uid and gid are set to match those of the target user as specified in
the passwd file and the group vector is initialized based on the group
file (unless the -\b-P\bP option was specified). If the invoking user is
- root or if the target user is the same as the invoking user, no pass-
- word is required. Otherwise, s\bsu\bud\bdo\bo requires that users authenticate
- themselves with a password by default (NOTE: in the default configura-
- tion this is the user's password, not the root password). Once a user
- has been authenticated, a timestamp is updated and the user may then
- use sudo without a password for a short period of time (5 minutes
- unless overridden in _\bs_\bu_\bd_\bo_\be_\br_\bs).
+ root or if the target user is the same as the invoking user, no
+ password is required. Otherwise, s\bsu\bud\bdo\bo requires that users authenticate
+ themselves with a password by default (NOTE: in the default
+ configuration this is the user's password, not the root password).
+ Once a user has been authenticated, a timestamp is updated and the user
+ may then use sudo without a password for a short period of time (5
+ minutes unless overridden in _\bs_\bu_\bd_\bo_\be_\br_\bs).
When invoked as s\bsu\bud\bdo\boe\bed\bdi\bit\bt, the -\b-e\be option (described below), is implied.
overridden via _\bs_\bu_\bd_\bo_\be_\br_\bs).
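Review bot: The removed and added blocks in this hunk (from "root or if the target user is the same as the invoking user" through "unless overridden in sudoers") carry identical wording and differ only in where the lines wrap, so this is regeneration churn from the Pod::Man 2.16 upgrade recorded later in the patch rather than a content change. Consider committing the regenerated formatted page separately from the substantive edits (the SUDO_EDITOR precedence text, the reordered ENVIRONMENT list and the new .TH date) so that the real changes can be reviewed without the reflow noise.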
If a user who is not listed in the _\bs_\bu_\bd_\bo_\be_\br_\bs file tries to run a command
- via s\bsu\bud\bdo\bo, mail is sent to the proper authorities, as defined at config-
- ure time or in the _\bs_\bu_\bd_\bo_\be_\br_\bs file (defaults to root). Note that the mail
- will not be sent if an unauthorized user tries to run sudo with the -\b-l\bl
- or -\b-v\bv flags. This allows users to determine for themselves whether or
- not they are allowed to use s\bsu\bud\bdo\bo.
+ via s\bsu\bud\bdo\bo, mail is sent to the proper authorities, as defined at
+ configure time or in the _\bs_\bu_\bd_\bo_\be_\br_\bs file (defaults to root). Note that
+ the mail will not be sent if an unauthorized user tries to run sudo
+ with the -\b-l\bl or -\b-v\bv flags. This allows users to determine for themselves
+ whether or not they are allowed to use s\bsu\bud\bdo\bo.
If s\bsu\bud\bdo\bo is run by root and the SUDO_USER environment variable is set,
s\bsu\bud\bdo\bo will use this value to determine who the actual user is. This can
-1.7.0 June 6, 2008 1
+1.7.0 October 24, 2008 1
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
- via _\bs_\by_\bs_\bl_\bo_\bg(3) but this is changeable at configure time or via the _\bs_\bu_\bd_\bo_\b-
- _\be_\br_\bs file.
+ via _\bs_\by_\bs_\bl_\bo_\bg(3) but this is changeable at configure time or via the
+ _\bs_\bu_\bd_\bo_\be_\br_\bs file.
O\bOP\bPT\bTI\bIO\bON\bNS\bS
s\bsu\bud\bdo\bo accepts the following command line options:
-A Normally, if s\bsu\bud\bdo\bo requires a password, it will read it from
- the current terminal. If the -\b-A\bA (_\ba_\bs_\bk_\bp_\ba_\bs_\bs) option is speci-
- fied, a helper program is executed to read the user's pass-
- word and output the password to the standard output. If
- the SUDO_ASKPASS environment variable is set, it specifies
- the path to the helper program. Otherwise, the value spec-
- ified by the _\ba_\bs_\bk_\bp_\ba_\bs_\bs option in _\bs_\bu_\bd_\bo_\be_\br_\bs(4) is used.
+ the current terminal. If the -\b-A\bA (_\ba_\bs_\bk_\bp_\ba_\bs_\bs) option is
+ specified, a helper program is executed to read the user's
+ password and output the password to the standard output.
+ If the SUDO_ASKPASS environment variable is set, it
+ specifies the path to the helper program. Otherwise, the
+ value specified by the _\ba_\bs_\bk_\bp_\ba_\bs_\bs option in _\bs_\bu_\bd_\bo_\be_\br_\bs(4) is
+ used.
-a _\bt_\by_\bp_\be The -\b-a\ba (_\ba_\bu_\bt_\bh_\be_\bn_\bt_\bi_\bc_\ba_\bt_\bi_\bo_\bn _\bt_\by_\bp_\be) option causes s\bsu\bud\bdo\bo to use the
specified authentication type when validating the user, as
option is only available on systems that support BSD
authentication.
- -b The -\b-b\bb (_\bb_\ba_\bc_\bk_\bg_\br_\bo_\bu_\bn_\bd) option tells s\bsu\bud\bdo\bo to run the given com-
- mand in the background. Note that if you use the -\b-b\bb option
- you cannot use shell job control to manipulate the process.
+ -b The -\b-b\bb (_\bb_\ba_\bc_\bk_\bg_\br_\bo_\bu_\bn_\bd) option tells s\bsu\bud\bdo\bo to run the given
+ command in the background. Note that if you use the -\b-b\bb
+ option you cannot use shell job control to manipulate the
+ process.
-C _\bf_\bd Normally, s\bsu\bud\bdo\bo will close all open file descriptors other
than standard input, standard output and standard error.
option is only available if the administrator has enabled
the _\bc_\bl_\bo_\bs_\be_\bf_\br_\bo_\bm_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be option in _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
- -c _\bc_\bl_\ba_\bs_\bs The -\b-c\bc (_\bc_\bl_\ba_\bs_\bs) option causes s\bsu\bud\bdo\bo to run the specified com-
- mand with resources limited by the specified login class.
- The _\bc_\bl_\ba_\bs_\bs argument can be either a class name as defined in
- _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf, or a single '-' character. Specifying a
- _\bc_\bl_\ba_\bs_\bs of - indicates that the command should be run
- restricted by the default login capabilities for the user
- the command is run as. If the _\bc_\bl_\ba_\bs_\bs argument specifies an
- existing user class, the command must be run as root, or
- the s\bsu\bud\bdo\bo command must be run from a shell that is already
- root. This option is only available on systems with BSD
- login classes.
+ -c _\bc_\bl_\ba_\bs_\bs The -\b-c\bc (_\bc_\bl_\ba_\bs_\bs) option causes s\bsu\bud\bdo\bo to run the specified
+ command with resources limited by the specified login
+ class. The _\bc_\bl_\ba_\bs_\bs argument can be either a class name as
+ defined in _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf, or a single '-' character.
+ Specifying a _\bc_\bl_\ba_\bs_\bs of - indicates that the command should
+ be run restricted by the default login capabilities for the
+ user the command is run as. If the _\bc_\bl_\ba_\bs_\bs argument
+ specifies an existing user class, the command must be run
+ as root, or the s\bsu\bud\bdo\bo command must be run from a shell that
+ is already root. This option is only available on systems
+ with BSD login classes.
-E The -\b-E\bE (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt) option will override the
_\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option in _\bs_\bu_\bd_\bo_\be_\br_\bs(4)). It is only available when
_\bs_\be_\bt_\be_\bn_\bv option is set in _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
-e The -\b-e\be (_\be_\bd_\bi_\bt) option indicates that, instead of running a
- command, the user wishes to edit one or more files. In
- lieu of a command, the string "sudoedit" is used when
-1.7.0 June 6, 2008 2
+1.7.0 October 24, 2008 2
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ command, the user wishes to edit one or more files. In
+ lieu of a command, the string "sudoedit" is used when
consulting the _\bs_\bu_\bd_\bo_\be_\br_\bs file. If the user is authorized by
_\bs_\bu_\bd_\bo_\be_\br_\bs the following steps are taken:
1. Temporary copies are made of the files to be edited
with the owner set to the invoking user.
- 2. The editor specified by the VISUAL or EDITOR environ-
- ment variables is run to edit the temporary files. If
- neither VISUAL nor EDITOR are set, the program listed
- in the _\be_\bd_\bi_\bt_\bo_\br _\bs_\bu_\bd_\bo_\be_\br_\bs variable is used.
+ 2. The editor specified by the SUDO_EDITOR, VISUAL or
+ EDITOR environment variables is run to edit the
+ temporary files. If none of SUDO_EDITOR, VISUAL or
+ EDITOR are set, the first program listed in the _\be_\bd_\bi_\bt_\bo_\br
+ _\bs_\bu_\bd_\bo_\be_\br_\bs variable is used.
3. If they have been modified, the temporary files are
- copied back to their original location and the tempo-
- rary versions are removed.
+ copied back to their original location and the
+ temporary versions are removed.
If the specified file does not exist, it will be created.
Note that unlike most commands run by s\bsu\bud\bdo\bo, the editor is
group will be set to _\bg_\br_\bo_\bu_\bp.
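Review bot: Step 2 now says "the first program listed in the editor sudoers variable", which implies that editor may hold more than one program; make sure sudoers(4) documents the list form and its separator, because this page is where most users will first see the new precedence (SUDO_EDITOR, then VISUAL, then EDITOR). Also, since SUDO_EDITOR is taken from the invoking user's environment, one clause stating whether it is consulted before or after the env_reset and env_check processing described under SECURITY NOTES would spare readers a trip to sudoers(4); as written, the reader cannot tell whether an env_reset configuration strips it.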
-H The -\b-H\bH (_\bH_\bO_\bM_\bE) option sets the HOME environment variable to
- the homedir of the target user (root by default) as speci-
- fied in _\bp_\ba_\bs_\bs_\bw_\bd(4). By default, s\bsu\bud\bdo\bo does not modify HOME
- (see _\bs_\be_\bt_\b__\bh_\bo_\bm_\be and _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be in _\bs_\bu_\bd_\bo_\be_\br_\bs(4)).
+ the homedir of the target user (root by default) as
+ specified in _\bp_\ba_\bs_\bs_\bw_\bd(4). By default, s\bsu\bud\bdo\bo does not modify
+ HOME (see _\bs_\be_\bt_\b__\bh_\bo_\bm_\be and _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be in _\bs_\bu_\bd_\bo_\be_\br_\bs(4)).
-h The -\b-h\bh (_\bh_\be_\bl_\bp) option causes s\bsu\bud\bdo\bo to print a usage message
and exit.
-i [command]
- The -\b-i\bi (_\bs_\bi_\bm_\bu_\bl_\ba_\bt_\be _\bi_\bn_\bi_\bt_\bi_\ba_\bl _\bl_\bo_\bg_\bi_\bn) option runs the shell spec-
- ified in the _\bp_\ba_\bs_\bs_\bw_\bd(4) entry of the target user as a login
- shell. This means that login-specific resource files such
- as .profile or .login will be read by the shell. If a com-
- mand is specified, it is passed to the shell for execution.
- Otherwise, an interactive shell is executed. s\bsu\bud\bdo\bo attempts
- to change to that user's home directory before running the
- shell. It also initializes the environment, leaving _\bD_\bI_\bS_\b-
- _\bP_\bL_\bA_\bY and _\bT_\bE_\bR_\bM unchanged, setting _\bH_\bO_\bM_\bE, _\bS_\bH_\bE_\bL_\bL, _\bU_\bS_\bE_\bR, _\bL_\bO_\bG_\b-
- _\bN_\bA_\bM_\bE, and _\bP_\bA_\bT_\bH, as well as the contents of _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt
- on Linux and AIX systems. All other environment variables
- are removed.
+ The -\b-i\bi (_\bs_\bi_\bm_\bu_\bl_\ba_\bt_\be _\bi_\bn_\bi_\bt_\bi_\ba_\bl _\bl_\bo_\bg_\bi_\bn) option runs the shell
+ specified in the _\bp_\ba_\bs_\bs_\bw_\bd(4) entry of the target user as a
+ login shell. This means that login-specific resource files
+ such as .profile or .login will be read by the shell. If a
+ command is specified, it is passed to the shell for
+ execution. Otherwise, an interactive shell is executed.
+ s\bsu\bud\bdo\bo attempts to change to that user's home directory
+ before running the shell. It also initializes the
+ environment, leaving _\bD_\bI_\bS_\bP_\bL_\bA_\bY and _\bT_\bE_\bR_\bM unchanged, setting
-1.7.0 June 6, 2008 3
+1.7.0 October 24, 2008 3
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ _\bH_\bO_\bM_\bE, _\bS_\bH_\bE_\bL_\bL, _\bU_\bS_\bE_\bR, _\bL_\bO_\bG_\bN_\bA_\bM_\bE, and _\bP_\bA_\bT_\bH, as well as the
+ contents of _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt on Linux and AIX systems. All
+ other environment variables are removed.
+
-K The -\b-K\bK (sure _\bk_\bi_\bl_\bl) option is like -\b-k\bk except that it removes
the user's timestamp entirely. Like -\b-k\bk, this option does
not require a password.
- -k The -\b-k\bk (_\bk_\bi_\bl_\bl) option to s\bsu\bud\bdo\bo invalidates the user's times-
- tamp by setting the time on it to the Epoch. The next time
- s\bsu\bud\bdo\bo is run a password will be required. This option does
- not require a password and was added to allow a user to
- revoke s\bsu\bud\bdo\bo permissions from a .logout file.
+ -k The -\b-k\bk (_\bk_\bi_\bl_\bl) option to s\bsu\bud\bdo\bo invalidates the user's
+ timestamp by setting the time on it to the Epoch. The next
+ time s\bsu\bud\bdo\bo is run a password will be required. This option
+ does not require a password and was added to allow a user
+ to revoke s\bsu\bud\bdo\bo permissions from a .logout file.
-L The -\b-L\bL (_\bl_\bi_\bs_\bt defaults) option will list out the parameters
that may be set in a _\bD_\be_\bf_\ba_\bu_\bl_\bt_\bs line along with a short
If no _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified, the -\b-l\bl (_\bl_\bi_\bs_\bt) option will list
the allowed (and forbidden) commands for the invoking user
(or the user specified by the -\b-U\bU option) on the current
- host. If a _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified and is permitted by _\bs_\bu_\bd_\bo_\b-
- _\be_\br_\bs, the fully-qualified path to the command is displayed
- along with any command line arguments. If _\bc_\bo_\bm_\bm_\ba_\bn_\bd is spec-
- ified but not allowed, s\bsu\bud\bdo\bo will exit with a return value
- of 1. If the -\b-l\bl flag is specified with an l\bl argument (i.e.
- -\b-l\bll\bl), or if -\b-l\bl is specified multiple times, a longer list
- format is used.
-
- -n The -\b-n\bn (_\bn_\bo_\bn_\b-_\bi_\bn_\bt_\be_\br_\ba_\bc_\bt_\bi_\bv_\be) option prevents s\bsu\bud\bdo\bo from prompt-
- ing the user for a password. If a password is required for
- the command to run, s\bsu\bud\bdo\bo will display an error messages and
- exit.
-
- -P The -\b-P\bP (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\bg_\br_\bo_\bu_\bp _\bv_\be_\bc_\bt_\bo_\br) option causes s\bsu\bud\bdo\bo to pre-
- serve the invoking user's group vector unaltered. By
+ host. If a _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified and is permitted by
+ _\bs_\bu_\bd_\bo_\be_\br_\bs, the fully-qualified path to the command is
+ displayed along with any command line arguments. If
+ _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified but not allowed, s\bsu\bud\bdo\bo will exit with a
+ return value of 1. If the -\b-l\bl flag is specified with an l\bl
+ argument (i.e. -\b-l\bll\bl), or if -\b-l\bl is specified multiple times,
+ a longer list format is used.
+
+ -n The -\b-n\bn (_\bn_\bo_\bn_\b-_\bi_\bn_\bt_\be_\br_\ba_\bc_\bt_\bi_\bv_\be) option prevents s\bsu\bud\bdo\bo from
+ prompting the user for a password. If a password is
+ required for the command to run, s\bsu\bud\bdo\bo will display an error
+ messages and exit.
+
+ -P The -\b-P\bP (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\bg_\br_\bo_\bu_\bp _\bv_\be_\bc_\bt_\bo_\br) option causes s\bsu\bud\bdo\bo to
+ preserve the invoking user's group vector unaltered. By
default, s\bsu\bud\bdo\bo will initialize the group vector to the list
of groups the target user is in. The real and effective
group IDs, however, are still set to match the target user.
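Review bot: The reflowed -n paragraph keeps a pre-existing grammar slip: "sudo will display an error messages and exit" should read "an error message and exit". Because this file is generated, fix it in the POD source for the -n option and regenerate, rather than patching the formatted output by hand.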
-p _\bp_\br_\bo_\bm_\bp_\bt The -\b-p\bp (_\bp_\br_\bo_\bm_\bp_\bt) option allows you to override the default
- password prompt and use a custom one. The following per-
- cent (`%') escapes are supported:
+ password prompt and use a custom one. The following
+ percent (`%') escapes are supported:
%H expanded to the local hostname including the domain
name (on if the machine's hostname is fully qualified
%p expanded to the user whose password is being asked for
(respects the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and _\br_\bu_\bn_\ba_\bs_\bp_\bw flags in
- _\bs_\bu_\bd_\bo_\be_\br_\bs)
-
- %U expanded to the login name of the user the command will
- be run as (defaults to root)
-1.7.0 June 6, 2008 4
+1.7.0 October 24, 2008 4
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ _\bs_\bu_\bd_\bo_\be_\br_\bs)
+
+ %U expanded to the login name of the user the command will
+ be run as (defaults to root)
+
%u expanded to the invoking user's login name
- %% two consecutive % characters are collapsed into a sin-
- gle % character
+ %% two consecutive % characters are collapsed into a
+ single % character
The prompt specified by the -\b-p\bp option will override the
system password prompt on systems that support PAM unless
listed. Only root or a user with s\bsu\bud\bdo\bo ALL on the current
host may use this option.
- -u _\bu_\bs_\be_\br The -\b-u\bu (_\bu_\bs_\be_\br) option causes s\bsu\bud\bdo\bo to run the specified com-
- mand as a user other than _\br_\bo_\bo_\bt. To specify a _\bu_\bi_\bd instead
- of a _\bu_\bs_\be_\br _\bn_\ba_\bm_\be, use _\b#_\bu_\bi_\bd. When running commands as a _\bu_\bi_\bd,
- many shells require that the '#' be escaped with a back-
- slash ('\'). Note that if the _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw Defaults option is
- set (see _\bs_\bu_\bd_\bo_\be_\br_\bs(4)) it is not possible to run commands
+ -u _\bu_\bs_\be_\br The -\b-u\bu (_\bu_\bs_\be_\br) option causes s\bsu\bud\bdo\bo to run the specified
+ command as a user other than _\br_\bo_\bo_\bt. To specify a _\bu_\bi_\bd
+ instead of a _\bu_\bs_\be_\br _\bn_\ba_\bm_\be, use _\b#_\bu_\bi_\bd. When running commands as
+ a _\bu_\bi_\bd, many shells require that the '#' be escaped with a
+ backslash ('\'). Note that if the _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw Defaults option
+ is set (see _\bs_\bu_\bd_\bo_\be_\br_\bs(4)) it is not possible to run commands
with a uid not listed in the password database.
-V The -\b-V\bV (_\bv_\be_\br_\bs_\bi_\bo_\bn) option causes s\bsu\bud\bdo\bo to print the version
addresses.
-v If given the -\b-v\bv (_\bv_\ba_\bl_\bi_\bd_\ba_\bt_\be) option, s\bsu\bud\bdo\bo will update the
- user's timestamp, prompting for the user's password if nec-
- essary. This extends the s\bsu\bud\bdo\bo timeout for another 5 min-
- utes (or whatever the timeout is set to in _\bs_\bu_\bd_\bo_\be_\br_\bs) but
+ user's timestamp, prompting for the user's password if
+ necessary. This extends the s\bsu\bud\bdo\bo timeout for another 5
+ minutes (or whatever the timeout is set to in _\bs_\bu_\bd_\bo_\be_\br_\bs) but
does not run a command.
- -- The -\b--\b- flag indicates that s\bsu\bud\bdo\bo should stop processing com-
- mand line arguments. It is most useful in conjunction with
- the -\b-s\bs flag.
+ -- The -\b--\b- flag indicates that s\bsu\bud\bdo\bo should stop processing
+ command line arguments. It is most useful in conjunction
+ with the -\b-s\bs flag.
Environment variables to be set for the command may also be passed on
- the command line in the form of V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be, e.g.
- L\bLD\bD_\b_L\bLI\bIB\bBR\bRA\bAR\bRY\bY_\b_P\bPA\bAT\bTH\bH=_\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bp_\bk_\bg_\b/_\bl_\bi_\bb. Variables passed on the command
- line are subject to the same restrictions as normal environment vari-
- ables with one important exception. If the _\bs_\be_\bt_\be_\bn_\bv option is set in
- _\bs_\bu_\bd_\bo_\be_\br_\bs, the command to be run has the SETENV tag set or the command
-1.7.0 June 6, 2008 5
+1.7.0 October 24, 2008 5
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
- matched is ALL, the user may set variables that would overwise be for-
- bidden. See _\bs_\bu_\bd_\bo_\be_\br_\bs(4) for more information.
+ the command line in the form of V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be, e.g.
+ L\bLD\bD_\b_L\bLI\bIB\bBR\bRA\bAR\bRY\bY_\b_P\bPA\bAT\bTH\bH=_\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bp_\bk_\bg_\b/_\bl_\bi_\bb. Variables passed on the command
+ line are subject to the same restrictions as normal environment
+ variables with one important exception. If the _\bs_\be_\bt_\be_\bn_\bv option is set in
+ _\bs_\bu_\bd_\bo_\be_\br_\bs, the command to be run has the SETENV tag set or the command
+ matched is ALL, the user may set variables that would overwise be
+ forbidden. See _\bs_\bu_\bd_\bo_\be_\br_\bs(4) for more information.
R\bRE\bET\bTU\bUR\bRN\bN V\bVA\bAL\bLU\bUE\bES\bS
Upon successful execution of a program, the return value from s\bsu\bud\bdo\bo will
simply be the return value of the program that was executed.
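Review bot: The reflow carries over the typo "overwise" in "the user may set variables that would overwise be forbidden"; it should be "otherwise". Fix it in the POD source so the correction survives the next regeneration.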
- Otherwise, s\bsu\bud\bdo\bo quits with an exit value of 1 if there is a configura-
- tion/permission problem or if s\bsu\bud\bdo\bo cannot execute the given command.
- In the latter case the error string is printed to stderr. If s\bsu\bud\bdo\bo can-
- not _\bs_\bt_\ba_\bt(2) one or more entries in the user's PATH an error is printed
- on stderr. (If the directory does not exist or if it is not really a
- directory, the entry is ignored and no error is printed.) This should
- not happen under normal circumstances. The most common reason for
- _\bs_\bt_\ba_\bt(2) to return "permission denied" is if you are running an auto-
- mounter and one of the directories in your PATH is on a machine that is
- currently unreachable.
+ Otherwise, s\bsu\bud\bdo\bo quits with an exit value of 1 if there is a
+ configuration/permission problem or if s\bsu\bud\bdo\bo cannot execute the given
+ command. In the latter case the error string is printed to stderr. If
+ s\bsu\bud\bdo\bo cannot _\bs_\bt_\ba_\bt(2) one or more entries in the user's PATH an error is
+ printed on stderr. (If the directory does not exist or if it is not
+ really a directory, the entry is ignored and no error is printed.)
+ This should not happen under normal circumstances. The most common
+ reason for _\bs_\bt_\ba_\bt(2) to return "permission denied" is if you are running
+ an automounter and one of the directories in your PATH is on a machine
+ that is currently unreachable.
S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
s\bsu\bud\bdo\bo tries to be safe when executing external commands.
If, however, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is disabled in _\bs_\bu_\bd_\bo_\be_\br_\bs, any variables
not explicitly denied by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be options are
inherited from the invoking process. In this case, _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and
- _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be behave like a blacklist. Since it is not possible to black-
- list all potentially dangerous environment variables, use of the
+ _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be behave like a blacklist. Since it is not possible to
+ blacklist all potentially dangerous environment variables, use of the
default _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt behavior is encouraged.
In all cases, environment variables with a value beginning with () are
before s\bsu\bud\bdo\bo even begins execution and, as such, it is not possible for
s\bsu\bud\bdo\bo to preserve them.
- To prevent command spoofing, s\bsu\bud\bdo\bo checks "." and "" (both denoting cur-
- rent directory) last when searching for a command in the user's PATH
- (if one or both are in the PATH). Note, however, that the actual PATH
- environment variable is _\bn_\bo_\bt modified and is passed unchanged to the
- program that s\bsu\bud\bdo\bo executes.
-
+ To prevent command spoofing, s\bsu\bud\bdo\bo checks "." and "" (both denoting
-1.7.0 June 6, 2008 6
+1.7.0 October 24, 2008 6
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ current directory) last when searching for a command in the user's PATH
+ (if one or both are in the PATH). Note, however, that the actual PATH
+ environment variable is _\bn_\bo_\bt modified and is passed unchanged to the
+ program that s\bsu\bud\bdo\bo executes.
+
s\bsu\bud\bdo\bo will check the ownership of its timestamp directory (_\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo
by default) and ignore the directory's contents if it is not owned by
root or if it is writable by a user other than root. On systems that
allow non-root users to give away files via _\bc_\bh_\bo_\bw_\bn(2), if the timestamp
directory is located in a directory writable by anyone (e.g., _\b/_\bt_\bm_\bp), it
is possible for a user to create the timestamp directory before s\bsu\bud\bdo\bo is
- run. However, because s\bsu\bud\bdo\bo checks the ownership and mode of the direc-
- tory and its contents, the only damage that can be done is to "hide"
- files by putting them in the timestamp dir. This is unlikely to happen
- since once the timestamp dir is owned by root and inaccessible by any
- other user, the user placing files there would be unable to get them
- back out. To get around this issue you can use a directory that is not
- world-writable for the timestamps (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo for instance) or cre-
- ate _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo with the appropriate owner (root) and permissions
- (0700) in the system startup files.
+ run. However, because s\bsu\bud\bdo\bo checks the ownership and mode of the
+ directory and its contents, the only damage that can be done is to
+ "hide" files by putting them in the timestamp dir. This is unlikely to
+ happen since once the timestamp dir is owned by root and inaccessible
+ by any other user, the user placing files there would be unable to get
+ them back out. To get around this issue you can use a directory that
+ is not world-writable for the timestamps (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo for instance)
+ or create _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo with the appropriate owner (root) and
+ permissions (0700) in the system startup files.
s\bsu\bud\bdo\bo will not honor timestamps set far in the future. Timestamps with
a date greater than current_time + 2 * TIMEOUT will be ignored and sudo
commands run from that shell will _\bn_\bo_\bt be logged, nor will s\bsu\bud\bdo\bo's access
control affect them. The same is true for commands that offer shell
escapes (including most editors). Because of this, care must be taken
- when giving users access to commands via s\bsu\bud\bdo\bo to verify that the com-
- mand does not inadvertently give the user an effective root shell. For
- more information, please see the PREVENTING SHELL ESCAPES section in
- _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
+ when giving users access to commands via s\bsu\bud\bdo\bo to verify that the
+ command does not inadvertently give the user an effective root shell.
+ For more information, please see the PREVENTING SHELL ESCAPES section
+ in _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
E\bEN\bNV\bVI\bIR\bRO\bON\bNM\bME\bEN\bNT\bT
s\bsu\bud\bdo\bo utilizes the following environment variables:
- EDITOR Default editor to use in -\b-e\be (sudoedit) mode if VISUAL
- is not set
+ EDITOR Default editor to use in -\b-e\be (sudoedit) mode if neither
+ SUDO_EDITOR nor VISUAL is set
HOME In -\b-s\bs or -\b-H\bH mode (or if sudo was configured with the
--enable-shell-sets-home option), set to homedir of the
SUDO_ASKPASS Specifies the path to a helper program used to read the
password if no terminal is available or if the -A
- option is specified.
- SUDO_PROMPT Used as the default password prompt
- SUDO_COMMAND Set to the command run by sudo
+1.7.0 October 24, 2008 7
-1.7.0 June 6, 2008 7
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ option is specified.
+ SUDO_COMMAND Set to the command run by sudo
- SUDO_USER Set to the login of the user who invoked sudo
+ SUDO_EDITOR Default editor to use in -\b-e\be (sudoedit) mode
- SUDO_UID Set to the uid of the user who invoked sudo
+ SUDO_GID Set to the group ID of the user who invoked sudo
+
+ SUDO_PROMPT Used as the default password prompt
- SUDO_GID Set to the gid of the user who invoked sudo
+ SUDO_PS1 If set, PS1 will be set to its value for the program
+ being run
- SUDO_PS1 If set, PS1 will be set to its value
+ SUDO_UID Set to the user ID of the user who invoked sudo
+
+ SUDO_USER Set to the login of the user who invoked sudo
USER Set to the target user (root unless the -\b-u\bu option is
specified)
- VISUAL Default editor to use in -\b-e\be (sudoedit) mode
+ VISUAL Default editor to use in -\b-e\be (sudoedit) mode if
+ SUDO_EDITOR is not set
F\bFI\bIL\bLE\bES\bS
_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
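Review bot: The rendered ENVIRONMENT list re-sorts the SUDO_* entries (SUDO_COMMAND, SUDO_EDITOR, SUDO_GID, SUDO_PROMPT, SUDO_PS1, SUDO_UID, SUDO_USER) and rewords SUDO_GID and SUDO_UID to "group ID" and "user ID" and SUDO_PS1 to add "for the program being run", but the roff-source hunk at the end of the patch only shows SUDO_PROMPT, SUDO_USER and SUDO_UID being removed from their old positions, with their new positions cut off. Confirm that the source re-adds all three with exactly the wording shown in the formatted text, otherwise the .cat and .man outputs will drift apart. The new precedence wording is consistent across the three editor entries (EDITOR applies if neither SUDO_EDITOR nor VISUAL is set, VISUAL if SUDO_EDITOR is not set, SUDO_EDITOR unconditionally) and with step 2 of the -e description, which is good.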
Note that this runs the commands in a sub-shell to make the cd and file
redirection work.
- $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
-S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\bg_\br_\be_\bp(1), _\bs_\bu(1), _\bs_\bt_\ba_\bt(2), _\bl_\bo_\bg_\bi_\bn_\b__\bc_\ba_\bp(3), _\bp_\ba_\bs_\bs_\bw_\bd(4), _\bs_\bu_\bd_\bo_\be_\br_\bs(5),
- _\bv_\bi_\bs_\bu_\bd_\bo(1m)
-A\bAU\bUT\bTH\bHO\bOR\bRS\bS
- Many people have worked on s\bsu\bud\bdo\bo over the years; this version consists
- of code written primarily by:
+1.7.0 October 24, 2008 8
-1.7.0 June 6, 2008 8
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+S\bSE\bEE\bE A\bAL\bLS\bSO\bO
+ _\bg_\br_\be_\bp(1), _\bs_\bu(1), _\bs_\bt_\ba_\bt(2), _\bl_\bo_\bg_\bi_\bn_\b__\bc_\ba_\bp(3), _\bp_\ba_\bs_\bs_\bw_\bd(4), _\bs_\bu_\bd_\bo_\be_\br_\bs(5),
+ _\bv_\bi_\bs_\bu_\bd_\bo(1m)
+A\bAU\bUT\bTH\bHO\bOR\bRS\bS
+ Many people have worked on s\bsu\bud\bdo\bo over the years; this version consists
+ of code written primarily by:
Todd C. Miller
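Review bot: The SEE ALSO line, carried over unchanged into the new page layout, cites sudoers(5) while every cross-reference in the body of this page (the -A, -C, -E, -H and -u descriptions, the environment-variable paragraph and SECURITY NOTES) cites sudoers(4); one of the two is wrong for this platform. Since the page title is built from @mansectsu@ in the .TH line, the sudoers section in SEE ALSO should come from the same substitution mechanism instead of being hard-coded differently from the rest of the page.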
D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
- including, but not limited to, the implied warranties of merchantabil-
- ity and fitness for a particular purpose are disclaimed. See the
- LICENSE file distributed with s\bsu\bud\bdo\bo or
+ including, but not limited to, the implied warranties of
+ merchantability and fitness for a particular purpose are disclaimed.
+ See the LICENSE file distributed with s\bsu\bud\bdo\bo or
http://www.sudo.ws/sudo/license.html for complete details.
-
-
-
-
-
-
-
-
-
-
-1.7.0 June 6, 2008 9
+1.7.0 October 24, 2008 9
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.\" $Sudo$
-.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
+.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05)
.\"
.\" Standard preamble:
.\" ========================================================================
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to
-.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C'
-.\" expand to `' in nroff, nothing in troff, for use with C<>.
-.tr \(*W-|\(bv\*(Tr
+.\" double quote, and \*(R" will give a right double quote. \*(C+ will
+.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds R" ''
'br\}
.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
-.if \nF \{\
+.ie \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. nr % 0
. rr F
.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it makes
-.\" way too many mistakes in technical documents.
-.hy 0
-.if n .na
+.el \{\
+. de IX
+..
+.\}
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
.\" ========================================================================
.\"
.IX Title "SUDO @mansectsu@"
-.TH SUDO @mansectsu@ "June 6, 2008" "1.7.0" "MAINTENANCE COMMANDS"
+.TH SUDO @mansectsu@ "October 24, 2008" "1.7.0" "MAINTENANCE COMMANDS"
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
.SH "NAME"
sudo, sudoedit \- execute a command as another user
.SH "SYNOPSIS"
@BAMAN@The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the
@BAMAN@specified authentication type when validating the user, as allowed
@BAMAN@by \fI/etc/login.conf\fR. The system administrator may specify a list
-@BAMAN@of sudo-specific authentication methods by adding an \*(L"auth\-sudo\*(R"
+@BAMAN@of sudo-specific authentication methods by adding an \*(L"auth-sudo\*(R"
@BAMAN@entry in \fI/etc/login.conf\fR. This option is only available on systems
@BAMAN@that support \s-1BSD\s0 authentication.
.IP "\-b" 12
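Review bot: Dropping the backslash in \*(L"auth\-sudo\*(R" changes how the hyphen is rendered: in groff an unescaped "-" in running text may come out as a typographic hyphen rather than hyphen-minus, while "\-" yields the literal character, and "auth-sudo" is a string the administrator is told to type into /etc/login.conf verbatim, so a copy-pasted entry could fail to match. If this came from the Pod::Man 2.16 regeneration rather than a deliberate edit, consider marking the entry as code (C<>) in the POD so the generator keeps the literal form, or verify that the rendered output still produces an ASCII hyphen-minus.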
Temporary copies are made of the files to be edited with the owner
set to the invoking user.
.IP "2." 4
-The editor specified by the \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR environment
-variables is run to edit the temporary files. If neither \f(CW\*(C`VISUAL\*(C'\fR
-nor \f(CW\*(C`EDITOR\*(C'\fR are set, the program listed in the \fIeditor\fR \fIsudoers\fR
-variable is used.
+The editor specified by the \f(CW\*(C`SUDO_EDITOR\*(C'\fR, \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR
+environment variables is run to edit the temporary files. If none
+of \f(CW\*(C`SUDO_EDITOR\*(C'\fR, \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR are set, the first program
+listed in the \fIeditor\fR \fIsudoers\fR variable is used.
.IP "3." 4
If they have been modified, the temporary files are copied back to
their original location and the temporary versions are removed.
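Review bot: step 2 now names three variables but gives no order: "The editor specified by the SUDO_EDITOR, VISUAL or EDITOR environment variables" reads as if any of them could win. The ENVIRONMENT entries added elsewhere in this patch (VISUAL "if SUDO_EDITOR is not set", EDITOR "if neither SUDO_EDITOR nor VISUAL is set") imply SUDO_EDITOR, then VISUAL, then EDITOR; say so here, e.g. "... environment variables, checked in that order, is run to edit the temporary files".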
.ie n .IP "\*(C`EDITOR\*(C'" 16
.el .IP "\f(CW\*(C`EDITOR\*(C'\fR" 16
.IX Item "EDITOR"
-Default editor to use in \fB\-e\fR (sudoedit) mode if \f(CW\*(C`VISUAL\*(C'\fR is not set
+Default editor to use in \fB\-e\fR (sudoedit) mode if neither \f(CW\*(C`SUDO_EDITOR\*(C'\fR
+nor \f(CW\*(C`VISUAL\*(C'\fR is set
.ie n .IP "\*(C`HOME\*(C'" 16
.el .IP "\f(CW\*(C`HOME\*(C'\fR" 16
.IX Item "HOME"
.IX Item "SUDO_ASKPASS"
Specifies the path to a helper program used to read the password
if no terminal is available or if the \f(CW\*(C`\-A\*(C'\fR option is specified.
-.ie n .IP "\*(C`SUDO_PROMPT\*(C'" 16
-.el .IP "\f(CW\*(C`SUDO_PROMPT\*(C'\fR" 16
-.IX Item "SUDO_PROMPT"
-Used as the default password prompt
.ie n .IP "\*(C`SUDO_COMMAND\*(C'" 16
.el .IP "\f(CW\*(C`SUDO_COMMAND\*(C'\fR" 16
.IX Item "SUDO_COMMAND"
Set to the command run by sudo
-.ie n .IP "\*(C`SUDO_USER\*(C'" 16
-.el .IP "\f(CW\*(C`SUDO_USER\*(C'\fR" 16
-.IX Item "SUDO_USER"
-Set to the login of the user who invoked sudo
-.ie n .IP "\*(C`SUDO_UID\*(C'" 16
-.el .IP "\f(CW\*(C`SUDO_UID\*(C'\fR" 16
-.IX Item "SUDO_UID"
-Set to the uid of the user who invoked sudo
+.ie n .IP "\*(C`SUDO_EDITOR\*(C'" 16
+.el .IP "\f(CW\*(C`SUDO_EDITOR\*(C'\fR" 16
+.IX Item "SUDO_EDITOR"
+Default editor to use in \fB\-e\fR (sudoedit) mode
.ie n .IP "\*(C`SUDO_GID\*(C'" 16
.el .IP "\f(CW\*(C`SUDO_GID\*(C'\fR" 16
.IX Item "SUDO_GID"
-Set to the gid of the user who invoked sudo
+Set to the group \s-1ID\s0 of the user who invoked sudo
+.ie n .IP "\*(C`SUDO_PROMPT\*(C'" 16
+.el .IP "\f(CW\*(C`SUDO_PROMPT\*(C'\fR" 16
+.IX Item "SUDO_PROMPT"
+Used as the default password prompt
.ie n .IP "\*(C`SUDO_PS1\*(C'" 16
.el .IP "\f(CW\*(C`SUDO_PS1\*(C'\fR" 16
.IX Item "SUDO_PS1"
-If set, \f(CW\*(C`PS1\*(C'\fR will be set to its value
+If set, \f(CW\*(C`PS1\*(C'\fR will be set to its value for the program being run
+.ie n .IP "\*(C`SUDO_UID\*(C'" 16
+.el .IP "\f(CW\*(C`SUDO_UID\*(C'\fR" 16
+.IX Item "SUDO_UID"
+Set to the user \s-1ID\s0 of the user who invoked sudo
+.ie n .IP "\*(C`SUDO_USER\*(C'" 16
+.el .IP "\f(CW\*(C`SUDO_USER\*(C'\fR" 16
+.IX Item "SUDO_USER"
+Set to the login of the user who invoked sudo
.ie n .IP "\*(C`USER\*(C'" 16
.el .IP "\f(CW\*(C`USER\*(C'\fR" 16
.IX Item "USER"
.ie n .IP "\*(C`VISUAL\*(C'" 16
.el .IP "\f(CW\*(C`VISUAL\*(C'\fR" 16
.IX Item "VISUAL"
-Default editor to use in \fB\-e\fR (sudoedit) mode
+Default editor to use in \fB\-e\fR (sudoedit) mode if \f(CW\*(C`SUDO_EDITOR\*(C'\fR
+is not set
.SH "FILES"
.IX Header "FILES"
-.IP "\fI@sysconfdir@/sudoers\fR" 24
+.ie n .IP "\fI@sysconfdir@/sudoers\fR" 24
+.el .IP "\fI@sysconfdir@/sudoers\fR" 24
.IX Item "@sysconfdir@/sudoers"
List of who can run what
-.IP "\fI@timedir@\fR" 24
+.ie n .IP "\fI@timedir@\fR" 24
+.el .IP "\fI@timedir@\fR" 24
.IX Item "@timedir@"
Directory containing timestamps
.IP "\fI/etc/environment\fR" 24
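Review bot: the new `.ie n .IP` / `.el .IP` pairs for `@sysconfdir@/sudoers` and `@timedir@` have identical arguments on both branches, so the conditional does nothing; a plain `.IP "\fI@sysconfdir@/sudoers\fR" 24` (as the untouched `/etc/environment` entry still has) is equivalent. If this is verbatim pod2man output it can stay for consistency with regenerated files, but it should not be hand-maintained in this form.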
file system holding ~yazza is not exported as root:
.PP
.Vb 1
-\& $ sudo -u yazza ls ~yazza
+\& $ sudo \-u yazza ls ~yazza
.Ve
.PP
To edit the \fIindex.html\fR file as user www:
.PP
.Vb 1
-\& $ sudo -u www vi ~www/htdocs/index.html
+\& $ sudo \-u www vi ~www/htdocs/index.html
.Ve
.PP
To shutdown a machine:
.PP
.Vb 1
-\& $ sudo shutdown -r +15 "quick reboot"
+\& $ sudo shutdown \-r +15 "quick reboot"
.Ve
.PP
To make a usage listing of the directories in the /home
to make the \f(CW\*(C`cd\*(C'\fR and file redirection work.
.PP
.Vb 1
-\& $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
+\& $ sudo sh \-c "cd /home ; du \-s * | sort \-rn > USAGE"
.Ve
.SH "SEE ALSO"
.IX Header "SEE ALSO"
sudoers - list of which users may execute what
D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- The _\bs_\bu_\bd_\bo_\be_\br_\bs file is composed of two types of entries: aliases (basi-
- cally variables) and user specifications (which specify who may run
- what).
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs file is composed of two types of entries: aliases
+ (basically variables) and user specifications (which specify who may
+ run what).
When multiple entries match for a user, they are applied in order.
Where there are multiple matches, the last match is used (which is not
Q\bQu\bui\bic\bck\bk g\bgu\bui\bid\bde\be t\bto\bo E\bEB\bBN\bNF\bF
- EBNF is a concise and exact way of describing the grammar of a lan-
- guage. Each EBNF definition is made up of _\bp_\br_\bo_\bd_\bu_\bc_\bt_\bi_\bo_\bn _\br_\bu_\bl_\be_\bs. E.g.,
+ EBNF is a concise and exact way of describing the grammar of a
+ language. Each EBNF definition is made up of _\bp_\br_\bo_\bd_\bu_\bc_\bt_\bi_\bo_\bn _\br_\bu_\bl_\be_\bs. E.g.,
symbol ::= definition | alternate1 | alternate2 ...
Each _\bp_\br_\bo_\bd_\bu_\bc_\bt_\bi_\bo_\bn _\br_\bu_\bl_\be references others and thus makes up a grammar for
the language. EBNF also contains the following operators, which many
- readers will recognize from regular expressions. Do not, however, con-
- fuse them with "wildcard" characters, which have different meanings.
+ readers will recognize from regular expressions. Do not, however,
+ confuse them with "wildcard" characters, which have different meanings.
? Means that the preceding symbol (or group of symbols) is optional.
That is, it may appear once or not at all.
-1.7.0 May 2, 2008 1
+1.7.0 October 24, 2008 1
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
Host_Alias ::= NAME '=' Host_List
Cmnd_Alias ::= NAME '=' Cmnd_List
where _\bA_\bl_\bi_\ba_\bs_\b__\bT_\by_\bp_\be is one of User_Alias, Runas_Alias, Host_Alias, or
Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and
- underscore characters ('_'). A NAME m\bmu\bus\bst\bt start with an uppercase let-
- ter. It is possible to put several alias definitions of the same type
- on a single line, joined by a colon (':'). E.g.,
+ underscore characters ('_'). A NAME m\bmu\bus\bst\bt start with an uppercase
+ letter. It is possible to put several alias definitions of the same
+ type on a single line, joined by a colon (':'). E.g.,
Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
-
-1.7.0 May 2, 2008 2
+1.7.0 October 24, 2008 2
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
Host ::= '!'* hostname |
'!'* ip_addr |
'!'* network(/netmask)? |
numbers, netgroups (prefixed with '+') and other aliases. Again, the
value of an item may be negated with the '!' operator. If you do not
specify a netmask along with the network number, s\bsu\bud\bdo\bo will query each
- of the local host's network interfaces and, if the network number cor-
- responds to one of the hosts's network interfaces, the corresponding
+ of the local host's network interfaces and, if the network number
+ corresponds to one of the hosts's network interfaces, the corresponding
netmask will be used. The netmask may be specified either in standard
IP address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or
CIDR notation (number of bits, e.g. 24 or 64). A hostname may include
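Review bot: the rewrapped sentence keeps the pre-existing typo "one of the hosts's network interfaces"; since the line is being rewritten anyway, make it "host's".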
If a Cmnd has associated command line arguments, then the arguments in
the Cmnd must match exactly those given by the user on the command line
(or match the wildcards if there are any). Note that the following
- characters must be escaped with a '\' if they are used in command argu-
- ments: ',', ':', '=', '\'. The special command "sudoedit" is used to
- permit a user to run s\bsu\bud\bdo\bo with the -\b-e\be flag (or as s\bsu\bud\bdo\boe\bed\bdi\bit\bt). It may
+ characters must be escaped with a '\' if they are used in command
+ arguments: ',', ':', '=', '\'. The special command "sudoedit" is used
+ to permit a user to run s\bsu\bud\bdo\bo with the -\b-e\be flag (or as s\bsu\bud\bdo\boe\bed\bdi\bit\bt). It may
take command line arguments just as a normal command does.
- D\bDe\bef\bfa\bau\bul\blt\bts\bs
- Certain configuration options may be changed from their default values
- at runtime via one or more Default_Entry lines. These may affect all
-1.7.0 May 2, 2008 3
+
+
+1.7.0 October 24, 2008 3
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ D\bDe\bef\bfa\bau\bul\blt\bts\bs
+
+ Certain configuration options may be changed from their default values
+ at runtime via one or more Default_Entry lines. These may affect all
users on any host, all users on a specific host, a specific user, a
specific command, or commands being run as a specific user. Note that
per-command entries may not include command line arguments. If you
Parameters may be f\bfl\bla\bag\bgs\bs, i\bin\bnt\bte\beg\bge\ber\br values, s\bst\btr\bri\bin\bng\bgs\bs, or l\bli\bis\bst\bts\bs. Flags are
implicitly boolean and can be turned off via the '!' operator. Some
- integer, string and list parameters may also be used in a boolean con-
- text to disable them. Values may be enclosed in double quotes (") when
- they contain multiple words. Special characters may be escaped with a
- backslash (\).
+ integer, string and list parameters may also be used in a boolean
+ context to disable them. Values may be enclosed in double quotes (")
+ when they contain multiple words. Special characters may be escaped
+ with a backslash (\).
- Lists have two additional assignment operators, += and -=. These oper-
- ators are used to add to and delete from a list respectively. It is
- not an error to use the -= operator to remove an element that does not
- exist in a list.
+ Lists have two additional assignment operators, += and -=. These
+ operators are used to add to and delete from a list respectively. It
+ is not an error to use the -= operator to remove an element that does
+ not exist in a list.
See "SUDOERS OPTIONS" for a list of supported Defaults parameters.
Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
'SETENV:' | 'NOSETENV:' )
- A u\bus\bse\ber\br s\bsp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn determines which commands a user may run (and as
- what user) on specified hosts. By default, commands are run as r\bro\boo\bot\bt,
- but this can be changed on a per-command basis.
-
-1.7.0 May 2, 2008 4
+1.7.0 October 24, 2008 4
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ A u\bus\bse\ber\br s\bsp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn determines which commands a user may run (and as
+ what user) on specified hosts. By default, commands are run as r\bro\boo\bot\bt,
+ but this can be changed on a per-command basis.
+
Let's break that down into its constituent parts:
R\bRu\bun\bna\bas\bs_\b_S\bSp\bpe\bec\bc
specified, the command may be run as any user in the list but no -\b-g\bg
flag may be specified. If the first Runas_List is empty but the second
is specified, the command may be run as the invoking user with the
- group set to any listed in the Runas_List. If no Runas_Spec is speci-
- fied the command may be run as r\bro\boo\bot\bt and no group may be specified.
+ group set to any listed in the Runas_List. If no Runas_Spec is
+ specified the command may be run as r\bro\boo\bot\bt and no group may be specified.
A Runas_Spec sets the default for the commands that follow it. What
this means is that for the entry:
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
/usr/local/bin/minicom
- T\bTa\bag\bg_\b_S\bSp\bpe\bec\bc
- A command may have zero or more tags associated with it. There are
- eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV and
- NOSETENV. Once a tag is set on a Cmnd, subsequent Cmnds in the
-1.7.0 May 2, 2008 5
+1.7.0 October 24, 2008 5
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ T\bTa\bag\bg_\b_S\bSp\bpe\bec\bc
+
+ A command may have zero or more tags associated with it. There are
+ eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV and
+ NOSETENV. Once a tag is set on a Cmnd, subsequent Cmnds in the
Cmnd_Spec_List, inherit the tag unless it is overridden by the opposite
tag (i.e.: PASSWD overrides NOPASSWD and NOEXEC overrides EXEC).
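Review bot: "There are eight possible tag values" is followed by a list of six (NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV and NOSETENV), and the Tag_Spec grammar above lists the same six; the rewrapped line carries the count over unchanged, so fix it to "six" here rather than leave a wrong number in regenerated output.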
ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
would allow the user r\bra\bay\by to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, _\b/_\bb_\bi_\bn_\b/_\bl_\bs, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm
- as root on the machine rushmore as r\bro\boo\bot\bt without authenticating himself.
- If we only want r\bra\bay\by to be able to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl without a password the
- entry would be:
+ as r\bro\boo\bot\bt on the machine rushmore without authenticating himself. If we
+ only want r\bra\bay\by to be able to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl without a password the entry
+ would be:
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
By default, if the NOPASSWD tag is applied to any of the entries for a
user on the current host, he or she will be able to run sudo -l without
- a password. Additionally, a user may only run sudo -v without a pass-
- word if the NOPASSWD tag is present for all a user's entries that per-
- tain to the current host. This behavior may be overridden via the ver-
- ifypw and listpw options.
+ a password. Additionally, a user may only run sudo -v without a
+ password if the NOPASSWD tag is present for all a user's entries that
+ pertain to the current host. This behavior may be overridden via the
+ verifypw and listpw options.
_\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC
- If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the underlying oper-
- ating system supports it, the NOEXEC tag can be used to prevent a
+ If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the underlying
+ operating system supports it, the NOEXEC tag can be used to prevent a
dynamically-linked executable from running further commands itself.
In the following example, user a\baa\bar\bro\bon\bn may run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and
These tags override the value of the _\bs_\be_\bt_\be_\bn_\bv option on a per-command
basis. Note that if SETENV has been set for a command, any environment
- variables set on the command line way are not subject to the restric-
- tions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such, only
- trusted users should be allowed to set variables in this manner. If
- the command matched is A\bAL\bLL\bL, the SETENV tag is implied for that command;
- this default may be overridden by use of the UNSETENV tag.
+ variables set on the command line way are not subject to the
-
-1.7.0 May 2, 2008 6
+1.7.0 October 24, 2008 6
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such,
+ only trusted users should be allowed to set variables in this manner.
+ If the command matched is A\bAL\bLL\bL, the SETENV tag is implied for that
+ command; this default may be overridden by use of the UNSETENV tag.
+
W\bWi\bil\bld\bdc\bca\bar\brd\bds\bs
s\bsu\bud\bdo\bo allows shell-style _\bw_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs (aka meta or glob characters) to be
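Review bot: the SETENV/NOSETENV paragraph, rewrapped across the page break, still says the implied SETENV on an ALL command "may be overridden by use of the UNSETENV tag"; there is no UNSETENV tag, the Tag_Spec grammar and the tag list both have NOSETENV, so this should read NOSETENV. The same paragraph also keeps the stray word in "variables set on the command line way are not subject"; drop "way".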
\x For any character "x", evaluates to "x". This is used to
escape special characters such as: "*", "?", "[", and "}".
+ POSIX character classes may also be used if your system's _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3)
+ function supports them. However, because the ':' character has special
+ meaning in _\bs_\bu_\bd_\bo_\be_\br_\bs, it must be escaped. For example:
+
+ /bin/ls [[\:alpha\:]]*
+
+ Would match any filename beginning with a letter.
+
Note that a forward slash ('/') will n\bno\bot\bt be matched by wildcards used
in the pathname. When matching the command line arguments, however, a
slash d\bdo\boe\bes\bs get matched by wildcards. This is to make a path like:
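Review bot: the gloss on the new POSIX character class example, "Would match any filename beginning with a letter.", understates what `/bin/ls [[\:alpha\:]]*` permits: as the very next paragraph says, a slash does get matched by wildcards in command-line arguments, so the pattern matches the whole argument string whenever it begins with a letter, including arguments with path components. Suggest "would match any argument beginning with a letter" plus a pointer to the slash note; also lowercase "Would" (or fold it into the preceding sentence), since it continues the sentence interrupted by the example.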
the one used by the C preprocessor. This is useful, for example, for
keeping a site-wide _\bs_\bu_\bd_\bo_\be_\br_\bs file in addition to a per-machine local
one. For the sake of this example the site-wide _\bs_\bu_\bd_\bo_\be_\br_\bs will be
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs and the per-machine one will be _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. To
- include _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl from _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs we would use the following
- line in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs:
- #include /etc/sudoers.local
- When s\bsu\bud\bdo\bo reaches this line it will suspend processing of the current
- file (_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs) and switch to _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. Upon reaching
- the end of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl, the rest of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs will be pro-
- cessed. Files that are included may themselves include other files. A
- hard limit of 128 nested include files is enforced to prevent include
- file loops.
+1.7.0 October 24, 2008 7
-1.7.0 May 2, 2008 7
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs and the per-machine one will be _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. To
+ include _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl from _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs we would use the following
+ line in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs:
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ #include /etc/sudoers.local
+ When s\bsu\bud\bdo\bo reaches this line it will suspend processing of the current
+ file (_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs) and switch to _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. Upon reaching
+ the end of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl, the rest of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs will be
+ processed. Files that are included may themselves include other files.
+ A hard limit of 128 nested include files is enforced to prevent include
+ file loops.
O\bOt\bth\bhe\ber\br s\bsp\bpe\bec\bci\bia\bal\bl c\bch\bha\bar\bra\bac\bct\bte\ber\brs\bs a\ban\bnd\bd r\bre\bes\bse\ber\brv\bve\bed\bd w\bwo\bor\brd\bds\bs
The reserved word A\bAL\bLL\bL is a built-in _\ba_\bl_\bi_\ba_\bs that always causes a match to
succeed. It can be used wherever one might otherwise use a Cmnd_Alias,
User_Alias, Runas_Alias, or Host_Alias. You should not try to define
- your own _\ba_\bl_\bi_\ba_\bs called A\bAL\bLL\bL as the built-in alias will be used in prefer-
- ence to your own. Please note that using A\bAL\bLL\bL can be dangerous since in
- a command context, it allows the user to run a\ban\bny\by command on the system.
+ your own _\ba_\bl_\bi_\ba_\bs called A\bAL\bLL\bL as the built-in alias will be used in
+ preference to your own. Please note that using A\bAL\bLL\bL can be dangerous
+ since in a command context, it allows the user to run a\ban\bny\by command on
+ the system.
An exclamation point ('!') can be used as a logical _\bn_\bo_\bt operator both
in an _\ba_\bl_\bi_\ba_\bs and in front of a Cmnd. This allows one to exclude certain
ALL alias to allow a user to run "all but a few" commands rarely works
as intended (see SECURITY NOTES below).
- Long lines can be continued with a backslash ('\') as the last charac-
- ter on the line.
+ Long lines can be continued with a backslash ('\') as the last
+ character on the line.
Whitespace between elements in a list as well as special syntactic
characters in a _\bU_\bs_\be_\br _\bS_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn ('=', ':', '(', ')') is optional.
always_set_home If set, s\bsu\bud\bdo\bo will set the HOME environment variable to
the home directory of the target user (which is root
- unless the -\b-u\bu option is used). This effectively means
- that the -\b-H\bH flag is always implied. This flag is _\bo_\bf_\bf
- by default.
- authenticate If set, users must authenticate themselves via a pass-
- word (or other means of authentication) before they may
- run commands. This default may be overridden via the
- PASSWD and NOPASSWD tags. This flag is _\bo_\bn by default.
- closefrom_override
- If set, the user may use s\bsu\bud\bdo\bo's -\b-C\bC option which over-
- rides the default starting point at which s\bsu\bud\bdo\bo begins
- closing open file descriptors. This flag is _\bo_\bf_\bf by
- default.
+1.7.0 October 24, 2008 8
-1.7.0 May 2, 2008 8
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ unless the -\b-u\bu option is used). This effectively means
+ that the -\b-H\bH flag is always implied. This flag is _\bo_\bf_\bf
+ by default.
+ authenticate If set, users must authenticate themselves via a
+ password (or other means of authentication) before they
+ may run commands. This default may be overridden via
+ the PASSWD and NOPASSWD tags. This flag is _\bo_\bn by
+ default.
+
+ closefrom_override
+ If set, the user may use s\bsu\bud\bdo\bo's -\b-C\bC option which
+ overrides the default starting point at which s\bsu\bud\bdo\bo
+ begins closing open file descriptors. This flag is _\bo_\bf_\bf
+ by default.
env_editor If set, v\bvi\bis\bsu\bud\bdo\bo will use the value of the EDITOR or
VISUAL environment variables before falling back on the
- default editor list. Note that this may create a secu-
- rity hole as it allows the user to run any arbitrary
- command as root without logging. A safer alternative
- is to place a colon-separated list of editors in the
- editor variable. v\bvi\bis\bsu\bud\bdo\bo will then only use the EDITOR
- or VISUAL if they match a value specified in editor.
- This flag is _\bo_\bf_\bf by default.
+ default editor list. Note that this may create a
+ security hole as it allows the user to run any
+ arbitrary command as root without logging. A safer
+ alternative is to place a colon-separated list of
+ editors in the editor variable. v\bvi\bis\bsu\bud\bdo\bo will then only
+ use the EDITOR or VISUAL if they match a value
+ specified in editor. This flag is _\bo_\bf_\bf by default.
env_reset If set, s\bsu\bud\bdo\bo will reset the environment to only contain
- the LOGNAME, SHELL, USER, USERNAME and the SUDO_* vari-
- ables. Any variables in the caller's environment that
- match the env_keep and env_check lists are then added.
- The default contents of the env_keep and env_check
- lists are displayed when s\bsu\bud\bdo\bo is run by root with the
- _\b-_\bV option. If the _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh option is set, its value
- will be used for the PATH environment variable. This
- flag is _\bo_\bn by default.
-
- fqdn Set this flag if you want to put fully qualified host-
- names in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. I.e., instead of myhost you
- would use myhost.mydomain.edu. You may still use the
- short form if you wish (and even mix the two). Beware
- that turning on _\bf_\bq_\bd_\bn requires s\bsu\bud\bdo\bo to make DNS lookups
- which may make s\bsu\bud\bdo\bo unusable if DNS stops working (for
- example if the machine is not plugged into the net-
- work). Also note that you must use the host's official
- name as DNS knows it. That is, you may not use a host
- alias (CNAME entry) due to performance issues and the
- fact that there is no way to get all aliases from DNS.
- If your machine's hostname (as returned by the hostname
- command) is already fully qualified you shouldn't need
- to set _\bf_\bq_\bd_\bn. This flag is _\bo_\bf_\bf by default.
+ the LOGNAME, SHELL, USER, USERNAME and the SUDO_*
+ variables. Any variables in the caller's environment
+ that match the env_keep and env_check lists are then
+ added. The default contents of the env_keep and
+ env_check lists are displayed when s\bsu\bud\bdo\bo is run by root
+ with the _\b-_\bV option. If the _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh option is set,
+ its value will be used for the PATH environment
+ variable. This flag is _\bo_\bn by default.
+
+ fqdn Set this flag if you want to put fully qualified
+ hostnames in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. I.e., instead of myhost
+ you would use myhost.mydomain.edu. You may still use
+ the short form if you wish (and even mix the two).
+ Beware that turning on _\bf_\bq_\bd_\bn requires s\bsu\bud\bdo\bo to make DNS
+ lookups which may make s\bsu\bud\bdo\bo unusable if DNS stops
+ working (for example if the machine is not plugged into
+ the network). Also note that you must use the host's
+ official name as DNS knows it. That is, you may not
+ use a host alias (CNAME entry) due to performance
+ issues and the fact that there is no way to get all
+ aliases from DNS. If your machine's hostname (as
+ returned by the hostname command) is already fully
+ qualified you shouldn't need to set _\bf_\bq_\bd_\bn. This flag is
+ _\bo_\bf_\bf by default.
ignore_dot If set, s\bsu\bud\bdo\bo will ignore '.' or '' (current dir) in the
- PATH environment variable; the PATH itself is not modi-
- fied. This flag is _\bo_\bf_\bf by default.
+ PATH environment variable; the PATH itself is not
- ignore_local_sudoers
- If set via LDAP, parsing of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs will be
- skipped. This is intended for Enterprises that wish to
- prevent the usage of local sudoers files so that only
- LDAP is used. This thwarts the efforts of rogue opera-
- tors who would attempt to add roles to _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs.
- When this option is present, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs does not even
- need to exist. Since this option tells s\bsu\bud\bdo\bo how to
- behave when no specific LDAP entries have been matched,
- this sudoOption is only meaningful for the cn=defaults
- section. This flag is _\bo_\bf_\bf by default.
- insults If set, s\bsu\bud\bdo\bo will insult users when they enter an
- incorrect password. This flag is _\bo_\bf_\bf by default.
+1.7.0 October 24, 2008 9
-1.7.0 May 2, 2008 9
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ modified. This flag is _\bo_\bf_\bf by default.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ ignore_local_sudoers
+ If set via LDAP, parsing of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs will be
+ skipped. This is intended for Enterprises that wish to
+ prevent the usage of local sudoers files so that only
+ LDAP is used. This thwarts the efforts of rogue
+ operators who would attempt to add roles to
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. When this option is present,
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs does not even need to exist. Since this
+ option tells s\bsu\bud\bdo\bo how to behave when no specific LDAP
+ entries have been matched, this sudoOption is only
+ meaningful for the cn=defaults section. This flag is
+ _\bo_\bf_\bf by default.
+ insults If set, s\bsu\bud\bdo\bo will insult users when they enter an
+ incorrect password. This flag is _\bo_\bf_\bf by default.
log_host If set, the hostname will be logged in the (non-syslog)
s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
- log_year If set, the four-digit year will be logged in the
- (non-syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by
- default.
+ log_year If set, the four-digit year will be logged in the (non-
+ syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
long_otp_prompt When validating with a One Time Password (OPT) scheme
such as S\bS/\b/K\bKe\bey\by or O\bOP\bPI\bIE\bE, a two-line prompt is used to
_\bo_\bn by default.
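Review bot: the new line break in the log_year entry splits "(non-" / "syslog)" across lines, which is exactly the kind of break that turning off hyphenation was meant to avoid; the log_host entry just above keeps "(non-syslog)" intact, so reflow log_year the same way. Pre-existing typo in the adjacent context: "One Time Password (OPT)" should be "(OTP)".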
noexec If set, all commands run via s\bsu\bud\bdo\bo will behave as if the
- NOEXEC tag has been set, unless overridden by a EXEC
- tag. See the description of _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC below as
- well as the "PREVENTING SHELL ESCAPES" section at the
- end of this manual. This flag is _\bo_\bf_\bf by default.
- path_info Normally, s\bsu\bud\bdo\bo will tell the user when a command could
- not be found in their PATH environment variable. Some
- sites may wish to disable this as it could be used to
- gather information on the location of executables that
- the normal user does not have access to. The disadvan-
- tage is that if the executable is simply not in the
- user's PATH, s\bsu\bud\bdo\bo will tell the user that they are not
- allowed to run it, which can be confusing. This flag
- is _\bo_\bn by default.
- passprompt_override
- The password prompt specified by _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will
+1.7.0 October 24, 2008 10
-1.7.0 May 2, 2008 10
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ NOEXEC tag has been set, unless overridden by a EXEC
+ tag. See the description of _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC below as
+ well as the "PREVENTING SHELL ESCAPES" section at the
+ end of this manual. This flag is _\bo_\bf_\bf by default.
+ path_info Normally, s\bsu\bud\bdo\bo will tell the user when a command could
+ not be found in their PATH environment variable. Some
+ sites may wish to disable this as it could be used to
+ gather information on the location of executables that
+ the normal user does not have access to. The
+ disadvantage is that if the executable is simply not in
+ the user's PATH, s\bsu\bud\bdo\bo will tell the user that they are
+ not allowed to run it, which can be confusing. This
+ flag is _\bo_\bn by default.
+ passprompt_override
+ The password prompt specified by _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will
normally only be used if the passwod prompt provided by
systems such as PAM matches the string "Password:". If
_\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is set, _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will always be
used. This flag is _\bo_\bf_\bf by default.
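Review bot: the rewrapped noexec text keeps "unless overridden by a EXEC tag"; make it "an EXEC tag". The passprompt_override context two lines below also has the pre-existing "passwod prompt" typo, worth folding into this rewrite.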
preserve_groups By default s\bsu\bud\bdo\bo will initialize the group vector to the
- list of groups the target user is in. When _\bp_\br_\be_\b-
- _\bs_\be_\br_\bv_\be_\b__\bg_\br_\bo_\bu_\bp_\bs is set, the user's existing group vector
- is left unaltered. The real and effective group IDs,
- however, are still set to match the target user. This
- flag is _\bo_\bf_\bf by default.
+ list of groups the target user is in. When
+ _\bp_\br_\be_\bs_\be_\br_\bv_\be_\b__\bg_\br_\bo_\bu_\bp_\bs is set, the user's existing group
+ vector is left unaltered. The real and effective group
+ IDs, however, are still set to match the target user.
+ This flag is _\bo_\bf_\bf by default.
requiretty If set, s\bsu\bud\bdo\bo will only run when the user is logged in
to a real tty. This will disallow things like "rsh
this prevents users from "chaining" s\bsu\bud\bdo\bo commands to
get a root shell by doing something like "sudo sudo
/bin/sh". Note, however, that turning off _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo
- will also prevent root and from running s\bsu\bud\bdo\boe\bed\bdi\bit\bt. Dis-
- abling _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo provides no real additional security;
- it exists purely for historical reasons. This flag is
- _\bo_\bn by default.
+ will also prevent root and from running s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
+ Disabling _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo provides no real additional
+ security; it exists purely for historical reasons.
+ This flag is _\bo_\bn by default.
rootpw If set, s\bsu\bud\bdo\bo will prompt for the root password instead
of the password of the invoking user. This flag is _\bo_\bf_\bf
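Review bot: the rewrapped root_sudo text still reads "will also prevent root and from running sudoedit", which is missing a word or has a stray "and"; presumably "will also prevent root from running sudoedit". Fix it while the paragraph is being rewritten.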
instead of the password of the invoking user. This
flag is _\bo_\bf_\bf by default.
+
+
+1.7.0 October 24, 2008 11
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
set_home If set and s\bsu\bud\bdo\bo is invoked with the -\b-s\bs flag the HOME
environment variable will be set to the home directory
of the target user (which is root unless the -\b-u\bu option
system) use LOGNAME to determine the real identity of
the user, it may be desirable to change this behavior.
This can be done by negating the set_logname option.
- Note that if the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option has not been dis-
- abled, entries in the _\be_\bn_\bv_\b__\bk_\be_\be_\bp list will override the
- value of _\bs_\be_\bt_\b__\bl_\bo_\bg_\bn_\ba_\bm_\be. This flag is _\bo_\bf_\bf by default.
-
-
-
-1.7.0 May 2, 2008 11
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
+ Note that if the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option has not been
+ disabled, entries in the _\be_\bn_\bv_\b__\bk_\be_\be_\bp list will override
+ the value of _\bs_\be_\bt_\b__\bl_\bo_\bg_\bn_\ba_\bm_\be. This flag is _\bo_\bf_\bf by default.
setenv Allow the user to disable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option from the
command line. Additionally, environment variables set
- via the command line are not subject to the restric-
- tions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or _\be_\bn_\bv_\b__\bk_\be_\be_\bp.
- As such, only trusted users should be allowed to set
- variables in this manner. This flag is _\bo_\bf_\bf by default.
+ via the command line are not subject to the
+ restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or
+ _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such, only trusted users should be
+ allowed to set variables in this manner. This flag is
+ _\bo_\bf_\bf by default.
shell_noargs If set and s\bsu\bud\bdo\bo is invoked with no arguments it acts as
if the -\b-s\bs flag had been given. That is, it runs a
default). This option changes that behavior such that
the real UID is left as the invoking user's UID. In
other words, this makes s\bsu\bud\bdo\bo act as a setuid wrapper.
- This can be useful on systems that disable some poten-
- tially dangerous functionality when a program is run
- setuid. This option is only effective on systems with
- either the _\bs_\be_\bt_\br_\be_\bu_\bi_\bd_\b(_\b) or _\bs_\be_\bt_\br_\be_\bs_\bu_\bi_\bd_\b(_\b) function. This
- flag is _\bo_\bf_\bf by default.
+ This can be useful on systems that disable some
+ potentially dangerous functionality when a program is
+ run setuid. This option is only effective on systems
+ with either the _\bs_\be_\bt_\br_\be_\bu_\bi_\bd_\b(_\b) or _\bs_\be_\bt_\br_\be_\bs_\bu_\bi_\bd_\b(_\b) function.
+ This flag is _\bo_\bf_\bf by default.
targetpw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
specified by the -\b-u\bu flag (defaults to root) instead of
- the password of the invoking user. Note that this pre-
- cludes the use of a uid not listed in the passwd
+ the password of the invoking user. Note that this
+ precludes the use of a uid not listed in the passwd
database as an argument to the -\b-u\bu flag. This flag is
_\bo_\bf_\bf by default.
Normally, s\bsu\bud\bdo\bo uses a directory in the ticket dir with
the same name as the user running it. With this flag
enabled, s\bsu\bud\bdo\bo will use a file named for the tty the
+
+
+
+1.7.0 October 24, 2008 12
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
user is logged in on in that directory. This flag is
_\bo_\bf_\bf by default.
use_loginclass If set, s\bsu\bud\bdo\bo will apply the defaults specified for the
- target user's login class if one exists. Only avail-
- able if s\bsu\bud\bdo\bo is configured with the --with-logincap
- option. This flag is _\bo_\bf_\bf by default.
+ target user's login class if one exists. Only
+ available if s\bsu\bud\bdo\bo is configured with the
+ --with-logincap option. This flag is _\bo_\bf_\bf by default.
I\bIn\bnt\bte\beg\bge\ber\brs\bs:
is 3.
passwd_tries The number of tries a user gets to enter his/her
-
-
-
-1.7.0 May 2, 2008 12
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
password before s\bsu\bud\bdo\bo logs the failure and exits. The
default is 3.
to always prompt for a password. If set to a value
less than 0 the user's timestamp will never expire.
This can be used to allow users to create or delete
- their own timestamps via sudo -v and sudo -k respec-
- tively.
+ their own timestamps via sudo -v and sudo -k
+ respectively.
umask Umask to use when running the command. Negate this
option or set it to 0777 to preserve the user's umask.
editor A colon (':') separated list of editors allowed to be
used with v\bvi\bis\bsu\bud\bdo\bo. v\bvi\bis\bsu\bud\bdo\bo will choose the editor that
- matches the user's EDITOR environment variable if pos-
- sible, or the first editor in the list that exists and
- is executable. The default is the path to vi on your
- system.
+
+
+
+1.7.0 October 24, 2008 13
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
+ matches the user's EDITOR environment variable if
+ possible, or the first editor in the list that exists
+ and is executable. The default is the path to vi on
+ your system.
mailsub Subject of the mail sent to the _\bm_\ba_\bi_\bl_\bt_\bo user. The escape
%h will expand to the hostname of the machine. Default
passprompt The default prompt to use when asking for a password;
can be overridden via the -\b-p\bp option or the SUDO_PROMPT
-
-
-
-1.7.0 May 2, 2008 13
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
environment variable. The following percent (`%')
escapes are supported:
%H expanded to the local hostname including the domain
- name (on if the machine's hostname is fully quali-
- fied or the _\bf_\bq_\bd_\bn option is set)
+ name (on if the machine's hostname is fully
+ qualified or the _\bf_\bq_\bd_\bn option is set)
%h expanded to the local hostname without the domain
name
root. Note that if _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt is set it m\bmu\bus\bst\bt occur
before any Runas_Alias specifications.
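Review bot: the %H escape description carries a typo through the rewrap: `+ name (on if the machine's hostname is fully` should read "only if the machine's hostname is fully qualified or the fqdn option is set". Worth fixing in this hunk, because the condition decides whether the prompt shows the domain-qualified name and a reader can easily misparse "on if".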
- syslog_badpri Syslog priority to use when user authenticates unsuc-
- cessfully. Defaults to alert.
+ syslog_badpri Syslog priority to use when user authenticates
+ unsuccessfully. Defaults to alert.
+
+ syslog_goodpri Syslog priority to use when user authenticates
+ successfully. Defaults to notice.
+
+ sudoers_locale Locale to use when parsing the sudoers file. Note that
+
+
+
+1.7.0 October 24, 2008 14
+
+
+
- syslog_goodpri Syslog priority to use when user authenticates success-
- fully. Defaults to notice.
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
+ changing the locale may affect how sudoers is
+ interpreted. Defaults to "C".
timestampdir The directory in which s\bsu\bud\bdo\bo stores its timestamp files.
The default is _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo.
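Review bot: the new sudoers_locale entry is inserted after syslog_goodpri, which breaks the alphabetical order this group of options otherwise keeps (runas_default, syslog_badpri, syslog_goodpri, timestampdir); move it ahead of syslog_badpri. Its description is also vaguer than the neighbouring entries: "changing the locale may affect how sudoers is interpreted" should say what is locale-dependent (at minimum which parts of the file, such as pattern matching, can change meaning), since an administrator choosing a non-"C" locale needs to know what to re-check in their rules.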
askpass The _\ba_\bs_\bk_\bp_\ba_\bs_\bs option specifies the fully-qualilfy path to a
helper program used to read the user's password when no
terminal is available. This may be the case when s\bsu\bud\bdo\bo is
- executed from a graphical (as opposed to text-based) appli-
- cation. The program specified by _\ba_\bs_\bk_\bp_\ba_\bs_\bs should display
- the argument passed to it as the prompt and write the
- user's password to the standard output. The value of
+ executed from a graphical (as opposed to text-based)
+ application. The program specified by _\ba_\bs_\bk_\bp_\ba_\bs_\bs should
+ display the argument passed to it as the prompt and write
+ the user's password to the standard output. The value of
_\ba_\bs_\bk_\bp_\ba_\bs_\bs may be overridden by the SUDO_ASKPASS environment
variable.
env_file The _\be_\bn_\bv_\b__\bf_\bi_\bl_\be options specifies the fully-qualilfy path to a
-
-
-
-1.7.0 May 2, 2008 14
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
file containing variables to be set in the environment of
the program being run. Entries in this file should be of
- the form VARIABLE=value. Variables in this file are sub-
- ject to other s\bsu\bud\bdo\bo environment settings such as _\be_\bn_\bv_\b__\bk_\be_\be_\bp
+ the form VARIABLE=value. Variables in this file are
+ subject to other s\bsu\bud\bdo\bo environment settings such as _\be_\bn_\bv_\b__\bk_\be_\be_\bp
and _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk.
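Review bot: both entries rewrapped here keep the typo "fully-qualilfy path" in their first context line (askpass and env_file); it should be "fully qualified path". The env_file entry also says "The env_file options specifies", which should be "option specifies". Because the hunk already reflows both paragraphs, correcting these in the same change avoids shipping the rendered page with the errors.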
exempt_group
requirements. This is not set by default.
lecture This option controls when a short lecture will be printed
- along with the password prompt. It has the following pos-
- sible values:
+ along with the password prompt. It has the following
+ possible values:
always Always lecture the user.
a user runs s\bsu\bud\bdo\bo with the -\b-l\bl flag. It has the following
possible values:
+
+
+1.7.0 October 24, 2008 15
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the current host
must have the NOPASSWD flag set to avoid entering a
password.
Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
The default value is _\ba_\bn_\by.
- logfile Path to the s\bsu\bud\bdo\bo log file (not the syslog log file). Set-
- ting a path turns on logging to a file; negating this
+ logfile Path to the s\bsu\bud\bdo\bo log file (not the syslog log file).
+ Setting a path turns on logging to a file; negating this
option turns it off. By default, s\bsu\bud\bdo\bo logs via syslog.
-
-
-1.7.0 May 2, 2008 15
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
mailerflags Flags to use when invoking mailer. Defaults to -\b-t\bt.
mailerpath Path to mail program used to send warning mail. Defaults
s\bsu\bud\bdo\bo interpreting the @ sign. Defaults to root.
secure_path Path used for every command run from s\bsu\bud\bdo\bo. If you don't
- trust the people running s\bsu\bud\bdo\bo to have a sane PATH environ-
- ment variable you may want to use this. Another use is if
- you want to have the "root path" be separate from the "user
- path." Users in the group specified by the _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp
- option are not affected by _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh. This is not set by
- default.
+ trust the people running s\bsu\bud\bdo\bo to have a sane PATH
+ environment variable you may want to use this. Another use
+ is if you want to have the "root path" be separate from the
+ "user path." Users in the group specified by the
+ _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option are not affected by _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh. This
+ is not set by default.
syslog Syslog facility if syslog is being used for logging (negate
to disable syslog logging). Defaults to local2.
must have the NOPASSWD flag set to avoid entering a
password.
+
+
+1.7.0 October 24, 2008 16
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
always The user must always enter a password to use the -\b-v\bv
flag.
env_check Environment variables to be removed from the user's
environment if the variable's value contains % or /
characters. This can be used to guard against printf-
- style format vulnerabilities in poorly-written pro-
- grams. The argument may be a double-quoted, space-
-
-
-
-1.7.0 May 2, 2008 16
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
+ style format vulnerabilities in poorly-written
+ programs. The argument may be a double-quoted, space-
separated list or a single value without double-quotes.
The list can be replaced, added to, deleted from, or
disabled by using the =, +=, -=, and ! operators
env_delete Environment variables to be removed from the user's
environment. The argument may be a double-quoted,
- space-separated list or a single value without dou-
- ble-quotes. The list can be replaced, added to,
- deleted from, or disabled by using the =, +=, -=, and !
- operators respectively. The default list of environ-
- ment variables to remove is displayed when s\bsu\bud\bdo\bo is run
- by root with the _\b-_\bV option. Note that many operating
- systems will remove potentially dangerous variables
- from the environment of any setuid process (such as
- s\bsu\bud\bdo\bo).
+ space-separated list or a single value without double-
+ quotes. The list can be replaced, added to, deleted
+ from, or disabled by using the =, +=, -=, and !
+ operators respectively. The default list of
+ environment variables to remove is displayed when s\bsu\bud\bdo\bo
+ is run by root with the _\b-_\bV option. Note that many
+ operating systems will remove potentially dangerous
+ variables from the environment of any setuid process
+ (such as s\bsu\bud\bdo\bo).
env_keep Environment variables to be preserved in the user's
environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is in effect.
variables to keep is displayed when s\bsu\bud\bdo\bo is run by root
with the _\b-_\bV option.
+
+
+
+1.7.0 October 24, 2008 17
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
When logging via _\bs_\by_\bs_\bl_\bo_\bg(3), s\bsu\bud\bdo\bo accepts the following values for the
syslog facility (the value of the s\bsy\bys\bsl\blo\bog\bg Parameter): a\bau\but\bth\bhp\bpr\bri\biv\bv (if your
OS supports it), a\bau\but\bth\bh, d\bda\bae\bem\bmo\bon\bn, u\bus\bse\ber\br, l\blo\boc\bca\bal\bl0\b0, l\blo\boc\bca\bal\bl1\b1, l\blo\boc\bca\bal\bl2\b2, l\blo\boc\bca\bal\bl3\b3,
l\blo\boc\bca\bal\bl4\b4, l\blo\boc\bca\bal\bl5\b5, l\blo\boc\bca\bal\bl6\b6, and l\blo\boc\bca\bal\bl7\b7. The following syslog priorities
- are supported: a\bal\ble\ber\brt\bt, c\bcr\bri\bit\bt, d\bde\beb\bbu\bug\bg, e\bem\bme\ber\brg\bg, e\ber\brr\br, i\bin\bnf\bfo\bo, n\bno\bot\bti\bic\bce\be, and w\bwa\bar\brn\bn-\b-
- i\bin\bng\bg.
+ are supported: a\bal\ble\ber\brt\bt, c\bcr\bri\bit\bt, d\bde\beb\bbu\bug\bg, e\bem\bme\ber\brg\bg, e\ber\brr\br, i\bin\bnf\bfo\bo, n\bno\bot\bti\bic\bce\be, and
+ w\bwa\bar\brn\bni\bin\bng\bg.
F\bFI\bIL\bLE\bES\bS
_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of these are a bit
contrived. First, we define our _\ba_\bl_\bi_\ba_\bs_\be_\bs:
-
-
-
-
-
-
-1.7.0 May 2, 2008 17
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
# User alias specification
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
Here we override some of the compiled in default values. We want s\bsu\bud\bdo\bo
to log via _\bs_\by_\bs_\bl_\bo_\bg(3) using the _\ba_\bu_\bt_\bh facility in all cases. We don't
want to subject the full time staff to the s\bsu\bud\bdo\bo lecture, user m\bmi\bil\bll\ble\ber\brt\bt
+
+
+
+1.7.0 October 24, 2008 18
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
need not give a password, and we don't want to reset the LOGNAME, USER
- or USERNAME environment variables when running commands as root. Addi-
- tionally, on the machines in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, we keep an addi-
- tional local log file and make sure we log the year in each log line
- since the log entries will be kept around for several years. Lastly,
- we disable shell escapes for the commands in the PAGERS Cmnd_Alias
- (_\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be, _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bp_\bg and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\be_\bs_\bs).
+ or USERNAME environment variables when running commands as root.
+ Additionally, on the machines in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, we keep an
+ additional local log file and make sure we log the year in each log
+ line since the log entries will be kept around for several years.
+ Lastly, we disable shell escapes for the commands in the PAGERS
+ Cmnd_Alias (_\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be, _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bp_\bg and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\be_\bs_\bs).
# Override built-in defaults
Defaults syslog=auth
The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually determines who may run
what.
-
-
-1.7.0 May 2, 2008 18
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
The o\bop\bpe\ber\bra\bat\bto\bor\br user may run commands limited to simple maintenance.
Here, those are commands related to backups, killing processes, the
- printing system, shutting down the system, and any commands in the
- directory _\b/_\bu_\bs_\br_\b/_\bo_\bp_\be_\br_\b/_\bb_\bi_\bn_\b/.
- joe ALL = /usr/bin/su operator
- The user j\bjo\boe\be may only _\bs_\bu(1) to operator.
- pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
+1.7.0 October 24, 2008 19
- The user p\bpe\bet\bte\be is allowed to change anyone's password except for root on
- the _\bH_\bP_\bP_\bA machines. Note that this assumes _\bp_\ba_\bs_\bs_\bw_\bd(1) does not take mul-
- tiple usernames on the command line.
- bob SPARC = (OP) ALL : SGI = (OP) ALL
- The user b\bbo\bob\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI machines as any user
- listed in the _\bO_\bP Runas_Alias (r\bro\boo\bot\bt and o\bop\bpe\ber\bra\bat\bto\bor\br).
- jim +biglab = ALL
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-1.7.0 May 2, 2008 19
+ printing system, shutting down the system, and any commands in the
+ directory _\b/_\bu_\bs_\br_\b/_\bo_\bp_\be_\br_\b/_\bb_\bi_\bn_\b/.
+ joe ALL = /usr/bin/su operator
+ The user j\bjo\boe\be may only _\bs_\bu(1) to operator.
+ pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
+ The user p\bpe\bet\bte\be is allowed to change anyone's password except for root on
+ the _\bH_\bP_\bP_\bA machines. Note that this assumes _\bp_\ba_\bs_\bs_\bw_\bd(1) does not take
+ multiple usernames on the command line.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ bob SPARC = (OP) ALL : SGI = (OP) ALL
+ The user b\bbo\bob\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI machines as any user
+ listed in the _\bO_\bP Runas_Alias (r\bro\boo\bot\bt and o\bop\bpe\ber\bra\bat\bto\bor\br).
+
+ jim +biglab = ALL
The user j\bji\bim\bm may run any command on machines in the _\bb_\bi_\bg_\bl_\ba_\bb netgroup.
s\bsu\bud\bdo\bo knows that "biglab" is a netgroup due to the '+' prefix.
fred ALL = (DB) NOPASSWD: ALL
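Review bot: the pete example changes meaning, not just layout: `- pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root` becomes `+ pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root`. In ASCII the range A-z also spans the six punctuation characters between Z and a, so the old pattern matched arguments the prose never intended. Since this is a correctness fix inside a documented example that administrators copy into their own sudoers, it should be called out explicitly in the change description rather than being buried among the page-break rewraps, so existing deployments know to update the pattern.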
- The user f\bfr\bre\bed\bd can run commands as any user in the _\bD_\bB Runas_Alias (o\bor\bra\ba-\b-
- c\bcl\ble\be or s\bsy\byb\bba\bas\bse\be) without giving a password.
+ The user f\bfr\bre\bed\bd can run commands as any user in the _\bD_\bB Runas_Alias
+ (o\bor\bra\bac\bcl\ble\be or s\bsy\byb\bba\bas\bse\be) without giving a password.
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
steve CSNETS = (operator) /usr/local/op_commands/
- The user s\bst\bte\bev\bve\be may run any command in the directory /usr/local/op_com-
- mands/ but only as user operator.
+ The user s\bst\bte\bev\bve\be may run any command in the directory
+ /usr/local/op_commands/ but only as user operator.
+
+
+
+1.7.0 October 24, 2008 20
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
matt valkyrie = KILL
This is a bit tedious for users to type, so it is a prime candidate for
encapsulating in a shell script.
-
-
-
-1.7.0 May 2, 2008 20
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
It is generally not effective to "subtract" commands from ALL using the
'!' operator. A user can trivially circumvent this by copying the
- desired command to a different name and then executing that. For exam-
- ple:
+ desired command to a different name and then executing that. For
+ example:
bill ALL = ALL, !SU, !SHELLS
Doesn't really prevent b\bbi\bil\bll\bl from running the commands listed in _\bS_\bU or
_\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those commands to a different name, or
use a shell escape from an editor or other program. Therefore, these
- kind of restrictions should be considered advisory at best (and rein-
- forced by policy).
+ kind of restrictions should be considered advisory at best (and
+ reinforced by policy).
P\bPR\bRE\bEV\bVE\bEN\bNT\bTI\bIN\bNG\bG S\bSH\bHE\bEL\bLL\bL E\bES\bSC\bCA\bAP\bPE\bES\bS
Once s\bsu\bud\bdo\bo executes a program, that program is free to do whatever it
pleases, including run other programs. This can be a security issue
since it is not uncommon for a program to allow shell escapes, which
lets a user bypass s\bsu\bud\bdo\bo's access control and logging. Common programs
- that permit shell escapes include shells (obviously), editors, pagina-
- tors, mail and terminal programs.
+ that permit shell escapes include shells (obviously), editors,
+ paginators, mail and terminal programs.
There are two basic approaches to this problem:
restrict Avoid giving users access to commands that allow the user to
run arbitrary commands. Many editors have a restricted mode
where shell escapes are disabled, though s\bsu\bud\bdo\boe\bed\bdi\bit\bt is a better
- solution to running editors via s\bsu\bud\bdo\bo. Due to the large num-
- ber of programs that offer shell escapes, restricting users
- to the set of programs that do not if often unworkable.
+ solution to running editors via s\bsu\bud\bdo\bo. Due to the large
+ number of programs that offer shell escapes, restricting
+ users to the set of programs that do not if often unworkable.
noexec Many systems that support shared libraries have the ability
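Review bot: the restrict paragraph is rewrapped with its typo intact: `+ users to the set of programs that do not if often unworkable.` should read "is often unworkable". Fix it in this hunk while the lines are being rewritten anyway.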
- to override default library functions by pointing an environ-
- ment variable (usually LD_PRELOAD) to an alternate shared
- library. On such systems, s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality can be
- used to prevent a program run by s\bsu\bud\bdo\bo from executing any
- other programs. Note, however, that this applies only to
- native dynamically-linked executables. Statically-linked
- executables and foreign executables running under binary emu-
- lation are not affected.
+ to override default library functions by pointing an
+ environment variable (usually LD_PRELOAD) to an alternate
+ shared library. On such systems, s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality
- To tell whether or not s\bsu\bud\bdo\bo supports _\bn_\bo_\be_\bx_\be_\bc, you can run the
- following as root:
- sudo -V | grep "dummy exec"
- If the resulting output contains a line that begins with:
+1.7.0 October 24, 2008 21
- File containing dummy exec functions:
- then s\bsu\bud\bdo\bo may be able to replace the exec family of functions
- in the standard library with its own that simply return an
- error. Unfortunately, there is no foolproof way to know
- whether or not _\bn_\bo_\be_\bx_\be_\bc will work at compile-time. _\bn_\bo_\be_\bx_\be_\bc
-1.7.0 May 2, 2008 21
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ can be used to prevent a program run by s\bsu\bud\bdo\bo from executing
+ any other programs. Note, however, that this applies only to
+ native dynamically-linked executables. Statically-linked
+ executables and foreign executables running under binary
+ emulation are not affected.
+ To tell whether or not s\bsu\bud\bdo\bo supports _\bn_\bo_\be_\bx_\be_\bc, you can run the
+ following as root:
+ sudo -V | grep "dummy exec"
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ If the resulting output contains a line that begins with:
+ File containing dummy exec functions:
+ then s\bsu\bud\bdo\bo may be able to replace the exec family of functions
+ in the standard library with its own that simply return an
+ error. Unfortunately, there is no foolproof way to know
+ whether or not _\bn_\bo_\be_\bx_\be_\bc will work at compile-time. _\bn_\bo_\be_\bx_\be_\bc
should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX,
MacOS X, and HP-UX 11.x. It is known n\bno\bot\bt to work on AIX and
- UnixWare. _\bn_\bo_\be_\bx_\be_\bc is expected to work on most operating sys-
- tems that support the LD_PRELOAD environment variable. Check
- your operating system's manual pages for the dynamic linker
- (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see
- if LD_PRELOAD is supported.
+ UnixWare. _\bn_\bo_\be_\bx_\be_\bc is expected to work on most operating
+ systems that support the LD_PRELOAD environment variable.
+ Check your operating system's manual pages for the dynamic
+ linker (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader)
+ to see if LD_PRELOAD is supported.
- To enable _\bn_\bo_\be_\bx_\be_\bc for a command, use the NOEXEC tag as docu-
- mented in the User Specification section above. Here is that
- example again:
+ To enable _\bn_\bo_\be_\bx_\be_\bc for a command, use the NOEXEC tag as
+ documented in the User Specification section above. Here is
+ that example again:
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
The _\bs_\bu_\bd_\bo_\be_\br_\bs file should a\bal\blw\bwa\bay\bys\bs be edited by the v\bvi\bis\bsu\bud\bdo\bo command which
locks the file and does grammatical checking. It is imperative that
- _\bs_\bu_\bd_\bo_\be_\br_\bs be free of syntax errors since s\bsu\bud\bdo\bo will not run with a syntac-
- tically incorrect _\bs_\bu_\bd_\bo_\be_\br_\bs file.
+ _\bs_\bu_\bd_\bo_\be_\br_\bs be free of syntax errors since s\bsu\bud\bdo\bo will not run with a
+ syntactically incorrect _\bs_\bu_\bd_\bo_\be_\br_\bs file.
+
+
+
+
+1.7.0 October 24, 2008 22
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
When using netgroups of machines (as opposed to users), if you store
fully qualified hostnames in the netgroup (as is usually the case), you
D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
- including, but not limited to, the implied warranties of merchantabil-
- ity and fitness for a particular purpose are disclaimed. See the
- LICENSE file distributed with s\bsu\bud\bdo\bo or
-
-
-
-1.7.0 May 2, 2008 22
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
+ including, but not limited to, the implied warranties of
+ merchantability and fitness for a particular purpose are disclaimed.
+ See the LICENSE file distributed with s\bsu\bud\bdo\bo or
http://www.sudo.ws/sudo/license.html for complete details.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-1.7.0 May 2, 2008 23
+1.7.0 October 24, 2008 23
+\bo s\bsu\bud\bdo\bo no longer needs to read _\bs_\bu_\bd_\bo_\be_\br_\bs in its entirety. When LDAP is
used, there are only two or three LDAP queries per invocation.
- This makes it especially fast and particularly usable in LDAP envi-
- ronments.
+ This makes it especially fast and particularly usable in LDAP
+ environments.
- +\bo s\bsu\bud\bdo\bo no longer exits if there is a typo in _\bs_\bu_\bd_\bo_\be_\br_\bs. It is not pos-
- sible to load LDAP data into the server that does not conform to
+ +\bo s\bsu\bud\bdo\bo no longer exits if there is a typo in _\bs_\bu_\bd_\bo_\be_\br_\bs. It is not
+ possible to load LDAP data into the server that does not conform to
the sudoers schema, so proper syntax is guaranteed. It is still
possible to have typos in a user or host name, but this will not
prevent s\bsu\bud\bdo\bo from running.
+\bo It is possible to specify per-entry options that override the
- global default options. _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs only supports default options
- and limited options associated with user/host/commands/aliases.
- The syntax is complicated and can be difficult for users to under-
- stand. Placing the options directly in the entry is more natural.
+ global default options. _\b@_\bs_\by_\bs_\bc_\bo_\bn_\bf_\bd_\bi_\br_\b@_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs only supports default
+ options and limited options associated with
+ user/host/commands/aliases. The syntax is complicated and can be
+ difficult for users to understand. Placing the options directly in
+ the entry is more natural.
+\bo The v\bvi\bis\bsu\bud\bdo\bo program is no longer needed. v\bvi\bis\bsu\bud\bdo\bo provides locking
- and syntax checking of the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs file. Since LDAP updates
- are atomic, locking is no longer necessary. Because syntax is
- checked when the data is inserted into LDAP, there is no need for a
- specialized tool to check syntax.
+ and syntax checking of the _\b@_\bs_\by_\bs_\bc_\bo_\bn_\bf_\bd_\bi_\br_\b@_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs file. Since LDAP
+ updates are atomic, locking is no longer necessary. Because syntax
+ is checked when the data is inserted into LDAP, there is no need
+ for a specialized tool to check syntax.
Another major difference between LDAP and file-based _\bs_\bu_\bd_\bo_\be_\br_\bs is that in
LDAP, s\bsu\bud\bdo\bo-specific Aliases are not supported.
Cmnd_Aliases are not really required either since it is possible to
have multiple users listed in a sudoRole. Instead of defining a
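Review bot: the rendered path `_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs` is replaced by the unexpanded autoconf token `_\b@_\bs_\by_\bs_\bc_\bo_\bn_\bf_\bd_\bi_\br_\b@_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs` in two places in this hunk (the per-entry options bullet and the visudo bullet), and the same pattern recurs later with `@ldap_conf@` in the Configuring ldap.conf section. This file is the preformatted catalog page (the backspace overstrike sequences show it is nroff output), so unless the build substitutes these tokens in the .cat output as well as in the .man source, users will see the literal `@sysconfdir@/sudoers`. Confirm the substitution step covers this file, or keep the resolved path in the rendered page.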
- Cmnd_Alias that is referenced by multiple users, one can create a sudo-
- Role that contains the commands and assign multiple users to it.
+ Cmnd_Alias that is referenced by multiple users, one can create a
+ sudoRole that contains the commands and assign multiple users to it.
S\bSU\bUD\bDO\bOe\ber\brs\bs L\bLD\bDA\bAP\bP c\bco\bon\bnt\bta\bai\bin\bne\ber\br
- The _\bs_\bu_\bd_\bo_\be_\br_\bs configuration is contained in the ou=SUDOers LDAP con-
- tainer.
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs configuration is contained in the ou=SUDOers LDAP
+ container.
Sudo first looks for the cn=default entry in the SUDOers container. If
- found, the multi-valued sudoOption attribute is parsed in the same
-1.7.0 May 10, 2008 1
+1.7.0 October 24, 2008 1
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- manner as a global Defaults line in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. In the following
- example, the SSH_AUTH_SOCK variable will be preserved in the environ-
- ment for all users.
+ found, the multi-valued sudoOption attribute is parsed in the same
+ manner as a global Defaults line in _\b@_\bs_\by_\bs_\bc_\bo_\bn_\bf_\bd_\bi_\br_\b@_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. In the
+ following example, the SSH_AUTH_SOCK variable will be preserved in the
+ environment for all users.
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: top
as. The special value ALL will match any group.
Each component listed above should contain a single value, but there
- may be multiple instances of each component type. A sudoRole must con-
- tain at least one sudoUser, sudoHost and sudoCommand.
+ may be multiple instances of each component type. A sudoRole must
+ contain at least one sudoUser, sudoHost and sudoCommand.
The following example allows users in group wheel to run any command on
any host via s\bsu\bud\bdo\bo:
-
-1.7.0 May 10, 2008 2
+1.7.0 October 24, 2008 2
sudoCommand: ALL
sudoCommand: !/bin/sh
+ # LDAP equivalent of puddles
+ # Notice that even though ALL comes last, it still behaves like
+ # role1 since the LDAP code assumes the more paranoid configuration
+ dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
+ objectClass: sudoRole
+ objectClass: top
+ cn: role2
+ sudoUser: puddles
-
-
-
-
-
-
-
-
-1.7.0 May 10, 2008 3
+1.7.0 October 24, 2008 3
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- # LDAP equivalent of puddles
- # Notice that even though ALL comes last, it still behaves like
- # role1 since the LDAP code assumes the more paranoid configuration
- dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
- objectClass: sudoRole
- objectClass: top
- cn: role2
- sudoUser: puddles
sudoHost: ALL
sudoCommand: !/bin/sh
sudoCommand: ALL
on your LDAP server. In addition, be sure to index the 'sudoUser'
attribute.
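Review bot: the relocated role2 example (`+ dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com`) spells the container as ou=Sudoers, while the surrounding text and the cn=defaults example use ou=SUDOers. Matching on ou is normally case-insensitive, so this is not a functional defect, but the examples on the page should use one spelling so readers do not wonder whether two different containers are meant. The move itself changes no text.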
- Three versions of the schema: one for OpenLDAP servers (_\bs_\bc_\bh_\be_\bm_\ba_\b._\bO_\bp_\be_\bn_\bL_\b-
- _\bD_\bA_\bP), one for Netscape-derived servers (_\bs_\bc_\bh_\be_\bm_\ba_\b._\bi_\bP_\bl_\ba_\bn_\be_\bt), and one for
- Microsoft Active Directory (_\bs_\bc_\bh_\be_\bm_\ba_\b._\bA_\bc_\bt_\bi_\bv_\be_\bD_\bi_\br_\be_\bc_\bt_\bo_\br_\by) may be found in the
- s\bsu\bud\bdo\bo distribution.
+ Three versions of the schema: one for OpenLDAP servers
+ (_\bs_\bc_\bh_\be_\bm_\ba_\b._\bO_\bp_\be_\bn_\bL_\bD_\bA_\bP), one for Netscape-derived servers (_\bs_\bc_\bh_\be_\bm_\ba_\b._\bi_\bP_\bl_\ba_\bn_\be_\bt),
+ and one for Microsoft Active Directory (_\bs_\bc_\bh_\be_\bm_\ba_\b._\bA_\bc_\bt_\bi_\bv_\be_\bD_\bi_\br_\be_\bc_\bt_\bo_\br_\by) may be
+ found in the s\bsu\bud\bdo\bo distribution.
- The schema for s\bsu\bud\bdo\bo in OpenLDAP form is included in the EXAMPLES sec-
- tion.
+ The schema for s\bsu\bud\bdo\bo in OpenLDAP form is included in the EXAMPLES
+ section.
C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg l\bld\bda\bap\bp.\b.c\bco\bon\bnf\bf
- Sudo reads the _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf file for LDAP-specific configuration.
+ Sudo reads the _\b@_\bl_\bd_\ba_\bp_\b__\bc_\bo_\bn_\bf_\b@ file for LDAP-specific configuration.
Typically, this file is shared amongst different LDAP-aware clients.
As such, most of the settings are not s\bsu\bud\bdo\bo-specific. Note that s\bsu\bud\bdo\bo
- parses _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf itself and may support options that differ from
+ parses _\b@_\bl_\bd_\ba_\bp_\b__\bc_\bo_\bn_\bf_\b@ itself and may support options that differ from
those described in the _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(4) manual.
Also note that on systems using the OpenLDAP libraries, default values
specified in _\b/_\be_\bt_\bc_\b/_\bo_\bp_\be_\bn_\bl_\bd_\ba_\bp_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf or the user's _\b._\bl_\bd_\ba_\bp_\br_\bc files are
+ not used.
+ Only those options explicitly listed in _\b@_\bl_\bd_\ba_\bp_\b__\bc_\bo_\bn_\bf_\b@ that are supported
+ by s\bsu\bud\bdo\bo are honored. Configuration options are listed below in upper
+ case but are parsed in a case-independent manner.
+ U\bUR\bRI\bI ldap[s]://[hostname[:port]] ...
+ Specifies a whitespace-delimited list of one or more URIs
-1.7.0 May 10, 2008 4
+1.7.0 October 24, 2008 4
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- not used.
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- Only those options explicitly listed in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf that are sup-
- ported by s\bsu\bud\bdo\bo are honored. Configuration options are listed below in
- upper case but are parsed in a case-independent manner.
- U\bUR\bRI\bI ldap[s]://[hostname[:port]] ...
- Specifies a whitespace-delimited list of one or more URIs describ-
- ing the LDAP server(s) to connect to. The _\bp_\br_\bo_\bt_\bo_\bc_\bo_\bl may be either
- l\bld\bda\bap\bp or l\bld\bda\bap\bps\bs, the latter being for servers that support TLS (SSL)
- encryption. If no _\bp_\bo_\br_\bt is specified, the default is port 389 for
- ldap:// or port 636 for ldaps://. If no _\bh_\bo_\bs_\bt_\bn_\ba_\bm_\be is specified,
+ describing the LDAP server(s) to connect to. The _\bp_\br_\bo_\bt_\bo_\bc_\bo_\bl may be
+ either l\bld\bda\bap\bp or l\bld\bda\bap\bps\bs, the latter being for servers that support TLS
+ (SSL) encryption. If no _\bp_\bo_\br_\bt is specified, the default is port 389
+ for ldap:// or port 636 for ldaps://. If no _\bh_\bo_\bs_\bt_\bn_\ba_\bm_\be is specified,
s\bsu\bud\bdo\bo will connect to l\blo\boc\bca\bal\blh\bho\bos\bst\bt. Only systems using the OpenSSL
libraries support the mixing of ldap:// and ldaps:// URIs. The
Netscape-derived libraries used on most commercial versions of Unix
is included for backwards compatibility.
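Review bot: the pre-formatted cat page now prints the build placeholder where it used to print a path: `Sudo reads the /etc/ldap.conf file` (L1887) becomes `Sudo reads the @ldap_conf@ file` (L1888), with the same change at L1892 and L1897, and later for @ldap_secret@ and @nsswitch_conf@. Because the cat page underlines the token character by character with backspaces (`_\b@_\bl_\bd_\ba_\bp_\b__\bc_\bo_\bn_\bf_\b@`), an install-time substitution for the literal `@ldap_conf@` will not match it. Either regenerate the cat page from the already-substituted man page, or make the substitution tolerate the backspace-interleaved form; otherwise users reading the installed cat page see `@ldap_conf@` instead of the configured path.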
B\bBI\bIN\bND\bD_\b_T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT seconds
- The B\bBI\bIN\bND\bD_\b_T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT parameter specifies the amount of time, in sec-
- onds, to wait while trying to connect to an LDAP server. If multi-
- ple U\bUR\bRI\bIs or H\bHO\bOS\bST\bTs are specified, this is the amount of time to wait
- before trying the next one in the list.
+ The B\bBI\bIN\bND\bD_\b_T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT parameter specifies the amount of time, in
+ seconds, to wait while trying to connect to an LDAP server. If
+ multiple U\bUR\bRI\bIs or H\bHO\bOS\bST\bTs are specified, this is the amount of time to
+ wait before trying the next one in the list.
T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT seconds
The T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT parameter specifies the amount of time, in seconds,
example.com.
S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_D\bDE\bEB\bBU\bUG\bG debug_level
- This sets the debug level for s\bsu\bud\bdo\bo LDAP queries. Debugging infor-
- mation is printed to the standard error. A value of 1 results in a
- moderate amount of debugging information. A value of 2 shows the
- results of the matches themselves. This parameter should not be
- set in a production environment as the extra information is likely
- to confuse users.
+ This sets the debug level for s\bsu\bud\bdo\bo LDAP queries. Debugging
+ information is printed to the standard error. A value of 1 results
+ in a moderate amount of debugging information. A value of 2 shows
+ the results of the matches themselves. This parameter should not
+ be set in a production environment as the extra information is
+ likely to confuse users.
+ B\bBI\bIN\bND\bDD\bDN\bN DN
+ The B\bBI\bIN\bND\bDD\bDN\bN parameter specifies the identity, in the form of a
+ Distinguished Name (DN), to use when performing LDAP operations.
+ If not specified, LDAP operations are performed with an anonymous
+ identity. By default, most LDAP servers will allow anonymous
+ access.
-1.7.0 May 10, 2008 5
+1.7.0 October 24, 2008 5
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- B\bBI\bIN\bND\bDD\bDN\bN DN
- The B\bBI\bIN\bND\bDD\bDN\bN parameter specifies the identity, in the form of a Dis-
- tinguished Name (DN), to use when performing LDAP operations. If
- not specified, LDAP operations are performed with an anonymous
- identity. By default, most LDAP servers will allow anonymous
- access.
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
B\bBI\bIN\bND\bDP\bPW\bW secret
The B\bBI\bIN\bND\bDP\bPW\bW parameter specifies the password to use when performing
The R\bRO\bOO\bOT\bTB\bBI\bIN\bND\bDD\bDN\bN parameter specifies the identity, in the form of a
Distinguished Name (DN), to use when performing privileged LDAP
operations, such as _\bs_\bu_\bd_\bo_\be_\br_\bs queries. The password corresponding to
- the identity should be stored in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bs_\be_\bc_\br_\be_\bt. If not speci-
- fied, the B\bBI\bIN\bND\bDD\bDN\bN identity is used (if any).
+ the identity should be stored in _\b@_\bl_\bd_\ba_\bp_\b__\bs_\be_\bc_\br_\be_\bt_\b@. If not specified,
+ the B\bBI\bIN\bND\bDD\bDN\bN identity is used (if any).
L\bLD\bDA\bAP\bP_\b_V\bVE\bER\bRS\bSI\bIO\bON\bN number
The version of the LDAP protocol to use when connecting to the
server. The default value is protocol version 3.
S\bSS\bSL\bL on/true/yes/off/false/no
- If the S\bSS\bSL\bL parameter is set to on, true or yes, TLS (SSL) encryp-
- tion is always used when communicating with the LDAP server. Typi-
- cally, this involves connecting to the server on port 636 (ldaps).
+ If the S\bSS\bSL\bL parameter is set to on, true or yes, TLS (SSL)
+ encryption is always used when communicating with the LDAP server.
+ Typically, this involves connecting to the server on port 636
+ (ldaps).
S\bSS\bSL\bL start_tls
- If the S\bSS\bSL\bL parameter is set to start_tls, the LDAP server connec-
- tion is initiated normally and TLS encryption is begun before the
- bind credentials are sent. This has the advantage of not requiring
- a dedicated port for encrypted communications. This parameter is
- only supported by LDAP servers that honor the start_tls extension,
- such as the OpenLDAP server.
+ If the S\bSS\bSL\bL parameter is set to start_tls, the LDAP server
+ connection is initiated normally and TLS encryption is begun before
+ the bind credentials are sent. This has the advantage of not
+ requiring a dedicated port for encrypted communications. This
+ parameter is only supported by LDAP servers that honor the
+ start_tls extension, such as the OpenLDAP server.
T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR on/true/yes/off/false/no
- If enabled, T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR will cause the LDAP server's TLS certifi-
- cated to be verified. If the server's TLS certificate cannot be
- verified (usually because it is signed by an unknown certificate
- authority), s\bsu\bud\bdo\bo will be unable to connect to it. If T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR
- is disabled, no check is made.
+ If enabled, T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR will cause the LDAP server's TLS
+ certificated to be verified. If the server's TLS certificate
+ cannot be verified (usually because it is signed by an unknown
+ certificate authority), s\bsu\bud\bdo\bo will be unable to connect to it. If
+ T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR is disabled, no check is made.
T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE file name
- The path to a certificate authority bundle which contains the cer-
- tificates for all the Certificate Authorities the client knows to
- be valid, e.g. _\b/_\be_\bt_\bc_\b/_\bs_\bs_\bl_\b/_\bc_\ba_\b-_\bb_\bu_\bn_\bd_\bl_\be_\b._\bp_\be_\bm. This option is only sup-
- ported by the OpenLDAP libraries.
+ The path to a certificate authority bundle which contains the
+ certificates for all the Certificate Authorities the client knows
+ to be valid, e.g. _\b/_\be_\bt_\bc_\b/_\bs_\bs_\bl_\b/_\bc_\ba_\b-_\bb_\bu_\bn_\bd_\bl_\be_\b._\bp_\be_\bm. This option is only
+ supported by the OpenLDAP libraries.
T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTD\bDI\bIR\bR directory
Similar to T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE but instead of a file, it is a directory
containing individual Certificate Authority certificates, e.g.
_\b/_\be_\bt_\bc_\b/_\bs_\bs_\bl_\b/_\bc_\be_\br_\bt_\bs. The directory specified by T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTD\bDI\bIR\bR is
checked after T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE. This option is only supported by the
+ OpenLDAP libraries.
+ T\bTL\bLS\bS_\b_C\bCE\bER\bRT\bT file name
+ The path to a file containing the client certificate which can be
+ used to authenticate the client to the LDAP server. The
+ certificate type depends on the LDAP libraries used.
-1.7.0 May 10, 2008 6
-
+1.7.0 October 24, 2008 6
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- OpenLDAP libraries.
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- T\bTL\bLS\bS_\b_C\bCE\bER\bRT\bT file name
- The path to a file containing the client certificate which can be
- used to authenticate the client to the LDAP server. The certifi-
- cate type depends on the LDAP libraries used.
OpenLDAP:
tls_cert /etc/ssl/client_cert.pem
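Review bot: the typo "certificated" in the TLS_CHECKPEER description is carried over unchanged by the rewrap: `certificated to be verified` (L2006) should read `certificate to be verified`. Since this file is generated output, fix it in the POD source and regenerate rather than editing the cat page by hand.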
R\bRO\bOO\bOT\bTS\bSA\bAS\bSL\bL_\b_A\bAU\bUT\bTH\bH_\b_I\bID\bD identity
The SASL user name to use when R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL is enabled.
+ S\bSA\bAS\bSL\bL_\b_S\bSE\bEC\bCP\bPR\bRO\bOP\bPS\bS none/properties
+ SASL security properties or _\bn_\bo_\bn_\be for no properties. See the SASL
+ programmer's manual for details.
+ K\bKR\bRB\bB5\b5_\b_C\bCC\bCN\bNA\bAM\bME\bE file name
+ The path to the Kerberos 5 credential cache to use when
+ authenticating with the remote server.
-1.7.0 May 10, 2008 7
-
+1.7.0 October 24, 2008 7
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- S\bSA\bAS\bSL\bL_\b_S\bSE\bEC\bCP\bPR\bRO\bOP\bPS\bS none/properties
- SASL security properties or _\bn_\bo_\bn_\be for no properties. See the SASL
- programmer's manual for details.
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- K\bKR\bRB\bB5\b5_\b_C\bCC\bCN\bNA\bAM\bME\bE file name
- The path to the Kerberos 5 credential cache to use when authenti-
- cating with the remote server.
See the ldap.conf entry in the EXAMPLES section.
C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg n\bns\bss\bsw\bwi\bit\btc\bch\bh.\b.c\bco\bon\bnf\bf
Unless it is disabled at build time, s\bsu\bud\bdo\bo consults the Name Service
- Switch file, _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf, to specify the _\bs_\bu_\bd_\bo_\be_\br_\bs search order.
- Sudo looks for a line beginning with sudoers: and uses this to deter-
- mine the search order. Note that s\bsu\bud\bdo\bo does not stop searching after
- the first match and later matches take precedence over earlier ones.
+ Switch file, _\b@_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b__\bc_\bo_\bn_\bf_\b@, to specify the _\bs_\bu_\bd_\bo_\be_\br_\bs search order.
+ Sudo looks for a line beginning with sudoers: and uses this to
+ determine the search order. Note that s\bsu\bud\bdo\bo does not stop searching
+ after the first match and later matches take precedence over earlier
+ ones.
The following sources are recognized:
sudoers: ldap
- If the _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf file is not present or there is no sudoers
- line, the following default is assumed:
+ If the _\b@_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b__\bc_\bo_\bn_\bf_\b@ file is not present or there is no sudoers line,
+ the following default is assumed:
sudoers: files
- Note that _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf is supported even when the underlying
+ Note that _\b@_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b__\bc_\bo_\bn_\bf_\b@ is supported even when the underlying
operating system does not use an nsswitch.conf file.
F\bFI\bIL\bLE\bES\bS
- _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf LDAP configuration file
+ _\b@_\bl_\bd_\ba_\bp_\b__\bc_\bo_\bn_\bf_\b@ LDAP configuration file
- _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf determines sudoers source order
+ _\b@_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b__\bc_\bo_\bn_\bf_\b@ determines sudoers source order
E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
E\bEx\bxa\bam\bmp\bpl\ble\be l\bld\bda\bap\bp.\b.c\bco\bon\bnf\bf
+ # Either specify one or more URIs or one or more host:port pairs.
+ # If neither is specified sudo will default to localhost, port 389.
+ #
+ #host ldapserver
+ #host ldapserver1 ldapserver2:390
+ #
+ # Default port if host is specified without one, defaults to 389.
+ #port 389
+ #
+ # URI will override the host and port settings.
-
-
-
-1.7.0 May 10, 2008 8
+1.7.0 October 24, 2008 8
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- # Either specify one or more URIs or one or more host:port pairs.
- # If neither is specified sudo will default to localhost, port 389.
- #
- #host ldapserver
- #host ldapserver1 ldapserver2:390
- #
- # Default port if host is specified without one, defaults to 389.
- #port 389
- #
- # URI will override the host and port settings.
uri ldap://ldapserver
#uri ldaps://secureldapserver
#uri ldaps://secureldapserver ldap://ldapserver
# If you enable tls_checkpeer, specify either tls_cacertfile
# or tls_cacertdir. Only supported when using OpenLDAP.
#
+ #tls_cacertfile /etc/certs/trusted_signers.pem
+ #tls_cacertdir /etc/certs
+ #
+ # For systems that don't have /dev/random
+ # use this along with PRNGD or EGD.pl to seed the
+ # random number pool to generate cryptographic session keys.
+ # Only supported when using OpenLDAP.
+ #
+ #tls_randfile /etc/egd-pool
+ #
-1.7.0 May 10, 2008 9
+1.7.0 October 24, 2008 9
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- #tls_cacertfile /etc/certs/trusted_signers.pem
- #tls_cacertdir /etc/certs
- #
- # For systems that don't have /dev/random
- # use this along with PRNGD or EGD.pl to seed the
- # random number pool to generate cryptographic session keys.
- # Only supported when using OpenLDAP.
- #
- #tls_randfile /etc/egd-pool
- #
# You may restrict which ciphers are used. Consult your SSL
# documentation for which options go here.
# Only supported when using OpenLDAP.
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+ attributetype ( 1.3.6.1.4.1.15953.9.1.2
+ NAME 'sudoHost'
+ DESC 'Host(s) who may run sudo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.3
+ NAME 'sudoCommand'
-1.7.0 May 10, 2008 10
+1.7.0 October 24, 2008 10
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- attributetype ( 1.3.6.1.4.1.15953.9.1.2
- NAME 'sudoHost'
- DESC 'Host(s) who may run sudo'
- EQUALITY caseExactIA5Match
- SUBSTR caseExactIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
- attributetype ( 1.3.6.1.4.1.15953.9.1.3
- NAME 'sudoCommand'
DESC 'Command(s) to be executed by sudo'
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(4), _\bs_\bu_\bd_\bo_\be_\br_\bs(5)
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
- The way that _\bs_\bu_\bd_\bo_\be_\br_\bs is parsed differs between Note that there are dif-
- ferences in the way that LDAP-based _\bs_\bu_\bd_\bo_\be_\br_\bs is parsed compared to file-
- based _\bs_\bu_\bd_\bo_\be_\br_\bs. See the "Differences between LDAP and non-LDAP sudoers"
- section for more information.
+ The way that _\bs_\bu_\bd_\bo_\be_\br_\bs is parsed differs between Note that there are
+ differences in the way that LDAP-based _\bs_\bu_\bd_\bo_\be_\br_\bs is parsed compared to
+ file-based _\bs_\bu_\bd_\bo_\be_\br_\bs. See the "Differences between LDAP and non-LDAP
+ sudoers" section for more information.
+B\bBU\bUG\bGS\bS
+ If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
+ http://www.sudo.ws/sudo/bugs/
+S\bSU\bUP\bPP\bPO\bOR\bRT\bT
+ Limited free support is available via the sudo-users mailing list, see
+ http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
+ the archives.
-1.7.0 May 10, 2008 11
+1.7.0 October 24, 2008 11
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-B\bBU\bUG\bGS\bS
- If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
- http://www.sudo.ws/sudo/bugs/
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Limited free support is available via the sudo-users mailing list, see
- http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
- the archives.
D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
- including, but not limited to, the implied warranties of merchantabil-
- ity and fitness for a particular purpose are disclaimed. See the
- LICENSE file distributed with s\bsu\bud\bdo\bo or
+ including, but not limited to, the implied warranties of
+ merchantability and fitness for a particular purpose are disclaimed.
+ See the LICENSE file distributed with s\bsu\bud\bdo\bo or
http://www.sudo.ws/sudo/license.html for complete details.
-1.7.0 May 10, 2008 12
+
+
+
+
+
+
+
+
+
+1.7.0 October 24, 2008 12
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $Sudo$
-.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
+.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05)
.\"
.\" Standard preamble:
.\" ========================================================================
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to
-.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C'
-.\" expand to `' in nroff, nothing in troff, for use with C<>.
-.tr \(*W-|\(bv\*(Tr
+.\" double quote, and \*(R" will give a right double quote. \*(C+ will
+.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds R" ''
'br\}
.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
-.if \nF \{\
+.ie \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. nr % 0
. rr F
.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it makes
-.\" way too many mistakes in technical documents.
-.hy 0
-.if n .na
+.el \{\
+. de IX
+..
+.\}
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
.\" ========================================================================
.\"
.IX Title "SUDOERS.LDAP @mansectform@"
-.TH SUDOERS.LDAP @mansectform@ "May 10, 2008" "1.7.0" "MAINTENANCE COMMANDS"
+.TH SUDOERS.LDAP @mansectform@ "October 24, 2008" "1.7.0" "MAINTENANCE COMMANDS"
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
.SH "NAME"
sudoers.ldap \- sudo LDAP configuration
.SH "DESCRIPTION"
this will not prevent \fBsudo\fR from running.
.IP "\(bu" 4
It is possible to specify per-entry options that override the global
-default options. \fI@sysconfdir@/sudoers\fR only supports default options and
+default options. \fI\f(CI@sysconfdir\fI@/sudoers\fR only supports default options and
limited options associated with user/host/commands/aliases. The
syntax is complicated and can be difficult for users to understand.
Placing the options directly in the entry is more natural.
.IP "\(bu" 4
The \fBvisudo\fR program is no longer needed. \fBvisudo\fR provides
-locking and syntax checking of the \fI@sysconfdir@/sudoers\fR file.
+locking and syntax checking of the \fI\f(CI@sysconfdir\fI@/sudoers\fR file.
Since \s-1LDAP\s0 updates are atomic, locking is no longer necessary.
Because syntax is checked when the data is inserted into \s-1LDAP\s0, there
is no need for a specialized tool to check syntax.
.PP
Sudo first looks for the \f(CW\*(C`cn=default\*(C'\fR entry in the SUDOers container.
If found, the multi-valued \f(CW\*(C`sudoOption\*(C'\fR attribute is parsed in the
-same manner as a global \f(CW\*(C`Defaults\*(C'\fR line in \fI@sysconfdir@/sudoers\fR. In
+same manner as a global \f(CW\*(C`Defaults\*(C'\fR line in \fI\f(CI@sysconfdir\fI@/sudoers\fR. In
the following example, the \f(CW\*(C`SSH_AUTH_SOCK\*(C'\fR variable will be preserved
in the environment for all users.
.PP
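Review bot: the new Pod::Man output splits the configure substitution tokens with font escapes: `\fI@sysconfdir@/sudoers\fR` (L2291) becomes `\fI\f(CI@sysconfdir\fI@/sudoers\fR` (L2292), so the contiguous `@sysconfdir@` that the .man.in substitution matches no longer exists. The same split affects `@ldap_conf@` (L2411, L2415, L2423, L2483-L2484), `@ldap_secret@` (L2431) and `@nsswitch_conf@` (L2462, L2470, L2478, L2488-L2489), while the `.IX Item "@ldap_conf@"` lines (L2485, L2490) still carry the intact form the substitution expects. Either post-process the generated page to collapse `\f(CI@name\fI@` back to `@name@`, or extend the substitution pattern to accept the interposed `\fI`; as committed, the installed man page would show the raw placeholder in the italicised paths.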
\& objectClass: top
\& objectClass: sudoRole
\& cn: defaults
-\& description: Default sudoOption's go here
+\& description: Default sudoOption\*(Aqs go here
\& sudoOption: env_keep+=SSH_AUTH_SOCK
.Ve
.PP
the following components:
.IP "\fBsudoUser\fR" 4
.IX Item "sudoUser"
-A user name, uid (prefixed with \f(CW'#'\fR), Unix group (prefixed with
-a \f(CW'%'\fR) or user netgroup (prefixed with a \f(CW'+'\fR).
+A user name, uid (prefixed with \f(CW\*(Aq#\*(Aq\fR), Unix group (prefixed with
+a \f(CW\*(Aq%\*(Aq\fR) or user netgroup (prefixed with a \f(CW\*(Aq+\*(Aq\fR).
.IP "\fBsudoHost\fR" 4
.IX Item "sudoHost"
A host name, \s-1IP\s0 address, \s-1IP\s0 network, or host netgroup (prefixed
-with a \f(CW'+'\fR).
+with a \f(CW\*(Aq+\*(Aq\fR).
The special value \f(CW\*(C`ALL\*(C'\fR will match any host.
.IP "\fBsudoCommand\fR" 4
.IX Item "sudoCommand"
A Unix command with optional command line arguments, potentially
including globbing characters (aka wild cards).
The special value \f(CW\*(C`ALL\*(C'\fR will match any command.
-If a command is prefixed with an exclamation point \f(CW'!'\fR, the
+If a command is prefixed with an exclamation point \f(CW\*(Aq!\*(Aq\fR, the
user will be prohibited from running that command.
.IP "\fBsudoOption\fR" 4
.IX Item "sudoOption"
specific to the \f(CW\*(C`sudoRole\*(C'\fR in which it resides.
.IP "\fBsudoRunAsUser\fR" 4
.IX Item "sudoRunAsUser"
-A user name or uid (prefixed with \f(CW'#'\fR) that commands may be run
-as or a Unix group (prefixed with a \f(CW'%'\fR) or user netgroup (prefixed
-with a \f(CW'+'\fR) that contains a list of users that commands may be
+A user name or uid (prefixed with \f(CW\*(Aq#\*(Aq\fR) that commands may be run
+as or a Unix group (prefixed with a \f(CW\*(Aq%\*(Aq\fR) or user netgroup (prefixed
+with a \f(CW\*(Aq+\*(Aq\fR) that contains a list of users that commands may be
run as.
The special value \f(CW\*(C`ALL\*(C'\fR will match any user.
.IP "\fBsudoRunAsGroup\fR" 4
.IX Item "sudoRunAsGroup"
-A Unix group or gid (prefixed with \f(CW'#'\fR) that commands may be run as.
+A Unix group or gid (prefixed with \f(CW\*(Aq#\*(Aq\fR) that commands may be run as.
The special value \f(CW\*(C`ALL\*(C'\fR will match any group.
.PP
Each component listed above should contain a single value, but there
\& johnny ALL=(root) ALL,!/bin/sh
\& # Always allows all commands because ALL is matched last
\& puddles ALL=(root) !/bin/sh,ALL
-.Ve
-.PP
-.Vb 10
+\&
\& # LDAP equivalent of johnny
\& # Allows all commands except shell
-\& dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
+\& dn: cn=role1,ou=Sudoers,dc=my\-domain,dc=com
\& objectClass: sudoRole
\& objectClass: top
\& cn: role1
\& sudoHost: ALL
\& sudoCommand: ALL
\& sudoCommand: !/bin/sh
-.Ve
-.PP
-.Vb 11
+\&
\& # LDAP equivalent of puddles
\& # Notice that even though ALL comes last, it still behaves like
\& # role1 since the LDAP code assumes the more paranoid configuration
-\& dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
+\& dn: cn=role2,ou=Sudoers,dc=my\-domain,dc=com
\& objectClass: sudoRole
\& objectClass: top
\& cn: role2
\& # does not match all but joe
\& # rather, does not match anyone
\& sudoUser: !joe
-.Ve
-.PP
-.Vb 4
+\&
\& # does not match all but joe
\& # rather, matches everyone including Joe
\& sudoUser: ALL
\& sudoUser: !joe
-.Ve
-.PP
-.Vb 4
+\&
\& # does not match all but web01
\& # rather, matches all hosts including web01
\& sudoHost: ALL
section.
.Sh "Configuring ldap.conf"
.IX Subsection "Configuring ldap.conf"
-Sudo reads the \fI@ldap_conf@\fR file for LDAP-specific configuration.
+Sudo reads the \fI\f(CI@ldap_conf\fI@\fR file for LDAP-specific configuration.
Typically, this file is shared amongst different LDAP-aware clients.
As such, most of the settings are not \fBsudo\fR\-specific. Note that
-\&\fBsudo\fR parses \fI@ldap_conf@\fR itself and may support options
+\&\fBsudo\fR parses \fI\f(CI@ldap_conf\fI@\fR itself and may support options
that differ from those described in the \fIldap.conf\fR\|(@mansectform@) manual.
.PP
Also note that on systems using the OpenLDAP libraries, default
values specified in \fI/etc/openldap/ldap.conf\fR or the user's
\&\fI.ldaprc\fR files are not used.
.PP
-Only those options explicitly listed in \fI@ldap_conf@\fR that are
+Only those options explicitly listed in \fI\f(CI@ldap_conf\fI@\fR that are
supported by \fBsudo\fR are honored. Configuration options are listed
below in upper case but are parsed in a case-independent manner.
.IP "\fB\s-1URI\s0\fR ldap[s]://[hostname[:port]] ..." 4
The \fB\s-1ROOTBINDDN\s0\fR parameter specifies the identity, in the form of
a Distinguished Name (\s-1DN\s0), to use when performing privileged \s-1LDAP\s0
operations, such as \fIsudoers\fR queries. The password corresponding
-to the identity should be stored in \fI@ldap_secret@\fR.
+to the identity should be stored in \fI\f(CI@ldap_secret\fI@\fR.
If not specified, the \fB\s-1BINDDN\s0\fR identity is used (if any).
.IP "\fB\s-1LDAP_VERSION\s0\fR number" 4
.IX Item "LDAP_VERSION number"
OpenLDAP:
\f(CW\*(C`tls_cert /etc/ssl/client_cert.pem\*(C'\fR
.Sp
-Netscape\-derived:
+Netscape-derived:
\f(CW\*(C`tls_cert /var/ldap/cert7.db\*(C'\fR
.Sp
When using Netscape-derived libraries, this file may also contain
.IX Item "TLS_KEY file name"
The path to a file containing the private key which matches the
certificate specified by \fB\s-1TLS_CERT\s0\fR. The private key must not be
-password\-protected. The key type depends on the \s-1LDAP\s0 libraries
+password-protected. The key type depends on the \s-1LDAP\s0 libraries
used.
.Sp
OpenLDAP:
\f(CW\*(C`tls_key /etc/ssl/client_key.pem\*(C'\fR
.Sp
-Netscape\-derived:
+Netscape-derived:
\f(CW\*(C`tls_key /var/ldap/key3.db\*(C'\fR
.IP "\fB\s-1TLS_RANDFILE\s0\fR file name" 4
.IX Item "TLS_RANDFILE file name"
.Sh "Configuring nsswitch.conf"
.IX Subsection "Configuring nsswitch.conf"
Unless it is disabled at build time, \fBsudo\fR consults the Name
-Service Switch file, \fI@nsswitch_conf@\fR, to specify the \fIsudoers\fR
+Service Switch file, \fI\f(CI@nsswitch_conf\fI@\fR, to specify the \fIsudoers\fR
search order. Sudo looks for a line beginning with \f(CW\*(C`sudoers:\*(C'\fR and
uses this to determine the search order. Note that \fBsudo\fR does
not stop searching after the first match and later matches take
\& sudoers: ldap
.Ve
.PP
-If the \fI@nsswitch_conf@\fR file is not present or there is no
+If the \fI\f(CI@nsswitch_conf\fI@\fR file is not present or there is no
sudoers line, the following default is assumed:
.PP
.Vb 1
\& sudoers: files
.Ve
.PP
-Note that \fI@nsswitch_conf@\fR is supported even when the underlying
+Note that \fI\f(CI@nsswitch_conf\fI@\fR is supported even when the underlying
operating system does not use an nsswitch.conf file.
.SH "FILES"
.IX Header "FILES"
-.IP "\fI@ldap_conf@\fR" 24
+.ie n .IP "\fI\fI@ldap_conf\fI@\fR" 24
+.el .IP "\fI\f(CI@ldap_conf\fI@\fR" 24
.IX Item "@ldap_conf@"
\&\s-1LDAP\s0 configuration file
-.IP "\fI@nsswitch_conf@\fR" 24
+.ie n .IP "\fI\fI@nsswitch_conf\fI@\fR" 24
+.el .IP "\fI\f(CI@nsswitch_conf\fI@\fR" 24
.IX Item "@nsswitch_conf@"
determines sudoers source order
.SH "EXAMPLES"
.IX Header "EXAMPLES"
.Sh "Example ldap.conf"
.IX Subsection "Example ldap.conf"
-.Vb 95
+.Vb 10
\& # Either specify one or more URIs or one or more host:port pairs.
\& # If neither is specified sudo will default to localhost, port 389.
\& #
\& #tls_cacertfile /etc/certs/trusted_signers.pem
\& #tls_cacertdir /etc/certs
\& #
-\& # For systems that don't have /dev/random
+\& # For systems that don\*(Aqt have /dev/random
\& # use this along with PRNGD or EGD.pl to seed the
\& # random number pool to generate cryptographic session keys.
\& # Only supported when using OpenLDAP.
\& #
-\& #tls_randfile /etc/egd-pool
+\& #tls_randfile /etc/egd\-pool
\& #
\& # You may restrict which ciphers are used. Consult your SSL
\& # documentation for which options go here.
\& # Only supported when using OpenLDAP.
\& #
-\& #tls_ciphers <cipher-list>
+\& #tls_ciphers <cipher\-list>
\& #
\& # Sudo can provide a client certificate when communicating to
\& # the LDAP server.
\& #tls_key /etc/certs/client_key.pem
\& #
\& # For SunONE or iPlanet LDAP, the file specified by tls_cert may
-\& # contain CA certs and/or the client's cert. If the client's
+\& # contain CA certs and/or the client\*(Aqs cert. If the client\*(Aqs
\& # cert is included, tls_key should be specified as well.
\& # For backward compatibility, sslpath may be used in place of tls_cert.
\& #tls_cert /var/ldap/cert7.db
.PP
.Vb 6
\& attributetype ( 1.3.6.1.4.1.15953.9.1.1
-\& NAME 'sudoUser'
-\& DESC 'User(s) who may run sudo'
+\& NAME \*(AqsudoUser\*(Aq
+\& DESC \*(AqUser(s) who may run sudo\*(Aq
\& EQUALITY caseExactIA5Match
\& SUBSTR caseExactIA5SubstringsMatch
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-.Ve
-.PP
-.Vb 6
+\&
\& attributetype ( 1.3.6.1.4.1.15953.9.1.2
-\& NAME 'sudoHost'
-\& DESC 'Host(s) who may run sudo'
+\& NAME \*(AqsudoHost\*(Aq
+\& DESC \*(AqHost(s) who may run sudo\*(Aq
\& EQUALITY caseExactIA5Match
\& SUBSTR caseExactIA5SubstringsMatch
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-.Ve
-.PP
-.Vb 5
+\&
\& attributetype ( 1.3.6.1.4.1.15953.9.1.3
-\& NAME 'sudoCommand'
-\& DESC 'Command(s) to be executed by sudo'
+\& NAME \*(AqsudoCommand\*(Aq
+\& DESC \*(AqCommand(s) to be executed by sudo\*(Aq
\& EQUALITY caseExactIA5Match
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-.Ve
-.PP
-.Vb 5
+\&
\& attributetype ( 1.3.6.1.4.1.15953.9.1.4
-\& NAME 'sudoRunAs'
-\& DESC 'User(s) impersonated by sudo'
+\& NAME \*(AqsudoRunAs\*(Aq
+\& DESC \*(AqUser(s) impersonated by sudo\*(Aq
\& EQUALITY caseExactIA5Match
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-.Ve
-.PP
-.Vb 5
+\&
\& attributetype ( 1.3.6.1.4.1.15953.9.1.5
-\& NAME 'sudoOption'
-\& DESC 'Options(s) followed by sudo'
+\& NAME \*(AqsudoOption\*(Aq
+\& DESC \*(AqOptions(s) followed by sudo\*(Aq
\& EQUALITY caseExactIA5Match
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-.Ve
-.PP
-.Vb 5
+\&
\& attributetype ( 1.3.6.1.4.1.15953.9.1.6
-\& NAME 'sudoRunAsUser'
-\& DESC 'User(s) impersonated by sudo'
+\& NAME \*(AqsudoRunAsUser\*(Aq
+\& DESC \*(AqUser(s) impersonated by sudo\*(Aq
\& EQUALITY caseExactIA5Match
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-.Ve
-.PP
-.Vb 5
+\&
\& attributetype ( 1.3.6.1.4.1.15953.9.1.7
-\& NAME 'sudoRunAsGroup'
-\& DESC 'Group(s) impersonated by sudo'
+\& NAME \*(AqsudoRunAsGroup\*(Aq
+\& DESC \*(AqGroup(s) impersonated by sudo\*(Aq
\& EQUALITY caseExactIA5Match
\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-.Ve
-.PP
-.Vb 6
-\& objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
-\& DESC 'Sudoer Entries'
+\&
+\& objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME \*(AqsudoRole\*(Aq SUP top STRUCTURAL
+\& DESC \*(AqSudoer Entries\*(Aq
\& MUST ( cn )
\& MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
\& sudoRunAsGroup $ sudoOption $ description )
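Review bot: the `\*(Aq` string used throughout these verbatim lines (e.g. `NAME \*(AqsudoUser\*(Aq`) is only defined by the new `.ie \n(.g .ds Aq \(aq` / `.el .ds Aq '` lines added to the preamble further down; if this body hunk lands without that preamble change, `\*(Aq` expands to nothing and the LDAP schema renders with the quotes silently stripped (`NAME sudoUser`), so the two must go in together. Also, the `.Vb 6` that opens this block is unchanged context while the `.Ve`/`.PP`/`.Vb` separators between the attribute types are replaced by `\&` blank lines, so one verbatim block now runs from `attributetype ( 1.3.6.1.4.1.15953.9.1.1` through the `sudoRole` objectclass; since `.Vb N` only reserves N lines via `.ne`, the merged schema can now be split across a page break.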
.IX Header "CAVEATS"
The way that \fIsudoers\fR is parsed differs between Note that there
are differences in the way that LDAP-based \fIsudoers\fR is parsed
-compared to file-based \fIsudoers\fR. See the \*(L"Differences between \s-1LDAP\s0 and non-LDAP sudoers\*(R" section for more information.
+compared to file-based \fIsudoers\fR. See the \*(L"Differences between
+\&\s-1LDAP\s0 and non-LDAP sudoers\*(R" section for more information.
.SH "BUGS"
.IX Header "BUGS"
If you feel you have found a bug in \fBsudo\fR, please submit a bug report
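Review bot: the context line `The way that \fIsudoers\fR is parsed differs between Note that there` still carries a dangling fragment on both sides of the hunk; the change only moves the line break. Either finish the first sentence or drop `The way that \fIsudoers\fR is parsed differs between` so the CAVEATS paragraph starts at `Note that there are differences ...`.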
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.\" $Sudo$
-.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
+.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05)
.\"
.\" Standard preamble:
.\" ========================================================================
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to
-.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C'
-.\" expand to `' in nroff, nothing in troff, for use with C<>.
-.tr \(*W-|\(bv\*(Tr
+.\" double quote, and \*(R" will give a right double quote. \*(C+ will
+.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds R" ''
'br\}
.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
-.if \nF \{\
+.ie \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. nr % 0
. rr F
.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it makes
-.\" way too many mistakes in technical documents.
-.hy 0
-.if n .na
+.el \{\
+. de IX
+..
+.\}
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "May 2, 2008" "1.7.0" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "October 24, 2008" "1.7.0" "MAINTENANCE COMMANDS"
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
.SH "NAME"
sudoers \- list of which users may execute what
.SH "DESCRIPTION"
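Review bot: this preamble is generator output (the header now says `Pod::Man 2.16 (Pod::Simple 3.05)`), so none of it should be hand-edited; the same regenerated block appears again for the visudo page further down, and both must come from the same Pod::Man run so that the `Aq` string, the `.ie \nF`/`.el` index macro and the `.if n .ad l`/`.nh` settings stay identical across the two pages. The hyphenation/justification lines moved from before the accent-mark section to after `.TH`, and `.hy 0`/`.if n .na` became `.nh`/`.if n .ad l`; both variants give ragged-right, unhyphenated nroff output, so no rendering change is expected, but that is worth confirming by diffing the regenerated cat pages rather than assuming it.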
\&\f(CW\*(C`Host_Alias\*(C'\fR and \f(CW\*(C`Cmnd_Alias\*(C'\fR.
.PP
.Vb 4
-\& Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
-\& 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
-\& 'Host_Alias' Host_Alias (':' Host_Alias)* |
-\& 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
-.Ve
-.PP
-.Vb 1
-\& User_Alias ::= NAME '=' User_List
-.Ve
-.PP
-.Vb 1
-\& Runas_Alias ::= NAME '=' Runas_List
-.Ve
-.PP
-.Vb 1
-\& Host_Alias ::= NAME '=' Host_List
-.Ve
-.PP
-.Vb 1
-\& Cmnd_Alias ::= NAME '=' Cmnd_List
-.Ve
-.PP
-.Vb 1
-\& NAME ::= [A-Z]([A-Z][0-9]_)*
+\& Alias ::= \*(AqUser_Alias\*(Aq User_Alias (\*(Aq:\*(Aq User_Alias)* |
+\& \*(AqRunas_Alias\*(Aq Runas_Alias (\*(Aq:\*(Aq Runas_Alias)* |
+\& \*(AqHost_Alias\*(Aq Host_Alias (\*(Aq:\*(Aq Host_Alias)* |
+\& \*(AqCmnd_Alias\*(Aq Cmnd_Alias (\*(Aq:\*(Aq Cmnd_Alias)*
+\&
+\& User_Alias ::= NAME \*(Aq=\*(Aq User_List
+\&
+\& Runas_Alias ::= NAME \*(Aq=\*(Aq Runas_List
+\&
+\& Host_Alias ::= NAME \*(Aq=\*(Aq Host_List
+\&
+\& Cmnd_Alias ::= NAME \*(Aq=\*(Aq Cmnd_List
+\&
+\& NAME ::= [A\-Z]([A\-Z][0\-9]_)*
.Ve
.PP
Each \fIalias\fR definition is of the form
.PP
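Review bot: the `.Vb 4` that opens the Alias grammar is unchanged context, but the block it heads now contains 14 lines because the separate `.Vb 1` productions (`User_Alias`, `Runas_Alias`, `Host_Alias`, `Cmnd_Alias`, `NAME`) were folded in with `\&` blank lines. `.Vb N` expands to `.ne N`, so the stale count no longer keeps the grammar together across a page break; the same mismatch recurs for the `.Vb 2` and `.Vb 5` blocks that follow (User_List, Runas_List, Host_List, Cmnd_List, Default_Type, User_Spec). Either have the generator emit the real line count or keep the smaller blocks.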
.Vb 2
\& User_List ::= User |
-\& User ',' User_List
-.Ve
-.PP
-.Vb 5
-\& User ::= '!'* username |
-\& '!'* '#'uid |
-\& '!'* '%'group |
-\& '!'* '+'netgroup |
-\& '!'* User_Alias
+\& User \*(Aq,\*(Aq User_List
+\&
+\& User ::= \*(Aq!\*(Aq* username |
+\& \*(Aq!\*(Aq* \*(Aq#\*(Aquid |
+\& \*(Aq!\*(Aq* \*(Aq%\*(Aqgroup |
+\& \*(Aq!\*(Aq* \*(Aq+\*(Aqnetgroup |
+\& \*(Aq!\*(Aq* User_Alias
.Ve
.PP
A \f(CW\*(C`User_List\*(C'\fR is made up of one or more usernames, uids (prefixed
.PP
.Vb 2
\& Runas_List ::= Runas_Member |
-\& Runas_Member ',' Runas_List
-.Ve
-.PP
-.Vb 5
-\& Runas_Member ::= '!'* username |
-\& '!'* '#'uid |
-\& '!'* '%'group |
-\& '!'* +netgroup |
-\& '!'* Runas_Alias
+\& Runas_Member \*(Aq,\*(Aq Runas_List
+\&
+\& Runas_Member ::= \*(Aq!\*(Aq* username |
+\& \*(Aq!\*(Aq* \*(Aq#\*(Aquid |
+\& \*(Aq!\*(Aq* \*(Aq%\*(Aqgroup |
+\& \*(Aq!\*(Aq* +netgroup |
+\& \*(Aq!\*(Aq* Runas_Alias
.Ve
.PP
A \f(CW\*(C`Runas_List\*(C'\fR is similar to a \f(CW\*(C`User_List\*(C'\fR except that instead
.PP
.Vb 2
\& Host_List ::= Host |
-\& Host ',' Host_List
-.Ve
-.PP
-.Vb 5
-\& Host ::= '!'* hostname |
-\& '!'* ip_addr |
-\& '!'* network(/netmask)? |
-\& '!'* '+'netgroup |
-\& '!'* Host_Alias
+\& Host \*(Aq,\*(Aq Host_List
+\&
+\& Host ::= \*(Aq!\*(Aq* hostname |
+\& \*(Aq!\*(Aq* ip_addr |
+\& \*(Aq!\*(Aq* network(/netmask)? |
+\& \*(Aq!\*(Aq* \*(Aq+\*(Aqnetgroup |
+\& \*(Aq!\*(Aq* Host_Alias
.Ve
.PP
A \f(CW\*(C`Host_List\*(C'\fR is made up of one or more hostnames, \s-1IP\s0 addresses,
.PP
.Vb 2
\& Cmnd_List ::= Cmnd |
-\& Cmnd ',' Cmnd_List
-.Ve
-.PP
-.Vb 3
+\& Cmnd \*(Aq,\*(Aq Cmnd_List
+\&
\& commandname ::= filename |
\& filename args |
-\& filename '""'
-.Ve
-.PP
-.Vb 4
-\& Cmnd ::= '!'* commandname |
-\& '!'* directory |
-\& '!'* "sudoedit" |
-\& '!'* Cmnd_Alias
+\& filename \*(Aq""\*(Aq
+\&
+\& Cmnd ::= \*(Aq!\*(Aq* commandname |
+\& \*(Aq!\*(Aq* directory |
+\& \*(Aq!\*(Aq* "sudoedit" |
+\& \*(Aq!\*(Aq* Cmnd_Alias
.Ve
.PP
A \f(CW\*(C`Cmnd_List\*(C'\fR is a list of one or more commandnames, directories, and other
that instead.
.PP
.Vb 5
-\& Default_Type ::= 'Defaults' |
-\& 'Defaults' '@' Host_List |
-\& 'Defaults' ':' User_List |
-\& 'Defaults' '!' Cmnd_List |
-\& 'Defaults' '>' Runas_List
-.Ve
-.PP
-.Vb 1
+\& Default_Type ::= \*(AqDefaults\*(Aq |
+\& \*(AqDefaults\*(Aq \*(Aq@\*(Aq Host_List |
+\& \*(AqDefaults\*(Aq \*(Aq:\*(Aq User_List |
+\& \*(AqDefaults\*(Aq \*(Aq!\*(Aq Cmnd_List |
+\& \*(AqDefaults\*(Aq \*(Aq>\*(Aq Runas_List
+\&
\& Default_Entry ::= Default_Type Parameter_List
-.Ve
-.PP
-.Vb 2
+\&
\& Parameter_List ::= Parameter |
-\& Parameter ',' Parameter_List
-.Ve
-.PP
-.Vb 4
-\& Parameter ::= Parameter '=' Value |
-\& Parameter '+=' Value |
-\& Parameter '-=' Value |
-\& '!'* Parameter
+\& Parameter \*(Aq,\*(Aq Parameter_List
+\&
+\& Parameter ::= Parameter \*(Aq=\*(Aq Value |
+\& Parameter \*(Aq+=\*(Aq Value |
+\& Parameter \*(Aq\-=\*(Aq Value |
+\& \*(Aq!\*(Aq* Parameter
.Ve
.PP
Parameters may be \fBflags\fR, \fBinteger\fR values, \fBstrings\fR, or \fBlists\fR.
.Sh "User Specification"
.IX Subsection "User Specification"
.Vb 2
-\& User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
-\& (':' Host_List '=' Cmnd_Spec_List)*
-.Ve
-.PP
-.Vb 2
+\& User_Spec ::= User_List Host_List \*(Aq=\*(Aq Cmnd_Spec_List \e
+\& (\*(Aq:\*(Aq Host_List \*(Aq=\*(Aq Cmnd_Spec_List)*
+\&
\& Cmnd_Spec_List ::= Cmnd_Spec |
-\& Cmnd_Spec ',' Cmnd_Spec_List
-.Ve
-.PP
-.Vb 1
+\& Cmnd_Spec \*(Aq,\*(Aq Cmnd_Spec_List
+\&
\& Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
-.Ve
-.PP
-.Vb 1
-\& Runas_Spec ::= '(' Runas_List? (: Runas_List)? ')'
-.Ve
-.PP
-.Vb 2
-\& Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
-\& 'SETENV:' | 'NOSETENV:' )
+\&
+\& Runas_Spec ::= \*(Aq(\*(Aq Runas_List? (: Runas_List)? \*(Aq)\*(Aq
+\&
+\& Tag_Spec ::= (\*(AqNOPASSWD:\*(Aq | \*(AqPASSWD:\*(Aq | \*(AqNOEXEC:\*(Aq | \*(AqEXEC:\*(Aq |
+\& \*(AqSETENV:\*(Aq | \*(AqNOSETENV:\*(Aq )
.Ve
.PP
A \fBuser specification\fR determines which commands a user may run
\&\fI/usr/bin/lprm\fR \*(-- but only as \fBoperator\fR. E.g.,
.PP
.Vb 1
-\& $ sudo -u operator /bin/ls.
+\& $ sudo \-u operator /bin/ls.
.Ve
.PP
It is also possible to override a \f(CW\*(C`Runas_Spec\*(C'\fR later on in an
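Review bot: the example still ends in a stray period inside the verbatim block (`$ sudo \-u operator /bin/ls.`), so a reader who copies it runs `/bin/ls.`; the hunk only fixes the option dash. Drop the period, which belongs to the prose, not the command.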
.Ve
.PP
would allow the user \fBray\fR to run \fI/bin/kill\fR, \fI/bin/ls\fR, and
-\&\fI/usr/bin/lprm\fR as root on the machine rushmore as \fBroot\fR without
+\&\fI/usr/bin/lprm\fR as \fBroot\fR on the machine rushmore without
authenticating himself. If we only want \fBray\fR to be able to
run \fI/bin/kill\fR without a password the entry would be:
.PP
For any character \*(L"x\*(R", evaluates to \*(L"x\*(R". This is used to
escape special characters such as: \*(L"*\*(R", \*(L"?\*(R", \*(L"[\*(R", and \*(L"}\*(R".
.PP
+\&\s-1POSIX\s0 character classes may also be used if your system's
+\&\fIfnmatch\fR\|(3) function supports them. However, because the
+\&\f(CW\*(Aq:\*(Aq\fR character has special meaning in \fIsudoers\fR, it must
+be escaped. For example:
+.PP
+.Vb 1
+\& /bin/ls [[\e:alpha\e:]]*
+.Ve
+.PP
+Would match any filename beginning with a letter.
+.PP
Note that a forward slash ('/') will \fBnot\fR be matched by
wildcards used in the pathname. When matching the command
line arguments, however, a slash \fBdoes\fR get matched by
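Review bot: `Would match any filename beginning with a letter.` is the tail of the `For example:` sentence and should not start with a capital; read as one sentence it is `/bin/ls [[\e:alpha\e:]]* would match ...`. The new paragraph also says classes work `if your system's \fIfnmatch\fR\|(3) function supports them` but not what happens when it does not; an administrator who writes a `Cmnd` restriction around `[[\e:alpha\e:]]` needs to know whether the bracket expression then matches nothing or is taken literally, so state the behaviour rather than leaving it implicit.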
password. This flag is \fI@insults@\fR by default.
.IP "log_host" 16
.IX Item "log_host"
-If set, the hostname will be logged in the (non\-syslog) \fBsudo\fR log file.
+If set, the hostname will be logged in the (non-syslog) \fBsudo\fR log file.
This flag is \fIoff\fR by default.
.IP "log_year" 16
.IX Item "log_year"
-If set, the four-digit year will be logged in the (non\-syslog) \fBsudo\fR log file.
+If set, the four-digit year will be logged in the (non-syslog) \fBsudo\fR log file.
This flag is \fIoff\fR by default.
.IP "long_otp_prompt" 16
.IX Item "long_otp_prompt"
.IX Item "noexec"
If set, all commands run via \fBsudo\fR will behave as if the \f(CW\*(C`NOEXEC\*(C'\fR
tag has been set, unless overridden by a \f(CW\*(C`EXEC\*(C'\fR tag. See the
-description of \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR below as well as the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section at the end of this manual. This flag is \fIoff\fR by default.
+description of \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR below as well as the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0
+\&\s-1ESCAPES\s0\*(R" section at the end of this manual. This flag is \fIoff\fR by default.
.IP "path_info" 16
.IX Item "path_info"
Normally, \fBsudo\fR will tell the user when a command could not be
.IX Item "syslog_goodpri"
Syslog priority to use when user authenticates successfully.
Defaults to \f(CW\*(C`@goodpri@\*(C'\fR.
+.IP "sudoers_locale" 16
+.IX Item "sudoers_locale"
+Locale to use when parsing the sudoers file. Note that changing
+the locale may affect how sudoers is interpreted.
+Defaults to \f(CW"C"\fR.
.IP "timestampdir" 16
.IX Item "timestampdir"
The directory in which \fBsudo\fR stores its timestamp files.
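Review bot: the new `sudoers_locale` entry says `changing the locale may affect how sudoers is interpreted` without saying how. The POSIX character-class paragraph above relies on fnmatch(3), and classes such as `[[:alpha:]]` are locale-dependent, so name that dependency here so an administrator can see why the default is `C`. Also `Defaults to \f(CW"C"\fR` uses literal double quotes where the neighbouring entries use the `\f(CW\*(C`...\*(C'\fR` form (e.g. `@goodpri@` just above); use the same markup for consistency.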
The \fIaskpass\fR option specifies the fully-qualilfy path to a helper
program used to read the user's password when no terminal is
available. This may be the case when \fBsudo\fR is executed from a
-graphical (as opposed to text\-based) application. The program
+graphical (as opposed to text-based) application. The program
specified by \fIaskpass\fR should display the argument passed to it
as the prompt and write the user's password to the standard output.
The value of \fIaskpass\fR may be overridden by the \f(CW\*(C`SUDO_ASKPASS\*(C'\fR
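Review bot: the context line `The \fIaskpass\fR option specifies the fully-qualilfy path` misspells `fully-qualified`; it sits directly above this hunk and neither side fixes it. Since this file is generated, correct it in the POD source and regenerate rather than patching the `.man.in`.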
Environment variables to be removed from the user's environment if
the variable's value contains \f(CW\*(C`%\*(C'\fR or \f(CW\*(C`/\*(C'\fR characters. This can
be used to guard against printf-style format vulnerabilities in
-poorly-written programs. The argument may be a double\-quoted,
-space-separated list or a single value without double\-quotes. The
+poorly-written programs. The argument may be a double-quoted,
+space-separated list or a single value without double-quotes. The
list can be replaced, added to, deleted from, or disabled by using
the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators respectively. Regardless
of whether the \f(CW\*(C`env_reset\*(C'\fR option is enabled or disabled, variables
.IP "env_delete" 16
.IX Item "env_delete"
Environment variables to be removed from the user's environment.
-The argument may be a double\-quoted, space-separated list or a
-single value without double\-quotes. The list can be replaced, added
+The argument may be a double-quoted, space-separated list or a
+single value without double-quotes. The list can be replaced, added
to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and
\&\f(CW\*(C`!\*(C'\fR operators respectively. The default list of environment
variables to remove is displayed when \fBsudo\fR is run by root with the
Environment variables to be preserved in the user's environment
when the \fIenv_reset\fR option is in effect. This allows fine-grained
control over the environment \fBsudo\fR\-spawned processes will receive.
-The argument may be a double\-quoted, space-separated list or a
-single value without double\-quotes. The list can be replaced, added
+The argument may be a double-quoted, space-separated list or a
+single value without double-quotes. The list can be replaced, added
to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and
\&\f(CW\*(C`!\*(C'\fR operators respectively. The default list of variables to keep
is displayed when \fBsudo\fR is run by root with the \fI\-V\fR option.
\&\fBnotice\fR, and \fBwarning\fR.
.SH "FILES"
.IX Header "FILES"
-.IP "\fI@sysconfdir@/sudoers\fR" 24
+.ie n .IP "\fI@sysconfdir@/sudoers\fR" 24
+.el .IP "\fI@sysconfdir@/sudoers\fR" 24
.IX Item "@sysconfdir@/sudoers"
List of who can run what
.IP "\fI/etc/group\fR" 24
\& User_Alias FULLTIMERS = millert, mikef, dowdy
\& User_Alias PARTTIMERS = bostley, jwfox, crawl
\& User_Alias WEBMASTERS = will, wendy, wim
-.Ve
-.PP
-.Vb 3
+\&
\& # Runas alias specification
\& Runas_Alias OP = root, operator
\& Runas_Alias DB = oracle, sybase
-.Ve
-.PP
-.Vb 9
+\&
\& # Host alias specification
\& Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
\& SGI = grolsch, dandelion, black :\e
\& Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
\& Host_Alias SERVERS = master, mail, www, ns
\& Host_Alias CDROM = orion, perseus, hercules
-.Ve
-.PP
-.Vb 13
+\&
\& # Cmnd alias specification
\& Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
\& /usr/sbin/restore, /usr/sbin/rrestore
(\fI/usr/bin/more\fR, \fI/usr/bin/pg\fR and \fI/usr/bin/less\fR).
.PP
.Vb 7
-\& # Override built-in defaults
+\& # Override built\-in defaults
\& Defaults syslog=auth
\& Defaults>root !set_logname
\& Defaults:FULLTIMERS !lecture
The user \fBjoe\fR may only \fIsu\fR\|(1) to operator.
.PP
.Vb 1
-\& pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
+\& pete HPPA = /usr/bin/passwd [A\-Za\-z]*, !/usr/bin/passwd root
.Ve
.PP
The user \fBpete\fR is allowed to change anyone's password except for
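Review bot: `[A-z]*` -> `[A\-Za\-z]*` is a behaviour change to the example, not just dash escaping: in ASCII the range `A-z` also covers `[`, `\`, `]`, `^`, `_` and `` ` ``, so the old line let `pete` run `passwd` on names beginning with those characters, while `A-Za-z` restricts the argument to letters. Call this out in the change description so anyone who copied the old example into their own sudoers knows to update it.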
(\fBoracle\fR or \fBsybase\fR) without giving a password.
.PP
.Vb 1
-\& john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
+\& john ALPHA = /usr/bin/su [!\-]*, !/usr/bin/su *root*
.Ve
.PP
On the \fI\s-1ALPHA\s0\fR machines, user \fBjohn\fR may su to anyone except root
.PP
.Vb 2
\& ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
-\& /sbin/mount -o nosuid\e,nodev /dev/cd0a /CDROM
+\& /sbin/mount \-o nosuid\e,nodev /dev/cd0a /CDROM
.Ve
.PP
Any user may mount or unmount a CD-ROM on the machines in the \s-1CDROM\s0
the following as root:
.Sp
.Vb 1
-\& sudo -V | grep "dummy exec"
+\& sudo \-V | grep "dummy exec"
.Ve
.Sp
If the resulting output contains a line that begins with:
then \fBsudo\fR may be able to replace the exec family of functions
in the standard library with its own that simply return an error.
Unfortunately, there is no foolproof way to know whether or not
-\&\fInoexec\fR will work at compile\-time. \fInoexec\fR should work on
+\&\fInoexec\fR will work at compile-time. \fInoexec\fR should work on
SunOS, Solaris, *BSD, Linux, \s-1IRIX\s0, Tru64 \s-1UNIX\s0, MacOS X, and HP-UX
11.x. It is known \fBnot\fR to work on \s-1AIX\s0 and UnixWare. \fInoexec\fR
is expected to work on most operating systems that support the
D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
v\bvi\bis\bsu\bud\bdo\bo edits the _\bs_\bu_\bd_\bo_\be_\br_\bs file in a safe fashion, analogous to _\bv_\bi_\bp_\bw(1m).
- v\bvi\bis\bsu\bud\bdo\bo locks the _\bs_\bu_\bd_\bo_\be_\br_\bs file against multiple simultaneous edits, pro-
- vides basic sanity checks, and checks for parse errors. If the _\bs_\bu_\bd_\bo_\be_\br_\bs
- file is currently being edited you will receive a message to try again
- later.
-
- There is a hard-coded list of editors that v\bvi\bis\bsu\bud\bdo\bo will use set at com-
- pile-time that may be overridden via the _\be_\bd_\bi_\bt_\bo_\br _\bs_\bu_\bd_\bo_\be_\br_\bs Default vari-
- able. This list defaults to the path to _\bv_\bi(1) on your system, as
+ v\bvi\bis\bsu\bud\bdo\bo locks the _\bs_\bu_\bd_\bo_\be_\br_\bs file against multiple simultaneous edits,
+ provides basic sanity checks, and checks for parse errors. If the
+ _\bs_\bu_\bd_\bo_\be_\br_\bs file is currently being edited you will receive a message to
+ try again later.
+
+ There is a hard-coded list of editors that v\bvi\bis\bsu\bud\bdo\bo will use set at
+ compile-time that may be overridden via the _\be_\bd_\bi_\bt_\bo_\br _\bs_\bu_\bd_\bo_\be_\br_\bs Default
+ variable. This list defaults to the path to _\bv_\bi(1) on your system, as
determined by the _\bc_\bo_\bn_\bf_\bi_\bg_\bu_\br_\be script. Normally, v\bvi\bis\bsu\bud\bdo\bo does not honor
- the VISUAL or EDITOR environment variables unless they contain an edi-
- tor in the aforementioned editors list. However, if v\bvi\bis\bsu\bud\bdo\bo is config-
- ured with the _\b-_\b-_\bw_\bi_\bt_\bh_\b-_\be_\bn_\bv_\be_\bd_\bi_\bt_\bo_\br flag or the _\be_\bn_\bv_\b__\be_\bd_\bi_\bt_\bo_\br Default variable
- is set in _\bs_\bu_\bd_\bo_\be_\br_\bs, v\bvi\bis\bsu\bud\bdo\bo will use any the editor defines by VISUAL or
- EDITOR. Note that this can be a security hole since it allows the user
- to execute any program they wish simply by setting VISUAL or EDITOR.
+ the VISUAL or EDITOR environment variables unless they contain an
+ editor in the aforementioned editors list. However, if v\bvi\bis\bsu\bud\bdo\bo is
+ configured with the _\b-_\b-_\bw_\bi_\bt_\bh_\b-_\be_\bn_\bv_\be_\bd_\bi_\bt_\bo_\br flag or the _\be_\bn_\bv_\b__\be_\bd_\bi_\bt_\bo_\br Default
+ variable is set in _\bs_\bu_\bd_\bo_\be_\br_\bs, v\bvi\bis\bsu\bud\bdo\bo will use any the editor defines by
+ VISUAL or EDITOR. Note that this can be a security hole since it
+ allows the user to execute any program they wish simply by setting
+ VISUAL or EDITOR.
v\bvi\bis\bsu\bud\bdo\bo parses the _\bs_\bu_\bd_\bo_\be_\br_\bs file after the edit and will not save the
changes if there is a syntax error. Upon finding an error, v\bvi\bis\bsu\bud\bdo\bo will
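Review bot: the rewrapped text keeps the existing garble `will use any the editor defines by VISUAL or EDITOR`; this is the sentence warning that `env_editor` / `--with-env-editor` let a user run an arbitrary program through visudo, so it should read cleanly (e.g. `will use any editor defined by VISUAL or EDITOR`). As this is the rendered cat page, fix it in visudo.pod and regenerate.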
-f _\bs_\bu_\bd_\bo_\be_\br_\bs Specify and alternate _\bs_\bu_\bd_\bo_\be_\br_\bs file location. With this
option v\bvi\bis\bsu\bud\bdo\bo will edit (or check) the _\bs_\bu_\bd_\bo_\be_\br_\bs file of your
- choice, instead of the default, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. The lock
- file used is the specified _\bs_\bu_\bd_\bo_\be_\br_\bs file with ".tmp"
+ choice, instead of the default, _\b@_\bs_\by_\bs_\bc_\bo_\bn_\bf_\bd_\bi_\br_\b@_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. The
+ lock file used is the specified _\bs_\bu_\bd_\bo_\be_\br_\bs file with ".tmp"
appended to it.
-q Enable q\bqu\bui\bie\bet\bt mode. In this mode details about syntax
- errors are not printed. This option is only useful when
-1.7.0 May 2, 2008 1
+1.7.0 October 24, 2008 1
VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m)
+ errors are not printed. This option is only useful when
combined with the -\b-c\bc flag.
-s Enable s\bst\btr\bri\bic\bct\bt checking of the _\bs_\bu_\bd_\bo_\be_\br_\bs file. If an alias is
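Review bot: the default path in the rendered cat page changes from `/etc/sudoers` to the unexpanded `@sysconfdir@/sudoers`; confirm that the cat page goes through the same configure/sed substitution as the `.man.in` at build or install time, otherwise users reading `visudo.cat` will see the literal `@sysconfdir@`. The same applies to the FILES entries below. Also in this hunk's context: `Specify and alternate` should be `Specify an alternate` (the same typo is in the `.man.in` source further down, so fix it in visudo.pod).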
EDITOR Used by visudo if VISUAL is not set
F\bFI\bIL\bLE\bES\bS
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
+ _\b@_\bs_\by_\bs_\bc_\bo_\bn_\bf_\bd_\bi_\br_\b@_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bt_\bm_\bp Lock file for visudo
+ _\b@_\bs_\by_\bs_\bc_\bo_\bn_\bf_\bd_\bi_\br_\b@_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bt_\bm_\bp
+ Lock file for visudo
D\bDI\bIA\bAG\bGN\bNO\bOS\bST\bTI\bIC\bCS\bS
sudoers file busy, try again later.
Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined
Either you are trying to use an undeclare
{User,Runas,Host,Cmnd}_Alias or you have a user or hostname listed
- that consists solely of uppercase letters, digits, and the under-
- score ('_') character. In the latter case, you can ignore the
+ that consists solely of uppercase letters, digits, and the
+ underscore ('_') character. In the latter case, you can ignore the
warnings (s\bsu\bud\bdo\bo will not complain). In -\b-s\bs (strict) mode these are
errors, not warnings.
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
_\bv_\bi(1), _\bs_\bu_\bd_\bo_\be_\br_\bs(4), _\bs_\bu_\bd_\bo(1m), _\bv_\bi_\bp_\bw(8)
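Review bot: the context line `Either you are trying to use an undeclare` should read `undeclared`; the rewrap below it keeps the typo. Fix it in visudo.pod so the rendered page picks it up on the next regeneration.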
-A\bAU\bUT\bTH\bHO\bOR\bR
- Many people have worked on _\bs_\bu_\bd_\bo over the years; this version of v\bvi\bis\bsu\bud\bdo\bo
- was written by:
-1.7.0 May 2, 2008 2
+
+1.7.0 October 24, 2008 2
VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m)
+A\bAU\bUT\bTH\bHO\bOR\bR
+ Many people have worked on _\bs_\bu_\bd_\bo over the years; this version of v\bvi\bis\bsu\bud\bdo\bo
+ was written by:
+
Todd Miller
See the HISTORY file in the sudo distribution or visit
D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
v\bvi\bis\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
- including, but not limited to, the implied warranties of merchantabil-
- ity and fitness for a particular purpose are disclaimed. See the
- LICENSE file distributed with s\bsu\bud\bdo\bo or
+ including, but not limited to, the implied warranties of
+ merchantability and fitness for a particular purpose are disclaimed.
+ See the LICENSE file distributed with s\bsu\bud\bdo\bo or
http://www.sudo.ws/sudo/license.html for complete details.
-
-
-
-
-1.7.0 May 2, 2008 3
+1.7.0 October 24, 2008 3
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.\" $Sudo$
-.\" Automatically generated by Pod::Man v1.37, Pod::Parser v1.32
+.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05)
.\"
.\" Standard preamble:
.\" ========================================================================
..
.\" Set up some character translations and predefined strings. \*(-- will
.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. | will give a
-.\" real vertical bar. \*(C+ will give a nicer C++. Capital omega is used to
-.\" do unbreakable dashes and therefore won't be available. \*(C` and \*(C'
-.\" expand to `' in nroff, nothing in troff, for use with C<>.
-.tr \(*W-|\(bv\*(Tr
+.\" double quote, and \*(R" will give a right double quote. \*(C+ will
+.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
+.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
+.\" nothing in troff, for use with C<>.
+.tr \(*W-
.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
.ie n \{\
. ds -- \(*W-
. ds R" ''
'br\}
.\"
+.\" Escape single quotes in literal strings from groff's Unicode transform.
+.ie \n(.g .ds Aq \(aq
+.el .ds Aq '
+.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
-.if \nF \{\
+.ie \nF \{\
. de IX
. tm Index:\\$1\t\\n%\t"\\$2"
..
. nr % 0
. rr F
.\}
-.\"
-.\" For nroff, turn off justification. Always turn off hyphenation; it makes
-.\" way too many mistakes in technical documents.
-.hy 0
-.if n .na
+.el \{\
+. de IX
+..
+.\}
.\"
.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
.\" Fear. Run. Save yourself. No user-serviceable parts.
.\" ========================================================================
.\"
.IX Title "VISUDO @mansectsu@"
-.TH VISUDO @mansectsu@ "May 2, 2008" "1.7.0" "MAINTENANCE COMMANDS"
+.TH VISUDO @mansectsu@ "October 24, 2008" "1.7.0" "MAINTENANCE COMMANDS"
+.\" For nroff, turn off justification. Always turn off hyphenation; it makes
+.\" way too many mistakes in technical documents.
+.if n .ad l
+.nh
.SH "NAME"
visudo \- edit the sudoers file
.SH "SYNOPSIS"
.IX Item "-f sudoers"
Specify and alternate \fIsudoers\fR file location. With this option
\&\fBvisudo\fR will edit (or check) the \fIsudoers\fR file of your choice,
-instead of the default, \fI@sysconfdir@/sudoers\fR. The lock file used
+instead of the default, \fI\f(CI@sysconfdir\fI@/sudoers\fR. The lock file used
is the specified \fIsudoers\fR file with \*(L".tmp\*(R" appended to it.
.IP "\-q" 12
.IX Item "-q"
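Review bot: the `@sysconfdir@` token is now split by a font change, `\fI\f(CI@sysconfdir\fI@/sudoers\fR`, because Pod::Man 2.16's guesswork formats `@sysconfdir` as a variable name. A sed/configure replacement of the literal string `@sysconfdir@` no longer matches, so the installed visudo page would print `@sysconfdir@/sudoers` verbatim instead of the configured path. Compare the sudoers page in this same patch, whose FILES entry keeps `\fI@sysconfdir@/sudoers\fR` intact. Either escape the placeholder in the POD so guesswork leaves it alone, or post-process the generated output to rejoin the token before substitution.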
Used by visudo if \s-1VISUAL\s0 is not set
.SH "FILES"
.IX Header "FILES"
-.IP "\fI@sysconfdir@/sudoers\fR" 24
+.ie n .IP "\fI\fI@sysconfdir\fI@/sudoers\fR" 24
+.el .IP "\fI\f(CI@sysconfdir\fI@/sudoers\fR" 24
.IX Item "@sysconfdir@/sudoers"
List of who can run what
-.IP "\fI@sysconfdir@/sudoers.tmp\fR" 24
+.ie n .IP "\fI\fI@sysconfdir\fI@/sudoers.tmp\fR" 24
+.el .IP "\fI\f(CI@sysconfdir\fI@/sudoers.tmp\fR" 24
.IX Item "@sysconfdir@/sudoers.tmp"
Lock file for visudo
.SH "DIAGNOSTICS"
.IP "sudoers file busy, try again later." 4
.IX Item "sudoers file busy, try again later."
Someone else is currently editing the \fIsudoers\fR file.
-.IP "@sysconfdir@/sudoers.tmp: Permission denied" 4
+.ie n .IP "@sysconfdir@/sudoers.tmp: Permission denied" 4
+.el .IP "\f(CW@sysconfdir\fR@/sudoers.tmp: Permission denied" 4
.IX Item "@sysconfdir@/sudoers.tmp: Permission denied"
You didn't run \fBvisudo\fR as root.
.IP "Can't find you in the passwd database" 4
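Review bot: same split-placeholder problem in the FILES and DIAGNOSTICS items: `\fI\fI@sysconfdir\fI@/sudoers\fR`, `\fI\f(CI@sysconfdir\fI@/sudoers.tmp\fR` and, in the `.el` branch of the `Permission denied` item, `\f(CW@sysconfdir\fR@/sudoers.tmp`. Only the `.ie n` branch of that last item keeps `@sysconfdir@` contiguous, so nroff and troff output would differ after substitution; these need the same fix as the `-f` option text above.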