[-\b-U\bU _\bu_\bs_\be_\br _\bn_\ba_\bm_\be] [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
s\bsu\bud\bdo\bo [-\b-A\bAb\bbE\bEH\bHn\bnP\bPS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-]
- [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be]
- [-\b-i\bi | -\b-s\bs] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
+ [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-r\br _\br_\bo_\bl_\be] [-\b-t\bt _\bt_\by_\bp_\be]
+ [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be] [-\b-i\bi | -\b-s\bs] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
s\bsu\bud\bdo\boe\bed\bdi\bit\bt [-\b-A\bAn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-]
[-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] file ...
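Review bot: the sudoedit synopsis in the last two lines of this hunk still lacks the `[-r role]` and `[-t type]` options that the second sudo form now lists. If sudoedit accepts an SELinux role and type, add them there as well; if it does not, the -r and -t descriptions should say the options apply only to command execution, otherwise readers will take the omission for an oversight.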
system password prompt on systems that support PAM unless
the _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be flag is disabled in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+ -r _\br_\bo_\bl_\be The -\b-r\br (_\br_\bo_\bl_\be) option causes the new (SELinux) security
+ context to have the role specified by _\br_\bo_\bl_\be.
+
-S The -\b-S\bS (_\bs_\bt_\bd_\bi_\bn) option causes s\bsu\bud\bdo\bo to read the password from
the standard input instead of the terminal device. The
password must be followed by a newline character.
the shell for execution. Otherwise, an interactive shell
is executed.
+ -t _\bt_\by_\bp_\be The -\b-t\bt (_\bt_\by_\bp_\be) option causes the new (SELinux) security
+ context to have the type specified by _\bt_\by_\bp_\be. If no type is
+ specified, the default type is derived from the specified
+ role.
+
-U _\bu_\bs_\be_\br The -\b-U\bU (_\bo_\bt_\bh_\be_\br _\bu_\bs_\be_\br) option is used in conjunction with the
-\b-l\bl option to specify the user whose privileges should be
listed. Only root or a user with s\bsu\bud\bdo\bo ALL on the current
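Review bot: the new -r and -t descriptions in this hunk never say that the options exist only when sudo is built with SELinux support, nor what happens when they are given on a build without it, while the role and type Defaults added later in this patch do carry that qualifier. Suggest adding the same sentence here and, for -r, stating whether a role given on the command line is checked against the SELinux policy before the command runs, since the SELinux_Spec text elsewhere in the patch makes the command-line value take precedence over sudoers.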
command as a user other than _\br_\bo_\bo_\bt. To specify a _\bu_\bi_\bd
instead of a _\bu_\bs_\be_\br _\bn_\ba_\bm_\be, use _\b#_\bu_\bi_\bd. When running commands as
a _\bu_\bi_\bd, many shells require that the '#' be escaped with a
- backslash ('\'). Note that if the _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw Defaults option
- is set (see _\bs_\bu_\bd_\bo_\be_\br_\bs(4)) it is not possible to run commands
- with a uid not listed in the password database.
-
- -V The -\b-V\bV (_\bv_\be_\br_\bs_\bi_\bo_\bn) option causes s\bsu\bud\bdo\bo to print the version
- number and exit. If the invoking user is already root the
- -\b-V\bV option will print out a list of the defaults s\bsu\bud\bdo\bo was
- compiled with as well as the machine's local network
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ backslash ('\'). Note that if the _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw Defaults option
+ is set (see _\bs_\bu_\bd_\bo_\be_\br_\bs(4)) it is not possible to run commands
+ with a uid not listed in the password database.
+
+ -V The -\b-V\bV (_\bv_\be_\br_\bs_\bi_\bo_\bn) option causes s\bsu\bud\bdo\bo to print the version
+ number and exit. If the invoking user is already root the
+ -\b-V\bV option will print out a list of the defaults s\bsu\bud\bdo\bo was
+ compiled with as well as the machine's local network
addresses.
-v If given the -\b-v\bv (_\bv_\ba_\bl_\bi_\bd_\ba_\bt_\be) option, s\bsu\bud\bdo\bo will update the
invoking process permitted by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bk_\be_\be_\bp _\bs_\bu_\bd_\bo_\be_\br_\bs
options. There is effectively a whitelist for environment variables.
- If, however, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is disabled in _\bs_\bu_\bd_\bo_\be_\br_\bs, any variables
- not explicitly denied by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be options are
- inherited from the invoking process. In this case, _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and
- _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be behave like a blacklist. Since it is not possible to
- blacklist all potentially dangerous environment variables, use of the
- default _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt behavior is encouraged.
-
- In all cases, environment variables with a value beginning with () are
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ If, however, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is disabled in _\bs_\bu_\bd_\bo_\be_\br_\bs, any variables
+ not explicitly denied by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be options are
+ inherited from the invoking process. In this case, _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and
+ _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be behave like a blacklist. Since it is not possible to
+ blacklist all potentially dangerous environment variables, use of the
+ default _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt behavior is encouraged.
+
+ In all cases, environment variables with a value beginning with () are
removed as they could be interpreted as b\bba\bas\bsh\bh functions. The list of
environment variables that s\bsu\bud\bdo\bo allows or denies is contained in the
output of sudo -V when run as root.
Since time stamp files live in the file system, they can outlive a
user's login session. As a result, a user may be able to login, run a
- command with s\bsu\bud\bdo\bo after authenticating, logout, login again, and run
- s\bsu\bud\bdo\bo without authenticating so long as the time stamp file's
- modification time is within 5 minutes (or whatever the timeout is set
- to in _\bs_\bu_\bd_\bo_\be_\br_\bs). When the _\bt_\bt_\by_\b__\bt_\bi_\bc_\bk_\be_\bt_\bs option is enabled in _\bs_\bu_\bd_\bo_\be_\br_\bs, the
- time stamp has per-tty granularity but still may outlive the user's
- session. On Linux systems where the devpts filesystem is used, Solaris
- systems with the devices filesystem, as well as other systems that
- utilize a devfs filesystem that monotonically increase the inode number
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ command with s\bsu\bud\bdo\bo after authenticating, logout, login again, and run
+ s\bsu\bud\bdo\bo without authenticating so long as the time stamp file's
+ modification time is within 5 minutes (or whatever the timeout is set
+ to in _\bs_\bu_\bd_\bo_\be_\br_\bs). When the _\bt_\bt_\by_\b__\bt_\bi_\bc_\bk_\be_\bt_\bs option is enabled in _\bs_\bu_\bd_\bo_\be_\br_\bs, the
+ time stamp has per-tty granularity but still may outlive the user's
+ session. On Linux systems where the devpts filesystem is used, Solaris
+ systems with the devices filesystem, as well as other systems that
+ utilize a devfs filesystem that monotonically increase the inode number
of devices as they are created (such as Mac OS X), s\bsu\bud\bdo\bo is able to
determine when a tty-based time stamp file is stale and will ignore it.
Administrators should not rely on this feature as it is not universally
SUDO_UID Set to the user ID of the user who invoked sudo
- SUDO_USER Set to the login of the user who invoked sudo
- USER Set to the target user (root unless the -\b-u\bu option is
- specified)
- VISUAL Default editor to use in -\b-e\be (sudoedit) mode if
- SUDO_EDITOR is not set
+1.7.3b3 June 10, 2010 8
-1.7.3b3 June 10, 2010 8
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ SUDO_USER Set to the login of the user who invoked sudo
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ USER Set to the target user (root unless the -\b-u\bu option is
+ specified)
+ VISUAL Default editor to use in -\b-e\be (sudoedit) mode if
+ SUDO_EDITOR is not set
F\bFI\bIL\bLE\bES\bS
_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
_\bg_\br_\be_\bp(1), _\bs_\bu(1), _\bs_\bt_\ba_\bt(2), _\bl_\bo_\bg_\bi_\bn_\b__\bc_\ba_\bp(3), _\bp_\ba_\bs_\bs_\bw_\bd(4), _\bs_\bu_\bd_\bo_\be_\br_\bs(5),
_\bv_\bi_\bs_\bu_\bd_\bo(1m)
-A\bAU\bUT\bTH\bHO\bOR\bRS\bS
- Many people have worked on s\bsu\bud\bdo\bo over the years; this version consists
- of code written primarily by:
-
- Todd C. Miller
-
- See the HISTORY file in the s\bsu\bud\bdo\bo distribution or visit
- http://www.sudo.ws/sudo/history.html for a short history of s\bsu\bud\bdo\bo.
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+A\bAU\bUT\bTH\bHO\bOR\bRS\bS
+ Many people have worked on s\bsu\bud\bdo\bo over the years; this version consists
+ of code written primarily by:
+
+ Todd C. Miller
+
+ See the HISTORY file in the s\bsu\bud\bdo\bo distribution or visit
+ http://www.sudo.ws/sudo/history.html for a short history of s\bsu\bud\bdo\bo.
+
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
There is no easy way to prevent a user from gaining a root shell if
that user is allowed to run arbitrary commands via s\bsu\bud\bdo\bo. Also, many
-
-
-
-
-
-
-
-
-
1.7.3b3 June 10, 2010 10
Cmnd_Spec_List ::= Cmnd_Spec |
Cmnd_Spec ',' Cmnd_Spec_List
- Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
+ Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
+ SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
+
Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
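Review bot: `SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')` together with the single optional `SELinux_Spec?` in Cmnd_Spec allows only a role or a type on a command, but the SELinux_Spec prose elsewhere in this patch says entries may carry a role and/or type. Either the grammar should permit both, e.g. `SELinux_Spec ::= ('ROLE=role')? ('TYPE=type')?` (with whatever ordering the parser accepts), or the prose should say that only one may be given; the grammar should match the parser's actual behaviour.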
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
- Then user d\bdg\bgb\bb is now allowed to run _\b/_\bb_\bi_\bn_\b/_\bl_\bs as o\bop\bpe\ber\bra\bat\bto\bor\br, but _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl
- and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as r\bro\boo\bot\bt.
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ Then user d\bdg\bgb\bb is now allowed to run _\b/_\bb_\bi_\bn_\b/_\bl_\bs as o\bop\bpe\ber\bra\bat\bto\bor\br, but _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl
+ and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as r\bro\boo\bot\bt.
+
We can extend this to allow d\bdg\bgb\bb to run /bin/ls with either the user or
group set to o\bop\bpe\ber\bra\bat\bto\bor\br:
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
/usr/local/bin/minicom
+ S\bSE\bEL\bLi\bin\bnu\bux\bx_\b_S\bSp\bpe\bec\bc
+ On systems with SELinux support, _\bs_\bu_\bd_\bo_\be_\br_\bs entries may optionally have an
+ SELinux role and/or type associated with a command. If a role or type
+ is specified with the command it will override any default values
+ specified in _\bs_\bu_\bd_\bo_\be_\br_\bs. A role or type specified on the command line,
+ however, will supercede the values in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+
T\bTa\bag\bg_\b_S\bSp\bpe\bec\bc
A command may have zero or more tags associated with it. There are
eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV,
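Review bot: "supercede" on the last line of the new SELinux_Spec paragraph is a misspelling of "supersede". Beyond the typo, the precedence stated there (command line over sudoers over Defaults) means the invoking user, not the administrator, picks the security context the command runs in, so the paragraph should say what bounds that choice; as written an administrator cannot tell whether a per-command ROLE= or TYPE= in sudoers is a restriction or merely a default.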
By default, if the NOPASSWD tag is applied to any of the entries for a
user on the current host, he or she will be able to run sudo -l without
a password. Additionally, a user may only run sudo -v without a
- password if the NOPASSWD tag is present for all a user's entries that
- pertain to the current host. This behavior may be overridden via the
- verifypw and listpw options.
- _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC
- If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the underlying
- operating system supports it, the NOEXEC tag can be used to prevent a
- dynamically-linked executable from running further commands itself.
+1.7.3b3 June 10, 2010 6
-1.7.3b3 June 10, 2010 6
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ password if the NOPASSWD tag is present for all a user's entries that
+ pertain to the current host. This behavior may be overridden via the
+ verifypw and listpw options.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC
+ If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the underlying
+ operating system supports it, the NOEXEC tag can be used to prevent a
+ dynamically-linked executable from running further commands itself.
In the following example, user a\baa\bar\bro\bon\bn may run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and
_\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi but shell escapes will be disabled.
[!...] Matches any character n\bno\bot\bt in the specified range.
- \x For any character "x", evaluates to "x". This is used to
- escape special characters such as: "*", "?", "[", and "}".
- POSIX character classes may also be used if your system's _\bg_\bl_\bo_\bb(3) and
- _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) functions support them. However, because the ':' character
- has special meaning in _\bs_\bu_\bd_\bo_\be_\br_\bs, it must be escaped. For example:
- /bin/ls [[\:alpha\:]]*
- Would match any file name beginning with a letter.
+1.7.3b3 June 10, 2010 7
-1.7.3b3 June 10, 2010 7
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ \x For any character "x", evaluates to "x". This is used to
+ escape special characters such as: "*", "?", "[", and "}".
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ POSIX character classes may also be used if your system's _\bg_\bl_\bo_\bb(3) and
+ _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) functions support them. However, because the ':' character
+ has special meaning in _\bs_\bu_\bd_\bo_\be_\br_\bs, it must be escaped. For example:
+ /bin/ls [[\:alpha\:]]*
+
+ Would match any file name beginning with a letter.
Note that a forward slash ('/') will n\bno\bot\bt be matched by wildcards used
in the path name. When matching the command line arguments, however, a
will cause s\bsu\bud\bdo\bo to include the file _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bx_\be_\br_\bx_\be_\bs.
The #includedir directive can be used to create a _\bs_\bu_\bd_\bo_\b._\bd directory that
- the system package manager can drop _\bs_\bu_\bd_\bo_\be_\br_\bs rules into as part of
- package installation. For example, given:
-
- #includedir /etc/sudoers.d
-
- s\bsu\bud\bdo\bo will read each file in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd, skipping file names that
- end in ~ or contain a . character to avoid causing problems with
- package manager or editor temporary/backup files. Files are parsed in
- sorted lexical order. That is, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b0_\b1_\b__\bf_\bi_\br_\bs_\bt will be parsed
- before _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Be aware that because the sorting is
- lexical, not numeric, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b__\bw_\bh_\bo_\bo_\bp_\bs would be loaded a\baf\bft\bte\ber\br
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ the system package manager can drop _\bs_\bu_\bd_\bo_\be_\br_\bs rules into as part of
+ package installation. For example, given:
+
+ #includedir /etc/sudoers.d
+
+ s\bsu\bud\bdo\bo will read each file in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd, skipping file names that
+ end in ~ or contain a . character to avoid causing problems with
+ package manager or editor temporary/backup files. Files are parsed in
+ sorted lexical order. That is, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b0_\b1_\b__\bf_\bi_\br_\bs_\bt will be parsed
+ before _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Be aware that because the sorting is
+ lexical, not numeric, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b__\bw_\bh_\bo_\bo_\bp_\bs would be loaded a\baf\bft\bte\ber\br
_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Using a consistent number of leading zeroes
in the file names can be used to avoid such problems.
earlier. A list of all supported Defaults parameters, grouped by type,
are listed below.
- B\bBo\boo\bol\ble\bea\ban\bn F\bFl\bla\bag\bgs\bs:
-
- always_set_home If set, s\bsu\bud\bdo\bo will set the HOME environment variable to
- the home directory of the target user (which is root
- unless the -\b-u\bu option is used). This effectively means
- that the -\b-H\bH option is always implied. This flag is _\bo_\bf_\bf
- by default.
-
- authenticate If set, users must authenticate themselves via a
- password (or other means of authentication) before they
-
1.7.3b3 June 10, 2010 9
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ B\bBo\boo\bol\ble\bea\ban\bn F\bFl\bla\bag\bgs\bs:
+
+ always_set_home If set, s\bsu\bud\bdo\bo will set the HOME environment variable to
+ the home directory of the target user (which is root
+ unless the -\b-u\bu option is used). This effectively means
+ that the -\b-H\bH option is always implied. This flag is _\bo_\bf_\bf
+ by default.
+
+ authenticate If set, users must authenticate themselves via a
+ password (or other means of authentication) before they
may run commands. This default may be overridden via
the PASSWD and NOPASSWD tags. This flag is _\bo_\bn by
default.
alternative is to place a colon-separated list of
editors in the editor variable. v\bvi\bis\bsu\bud\bdo\bo will then only
use the EDITOR or VISUAL if they match a value
- specified in editor. This flag is _\bo_\bn by default.
+ specified in editor. This flag is _\bo_\bf_\bf by default.
env_reset If set, s\bsu\bud\bdo\bo will reset the environment to only contain
the LOGNAME, SHELL, USER, USERNAME and the SUDO_*
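Review bot: the documented default of the flag in this hunk, the one controlling whether visudo honours the user's EDITOR or VISUAL, flips from on to off with no accompanying code change, and the same pattern appears below for ignore_dot, insults and the syslog facility. If these pages were regenerated on a host whose configure options differ from the shipped defaults, the flipped values describe the builder's local build rather than the project's; please confirm each against the intended configure defaults before merging, since this particular flag decides whether a user-controlled editor path is trusted.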
option causes s\bsu\bud\bdo\bo to use the _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) function,
which does not access the file system to do its
matching. The disadvantage of _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is that it is
- unable to match relative path names such as _\b._\b/_\bl_\bs or
- _\b._\b._\b/_\bb_\bi_\bn_\b/_\bl_\bs. This has security implications when path
- names that include globbing characters are used with
- the negation operator, '!', as such rules can be
- trivially bypassed. As such, this option should not be
- used when _\bs_\bu_\bd_\bo_\be_\br_\bs contains rules that contain negated
- path names which include globbing characters. This
- flag is _\bo_\bf_\bf by default.
-
- fqdn Set this flag if you want to put fully qualified host
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ unable to match relative path names such as _\b._\b/_\bl_\bs or
+ _\b._\b._\b/_\bb_\bi_\bn_\b/_\bl_\bs. This has security implications when path
+ names that include globbing characters are used with
+ the negation operator, '!', as such rules can be
+ trivially bypassed. As such, this option should not be
+ used when _\bs_\bu_\bd_\bo_\be_\br_\bs contains rules that contain negated
+ path names which include globbing characters. This
+ flag is _\bo_\bf_\bf by default.
+
+ fqdn Set this flag if you want to put fully qualified host
names in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. I.e., instead of myhost you
would use myhost.mydomain.edu. You may still use the
short form if you wish (and even mix the two). Beware
ignore_dot If set, s\bsu\bud\bdo\bo will ignore '.' or '' (current dir) in the
PATH environment variable; the PATH itself is not
- modified. This flag is _\bo_\bn by default.
+ modified. This flag is _\bo_\bf_\bf by default.
ignore_local_sudoers
If set via LDAP, parsing of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs will be
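Review bot: the ignore_dot default changes from on to off here with no code change, which again reads as a regenerated page rather than an intended edit; verify it against the shipped configure default. This flag governs whether '.' or an empty entry in the invoking user's PATH is honoured when sudo locates the command, so an administrator trusting the old wording would believe the protection is on by default; if off really is the default, say plainly what sudo does with such PATH entries when the flag is unset.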
_\bo_\bf_\bf by default.
insults If set, s\bsu\bud\bdo\bo will insult users when they enter an
- incorrect password. This flag is _\bo_\bn by default.
+ incorrect password. This flag is _\bo_\bf_\bf by default.
log_host If set, the host name will be logged in the (non-
syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
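Review bot: same concern as above about regenerated defaults: insults goes from on to off here with no code change. Low stakes either way, but confirm it matches the intended configure default rather than the build host's, and avoid flipping documented defaults silently.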
long_otp_prompt When validating with a One Time Password (OPT) scheme
such as S\bS/\b/K\bKe\bey\by or O\bOP\bPI\bIE\bE, a two-line prompt is used to
make it easier to cut and paste the challenge to a
- local window. It's not as pretty as the default but
- some people find it more convenient. This flag is _\bo_\bf_\bf
- by default.
-
- mail_always Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user every time a users runs
- s\bsu\bud\bdo\bo. This flag is _\bo_\bf_\bf by default.
-
- mail_badpass Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user if the user running s\bsu\bud\bdo\bo
- does not enter the correct password. This flag is _\bo_\bf_\bf
- by default.
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ local window. It's not as pretty as the default but
+ some people find it more convenient. This flag is _\bo_\bf_\bf
+ by default.
+
+ mail_always Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user every time a users runs
+ s\bsu\bud\bdo\bo. This flag is _\bo_\bf_\bf by default.
+
+ mail_badpass Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user if the user running s\bsu\bud\bdo\bo
+ does not enter the correct password. This flag is _\bo_\bf_\bf
+ by default.
+
mail_no_host If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
invoking user exists in the _\bs_\bu_\bd_\bo_\be_\br_\bs file, but is not
allowed to run commands on the current host. This flag
_\bp_\br_\be_\bs_\be_\br_\bv_\be_\b__\bg_\br_\bo_\bu_\bp_\bs is set, the user's existing group
vector is left unaltered. The real and effective group
IDs, however, are still set to match the target user.
- This flag is _\bo_\bf_\bf by default.
-
- pwfeedback By default, s\bsu\bud\bdo\bo reads the password like most other
- Unix programs, by turning off echo until the user hits
- the return (or enter) key. Some users become confused
- by this as it appears to them that s\bsu\bud\bdo\bo has hung at
- this point. When _\bp_\bw_\bf_\be_\be_\bd_\bb_\ba_\bc_\bk is set, s\bsu\bud\bdo\bo will provide
- visual feedback when the user presses a key. Note that
- this does have a security impact as an onlooker may be
- able to determine the length of the password being
- entered. This flag is _\bo_\bf_\bf by default.
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ This flag is _\bo_\bf_\bf by default.
+
+ pwfeedback By default, s\bsu\bud\bdo\bo reads the password like most other
+ Unix programs, by turning off echo until the user hits
+ the return (or enter) key. Some users become confused
+ by this as it appears to them that s\bsu\bud\bdo\bo has hung at
+ this point. When _\bp_\bw_\bf_\be_\be_\bd_\bb_\ba_\bc_\bk is set, s\bsu\bud\bdo\bo will provide
+ visual feedback when the user presses a key. Note that
+ this does have a security impact as an onlooker may be
+ able to determine the length of the password being
+ entered. This flag is _\bo_\bf_\bf by default.
+
requiretty If set, s\bsu\bud\bdo\bo will only run when the user is logged in
to a real tty. When this flag is set, s\bsu\bud\bdo\bo can only be
run from a login session and not via other means such
the value of _\bs_\be_\bt_\b__\bl_\bo_\bg_\bn_\ba_\bm_\be. This flag is _\bo_\bf_\bf by default.
setenv Allow the user to disable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option from the
- command line. Additionally, environment variables set
- via the command line are not subject to the
- restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or
- _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such, only trusted users should be
- allowed to set variables in this manner. This flag is
- _\bo_\bf_\bf by default.
-
- shell_noargs If set and s\bsu\bud\bdo\bo is invoked with no arguments it acts as
- if the -\b-s\bs option had been given. That is, it runs a
- shell as root (the shell is determined by the SHELL
- environment variable if it is set, falling back on the
- shell listed in the invoking user's /etc/passwd entry
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ command line. Additionally, environment variables set
+ via the command line are not subject to the
+ restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or
+ _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such, only trusted users should be
+ allowed to set variables in this manner. This flag is
+ _\bo_\bf_\bf by default.
+
+ shell_noargs If set and s\bsu\bud\bdo\bo is invoked with no arguments it acts as
+ if the -\b-s\bs option had been given. That is, it runs a
+ shell as root (the shell is determined by the SHELL
+ environment variable if it is set, falling back on the
+ shell listed in the invoking user's /etc/passwd entry
if not). This flag is _\bo_\bf_\bf by default.
stay_setuid Normally, when s\bsu\bud\bdo\bo executes a command the real and
using a unique session ID that is included in the
normal s\bsu\bud\bdo\bo log line, prefixed with _\bT_\bS_\bI_\bD_\b=.
- Output logs may be viewed with the _\bs_\bu_\bd_\bo_\br_\be_\bp_\bl_\ba_\by(1m)
- utility, which can also be used to list or search the
- available logs.
-
- tty_tickets If set, users must authenticate on a per-tty basis.
- Normally, s\bsu\bud\bdo\bo uses a directory in the ticket dir with
- the same name as the user running it. With this flag
- enabled, s\bsu\bud\bdo\bo will use a file named for the tty the
- user is logged in on in that directory. This flag is
- _\bo_\bf_\bf by default.
-
-
1.7.3b3 June 10, 2010 14
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ Output logs may be viewed with the _\bs_\bu_\bd_\bo_\br_\be_\bp_\bl_\ba_\by(1m)
+ utility, which can also be used to list or search the
+ available logs.
+
+ tty_tickets If set, users must authenticate on a per-tty basis.
+ Normally, s\bsu\bud\bdo\bo uses a directory in the ticket dir with
+ the same name as the user running it. With this flag
+ enabled, s\bsu\bud\bdo\bo will use a file named for the tty the
+ user is logged in on in that directory. This flag is
+ _\bo_\bf_\bf by default.
+
umask_override If set, s\bsu\bud\bdo\bo will set the umask as specified by _\bs_\bu_\bd_\bo_\be_\br_\bs
without modification. This makes it possible to
specify a more permissive umask in _\bs_\bu_\bd_\bo_\be_\br_\bs than the
I\bIn\bnt\bte\beg\bge\ber\brs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
- loglinelen Number of characters per line for the file log. This
- value is used to decide when to wrap lines for nicer
- log files. This has no effect on the syslog log file,
- only the file log. The default is 80 (use 0 or negate
- the option to disable word wrap).
-
- passwd_timeout Number of minutes before the s\bsu\bud\bdo\bo password prompt times
- out, or 0 for no timeout. The timeout may include a
- fractional component if minute granularity is
- insufficient, for example 2.5. The default is 5.
-
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ loglinelen Number of characters per line for the file log. This
+ value is used to decide when to wrap lines for nicer
+ log files. This has no effect on the syslog log file,
+ only the file log. The default is 80 (use 0 or negate
+ the option to disable word wrap).
+
+ passwd_timeout Number of minutes before the s\bsu\bud\bdo\bo password prompt times
+ out, or 0 for no timeout. The timeout may include a
+ fractional component if minute granularity is
+ insufficient, for example 2.5. The default is 5.
+
timestamp_timeout
Number of minutes that can elapse before s\bsu\bud\bdo\bo will ask
for a passwd again. The timeout may include a
LD_PRELOAD or its equivalent. Defaults to
_\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc_\b/_\bs_\bu_\bd_\bo_\b__\bn_\bo_\be_\bx_\be_\bc_\b._\bs_\bo.
- passprompt The default prompt to use when asking for a password;
- can be overridden via the -\b-p\bp option or the SUDO_PROMPT
- environment variable. The following percent (`%')
- escapes are supported:
-
- %H expanded to the local host name including the
- domain name (on if the machine's host name is fully
- qualified or the _\bf_\bq_\bd_\bn option is set)
-
- %h expanded to the local host name without the domain
-
1.7.3b3 June 10, 2010 16
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ passprompt The default prompt to use when asking for a password;
+ can be overridden via the -\b-p\bp option or the SUDO_PROMPT
+ environment variable. The following percent (`%')
+ escapes are supported:
+
+ %H expanded to the local host name including the
+ domain name (on if the machine's host name is fully
+ qualified or the _\bf_\bq_\bd_\bn option is set)
+
+ %h expanded to the local host name without the domain
name
%p expanded to the user whose password is being asked
The default value is Password:.
+ role The default SELinux role to use when constructing a new
+ security context to run the command. The default role
+ may be overridden on a per-command basis in _\bs_\bu_\bd_\bo_\be_\br_\bs or
+ via command line options. This option is only
+ available whe s\bsu\bud\bdo\bo is built with SELinux support.
+
runas_default The default user to run commands as if the -\b-u\bu option is
not specified on the command line. This defaults to
root. Note that if _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt is set it m\bmu\bus\bst\bt occur
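Review bot: "whe" on the last line of the new role entry should be "when". The entry says the default may be overridden per command in sudoers or on the command line but names neither mechanism; cross-referencing the ROLE= syntax of SELinux_Spec and the -r option of sudo(1m) would help.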
timestampowner The owner of the timestamp directory and the timestamps
stored therein. The default is root.
+ type The default SELinux type to use when constructing a new
+
+
+
+1.7.3b3 June 10, 2010 17
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
+ security context to run the command. The default type
+ may be overridden on a per-command basis in _\bs_\bu_\bd_\bo_\be_\br_\bs or
+ via command line options. This option is only
+ available whe s\bsu\bud\bdo\bo is built with SELinux support.
+
S\bSt\btr\bri\bin\bng\bgs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
askpass The _\ba_\bs_\bk_\bp_\ba_\bs_\bs option specifies the fully qualified path to a
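Review bot: "whe" should be "when" in the new type entry as well. The -t option text elsewhere in this patch says that when no type is given the type is derived from the specified role, but this entry does not say how that interacts with a configured type default (is the derived type used, or this default?); one sentence settling the precedence would remove the ambiguity.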
the program being run. Entries in this file should either
be of the form VARIABLE=value or export VARIABLE=value.
The value may optionally be surrounded by single or double
-
-
-
-1.7.3b3 June 10, 2010 17
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
quotes. Variables in this file are subject to other s\bsu\bud\bdo\bo
environment settings such as _\be_\bn_\bv_\b__\bk_\be_\be_\bp and _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk.
all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the current host
must have the NOPASSWD flag set to avoid entering a
+
+
+
+1.7.3b3 June 10, 2010 18
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
password.
always The user must always enter a password to use the -\b-l\bl
mailerflags Flags to use when invoking mailer. Defaults to -\b-t\bt.
-
-
-
-1.7.3b3 June 10, 2010 18
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
mailerpath Path to mail program used to send warning mail. Defaults
to the path to sendmail found at configure time.
option is not set by default.
syslog Syslog facility if syslog is being used for logging (negate
- to disable syslog logging). Defaults to authpriv.
+ to disable syslog logging). Defaults to local2.
verifypw This option controls when a password will be required when
a user runs s\bsu\bud\bdo\bo with the -\b-v\bv option. It has the following
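Review bot: the documented default syslog facility changes from authpriv to local2 here without a code change. The facility list later in this page notes that authpriv is available only "if your OS supports it", so the compiled default is platform-dependent; rather than hard-coding whichever value the build host produced, the text should say the default is chosen at configure time and can be read from the output of sudo -V when run as root, which this page already points to for other compiled-in defaults.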
password.
always The user must always enter a password to use the -\b-v\bv
+
+
+
+1.7.3b3 June 10, 2010 19
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
option.
any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the
programs. The argument may be a double-quoted, space-
separated list or a single value without double-quotes.
The list can be replaced, added to, deleted from, or
-
-
-
-1.7.3b3 June 10, 2010 19
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
disabled by using the =, +=, -=, and ! operators
respectively. Regardless of whether the env_reset
option is enabled or disabled, variables specified by
with the _\b-_\bV option.
When logging via _\bs_\by_\bs_\bl_\bo_\bg(3), s\bsu\bud\bdo\bo accepts the following values for the
+
+
+
+1.7.3b3 June 10, 2010 20
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
syslog facility (the value of the s\bsy\bys\bsl\blo\bog\bg Parameter): a\bau\but\bth\bhp\bpr\bri\biv\bv (if your
OS supports it), a\bau\but\bth\bh, d\bda\bae\bem\bmo\bon\bn, u\bus\bse\ber\br, l\blo\boc\bca\bal\bl0\b0, l\blo\boc\bca\bal\bl1\b1, l\blo\boc\bca\bal\bl2\b2, l\blo\boc\bca\bal\bl3\b3,
l\blo\boc\bca\bal\bl4\b4, l\blo\boc\bca\bal\bl5\b5, l\blo\boc\bca\bal\bl6\b6, and l\blo\boc\bca\bal\bl7\b7. The following syslog priorities
Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of these are a bit
contrived. First, we define our _\ba_\bl_\bi_\ba_\bs_\be_\bs:
-
-
-
-
-
-
-1.7.3b3 June 10, 2010 20
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
# User alias specification
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
Here we override some of the compiled in default values. We want s\bsu\bud\bdo\bo
+
+
+
+1.7.3b3 June 10, 2010 21
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
to log via _\bs_\by_\bs_\bl_\bo_\bg(3) using the _\ba_\bu_\bt_\bh facility in all cases. We don't
want to subject the full time staff to the s\bsu\bud\bdo\bo lecture, user m\bmi\bil\bll\ble\ber\brt\bt
need not give a password, and we don't want to reset the LOGNAME, USER
Defaults!PAGERS noexec
The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually determines who may run
-
-
-
-1.7.3b3 June 10, 2010 21
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
what.
root ALL = (ALL) ALL
operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
sudoedit /etc/printcap, /usr/oper/bin/
+
+
+
+1.7.3b3 June 10, 2010 22
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
The o\bop\bpe\ber\bra\bat\bto\bor\br user may run commands limited to simple maintenance.
Here, those are commands related to backups, killing processes, the
printing system, shutting down the system, and any commands in the
the _\bH_\bP_\bP_\bA machines. Note that this assumes _\bp_\ba_\bs_\bs_\bw_\bd(1) does not take
multiple user names on the command line.
-
-
-1.7.3b3 June 10, 2010 22
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
bob SPARC = (OP) ALL : SGI = (OP) ALL
The user b\bbo\bob\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI machines as any user
jill SERVERS = /usr/bin/, !SU, !SHELLS
For any machine in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, j\bji\bil\bll\bl may run any commands in
+
+
+
+1.7.3b3 June 10, 2010 23
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
the directory _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/ except for those commands belonging to the _\bS_\bU
and _\bS_\bH_\bE_\bL_\bL_\bS Cmnd_Aliases.
and wim), may run any command as user www (which owns the web pages) or
simply _\bs_\bu(1) to www.
-
-
-
-
-1.7.3b3 June 10, 2010 23
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
/sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
/usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
User j\bjo\boh\bhn\bn can still run /usr/bin/passwd root if _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is enabled by
+
+
+
+1.7.3b3 June 10, 2010 24
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
changing to _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn and running ./passwd root instead.
P\bPR\bRE\bEV\bVE\bEN\bNT\bTI\bIN\bNG\bG S\bSH\bHE\bEL\bLL\bL E\bES\bSC\bCA\bAP\bPE\bES\bS
number of programs that offer shell escapes, restricting
users to the set of programs that do not if often unworkable.
-
-
-
-1.7.3b3 June 10, 2010 24
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
noexec Many systems that support shared libraries have the ability
to override default library functions by pointing an
environment variable (usually LD_PRELOAD) to an alternate
documented in the User Specification section above. Here is
that example again:
+
+
+
+1.7.3b3 June 10, 2010 25
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
This allows user a\baa\bar\bro\bon\bn to run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
The _\bs_\bu_\bd_\bo_\be_\br_\bs file should a\bal\blw\bwa\bay\bys\bs be edited by the v\bvi\bis\bsu\bud\bdo\bo command which
-
-
-
-1.7.3b3 June 10, 2010 25
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
locks the file and does grammatical checking. It is imperative that
_\bs_\bu_\bd_\bo_\be_\br_\bs be free of syntax errors since s\bsu\bud\bdo\bo will not run with a
syntactically incorrect _\bs_\bu_\bd_\bo_\be_\br_\bs file.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
1.7.3b3 June 10, 2010 26