-1.6.8 September 6, 2004 1
+1.6.9 September 30, 2004 1
-1.6.8 September 6, 2004 2
+1.6.9 September 30, 2004 2
-1.6.8 September 6, 2004 3
+1.6.9 September 30, 2004 3
-1.6.8 September 6, 2004 4
+1.6.9 September 30, 2004 4
-1.6.8 September 6, 2004 5
+1.6.9 September 30, 2004 5
-1.6.8 September 6, 2004 6
+1.6.9 September 30, 2004 6
-1.6.8 September 6, 2004 7
+1.6.9 September 30, 2004 7
-1.6.8 September 6, 2004 8
+1.6.9 September 30, 2004 8
VENTING SHELL ESCAPES" section at the end of
this manual. This flag is _\bo_\bf_\bf by default.
+ trace If set, all commands run via sudo will behave
+ as if the TRACE tag has been set, unless over
+ ridden by a NOTRACE tag. See the description
+ of _\bT_\bR_\bA_\bC_\bE _\ba_\bn_\bd _\bN_\bO_\bT_\bR_\bA_\bC_\bE below as well as the
+ "PREVENTING SHELL ESCAPES" section at the end
+ of this manual. Be aware that tracing is only
+ supported on certain operating systems. On
+ systems where it is not supported this flag
+ will have no effect. This flag is _\bo_\bf_\bf by
+ default.
+
ignore_local_sudoers
If set via LDAP, parsing of @sysconfdir@/sudo
ers will be skipped. This is intended for an
loglinelen Number of characters per line for the file
log. This value is used to decide when to
wrap lines for nicer log files. This has no
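Review bot: the new `trace` entry says tracing is "only supported on certain operating systems" but omits the other precondition stated later in the same patch, that sudo must have been configured with the --with-systrace option; without it an administrator enabling this flag on a build without systrace support gets no effect and no hint why. Suggest "Be aware that tracing is only supported on certain operating systems and only if sudo was configured with --with-systrace", made in the nroff source and regenerated here.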
- effect on the syslog log file, only the file
- log. The default is 80 (use 0 or negate the
- option to disable word wrap).
-
- timestamp_timeout
- Number of minutes that can elapse before s\bsu\bud\bdo\bo
- will ask for a passwd again. The default is
- 5. Set this to 0 to always prompt for a pass
- word. If set to a value less than 0 the
- user's timestamp will never expire. This can
- be used to allow users to create or delete
-1.6.8 September 6, 2004 9
+1.6.9 September 30, 2004 9
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ effect on the syslog log file, only the file
+ log. The default is 80 (use 0 or negate the
+ option to disable word wrap).
+
+ timestamp_timeout
+ Number of minutes that can elapse before s\bsu\bud\bdo\bo
+ will ask for a passwd again. The default is
+ 5. Set this to 0 to always prompt for a pass
+ word. If set to a value less than 0 the
+ user's timestamp will never expire. This can
+ be used to allow users to create or delete
their own timestamps via sudo -v and sudo -k
respectively.
%U expanded to the login name of the user
the command will be run as (defaults
- to root)
- %h expanded to the local hostname without
- the domain name
- %H expanded to the local hostname includ
- ing the domain name (on if the
- machine's hostname is fully qualified
- or the _\bf_\bq_\bd_\bn option is set)
- %% two consecutive % characters are
+1.6.9 September 30, 2004 10
-1.6.8 September 6, 2004 10
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ to root)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ %h expanded to the local hostname without
+ the domain name
+ %H expanded to the local hostname includ
+ ing the domain name (on if the
+ machine's hostname is fully qualified
+ or the _\bf_\bq_\bd_\bn option is set)
- collaped into a single % character
+ %% two consecutive % characters are col
+ laped into a single % character
The default value is Password:.
never Never lecture the user.
- once Only lecture the user the first time
- they run s\bsu\bud\bdo\bo.
- always Always lecture the user.
- The default value is _\bo_\bn_\bc_\be.
- lecture_file
- Path to a file containing an alternate sudo
- lecture that will be used in place of the
- standard lecture if the named file exists.
+1.6.9 September 30, 2004 11
-1.6.8 September 6, 2004 11
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ once Only lecture the user the first time
+ they run s\bsu\bud\bdo\bo.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ always Always lecture the user.
+
+ The default value is _\bo_\bn_\bc_\be.
+ lecture_file
+ Path to a file containing an alternate sudo
+ lecture that will be used in place of the
+ standard lecture if the named file exists.
logfile Path to the s\bsu\bud\bdo\bo log file (not the syslog log
file). Setting a path turns on logging to a
to use the -\b-v\bv flag.
always The user must always enter a password
- to use the -\b-v\bv flag.
- The default value is `all'.
- listpw This option controls when a password will be
- required when a user runs s\bsu\bud\bdo\bo with the -\b-l\bl
- flag. It has the following possible values:
- all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the
- current host must have the NOPASSWD
- flag set to avoid entering a password.
+1.6.9 September 30, 2004 12
-1.6.8 September 6, 2004 12
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ to use the -\b-v\bv flag.
+ The default value is `all'.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ listpw This option controls when a password will be
+ required when a user runs s\bsu\bud\bdo\bo with the -\b-l\bl
+ flag. It has the following possible values:
+ all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the
+ current host must have the NOPASSWD
+ flag set to avoid entering a password.
any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs
entries for the current host must have
dangerous variables from the environment of
any setuid process (such as s\bsu\bud\bdo\bo).
+
+
+
+1.6.9 September 30, 2004 13
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
env_keep Environment variables to be preserved in the
user's environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option
is in effect. This allows fine-grained con
respectively. This list has no default mem
bers.
-
-
-
-1.6.8 September 6, 2004 13
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
When logging via _\bs_\by_\bs_\bl_\bo_\bg(3), s\bsu\bud\bdo\bo accepts the following
values for the syslog facility (the value of the s\bsy\bys\bsl\blo\bog\bg
Parameter): a\bau\but\bth\bhp\bpr\bri\biv\bv (if your OS supports it), a\bau\but\bth\bh, d\bda\bae\be\b
Runas_Spec ::= '(' Runas_List ')'
- Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:')
+ Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
+ 'TRACE' | 'NOTRACE')
A u\bus\bse\ber\br s\bsp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn determines which commands a user may
run (and as what user) on specified hosts. By default,
dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
The user d\bdg\bgb\bb may run _\b/_\bb_\bi_\bn_\b/_\bl_\bs, _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm
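Review bot: in the Tag_Spec production the new alternatives are written 'TRACE' and 'NOTRACE' without the trailing colon that 'NOPASSWD:', 'PASSWD:', 'NOEXEC:' and 'EXEC:' carry, yet the example added later in this patch is `chuck research = TRACE: ALL`, with a colon. One of the two is wrong; the grammar should match what the parser accepts, presumably 'TRACE:' | 'NOTRACE:'.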
- -- but only as o\bop\bpe\ber\bra\bat\bto\bor\br. E.g.,
- $ sudo -u operator /bin/ls.
- It is also possible to override a Runas_Spec later on in
- an entry. If we modify the entry like so:
- dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
+1.6.9 September 30, 2004 14
- Then user d\bdg\bgb\bb is now allowed to run _\b/_\bb_\bi_\bn_\b/_\bl_\bs as o\bop\bpe\ber\bra\bat\bto\bor\br,
- but _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as r\bro\boo\bot\bt.
-
-1.6.8 September 6, 2004 14
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ -- but only as o\bop\bpe\ber\bra\bat\bto\bor\br. E.g.,
+ $ sudo -u operator /bin/ls.
+ It is also possible to override a Runas_Spec later on in
+ an entry. If we modify the entry like so:
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
+ Then user d\bdg\bgb\bb is now allowed to run _\b/_\bb_\bi_\bn_\b/_\bl_\bs as o\bop\bpe\ber\bra\bat\bto\bor\br,
+ but _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as r\bro\boo\bot\bt.
T\bTa\bag\bg_\b_S\bSp\bpe\bec\bc
A command may have zero or more tags associated with it.
There are four possible tag values, NOPASSWD, PASSWD,
- NOEXEC, EXEC. Once a tag is set on a Cmnd, subsequent
- Cmnds in the Cmnd_Spec_List, inherit the tag unless it is
- overridden by the opposite tag (ie: PASSWD overrides
- NOPASSWD and EXEC overrides NOEXEC).
+ NOEXEC, EXEC, TRACE and NOTRACE. Once a tag is set on a
+ Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit the
+ tag unless it is overridden by the opposite tag (ie:
+ PASSWD overrides NOPASSWD and NOTRACE overrides TRACE).
_\bN_\bO_\bP_\bA_\bS_\bS_\bW_\bD _\ba_\bn_\bd _\bP_\bA_\bS_\bS_\bW_\bD
_\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC
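Review bot: "There are four possible tag values" is kept while the list that follows now names six (NOPASSWD, PASSWD, NOEXEC, EXEC, TRACE and NOTRACE); change "four" to "six" or drop the count. The inheritance example was also rewritten to cite NOTRACE overriding TRACE in place of EXEC overriding NOEXEC; naming all three pairs would avoid suggesting the EXEC/NOEXEC behaviour changed.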
- If sudo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the
- underlying operating system support it, the NOEXEC tag can
- be used to prevent a dynamically-linked executable from
- running further commands itself.
+ If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the
+
+
+
+1.6.9 September 30, 2004 15
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
+ underlying operating system supports it, the NOEXEC tag
+ can be used to prevent a dynamically-linked executable
+ from running further commands itself.
In the following example, user a\baa\bar\bro\bon\bn may run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be
and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi but shell escapes will be disabled.
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
See the "PREVENTING SHELL ESCAPES" section below for more
- details on how _\bn_\bo_\be_\bx_\be_\bc works and whether or not it will
+ details on how NOEXEC works and whether or not it will
work on your system.
+ _\bT_\bR_\bA_\bC_\bE _\ba_\bn_\bd _\bN_\bO_\bT_\bR_\bA_\bC_\bE
+ If s\bsu\bud\bdo\bo has been configured with the --with-systrace
+ option, the TRACE tag can be used to cause programs
+ spawned by a command to be checked against _\bs_\bu_\bd_\bo_\be_\br_\bs and
+ logged just like they would be if run through s\bsu\bud\bdo\bo
+ directly. This is useful in conjunction with commands
+ that allow shell escapes such as editors, shells and pagi
+ nators.
-1.6.8 September 6, 2004 15
-
-
-
+ In the following example, user c\bch\bhu\buc\bck\bk may run any command
+ on the machine research with tracing enabled.
+ chuck research = TRACE: ALL
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
+ See the "PREVENTING SHELL ESCAPES" section below for more
+ details on how TRACE works and whether or not it will work
+ on your system.
W\bWi\bil\bld\bdc\bca\bar\brd\bds\bs
Note that a forward slash ('/') will n\bno\bot\bt be matched by
wildcards used in the pathname. When matching the command
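Review bot: the subsection is titled "TRACE and NOTRACE" but only TRACE is described; one sentence saying that NOTRACE switches tracing off for the remaining commands in the list (the Tag_Spec text already says it overrides TRACE) would complete it. The example `chuck research = TRACE: ALL` also demonstrates only the logging half of tracing: because ALL always matches, every program spawned under it passes the sudoers check, so an entry with an explicit command list would show tracing denying a shell escape as well.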
+
+
+
+1.6.9 September 30, 2004 16
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
line arguments, however, a slash d\bdo\boe\bes\bs get matched by wild
cards. This is to make a path like:
This limitation will be removed in a future version of
s\bsu\bud\bdo\bo.
+ E\bEx\bxc\bce\bep\bpt\bti\bio\bon\bns\bs t\bto\bo w\bwi\bil\bld\bdc\bca\bar\brd\bd r\bru\bul\ble\bes\bs
+ The following exceptions apply to the above rules:
+ "" If the empty string "" is the only command line
+ argument in the _\bs_\bu_\bd_\bo_\be_\br_\bs entry it means that com
+ mand is not allowed to be run with a\ban\bny\by arguments.
+ I\bIn\bnc\bcl\blu\bud\bdi\bin\bng\bg o\bot\bth\bhe\ber\br f\bfi\bil\ble\bes\bs f\bfr\bro\bom\bm w\bwi\bit\bth\bhi\bin\bn s\bsu\bud\bdo\boe\ber\brs\bs
-1.6.8 September 6, 2004 16
+ It is possible to include other _\bs_\bu_\bd_\bo_\be_\br_\bs files from within
+ the _\bs_\bu_\bd_\bo_\be_\br_\bs file currently being parsed using the #include
+ directive, similar to the one used by the C preprocessor.
+ This is useful, for example, for keeping a site-wide _\bs_\bu_\bd_\bo_\b
+ _\be_\br_\bs file in addition to a per-machine local one. For the
+ sake of this example the site-wide _\bs_\bu_\bd_\bo_\be_\br_\bs will be
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs and the per-machine one will be _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b
+ _\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. To include _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl from _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b
+ _\be_\br_\bs we would use the following line in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs:
+ #include /etc/sudoers.local
+ When s\bsu\bud\bdo\bo reaches this line it will suspend processing of
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+1.6.9 September 30, 2004 17
- E\bEx\bxc\bce\bep\bpt\bti\bio\bon\bns\bs t\bto\bo w\bwi\bil\bld\bdc\bca\bar\brd\bd r\bru\bul\ble\bes\bs
- The following exceptions apply to the above rules:
- "" If the empty string "" is the only command line
- argument in the _\bs_\bu_\bd_\bo_\be_\br_\bs entry it means that com
- mand is not allowed to be run with a\ban\bny\by arguments.
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
+ the current file (_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs) and switch to _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b
+ _\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. Upon reaching the end of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl,
+ the rest of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs will be processed. Files that
+ are included may themselves include other files. A hard
+ limit of 128 nested include files is enforced to prevent
+ include file loops.
O\bOt\bth\bhe\ber\br s\bsp\bpe\bec\bci\bia\bal\bl c\bch\bha\bar\bra\bac\bct\bte\ber\brs\bs a\ban\bnd\bd r\bre\bes\bse\ber\brv\bve\bed\bd w\bwo\bor\brd\bds\bs
The pound sign ('#') is used to indicate a comment (unless
- it occurs in the context of a user name and is followed by
- one or more digits, in which case it is treated as a uid).
- Both the comment character and any text after it, up to
- the end of the line, are ignored.
+ it is part of a #include directive or unless it occurs in
+ the context of a user name and is followed by one or more
+ digits, in which case it is treated as a uid). Both the
+ comment character and any text after it, up to the end of
+ the line, are ignored.
The reserved word A\bAL\bLL\bL is a built-in _\ba_\bl_\bi_\ba_\bs that always
causes a match to succeed. It can be used wherever one
-1.6.8 September 6, 2004 17
+1.6.9 September 30, 2004 18
-1.6.8 September 6, 2004 18
+1.6.9 September 30, 2004 19
-1.6.8 September 6, 2004 19
+1.6.9 September 30, 2004 20
-1.6.8 September 6, 2004 20
+1.6.9 September 30, 2004 21
whatever it pleases, including run other programs. This
can be a security issue since it is not uncommon for a
program to allow shell escapes, which lets a user bypass
- s\bsu\bud\bdo\bo's restrictions. Common programs that permit shell
- escapes include shells (obviously), editors, paginators,
- mail and terminal programs.
-
- Many systems that support shared libraries have the abil
- ity to override default library functions by pointing an
- environment variable (usually LD_PRELOAD) to an alternate
- shared library. On such systems, s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc function
- ality can be used to prevent a program run by sudo from
- executing any other programs. Note, however, that this
- applies only to native dynamically-linked executables.
- Statically-linked executables and foreign executables run
- ning under binary emulation are not affected.
+ s\bsu\bud\bdo\bo's access control and logging. Common programs that
+ permit shell escapes include shells (obviously), editors,
+ paginators, mail and terminal programs.
- To tell whether or not s\bsu\bud\bdo\bo supports _\bn_\bo_\be_\bx_\be_\bc, you can run
- the following as root:
+ There are three basic approaches to this problem:
- sudo -V | grep "dummy exec"
+ restrict Avoid giving users access to commands that allow
+ the user to run arbitrary commands. Many edi
+ tors have a restricted mode where shell escapes
+ are disabled, though s\bsu\bud\bdo\boe\bed\bdi\bit\bt is a better solu
+ tion to running editors via sudo. Due to the
+ large number of programs that offer shell
+ escapes, restricting users to the set of pro
+ grams that do not if often unworkable.
+ noexec Many systems that support shared libraries have
+ the ability to override default library func
+ tions by pointing an environment variable (usu
+ ally LD_PRELOAD) to an alternate shared library.
-1.6.8 September 6, 2004 21
+1.6.9 September 30, 2004 22
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- If the resulting output contains a line that begins with:
+ On such systems, s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality can
+ be used to prevent a program run by sudo from
+ executing any other programs. Note, however,
+ that this applies only to native dynamically-
+ linked executables. Statically-linked executa
+ bles and foreign executables running under
+ binary emulation are not affected.
- File containing dummy exec functions:
+ To tell whether or not s\bsu\bud\bdo\bo supports _\bn_\bo_\be_\bx_\be_\bc, you
+ can run the following as root:
- then s\bsu\bud\bdo\bo may be able to replace the exec family of func
- tions in the standard library with its own that simply
- return an error. Unfortunately, there is no foolproof way
- to know whether or not _\bn_\bo_\be_\bx_\be_\bc will work at compile-time.
- _\bN_\bo_\be_\bx_\be_\bc should work on SunOS, Solaris, *BSD, Linux, IRIX,
- Tru64 UNIX, MacOS X, and HP-UX 11.x. It is known n\bno\bot\bt to
- work on AIX and UnixWare. _\bN_\bo_\be_\bx_\be_\bc is expected to work on
- most operating systems that support the LD_PRELOAD envi
- ronment variable. Check your operating system's manual
- pages for the dynamic linker (usually ld.so, ld.so.1,
- dyld, dld.sl, rld, or loader) to see if LD_PRELOAD is sup
- ported.
+ sudo -V | grep "dummy exec"
- To enable _\bn_\bo_\be_\bx_\be_\bc for a command, use the NOEXEC tag as doc
- umented in the User Specification section above. Here is
- that example again:
+ If the resulting output contains a line that
+ begins with:
- aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+ File containing dummy exec functions:
+
+ then s\bsu\bud\bdo\bo may be able to replace the exec family
+ of functions in the standard library with its
+ own that simply return an error. Unfortunately,
+ there is no foolproof way to know whether or not
+ _\bn_\bo_\be_\bx_\be_\bc will work at compile-time. _\bN_\bo_\be_\bx_\be_\bc should
+ work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64
+ UNIX, MacOS X, and HP-UX 11.x. It is known n\bno\bot\bt
+ to work on AIX and UnixWare. _\bN_\bo_\be_\bx_\be_\bc is expected
+ to work on most operating systems that support
+ the LD_PRELOAD environment variable. Check your
+ operating system's manual pages for the dynamic
+ linker (usually ld.so, ld.so.1, dyld, dld.sl,
+ rld, or loader) to see if LD_PRELOAD is sup
+ ported.
+
+ To enable _\bn_\bo_\be_\bx_\be_\bc for a command, use the NOEXEC
+ tag as documented in the User Specification sec
+ tion above. Here is that example again:
+
+ aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+
+ This allows user a\baa\bar\bro\bon\bn to run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and
+ _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi with _\bn_\bo_\be_\bx_\be_\bc enabled. This will pre
+ vent those two commands from executing other
+ commands (such as a shell). If you are unsure
+ whether or not your system is capable of sup
+ porting _\bn_\bo_\be_\bx_\be_\bc you can always just try it out
+ and see if it works.
+
+ tracing On operating systems that support the s\bsy\bys\bst\btr\bra\bac\bce\be
+ pseudo-device, the --with-systrace configure
+ option can be used to compile support for com
+ mand tracing in s\bsu\bud\bdo\bo. With s\bsy\bys\bst\btr\bra\bac\bce\be support
+ s\bsu\bud\bdo\bo can transparently intercept a new command,
+ allow or deny it based on _\bs_\bu_\bd_\bo_\be_\br_\bs, and log the
+ result. This does require that s\bsu\bud\bdo\bo become a
+
+
+
+1.6.9 September 30, 2004 23
- This allows user a\baa\bar\bro\bon\bn to run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and
- _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi with _\bn_\bo_\be_\bx_\be_\bc enabled. This will prevent those
- two commands from executing other commands (such as a
- shell). If you are unsure whether or not your system is
- capable of supporting _\bn_\bo_\be_\bx_\be_\bc you can always just try it
- out and see if it works.
- Note that disabling shell escapes is not a panacea. Pro
- grams running as root are still capable of many poten
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
+ daemon that persists until the command and all
+ its descendents have finished.
+
+ To enable tracing on a per-command basis, use
+ the TRACE tag as documented in the User Specifi
+ cation section above. Here is that example
+ again:
+
+ chuck research = TRACE: ALL
+
+ This allows user c\bch\bhu\buc\bck\bk to run any command on the
+ machine research with tracing enabled. Any com
+ mands run via shell escapes will be logged by
+ sudo.
+
+ At the time of this writing the s\bsy\bys\bst\btr\bra\bac\bce\be pseudo-
+ device comes standard with OpenBSD and NetBSD
+ and is available as patches to FreeBSD, MacOS X
+ and Linux. See <http://www.systrace.org/> for
+ more information.
+
+ Note that restricting shell escapes is not a panacea.
+ Programs running as root are still capable of many poten
tially hazardous operations (such as changing or overwrit
ing files) that could lead to unintended privilege escala
tion. In the specific case of an editor, a safer approach
hostname be fully qualified as returned by the hostname
command or use the _\bf_\bq_\bd_\bn option in _\bs_\bu_\bd_\bo_\be_\br_\bs.
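Review bot: typo in the `restrict` item, "restricting users to the set of programs that do not if often unworkable" should read "is often unworkable"; and in the `tracing` item "descendents" should be "descendants". Both need fixing in the nroff source so the regenerated cat page picks them up.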
+B\bBU\bUG\bGS\bS
+ If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a
+ bug report at http://www.sudo.ws/sudo/bugs/
+S\bSU\bUP\bPP\bPO\bOR\bRT\bT
+ Commercial support is available for s\bsu\bud\bdo\bo, see
+ http://www.sudo.ws/sudo/support.html for details.
+ Limited free support is available via the sudo-users mail
+ ing list, see
-1.6.8 September 6, 2004 22
-
+1.6.9 September 30, 2004 24
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-B\bBU\bUG\bGS\bS
- If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a
- bug report at http://www.sudo.ws/sudo/bugs/
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Commercial support is available for s\bsu\bud\bdo\bo, see
- http://www.sudo.ws/sudo/support.html for details.
- Limited free support is available via the sudo-users mail
- ing list, see http://www.sudo.ws/mail
- man/listinfo/sudo-users to subscribe or search the
- archives.
+ http://www.sudo.ws/mailman/listinfo/sudo-users to sub
+ scribe or search the archives.
D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
S\bSu\bud\bdo\bo is provided ``AS IS'' and any express or implied war
-1.6.8 September 6, 2004 23
+
+
+
+
+
+
+
+
+
+
+1.6.9 September 30, 2004 25
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "September 6, 2004" "1.6.8" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "September 30, 2004" "1.6.9" "MAINTENANCE COMMANDS"
.SH "NAME"
sudoers \- list of which users may execute what
.SH "DESCRIPTION"
If set, all commands run via sudo will behave as if the \f(CW\*(C`NOEXEC\*(C'\fR
tag has been set, unless overridden by a \f(CW\*(C`EXEC\*(C'\fR tag. See the
description of \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR below as well as the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section at the end of this manual. This flag is \fIoff\fR by default.
+.IP "trace" 12
+.IX Item "trace"
+If set, all commands run via sudo will behave as if the \f(CW\*(C`TRACE\*(C'\fR
+tag has been set, unless overridden by a \f(CW\*(C`NOTRACE\*(C'\fR tag. See the
+description of \fI\s-1TRACE\s0 and \s-1NOTRACE\s0\fR below as well as the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section at the end of this manual. Be aware that
+tracing is only supported on certain operating systems. On systems
+where it is not supported this flag will have no effect.
+This flag is \fIoff\fR by default.
.IP "ignore_local_sudoers" 12
.IX Item "ignore_local_sudoers"
If set via \s-1LDAP\s0, parsing of \f(CW@sysconfdir\fR@/sudoers will be skipped.
\& Runas_Spec ::= '(' Runas_List ')'
.Ve
.PP
-.Vb 1
-\& Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:')
+.Vb 2
+\& Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
+\& 'TRACE' | 'NOTRACE')
.Ve
.PP
A \fBuser specification\fR determines which commands a user may run
.Sh "Tag_Spec"
.IX Subsection "Tag_Spec"
A command may have zero or more tags associated with it. There are
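Review bot: the source of the colon mismatch is here: `\& 'TRACE' | 'NOTRACE')` lacks the trailing colon the other four tokens in the production carry, while the `\& chuck research = TRACE: ALL` example later in this file uses one; fix the production (or the example) to match the parser, then regenerate the cat page.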
-four possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, \f(CW\*(C`EXEC\*(C'\fR.
+four possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, \f(CW\*(C`EXEC\*(C'\fR,
+\&\f(CW\*(C`TRACE\*(C'\fR and \f(CW\*(C`NOTRACE\*(C'\fR.
Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR, subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the
\&\f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless it is overridden by the
-opposite tag (ie: \f(CW\*(C`PASSWD\*(C'\fR overrides \f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`EXEC\*(C'\fR
-overrides \f(CW\*(C`NOEXEC\*(C'\fR).
+opposite tag (ie: \f(CW\*(C`PASSWD\*(C'\fR overrides \f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOTRACE\*(C'\fR
+overrides \f(CW\*(C`TRACE\*(C'\fR).
.PP
\fI\s-1NOPASSWD\s0 and \s-1PASSWD\s0\fR
.IX Subsection "NOPASSWD and PASSWD"
\fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR
.IX Subsection "NOEXEC and EXEC"
.PP
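Review bot: "four possible tag values" now introduces a list of six; update the count here in the source. Listing all three override pairs (PASSWD/NOPASSWD, EXEC/NOEXEC, NOTRACE/TRACE) in the "ie:" clause would be clearer than replacing the EXEC example with the TRACE one.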
-If sudo has been compiled with \fInoexec\fR support and the underlying
-operating system support it, the \f(CW\*(C`NOEXEC\*(C'\fR tag can be used to prevent
+If \fBsudo\fR has been compiled with \fInoexec\fR support and the underlying
+operating system supports it, the \f(CW\*(C`NOEXEC\*(C'\fR tag can be used to prevent
a dynamically-linked executable from running further commands itself.
.PP
In the following example, user \fBaaron\fR may run \fI/usr/bin/more\fR
.Ve
.PP
See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details
-on how \fInoexec\fR works and whether or not it will work on your system.
+on how \f(CW\*(C`NOEXEC\*(C'\fR works and whether or not it will work on your system.
+.PP
+\fI\s-1TRACE\s0 and \s-1NOTRACE\s0\fR
+.IX Subsection "TRACE and NOTRACE"
+.PP
+If \fBsudo\fR has been configured with the \f(CW\*(C`\-\-with\-systrace\*(C'\fR option,
+the \f(CW\*(C`TRACE\*(C'\fR tag can be used to cause programs spawned by a command
+to be checked against \fIsudoers\fR and logged just like they would
+be if run through \fBsudo\fR directly. This is useful in conjunction
+with commands that allow shell escapes such as editors, shells and
+paginators.
+.PP
+In the following example, user \fBchuck\fR may run any command on the
+machine research with tracing enabled.
+.PP
+.Vb 1
+\& chuck research = TRACE: ALL
+.Ve
+.PP
+See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details
+on how \f(CW\*(C`TRACE\*(C'\fR works and whether or not it will work on your system.
.Sh "Wildcards"
.IX Subsection "Wildcards"
\&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters)
If the empty string \f(CW""\fR is the only command line argument in the
\&\fIsudoers\fR entry it means that command is not allowed to be run
with \fBany\fR arguments.
+.Sh "Including other files from within sudoers"
+.IX Subsection "Including other files from within sudoers"
+It is possible to include other \fIsudoers\fR files from within the
+\&\fIsudoers\fR file currently being parsed using the \f(CW\*(C`#include\*(C'\fR
+directive, similar to the one used by the C preprocessor. This is
+useful, for example, for keeping a site-wide \fIsudoers\fR file in
+addition to a per-machine local one. For the sake of this example
+the site-wide \fIsudoers\fR will be \fI/etc/sudoers\fR and the per-machine
+one will be \fI/etc/sudoers.local\fR. To include \fI/etc/sudoers.local\fR
+from \fI/etc/sudoers\fR we would use the following line in \fI/etc/sudoers\fR:
+.PP
+.Vb 1
+\& #include /etc/sudoers.local
+.Ve
+.PP
+When \fBsudo\fR reaches this line it will suspend processing of the
+current file (\fI/etc/sudoers\fR) and switch to \fI/etc/sudoers.local\fR.
+Upon reaching the end of \fI/etc/sudoers.local\fR, the rest of
+\&\fI/etc/sudoers\fR will be processed. Files that are included may
+themselves include other files. A hard limit of 128 nested include
+files is enforced to prevent include file loops.
.Sh "Other special characters and reserved words"
.IX Subsection "Other special characters and reserved words"
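Review bot: the new "Including other files" section does not say what sudo does when the named file does not exist or cannot be read (for instance whether parsing continues, stops, or fails closed), nor whether the path may be relative; since an include that is silently skipped would drop the policy it carries, this is worth one sentence. Minor markup point: `#include` is set in `\f(CW...\fR` in this section but appears bare as `#include` in the pound-sign paragraph below; use the same markup in both.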
-The pound sign ('#') is used to indicate a comment (unless it
-occurs in the context of a user name and is followed by one or
-more digits, in which case it is treated as a uid). Both the
-comment character and any text after it, up to the end of the line,
-are ignored.
+The pound sign ('#') is used to indicate a comment (unless it is
+part of a #include directive or unless it occurs in the context of
+a user name and is followed by one or more digits, in which case
+it is treated as a uid). Both the comment character and any text
+after it, up to the end of the line, are ignored.
.PP
The reserved word \fB\s-1ALL\s0\fR is a built-in \fIalias\fR that always causes
a match to succeed. It can be used wherever one might otherwise
Once \fBsudo\fR executes a program, that program is free to do whatever
it pleases, including run other programs. This can be a security
issue since it is not uncommon for a program to allow shell escapes,
-which lets a user bypass \fBsudo\fR's restrictions. Common programs
-that permit shell escapes include shells (obviously), editors,
-paginators, mail and terminal programs.
-.PP
+which lets a user bypass \fBsudo\fR's access control and logging.
+Common programs that permit shell escapes include shells (obviously),
+editors, paginators, mail and terminal programs.
+.PP
+There are three basic approaches to this problem:
+.IP "restrict" 10
+.IX Item "restrict"
+Avoid giving users access to commands that allow the user to run
+arbitrary commands. Many editors have a restricted mode where shell
+escapes are disabled, though \fBsudoedit\fR is a better solution to
+running editors via sudo. Due to the large number of programs that
+offer shell escapes, restricting users to the set of programs that
+do not if often unworkable.
+.IP "noexec" 10
+.IX Item "noexec"
Many systems that support shared libraries have the ability to
override default library functions by pointing an environment
variable (usually \f(CW\*(C`LD_PRELOAD\*(C'\fR) to an alternate shared library.
Note, however, that this applies only to native dynamically-linked
executables. Statically-linked executables and foreign executables
running under binary emulation are not affected.
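Review bot: typo in the `restrict` item, "the set of programs that do not if often unworkable" should be "is often unworkable".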
-.PP
+.Sp
To tell whether or not \fBsudo\fR supports \fInoexec\fR, you can run
the following as root:
-.PP
+.Sp
.Vb 1
\& sudo -V | grep "dummy exec"
.Ve
-.PP
+.Sp
If the resulting output contains a line that begins with:
-.PP
+.Sp
.Vb 1
\& File containing dummy exec functions:
.Ve
-.PP
+.Sp
then \fBsudo\fR may be able to replace the exec family of functions
in the standard library with its own that simply return an error.
Unfortunately, there is no foolproof way to know whether or not
\&\f(CW\*(C`LD_PRELOAD\*(C'\fR environment variable. Check your operating system's
manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld,
dld.sl, rld, or loader) to see if \f(CW\*(C`LD_PRELOAD\*(C'\fR is supported.
-.PP
+.Sp
To enable \fInoexec\fR for a command, use the \f(CW\*(C`NOEXEC\*(C'\fR tag as documented
in the User Specification section above. Here is that example again:
-.PP
+.Sp
.Vb 1
\& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
.Ve
-.PP
+.Sp
This allows user \fBaaron\fR to run \fI/usr/bin/more\fR and \fI/usr/bin/vi\fR
with \fInoexec\fR enabled. This will prevent those two commands from
executing other commands (such as a shell). If you are unsure
whether or not your system is capable of supporting \fInoexec\fR you
can always just try it out and see if it works.
-.PP
-Note that disabling shell escapes is not a panacea. Programs running
-as root are still capable of many potentially hazardous operations
-(such as changing or overwriting files) that could lead to unintended
-privilege escalation. In the specific case of an editor, a safer
-approach is to give the user permission to run \fBsudoedit\fR.
+.IP "tracing" 10
+.IX Item "tracing"
+On operating systems that support the \fBsystrace\fR pseudo\-device,
+the \f(CW\*(C`\-\-with\-systrace\*(C'\fR configure option can be used to compile
+support for command tracing in \fBsudo\fR. With \fBsystrace\fR support
+\&\fBsudo\fR can transparently intercept a new command, allow or deny
+it based on \fIsudoers\fR, and log the result. This does require that
+\&\fBsudo\fR become a daemon that persists until the command and all its
+descendents have finished.
+.Sp
+To enable tracing on a per-command basis, use the \f(CW\*(C`TRACE\*(C'\fR tag as
+documented in the User Specification section above. Here is that
+example again:
+.Sp
+.Vb 1
+\& chuck research = TRACE: ALL
+.Ve
+.Sp
+This allows user \fBchuck\fR to run any command on the machine research
+with tracing enabled. Any commands run via shell escapes will be
+logged by sudo.
+.Sp
+At the time of this writing the \fBsystrace\fR pseudo-device comes
+standard with OpenBSD and NetBSD and is available as patches to
+FreeBSD, MacOS X and Linux. See <http://www.systrace.org/> for
+more information.
+.PP
+Note that restricting shell escapes is not a panacea. Programs
+running as root are still capable of many potentially hazardous
+operations (such as changing or overwriting files) that could lead
+to unintended privilege escalation. In the specific case of an
+editor, a safer approach is to give the user permission to run
+\&\fBsudoedit\fR.
.SH "SEE ALSO"
.IX Header "SEE ALSO"
\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), sudo(@mansectsu@), visudo(@mansectsu@)
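Review bot: in the `tracing` item "descendents" should be "descendants", and the hyphen in "pseudo-device" is escaped as `pseudo\-device` on its first occurrence but left bare on the second; use `\-` in both. The item also leaves undocumented what happens to a spawned program that sudoers denies (whether the exec fails, the process is killed, or only a log entry is written), which is the detail an administrator relying on tracing as a shell-escape control most needs.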