_sudo If set, root is allowed to run s\bsu\bud\bdo\bo too. Dis
+ abling this prevents users from "chaining"
s\bsu\bud\bdo\bo commands to get a root shell by doing
something like "sudo sudo /bin/sh". Note,
however, that turning off _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo will also
tage is that if the executable is simply not
in the user's PATH, s\bsu\bud\bdo\bo will tell the user
that they are not allowed to run it, which can
- be confusing. This flag is _\bo_\bf_\bf by default.
-
- preserve_groups
- By default s\bsu\bud\bdo\bo will initialize the group
-1.6.9 November 12, 2004 6
+1.6.9 November 19, 2004 6
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- vector to the list of groups the target user
- is in. When _\bp_\br_\be_\bs_\be_\br_\bv_\be_\b__\bg_\br_\bo_\bu_\bp_\bs is set, the
- user's existing group vector is left unal
- tered. The real and effective group IDs, how
- ever, are still set to match the target user.
- This flag is _\bo_\bf_\bf by default.
+ be confusing. This flag is _\bo_\bf_\bf by default.
+
+ preserve_groups
+ By default s\bsu\bud\bdo\bo will initialize the group vec
+ tor to the list of groups the target user is
+ in. When _\bp_\br_\be_\bs_\be_\br_\bv_\be_\b__\bg_\br_\bo_\bu_\bp_\bs is set, the user's
+ existing group vector is left unaltered. The
+ real and effective group IDs, however, are
+ still set to match the target user. This flag
+ is _\bo_\bf_\bf by default.
fqdn Set this flag if you want to put fully quali
fied hostnames in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. I.e.,
set _\bf_\bq_\bd_\bn. This flag is _\bo_\bf_\bf by default.
insults If set, s\bsu\bud\bdo\bo will insult users when they enter
- an incorrect password. This flag is _\bo_\bn by
+ an incorrect password. This flag is _\bo_\bf_\bf by
default.
requiretty If set, s\bsu\bud\bdo\bo will only run when the user is
is to place a colon-separated list of editors
in the editor variable. v\bvi\bis\bsu\bud\bdo\bo will then only
use the EDITOR or VISUAL if they match a value
- specified in editor. This flag is on by
+ specified in editor. This flag is off by
default.
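Review bot: "off" on the + line is plain text while every other flag description in this file italicises the default value with overstrikes (`_\bo_\bf_\bf`, as in ignore_dot and insults); since the line is being touched anyway, format the value the same way. This flag also controls whether visudo honours EDITOR and VISUAL from the environment (the preceding context says visudo only uses them when they match a value in editor), so the change from on to off alters the documented security posture and, as with ignore_dot, it should be clear whether the code default moved or the text is being corrected.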
- rootpw If set, s\bsu\bud\bdo\bo will prompt for the root password
- instead of the password of the invoking user.
- This flag is _\bo_\bf_\bf by default.
-
-1.6.9 November 12, 2004 7
+1.6.9 November 19, 2004 7
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ rootpw If set, s\bsu\bud\bdo\bo will prompt for the root password
+ instead of the password of the invoking user.
+ This flag is _\bo_\bf_\bf by default.
+
runaspw If set, s\bsu\bud\bdo\bo will prompt for the password of
the user defined by the _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt option
(defaults to root) instead of the password of
use_loginclass
If set, s\bsu\bud\bdo\bo will apply the defaults specified
- for the target user's login class if one
- exists. Only available if s\bsu\bud\bdo\bo is configured
- with the --with-logincap option. This flag is
- _\bo_\bf_\bf by default.
-1.6.9 November 12, 2004 8
+1.6.9 November 19, 2004 8
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ for the target user's login class if one
+ exists. Only available if s\bsu\bud\bdo\bo is configured
+ with the --with-logincap option. This flag is
+ _\bo_\bf_\bf by default.
+
noexec If set, all commands run via s\bsu\bud\bdo\bo will behave
as if the NOEXEC tag has been set, unless
overridden by a EXEC tag. See the description
log. The default is 80 (use 0 or negate the
option to disable word wrap).
- timestamp_timeout
- Number of minutes that can elapse before s\bsu\bud\bdo\bo
- will ask for a passwd again. The default is
- 5. Set this to 0 to always prompt for a pass
- word. If set to a value less than 0 the
-1.6.9 November 12, 2004 9
+1.6.9 November 19, 2004 9
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ timestamp_timeout
+ Number of minutes that can elapse before s\bsu\bud\bdo\bo
+ will ask for a passwd again. The default is
+ 5. Set this to 0 to always prompt for a pass
+ word. If set to a value less than 0 the
user's timestamp will never expire. This can
be used to allow users to create or delete
their own timestamps via sudo -v and sudo -k
%h expanded to the local hostname without
the domain name
- %H expanded to the local hostname includ
- ing the domain name (on if the
- machine's hostname is fully qualified
- or the _\bf_\bq_\bd_\bn option is set)
-
-1.6.9 November 12, 2004 10
+1.6.9 November 19, 2004 10
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ %H expanded to the local hostname includ
+ ing the domain name (on if the
+ machine's hostname is fully qualified
+ or the _\bf_\bq_\bd_\bn option is set)
+
%% two consecutive % characters are col
laped into a single % character
always Always lecture the user.
- The default value is _\bo_\bn_\bc_\be.
-
- lecture_file
- Path to a file containing an alternate s\bsu\bud\bdo\bo
- lecture that will be used in place of the
-1.6.9 November 12, 2004 11
+1.6.9 November 19, 2004 11
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ The default value is _\bo_\bn_\bc_\be.
+
+ lecture_file
+ Path to a file containing an alternate s\bsu\bud\bdo\bo
+ lecture that will be used in place of the
standard lecture if the named file exists.
logfile Path to the s\bsu\bud\bdo\bo log file (not the syslog log
syslog Syslog facility if syslog is being used for
logging (negate to disable syslog logging).
- Defaults to authpriv.
+ Defaults to local2.
mailerpath Path to mail program used to send warning
mail. Defaults to the path to sendmail found
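Review bot: changing the documented default syslog facility from authpriv to local2 changes where sudo's log lines land under an unmodified syslog configuration, so log collectors or alert rules that watch the authpriv log will stop seeing sudo events on installations that rely on the default; please confirm that the compiled-in default really is local2 and call the change out in the release notes. It would also help to mention here that the facility can be selected with `Defaults syslog=...`, as the example later in this file does with `Defaults syslog=auth`.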
the NOPASSWD flag set to avoid enter
ing a password.
- never The user need never enter a password
- to use the -\b-v\bv flag.
-
- always The user must always enter a password
- to use the -\b-v\bv flag.
-1.6.9 November 12, 2004 12
+1.6.9 November 19, 2004 12
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ never The user need never enter a password
+ to use the -\b-v\bv flag.
+
+ always The user must always enter a password
+ to use the -\b-v\bv flag.
+
The default value is `all'.
listpw This option controls when a password will be
respectively. The default list of environment
variables to remove is printed when s\bsu\bud\bdo\bo is
run by root with the _\b-_\bV option. Note that
- many operating systems will remove potentially
- dangerous variables from the environment of
- any setuid process (such as s\bsu\bud\bdo\bo).
-
- env_keep Environment variables to be preserved in the
- user's environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option
-1.6.9 November 12, 2004 13
+1.6.9 November 19, 2004 13
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ many operating systems will remove potentially
+ dangerous variables from the environment of
+ any setuid process (such as s\bsu\bud\bdo\bo).
+
+ env_keep Environment variables to be preserved in the
+ user's environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option
is in effect. This allows fine-grained con
trol over the environment s\bsu\bud\bdo\bo-spawned pro
cesses will receive. The argument may be a
commands that follow it. What this means is that for the
entry:
- dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
- The user d\bdg\bgb\bb may run _\b/_\bb_\bi_\bn_\b/_\bl_\bs, _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm
- -- but only as o\bop\bpe\ber\bra\bat\bto\bor\br. E.g.,
+1.6.9 November 19, 2004 14
-1.6.9 November 12, 2004 14
-
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
+ The user d\bdg\bgb\bb may run _\b/_\bb_\bi_\bn_\b/_\bl_\bs, _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm
+ -- but only as o\bop\bpe\ber\bra\bat\bto\bor\br. E.g.,
$ sudo -u operator /bin/ls.
tain to the current host. This behavior may be overridden
via the verifypw and listpw options.
- _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC
-
- If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the
- underlying operating system supports it, the NOEXEC tag
-
-1.6.9 November 12, 2004 15
+1.6.9 November 19, 2004 15
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC
+
+ If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the
+ underlying operating system supports it, the NOEXEC tag
can be used to prevent a dynamically-linked executable
from running further commands itself.
used to escape special characters such as: "*",
"?", "[", and "}".
- Note that a forward slash ('/') will n\bno\bot\bt be matched by
- wildcards used in the pathname. When matching the command
- line arguments, however, a slash d\bdo\boe\bes\bs get matched by
-
-1.6.9 November 12, 2004 16
+1.6.9 November 19, 2004 16
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- wildcards. This is to make a path like:
+ Note that a forward slash ('/') will n\bno\bot\bt be matched by
+ wildcards used in the pathname. When matching the command
+ line arguments, however, a slash d\bdo\boe\bes\bs get matched by wild
+ cards. This is to make a path like:
/usr/bin/*
or Host_Alias. You should not try to define your own
_\ba_\bl_\bi_\ba_\bs called A\bAL\bLL\bL as the built-in alias will be used in
preference to your own. Please note that using A\bAL\bLL\bL can be
- dangerous since in a command context, it allows the user
- to run a\ban\bny\by command on the system.
-
-1.6.9 November 12, 2004 17
+1.6.9 November 19, 2004 17
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ dangerous since in a command context, it allows the user
+ to run a\ban\bny\by command on the system.
+
An exclamation point ('!') can be used as a logical _\bn_\bo_\bt
operator both in an _\ba_\bl_\bi_\ba_\bs and in front of a Cmnd. This
allows one to exclude certain values. Note, however, that
-
-
-
-1.6.9 November 12, 2004 18
+1.6.9 November 19, 2004 18
/usr/local/bin/tcsh, /usr/bin/rsh, \
/usr/local/bin/zsh
Cmnd_Alias SU = /usr/bin/su
+ Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
Here we override some of the compiled in default values.
We want s\bsu\bud\bdo\bo to log via _\bs_\by_\bs_\bl_\bo_\bg(3) using the _\ba_\bu_\bt_\bh facility
Additionally, on the machines in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias,
we keep an additional local log file and make sure we log
the year in each log line since the log entries will be
- kept around for several years.
+ kept around for several years. Lastly, we disable shell
+ escapes for the commands in the PAGERS Cmnd_Alias
+ (/usr/bin/more, /usr/bin/pg and /usr/bin/less).
# Override built-in defaults
Defaults syslog=auth
Defaults:FULLTIMERS !lecture
Defaults:millert !authenticate
Defaults@SERVERS log_year, logfile=/var/log/sudo.log
+ Defaults!PAGERS noexec
The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually deter
mines who may run what.
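Review bot: `Defaults!PAGERS noexec` only has an effect when sudo was built with noexec support and the platform's dynamic linker honours LD_PRELOAD (see the NOEXEC AND EXEC section and the PREVENTING SHELL ESCAPES section later in this file); on a system without that support, shell escapes from more, pg and less are not prevented, so the sentence "we disable shell escapes for the commands in the PAGERS Cmnd_Alias" should say this is a best-effort restriction rather than a guarantee. Using a Cmnd_Alias is the right form given the new rule that per-command Defaults entries cannot carry arguments; a short comment above `Defaults!PAGERS noexec` saying that the alias is required would make the example self-explanatory.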
any command on any host but they must authenticate them
selves first (since the entry lacks the NOPASSWD tag).
- jack CSNETS = ALL
-
- The user j\bja\bac\bck\bk may run any command on the machines in the
-
-1.6.9 November 12, 2004 19
+1.6.9 November 19, 2004 19
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ jack CSNETS = ALL
+
+ The user j\bja\bac\bck\bk may run any command on the machines in the
_\bC_\bS_\bN_\bE_\bT_\bS alias (the networks 128.138.243.0, 128.138.204.0,
and 128.138.242.0). Of those networks, only 128.138.204.0
has an explicit netmask (in CIDR notation) indicating it
fred ALL = (DB) NOPASSWD: ALL
The user f\bfr\bre\bed\bd can run commands as any user in the _\bD_\bB
- Runas_Alias (o\bor\bra\bac\bcl\ble\be or s\bsy\byb\bba\bas\bse\be) without giving a password.
-
- john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
-1.6.9 November 12, 2004 20
+1.6.9 November 19, 2004 20
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ Runas_Alias (o\bor\bra\bac\bcl\ble\be or s\bsy\byb\bba\bas\bse\be) without giving a password.
+
+ john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
+
On the _\bA_\bL_\bP_\bH_\bA machines, user j\bjo\boh\bhn\bn may su to anyone except
root but he is not allowed to give _\bs_\bu(1) any flags.
bill ALL = ALL, !SU, !SHELLS
Doesn't really prevent b\bbi\bil\bll\bl from running the commands
- listed in _\bS_\bU or _\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those com
- mands to a different name, or use a shell escape from an
- editor or other program. Therefore, these kind of
- restrictions should be considered advisory at best (and
- reinforced by policy).
+ listed in _\bS_\bU or _\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those
-1.6.9 November 12, 2004 21
+1.6.9 November 19, 2004 21
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ commands to a different name, or use a shell escape from
+ an editor or other program. Therefore, these kind of
+ restrictions should be considered advisory at best (and
+ reinforced by policy).
+
P\bPR\bRE\bEV\bVE\bEN\bNT\bTI\bIN\bNG\bG S\bSH\bHE\bEL\bLL\bL E\bES\bSC\bCA\bAP\bPE\bES\bS
Once s\bsu\bud\bdo\bo executes a program, that program is free to do
whatever it pleases, including run other programs. This
_\bn_\bo_\be_\bx_\be_\bc will work at compile-time. _\bN_\bo_\be_\bx_\be_\bc should
work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64
UNIX, MacOS X, and HP-UX 11.x. It is known n\bno\bot\bt
- to work on AIX and UnixWare. _\bN_\bo_\be_\bx_\be_\bc is expected
- to work on most operating systems that support
- the LD_PRELOAD environment variable. Check your
- operating system's manual pages for the dynamic
- linker (usually ld.so, ld.so.1, dyld, dld.sl,
-1.6.9 November 12, 2004 22
+1.6.9 November 19, 2004 22
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ to work on AIX and UnixWare. _\bN_\bo_\be_\bx_\be_\bc is expected
+ to work on most operating systems that support
+ the LD_PRELOAD environment variable. Check your
+ operating system's manual pages for the dynamic
+ linker (usually ld.so, ld.so.1, dyld, dld.sl,
rld, or loader) to see if LD_PRELOAD is sup
ported.
tially hazardous operations (such as changing or overwrit
ing files) that could lead to unintended privilege escala
tion. In the specific case of an editor, a safer approach
- is to give the user permission to run s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
-S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\br_\bs_\bh(1), _\bs_\bu(1), _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3), sudo(1m), visudo(1m)
+1.6.9 November 19, 2004 23
-1.6.9 November 12, 2004 23
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ is to give the user permission to run s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
+S\bSE\bEE\bE A\bAL\bLS\bSO\bO
+ _\br_\bs_\bh(1), _\bs_\bu(1), _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3), sudo(1m), visudo(1m)
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
The _\bs_\bu_\bd_\bo_\be_\br_\bs file should a\bal\blw\bwa\bay\bys\bs be edited by the v\bvi\bis\bsu\bud\bdo\bo
-
-
-
-
-
-1.6.9 November 12, 2004 24
+1.6.9 November 19, 2004 24