The s\bsu\bud\bdo\boe\ber\brs\bs policy plugin determines a user's s\bsu\bud\bdo\bo privileges. It is the
default s\bsu\bud\bdo\bo policy plugin. The policy is driven by the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs
file or, optionally in LDAP. The policy format is described in detail in
- the _\bS_\bU_\bD_\bO_\bE_\bR_\bS _\bF_\bI_\bL_\bE _\bF_\bO_\bR_\bM_\bA_\bT section. For information on storing _\bs_\bu_\bd_\bo_\be_\br_\bs
+ the _\bS_\bU_\bD_\bO_\bE_\bR_\bS _\bF_\bI_\bL_\bE _\bF_\bO_\bR_\bM_\bA_\bT section. For information on storing s\bsu\bud\bdo\boe\ber\brs\bs
policy information in LDAP, please see sudoers.ldap(4).
C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg s\bsu\bud\bdo\bo.\b.c\bco\bon\bnf\bf f\bfo\bor\br s\bsu\bud\bdo\boe\ber\brs\bs
manual.
A\bAu\but\bth\bhe\ben\bnt\bti\bic\bca\bat\bti\bio\bon\bn a\ban\bnd\bd l\blo\bog\bgg\bgi\bin\bng\bg
- The _\bs_\bu_\bd_\bo_\be_\br_\bs security policy requires that most users authenticate
+ The s\bsu\bud\bdo\boe\ber\brs\bs security policy requires that most users authenticate
themselves before they can use s\bsu\bud\bdo\bo. A password is not required if the
invoking user is root, if the target user is the same as the invoking
user, or if the policy has disabled authentication for the user or
- command. Unlike su(1), when _\bs_\bu_\bd_\bo_\be_\br_\bs requires authentication, it
+ command. Unlike su(1), when s\bsu\bud\bdo\boe\ber\brs\bs requires authentication, it
validates the invoking user's credentials, not the target user's (or
root's) credentials. This can be changed via the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and
_\br_\bu_\bn_\ba_\bs_\bp_\bw flags, described later.
regardless of whether or not mail is sent.
If s\bsu\bud\bdo\bo is run by root and the SUDO_USER environment variable is set, the
- _\bs_\bu_\bd_\bo_\be_\br_\bs policy will use this value to determine who the actual user is.
+ s\bsu\bud\bdo\boe\ber\brs\bs policy will use this value to determine who the actual user is.
This can be used by a user to log commands through sudo even when a root
shell has been invoked. It also allows the -\b-e\be option to remain useful
even when invoked via a sudo-run script or program. Note, however, that
- the _\bs_\bu_\bd_\bo_\be_\br_\bs lookup is still done for root, not the user specified by
+ the _\bs_\bu_\bd_\bo_\be_\br_\bs file lookup is still done for root, not the user specified by
SUDO_USER.
- _\bs_\bu_\bd_\bo_\be_\br_\bs uses per-user time stamp files for credential caching. Once a
+ s\bsu\bud\bdo\boe\ber\brs\bs uses per-user time stamp files for credential caching. Once a
user has been authenticated, a record is written containing the uid that
was used to authenticate, the terminal session ID, and a time stamp
(using a monotonic clock if one is available). The user may then use
s\bsu\bud\bdo\bo without a password for a short period of time (5 minutes unless
- overridden by the _\bt_\bi_\bm_\be_\bo_\bu_\bt option). By default, _\bs_\bu_\bd_\bo_\be_\br_\bs uses a separate
+ overridden by the _\bt_\bi_\bm_\be_\bo_\bu_\bt option). By default, s\bsu\bud\bdo\boe\ber\brs\bs uses a separate
record for each tty, which means that a user's login sessions are
authenticated separately. The _\bt_\bt_\by_\b__\bt_\bi_\bc_\bk_\be_\bt_\bs option can be disabled to
force the use of a single time stamp for all of a user's sessions.
-
- _\bs_\bu_\bd_\bo_\be_\br_\bs can log both successful and unsuccessful attempts (as well as
- errors) to syslog(3), a log file, or both. By default, _\bs_\bu_\bd_\bo_\be_\br_\bs will log
+ s\bsu\bud\bdo\boe\ber\brs\bs can log both successful and unsuccessful attempts (as well as
+ errors) to syslog(3), a log file, or both. By default, s\bsu\bud\bdo\boe\ber\brs\bs will log
via syslog(3) but this is changeable via the _\bs_\by_\bs_\bl_\bo_\bg and _\bl_\bo_\bg_\bf_\bi_\bl_\be Defaults
settings.
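Review bot: the removed blank line before "sudoers can log both successful and unsuccessful attempts" merges the credential-caching paragraph into the logging paragraph; nothing else in the patch touches layout, so this looks accidental (it mirrors a dropped .PP in the roff source further down). Restore the break, preferably by regenerating the .cat from the corrected source rather than hand-editing it. Separately, "the sudoers file lookup is still done for root" narrows the SUDO_USER statement to the file back end, while the opening paragraph says policy may live in /etc/sudoers or LDAP and the root lookup happens either way; since the other lines of this hunk switch plugin references to bold, "the sudoers lookup" in bold, or "the policy lookup", is the accurate form here, without "file".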
tags.
C\bCo\bom\bmm\bma\ban\bnd\bd e\ben\bnv\bvi\bir\bro\bon\bnm\bme\ben\bnt\bt
- Since environment variables can influence program behavior, _\bs_\bu_\bd_\bo_\be_\br_\bs
+ Since environment variables can influence program behavior, s\bsu\bud\bdo\boe\ber\brs\bs
provides a means to restrict which variables from the user's environment
are inherited by the command to be run. There are two distinct ways
- _\bs_\bu_\bd_\bo_\be_\br_\bs can deal with environment variables.
+ s\bsu\bud\bdo\boe\ber\brs\bs can deal with environment variables.
By default, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is enabled. This causes commands to be
executed with a new, minimal environment. On AIX (and Linux systems
them.
As a special case, if s\bsu\bud\bdo\bo's -\b-i\bi option (initial login) is specified,
- _\bs_\bu_\bd_\bo_\be_\br_\bs will initialize the environment regardless of the value of
+ s\bsu\bud\bdo\boe\ber\brs\bs will initialize the environment regardless of the value of
_\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt. The DISPLAY, PATH and TERM variables remain unchanged; HOME,
MAIL, SHELL, USER, and LOGNAME are set based on the target user. On AIX
(and Linux systems without PAM), the contents of _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt are
there are multiple matches, the last match is used (which is not
necessarily the most specific match).
- The _\bs_\bu_\bd_\bo_\be_\br_\bs grammar will be described below in Extended Backus-Naur Form
- (EBNF). Don't despair if you are unfamiliar with EBNF; it is fairly
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs file grammar will be described below in Extended Backus-Naur
+ Form (EBNF). Don't despair if you are unfamiliar with EBNF; it is fairly
simple, and the definitions below are annotated.
Q\bQu\bui\bic\bck\bk g\bgu\bui\bid\bde\be t\bto\bo E\bEB\bBN\bNF\bF
to permit a user to run s\bsu\bud\bdo\bo with the -\b-e\be option (or as s\bsu\bud\bdo\boe\bed\bdi\bit\bt). It may
take command line arguments just as a normal command does. Note that
``sudoedit'' is a command built into s\bsu\bud\bdo\bo itself and must be specified in
- _\bs_\bu_\bd_\bo_\be_\br_\bs without a leading path.
+ the _\bs_\bu_\bd_\bo_\be_\br_\bs file without a leading path.
If a command name is prefixed with a Digest_Spec, the command will only
match successfully if it can be verified using the specified SHA-2
setting the group to operator or system.
S\bSE\bEL\bLi\bin\bnu\bux\bx_\b_S\bSp\bpe\bec\bc
- On systems with SELinux support, _\bs_\bu_\bd_\bo_\be_\br_\bs entries may optionally have an
- SELinux role and/or type associated with a command. If a role or type is
- specified with the command it will override any default values specified
- in _\bs_\bu_\bd_\bo_\be_\br_\bs. A role or type specified on the command line, however, will
- supersede the values in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+ On systems with SELinux support, _\bs_\bu_\bd_\bo_\be_\br_\bs file entries may optionally have
+ an SELinux role and/or type associated with a command. If a role or type
+ is specified with the command it will override any default values
+ specified in _\bs_\bu_\bd_\bo_\be_\br_\bs. A role or type specified on the command line,
+ however, will supersede the values in _\bs_\bu_\bd_\bo_\be_\br_\bs.
S\bSo\bol\bla\bar\bri\bis\bs_\b_P\bPr\bri\biv\bv_\b_S\bSp\bpe\bec\bc
- On Solaris systems, _\bs_\bu_\bd_\bo_\be_\br_\bs entries may optionally specify Solaris
+ On Solaris systems, _\bs_\bu_\bd_\bo_\be_\br_\bs file entries may optionally specify Solaris
privilege set and/or limit privilege set associated with a command. If
privileges or limit privileges are specified with the command it will
override any default values specified in _\bs_\bu_\bd_\bo_\be_\br_\bs.
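Review bot: the plugin-versus-file rewrite is applied unevenly in the SELinux_Spec and Solaris_Priv_Spec paragraphs: "entries" becomes "sudoers file entries", but the three following "specified in sudoers" / "the values in sudoers" remain bare italic. Either bare italic is acceptable shorthand for the file, in which case the "file" insertions add nothing, or it is not, in which case these should read "in the sudoers file" as well; the umask_override hunk further down has the same split ("the sudoers file" twice, then "what is specified in sudoers"). Pick one convention and apply it across the whole patch.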
$ sudo cat /var/log/messages /etc/shadow
which is probably not what was intended. In most cases it is better to
- do command line processing outside of _\bs_\bu_\bd_\bo_\be_\br_\bs in a scripting language.
+ do command line processing outside of the _\bs_\bu_\bd_\bo_\be_\br_\bs file in a scripting
+ language.
E\bEx\bxc\bce\bep\bpt\bti\bio\bon\bns\bs t\bto\bo w\bwi\bil\bld\bdc\bca\bar\brd\bd r\bru\bul\ble\bes\bs
The following exceptions apply to the above rules:
"" If the empty string "" is the only command line argument in the
- _\bs_\bu_\bd_\bo_\be_\br_\bs entry it means that command is not allowed to be run
- with _\ba_\bn_\by arguments.
+ _\bs_\bu_\bd_\bo_\be_\br_\bs file entry it means that command is not allowed to be
+ run with _\ba_\bn_\by arguments.
sudoedit Command line arguments to the _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt built-in command should
always be path names, so a forward slash (`/') will not be
This can be used, for example, to keep a site-wide _\bs_\bu_\bd_\bo_\be_\br_\bs file in
addition to a local, per-machine file. For the sake of this example the
- site-wide _\bs_\bu_\bd_\bo_\be_\br_\bs will be _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs and the per-machine one will be
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. To include _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl from within
+ site-wide _\bs_\bu_\bd_\bo_\be_\br_\bs file will be _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs and the per-machine one will
+ be _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. To include _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl from within
_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs we would use the following line in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs:
#include /etc/sudoers.local
will cause s\bsu\bud\bdo\bo to include the file _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bx_\be_\br_\bx_\be_\bs.
The #includedir directive can be used to create a _\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd directory
- that the system package manager can drop _\bs_\bu_\bd_\bo_\be_\br_\bs rules into as part of
- package installation. For example, given:
+ that the system package manager can drop _\bs_\bu_\bd_\bo_\be_\br_\bs file rules into as part
+ of package installation. For example, given:
#includedir /etc/sudoers.d
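Review bot: "drop sudoers file rules into as part of package installation" in the #includedir paragraph is awkward and slightly misleading: a package drops whole files in sudoers format into the directory, not rules into a file. "drop sudoers rules into" (plugin in bold, as the original read) or simply "drop rules into" is clearer; the roff hunk for the same sentence further down ("file rules into as part of package installation.") needs the same fix.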
names that include globbing characters are used with
the negation operator, `!', as such rules can be
trivially bypassed. As such, this option should not be
- used when _\bs_\bu_\bd_\bo_\be_\br_\bs contains rules that contain negated
- path names which include globbing characters. This
- flag is _\bo_\bf_\bf by default.
+ used when the _\bs_\bu_\bd_\bo_\be_\br_\bs file contains rules that contain
+ negated path names which include globbing characters.
+ This flag is _\bo_\bf_\bf by default.
fqdn Set this flag if you want to put fully qualified host
names in the _\bs_\bu_\bd_\bo_\be_\br_\bs file when the local host name (as
log_host If set, the host name will be logged in the (non-
syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
- log_input If set, s\bsu\bud\bdo\bo will run the command in a _\bp_\bs_\be_\bu_\bd_\bo_\b-_\bt_\bt_\by and
+ log_input If set, s\bsu\bud\bdo\bo will run the command in a pseudo-tty and
log all user input. If the standard input is not
connected to the user's tty, due to I/O redirection or
because the command is part of a pipeline, that input
unencrypted. In most cases, logging the command output
via _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt is all that is required.
- log_output If set, s\bsu\bud\bdo\bo will run the command in a _\bp_\bs_\be_\bu_\bd_\bo_\b-_\bt_\bt_\by and
+ log_output If set, s\bsu\bud\bdo\bo will run the command in a pseudo-tty and
log all output that is sent to the screen, similar to
the script(1) command. If the standard output or
standard error is not connected to the user's tty, due
mail_badpass Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user if the user running s\bsu\bud\bdo\bo
does not enter the correct password. If the command
the user is attempting to run is not permitted by
- _\bs_\bu_\bd_\bo_\be_\br_\bs and one of the _\bm_\ba_\bi_\bl_\b__\ba_\bl_\bl_\b__\bc_\bm_\bn_\bd_\bs, _\bm_\ba_\bi_\bl_\b__\ba_\bl_\bw_\ba_\by_\bs,
+ s\bsu\bud\bdo\boe\ber\brs\bs and one of the _\bm_\ba_\bi_\bl_\b__\ba_\bl_\bl_\b__\bc_\bm_\bn_\bd_\bs, _\bm_\ba_\bi_\bl_\b__\ba_\bl_\bw_\ba_\by_\bs,
_\bm_\ba_\bi_\bl_\b__\bn_\bo_\b__\bh_\bo_\bs_\bt, _\bm_\ba_\bi_\bl_\b__\bn_\bo_\b__\bp_\be_\br_\bm_\bs or _\bm_\ba_\bi_\bl_\b__\bn_\bo_\b__\bu_\bs_\be_\br flags are
set, this flag will have no effect. This flag is _\bo_\bf_\bf
by default.
single record is used for all login sessions. This
flag is _\bo_\bn by default.
- umask_override If set, s\bsu\bud\bdo\bo will set the umask as specified by _\bs_\bu_\bd_\bo_\be_\br_\bs
- without modification. This makes it possible to
- specify a more permissive umask in _\bs_\bu_\bd_\bo_\be_\br_\bs than the
- user's own umask and matches historical behavior. If
- _\bu_\bm_\ba_\bs_\bk_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is not set, s\bsu\bud\bdo\bo will set the umask to
- be the union of the user's umask and what is specified
- in _\bs_\bu_\bd_\bo_\be_\br_\bs. This flag is _\bo_\bf_\bf by default.
+ umask_override If set, s\bsu\bud\bdo\bo will set the umask as specified in the
+ _\bs_\bu_\bd_\bo_\be_\br_\bs file without modification. This makes it
+ possible to specify a umask in the _\bs_\bu_\bd_\bo_\be_\br_\bs file that is
+ more permissive than the user's own umask and matches
+ historical behavior. If _\bu_\bm_\ba_\bs_\bk_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is not set,
+ s\bsu\bud\bdo\bo will set the umask to be the union of the user's
+ umask and what is specified in _\bs_\bu_\bd_\bo_\be_\br_\bs. This flag is
+ _\bo_\bf_\bf by default.
use_loginclass If set, s\bsu\bud\bdo\bo will apply the defaults specified for the
target user's login class if one exists. Only
role The default SELinux role to use when constructing a new
security context to run the command. The default role
- may be overridden on a per-command basis in _\bs_\bu_\bd_\bo_\be_\br_\bs or
- via command line options. This option is only
+ may be overridden on a per-command basis in the _\bs_\bu_\bd_\bo_\be_\br_\bs
+ file or via command line options. This option is only
available when s\bsu\bud\bdo\bo is built with SELinux support.
runas_default The default user to run commands as if the -\b-u\bu option is
type The default SELinux type to use when constructing a new
security context to run the command. The default type
- may be overridden on a per-command basis in _\bs_\bu_\bd_\bo_\be_\br_\bs or
- via command line options. This option is only
+ may be overridden on a per-command basis in the _\bs_\bu_\bd_\bo_\be_\br_\bs
+ file or via command line options. This option is only
available when s\bsu\bud\bdo\bo is built with SELinux support.
S\bSt\btr\bri\bin\bng\bgs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
requirements. The group name specified should not include
a % prefix. This is not set by default.
- group_plugin A string containing a _\bs_\bu_\bd_\bo_\be_\br_\bs group plugin with optional
+ group_plugin A string containing a s\bsu\bud\bdo\boe\ber\brs\bs group plugin with optional
arguments. The string should consist of the plugin path,
either fully-qualified or relative to the
_\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc_\b/_\bs_\bu_\bd_\bo directory, followed by any
a user runs s\bsu\bud\bdo\bo with the -\b-l\bl option. It has the following
possible values:
- all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the current
- host must have the NOPASSWD flag set to avoid
- entering a password.
+ all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs file entries for the
+ current host must have the NOPASSWD flag set to
+ avoid entering a password.
always The user must always enter a password to use the
-\b-l\bl option.
- any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for
- the current host must have the NOPASSWD flag set
- to avoid entering a password.
+ any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs file entries
+ for the current host must have the NOPASSWD flag
+ set to avoid entering a password.
never The user need never enter a password to use the
-\b-l\bl option.
a user runs s\bsu\bud\bdo\bo with the -\b-v\bv option. It has the following
possible values:
- all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the current host
- must have the NOPASSWD flag set to avoid entering a
- password.
+ all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs file entries for the current
+ host must have the NOPASSWD flag set to avoid
+ entering a password.
always The user must always enter a password to use the -\b-v\bv
option.
- any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the
- current host must have the NOPASSWD flag set to
+ any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs file entries for
+ the current host must have the NOPASSWD flag set to
avoid entering a password.
never The user need never enter a password to use the -\b-v\bv
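Review bot: "All the user's sudoers file entries for the current host" in the listpw and verifypw "all" values (and "At least one of the user's sudoers file entries" in the "any" values) ties these options to the file back end, but the -l and -v password check is evaluated over every matching entry whether it came from /etc/sudoers or LDAP, which the introduction lists as an alternative policy source. The original "sudoers entries" was correct as a policy statement; keep it, with sudoers in bold if the intent is to mark the plugin, or say "matching entries".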
unable to open/read /etc/sudoers
The _\bs_\bu_\bd_\bo_\be_\br_\bs file could not be opened for reading. This can happen
when the _\bs_\bu_\bd_\bo_\be_\br_\bs file is located on a remote file system that maps
- user ID 0 to a different value. Normally, s\bsu\bud\bdo\boe\ber\brs\bs tries to open
- _\bs_\bu_\bd_\bo_\be_\br_\bs using group permissions to avoid this problem. Consider
+ user ID 0 to a different value. Normally, s\bsu\bud\bdo\boe\ber\brs\bs tries to open the
+ _\bs_\bu_\bd_\bo_\be_\br_\bs file using group permissions to avoid this problem. Consider
either changing the ownership of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs or adding an argument
like ``sudoers_uid=N'' (where `N' is the user ID that owns the _\bs_\bu_\bd_\bo_\be_\br_\bs
file) to the end of the s\bsu\bud\bdo\boe\ber\brs\bs Plugin line in the sudo.conf(4) file.
line in the sudo.conf(4) file.
unable to open /var/run/sudo/ts/username
- _\bs_\bu_\bd_\bo_\be_\br_\bs was unable to read or create the user's time stamp file. This
+ s\bsu\bud\bdo\boe\ber\brs\bs was unable to read or create the user's time stamp file. This
can happen when _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\bo_\bw_\bn_\be_\br is set to a user other than root and
the mode on _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo is not searchable by group or other. The
default mode for _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo is 0711.
unable to write to /var/run/sudo/ts/username
- _\bs_\bu_\bd_\bo_\be_\br_\bs was unable to write to the user's time stamp file.
+ s\bsu\bud\bdo\boe\ber\brs\bs was unable to write to the user's time stamp file.
/var/run/sudo/ts is owned by uid X, should be Y
The time stamp directory is owned by a user other than _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\bo_\bw_\bn_\be_\br.
This can occur when the value of _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\bo_\bw_\bn_\be_\br has been changed.
- _\bs_\bu_\bd_\bo_\be_\br_\bs will ignore the time stamp directory until the owner is
+ s\bsu\bud\bdo\boe\ber\brs\bs will ignore the time stamp directory until the owner is
corrected.
/var/run/sudo/ts is group writable
The time stamp directory is group-writable; it should be writable only
by _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\bo_\bw_\bn_\be_\br. The default mode for the time stamp directory is
- 0700. _\bs_\bu_\bd_\bo_\be_\br_\bs will ignore the time stamp directory until the mode is
+ 0700. s\bsu\bud\bdo\boe\ber\brs\bs will ignore the time stamp directory until the mode is
corrected.
N\bNo\bot\bte\bes\bs o\bon\bn l\blo\bog\bgg\bgi\bin\bng\bg v\bvi\bia\ba s\bsy\bys\bsl\blo\bog\bg
- By default, _\bs_\bu_\bd_\bo_\be_\br_\bs logs messages via syslog(3). The _\bd_\ba_\bt_\be, _\bh_\bo_\bs_\bt_\bn_\ba_\bm_\be, and
- _\bp_\br_\bo_\bg_\bn_\ba_\bm_\be fields are added by the syslog daemon, not _\bs_\bu_\bd_\bo_\be_\br_\bs itself. As
+ By default, s\bsu\bud\bdo\boe\ber\brs\bs logs messages via syslog(3). The _\bd_\ba_\bt_\be, _\bh_\bo_\bs_\bt_\bn_\ba_\bm_\be, and
+ _\bp_\br_\bo_\bg_\bn_\ba_\bm_\be fields are added by the syslog daemon, not s\bsu\bud\bdo\boe\ber\brs\bs itself. As
such, they may vary in format on different systems.
On most systems, syslog(3) has a relatively small log buffer. To prevent
and before the continued command line arguments.
N\bNo\bot\bte\bes\bs o\bon\bn l\blo\bog\bgg\bgi\bin\bng\bg t\bto\bo a\ba f\bfi\bil\ble\be
- If the _\bl_\bo_\bg_\bf_\bi_\bl_\be option is set, _\bs_\bu_\bd_\bo_\be_\br_\bs will log to a local file, such as
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo. When logging to a file, _\bs_\bu_\bd_\bo_\be_\br_\bs uses a format similar to
+ If the _\bl_\bo_\bg_\bf_\bi_\bl_\be option is set, s\bsu\bud\bdo\boe\ber\brs\bs will log to a local file, such as
+ _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo. When logging to a file, s\bsu\bud\bdo\boe\ber\brs\bs uses a format similar to
syslog(3), with a few important differences:
1. The _\bp_\br_\bo_\bg_\bn_\ba_\bm_\be and _\bh_\bo_\bs_\bt_\bn_\ba_\bm_\be fields are not present.
_\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo I/O log files
_\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo_\b/_\bt_\bs Directory containing time stamps for the
- _\bs_\bu_\bd_\bo_\be_\br_\bs security policy
+ s\bsu\bud\bdo\boe\ber\brs\bs security policy
_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo_\b/_\bl_\be_\bc_\bt_\bu_\br_\be_\bd Directory containing lecture status files for
- the _\bs_\bu_\bd_\bo_\be_\br_\bs security policy
+ the s\bsu\bud\bdo\boe\ber\brs\bs security policy
_\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt Initial environment for -\b-i\bi mode on AIX and
Linux systems
E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
- Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of these are a bit
- contrived. First, we allow a few environment variables to pass and then
- define our _\ba_\bl_\bi_\ba_\bs_\be_\bs:
+ Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs file entries. Admittedly, some of these are a
+ bit contrived. First, we allow a few environment variables to pass and
+ then define our _\ba_\bl_\bi_\ba_\bs_\be_\bs:
# Run X applications through sudo; HOME is used to find the
# .Xauthority file. Note that other programs use HOME to find
that grant privileges, it can result in a security issue for rules that
subtract or revoke privileges.
- For example, given the following _\bs_\bu_\bd_\bo_\be_\br_\bs entry:
+ For example, given the following _\bs_\bu_\bd_\bo_\be_\br_\bs file entry:
john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\
/usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
give the user permission to run s\bsu\bud\bdo\boe\bed\bdi\bit\bt (see below).
S\bSe\bec\bcu\bur\bre\be e\bed\bdi\bit\bti\bin\bng\bg
- The _\bs_\bu_\bd_\bo_\be_\br_\bs plugin includes s\bsu\bud\bdo\boe\bed\bdi\bit\bt support which allows users to
+ The s\bsu\bud\bdo\boe\ber\brs\bs plugin includes s\bsu\bud\bdo\boe\bed\bdi\bit\bt support which allows users to
securely edit files with the editor of their choice. As s\bsu\bud\bdo\boe\bed\bdi\bit\bt is a
- built-in command, it must be specified in _\bs_\bu_\bd_\bo_\be_\br_\bs without a leading path.
- However, it may take command line arguments just as a normal command
- does. Wildcards used in _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt command line arguments are expected to
- be path names, so a forward slash (`/') will not be matched by a
- wildcard.
+ built-in command, it must be specified in the _\bs_\bu_\bd_\bo_\be_\br_\bs file without a
+ leading path. However, it may take command line arguments just as a
+ normal command does. Wildcards used in _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt command line arguments
+ are expected to be path names, so a forward slash (`/') will not be
+ matched by a wildcard.
Unlike other s\bsu\bud\bdo\bo commands, the editor is run with the permissions of the
invoking user and with the environment unmodified. More information may
same file system.
T\bTi\bim\bme\be s\bst\bta\bam\bmp\bp f\bfi\bil\ble\be c\bch\bhe\bec\bck\bks\bs
- _\bs_\bu_\bd_\bo_\be_\br_\bs will check the ownership of its time stamp directory
+ s\bsu\bud\bdo\boe\ber\brs\bs will check the ownership of its time stamp directory
(_\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo_\b/_\bt_\bs by default) and ignore the directory's contents if it
is not owned by root or if it is writable by a user other than root.
Older versions of s\bsu\bud\bdo\bo stored time stamp files in _\b/_\bt_\bm_\bp; this is no longer
While the time stamp directory _\bs_\bh_\bo_\bu_\bl_\bd be cleared at reboot time, not all
systems contain a _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn directory. To avoid potential problems,
- _\bs_\bu_\bd_\bo_\be_\br_\bs will ignore time stamp files that date from before the machine
+ s\bsu\bud\bdo\boe\ber\brs\bs will ignore time stamp files that date from before the machine
booted on systems where the boot time is available.
Some systems with graphical desktop environments allow unprivileged users
- to change the system clock. Since _\bs_\bu_\bd_\bo_\be_\br_\bs relies on the system clock for
+ to change the system clock. Since s\bsu\bud\bdo\boe\ber\brs\bs relies on the system clock for
time stamp validation, it may be possible on such systems for a user to
run s\bsu\bud\bdo\bo for longer than _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\b__\bt_\bi_\bm_\be_\bo_\bu_\bt by setting the clock back. To
- combat this, _\bs_\bu_\bd_\bo_\be_\br_\bs uses a monotonic clock (which never moves backwards)
+ combat this, s\bsu\bud\bdo\boe\ber\brs\bs uses a monotonic clock (which never moves backwards)
for its time stamps if the system supports it.
- _\bs_\bu_\bd_\bo_\be_\br_\bs will not honor time stamps set far in the future. Time stamps
+ s\bsu\bud\bdo\boe\ber\brs\bs will not honor time stamps set far in the future. Time stamps
with a date greater than current_time + 2 * TIMEOUT will be ignored and
- _\bs_\bu_\bd_\bo_\be_\br_\bs will log and complain.
+ s\bsu\bud\bdo\boe\ber\brs\bs will log and complain.
Since time stamp files live in the file system, they can outlive a user's
login session. As a result, a user may be able to login, run a command
with s\bsu\bud\bdo\bo after authenticating, logout, login again, and run s\bsu\bud\bdo\bo without
authenticating so long as the record's time stamp is within 5 minutes (or
- whatever value the timeout is set to in _\bs_\bu_\bd_\bo_\be_\br_\bs). When the _\bt_\bt_\by_\b__\bt_\bi_\bc_\bk_\be_\bt_\bs
- option is enabled, the time stamp record includes the device number of
- the terminal the user authenticated with. This provides per-tty
- granularity but time stamp records still may outlive the user's session.
- The time stamp record also includes the session ID of the process that
- last authenticated. This prevents processes in different terminal
- sessions from using the same time stamp record. It also helps reduce the
- chance that a user will be able to run s\bsu\bud\bdo\bo without entering a password
- when logging out and back in again on the same terminal.
+ whatever value the timeout is set to in the _\bs_\bu_\bd_\bo_\be_\br_\bs file). When the
+ _\bt_\bt_\by_\b__\bt_\bi_\bc_\bk_\be_\bt_\bs option is enabled, the time stamp record includes the device
+ number of the terminal the user authenticated with. This provides per-
+ tty granularity but time stamp records still may outlive the user's
+ session. The time stamp record also includes the session ID of the
+ process that last authenticated. This prevents processes in different
+ terminal sessions from using the same time stamp record. It also helps
+ reduce the chance that a user will be able to run s\bsu\bud\bdo\bo without entering a
+ password when logging out and back in again on the same terminal.
D\bDE\bEB\bBU\bUG\bGG\bGI\bIN\bNG\bG
Versions 1.8.4 and higher of the s\bsu\bud\bdo\boe\ber\brs\bs plugin support a flexible
_\ba_\bu_\bt_\bh user authentication
- _\bd_\be_\bf_\ba_\bu_\bl_\bt_\bs _\bs_\bu_\bd_\bo_\be_\br_\bs _\bD_\be_\bf_\ba_\bu_\bl_\bt_\bs settings
+ _\bd_\be_\bf_\ba_\bu_\bl_\bt_\bs _\bs_\bu_\bd_\bo_\be_\br_\bs file _\bD_\be_\bf_\ba_\bu_\bl_\bt_\bs settings
_\be_\bn_\bv environment handling
_\bl_\bo_\bg_\bg_\bi_\bn_\bg logging support
- _\bm_\ba_\bt_\bc_\bh matching of users, groups, hosts and netgroups in _\bs_\bu_\bd_\bo_\be_\br_\bs
+ _\bm_\ba_\bt_\bc_\bh matching of users, groups, hosts and netgroups in the _\bs_\bu_\bd_\bo_\be_\br_\bs
+ file
_\bn_\be_\bt_\bi_\bf network interface handling
- _\bn_\bs_\bs network service switch handling in _\bs_\bu_\bd_\bo_\be_\br_\bs
+ _\bn_\bs_\bs network service switch handling in s\bsu\bud\bdo\boe\ber\brs\bs
_\bp_\ba_\br_\bs_\be_\br _\bs_\bu_\bd_\bo_\be_\br_\bs file parsing
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
The _\bs_\bu_\bd_\bo_\be_\br_\bs file should a\bal\blw\bwa\bay\bys\bs be edited by the v\bvi\bis\bsu\bud\bdo\bo command which
- locks the file and does grammatical checking. It is imperative that
- _\bs_\bu_\bd_\bo_\be_\br_\bs be free of syntax errors since s\bsu\bud\bdo\bo will not run with a
+ locks the file and does grammatical checking. It is imperative that the
+ _\bs_\bu_\bd_\bo_\be_\br_\bs file be free of syntax errors since s\bsu\bud\bdo\bo will not run with a
syntactically incorrect _\bs_\bu_\bd_\bo_\be_\br_\bs file.
When using netgroups of machines (as opposed to users), if you store
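Review bot: the rewritten CAVEATS sentence repeats itself: "It is imperative that the sudoers file be free of syntax errors since sudo will not run with a syntactically incorrect sudoers file." Suggest "since sudo will not run if it contains a syntax error", or leave the first clause as it was with sudoers in bold. In the debug subsystem list just above, "match" now reads "in the sudoers file" (italic, wrapped onto a second line) while "nss" reads "in sudoers" in bold; both are plugin subsystems and the matching code is also used for LDAP entries, so "match" should take the bold plugin form too, which keeps the entry on one line like its neighbours. Since the .cat is rendered from the roff source, both fixes belong in the source; the corresponding roff hunks are not in the portion of the patch shown here.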
\fISUDOERS FILE FORMAT\fR
section.
For information on storing
-\fIsudoers\fR
+\fBsudoers\fR
policy information
in LDAP, please see
sudoers.ldap(@mansectform@).
please refer to its manual.
.SS "Authentication and logging"
The
-\fIsudoers\fR
+\fBsudoers\fR
security policy requires that most users authenticate
themselves before they can use
\fBsudo\fR.
Unlike
su(1),
when
-\fIsudoers\fR
+\fBsudoers\fR
requires
authentication, it validates the invoking user's credentials, not
the target user's (or root's) credentials.
\fRSUDO_USER\fR
environment variable
is set, the
-\fIsudoers\fR
+\fBsudoers\fR
policy will use this value to determine who
the actual user is.
This can be used by a user to log commands
sudo-run script or program.
Note, however, that the
\fIsudoers\fR
-lookup is still done for root, not the user specified by
+file lookup is still done for root, not the user specified by
\fRSUDO_USER\fR.
.PP
-\fIsudoers\fR
+\fBsudoers\fR
uses per-user time stamp files for credential caching.
Once a user has been authenticated, a record is written
containing the uid that was used to authenticate, the
option)
\&.
By default,
-\fIsudoers\fR
+\fBsudoers\fR
uses a separate record for each tty, which means that
a user's login sessions are authenticated separately.
The
\fItty_tickets\fR
option can be disabled to force the use of a
single time stamp for all of a user's sessions.
-.PP
-\fIsudoers\fR
+\fBsudoers\fR
can log both successful and unsuccessful attempts (as well
as errors) to
syslog(3),
a log file, or both.
By default,
-\fIsudoers\fR
+\fBsudoers\fR
will log via
syslog(3)
but this is changeable via the
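Review bot: the .PP before "\fBsudoers\fR can log both successful and unsuccessful attempts" is deleted together with the italic line it preceded, which runs the time-stamp paragraph and the logging paragraph together in the rendered page (the .cat hunk above loses the matching blank line). Only the font request should change at that spot; keep the .PP. Earlier in the same hunk, "file lookup is still done for root" after an unchanged \fIsudoers\fR makes the SUDO_USER note file-specific although the root lookup is the same for LDAP-backed policy; change that \fIsudoers\fR to \fBsudoers\fR and leave "lookup" without "file", consistent with the other plugin references this hunk converts.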
command tags.
.SS "Command environment"
Since environment variables can influence program behavior,
-\fIsudoers\fR
+\fBsudoers\fR
provides a means to restrict which variables from the user's
environment are inherited by the command to be run.
There are two
distinct ways
-\fIsudoers\fR
+\fBsudoers\fR
can deal with environment variables.
.PP
By default, the
\fB\-i\fR
option (initial login) is
specified,
-\fIsudoers\fR
+\fBsudoers\fR
will initialize the environment regardless
of the value of
\fIenv_reset\fR.
.PP
The
\fIsudoers\fR
-grammar will be described below in Extended Backus-Naur
+file grammar will be described below in Extended Backus-Naur
Form (EBNF).
Don't despair if you are unfamiliar with EBNF; it is fairly simple,
and the definitions below are annotated.
\(Lq\fRsudoedit\fR\(Rq
is a command built into
\fBsudo\fR
-itself and must be specified in
+itself and must be specified in the
\fIsudoers\fR
-without a leading path.
+file without a leading path.
.PP
If a
\fRcommand name\fR
.SS "SELinux_Spec"
On systems with SELinux support,
\fIsudoers\fR
-entries may optionally have an SELinux role and/or type associated
+file entries may optionally have an SELinux role and/or type associated
with a command.
If a role or
type is specified with the command it will override any default values
.SS "Solaris_Priv_Spec"
On Solaris systems,
\fIsudoers\fR
-entries may optionally specify Solaris privilege set and/or limit
+file entries may optionally specify Solaris privilege set and/or limit
privilege set associated with a command.
If privileges or limit privileges are specified with the command
it will override any default values specified in
.PP
which is probably not what was intended.
In most cases it is better to do command line processing
-outside of
+outside of the
\fIsudoers\fR
-in a scripting language.
+file in a scripting language.
.SS "Exceptions to wildcard rules"
The following exceptions apply to the above rules:
.TP 10n
\fR\&""\fR
is the only command line argument in the
\fIsudoers\fR
-entry it means that command is not allowed to be run with
+file entry it means that command is not allowed to be run with
\fIany\fR
arguments.
.TP 10n
file in addition to a local, per-machine file.
For the sake of this example the site-wide
\fIsudoers\fR
-will be
+file will be
\fI/etc/sudoers\fR
and the per-machine one will be
\fI/etc/sudoers.local\fR.
\fIsudoers.d\fR
directory that the system package manager can drop
\fIsudoers\fR
-rules
-into as part of package installation.
+file rules into as part of package installation.
For example, given:
.nf
.sp
characters are used with the negation operator,
\(oq!\&\(cq,
as such rules can be trivially bypassed.
-As such, this option should not be used when
+As such, this option should not be used when the
\fIsudoers\fR
-contains rules that contain negated path names which include globbing
+file contains rules that contain negated path names which include globbing
characters.
This flag is
\fIoff\fR
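Review bot: since this hunk already rewrites the sentence (`+As such, this option should not be used when the`), drop the repeated connective while you are here: the line just above ends "as such rules can be trivially bypassed.", so two "as such" in a row read badly. Something like "This option should therefore not be used when the sudoers file contains rules ..." says the same thing without the echo.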
log_input
If set,
\fBsudo\fR
-will run the command in a
-\fIpseudo-tty\fR
-and log all user input.
+will run the command in a pseudo-tty and log all user input.
If the standard input is not connected to the user's tty, due to
I/O redirection or because the command is part of a pipeline, that
input is also captured and stored in a separate log file.
log_output
If set,
\fBsudo\fR
-will run the command in a
-\fIpseudo-tty\fR
-and log all output that is sent to the screen, similar to the
+will run the command in a pseudo-tty and log all output that is sent
+to the screen, similar to the
script(1)
command.
If the standard output or standard error is not connected to the
\fBsudo\fR
does not enter the correct password.
If the command the user is attempting to run is not permitted by
-\fIsudoers\fR
+\fBsudoers\fR
and one of the
\fImail_all_cmnds\fR,
\fImail_always\fR,
umask_override
If set,
\fBsudo\fR
-will set the umask as specified by
+will set the umask as specified in the
\fIsudoers\fR
-without modification.
-This makes it possible to specify a more permissive umask in
+file without modification.
+This makes it possible to specify a umask in the
\fIsudoers\fR
-than the user's own umask and matches historical behavior.
+file that is more permissive than the user's own umask and matches
+historical behavior.
If
\fIumask_override\fR
is not set,
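Review bot: the reworded umask_override text changes what "matches historical behavior" attaches to. In `+file that is more permissive than the user's own umask and matches` / `+historical behavior.` the clause now sits inside the relative clause and reads as a property of the umask itself, whereas the old wording ("... than the user's own umask and matches historical behavior") described the option's behaviour. Suggest splitting it: "This makes it possible to specify a umask in the sudoers file that is more permissive than the user's own umask; this matches historical behavior."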
role
The default SELinux role to use when constructing a new security
context to run the command.
-The default role may be overridden on a per-command basis in
+The default role may be overridden on a per-command basis in the
\fIsudoers\fR
-or via command line options.
+file or via command line options.
This option is only available when
\fBsudo\fR
is built with SELinux support.
type
The default SELinux type to use when constructing a new security
context to run the command.
-The default type may be overridden on a per-command basis in
+The default type may be overridden on a per-command basis in the
\fIsudoers\fR
-or via command line options.
+file or via command line options.
This option is only available when
\fBsudo\fR
is built with SELinux support.
.TP 14n
group_plugin
A string containing a
-\fIsudoers\fR
+\fBsudoers\fR
group plugin with optional arguments.
The string should consist of the plugin
path, either fully-qualified or relative to the
all
All the user's
\fIsudoers\fR
-entries for the current host must have
+file entries for the current host must have
the
\fRNOPASSWD\fR
flag set to avoid entering a password.
any
At least one of the user's
\fIsudoers\fR
-entries for the current host
+file entries for the current host
must have the
\fRNOPASSWD\fR
flag set to avoid entering a password.
all
All the user's
\fIsudoers\fR
-entries for the current host must have the
+file entries for the current host must have the
\fRNOPASSWD\fR
flag set to avoid entering a password.
.PD
any
At least one of the user's
\fIsudoers\fR
-entries for the current host must have the
+file entries for the current host must have the
\fRNOPASSWD\fR
flag set to avoid entering a password.
.TP 8n
a different value.
Normally,
\fBsudoers\fR
-tries to open
+tries to open the
\fIsudoers\fR
-using group permissions to avoid this problem.
+file using group permissions to avoid this problem.
Consider either changing the ownership of
\fI@sysconfdir@/sudoers\fR
or adding an argument like
file.
.TP 3n
unable to open @rundir@/ts/username
-\fIsudoers\fR
+\fBsudoers\fR
was unable to read or create the user's time stamp file.
This can happen when
\fItimestampowner\fR
is 0711.
.TP 3n
unable to write to @rundir@/ts/username
-\fIsudoers\fR
+\fBsudoers\fR
was unable to write to the user's time stamp file.
.TP 3n
@rundir@/ts is owned by uid X, should be Y
This can occur when the value of
\fItimestampowner\fR
has been changed.
-\fIsudoers\fR
+\fBsudoers\fR
will ignore the time stamp directory until the owner is corrected.
.TP 3n
@rundir@/ts is group writable
The time stamp directory is group-writable; it should be writable only by
\fItimestampowner\fR.
The default mode for the time stamp directory is 0700.
-\fIsudoers\fR
+\fBsudoers\fR
will ignore the time stamp directory until the mode is corrected.
.SS "Notes on logging via syslog"
By default,
-\fIsudoers\fR
+\fBsudoers\fR
logs messages via
syslog(3).
The
and
\fIprogname\fR
fields are added by the syslog daemon, not
-\fIsudoers\fR
+\fBsudoers\fR
itself.
As such, they may vary in format on different systems.
.PP
If the
\fIlogfile\fR
option is set,
-\fIsudoers\fR
+\fBsudoers\fR
will log to a local file, such as
\fI/var/log/sudo\fR.
When logging to a file,
-\fIsudoers\fR
+\fBsudoers\fR
uses a format similar to
syslog(3),
with a few important differences:
.TP 26n
\fI@rundir@/ts\fR
Directory containing time stamps for the
-\fIsudoers\fR
+\fBsudoers\fR
security policy
.TP 26n
\fI@vardir@/lectured\fR
Directory containing lecture status files for the
-\fIsudoers\fR
+\fBsudoers\fR
security policy
.TP 26n
\fI/etc/environment\fR
.SH "EXAMPLES"
Below are example
\fIsudoers\fR
-entries.
+file entries.
Admittedly, some of these are a bit contrived.
First, we allow a few environment variables to pass and then define our
\fIaliases\fR:
.PP
For example, given the following
\fIsudoers\fR
-entry:
+file entry:
.nf
.sp
.RS 0n
(see below).
.SS "Secure editing"
The
-\fIsudoers\fR
+\fBsudoers\fR
plugin includes
\fBsudoedit\fR
support which allows users to securely edit files with the editor
of their choice.
As
\fBsudoedit\fR
-is a built-in command, it must be specified in
+is a built-in command, it must be specified in the
\fIsudoers\fR
-without a leading path.
+file without a leading path.
However, it may take command line arguments just as a normal command does.
Wildcards used in
\fIsudoedit\fR
However, it is still possible to create a hard link if the directory
is writable and the link target resides on the same file system.
.SS "Time stamp file checks"
-\fIsudoers\fR
+\fBsudoers\fR
will check the ownership of its time stamp directory
(\fI@rundir@/ts\fR
by default)
\fI/var/run\fR
directory.
To avoid potential problems,
-\fIsudoers\fR
+\fBsudoers\fR
will ignore time stamp files that date from before the machine booted
on systems where the boot time is available.
.PP
Some systems with graphical desktop environments allow unprivileged
users to change the system clock.
Since
-\fIsudoers\fR
+\fBsudoers\fR
relies on the system clock for time stamp validation, it may be
possible on such systems for a user to run
\fBsudo\fR
\fItimestamp_timeout\fR
by setting the clock back.
To combat this,
-\fIsudoers\fR
+\fBsudoers\fR
uses a monotonic clock (which never moves backwards) for its time stamps
if the system supports it.
.PP
-\fIsudoers\fR
+\fBsudoers\fR
will not honor time stamps set far in the future.
Time stamps with a date greater than current_time + 2 *
\fRTIMEOUT\fR
will be ignored and
-\fIsudoers\fR
+\fBsudoers\fR
will log and complain.
.PP
Since time stamp files live in the file system, they can outlive a
\fBsudo\fR
without authenticating so long as the record's time stamp is within
\fR@timeout@\fR
-minutes (or whatever value the timeout is set to in
-\fIsudoers\fR).
+minutes (or whatever value the timeout is set to in the
+\fIsudoers\fR
+file).
When the
\fItty_tickets\fR
option is enabled, the time stamp record includes the device
.TP 10n
\fIdefaults\fR
\fIsudoers\fR
+file
\fIDefaults\fR
settings
.TP 10n
logging support
.TP 10n
\fImatch\fR
-matching of users, groups, hosts and netgroups in
+matching of users, groups, hosts and netgroups in the
\fIsudoers\fR
+file
.TP 10n
\fInetif\fR
network interface handling
.TP 10n
\fInss\fR
network service switch handling in
-\fIsudoers\fR
+\fBsudoers\fR
.TP 10n
\fIparser\fR
\fIsudoers\fR
\fBvisudo\fR
command which locks the file and does grammatical checking.
It is
-imperative that
+imperative that the
\fIsudoers\fR
-be free of syntax errors since
+file be free of syntax errors since
\fBsudo\fR
will not run with a syntactically incorrect
\fIsudoers\fR
.Sx SUDOERS FILE FORMAT
section.
For information on storing
-.Em sudoers
+.Nm sudoers
policy information
in LDAP, please see
.Xr sudoers.ldap @mansectform@ .
please refer to its manual.
.Ss Authentication and logging
The
-.Em sudoers
+.Nm sudoers
security policy requires that most users authenticate
themselves before they can use
.Nm sudo .
Unlike
.Xr su 1 ,
when
-.Em sudoers
+.Nm sudoers
requires
authentication, it validates the invoking user's credentials, not
the target user's (or root's) credentials.
.Ev SUDO_USER
environment variable
is set, the
-.Em sudoers
+.Nm sudoers
policy will use this value to determine who
the actual user is.
This can be used by a user to log commands
sudo-run script or program.
Note, however, that the
.Em sudoers
-lookup is still done for root, not the user specified by
+file lookup is still done for root, not the user specified by
.Ev SUDO_USER .
.Pp
-.Em sudoers
+.Nm sudoers
uses per-user time stamp files for credential caching.
Once a user has been authenticated, a record is written
containing the uid that was used to authenticate, the
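Review bot: `+file lookup is still done for root, not the user specified by` keeps `.Em sudoers` and adds "file", but what is looked up here is the policy for the user, not specifically a file; this same page says the policy may instead be stored in LDAP (`.Xr sudoers.ldap`). The next change in this hunk rewrites the same noun as `.Nm sudoers`, so for consistency and accuracy prefer `.Nm sudoers` followed by "policy lookup is still done for root, not the user specified by" over "file lookup".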
option
.Pc .
By default,
-.Em sudoers
+.Nm sudoers
uses a separate record for each tty, which means that
a user's login sessions are authenticated separately.
The
.Em tty_tickets
option can be disabled to force the use of a
single time stamp for all of a user's sessions.
-.Pp
-.Em sudoers
+.Nm sudoers
can log both successful and unsuccessful attempts (as well
as errors) to
.Xr syslog 3 ,
a log file, or both.
By default,
-.Em sudoers
+.Nm sudoers
will log via
.Xr syslog 3
but this is changeable via the
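Review bot: the `-.Pp` removed just ahead of `+.Nm sudoers` / `can log both successful and unsuccessful attempts` joins the paragraph on per-user time stamp files to the paragraph on logging; the remaining lines of this hunk only replace `.Em` with `.Nm`, so this looks unintended. Keep the `.Pp` so the two topics stay separate paragraphs.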
command tags.
.Ss Command environment
Since environment variables can influence program behavior,
-.Em sudoers
+.Nm sudoers
provides a means to restrict which variables from the user's
environment are inherited by the command to be run.
There are two
distinct ways
-.Em sudoers
+.Nm sudoers
can deal with environment variables.
.Pp
By default, the
.Fl i
option (initial login) is
specified,
-.Em sudoers
+.Nm sudoers
will initialize the environment regardless
of the value of
.Em env_reset .
.Pp
The
.Em sudoers
-grammar will be described below in Extended Backus-Naur
+file grammar will be described below in Extended Backus-Naur
Form (EBNF).
Don't despair if you are unfamiliar with EBNF; it is fairly simple,
and the definitions below are annotated.
.Dq Li sudoedit
is a command built into
.Nm sudo
-itself and must be specified in
+itself and must be specified in the
.Em sudoers
-without a leading path.
+file without a leading path.
.Pp
If a
.Li command name
.Ss SELinux_Spec
On systems with SELinux support,
.Em sudoers
-entries may optionally have an SELinux role and/or type associated
+file entries may optionally have an SELinux role and/or type associated
with a command.
If a role or
type is specified with the command it will override any default values
.Ss Solaris_Priv_Spec
On Solaris systems,
.Em sudoers
-entries may optionally specify Solaris privilege set and/or limit
+file entries may optionally specify Solaris privilege set and/or limit
privilege set associated with a command.
If privileges or limit privileges are specified with the command
it will override any default values specified in
.Pp
which is probably not what was intended.
In most cases it is better to do command line processing
-outside of
+outside of the
.Em sudoers
-in a scripting language.
+file in a scripting language.
.Ss Exceptions to wildcard rules
The following exceptions apply to the above rules:
.Bl -tag -width 8n
.Li \&""
is the only command line argument in the
.Em sudoers
-entry it means that command is not allowed to be run with
+file entry it means that command is not allowed to be run with
.Em any
arguments.
.It sudoedit
file in addition to a local, per-machine file.
For the sake of this example the site-wide
.Em sudoers
-will be
+file will be
.Pa /etc/sudoers
and the per-machine one will be
.Pa /etc/sudoers.local .
.Pa sudoers.d
directory that the system package manager can drop
.Em sudoers
-rules
-into as part of package installation.
+file rules into as part of package installation.
For example, given:
.Bd -literal -offset 4n
#includedir /etc/sudoers.d
characters are used with the negation operator,
.Ql !\& ,
as such rules can be trivially bypassed.
-As such, this option should not be used when
+As such, this option should not be used when the
.Em sudoers
-contains rules that contain negated path names which include globbing
+file contains rules that contain negated path names which include globbing
characters.
This flag is
.Em off
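Review bot: with the sentence already being touched in `+As such, this option should not be used when the`, the doubled "as such" (the preceding line ends "as such rules can be trivially bypassed.") is worth fixing in the same pass, e.g. "This option should therefore not be used when the sudoers file contains rules that contain negated path names ...".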
.It log_input
If set,
.Nm sudo
-will run the command in a
-.Em pseudo-tty
-and log all user input.
+will run the command in a pseudo-tty and log all user input.
If the standard input is not connected to the user's tty, due to
I/O redirection or because the command is part of a pipeline, that
input is also captured and stored in a separate log file.
.It log_output
If set,
.Nm sudo
-will run the command in a
-.Em pseudo-tty
-and log all output that is sent to the screen, similar to the
+will run the command in a pseudo-tty and log all output that is sent
+to the screen, similar to the
.Xr script 1
command.
If the standard output or standard error is not connected to the
.Nm sudo
does not enter the correct password.
If the command the user is attempting to run is not permitted by
-.Em sudoers
+.Nm sudoers
and one of the
.Em mail_all_cmnds ,
.Em mail_always ,
.It umask_override
If set,
.Nm sudo
-will set the umask as specified by
+will set the umask as specified in the
.Em sudoers
-without modification.
-This makes it possible to specify a more permissive umask in
+file without modification.
+This makes it possible to specify a umask in the
.Em sudoers
-than the user's own umask and matches historical behavior.
+file that is more permissive than the user's own umask and matches
+historical behavior.
If
.Em umask_override
is not set,
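Review bot: same attachment problem as the reworded umask_override text: `+file that is more permissive than the user's own umask and matches` / `+historical behavior.` now makes "matches historical behavior" read as a property of the umask rather than of the option. Splitting the sentence keeps the original meaning: "This makes it possible to specify a umask in the sudoers file that is more permissive than the user's own umask; this matches historical behavior."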
.It role
The default SELinux role to use when constructing a new security
context to run the command.
-The default role may be overridden on a per-command basis in
+The default role may be overridden on a per-command basis in the
.Em sudoers
-or via command line options.
+file or via command line options.
This option is only available when
.Nm sudo
is built with SELinux support.
.It type
The default SELinux type to use when constructing a new security
context to run the command.
-The default type may be overridden on a per-command basis in
+The default type may be overridden on a per-command basis in the
.Em sudoers
-or via command line options.
+file or via command line options.
This option is only available when
.Nm sudo
is built with SELinux support.
This is not set by default.
.It group_plugin
A string containing a
-.Em sudoers
+.Nm sudoers
group plugin with optional arguments.
The string should consist of the plugin
path, either fully-qualified or relative to the
.It all
All the user's
.Em sudoers
-entries for the current host must have
+file entries for the current host must have
the
.Li NOPASSWD
flag set to avoid entering a password.
.It any
At least one of the user's
.Em sudoers
-entries for the current host
+file entries for the current host
must have the
.Li NOPASSWD
flag set to avoid entering a password.
.It all
All the user's
.Em sudoers
-entries for the current host must have the
+file entries for the current host must have the
.Li NOPASSWD
flag set to avoid entering a password.
.It always
.It any
At least one of the user's
.Em sudoers
-entries for the current host must have the
+file entries for the current host must have the
.Li NOPASSWD
flag set to avoid entering a password.
.It never
a different value.
Normally,
.Nm
-tries to open
+tries to open the
.Em sudoers
-using group permissions to avoid this problem.
+file using group permissions to avoid this problem.
Consider either changing the ownership of
.Pa @sysconfdir@/sudoers
or adding an argument like
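Review bot: the bare `.Nm` at the top of this hunk (`Normally,` / `.Nm` / `+tries to open the`) renders the same as the explicit `.Nm sudoers` this patch introduces everywhere else, but it leaves the page with two spellings of the plugin name. Either change this one to `.Nm sudoers` as well, or use bare `.Nm` throughout; mixing the two forms makes a later search-and-replace pass like this one easy to get wrong.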
.Xr sudo.conf @mansectform@
file.
.It unable to open @rundir@/ts/username
-.Em sudoers
+.Nm sudoers
was unable to read or create the user's time stamp file.
This can happen when
.Em timestampowner
.Pa @rundir@
is 0711.
.It unable to write to @rundir@/ts/username
-.Em sudoers
+.Nm sudoers
was unable to write to the user's time stamp file.
.It @rundir@/ts is owned by uid X, should be Y
The time stamp directory is owned by a user other than
This can occur when the value of
.Em timestampowner
has been changed.
-.Em sudoers
+.Nm sudoers
will ignore the time stamp directory until the owner is corrected.
.It @rundir@/ts is group writable
The time stamp directory is group-writable; it should be writable only by
.Em timestampowner .
The default mode for the time stamp directory is 0700.
-.Em sudoers
+.Nm sudoers
will ignore the time stamp directory until the mode is corrected.
.El
.Ss Notes on logging via syslog
By default,
-.Em sudoers
+.Nm sudoers
logs messages via
.Xr syslog 3 .
The
and
.Em progname
fields are added by the syslog daemon, not
-.Em sudoers
+.Nm sudoers
itself.
As such, they may vary in format on different systems.
.Pp
If the
.Em logfile
option is set,
-.Em sudoers
+.Nm sudoers
will log to a local file, such as
.Pa /var/log/sudo .
When logging to a file,
-.Em sudoers
+.Nm sudoers
uses a format similar to
.Xr syslog 3 ,
with a few important differences:
I/O log files
.It Pa @rundir@/ts
Directory containing time stamps for the
-.Em sudoers
+.Nm sudoers
security policy
.It Pa @vardir@/lectured
Directory containing lecture status files for the
-.Em sudoers
+.Nm sudoers
security policy
.It Pa /etc/environment
Initial environment for
.Sh EXAMPLES
Below are example
.Em sudoers
-entries.
+file entries.
Admittedly, some of these are a bit contrived.
First, we allow a few environment variables to pass and then define our
.Em aliases :
.Pp
For example, given the following
.Em sudoers
-entry:
+file entry:
.Bd -literal
john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\e
/usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
(see below).
.Ss Secure editing
The
-.Em sudoers
+.Nm sudoers
plugin includes
.Nm sudoedit
support which allows users to securely edit files with the editor
of their choice.
As
.Nm sudoedit
-is a built-in command, it must be specified in
+is a built-in command, it must be specified in the
.Em sudoers
-without a leading path.
+file without a leading path.
However, it may take command line arguments just as a normal command does.
Wildcards used in
.Em sudoedit
However, it is still possible to create a hard link if the directory
is writable and the link target resides on the same file system.
.Ss Time stamp file checks
-.Em sudoers
+.Nm sudoers
will check the ownership of its time stamp directory
.Po
.Pa @rundir@/ts
.Pa /var/run
directory.
To avoid potential problems,
-.Em sudoers
+.Nm sudoers
will ignore time stamp files that date from before the machine booted
on systems where the boot time is available.
.Pp
Some systems with graphical desktop environments allow unprivileged
users to change the system clock.
Since
-.Em sudoers
+.Nm sudoers
relies on the system clock for time stamp validation, it may be
possible on such systems for a user to run
.Nm sudo
.Em timestamp_timeout
by setting the clock back.
To combat this,
-.Em sudoers
+.Nm sudoers
uses a monotonic clock (which never moves backwards) for its time stamps
if the system supports it.
.Pp
-.Em sudoers
+.Nm sudoers
will not honor time stamps set far in the future.
Time stamps with a date greater than current_time + 2 *
.Li TIMEOUT
will be ignored and
-.Em sudoers
+.Nm sudoers
will log and complain.
.Pp
Since time stamp files live in the file system, they can outlive a
.Nm sudo
without authenticating so long as the record's time stamp is within
.Li @timeout@
-minutes (or whatever value the timeout is set to in
-.Em sudoers ) .
+minutes (or whatever value the timeout is set to in the
+.Em sudoers
+file).
When the
.Em tty_tickets
option is enabled, the time stamp record includes the device
user authentication
.It Em defaults
.Em sudoers
+file
.Em Defaults
settings
.It Em env
.It Em logging
logging support
.It Em match
-matching of users, groups, hosts and netgroups in
+matching of users, groups, hosts and netgroups in the
.Em sudoers
+file
.It Em netif
network interface handling
.It Em nss
network service switch handling in
-.Em sudoers
+.Nm sudoers
.It Em parser
.Em sudoers
file parsing
.Nm visudo
command which locks the file and does grammatical checking.
It is
-imperative that
+imperative that the
.Em sudoers
-be free of syntax errors since
+file be free of syntax errors since
.Nm sudo
will not run with a syntactically incorrect
.Em sudoers