-1.6.9 October 26, 2004 1
+1.6.9 November 12, 2004 1
-1.6.9 October 26, 2004 2
+1.6.9 November 12, 2004 2
-1.6.9 October 26, 2004 3
+1.6.9 November 12, 2004 3
-1.6.9 October 26, 2004 4
+1.6.9 November 12, 2004 4
ignore_dot If set, s\bsu\bud\bdo\bo will ignore '.' or '' (current
dir) in the PATH environment variable; the
- PATH itself is not modified. This flag is _\bo_\bf_\bf
+ PATH itself is not modified. This flag is _\bo_\bn
by default.
mail_always Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user every time a
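Review bot: the ignore_dot default flips from off to on in this hunk with nothing explaining why. The printed defaults on this page appear to be filled in at build time (compare the use_loginclass entry, which names its --with-logincap configure option), so a reader of the shipped manual cannot tell whether sudo now ignores '.' in PATH everywhere or only in the build that generated this page. Name the configure option that controls it (--with-ignore-dot) in the same way, or state the built-in default and say it can be changed at configure time. ignore_dot on is the safer setting, and an admin who reads "on" here and omits `Defaults ignore_dot` from sudoers will be unprotected on a build where it is off.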
-1.6.9 October 26, 2004 5
+1.6.9 November 12, 2004 5
-1.6.9 October 26, 2004 6
+1.6.9 November 12, 2004 6
set _\bf_\bq_\bd_\bn. This flag is _\bo_\bf_\bf by default.
insults If set, s\bsu\bud\bdo\bo will insult users when they enter
- an incorrect password. This flag is _\bo_\bf_\bf by
+ an incorrect password. This flag is _\bo_\bn by
default.
requiretty If set, s\bsu\bud\bdo\bo will only run when the user is
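Review bot: same problem as ignore_dot: insults goes from "off by default" to "on by default" with no explanation, and whether the insult strings are even compiled in is a build-time choice, so the entry should name the configure option (--with-insults) rather than state a fixed default. Less security-critical than the other flipped flags in this diff, but anyone using this page to predict behaviour on a different build will be misled.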
is to place a colon-separated list of editors
in the editor variable. v\bvi\bis\bsu\bud\bdo\bo will then only
use the EDITOR or VISUAL if they match a value
- specified in editor. This flag is off by
+ specified in editor. This flag is on by
default.
rootpw If set, s\bsu\bud\bdo\bo will prompt for the root password
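Review bot: env_editor now reads "on by default", which is the most security-relevant default change in this diff and gets no comment. With env_editor on, visudo honours the caller's EDITOR or VISUAL, and the only thing that narrows that is the colon-separated list in the editor variable described two lines above ("visudo will then only use the EDITOR or VISUAL if they match a value specified in editor"). The entry should say plainly that when env_editor is on the editor list is the effective whitelist of editor paths, that without one any program named in EDITOR runs as root, and should recommend setting `Defaults editor=...` alongside it. As with the other flipped flags, tie "on by default" to its configure option (--with-env-editor) instead of presenting it as fixed.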
-1.6.9 October 26, 2004 7
+1.6.9 November 12, 2004 7
TERM is copied unaltered from the old environ
ment. The other variables are set to default
values (possibly modified by the value of the
- _\bs_\be_\bt_\b__\bl_\bo_\bg_\bn_\ba_\bm_\be option). If s\bsu\bud\bdo\bo was compiled
- with the SECURE_PATH option, its value will be
- used for the PATH environment variable. Other
- variables may be preserved with the _\be_\bn_\bv_\b__\bk_\be_\be_\bp
- option.
+ _\bs_\be_\bt_\b__\bl_\bo_\bg_\bn_\ba_\bm_\be option). If the _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh
+ option is set, its value will be used for the
+ PATH environment variable. Other variables
+ may be preserved with the _\be_\bn_\bv_\b__\bk_\be_\be_\bp option.
use_loginclass
If set, s\bsu\bud\bdo\bo will apply the defaults specified
for the target user's login class if one
exists. Only available if s\bsu\bud\bdo\bo is configured
with the --with-logincap option. This flag is
+ _\bo_\bf_\bf by default.
-1.6.9 October 26, 2004 8
+1.6.9 November 12, 2004 8
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- _\bo_\bf_\bf by default.
-
noexec If set, all commands run via s\bsu\bud\bdo\bo will behave
as if the NOEXEC tag has been set, unless
overridden by a EXEC tag. See the description
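Review bot: in the environment paragraph, "If sudo was compiled with the SECURE_PATH option" becomes "If the secure_path option is set", which is the right cross-reference to the new secure_path Defaults entry, but it drops a migration point readers need: the new option is documented on this page as not set by default, so a site that relied on a SECURE_PATH build now passes the caller's PATH through to the command unless it adds a `Defaults secure_path="..."` line to sudoers. A one-sentence note to that effect belongs here or in the secure_path entry. The sentence also says the value is used only "for the PATH environment variable", while the secure_path entry calls it the "Path used for every command run from sudo"; state in one place whether secure_path also governs how sudo resolves a relative command name or only the environment handed to the child.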
timestamp_timeout
Number of minutes that can elapse before s\bsu\bud\bdo\bo
will ask for a passwd again. The default is
+ 5. Set this to 0 to always prompt for a pass
+ word. If set to a value less than 0 the
-1.6.9 October 26, 2004 9
+1.6.9 November 12, 2004 9
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- 5. Set this to 0 to always prompt for a pass
- word. If set to a value less than 0 the
user's timestamp will never expire. This can
be used to allow users to create or delete
their own timestamps via sudo -v and sudo -k
%H expanded to the local hostname includ
ing the domain name (on if the
+ machine's hostname is fully qualified
+ or the _\bf_\bq_\bd_\bn option is set)
-1.6.9 October 26, 2004 10
+1.6.9 November 12, 2004 10
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- machine's hostname is fully qualified
- or the _\bf_\bq_\bd_\bn option is set)
-
%% two consecutive % characters are col
laped into a single % character
The default value is _\bo_\bn_\bc_\be.
+ lecture_file
+ Path to a file containing an alternate s\bsu\bud\bdo\bo
+ lecture that will be used in place of the
-1.6.9 October 26, 2004 11
+1.6.9 November 12, 2004 11
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- lecture_file
- Path to a file containing an alternate s\bsu\bud\bdo\bo
- lecture that will be used in place of the
standard lecture if the named file exists.
logfile Path to the s\bsu\bud\bdo\bo log file (not the syslog log
syslog Syslog facility if syslog is being used for
logging (negate to disable syslog logging).
- Defaults to local2.
+ Defaults to authpriv.
mailerpath Path to mail program used to send warning
mail. Defaults to the path to sendmail found
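Review bot: the default syslog facility changes from local2 to authpriv. authpriv is the better home for sudo's failed-password and command records, since most syslog configurations route it to a root-readable file, but the change is silent for any site whose syslog.conf selects local2 for sudo: after upgrading, their sudo log simply stops arriving. Add a note that existing syslog.conf rules must be updated or that `Defaults syslog=local2` restores the old routing, and confirm authpriv appears in the facility list under "When logging via syslog(3)" below, since not every platform's syslog defines it.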
and PATH requirements. This is not set by
default.
+ secure_path Path used for every command run from s\bsu\bud\bdo\bo. If
+ you don't trust the people running s\bsu\bud\bdo\bo to
+ have a sane PATH environment variable you may
+ want to use this. Another use is if you want
+ to have the "root path" be separate from the
+ "user path." Users in the group specified by
+ the _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option are not affected by
+ _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh. This is not set by default.
+
verifypw This option controls when a password will be
required when a user runs s\bsu\bud\bdo\bo with the -\b-v\bv
flag. It has the following possible values:
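Review bot: the new secure_path entry records the exempt_group bypass ("Users in the group specified by the exempt_group option are not affected by secure_path") but not its weight: exempt_group already defeats the PASSWD tag elsewhere on this page, and it now also lets a member run commands with whatever PATH the caller supplies, so the exempt_group entry should cross-reference secure_path and the risk should be stated here rather than left implicit. The entry also says the option "is not set by default" without showing how to set it; an example in the page's own sudoers syntax, such as `Defaults secure_path="/usr/bin:/bin:/usr/sbin:/sbin"`, would make the recommended hardening concrete. Finally, "Path used for every command run from sudo" and the environment section's "used for the PATH environment variable" describe different things; pick one wording and say whether command lookup is affected.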
always The user must always enter a password
to use the -\b-v\bv flag.
- The default value is `all'.
- listpw This option controls when a password will be
- required when a user runs s\bsu\bud\bdo\bo with the -\b-l\bl
- flag. It has the following possible values:
+1.6.9 November 12, 2004 12
-1.6.9 October 26, 2004 12
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ The default value is `all'.
+ listpw This option controls when a password will be
+ required when a user runs s\bsu\bud\bdo\bo with the -\b-l\bl
+ flag. It has the following possible values:
all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the
current host must have the NOPASSWD
env_keep Environment variables to be preserved in the
user's environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option
- is in effect. This allows fine-grained con
- trol over the environment s\bsu\bud\bdo\bo-spawned pro
- cesses will receive. The argument may be a
- double-quoted, space-separated list or a sin
- gle value without double-quotes. The list can
- be replaced, added to, deleted from, or
-1.6.9 October 26, 2004 13
+1.6.9 November 12, 2004 13
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- disabled by using the =, +=, -=, and ! opera
- tors respectively. This list has no default
- members.
+ is in effect. This allows fine-grained con
+ trol over the environment s\bsu\bud\bdo\bo-spawned pro
+ cesses will receive. The argument may be a
+ double-quoted, space-separated list or a sin
+ gle value without double-quotes. The list can
+ be replaced, added to, deleted from, or dis
+ abled by using the =, +=, -=, and ! operators
+ respectively. This list has no default mem
+ bers.
When logging via _\bs_\by_\bs_\bl_\bo_\bg(3), s\bsu\bud\bdo\bo accepts the following
values for the syslog facility (the value of the s\bsy\bys\bsl\blo\bog\bg
The user d\bdg\bgb\bb may run _\b/_\bb_\bi_\bn_\b/_\bl_\bs, _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm
-- but only as o\bop\bpe\ber\bra\bat\bto\bor\br. E.g.,
- $ sudo -u operator /bin/ls.
- It is also possible to override a Runas_Spec later on in
- an entry. If we modify the entry like so:
- dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
+1.6.9 November 12, 2004 14
-1.6.9 October 26, 2004 14
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ $ sudo -u operator /bin/ls.
+
+ It is also possible to override a Runas_Spec later on in
+ an entry. If we modify the entry like so:
+ dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
Then user d\bdg\bgb\bb is now allowed to run _\b/_\bb_\bi_\bn_\b/_\bl_\bs as o\bop\bpe\ber\bra\bat\bto\bor\br,
but _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as r\bro\boo\bot\bt.
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
Note, however, that the PASSWD tag has no effect on users
- who are in the group specified by the exempt_group option.
+ who are in the group specified by the _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option.
By default, if the NOPASSWD tag is applied to any of the
entries for a user on the current host, he or she will be
If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the
underlying operating system supports it, the NOEXEC tag
- can be used to prevent a dynamically-linked executable
- from running further commands itself.
- In the following example, user a\baa\bar\bro\bon\bn may run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be
- and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi but shell escapes will be disabled.
- aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+1.6.9 November 12, 2004 15
-1.6.9 October 26, 2004 15
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ can be used to prevent a dynamically-linked executable
+ from running further commands itself.
+
+ In the following example, user a\baa\bar\bro\bon\bn may run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be
+ and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi but shell escapes will be disabled.
+ aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
See the "PREVENTING SHELL ESCAPES" section below for more
details on how NOEXEC works and whether or not it will
Note that a forward slash ('/') will n\bno\bot\bt be matched by
wildcards used in the pathname. When matching the command
- line arguments, however, a slash d\bdo\boe\bes\bs get matched by wild
- cards. This is to make a path like:
-
- /usr/bin/*
+ line arguments, however, a slash d\bdo\boe\bes\bs get matched by
- match _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bw_\bh_\bo but not _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bX_\b1_\b1_\b/_\bx_\bt_\be_\br_\bm.
+1.6.9 November 12, 2004 16
-1.6.9 October 26, 2004 16
-
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ wildcards. This is to make a path like:
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ /usr/bin/*
+ match _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bw_\bh_\bo but not _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bX_\b1_\b1_\b/_\bx_\bt_\be_\br_\bm.
E\bEx\bxc\bce\bep\bpt\bti\bio\bon\bns\bs t\bto\bo w\bwi\bil\bld\bdc\bca\bar\brd\bd r\bru\bul\ble\bes\bs
dangerous since in a command context, it allows the user
to run a\ban\bny\by command on the system.
- An exclamation point ('!') can be used as a logical _\bn_\bo_\bt
- operator both in an _\ba_\bl_\bi_\ba_\bs and in front of a Cmnd. This
- allows one to exclude certain values. Note, however, that
- using a ! in conjunction with the built-in ALL alias to
- allow a user to run "all but a few" commands rarely works
- as intended (see SECURITY NOTES below).
-1.6.9 October 26, 2004 17
+1.6.9 November 12, 2004 17
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ An exclamation point ('!') can be used as a logical _\bn_\bo_\bt
+ operator both in an _\ba_\bl_\bi_\ba_\bs and in front of a Cmnd. This
+ allows one to exclude certain values. Note, however, that
+ using a ! in conjunction with the built-in ALL alias to
+ allow a user to run "all but a few" commands rarely works
+ as intended (see SECURITY NOTES below).
+
Long lines can be continued with a backslash ('\') as the
last character on the line.
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules
+
+
+
+
+
+
+
+
+
+
+
+1.6.9 November 12, 2004 18
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
/usr/sbin/restore, /usr/sbin/rrestore
Here we override some of the compiled in default values.
We want s\bsu\bud\bdo\bo to log via _\bs_\by_\bs_\bl_\bo_\bg(3) using the _\ba_\bu_\bt_\bh facility
-
-
-
-1.6.9 October 26, 2004 18
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
in all cases. We don't want to subject the full time
staff to the s\bsu\bud\bdo\bo lecture, user m\bmi\bil\bll\ble\ber\brt\bt need not give a
password, and we don't want to reset the LOGNAME or USER
jack CSNETS = ALL
The user j\bja\bac\bck\bk may run any command on the machines in the
- _\bC_\bS_\bN_\bE_\bT_\bS alias (the networks 128.138.243.0, 128.138.204.0,
- and 128.138.242.0). Of those networks, only 128.138.204.0
- has an explicit netmask (in CIDR notation) indicating it
- is a class C network. For the other networks in _\bC_\bS_\bN_\bE_\bT_\bS,
- the local machine's netmask will be used during matching.
- lisa CUNETS = ALL
- The user l\bli\bis\bsa\ba may run any command on any host in the
- _\bC_\bU_\bN_\bE_\bT_\bS alias (the class B network 128.138.0.0).
- operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
- sudoedit /etc/printcap, /usr/oper/bin/
+1.6.9 November 12, 2004 19
- The o\bop\bpe\ber\bra\bat\bto\bor\br user may run commands limited to simple
-1.6.9 October 26, 2004 19
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ _\bC_\bS_\bN_\bE_\bT_\bS alias (the networks 128.138.243.0, 128.138.204.0,
+ and 128.138.242.0). Of those networks, only 128.138.204.0
+ has an explicit netmask (in CIDR notation) indicating it
+ is a class C network. For the other networks in _\bC_\bS_\bN_\bE_\bT_\bS,
+ the local machine's netmask will be used during matching.
+ lisa CUNETS = ALL
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ The user l\bli\bis\bsa\ba may run any command on any host in the
+ _\bC_\bU_\bN_\bE_\bT_\bS alias (the class B network 128.138.0.0).
+ operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
+ sudoedit /etc/printcap, /usr/oper/bin/
- maintenance. Here, those are commands related to backups,
+ The o\bop\bpe\ber\bra\bat\bto\bor\br user may run commands limited to simple main
+ tenance. Here, those are commands related to backups,
killing processes, the printing system, shutting down the
system, and any commands in the directory _\b/_\bu_\bs_\br_\b/_\bo_\bp_\be_\br_\b/_\bb_\bi_\bn_\b/.
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
+
+
+1.6.9 November 12, 2004 20
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
On the _\bA_\bL_\bP_\bH_\bA machines, user j\bjo\boh\bhn\bn may su to anyone except
root but he is not allowed to give _\bs_\bu(1) any flags.
any commands in the directory /usr/bin/ except for those
commands belonging to the _\bS_\bU and _\bS_\bH_\bE_\bL_\bL_\bS Cmnd_Aliases.
-
-
-1.6.9 October 26, 2004 20
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
steve CSNETS = (operator) /usr/local/op_commands/
The user s\bst\bte\bev\bve\be may run any command in the directory
restrictions should be considered advisory at best (and
reinforced by policy).
+
+
+1.6.9 November 12, 2004 21
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
P\bPR\bRE\bEV\bVE\bEN\bNT\bTI\bIN\bNG\bG S\bSH\bHE\bEL\bLL\bL E\bES\bSC\bCA\bAP\bPE\bES\bS
Once s\bsu\bud\bdo\bo executes a program, that program is free to do
whatever it pleases, including run other programs. This
restrict Avoid giving users access to commands that allow
the user to run arbitrary commands. Many edi
tors have a restricted mode where shell escapes
-
-
-
-1.6.9 October 26, 2004 21
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
are disabled, though s\bsu\bud\bdo\boe\bed\bdi\bit\bt is a better solu
tion to running editors via s\bsu\bud\bdo\bo. Due to the
large number of programs that offer shell
the LD_PRELOAD environment variable. Check your
operating system's manual pages for the dynamic
linker (usually ld.so, ld.so.1, dyld, dld.sl,
- rld, or loader) to see if LD_PRELOAD is sup
- ported.
- To enable _\bn_\bo_\be_\bx_\be_\bc for a command, use the NOEXEC
- tag as documented in the User Specification sec
- tion above. Here is that example again:
- aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
- This allows user a\baa\bar\bro\bon\bn to run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and
- _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi with _\bn_\bo_\be_\bx_\be_\bc enabled. This will pre
- vent those two commands from executing other
- commands (such as a shell). If you are unsure
- whether or not your system is capable of
+1.6.9 November 12, 2004 22
-1.6.9 October 26, 2004 22
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ rld, or loader) to see if LD_PRELOAD is sup
+ ported.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ To enable _\bn_\bo_\be_\bx_\be_\bc for a command, use the NOEXEC
+ tag as documented in the User Specification sec
+ tion above. Here is that example again:
+ aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
- supporting _\bn_\bo_\be_\bx_\be_\bc you can always just try it out
+ This allows user a\baa\bar\bro\bon\bn to run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and
+ _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi with _\bn_\bo_\be_\bx_\be_\bc enabled. This will pre
+ vent those two commands from executing other
+ commands (such as a shell). If you are unsure
+ whether or not your system is capable of sup
+ porting _\bn_\bo_\be_\bx_\be_\bc you can always just try it out
and see if it works.
monitor On operating systems that support the s\bsy\bys\bst\btr\bra\bac\bce\be
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
_\br_\bs_\bh(1), _\bs_\bu(1), _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3), sudo(1m), visudo(1m)
+
+
+
+1.6.9 November 12, 2004 23
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
The _\bs_\bu_\bd_\bo_\be_\br_\bs file should a\bal\blw\bwa\bay\bys\bs be edited by the v\bvi\bis\bsu\bud\bdo\bo
command which locks the file and does grammatical check
hostname be fully qualified as returned by the hostname
command or use the _\bf_\bq_\bd_\bn option in _\bs_\bu_\bd_\bo_\be_\br_\bs.
-
-
-
-
-1.6.9 October 26, 2004 23
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
B\bBU\bUG\bGS\bS
If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a
bug report at http://www.sudo.ws/sudo/bugs/
-
-
-
-
-
-
-
-
-
-
-
-
-
-1.6.9 October 26, 2004 24
+1.6.9 November 12, 2004 24