_\ba_\bs_\bk_\bp_\ba_\bs_\bs may be overridden by the SUDO_ASKPASS environment
variable.
-
+ env_file The _\be_\bn_\bv_\b__\bf_\bi_\bl_\be options specifies the fully-qualilfy path to a
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ file containing variables to be set in the environment of
+ the program being run. Entries in this file should be of
+ the form VARIABLE=value. Variables in this file are sub-
+ ject to other s\bsu\bud\bdo\bo environment settings such as _\be_\bn_\bv_\b__\bk_\be_\be_\bp
+ and _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk.
+
exempt_group
Users in this group are exempt from password and PATH
requirements. This is not set by default.
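Review bot: the new env_file entry ("+ env_file The env_file options specifies the fully-qualilfy path to a" and the lines that follow) has two typos in its first sentence: "options specifies" should be "option specifies" and "fully-qualilfy" should be "fully-qualified". The entry also straddles the page break, with the SUDOERS(4) header landing between "path to a" and "file containing variables", so keeping the whole entry on one page would read better. Since this documents a file that sudo will read and apply to the environment of a privileged command, it would also help to state who must own the file and what permissions it needs, and how it interacts with env_reset; the hunk only mentions env_keep and env_check.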
ting a path turns on logging to a file; negating this
option turns it off. By default, s\bsu\bud\bdo\bo logs via syslog.
- mailerflags Flags to use when invoking mailer. Defaults to -\b-t\bt.
-
- mailerpath Path to mail program used to send warning mail. Defaults
- to the path to sendmail found at configure time.
-
-
1.7.0 May 2, 2008 15
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ mailerflags Flags to use when invoking mailer. Defaults to -\b-t\bt.
+
+ mailerpath Path to mail program used to send warning mail. Defaults
+ to the path to sendmail found at configure time.
+
mailfrom Address to use for the "from" address when sending warning
and error mail. The address should be enclosed in double
quotes (") to protect against s\bsu\bud\bdo\bo interpreting the @ sign.
environment if the variable's value contains % or /
characters. This can be used to guard against printf-
style format vulnerabilities in poorly-written pro-
- grams. The argument may be a double-quoted, space-sep-
- arated list or a single value without double-quotes.
- The list can be replaced, added to, deleted from, or
- disabled by using the =, +=, -=, and ! operators
- respectively. Regardless of whether the env_reset
- option is enabled or disabled, variables specified by
+ grams. The argument may be a double-quoted, space-
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ separated list or a single value without double-quotes.
+ The list can be replaced, added to, deleted from, or
+ disabled by using the =, +=, -=, and ! operators
+ respectively. Regardless of whether the env_reset
+ option is enabled or disabled, variables specified by
env_check will be preserved in the environment if they
pass the aforementioned check. The default list of
environment variables to check is displayed when s\bsu\bud\bdo\bo
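Review bot: the repaginated env_check text breaks the hyphenated word "space-separated" across the page boundary ("+ grams. The argument may be a double-quoted, space-" followed by the SUDOERS(4) header and then "+ separated list or a single value without double-quotes."). Moving the break one line earlier or later would keep the word on one page; the wording itself is unchanged from the removed lines.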
Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of these are a bit
contrived. First, we define our _\ba_\bl_\bi_\ba_\bs_\be_\bs:
- # User alias specification
- User_Alias FULLTIMERS = millert, mikef, dowdy
- User_Alias PARTTIMERS = bostley, jwfox, crawl
- User_Alias WEBMASTERS = will, wendy, wim
- # Runas alias specification
- Runas_Alias OP = root, operator
- Runas_Alias DB = oracle, sybase
+
+
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ # User alias specification
+ User_Alias FULLTIMERS = millert, mikef, dowdy
+ User_Alias PARTTIMERS = bostley, jwfox, crawl
+ User_Alias WEBMASTERS = will, wendy, wim
+
+ # Runas alias specification
+ Runas_Alias OP = root, operator
+ Runas_Alias DB = oracle, sybase
+
# Host alias specification
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
SGI = grolsch, dandelion, black :\
The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually determines who may run
what.
- root ALL = (ALL) ALL
- %wheel ALL = (ALL) ALL
-
- We let r\bro\boo\bot\bt and any user in group w\bwh\bhe\bee\bel\bl run any command on any host as
- any user.
- FULLTIMERS ALL = NOPASSWD: ALL
+1.7.0 May 2, 2008 18
-1.7.0 May 2, 2008 18
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ root ALL = (ALL) ALL
+ %wheel ALL = (ALL) ALL
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ We let r\bro\boo\bot\bt and any user in group w\bwh\bhe\bee\bel\bl run any command on any host as
+ any user.
+ FULLTIMERS ALL = NOPASSWD: ALL
Full time sysadmins (m\bmi\bil\bll\ble\ber\brt\bt, m\bmi\bik\bke\bef\bf, and d\bdo\bow\bwd\bdy\by) may run any command on
any host without authenticating themselves.
jim +biglab = ALL
- The user j\bji\bim\bm may run any command on machines in the _\bb_\bi_\bg_\bl_\ba_\bb netgroup.
- s\bsu\bud\bdo\bo knows that "biglab" is a netgroup due to the '+' prefix.
-
- +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
-
- Users in the s\bse\bec\bcr\bre\bet\bta\bar\bri\bie\bes\bs netgroup need to help manage the printers as
- well as add and remove users, so they are allowed to run those commands
-
1.7.0 May 2, 2008 19
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ The user j\bji\bim\bm may run any command on machines in the _\bb_\bi_\bg_\bl_\ba_\bb netgroup.
+ s\bsu\bud\bdo\bo knows that "biglab" is a netgroup due to the '+' prefix.
+
+ +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
+
+ Users in the s\bse\bec\bcr\bre\bet\bta\bar\bri\bie\bes\bs netgroup need to help manage the printers as
+ well as add and remove users, so they are allowed to run those commands
on all machines.
fred ALL = (DB) NOPASSWD: ALL
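Review bot: after this repagination the example line "jim +biglab = ALL" is left as the last line of page 19 while its explanation ("+ The user jim may run any command on machines in the biglab netgroup.") begins page 20. The previous layout kept that example with its explanation and instead split the sentence about the secretaries netgroup ("allowed to run those commands" / "on all machines."). One break has to fall somewhere, but a sudoers line should stay adjacent to the sentence that explains it, so consider placing the break before "jim +biglab = ALL" rather than after it.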
This is a bit tedious for users to type, so it is a prime candidate for
encapsulating in a shell script.
-S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
- It is generally not effective to "subtract" commands from ALL using the
- '!' operator. A user can trivially circumvent this by copying the
- desired command to a different name and then executing that. For exam-
- ple:
-
- bill ALL = ALL, !SU, !SHELLS
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
+ It is generally not effective to "subtract" commands from ALL using the
+ '!' operator. A user can trivially circumvent this by copying the
+ desired command to a different name and then executing that. For exam-
+ ple:
+
+ bill ALL = ALL, !SU, !SHELLS
+
Doesn't really prevent b\bbi\bil\bll\bl from running the commands listed in _\bS_\bU or
_\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those commands to a different name, or
use a shell escape from an editor or other program. Therefore, these
in the standard library with its own that simply return an
error. Unfortunately, there is no foolproof way to know
whether or not _\bn_\bo_\be_\bx_\be_\bc will work at compile-time. _\bn_\bo_\be_\bx_\be_\bc
- should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX,
- MacOS X, and HP-UX 11.x. It is known n\bno\bot\bt to work on AIX and
- UnixWare. _\bn_\bo_\be_\bx_\be_\bc is expected to work on most operating sys-
- tems that support the LD_PRELOAD environment variable. Check
- your operating system's manual pages for the dynamic linker
- (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see
- if LD_PRELOAD is supported.
-
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX,
+ MacOS X, and HP-UX 11.x. It is known n\bno\bot\bt to work on AIX and
+ UnixWare. _\bn_\bo_\be_\bx_\be_\bc is expected to work on most operating sys-
+ tems that support the LD_PRELOAD environment variable. Check
+ your operating system's manual pages for the dynamic linker
+ (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see
+ if LD_PRELOAD is supported.
+
To enable _\bn_\bo_\be_\bx_\be_\bc for a command, use the NOEXEC tag as docu-
mented in the User Specification section above. Here is that
example again:
including, but not limited to, the implied warranties of merchantabil-
ity and fitness for a particular purpose are disclaimed. See the
LICENSE file distributed with s\bsu\bud\bdo\bo or
+
+
+
+1.7.0 May 2, 2008 22
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
http://www.sudo.ws/sudo/license.html for complete details.
-1.7.0 May 2, 2008 22
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+1.7.0 May 2, 2008 23
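Review bot: the final hunk moves the page 22 footer before the license URL, so that page 23 consists of the single line "http://www.sudo.ws/sudo/license.html for complete details." followed by roughly forty-five blank "+" lines and the footer "+1.7.0 May 2, 2008 23". Splitting "See the LICENSE file distributed with sudo or" from its continuation and adding a nearly empty page for one line is a formatter artifact of the earlier page-break shifts rather than a content change; it is worth checking the page-length setting used to generate this file before committing it.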