User_Alias ::= NAME '=' User_List
- Runas_Alias ::= NAME '=' Runas_User_List
+ Runas_Alias ::= NAME '=' Runas_List
-December 15, 2001 1.6.4 1
+December 17, 2001 1.6.4 1
User ',' User_List
User ::= '!'* username |
- '!'* '#'uid |
'!'* '%'group |
'!'* '+'netgroup |
'!'* User_Alias
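Review bot: removing the "'!'* '#'uid" alternative from the User production leaves it unstated whether the parser now rejects a uid in a User_List or whether this only corrects the documentation. A changelog line or a sentence in the User_List description would tell admins who have '#uid' entries in user specifications what to expect.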
'!'* +netgroup |
'!'* Runas_Alias
- Likewise, a Runas_List has the same possible elements as a
- User_List, except that it can include a Runas_Alias,
- instead of a User_Alias.
+ A Runas_List is similar to a User_List except that it can
+ also contain uids (prefixed with '#') and instead of
+ User_Aliases it can contain Runas_Aliases.
Host_List ::= Host |
Host ',' Host_List
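Review bot: the new Runas_List paragraph says the list may contain uids prefixed with '#', but the Runas_User alternatives visible in the context above it show only +netgroup and Runas_Alias. Since '#'uid has been dropped from User, please confirm the Runas_User production lists "'!'* '#'uid" explicitly. In the same production +netgroup is unquoted while User writes '+'netgroup, so the two should use one notation. The added sentence would also read better with a comma before "and instead of".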
-December 15, 2001 1.6.4 2
+
+December 17, 2001 1.6.4 2
-December 15, 2001 1.6.4 3
+December 17, 2001 1.6.4 3
respectively. It is not an error to use the -= operator
to remove an element that does not exist in a list.
+ Note that since the _\bs_\bu_\bd_\bo_\be_\br_\bs file is parsed in order the
+ best place to put the Defaults section is after the Host,
+ User, and Cmnd aliases but before the user specifications.
+
F\bF\bF\bFl\bl\bl\bla\ba\ba\bag\bg\bg\bgs\bs\bs\bs:
long_otp_prompt
PATH itself is not modified. This flag is _\bo_\bf_\bf
by default.
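Review bot: the added note on Defaults placement says where the section should go but not what goes wrong when it is placed elsewhere. One clause naming the consequence of in-order parsing would make the advice actionable. A comma after "parsed in order" would also help the sentence.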
- mail_always Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user every time a
- users runs s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo. This flag is _\bo_\bf_\bf by default.
- mail_badpass
- Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user if the user
-December 15, 2001 1.6.4 4
+December 17, 2001 1.6.4 4
sudoers(4) MAINTENANCE COMMANDS sudoers(4)
- running sudo does not enter the correct pass
- word. This flag is _\bo_\bf_\bf by default.
+ mail_always Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user every time a
+ users runs s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo. This flag is _\bo_\bf_\bf by default.
+
+ mail_badpass
+ Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user if the user run
+ ning sudo does not enter the correct password.
+ This flag is _\bo_\bf_\bf by default.
mail_no_user
If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user
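Review bot: "every time a users runs sudo" in the re-added mail_always entry should read "a user runs". The wording is carried over unchanged from the removed lines, so the fix belongs in the manual source this page is formatted from rather than in this output.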
log_host If set, the hostname will be logged in the
(non-syslog) s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo log file. This flag is _\bo_\bf_\bf
- by default.
-
- log_year If set, the four-digit year will be logged in
- the (non-syslog) s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo log file. This flag is
- _\bo_\bf_\bf by default.
-December 15, 2001 1.6.4 5
+December 17, 2001 1.6.4 5
sudoers(4) MAINTENANCE COMMANDS sudoers(4)
+ by default.
+
+ log_year If set, the four-digit year will be logged in
+ the (non-syslog) s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo log file. This flag is
+ _\bo_\bf_\bf by default.
+
shell_noargs
If set and s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo is invoked with no arguments
it acts as if the -\b-\b-\b-s\bs\bs\bs flag had been given.
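Review bot: there is no content change to review in the log_host/log_year region, because the removed and added log_year text is identical and has only moved across the page header. The same holds for most hunks in this patch, which differ only in the footer date and the page break position. Regenerating the formatted page in its own commit, separate from the grammar and Defaults wording changes, would keep the substantive edits easy to find.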
fied hostnames in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. I.e.:
instead of myhost you would use myhost.mydo
main.edu. You may still use the short form if
- you wish (and even mix the two). Beware that
- turning on _\bf_\bq_\bd_\bn requires s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo to make DNS
- lookups which may make s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo unusable if DNS
- stops working (for example if the machine is
- not plugged into the network). Also note that
- you must use the host's official name as DNS
-December 15, 2001 1.6.4 6
+December 17, 2001 1.6.4 6
sudoers(4) MAINTENANCE COMMANDS sudoers(4)
+ you wish (and even mix the two). Beware that
+ turning on _\bf_\bq_\bd_\bn requires s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo to make DNS
+ lookups which may make s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo unusable if DNS
+ stops working (for example if the machine is
+ not plugged into the network). Also note that
+ you must use the host's official name as DNS
knows it. That is, you may not use a host
alias (CNAME entry) due to performance issues
and the fact that there is no way to get all
root) instead of the password of the invoking
user. This flag is _\bo_\bf_\bf by default.
- set_logname Normally, s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo will set the LOGNAME and USER
- environment variables to the name of the tar
- get user (usually root unless the -\b-\b-\b-u\bu\bu\bu flag is
- given). However, since some programs (includ
- ing the RCS revision control system) use LOG
- NAME to determine the real identity of the
-December 15, 2001 1.6.4 7
+December 17, 2001 1.6.4 7
sudoers(4) MAINTENANCE COMMANDS sudoers(4)
+ set_logname Normally, s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo will set the LOGNAME and USER
+ environment variables to the name of the tar
+ get user (usually root unless the -\b-\b-\b-u\bu\bu\bu flag is
+ given). However, since some programs (includ
+ ing the RCS revision control system) use LOG
+ NAME to determine the real identity of the
user, it may be desirable to change this
behavior. This can be done by negating the
set_logname option.
wrap lines for nicer log files. This has no
effect on the syslog log file, only the file
log. The default is 80 (use 0 or negate the
- option to disable word wrap).
-
- timestamp_timeout
- Number of minutes that can elapse before s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo
- will ask for a passwd again. The default is
- 5. Set this to 0 to always prompt for a
-December 15, 2001 1.6.4 8
+December 17, 2001 1.6.4 8
sudoers(4) MAINTENANCE COMMANDS sudoers(4)
- password. If set to a value less than 0 the
+ option to disable word wrap).
+
+ timestamp_timeout
+ Number of minutes that can elapse before s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo
+ will ask for a passwd again. The default is
+ 5. Set this to 0 to always prompt for a pass
+ word. If set to a value less than 0 the
user's timestamp will never expire. This can
be used to allow users to create or delete
their own timestamps via sudo -v and sudo -k
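Review bot: "will ask for a passwd again" in the re-flowed timestamp_timeout entry should read "password", as the next sentence of the same entry does. The text is unchanged from the removed side, so this is another fix for the manual source.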
Syslog priority to use when user authenticates
successfully. Defaults to notice.
- syslog_badpri
- Syslog priority to use when user authenticates
- unsuccessfully. Defaults to alert.
- editor A colon (':') separated list of editors
- allowed to be used with v\bv\bv\bvi\bi\bi\bis\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo. v\bv\bv\bvi\bi\bi\bis\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo will
- choose the editor that matches the user's USER
-December 15, 2001 1.6.4 9
+December 17, 2001 1.6.4 9
sudoers(4) MAINTENANCE COMMANDS sudoers(4)
+ syslog_badpri
+ Syslog priority to use when user authenticates
+ unsuccessfully. Defaults to alert.
+
+ editor A colon (':') separated list of editors
+ allowed to be used with v\bv\bv\bvi\bi\bi\bis\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo. v\bv\bv\bvi\bi\bi\bis\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo will
+ choose the editor that matches the user's USER
environment variable if possible, or the first
editor in the list that exists and is exe
cutable. The default is the path to vi on
never The user need never enter a password
to use the -\b-\b-\b-v\bv\bv\bv flag.
- always The user must always enter a password
- to use the -\b-\b-\b-v\bv\bv\bv flag.
-
- The default value is `all'.
-
+December 17, 2001 1.6.4 10
-December 15, 2001 1.6.4 10
+sudoers(4) MAINTENANCE COMMANDS sudoers(4)
-sudoers(4) MAINTENANCE COMMANDS sudoers(4)
+ always The user must always enter a password
+ to use the -\b-\b-\b-v\bv\bv\bv flag.
+ The default value is `all'.
listpw This option controls when a password will be
required when a user runs s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo with the -\b-\b-\b-l\bl\bl\bl.
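Review bot: on the added side the blank line between the "always" entry and "The default value is `all'." is gone, so the default now reads as part of the "always" description instead of applying to the whole option. The removed side had a blank line before and after that sentence, and the added side should keep that separation. The sudoers(4) header line is also removed and re-added with the same visible text, which suggests a whitespace-only difference worth checking.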
ronment variables to be preserved in the
user's environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option
is in effect. This allows fine-grained con
- trol over the environment s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo-spawned pro
- cesses will get. The list can be replaced,
- added to, deleted from, or disabled by using
- the =, +=, -=, and ! operators respectively.
- This list has no default members.
+ trol over the environment s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo-spawned
-
-December 15, 2001 1.6.4 11
+December 17, 2001 1.6.4 11
sudoers(4) MAINTENANCE COMMANDS sudoers(4)
+ processes will get. The list can be replaced,
+ added to, deleted from, or disabled by using
+ the =, +=, -=, and ! operators respectively.
+ This list has no default members.
+
When logging via _\bs_\by_\bs_\bl_\bo_\bg(3), s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo accepts the following
values for the syslog facility (the value of the s\bs\bs\bsy\by\by\bys\bs\bs\bsl\bl\bl\blo\bo\bo\bog\bg\bg\bg
Parameter): a\ba\ba\bau\bu\bu\but\bt\bt\bth\bh\bh\bhp\bp\bp\bpr\br\br\bri\bi\bi\biv\bv\bv\bv (if your OS supports it), a\ba\ba\bau\bu\bu\but\bt\bt\bth\bh\bh\bh, d\bd\bd\bda\ba\ba\bae\be\be\be\b\b\b
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
Then user d\bd\bd\bdg\bg\bg\bgb\bb\bb\bb is now allowed to run _\b/_\bb_\bi_\bn_\b/_\bl_\bs as o\bo\bo\bop\bp\bp\bpe\be\be\ber\br\br\bra\ba\ba\bat\bt\bt\bto\bo\bo\bor\br\br\br,
- but _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as r\br\br\bro\bo\bo\boo\bo\bo\bot\bt\bt\bt.
-
-
-
-
-December 15, 2001 1.6.4 12
+December 17, 2001 1.6.4 12
sudoers(4) MAINTENANCE COMMANDS sudoers(4)
+ but _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as r\br\br\bro\bo\bo\boo\bo\bo\bot\bt\bt\bt.
+
N\bN\bN\bNO\bO\bO\bOP\bP\bP\bPA\bA\bA\bAS\bS\bS\bSS\bS\bS\bSW\bW\bW\bWD\bD\bD\bD a\ba\ba\ban\bn\bn\bnd\bd\bd\bd P\bP\bP\bPA\bA\bA\bAS\bS\bS\bSS\bS\bS\bSW\bW\bW\bWD\bD\bD\bD
By default, s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo requires that a user authenticate him or
Note that a forward slash ('/') will n\bn\bn\bno\bo\bo\bot\bt\bt\bt be matched by
wildcards used in the pathname. When matching the command
line arguments, however, as slash d\bd\bd\bdo\bo\bo\boe\be\be\bes\bs\bs\bs get matched by
- wildcards. This is to make a path like:
-
-December 15, 2001 1.6.4 13
+December 17, 2001 1.6.4 13
sudoers(4) MAINTENANCE COMMANDS sudoers(4)
+ wildcards. This is to make a path like:
+
/usr/bin/*
match /usr/bin/who but not /usr/bin/X11/xterm.
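Review bot: "as slash does get matched by wildcards" in the context just above the moved line is a typo for "a slash". This is the sentence that tells admins a wildcard in command line arguments crosses '/' boundaries while one in the pathname does not, so it is worth correcting in the manual source while this paragraph is being re-flowed.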
-
-
-December 15, 2001 1.6.4 14
+December 17, 2001 1.6.4 14
-December 15, 2001 1.6.4 15
+December 17, 2001 1.6.4 15
-December 15, 2001 1.6.4 16
+December 17, 2001 1.6.4 16
-December 15, 2001 1.6.4 17
+December 17, 2001 1.6.4 17
-December 15, 2001 1.6.4 18
+December 17, 2001 1.6.4 18