-SUDO(8) MAINTENANCE COMMANDS SUDO(8)
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
N\bNA\bAM\bME\bE
S\bSY\bYN\bNO\bOP\bPS\bSI\bIS\bS
s\bsu\bud\bdo\bo -\b-h\bh | -\b-K\bK | -\b-k\bk | -\b-L\bL | -\b-V\bV | -\b-v\bv
- s\bsu\bud\bdo\bo -\b-l\bl [-\b-g\bg _\bg_\br_\bo_\bu_\bp_\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-U\bU _\bu_\bs_\be_\br_\bn_\ba_\bm_\be] [-\b-u\bu _\bu_\bs_\be_\br_\b-
- _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
+ s\bsu\bud\bdo\bo -\b-l\bl [-\b-g\bg _\bg_\br_\bo_\bu_\bp_\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-U\bU _\bu_\bs_\be_\br_\bn_\ba_\bm_\be] [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
- s\bsu\bud\bdo\bo [-\b-b\bbE\bEH\bHP\bPS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-]
- [-\b-g\bg _\bg_\br_\bo_\bu_\bp_\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd]
- [V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be] [{-\b-i\bi | -\b-s\bs] [<_\bc_\bo_\bm_\bm_\ba_\bn_\bd}]
+ s\bsu\bud\bdo\bo [-\b-b\bbE\bEH\bHP\bPS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-] [-\b-g\bg _\bg_\br_\bo_\bu_\bp_\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd]
+ [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be] [{-\b-i\bi | -\b-s\bs] [<_\bc_\bo_\bm_\bm_\ba_\bn_\bd}]
- s\bsu\bud\bdo\boe\bed\bdi\bit\bt [-\b-S\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-]
- [-\b-g\bg _\bg_\br_\bo_\bu_\bp_\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] file
- ...
+ s\bsu\bud\bdo\boe\bed\bdi\bit\bt [-\b-S\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-] [-\b-g\bg _\bg_\br_\bo_\bu_\bp_\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd]
+ [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] file ...
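Review bot: the bracket grouping at the end of the rewrapped sudo synopsis (the `+` line closing the third form) is still mismatched: as rendered it reads `[{-i | -s] [<command}]`, opening with `[{` and `[<` but closing with `]` and `}]`. The removed lines had the same defect, but since this line is being regenerated anyway the source should be corrected so it renders as `[-i | -s] [command]`, matching how `[command]` is written in the `sudo -l` form two lines above; otherwise the garbled grouping is carried forward into the 1m page.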
D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- s\bsu\bud\bdo\bo allows a permitted user to execute a _\bc_\bo_\bm_\bm_\ba_\bn_\bd as the
- superuser or another user, as specified in the _\bs_\bu_\bd_\bo_\be_\br_\bs
- file. The real and effective uid and gid are set to match
- those of the target user as specified in the passwd file
- and the group vector is initialized based on the group
- file (unless the -\b-P\bP option was specified). If the invok-
- ing user is root or if the target user is the same as the
- invoking user, no password is required. Otherwise, s\bsu\bud\bdo\bo
- requires that users authenticate themselves with a pass-
- word by default (NOTE: in the default configuration this
- is the user's password, not the root password). Once a
- user has been authenticated, a timestamp is updated and
- the user may then use sudo without a password for a short
- period of time (5 minutes unless overridden in _\bs_\bu_\bd_\bo_\be_\br_\bs).
+ s\bsu\bud\bdo\bo allows a permitted user to execute a _\bc_\bo_\bm_\bm_\ba_\bn_\bd as the superuser or
+ another user, as specified in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. The real and effective
+ uid and gid are set to match those of the target user as specified in
+ the passwd file and the group vector is initialized based on the group
+ file (unless the -\b-P\bP option was specified). If the invoking user is
+ root or if the target user is the same as the invoking user, no pass-
+ word is required. Otherwise, s\bsu\bud\bdo\bo requires that users authenticate
+ themselves with a password by default (NOTE: in the default configura-
+ tion this is the user's password, not the root password). Once a user
+ has been authenticated, a timestamp is updated and the user may then
+ use sudo without a password for a short period of time (5 minutes
+ unless overridden in _\bs_\bu_\bd_\bo_\be_\br_\bs).
- When invoked as s\bsu\bud\bdo\boe\bed\bdi\bit\bt, the -\b-e\be option (described below),
- is implied.
+ When invoked as s\bsu\bud\bdo\boe\bed\bdi\bit\bt, the -\b-e\be option (described below), is implied.
- s\bsu\bud\bdo\bo determines who is an authorized user by consulting
- the file _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. By giving s\bsu\bud\bdo\bo the -\b-v\bv flag, a user
- can update the time stamp without running a _\bc_\bo_\bm_\bm_\ba_\bn_\bd. The
- password prompt itself will also time out if the user's
- password is not entered within 5 minutes (unless overrid-
- den via _\bs_\bu_\bd_\bo_\be_\br_\bs).
+ s\bsu\bud\bdo\bo determines who is an authorized user by consulting the file
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. By giving s\bsu\bud\bdo\bo the -\b-v\bv flag, a user can update the time
+ stamp without running a _\bc_\bo_\bm_\bm_\ba_\bn_\bd. The password prompt itself will also
+ time out if the user's password is not entered within 5 minutes (unless
+ overridden via _\bs_\bu_\bd_\bo_\be_\br_\bs).
- If a user who is not listed in the _\bs_\bu_\bd_\bo_\be_\br_\bs file tries to
- run a command via s\bsu\bud\bdo\bo, mail is sent to the proper author-
- ities, as defined at configure time or in the _\bs_\bu_\bd_\bo_\be_\br_\bs file
- (defaults to root). Note that the mail will not be sent
- if an unauthorized user tries to run sudo with the -\b-l\bl or
- -\b-v\bv flags. This allows users to determine for themselves
- whether or not they are allowed to use s\bsu\bud\bdo\bo.
+ If a user who is not listed in the _\bs_\bu_\bd_\bo_\be_\br_\bs file tries to run a command
+ via s\bsu\bud\bdo\bo, mail is sent to the proper authorities, as defined at config-
+ ure time or in the _\bs_\bu_\bd_\bo_\be_\br_\bs file (defaults to root). Note that the mail
+ will not be sent if an unauthorized user tries to run sudo with the -\b-l\bl
+ or -\b-v\bv flags. This allows users to determine for themselves whether or
+ not they are allowed to use s\bsu\bud\bdo\bo.
- If s\bsu\bud\bdo\bo is run by root and the SUDO_USER environment vari-
- able is set, s\bsu\bud\bdo\bo will use this value to determine who the
- actual user is. This can be used by a user to log
+ If s\bsu\bud\bdo\bo is run by root and the SUDO_USER environment variable is set,
+ s\bsu\bud\bdo\bo will use this value to determine who the actual user is. This can
+ be used by a user to log commands through sudo even when a root shell
+ has been invoked. It also allows the -\b-e\be flag to remain useful even
+ when being run via a sudo-run script or program. Note however, that
+ the sudoers lookup is still done for root, not the user specified by
+ SUDO_USER.
+ s\bsu\bud\bdo\bo can log both successful and unsuccessful attempts (as well as
+ errors) to _\bs_\by_\bs_\bl_\bo_\bg(3), a log file, or both. By default s\bsu\bud\bdo\bo will log
+ via _\bs_\by_\bs_\bl_\bo_\bg(3) but this is changeable at configure time or via the
-1.7 January 1, 2008 1
+1.7 January 21, 2008 1
-SUDO(8) MAINTENANCE COMMANDS SUDO(8)
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
- commands through sudo even when a root shell has been
- invoked. It also allows the -\b-e\be flag to remain useful even
- when being run via a sudo-run script or program. Note
- however, that the sudoers lookup is still done for root,
- not the user specified by SUDO_USER.
- s\bsu\bud\bdo\bo can log both successful and unsuccessful attempts (as
- well as errors) to _\bs_\by_\bs_\bl_\bo_\bg(3), a log file, or both. By
- default s\bsu\bud\bdo\bo will log via _\bs_\by_\bs_\bl_\bo_\bg(3) but this is changeable
- at configure time or via the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
+ _\bs_\bu_\bd_\bo_\be_\br_\bs file.
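Review bot: the header change from SUDO(8) to SUDO(1m) is applied to every page header in the diff, the footer date moves from January 1 to January 21, 2008, and the matching sudoers(5) and passwd(5) to (4) cross-reference changes appear in the later regions, while grep(1), syslog(3) and stat(2) are left alone, which is correct. Because the same regeneration also rewraps every paragraph to a wider line width, nearly every line of the page shows as changed and the section-numbering change is hard to pick out; if this is generated output, a diff against the roff/pod source (or a regeneration at the old width) would isolate the substantive change and make it reviewable.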
O\bOP\bPT\bTI\bIO\bON\bNS\bS
s\bsu\bud\bdo\bo accepts the following command line options:
- -a _\bt_\by_\bp_\be The -\b-a\ba (_\ba_\bu_\bt_\bh_\be_\bn_\bt_\bi_\bc_\ba_\bt_\bi_\bo_\bn _\bt_\by_\bp_\be) option causes
- s\bsu\bud\bdo\bo to use the specified authentication type
- when validating the user, as allowed by
- _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. The system administrator may
- specify a list of sudo-specific authentication
- methods by adding an "auth-sudo" entry in
- _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. This option is only avail-
- able on systems that support BSD authentica-
- tion.
-
- -b The -\b-b\bb (_\bb_\ba_\bc_\bk_\bg_\br_\bo_\bu_\bn_\bd) option tells s\bsu\bud\bdo\bo to run
- the given command in the background. Note
- that if you use the -\b-b\bb option you cannot use
- shell job control to manipulate the process.
-
- -C _\bf_\bd Normally, s\bsu\bud\bdo\bo will close all open file
- descriptors other than standard input, stan-
- dard output and standard error. The -\b-C\bC (_\bc_\bl_\bo_\bs_\be
- _\bf_\br_\bo_\bm) option allows the user to specify a
- starting point above the standard error (file
- descriptor three). Values less than three are
- not permitted. This option is only available
- if the administrator has enabled the _\bc_\bl_\bo_\bs_\be_\b-
- _\bf_\br_\bo_\bm_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be option in _\bs_\bu_\bd_\bo_\be_\br_\bs(5).
-
- -c _\bc_\bl_\ba_\bs_\bs The -\b-c\bc (_\bc_\bl_\ba_\bs_\bs) option causes s\bsu\bud\bdo\bo to run the
- specified command with resources limited by
- the specified login class. The _\bc_\bl_\ba_\bs_\bs argument
- can be either a class name as defined in
- _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf, or a single '-' character.
- Specifying a _\bc_\bl_\ba_\bs_\bs of - indicates that the
- command should be run restricted by the
- default login capabilities for the user the
- command is run as. If the _\bc_\bl_\ba_\bs_\bs argument
- specifies an existing user class, the command
- must be run as root, or the s\bsu\bud\bdo\bo command must
- be run from a shell that is already root.
- This option is only available on systems with
- BSD login classes.
+ -a _\bt_\by_\bp_\be The -\b-a\ba (_\ba_\bu_\bt_\bh_\be_\bn_\bt_\bi_\bc_\ba_\bt_\bi_\bo_\bn _\bt_\by_\bp_\be) option causes s\bsu\bud\bdo\bo to use the
+ specified authentication type when validating the user, as
+ allowed by _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. The system administrator may
+ specify a list of sudo-specific authentication methods by
+ adding an "auth-sudo" entry in _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. This
+ option is only available on systems that support BSD
+ authentication.
+
+ -b The -\b-b\bb (_\bb_\ba_\bc_\bk_\bg_\br_\bo_\bu_\bn_\bd) option tells s\bsu\bud\bdo\bo to run the given com-
+ mand in the background. Note that if you use the -\b-b\bb option
+ you cannot use shell job control to manipulate the process.
+
+ -C _\bf_\bd Normally, s\bsu\bud\bdo\bo will close all open file descriptors other
+ than standard input, standard output and standard error.
+ The -\b-C\bC (_\bc_\bl_\bo_\bs_\be _\bf_\br_\bo_\bm) option allows the user to specify a
+ starting point above the standard error (file descriptor
+ three). Values less than three are not permitted. This
+ option is only available if the administrator has enabled
+ the _\bc_\bl_\bo_\bs_\be_\bf_\br_\bo_\bm_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be option in _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
+
+ -c _\bc_\bl_\ba_\bs_\bs The -\b-c\bc (_\bc_\bl_\ba_\bs_\bs) option causes s\bsu\bud\bdo\bo to run the specified com-
+ mand with resources limited by the specified login class.
+ The _\bc_\bl_\ba_\bs_\bs argument can be either a class name as defined in
+ _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf, or a single '-' character. Specifying a
+ _\bc_\bl_\ba_\bs_\bs of - indicates that the command should be run
+ restricted by the default login capabilities for the user
+ the command is run as. If the _\bc_\bl_\ba_\bs_\bs argument specifies an
+ existing user class, the command must be run as root, or
+ the s\bsu\bud\bdo\bo command must be run from a shell that is already
+ root. This option is only available on systems with BSD
+ login classes.
+
+ -E The -\b-E\bE (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt) option will override the
+ _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option in _\bs_\bu_\bd_\bo_\be_\br_\bs(4)). It is only available when
+ either the matching command has the SETENV tag or the
+ _\bs_\be_\bt_\be_\bn_\bv option is set in _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
+
+ -e The -\b-e\be (_\be_\bd_\bi_\bt) option indicates that, instead of running a
+ command, the user wishes to edit one or more files. In
+ lieu of a command, the string "sudoedit" is used when con-
+ sulting the _\bs_\bu_\bd_\bo_\be_\br_\bs file. If the user is authorized by
+ _\bs_\bu_\bd_\bo_\be_\br_\bs the following steps are taken:
+ 1. Temporary copies are made of the files to be edited
+ with the owner set to the invoking user.
+ 2. The editor specified by the VISUAL or EDITOR environ-
+ ment variables is run to edit the temporary files. If
+ neither VISUAL nor EDITOR are set, the program listed
-1.7 January 1, 2008 2
+1.7 January 21, 2008 2
-SUDO(8) MAINTENANCE COMMANDS SUDO(8)
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
- -E The -\b-E\bE (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt) option will
- override the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option in _\bs_\bu_\bd_\bo_\be_\br_\bs(5)).
- It is only available when either the matching
- command has the SETENV tag or the _\bs_\be_\bt_\be_\bn_\bv
- option is set in _\bs_\bu_\bd_\bo_\be_\br_\bs(5).
- -e The -\b-e\be (_\be_\bd_\bi_\bt) option indicates that, instead
- of running a command, the user wishes to edit
- one or more files. In lieu of a command, the
- string "sudoedit" is used when consulting the
- _\bs_\bu_\bd_\bo_\be_\br_\bs file. If the user is authorized by
- _\bs_\bu_\bd_\bo_\be_\br_\bs the following steps are taken:
+ in the _\be_\bd_\bi_\bt_\bo_\br _\bs_\bu_\bd_\bo_\be_\br_\bs variable is used.
- 1. Temporary copies are made of the files to
- be edited with the owner set to the invok-
- ing user.
+ 3. If they have been modified, the temporary files are
+ copied back to their original location and the tempo-
+ rary versions are removed.
- 2. The editor specified by the VISUAL or EDI-
- TOR environment variables is run to edit
- the temporary files. If neither VISUAL
- nor EDITOR are set, the program listed in
- the _\be_\bd_\bi_\bt_\bo_\br _\bs_\bu_\bd_\bo_\be_\br_\bs variable is used.
+ If the specified file does not exist, it will be created.
+ Note that unlike most commands run by s\bsu\bud\bdo\bo, the editor is
+ run with the invoking user's environment unmodified. If,
+ for some reason, s\bsu\bud\bdo\bo is unable to update a file with its
+ edited version, the user will receive a warning and the
+ edited copy will remain in a temporary file.
- 3. If they have been modified, the temporary
- files are copied back to their original
- location and the temporary versions are
- removed.
+ -g _\bg_\br_\bo_\bu_\bp Normally, s\bsu\bud\bdo\bo sets the primary group to the one specified
+ by the passwd database for the user the command is being
+ run as (by default, root). The -\b-g\bg (_\bg_\br_\bo_\bu_\bp) option causes
+ s\bsu\bud\bdo\bo to run the specified command with the primary group
+ set to _\bg_\br_\bo_\bu_\bp. To specify a _\bg_\bi_\bd instead of a _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be,
+ use _\b#_\bg_\bi_\bd. When running commands as a _\bg_\bi_\bd, many shells
+ require that the '#' be escaped with a backslash ('\'). If
+ no -\b-u\bu option is specified, the command will be run as the
+ invoking user (not root). In either case, the primary
+ group will be set to _\bg_\br_\bo_\bu_\bp.
- If the specified file does not exist, it will
- be created. Note that unlike most commands
- run by s\bsu\bud\bdo\bo, the editor is run with the invok-
- ing user's environment unmodified. If, for
- some reason, s\bsu\bud\bdo\bo is unable to update a file
- with its edited version, the user will receive
- a warning and the edited copy will remain in a
- temporary file.
+ -H The -\b-H\bH (_\bH_\bO_\bM_\bE) option sets the HOME environment variable to
+ the homedir of the target user (root by default) as speci-
+ fied in _\bp_\ba_\bs_\bs_\bw_\bd(4). By default, s\bsu\bud\bdo\bo does not modify HOME
+ (see _\bs_\be_\bt_\b__\bh_\bo_\bm_\be and _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be in _\bs_\bu_\bd_\bo_\be_\br_\bs(4)).
- -g _\bg_\br_\bo_\bu_\bp Normally, s\bsu\bud\bdo\bo sets the primary group to the
- one specified by the passwd database for the
- user the command is being run as (by default,
- root). The -\b-g\bg (_\bg_\br_\bo_\bu_\bp) option causes s\bsu\bud\bdo\bo to
- run the specified command with the primary
- group set to _\bg_\br_\bo_\bu_\bp. To specify a _\bg_\bi_\bd instead
- of a _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be, use _\b#_\bg_\bi_\bd. When running com-
- mands as a _\bg_\bi_\bd, many shells require that the
- '#' be escaped with a backslash ('\'). If no
- -\b-u\bu option is specified, the command will be
- run as the invoking user (not root). In
- either case, the primary group will be set to
- _\bg_\br_\bo_\bu_\bp.
+ -h The -\b-h\bh (_\bh_\be_\bl_\bp) option causes s\bsu\bud\bdo\bo to print a usage message
+ and exit.
- -H The -\b-H\bH (_\bH_\bO_\bM_\bE) option sets the HOME environment
- variable to the homedir of the target user
- (root by default) as specified in _\bp_\ba_\bs_\bs_\bw_\bd(5).
+ -i [command]
+ The -\b-i\bi (_\bs_\bi_\bm_\bu_\bl_\ba_\bt_\be _\bi_\bn_\bi_\bt_\bi_\ba_\bl _\bl_\bo_\bg_\bi_\bn) option runs the shell spec-
+ ified in the _\bp_\ba_\bs_\bs_\bw_\bd(4) entry of the target user as a login
+ shell. This means that login-specific resource files such
+ as .profile or .login will be read by the shell. If a com-
+ mand is specified, it is passed to the shell for execution.
+ Otherwise, an interactive shell is executed. s\bsu\bud\bdo\bo attempts
+ to change to that user's home directory before running the
+ shell. It also initializes the environment, leaving _\bD_\bI_\bS_\b-
+ _\bP_\bL_\bA_\bY and _\bT_\bE_\bR_\bM unchanged, setting _\bH_\bO_\bM_\bE, _\bS_\bH_\bE_\bL_\bL, _\bU_\bS_\bE_\bR, _\bL_\bO_\bG_\b-
+ _\bN_\bA_\bM_\bE, and _\bP_\bA_\bT_\bH, as well as the contents of _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\b-
+ _\bm_\be_\bn_\bt. All other environment variables are removed.
+ -K The -\b-K\bK (sure _\bk_\bi_\bl_\bl) option is like -\b-k\bk except that it removes
+ the user's timestamp entirely. Like -\b-k\bk, this option does
+ not require a password.
+ -k The -\b-k\bk (_\bk_\bi_\bl_\bl) option to s\bsu\bud\bdo\bo invalidates the user's times-
+ tamp by setting the time on it to the Epoch. The next time
+ s\bsu\bud\bdo\bo is run a password will be required. This option does
+ not require a password and was added to allow a user to
+ revoke s\bsu\bud\bdo\bo permissions from a .logout file.
-1.7 January 1, 2008 3
+1.7 January 21, 2008 3
-SUDO(8) MAINTENANCE COMMANDS SUDO(8)
- By default, s\bsu\bud\bdo\bo does not modify HOME (see
- _\bs_\be_\bt_\b__\bh_\bo_\bm_\be and _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be in _\bs_\bu_\bd_\bo_\be_\br_\bs(5)).
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
- -h The -\b-h\bh (_\bh_\be_\bl_\bp) option causes s\bsu\bud\bdo\bo to print a
- usage message and exit.
- -i [command]
- The -\b-i\bi (_\bs_\bi_\bm_\bu_\bl_\ba_\bt_\be _\bi_\bn_\bi_\bt_\bi_\ba_\bl _\bl_\bo_\bg_\bi_\bn) option runs
- the shell specified in the _\bp_\ba_\bs_\bs_\bw_\bd(5) entry of
- the target user as a login shell. This means
- that login-specific resource files such as
- .profile or .login will be read by the shell.
- If a command is specified, it is passed to the
- shell for execution. Otherwise, an interac-
- tive shell is executed. s\bsu\bud\bdo\bo attempts to
- change to that user's home directory before
- running the shell. It also initializes the
- environment, leaving _\bD_\bI_\bS_\bP_\bL_\bA_\bY and _\bT_\bE_\bR_\bM
- unchanged, setting _\bH_\bO_\bM_\bE, _\bS_\bH_\bE_\bL_\bL, _\bU_\bS_\bE_\bR, _\bL_\bO_\bG_\bN_\bA_\bM_\bE,
- and _\bP_\bA_\bT_\bH, as well as the contents of
- _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt. All other environment vari-
- ables are removed.
-
- -K The -\b-K\bK (sure _\bk_\bi_\bl_\bl) option is like -\b-k\bk except
- that it removes the user's timestamp entirely.
- Like -\b-k\bk, this option does not require a pass-
- word.
-
- -k The -\b-k\bk (_\bk_\bi_\bl_\bl) option to s\bsu\bud\bdo\bo invalidates the
- user's timestamp by setting the time on it to
- the Epoch. The next time s\bsu\bud\bdo\bo is run a pass-
- word will be required. This option does not
- require a password and was added to allow a
- user to revoke s\bsu\bud\bdo\bo permissions from a .logout
- file.
-
- -L The -\b-L\bL (_\bl_\bi_\bs_\bt defaults) option will list out
- the parameters that may be set in a _\bD_\be_\bf_\ba_\bu_\bl_\bt_\bs
- line along with a short description for each.
- This option is useful in conjunction with
- _\bg_\br_\be_\bp(1).
+ -L The -\b-L\bL (_\bl_\bi_\bs_\bt defaults) option will list out the parameters
+ that may be set in a _\bD_\be_\bf_\ba_\bu_\bl_\bt_\bs line along with a short
+ description for each. This option is useful in conjunction
+ with _\bg_\br_\be_\bp(1).
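Review bot: the -E entry in the rewrapped text still has a doubled closing parenthesis, rendering as `override the env_reset option in sudoers(4)).`; it is carried over from the removed `sudoers(5)).` line and should lose one `)`. The -H entry's `(see set_home and always_set_home in sudoers(4)).` is balanced and is the form to match. The rest of this region (-E through -l) is a straight rewrap plus the (5) to (4) cross-reference change, with the three sudoedit steps and the -i environment list preserved verbatim across the page break.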
-l [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
- If no _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified, the -\b-l\bl (_\bl_\bi_\bs_\bt)
- option will list the allowed (and forbidden)
- commands for the invoking user (or the user
- specified by the -\b-U\bU option) on the current
- host. If a _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified and is per-
- mitted by _\bs_\bu_\bd_\bo_\be_\br_\bs, the fully-qualified path to
- the command is displayed along with any com-
- mand line arguments. If _\bc_\bo_\bm_\bm_\ba_\bn_\bd is not
- allowed, s\bsu\bud\bdo\bo will exit with a return value of
- 1.
-
-
-
-
-1.7 January 1, 2008 4
-
-
-
-
-
-SUDO(8) MAINTENANCE COMMANDS SUDO(8)
+ If no _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified, the -\b-l\bl (_\bl_\bi_\bs_\bt) option will list
+ the allowed (and forbidden) commands for the invoking user
+ (or the user specified by the -\b-U\bU option) on the current
+ host. If a _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified and is permitted by _\bs_\bu_\bd_\bo_\b-
+ _\be_\br_\bs, the fully-qualified path to the command is displayed
+ along with any command line arguments. If _\bc_\bo_\bm_\bm_\ba_\bn_\bd is not
+ allowed, s\bsu\bud\bdo\bo will exit with a return value of 1.
+ -P The -\b-P\bP (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\bg_\br_\bo_\bu_\bp _\bv_\be_\bc_\bt_\bo_\br) option causes s\bsu\bud\bdo\bo to pre-
+ serve the invoking user's group vector unaltered. By
+ default, s\bsu\bud\bdo\bo will initialize the group vector to the list
+ of groups the target user is in. The real and effective
+ group IDs, however, are still set to match the target user.
- -P The -\b-P\bP (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\bg_\br_\bo_\bu_\bp _\bv_\be_\bc_\bt_\bo_\br) option causes
- s\bsu\bud\bdo\bo to preserve the invoking user's group
- vector unaltered. By default, s\bsu\bud\bdo\bo will ini-
- tialize the group vector to the list of groups
- the target user is in. The real and effective
- group IDs, however, are still set to match the
- target user.
+ -p _\bp_\br_\bo_\bm_\bp_\bt The -\b-p\bp (_\bp_\br_\bo_\bm_\bp_\bt) option allows you to override the default
+ password prompt and use a custom one. The following per-
+ cent (`%') escapes are supported:
- -p _\bp_\br_\bo_\bm_\bp_\bt The -\b-p\bp (_\bp_\br_\bo_\bm_\bp_\bt) option allows you to override
- the default password prompt and use a custom
- one. The following percent (`%') escapes are
- supported:
+ %H expanded to the local hostname including the domain
+ name (on if the machine's hostname is fully qualified
+ or the _\bf_\bq_\bd_\bn _\bs_\bu_\bd_\bo_\be_\br_\bs option is set)
- %H expanded to the local hostname including
- the domain name (on if the machine's host-
- name is fully qualified or the _\bf_\bq_\bd_\bn _\bs_\bu_\bd_\bo_\b-
- _\be_\br_\bs option is set)
+ %h expanded to the local hostname without the domain name
- %h expanded to the local hostname without the
- domain name
+ %p expanded to the user whose password is being asked for
+ (respects the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and _\br_\bu_\bn_\ba_\bs_\bp_\bw flags in
+ _\bs_\bu_\bd_\bo_\be_\br_\bs)
- %U expanded to the login name of the user the
- command will be run as (defaults to root)
+ %U expanded to the login name of the user the command will
+ be run as (defaults to root)
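Review bot: the `%H` escape description still reads "(on if the machine's hostname is fully qualified or the fqdn sudoers option is set)"; "on if" is carried over from the removed lines and presumably should be "only if". The -P and -p text is otherwise a straight rewrap with no change in meaning.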
%u expanded to the invoking user's login name
- %% two consecutive % characters are collapsed
- into a single % character
+ %% two consecutive % characters are collapsed into a sin-
+ gle % character
- The prompt specified by the -\b-p\bp option will
- override the system password prompt on systems
- that support PAM unless the _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\b-
- _\br_\bi_\bd_\be flag is disabled in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+ The prompt specified by the -\b-p\bp option will override the
+ system password prompt on systems that support PAM unless
+ the _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be flag is disabled in _\bs_\bu_\bd_\bo_\be_\br_\bs.
- -S The -\b-S\bS (_\bs_\bt_\bd_\bi_\bn) option causes s\bsu\bud\bdo\bo to read the
- password from the standard input instead of
- the terminal device.
+ -S The -\b-S\bS (_\bs_\bt_\bd_\bi_\bn) option causes s\bsu\bud\bdo\bo to read the password from
+ the standard input instead of the terminal device.
-s [command]
- The -\b-s\bs (_\bs_\bh_\be_\bl_\bl) option runs the shell specified
- by the _\bS_\bH_\bE_\bL_\bL environment variable if it is set
- or the shell as specified in _\bp_\ba_\bs_\bs_\bw_\bd(5). If a
- command is specified, it is passed to the
- shell for execution. Otherwise, an interac-
- tive shell is executed.
+ The -\b-s\bs (_\bs_\bh_\be_\bl_\bl) option runs the shell specified by the _\bS_\bH_\bE_\bL_\bL
+ environment variable if it is set or the shell as specified
+ in _\bp_\ba_\bs_\bs_\bw_\bd(4). If a command is specified, it is passed to
+ the shell for execution. Otherwise, an interactive shell
- -U _\bu_\bs_\be_\br The -\b-U\bU (_\bo_\bt_\bh_\be_\br _\bu_\bs_\be_\br) option is used in conjunc-
- tion with the -\b-l\bl option to specify the user
- whose privileges should be listed. Only root
- or a user with s\bsu\bud\bdo\bo ALL on the current host
- may use this option.
- -u _\bu_\bs_\be_\br The -\b-u\bu (_\bu_\bs_\be_\br) option causes s\bsu\bud\bdo\bo to run the
- specified command as a user other than _\br_\bo_\bo_\bt.
+1.7 January 21, 2008 4
-1.7 January 1, 2008 5
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-SUDO(8) MAINTENANCE COMMANDS SUDO(8)
+ is executed.
+ -U _\bu_\bs_\be_\br The -\b-U\bU (_\bo_\bt_\bh_\be_\br _\bu_\bs_\be_\br) option is used in conjunction with the
+ -\b-l\bl option to specify the user whose privileges should be
+ listed. Only root or a user with s\bsu\bud\bdo\bo ALL on the current
+ host may use this option.
- To specify a _\bu_\bi_\bd instead of a _\bu_\bs_\be_\br _\bn_\ba_\bm_\be, use
- _\b#_\bu_\bi_\bd. When running commands as a _\bu_\bi_\bd, many
- shells require that the '#' be escaped with a
- backslash ('\'). Note that if the _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw
- Defaults option is set (see _\bs_\bu_\bd_\bo_\be_\br_\bs(5)) it is
- not possible to run commands with a uid not
- listed in the password database.
+ -u _\bu_\bs_\be_\br The -\b-u\bu (_\bu_\bs_\be_\br) option causes s\bsu\bud\bdo\bo to run the specified com-
+ mand as a user other than _\br_\bo_\bo_\bt. To specify a _\bu_\bi_\bd instead
+ of a _\bu_\bs_\be_\br _\bn_\ba_\bm_\be, use _\b#_\bu_\bi_\bd. When running commands as a _\bu_\bi_\bd,
+ many shells require that the '#' be escaped with a back-
+ slash ('\'). Note that if the _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw Defaults option is
+ set (see _\bs_\bu_\bd_\bo_\be_\br_\bs(4)) it is not possible to run commands
+ with a uid not listed in the password database.
- -V The -\b-V\bV (_\bv_\be_\br_\bs_\bi_\bo_\bn) option causes s\bsu\bud\bdo\bo to print
- the version number and exit. If the invoking
- user is already root the -\b-V\bV option will print
- out a list of the defaults s\bsu\bud\bdo\bo was compiled
- with as well as the machine's local network
+ -V The -\b-V\bV (_\bv_\be_\br_\bs_\bi_\bo_\bn) option causes s\bsu\bud\bdo\bo to print the version
+ number and exit. If the invoking user is already root the
+ -\b-V\bV option will print out a list of the defaults s\bsu\bud\bdo\bo was
+ compiled with as well as the machine's local network
addresses.
- -v If given the -\b-v\bv (_\bv_\ba_\bl_\bi_\bd_\ba_\bt_\be) option, s\bsu\bud\bdo\bo will
- update the user's timestamp, prompting for the
- user's password if necessary. This extends
- the s\bsu\bud\bdo\bo timeout for another 5 minutes (or
- whatever the timeout is set to in _\bs_\bu_\bd_\bo_\be_\br_\bs) but
+ -v If given the -\b-v\bv (_\bv_\ba_\bl_\bi_\bd_\ba_\bt_\be) option, s\bsu\bud\bdo\bo will update the
+ user's timestamp, prompting for the user's password if nec-
+ essary. This extends the s\bsu\bud\bdo\bo timeout for another 5 min-
+ utes (or whatever the timeout is set to in _\bs_\bu_\bd_\bo_\be_\br_\bs) but
does not run a command.
- -- The -\b--\b- flag indicates that s\bsu\bud\bdo\bo should stop
- processing command line arguments. It is most
- useful in conjunction with the -\b-s\bs flag.
-
- Environment variables to be set for the command may also
- be passed on the command line in the form of V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be,
- e.g. L\bLD\bD_\b_L\bLI\bIB\bBR\bRA\bAR\bRY\bY_\b_P\bPA\bAT\bTH\bH=_\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bp_\bk_\bg_\b/_\bl_\bi_\bb. Variables
- passed on the command line are subject to the same
- restrictions as normal environment variables with one
- important exception. If the _\bs_\be_\bt_\be_\bn_\bv option is set in _\bs_\bu_\bd_\bo_\b-
- _\be_\br_\bs, the command to be run has the SETENV tag set or the
- command matched is ALL, the user may set variables that
- would overwise be forbidden. See _\bs_\bu_\bd_\bo_\be_\br_\bs(5) for more
- information.
+ -- The -\b--\b- flag indicates that s\bsu\bud\bdo\bo should stop processing com-
+ mand line arguments. It is most useful in conjunction with
+ the -\b-s\bs flag.
+
+ Environment variables to be set for the command may also be passed on
+ the command line in the form of V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be, e.g.
+ L\bLD\bD_\b_L\bLI\bIB\bBR\bRA\bAR\bRY\bY_\b_P\bPA\bAT\bTH\bH=_\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bp_\bk_\bg_\b/_\bl_\bi_\bb. Variables passed on the command
+ line are subject to the same restrictions as normal environment vari-
+ ables with one important exception. If the _\bs_\be_\bt_\be_\bn_\bv option is set in
+ _\bs_\bu_\bd_\bo_\be_\br_\bs, the command to be run has the SETENV tag set or the command
+ matched is ALL, the user may set variables that would overwise be for-
+ bidden. See _\bs_\bu_\bd_\bo_\be_\br_\bs(4) for more information.
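Review bot: the closing paragraph of OPTIONS still contains the typo "overwise" (`the user may set variables that would overwise be forbidden`), carried over from the removed lines; it should read "otherwise". Since this is the one paragraph that states when the setenv option, the SETENV tag or an ALL match relaxes the normal restrictions on VAR=value arguments, the wording deserves a correction while the text is being regenerated.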
R\bRE\bET\bTU\bUR\bRN\bN V\bVA\bAL\bLU\bUE\bES\bS
- Upon successful execution of a program, the return value
- from s\bsu\bud\bdo\bo will simply be the return value of the program
- that was executed.
+ Upon successful execution of a program, the return value from s\bsu\bud\bdo\bo will
+ simply be the return value of the program that was executed.
- Otherwise, s\bsu\bud\bdo\bo quits with an exit value of 1 if there is
- a configuration/permission problem or if s\bsu\bud\bdo\bo cannot exe-
- cute the given command. In the latter case the error
- string is printed to stderr. If s\bsu\bud\bdo\bo cannot _\bs_\bt_\ba_\bt(2) one
- or more entries in the user's PATH an error is printed on
- stderr. (If the directory does not exist or if it is not
- really a directory, the entry is ignored and no error is
- printed.) This should not happen under normal circum-
- stances. The most common reason for _\bs_\bt_\ba_\bt(2) to return
- "permission denied" is if you are running an automounter
- and one of the directories in your PATH is on a machine
- that is currently unreachable.
+ Otherwise, s\bsu\bud\bdo\bo quits with an exit value of 1 if there is a configura-
+ tion/permission problem or if s\bsu\bud\bdo\bo cannot execute the given command.
+ In the latter case the error string is printed to stderr. If s\bsu\bud\bdo\bo can-
+ not _\bs_\bt_\ba_\bt(2) one or more entries in the user's PATH an error is printed
+ on stderr. (If the directory does not exist or if it is not really a
+ directory, the entry is ignored and no error is printed.) This should
+ not happen under normal circumstances. The most common reason for
+ _\bs_\bt_\ba_\bt(2) to return "permission denied" is if you are running an auto-
+ mounter and one of the directories in your PATH is on a machine that is
+ currently unreachable.
-1.7 January 1, 2008 6
+1.7 January 21, 2008 5
-SUDO(8) MAINTENANCE COMMANDS SUDO(8)
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
s\bsu\bud\bdo\bo tries to be safe when executing external commands.
- There are two distinct ways to deal with environment vari-
- ables. By default, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt _\bs_\bu_\bd_\bo_\be_\br_\bs option is
- enabled. This causes commands to be executed with a mini-
- mal environment containing TERM, PATH, HOME, SHELL, LOG-
- NAME, USER and USERNAME in addition to variables from the
- invoking process permitted by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bk_\be_\be_\bp
- _\bs_\bu_\bd_\bo_\be_\br_\bs options. There is effectively a whitelist for
- environment variables.
-
- If, however, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is disabled in _\bs_\bu_\bd_\bo_\be_\br_\bs,
- any variables not explicitly denied by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and
- _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be options are inherited from the invoking pro-
- cess. In this case, _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be behave like
- a blacklist. Since it is not possible to blacklist all
- potentially dangerous environment variables, use of the
+ There are two distinct ways to deal with environment variables. By
+ default, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt _\bs_\bu_\bd_\bo_\be_\br_\bs option is enabled. This causes commands
+ to be executed with a minimal environment containing TERM, PATH, HOME,
+ SHELL, LOGNAME, USER and USERNAME in addition to variables from the
+ invoking process permitted by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bk_\be_\be_\bp _\bs_\bu_\bd_\bo_\be_\br_\bs
+ options. There is effectively a whitelist for environment variables.
+
+ If, however, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is disabled in _\bs_\bu_\bd_\bo_\be_\br_\bs, any variables
+ not explicitly denied by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be options are
+ inherited from the invoking process. In this case, _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and
+ _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be behave like a blacklist. Since it is not possible to black-
+ list all potentially dangerous environment variables, use of the
default _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt behavior is encouraged.
- In all cases, environment variables with a value beginning
- with () are removed as they could be interpreted as b\bba\bas\bsh\bh
- functions. The list of environment variables that s\bsu\bud\bdo\bo
- allows or denies is contained in the output of sudo -V
- when run as root.
+ In all cases, environment variables with a value beginning with () are
+ removed as they could be interpreted as b\bba\bas\bsh\bh functions. The list of
+ environment variables that s\bsu\bud\bdo\bo allows or denies is contained in the
+ output of sudo -V when run as root.
- Note that the dynamic linker on most operating systems
- will remove variables that can control dynamic linking
- from the environment of setuid executables, including
- s\bsu\bud\bdo\bo. Depending on the operating system this may include
- _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and oth-
- ers. These type of variables are removed from the envi-
- ronment before s\bsu\bud\bdo\bo even begins execution and, as such, it
- is not possible for s\bsu\bud\bdo\bo to preserve them.
+ Note that the dynamic linker on most operating systems will remove
+ variables that can control dynamic linking from the environment of
+ setuid executables, including s\bsu\bud\bdo\bo. Depending on the operating system
+ this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and
+ others. These type of variables are removed from the environment
+ before s\bsu\bud\bdo\bo even begins execution and, as such, it is not possible for
+ s\bsu\bud\bdo\bo to preserve them.
- To prevent command spoofing, s\bsu\bud\bdo\bo checks "." and "" (both
- denoting current directory) last when searching for a com-
- mand in the user's PATH (if one or both are in the PATH).
- Note, however, that the actual PATH environment variable
- is _\bn_\bo_\bt modified and is passed unchanged to the program
- that s\bsu\bud\bdo\bo executes.
+ To prevent command spoofing, s\bsu\bud\bdo\bo checks "." and "" (both denoting cur-
+ rent directory) last when searching for a command in the user's PATH
+ (if one or both are in the PATH). Note, however, that the actual PATH
+ environment variable is _\bn_\bo_\bt modified and is passed unchanged to the
+ program that s\bsu\bud\bdo\bo executes.
- s\bsu\bud\bdo\bo will check the ownership of its timestamp directory
- (_\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo by default) and ignore the directory's con-
- tents if it is not owned by root or if it is writable by a
- user other than root. On systems that allow non-root
- users to give away files via _\bc_\bh_\bo_\bw_\bn(2), if the timestamp
- directory is located in a directory writable by anyone
- (e.g., _\b/_\bt_\bm_\bp), it is possible for a user to create the
- timestamp directory before s\bsu\bud\bdo\bo is run. However, because
- s\bsu\bud\bdo\bo checks the ownership and mode of the directory and
- its contents, the only damage that can be done is to
- "hide" files by putting them in the timestamp dir. This
- is unlikely to happen since once the timestamp dir is
+ s\bsu\bud\bdo\bo will check the ownership of its timestamp directory (_\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo
+ by default) and ignore the directory's contents if it is not owned by
+ root or if it is writable by a user other than root. On systems that
+ allow non-root users to give away files via _\bc_\bh_\bo_\bw_\bn(2), if the timestamp
+ directory is located in a directory writable by anyone (e.g., _\b/_\bt_\bm_\bp), it
+ is possible for a user to create the timestamp directory before s\bsu\bud\bdo\bo is
+ run. However, because s\bsu\bud\bdo\bo checks the ownership and mode of the direc-
+ tory and its contents, the only damage that can be done is to "hide"
+ files by putting them in the timestamp dir. This is unlikely to happen
+ since once the timestamp dir is owned by root and inaccessible by any
+ other user, the user placing files there would be unable to get them
+ back out. To get around this issue you can use a directory that is not
+ world-writable for the timestamps (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo for instance) or cre-
+ ate _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo with the appropriate owner (root) and permissions
+ (0700) in the system startup files.
+ s\bsu\bud\bdo\bo will not honor timestamps set far in the future. Timestamps with
+ a date greater than current_time + 2 * TIMEOUT will be ignored and sudo
-1.7 January 1, 2008 7
+1.7 January 21, 2008 6
-SUDO(8) MAINTENANCE COMMANDS SUDO(8)
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
- owned by root and inaccessible by any other user, the user
- placing files there would be unable to get them back out.
- To get around this issue you can use a directory that is
- not world-writable for the timestamps (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo for
- instance) or create _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo with the appropriate
- owner (root) and permissions (0700) in the system startup
- files.
- s\bsu\bud\bdo\bo will not honor timestamps set far in the future.
- Timestamps with a date greater than current_time + 2 *
- TIMEOUT will be ignored and sudo will log and complain.
- This is done to keep a user from creating his/her own
- timestamp with a bogus date on systems that allow users to
+ will log and complain. This is done to keep a user from creating
+ his/her own timestamp with a bogus date on systems that allow users to
give away files.
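Review bot: "These type of variables are removed from the environment" in the rewrapped dynamic-linker paragraph has a number disagreement; make it "These types of variables" (or "Variables of this type") while the sentence is being reflowed, since the phrase is copied unchanged from the removed text.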
- Please note that s\bsu\bud\bdo\bo will normally only log the command
- it explicitly runs. If a user runs a command such as sudo
- su or sudo sh, subsequent commands run from that shell
- will _\bn_\bo_\bt be logged, nor will s\bsu\bud\bdo\bo's access control affect
- them. The same is true for commands that offer shell
- escapes (including most editors). Because of this, care
- must be taken when giving users access to commands via
- s\bsu\bud\bdo\bo to verify that the command does not inadvertently
- give the user an effective root shell. For more informa-
- tion, please see the PREVENTING SHELL ESCAPES section in
- _\bs_\bu_\bd_\bo_\be_\br_\bs(5).
+ Please note that s\bsu\bud\bdo\bo will normally only log the command it explicitly
+ runs. If a user runs a command such as sudo su or sudo sh, subsequent
+ commands run from that shell will _\bn_\bo_\bt be logged, nor will s\bsu\bud\bdo\bo's access
+ control affect them. The same is true for commands that offer shell
+ escapes (including most editors). Because of this, care must be taken
+ when giving users access to commands via s\bsu\bud\bdo\bo to verify that the com-
+ mand does not inadvertently give the user an effective root shell. For
+ more information, please see the PREVENTING SHELL ESCAPES section in
+ _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
E\bEN\bNV\bVI\bIR\bRO\bON\bNM\bME\bEN\bNT\bT
s\bsu\bud\bdo\bo utilizes the following environment variables:
- EDITOR Default editor to use in -\b-e\be (sudoedit)
- mode if VISUAL is not set
+ EDITOR Default editor to use in -\b-e\be (sudoedit) mode if VISUAL
+ is not set
- HOME In -\b-s\bs or -\b-H\bH mode (or if sudo was config-
- ured with the --enable-shell-sets-home
- option), set to homedir of the target user
+ HOME In -\b-s\bs or -\b-H\bH mode (or if sudo was configured with the
+ --enable-shell-sets-home option), set to homedir of the
+ target user
- PATH Set to a sane value if the _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh
- sudoers option is set.
+ PATH Set to a sane value if the _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh sudoers option
+ is set.
- SHELL Used to determine shell to run with -s
- option
+ SHELL Used to determine shell to run with -s option
SUDO_PROMPT Used as the default password prompt
SUDO_COMMAND Set to the command run by sudo
- SUDO_USER Set to the login of the user who invoked
- sudo
+ SUDO_USER Set to the login of the user who invoked sudo
- SUDO_UID Set to the uid of the user who invoked
- sudo
+ SUDO_UID Set to the uid of the user who invoked sudo
- SUDO_GID Set to the gid of the user who invoked
+ SUDO_GID Set to the gid of the user who invoked sudo
+ SUDO_PS1 If set, PS1 will be set to its value
+ USER Set to the target user (root unless the -\b-u\bu option is
+ specified)
-1.7 January 1, 2008 8
+ VISUAL Default editor to use in -\b-e\be (sudoedit) mode
+F\bFI\bIL\bLE\bES\bS
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
+ _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo Directory containing timestamps
+ _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt Initial environment for -\b-i\bi m\bmo\bod\bde\be
+E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
+ Note: the following examples assume suitable _\bs_\bu_\bd_\bo_\be_\br_\bs(4) entries.
-SUDO(8) MAINTENANCE COMMANDS SUDO(8)
+1.7 January 21, 2008 7
- sudo
- SUDO_PS1 If set, PS1 will be set to its value
- USER Set to the target user (root unless the -\b-u\bu
- option is specified)
- VISUAL Default editor to use in -\b-e\be (sudoedit)
- mode
-F\bFI\bIL\bLE\bES\bS
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
- _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo Directory containing timestamps
- _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt Initial environment for -\b-i\bi m\bmo\bod\bde\be
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
- Note: the following examples assume suitable _\bs_\bu_\bd_\bo_\be_\br_\bs(5)
- entries.
To get a file listing of an unreadable directory:
$ sudo ls /usr/local/protected
- To list the home directory of user yazza on a machine
- where the file system holding ~yazza is not exported as
- root:
+ To list the home directory of user yazza on a machine where the file
+ system holding ~yazza is not exported as root:
$ sudo -u yazza ls ~yazza
$ sudo shutdown -r +15 "quick reboot"
- To make a usage listing of the directories in the /home
- partition. Note that this runs the commands in a sub-
- shell to make the cd and file redirection work.
+ To make a usage listing of the directories in the /home partition.
+ Note that this runs the commands in a sub-shell to make the cd and file
+ redirection work.
$ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\bg_\br_\be_\bp(1), _\bs_\bu(1), _\bs_\bt_\ba_\bt(2), _\bl_\bo_\bg_\bi_\bn_\b__\bc_\ba_\bp(3), _\bp_\ba_\bs_\bs_\bw_\bd(5),
- _\bs_\bu_\bd_\bo_\be_\br_\bs(5), _\bv_\bi_\bs_\bu_\bd_\bo(8)
+ _\bg_\br_\be_\bp(1), _\bs_\bu(1), _\bs_\bt_\ba_\bt(2), _\bl_\bo_\bg_\bi_\bn_\b__\bc_\ba_\bp(3), _\bp_\ba_\bs_\bs_\bw_\bd(4), _\bs_\bu_\bd_\bo_\be_\br_\bs(4),
+ _\bv_\bi_\bs_\bu_\bd_\bo(1m)
A\bAU\bUT\bTH\bHO\bOR\bRS\bS
- Many people have worked on s\bsu\bud\bdo\bo over the years; this ver-
- sion consists of code written primarily by:
+ Many people have worked on s\bsu\bud\bdo\bo over the years; this version consists
+ of code written primarily by:
Todd C. Miller
See the HISTORY file in the s\bsu\bud\bdo\bo distribution or visit
+ http://www.sudo.ws/sudo/history.html for a short history of s\bsu\bud\bdo\bo.
+C\bCA\bAV\bVE\bEA\bAT\bTS\bS
+ There is no easy way to prevent a user from gaining a root shell if
+ that user is allowed to run arbitrary commands via s\bsu\bud\bdo\bo. Also, many
+ programs (such as editors) allow the user to run commands via shell
+ escapes, thus avoiding s\bsu\bud\bdo\bo's checks. However, on most systems it is
+ possible to prevent shell escapes with s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality.
+ See the _\bs_\bu_\bd_\bo_\be_\br_\bs(4) manual for details.
+ It is not meaningful to run the cd command directly via sudo, e.g.,
-1.7 January 1, 2008 9
+ $ sudo cd /usr/local/protected
+ since when the command exits the parent process (your shell) will still
+ be the same. Please see the EXAMPLES section for more information.
+ If users have sudo ALL there is nothing to prevent them from creating
+ their own program that gives them a root shell regardless of any '!'
+ elements in the user specification.
-SUDO(8) MAINTENANCE COMMANDS SUDO(8)
+1.7 January 21, 2008 8
- http://www.sudo.ws/sudo/history.html for a short history
- of s\bsu\bud\bdo\bo.
-C\bCA\bAV\bVE\bEA\bAT\bTS\bS
- There is no easy way to prevent a user from gaining a root
- shell if that user is allowed to run arbitrary commands
- via s\bsu\bud\bdo\bo. Also, many programs (such as editors) allow the
- user to run commands via shell escapes, thus avoiding
- s\bsu\bud\bdo\bo's checks. However, on most systems it is possible to
- prevent shell escapes with s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality.
- See the _\bs_\bu_\bd_\bo_\be_\br_\bs(5) manual for details.
- It is not meaningful to run the cd command directly via
- sudo, e.g.,
- $ sudo cd /usr/local/protected
-
- since when the command exits the parent process (your
- shell) will still be the same. Please see the EXAMPLES
- section for more information.
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
- If users have sudo ALL there is nothing to prevent them
- from creating their own program that gives them a root
- shell regardless of any '!' elements in the user specifi-
- cation.
- Running shell scripts via s\bsu\bud\bdo\bo can expose the same kernel
- bugs that make setuid shell scripts unsafe on some operat-
- ing systems (if your OS has a /dev/fd/ directory, setuid
- shell scripts are generally safe).
+ Running shell scripts via s\bsu\bud\bdo\bo can expose the same kernel bugs that
+ make setuid shell scripts unsafe on some operating systems (if your OS
+ has a /dev/fd/ directory, setuid shell scripts are generally safe).
B\bBU\bUG\bGS\bS
- If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a
- bug report at http://www.sudo.ws/sudo/bugs/
+ If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
+ http://www.sudo.ws/sudo/bugs/
S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Limited free support is available via the sudo-users mail-
- ing list, see http://www.sudo.ws/mail-
- man/listinfo/sudo-users to subscribe or search the
- archives.
+ Limited free support is available via the sudo-users mailing list, see
+ http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
+ the archives.
D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied war-
- ranties, including, but not limited to, the implied war-
- ranties of merchantability and fitness for a particular
- purpose are disclaimed. See the LICENSE file distributed
- with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for com-
- plete details.
+ s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
+ including, but not limited to, the implied warranties of merchantabil-
+ ity and fitness for a particular purpose are disclaimed. See the
+ LICENSE file distributed with s\bsu\bud\bdo\bo or
+ http://www.sudo.ws/sudo/license.html for complete details.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-1.7 January 1, 2008 10
+1.7 January 21, 2008 9
sudoers - list of which users may execute what
D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
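Review bot: the long run of empty '+' lines between the DISCLAIMER paragraph and the "1.7 January 21, 2008 9" footer is formatter page padding, not a documentation change, and it makes this diff far noisier than the wording and section-number edits warrant. Consider diffing the roff source instead, or generating the formatted pages with page padding suppressed, so reviewers see only the substantive changes.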
- The _\bs_\bu_\bd_\bo_\be_\br_\bs file is composed of two types of entries:
- aliases (basically variables) and user specifications
- (which specify who may run what).
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs file is composed of two types of entries: aliases (basi-
+ cally variables) and user specifications (which specify who may run
+ what).
- When multiple entries match for a user, they are applied
- in order. Where there are multiple matches, the last
- match is used (which is not necessarily the most specific
- match).
+ When multiple entries match for a user, they are applied in order.
+ Where there are multiple matches, the last match is used (which is not
+ necessarily the most specific match).
- The _\bs_\bu_\bd_\bo_\be_\br_\bs grammar will be described below in Extended
- Backus-Naur Form (EBNF). Don't despair if you don't know
- what EBNF is; it is fairly simple, and the definitions
- below are annotated.
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs grammar will be described below in Extended Backus-Naur
+ Form (EBNF). Don't despair if you don't know what EBNF is; it is
+ fairly simple, and the definitions below are annotated.
Q\bQu\bui\bic\bck\bk g\bgu\bui\bid\bde\be t\bto\bo E\bEB\bBN\bNF\bF
- EBNF is a concise and exact way of describing the grammar
- of a language. Each EBNF definition is made up of _\bp_\br_\bo_\bd_\bu_\bc_\b-
- _\bt_\bi_\bo_\bn _\br_\bu_\bl_\be_\bs. E.g.,
+ EBNF is a concise and exact way of describing the grammar of a lan-
+ guage. Each EBNF definition is made up of _\bp_\br_\bo_\bd_\bu_\bc_\bt_\bi_\bo_\bn _\br_\bu_\bl_\be_\bs. E.g.,
symbol ::= definition | alternate1 | alternate2 ...
- Each _\bp_\br_\bo_\bd_\bu_\bc_\bt_\bi_\bo_\bn _\br_\bu_\bl_\be references others and thus makes up a
- grammar for the language. EBNF also contains the follow-
- ing operators, which many readers will recognize from reg-
- ular expressions. Do not, however, confuse them with
- "wildcard" characters, which have different meanings.
+ Each _\bp_\br_\bo_\bd_\bu_\bc_\bt_\bi_\bo_\bn _\br_\bu_\bl_\be references others and thus makes up a grammar for
+ the language. EBNF also contains the following operators, which many
+ readers will recognize from regular expressions. Do not, however, con-
+ fuse them with "wildcard" characters, which have different meanings.
- ? Means that the preceding symbol (or group of symbols)
- is optional. That is, it may appear once or not at
- all.
+ ? Means that the preceding symbol (or group of symbols) is optional.
+ That is, it may appear once or not at all.
- * Means that the preceding symbol (or group of symbols)
- may appear zero or more times.
+ * Means that the preceding symbol (or group of symbols) may appear
+ zero or more times.
- + Means that the preceding symbol (or group of symbols)
- may appear one or more times.
+ + Means that the preceding symbol (or group of symbols) may appear
+ one or more times.
- Parentheses may be used to group symbols together. For
- clarity, we will use single quotes ('') to designate what
- is a verbatim character string (as opposed to a symbol
- name).
+ Parentheses may be used to group symbols together. For clarity, we
+ will use single quotes ('') to designate what is a verbatim character
+ string (as opposed to a symbol name).
A\bAl\bli\bia\bas\bse\bes\bs
- There are four kinds of aliases: User_Alias, Runas_Alias,
- Host_Alias and Cmnd_Alias.
+ There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias
+ and Cmnd_Alias.
+ Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
+ 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
+ 'Host_Alias' Host_Alias (':' Host_Alias)* |
+ 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
+ User_Alias ::= NAME '=' User_List
+ Runas_Alias ::= NAME '=' Runas_List
-1.7 December 10, 2007 1
+1.7 January 21, 2008 1
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
- 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
- 'Host_Alias' Host_Alias (':' Host_Alias)* |
- 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
-
- User_Alias ::= NAME '=' User_List
-
- Runas_Alias ::= NAME '=' Runas_List
-
Host_Alias ::= NAME '=' Host_List
Cmnd_Alias ::= NAME '=' Cmnd_List
Alias_Type NAME = item1, item2, ...
- where _\bA_\bl_\bi_\ba_\bs_\b__\bT_\by_\bp_\be is one of User_Alias, Runas_Alias,
- Host_Alias, or Cmnd_Alias. A NAME is a string of upper-
- case letters, numbers, and underscore characters ('_'). A
- NAME m\bmu\bus\bst\bt start with an uppercase letter. It is possible
- to put several alias definitions of the same type on a
- single line, joined by a colon (':'). E.g.,
+ where _\bA_\bl_\bi_\ba_\bs_\b__\bT_\by_\bp_\be is one of User_Alias, Runas_Alias, Host_Alias, or
+ Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and
+ underscore characters ('_'). A NAME m\bmu\bus\bst\bt start with an uppercase let-
+ ter. It is possible to put several alias definitions of the same type
+ on a single line, joined by a colon (':'). E.g.,
Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
- The definitions of what constitutes a valid _\ba_\bl_\bi_\ba_\bs member
- follow.
+ The definitions of what constitutes a valid _\ba_\bl_\bi_\ba_\bs member follow.
User_List ::= User |
User ',' User_List
'!'* '+'netgroup |
'!'* User_Alias
- A User_List is made up of one or more usernames, uids
- (prefixed with '#'), system groups (prefixed with '%'),
- netgroups (prefixed with '+') and User_Aliases. Each list
- item may be prefixed with zero or more '!' operators. An
- odd number of '!' operators negate the value of the item;
- an even number just cancel each other out.
+ A User_List is made up of one or more usernames, uids (prefixed with
+ '#'), system groups (prefixed with '%'), netgroups (prefixed with '+')
+ and User_Aliases. Each list item may be prefixed with zero or more '!'
+ operators. An odd number of '!' operators negate the value of the
+ item; an even number just cancel each other out.
Runas_List ::= Runas_Member |
Runas_Member ',' Runas_List
+ Runas_Member ::= '!'* username |
+ '!'* '#'uid |
+ '!'* '%'group |
+ '!'* +netgroup |
+ '!'* Runas_Alias
+ A Runas_List is similar to a User_List except that instead of
+ User_Aliases it can contain Runas_Aliases. Note that usernames and
+ groups are matched as strings. In other words, two users (groups) with
+ the same uid (gid) are considered to be distinct. If you wish to match
+ all usernames with the same uid (e.g. root and toor), you can use a uid
+ instead (#0 in the example given).
+ Host_List ::= Host |
+ Host ',' Host_List
-
-1.7 December 10, 2007 2
+1.7 January 21, 2008 2
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- Runas_Member ::= '!'* username |
- '!'* '#'uid |
- '!'* '%'group |
- '!'* +netgroup |
- '!'* Runas_Alias
-
- A Runas_List is similar to a User_List except that instead
- of User_Aliases it can contain Runas_Aliases. Note that
- usernames and groups are matched as strings. In other
- words, two users (groups) with the same uid (gid) are con-
- sidered to be distinct. If you wish to match all user-
- names with the same uid (e.g. root and toor), you can use
- a uid instead (#0 in the example given).
-
- Host_List ::= Host |
- Host ',' Host_List
-
Host ::= '!'* hostname |
'!'* ip_addr |
'!'* network(/netmask)? |
'!'* '+'netgroup |
'!'* Host_Alias
- A Host_List is made up of one or more hostnames, IP
- addresses, network numbers, netgroups (prefixed with '+')
- and other aliases. Again, the value of an item may be
- negated with the '!' operator. If you do not specify a
- netmask along with the network number, s\bsu\bud\bdo\bo will query
- each of the local host's network interfaces and, if the
- network number corresponds to one of the hosts's network
- interfaces, the corresponding netmask will be used. The
- netmask may be specified either in standard IP address
- notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or
- CIDR notation (number of bits, e.g. 24 or 64). A hostname
- may include shell-style wildcards (see the Wildcards sec-
- tion below), but unless the hostname command on your
- machine returns the fully qualified hostname, you'll need
- to use the _\bf_\bq_\bd_\bn option for wildcards to be useful.
+ A Host_List is made up of one or more hostnames, IP addresses, network
+ numbers, netgroups (prefixed with '+') and other aliases. Again, the
+ value of an item may be negated with the '!' operator. If you do not
+ specify a netmask along with the network number, s\bsu\bud\bdo\bo will query each
+ of the local host's network interfaces and, if the network number cor-
+ responds to one of the hosts's network interfaces, the corresponding
+ netmask will be used. The netmask may be specified either in standard
+ IP address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or
+ CIDR notation (number of bits, e.g. 24 or 64). A hostname may include
+ shell-style wildcards (see the Wildcards section below), but unless the
+ hostname command on your machine returns the fully qualified hostname,
+ you'll need to use the _\bf_\bq_\bd_\bn option for wildcards to be useful.
Cmnd_List ::= Cmnd |
Cmnd ',' Cmnd_List
'!'* "sudoedit" |
'!'* Cmnd_Alias
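Review bot: "one of the hosts's network interfaces" in the rewrapped Host_List paragraph should read "host's" (singular possessive); the misspelling is carried over from the removed lines, so fix it while the sentence is being reflowed.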
- A Cmnd_List is a list of one or more commandnames, direc-
- tories, and other aliases. A commandname is a fully qual-
- ified filename which may include shell-style wildcards
+ A Cmnd_List is a list of one or more commandnames, directories, and
+ other aliases. A commandname is a fully qualified filename which may
+ include shell-style wildcards (see the Wildcards section below). A
+ simple filename allows the user to run the command with any arguments
+ he/she wishes. However, you may also specify command line arguments
+ (including wildcards). Alternately, you can specify "" to indicate
+ that the command may only be run w\bwi\bit\bth\bho\bou\but\bt command line arguments. A
+ directory is a fully qualified pathname ending in a '/'. When you
+ specify a directory in a Cmnd_List, the user will be able to run any
+ file within that directory (but not in any subdirectories therein).
+
+ If a Cmnd has associated command line arguments, then the arguments in
+ the Cmnd must match exactly those given by the user on the command line
+ (or match the wildcards if there are any). Note that the following
+ characters must be escaped with a '\' if they are used in command argu-
+ ments: ',', ':', '=', '\'. The special command "sudoedit" is used to
+ permit a user to run s\bsu\bud\bdo\bo with the -\b-e\be flag (or as s\bsu\bud\bdo\boe\bed\bdi\bit\bt). It may
+ take command line arguments just as a normal command does.
+ D\bDe\bef\bfa\bau\bul\blt\bts\bs
+ Certain configuration options may be changed from their default values
+ at runtime via one or more Default_Entry lines. These may affect all
-1.7 December 10, 2007 3
+1.7 January 21, 2008 3
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- (see the Wildcards section below). A simple filename
- allows the user to run the command with any arguments
- he/she wishes. However, you may also specify command line
- arguments (including wildcards). Alternately, you can
- specify "" to indicate that the command may only be run
- w\bwi\bit\bth\bho\bou\but\bt command line arguments. A directory is a fully
- qualified pathname ending in a '/'. When you specify a
- directory in a Cmnd_List, the user will be able to run any
- file within that directory (but not in any subdirectories
- therein).
-
- If a Cmnd has associated command line arguments, then the
- arguments in the Cmnd must match exactly those given by
- the user on the command line (or match the wildcards if
- there are any). Note that the following characters must
- be escaped with a '\' if they are used in command argu-
- ments: ',', ':', '=', '\'. The special command "sudoedit"
- is used to permit a user to run s\bsu\bud\bdo\bo with the -\b-e\be flag (or
- as s\bsu\bud\bdo\boe\bed\bdi\bit\bt). It may take command line arguments just as
- a normal command does.
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- D\bDe\bef\bfa\bau\bul\blt\bts\bs
- Certain configuration options may be changed from their
- default values at runtime via one or more Default_Entry
- lines. These may affect all users on any host, all users
- on a specific host, a specific user, a specific command,
- or commands being run as a specific user. Note that per-
- command entries may not include command line arguments.
- If you need to specify arguments, define a Cmnd_Alias and
- reference that instead.
+ users on any host, all users on a specific host, a specific user, a
+ specific command, or commands being run as a specific user. Note that
+ per-command entries may not include command line arguments. If you
+ need to specify arguments, define a Cmnd_Alias and reference that
+ instead.
Default_Type ::= 'Defaults' |
'Defaults' '@' Host_List |
Parameter '-=' Value |
'!'* Parameter
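Review bot: the Cmnd_List paragraph explains that a bare command name permits any arguments and that "" restricts a command to no arguments, but it says nothing about the limits of '!' negation in a Cmnd_List, even though the CAVEATS section of sudo(1m) earlier in this same diff warns that with sudo ALL nothing prevents a user from building a program that yields a root shell "regardless of any '!' elements in the user specification". A one-sentence cross-reference to that caveat here would keep administrators from treating subtractive exclusions from ALL as an effective restriction.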
- Parameters may be f\bfl\bla\bag\bgs\bs, i\bin\bnt\bte\beg\bge\ber\br values, s\bst\btr\bri\bin\bng\bgs\bs, or
- l\bli\bis\bst\bts\bs. Flags are implicitly boolean and can be turned off
- via the '!' operator. Some integer, string and list
- parameters may also be used in a boolean context to dis-
- able them. Values may be enclosed in double quotes (")
- when they contain multiple words. Special characters may
-
-
-
-1.7 December 10, 2007 4
-
-
+ Parameters may be f\bfl\bla\bag\bgs\bs, i\bin\bnt\bte\beg\bge\ber\br values, s\bst\btr\bri\bin\bng\bgs\bs, or l\bli\bis\bst\bts\bs. Flags are
+ implicitly boolean and can be turned off via the '!' operator. Some
+ integer, string and list parameters may also be used in a boolean con-
+ text to disable them. Values may be enclosed in double quotes (") when
+ they contain multiple words. Special characters may be escaped with a
+ backslash (\).
+ Lists have two additional assignment operators, += and -=. These oper-
+ ators are used to add to and delete from a list respectively. It is
+ not an error to use the -= operator to remove an element that does not
+ exist in a list.
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- be escaped with a backslash (\).
-
- Lists have two additional assignment operators, += and -=.
- These operators are used to add to and delete from a list
- respectively. It is not an error to use the -= operator
- to remove an element that does not exist in a list.
-
- See "SUDOERS OPTIONS" for a list of supported Defaults
- parameters.
+ See "SUDOERS OPTIONS" for a list of supported Defaults parameters.
U\bUs\bse\ber\br S\bSp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn
Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
'SETENV:' | 'NOSETENV:' )
- A u\bus\bse\ber\br s\bsp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn determines which commands a user may
- run (and as what user) on specified hosts. By default,
- commands are run as r\bro\boo\bot\bt, but this can be changed on a
- per-command basis.
-
- Let's break that down into its constituent parts:
-
- R\bRu\bun\bna\bas\bs_\b_S\bSp\bpe\bec\bc
+ A u\bus\bse\ber\br s\bsp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn determines which commands a user may run (and as
+ what user) on specified hosts. By default, commands are run as r\bro\boo\bot\bt,
+ but this can be changed on a per-command basis.
- A Runas_Spec determines the user and/or the group that a
- command may be run as. A fully-specified Runas_Spec con-
- sists of two Runas_Lists (as defined above) separated by a
- colon (':') and enclosed in a set of parentheses. The
- first Runas_List indicates which users the command may be
- run as via s\bsu\bud\bdo\bo's -\b-u\bu flag. The second defines a list of
- groups that can be specified via s\bsu\bud\bdo\bo's -\b-g\bg flag. If both
- Runas_Lists are specified, the command may be run with any
- combination of users and groups listed in their respective
- Runas_Lists. If only the first is specified, the command
- may be run as any user in the list but no -\b-g\bg flag may be
- specified. If the first Runas_List is empty but the sec-
- ond is specified, the command may be run as the invoking
- user with the group set to any listed in the Runas_List.
- If no Runas_Spec is specified the command may be run as
- r\bro\boo\bot\bt and no group may be specified.
- A Runas_Spec sets the default for the commands that follow
- it. What this means is that for the entry:
+1.7 January 21, 2008 4
-1.7 December 10, 2007 5
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ Let's break that down into its constituent parts:
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ R\bRu\bun\bna\bas\bs_\b_S\bSp\bpe\bec\bc
+ A Runas_Spec determines the user and/or the group that a command may be
+ run as. A fully-specified Runas_Spec consists of two Runas_Lists (as
+ defined above) separated by a colon (':') and enclosed in a set of
+ parentheses. The first Runas_List indicates which users the command
+ may be run as via s\bsu\bud\bdo\bo's -\b-u\bu flag. The second defines a list of groups
+ that can be specified via s\bsu\bud\bdo\bo's -\b-g\bg flag. If both Runas_Lists are
+ specified, the command may be run with any combination of users and
+ groups listed in their respective Runas_Lists. If only the first is
+ specified, the command may be run as any user in the list but no -\b-g\bg
+ flag may be specified. If the first Runas_List is empty but the second
+ is specified, the command may be run as the invoking user with the
+ group set to any listed in the Runas_List. If no Runas_Spec is speci-
+ fied the command may be run as r\bro\boo\bot\bt and no group may be specified.
+
+ A Runas_Spec sets the default for the commands that follow it. What
+ this means is that for the entry:
dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
- The user d\bdg\bgb\bb may run _\b/_\bb_\bi_\bn_\b/_\bl_\bs, _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm
- -- but only as o\bop\bpe\ber\bra\bat\bto\bor\br. E.g.,
+ The user d\bdg\bgb\bb may run _\b/_\bb_\bi_\bn_\b/_\bl_\bs, _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm -- but only
+ as o\bop\bpe\ber\bra\bat\bto\bor\br. E.g.,
$ sudo -u operator /bin/ls.
- It is also possible to override a Runas_Spec later on in
- an entry. If we modify the entry like so:
+ It is also possible to override a Runas_Spec later on in an entry. If
+ we modify the entry like so:
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
- Then user d\bdg\bgb\bb is now allowed to run _\b/_\bb_\bi_\bn_\b/_\bl_\bs as o\bop\bpe\ber\bra\bat\bto\bor\br,
- but _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as r\bro\boo\bot\bt.
+ Then user d\bdg\bgb\bb is now allowed to run _\b/_\bb_\bi_\bn_\b/_\bl_\bs as o\bop\bpe\ber\bra\bat\bto\bor\br, but _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl
+ and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as r\bro\boo\bot\bt.
- We can extend this to allow d\bdg\bgb\bb to run /bin/ls with either
- the user or group set to o\bop\bpe\ber\bra\bat\bto\bor\br:
+ We can extend this to allow d\bdg\bgb\bb to run /bin/ls with either the user or
+ group set to o\bop\bpe\ber\bra\bat\bto\bor\br:
dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill, \
/usr/bin/lprm
- In the following example, user t\btc\bcm\bm may run commands that
- access a modem device file with the dialer group. Note
- that in this example only the group will be set, the com-
- mand still runs as user t\btc\bcm\bm.
+ In the following example, user t\btc\bcm\bm may run commands that access a modem
+ device file with the dialer group. Note that in this example only the
+ group will be set, the command still runs as user t\btc\bcm\bm.
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
/usr/local/bin/minicom
T\bTa\bag\bg_\b_S\bSp\bpe\bec\bc
- A command may have zero or more tags associated with it.
- There are eight possible tag values, NOPASSWD, PASSWD,
- NOEXEC, EXEC, SETENV and NOSETENV. Once a tag is set on a
- Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit the
- tag unless it is overridden by the opposite tag (i.e.:
- PASSWD overrides NOPASSWD and NOEXEC overrides EXEC).
+ A command may have zero or more tags associated with it. There are
+ eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV and
+ NOSETENV. Once a tag is set on a Cmnd, subsequent Cmnds in the
- _\bN_\bO_\bP_\bA_\bS_\bS_\bW_\bD _\ba_\bn_\bd _\bP_\bA_\bS_\bS_\bW_\bD
- By default, s\bsu\bud\bdo\bo requires that a user authenticate him or
- herself before running a command. This behavior can be
- modified via the NOPASSWD tag. Like a Runas_Spec, the
- NOPASSWD tag sets a default for the commands that follow
- it in the Cmnd_Spec_List. Conversely, the PASSWD tag can
- be used to reverse things. For example:
- ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
+1.7 January 21, 2008 5
- would allow the user r\bra\bay\by to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, _\b/_\bb_\bi_\bn_\b/_\bl_\bs, and
- _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as root on the machine rushmore as r\bro\boo\bot\bt
- without authenticating himself. If we only want r\bra\bay\by to be
- able to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl without a password the entry would
- be:
-1.7 December 10, 2007 6
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ Cmnd_Spec_List, inherit the tag unless it is overridden by the opposite
+ tag (i.e.: PASSWD overrides NOPASSWD and NOEXEC overrides EXEC).
+ _\bN_\bO_\bP_\bA_\bS_\bS_\bW_\bD _\ba_\bn_\bd _\bP_\bA_\bS_\bS_\bW_\bD
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ By default, s\bsu\bud\bdo\bo requires that a user authenticate him or herself
+ before running a command. This behavior can be modified via the
+ NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for
+ the commands that follow it in the Cmnd_Spec_List. Conversely, the
+ PASSWD tag can be used to reverse things. For example:
+
+ ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
+ would allow the user r\bra\bay\by to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, _\b/_\bb_\bi_\bn_\b/_\bl_\bs, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm
+ as root on the machine rushmore as r\bro\boo\bot\bt without authenticating himself.
+ If we only want r\bra\bay\by to be able to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl without a password the
+ entry would be:
ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
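Review bot: the reflowed Tag_Spec text still says "There are eight possible tag values" but lists only six (NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV and NOSETENV), which also matches the six alternatives in the Tag_Spec grammar above; the count should read six. In the NOPASSWD example text, "as root on the machine rushmore as root without authenticating himself" repeats the run-as user; drop the first "as root" so it reads "... /usr/bin/lprm on the machine rushmore as root without authenticating himself". Both lines are being rewritten in this change anyway, so this is the place to fix them.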
- Note, however, that the PASSWD tag has no effect on users
- who are in the group specified by the _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option.
+ Note, however, that the PASSWD tag has no effect on users who are in
+ the group specified by the _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option.
- By default, if the NOPASSWD tag is applied to any of the
- entries for a user on the current host, he or she will be
- able to run sudo -l without a password. Additionally, a
- user may only run sudo -v without a password if the
- NOPASSWD tag is present for all a user's entries that per-
- tain to the current host. This behavior may be overridden
- via the verifypw and listpw options.
+ By default, if the NOPASSWD tag is applied to any of the entries for a
+ user on the current host, he or she will be able to run sudo -l without
+ a password. Additionally, a user may only run sudo -v without a pass-
+ word if the NOPASSWD tag is present for all a user's entries that per-
+ tain to the current host. This behavior may be overridden via the ver-
+ ifypw and listpw options.
_\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC
- If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the
- underlying operating system supports it, the NOEXEC tag
- can be used to prevent a dynamically-linked executable
- from running further commands itself.
+ If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the underlying oper-
+ ating system supports it, the NOEXEC tag can be used to prevent a
+ dynamically-linked executable from running further commands itself.
- In the following example, user a\baa\bar\bro\bon\bn may run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be
- and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi but shell escapes will be disabled.
+ In the following example, user a\baa\bar\bro\bon\bn may run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and
+ _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi but shell escapes will be disabled.
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
- See the "PREVENTING SHELL ESCAPES" section below for more
- details on how NOEXEC works and whether or not it will
- work on your system.
+ See the "PREVENTING SHELL ESCAPES" section below for more details on
+ how NOEXEC works and whether or not it will work on your system.
_\bS_\bE_\bT_\bE_\bN_\bV _\ba_\bn_\bd _\bN_\bO_\bS_\bE_\bT_\bE_\bN_\bV
- These tags override the value of the _\bs_\be_\bt_\be_\bn_\bv option on a
- per-command basis. Note that if SETENV has been set for a
- command, any environment variables set on the command line
- way are not subject to the restrictions imposed by
- _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such, only trusted
- users should be allowed to set variables in this manner.
- If the command matched is A\bAL\bLL\bL, the SETENV tag is implied
- for that command; this default may be overridden by use of
- the UNSETENV tag.
+ These tags override the value of the _\bs_\be_\bt_\be_\bn_\bv option on a per-command
+ basis. Note that if SETENV has been set for a command, any environment
+ variables set on the command line way are not subject to the restric-
+ tions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such, only
+ trusted users should be allowed to set variables in this manner. If
+ the command matched is A\bAL\bLL\bL, the SETENV tag is implied for that command;
+ this default may be overridden by use of the UNSETENV tag.
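Review bot: two wording errors survive the reflow of the SETENV and NOSETENV paragraph. "any environment variables set on the command line way are not subject to the restrictions" has a stray "way" and should read "set on the command line are not subject to the restrictions"; and the last sentence refers to an UNSETENV tag, which does not exist, since the tag defined in Tag_Spec is NOSETENV, so it should read "this default may be overridden by use of the NOSETENV tag".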
- W\bWi\bil\bld\bdc\bca\bar\brd\bds\bs
- s\bsu\bud\bdo\bo allows shell-style _\bw_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs (aka meta or glob char-
- acters) to be used in pathnames as well as command line
- arguments in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. Wildcard matching is done
- via the P\bPO\bOS\bSI\bIX\bX _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) routine. Note that these are _\bn_\bo_\bt
- regular expressions.
- * Matches any set of zero or more characters.
- ? Matches any single character.
+1.7 January 21, 2008 6
- [...] Matches any character in the specified range.
-1.7 December 10, 2007 7
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ W\bWi\bil\bld\bdc\bca\bar\brd\bds\bs
+ s\bsu\bud\bdo\bo allows shell-style _\bw_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs (aka meta or glob characters) to be
+ used in pathnames as well as command line arguments in the _\bs_\bu_\bd_\bo_\be_\br_\bs
+ file. Wildcard matching is done via the P\bPO\bOS\bSI\bIX\bX _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) routine.
+ Note that these are _\bn_\bo_\bt regular expressions.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ * Matches any set of zero or more characters.
+
+ ? Matches any single character.
+ [...] Matches any character in the specified range.
[!...] Matches any character n\bno\bot\bt in the specified range.
- \x For any character "x", evaluates to "x". This is
- used to escape special characters such as: "*",
- "?", "[", and "}".
+ \x For any character "x", evaluates to "x". This is used to
+ escape special characters such as: "*", "?", "[", and "}".
- Note that a forward slash ('/') will n\bno\bot\bt be matched by
- wildcards used in the pathname. When matching the command
- line arguments, however, a slash d\bdo\boe\bes\bs get matched by wild-
- cards. This is to make a path like:
+ Note that a forward slash ('/') will n\bno\bot\bt be matched by wildcards used
+ in the pathname. When matching the command line arguments, however, a
+ slash d\bdo\boe\bes\bs get matched by wildcards. This is to make a path like:
/usr/bin/*
The following exceptions apply to the above rules:
- "" If the empty string "" is the only command line
- argument in the _\bs_\bu_\bd_\bo_\be_\br_\bs entry it means that com-
- mand is not allowed to be run with a\ban\bny\by arguments.
+ "" If the empty string "" is the only command line argument in the
+ _\bs_\bu_\bd_\bo_\be_\br_\bs entry it means that command is not allowed to be run
+ with a\ban\bny\by arguments.
I\bIn\bnc\bcl\blu\bud\bdi\bin\bng\bg o\bot\bth\bhe\ber\br f\bfi\bil\ble\bes\bs f\bfr\bro\bom\bm w\bwi\bit\bth\bhi\bin\bn s\bsu\bud\bdo\boe\ber\brs\bs
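Review bot: in the reflowed \x entry of the Wildcards section, the list of characters it escapes ends with "}" ("*", "?", "[", and "}"), but the range operator introduced two lines earlier is "[...]", so the closing character should be "]"; correct it while the line is being touched.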
- It is possible to include other _\bs_\bu_\bd_\bo_\be_\br_\bs files from within
- the _\bs_\bu_\bd_\bo_\be_\br_\bs file currently being parsed using the #include
- directive, similar to the one used by the C preprocessor.
- This is useful, for example, for keeping a site-wide _\bs_\bu_\bd_\bo_\b-
- _\be_\br_\bs file in addition to a per-machine local one. For the
- sake of this example the site-wide _\bs_\bu_\bd_\bo_\be_\br_\bs will be
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs and the per-machine one will be _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b-
- _\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. To include _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl from _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b-
- _\be_\br_\bs we would use the following line in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs:
+ It is possible to include other _\bs_\bu_\bd_\bo_\be_\br_\bs files from within the _\bs_\bu_\bd_\bo_\be_\br_\bs
+ file currently being parsed using the #include directive, similar to
+ the one used by the C preprocessor. This is useful, for example, for
+ keeping a site-wide _\bs_\bu_\bd_\bo_\be_\br_\bs file in addition to a per-machine local
+ one. For the sake of this example the site-wide _\bs_\bu_\bd_\bo_\be_\br_\bs will be
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs and the per-machine one will be _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. To
+ include _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl from _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs we would use the following
+ line in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs:
#include /etc/sudoers.local
- When s\bsu\bud\bdo\bo reaches this line it will suspend processing of
- the current file (_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs) and switch to _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\b-
- _\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. Upon reaching the end of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl,
- the rest of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs will be processed. Files that
- are included may themselves include other files. A hard
- limit of 128 nested include files is enforced to prevent
- include file loops.
-
- O\bOt\bth\bhe\ber\br s\bsp\bpe\bec\bci\bia\bal\bl c\bch\bha\bar\bra\bac\bct\bte\ber\brs\bs a\ban\bnd\bd r\bre\bes\bse\ber\brv\bve\bed\bd w\bwo\bor\brd\bds\bs
-
- The pound sign ('#') is used to indicate a comment (unless
- it is part of a #include directive or unless it occurs in
- the context of a user name and is followed by one or more
- digits, in which case it is treated as a uid). Both the
- comment character and any text after it, up to the end of
- the line, are ignored.
+ When s\bsu\bud\bdo\bo reaches this line it will suspend processing of the current
+ file (_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs) and switch to _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. Upon reaching
+ the end of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl, the rest of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs will be pro-
+ cessed. Files that are included may themselves include other files. A
+ hard limit of 128 nested include files is enforced to prevent include
+ file loops.
-1.7 December 10, 2007 8
+1.7 January 21, 2008 7
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- The reserved word A\bAL\bLL\bL is a built-in _\ba_\bl_\bi_\ba_\bs that always
- causes a match to succeed. It can be used wherever one
- might otherwise use a Cmnd_Alias, User_Alias, Runas_Alias,
- or Host_Alias. You should not try to define your own
- _\ba_\bl_\bi_\ba_\bs called A\bAL\bLL\bL as the built-in alias will be used in
- preference to your own. Please note that using A\bAL\bLL\bL can be
- dangerous since in a command context, it allows the user
- to run a\ban\bny\by command on the system.
-
- An exclamation point ('!') can be used as a logical _\bn_\bo_\bt
- operator both in an _\ba_\bl_\bi_\ba_\bs and in front of a Cmnd. This
- allows one to exclude certain values. Note, however, that
- using a ! in conjunction with the built-in ALL alias to
- allow a user to run "all but a few" commands rarely works
+ O\bOt\bth\bhe\ber\br s\bsp\bpe\bec\bci\bia\bal\bl c\bch\bha\bar\bra\bac\bct\bte\ber\brs\bs a\ban\bnd\bd r\bre\bes\bse\ber\brv\bve\bed\bd w\bwo\bor\brd\bds\bs
+
+ The pound sign ('#') is used to indicate a comment (unless it is part
+ of a #include directive or unless it occurs in the context of a user
+ name and is followed by one or more digits, in which case it is treated
+ as a uid). Both the comment character and any text after it, up to the
+ end of the line, are ignored.
+
+ The reserved word A\bAL\bLL\bL is a built-in _\ba_\bl_\bi_\ba_\bs that always causes a match to
+ succeed. It can be used wherever one might otherwise use a Cmnd_Alias,
+ User_Alias, Runas_Alias, or Host_Alias. You should not try to define
+ your own _\ba_\bl_\bi_\ba_\bs called A\bAL\bLL\bL as the built-in alias will be used in prefer-
+ ence to your own. Please note that using A\bAL\bLL\bL can be dangerous since in
+ a command context, it allows the user to run a\ban\bny\by command on the system.
+
+ An exclamation point ('!') can be used as a logical _\bn_\bo_\bt operator both
+ in an _\ba_\bl_\bi_\ba_\bs and in front of a Cmnd. This allows one to exclude certain
+ values. Note, however, that using a ! in conjunction with the built-in
+ ALL alias to allow a user to run "all but a few" commands rarely works
as intended (see SECURITY NOTES below).
- Long lines can be continued with a backslash ('\') as the
- last character on the line.
+ Long lines can be continued with a backslash ('\') as the last charac-
+ ter on the line.
- Whitespace between elements in a list as well as special
- syntactic characters in a _\bU_\bs_\be_\br _\bS_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn ('=', ':',
- '(', ')') is optional.
+ Whitespace between elements in a list as well as special syntactic
+ characters in a _\bU_\bs_\be_\br _\bS_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn ('=', ':', '(', ')') is optional.
- The following characters must be escaped with a backslash
- ('\') when used as part of a word (e.g. a username or
- hostname): '@', '!', '=', ':', ',', '(', ')', '\'.
+ The following characters must be escaped with a backslash ('\') when
+ used as part of a word (e.g. a username or hostname): '@', '!', '=',
+ ':', ',', '(', ')', '\'.
S\bSU\bUD\bDO\bOE\bER\bRS\bS O\bOP\bPT\bTI\bIO\bON\bNS\bS
- s\bsu\bud\bdo\bo's behavior can be modified by Default_Entry lines, as
- explained earlier. A list of all supported Defaults
- parameters, grouped by type, are listed below.
+ s\bsu\bud\bdo\bo's behavior can be modified by Default_Entry lines, as explained
+ earlier. A list of all supported Defaults parameters, grouped by type,
+ are listed below.
F\bFl\bla\bag\bgs\bs:
- always_set_home If set, s\bsu\bud\bdo\bo will set the HOME environment
- variable to the home directory of the tar-
- get user (which is root unless the -\b-u\bu
- option is used). This effectively means
- that the -\b-H\bH flag is always implied. This
- flag is _\bo_\bf_\bf by default.
-
- authenticate If set, users must authenticate themselves
- via a password (or other means of authen-
- tication) before they may run commands.
- This default may be overridden via the
- PASSWD and NOPASSWD tags. This flag is _\bo_\bn
+ always_set_home If set, s\bsu\bud\bdo\bo will set the HOME environment variable to
+ the home directory of the target user (which is root
+ unless the -\b-u\bu option is used). This effectively means
+ that the -\b-H\bH flag is always implied. This flag is _\bo_\bf_\bf
by default.
- closefrom_override
- If set, the user may use s\bsu\bud\bdo\bo's -\b-C\bC option
- which overrides the default starting point
- at which s\bsu\bud\bdo\bo begins closing open file
- descriptors. This flag is _\bo_\bf_\bf by default.
+ authenticate If set, users must authenticate themselves via a pass-
+ word (or other means of authentication) before they may
+ run commands. This default may be overridden via the
+ PASSWD and NOPASSWD tags. This flag is _\bo_\bn by default.
+ closefrom_override
+ If set, the user may use s\bsu\bud\bdo\bo's -\b-C\bC option which over-
+ rides the default starting point at which s\bsu\bud\bdo\bo begins
+ closing open file descriptors. This flag is _\bo_\bf_\bf by
+ default.
-1.7 December 10, 2007 9
+1.7 January 21, 2008 8
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- env_editor If set, v\bvi\bis\bsu\bud\bdo\bo will use the value of the
- EDITOR or VISUAL environment variables
- before falling back on the default editor
- list. Note that this may create a secu-
- rity hole as it allows the user to run any
- arbitrary command as root without logging.
- A safer alternative is to place a colon-
- separated list of editors in the editor
- variable. v\bvi\bis\bsu\bud\bdo\bo will then only use the
- EDITOR or VISUAL if they match a value
- specified in editor. This flag is _\bo_\bf_\bf by
- default.
+ env_editor If set, v\bvi\bis\bsu\bud\bdo\bo will use the value of the EDITOR or
+ VISUAL environment variables before falling back on the
+ default editor list. Note that this may create a secu-
+ rity hole as it allows the user to run any arbitrary
+ command as root without logging. A safer alternative
+ is to place a colon-separated list of editors in the
+ editor variable. v\bvi\bis\bsu\bud\bdo\bo will then only use the EDITOR
+ or VISUAL if they match a value specified in editor.
+ This flag is _\bo_\bf_\bf by default.
- env_reset If set, s\bsu\bud\bdo\bo will reset the environment to
- only contain the LOGNAME, SHELL, USER,
- USERNAME and the SUDO_* variables. Any
- variables in the caller's environment that
- match the env_keep and env_check lists are
- then added. The default contents of the
- env_keep and env_check lists are displayed
- when s\bsu\bud\bdo\bo is run by root with the _\b-_\bV
- option. If the _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh option is set,
- its value will be used for the PATH envi-
- ronment variable. This flag is _\bo_\bn by
- default.
+ env_reset If set, s\bsu\bud\bdo\bo will reset the environment to only contain
+ the LOGNAME, SHELL, USER, USERNAME and the SUDO_* vari-
+ ables. Any variables in the caller's environment that
+ match the env_keep and env_check lists are then added.
+ The default contents of the env_keep and env_check
+ lists are displayed when s\bsu\bud\bdo\bo is run by root with the
+ _\b-_\bV option. If the _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh option is set, its value
+ will be used for the PATH environment variable. This
+ flag is _\bo_\bn by default.
+
+ fqdn Set this flag if you want to put fully qualified host-
+ names in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. I.e., instead of myhost you
+ would use myhost.mydomain.edu. You may still use the
+ short form if you wish (and even mix the two). Beware
+ that turning on _\bf_\bq_\bd_\bn requires s\bsu\bud\bdo\bo to make DNS lookups
+ which may make s\bsu\bud\bdo\bo unusable if DNS stops working (for
+ example if the machine is not plugged into the net-
+ work). Also note that you must use the host's official
+ name as DNS knows it. That is, you may not use a host
+ alias (CNAME entry) due to performance issues and the
+ fact that there is no way to get all aliases from DNS.
+ If your machine's hostname (as returned by the hostname
+ command) is already fully qualified you shouldn't need
+ to set _\bf_\bq_\bd_\bn. This flag is _\bo_\bf_\bf by default.
+
+ ignore_dot If set, s\bsu\bud\bdo\bo will ignore '.' or '' (current dir) in the
+ PATH environment variable; the PATH itself is not modi-
+ fied. This flag is _\bo_\bf_\bf by default.
- fqdn Set this flag if you want to put fully
- qualified hostnames in the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
- I.e., instead of myhost you would use
- myhost.mydomain.edu. You may still use
- the short form if you wish (and even mix
- the two). Beware that turning on _\bf_\bq_\bd_\bn
- requires s\bsu\bud\bdo\bo to make DNS lookups which
- may make s\bsu\bud\bdo\bo unusable if DNS stops work-
- ing (for example if the machine is not
- plugged into the network). Also note that
- you must use the host's official name as
- DNS knows it. That is, you may not use a
- host alias (CNAME entry) due to perfor-
- mance issues and the fact that there is no
- way to get all aliases from DNS. If your
- machine's hostname (as returned by the
- hostname command) is already fully quali-
- fied you shouldn't need to set _\bf_\bq_\bd_\bn. This
+ ignore_local_sudoers
+ If set via LDAP, parsing of @sysconfdir@/sudoers will
+ be skipped. This is intended for Enterprises that wish
+ to prevent the usage of local sudoers files so that
+ only LDAP is used. This thwarts the efforts of rogue
+ operators who would attempt to add roles to
+ @sysconfdir@/sudoers. When this option is present,
+ @sysconfdir@/sudoers does not even need to exist.
+ Since this option tells s\bsu\bud\bdo\bo how to behave when no spe-
+ cific LDAP entries have been matched, this sudoOption
+ is only meaningful for the cn=defaults section. This
flag is _\bo_\bf_\bf by default.
- ignore_dot If set, s\bsu\bud\bdo\bo will ignore '.' or '' (cur-
- rent dir) in the PATH environment vari-
- able; the PATH itself is not modified.
- This flag is _\bo_\bf_\bf by default.
-
- ignore_local_sudoers
- If set via LDAP, parsing of
- @sysconfdir@/sudoers will be skipped.
+ insults If set, s\bsu\bud\bdo\bo will insult users when they enter an
+ incorrect password. This flag is _\bo_\bf_\bf by default.
-1.7 December 10, 2007 10
+1.7 January 21, 2008 9
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- This is intended for Enterprises that wish
- to prevent the usage of local sudoers
- files so that only LDAP is used. This
- thwarts the efforts of rogue operators who
- would attempt to add roles to
- @sysconfdir@/sudoers. When this option is
- present, @sysconfdir@/sudoers does not
- even need to exist. Since this option
- tells s\bsu\bud\bdo\bo how to behave when no specific
- LDAP entries have been matched, this
- sudoOption is only meaningful for the
- cn=defaults section. This flag is _\bo_\bf_\bf by
+ log_host If set, the hostname will be logged in the (non-syslog)
+ s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
+
+ log_year If set, the four-digit year will be logged in the
+ (non-syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by
default.
- insults If set, s\bsu\bud\bdo\bo will insult users when they
- enter an incorrect password. This flag is
- _\bo_\bf_\bf by default.
+ long_otp_prompt When validating with a One Time Password (OPT) scheme
+ such as S\bS/\b/K\bKe\bey\by or O\bOP\bPI\bIE\bE, a two-line prompt is used to
+ make it easier to cut and paste the challenge to a
+ local window. It's not as pretty as the default but
+ some people find it more convenient. This flag is _\bo_\bf_\bf
+ by default.
- log_host If set, the hostname will be logged in the
- (non-syslog) s\bsu\bud\bdo\bo log file. This flag is
- _\bo_\bf_\bf by default.
+ mail_always Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user every time a users runs
+ s\bsu\bud\bdo\bo. This flag is _\bo_\bf_\bf by default.
- log_year If set, the four-digit year will be logged
- in the (non-syslog) s\bsu\bud\bdo\bo log file. This
- flag is _\bo_\bf_\bf by default.
+ mail_badpass Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user if the user running s\bsu\bud\bdo\bo
+ does not enter the correct password. This flag is _\bo_\bf_\bf
+ by default.
- long_otp_prompt When validating with a One Time Password
- (OPT) scheme such as S\bS/\b/K\bKe\bey\by or O\bOP\bPI\bIE\bE, a two-
- line prompt is used to make it easier to
- cut and paste the challenge to a local
- window. It's not as pretty as the default
- but some people find it more convenient.
- This flag is _\bo_\bf_\bf by default.
+ mail_no_host If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
+ invoking user exists in the _\bs_\bu_\bd_\bo_\be_\br_\bs file, but is not
+ allowed to run commands on the current host. This flag
+ is _\bo_\bf_\bf by default.
- mail_always Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user every time a
- users runs s\bsu\bud\bdo\bo. This flag is _\bo_\bf_\bf by
+ mail_no_perms If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
+ invoking user is allowed to use s\bsu\bud\bdo\bo but the command
+ they are trying is not listed in their _\bs_\bu_\bd_\bo_\be_\br_\bs file
+ entry or is explicitly denied. This flag is _\bo_\bf_\bf by
default.
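Review bot: two typos in the reflowed flag entries in this region. long_otp_prompt expands One Time Password as "(OPT)"; it should be "(OTP)". mail_always reads "every time a users runs sudo"; it should be "every time a user runs sudo".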
- mail_badpass Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user if the user
- running s\bsu\bud\bdo\bo does not enter the correct
- password. This flag is _\bo_\bf_\bf by default.
-
- mail_no_host If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo
- user if the invoking user exists in the
- _\bs_\bu_\bd_\bo_\be_\br_\bs file, but is not allowed to run
- commands on the current host. This flag
- is _\bo_\bf_\bf by default.
+ mail_no_user If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
+ invoking user is not in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. This flag is
+ _\bo_\bn by default.
+
+ noexec If set, all commands run via s\bsu\bud\bdo\bo will behave as if the
+ NOEXEC tag has been set, unless overridden by a EXEC
+ tag. See the description of _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC below as
+ well as the "PREVENTING SHELL ESCAPES" section at the
+ end of this manual. This flag is _\bo_\bf_\bf by default.
+
+ path_info Normally, s\bsu\bud\bdo\bo will tell the user when a command could
+ not be found in their PATH environment variable. Some
+ sites may wish to disable this as it could be used to
+ gather information on the location of executables that
+ the normal user does not have access to. The disadvan-
+ tage is that if the executable is simply not in the
+ user's PATH, s\bsu\bud\bdo\bo will tell the user that they are not
+ allowed to run it, which can be confusing. This flag
+ is _\bo_\bn by default.
- mail_no_perms If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo
- user if the invoking user is allowed to
- use s\bsu\bud\bdo\bo but the command they are trying
- is not listed in their _\bs_\bu_\bd_\bo_\be_\br_\bs file entry
- or is explicitly denied. This flag is _\bo_\bf_\bf
- by default.
+ passprompt_override
+ The password prompt specified by _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will
-1.7 December 10, 2007 11
+1.7 January 21, 2008 10
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- mail_no_user If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo
- user if the invoking user is not in the
- _\bs_\bu_\bd_\bo_\be_\br_\bs file. This flag is _\bo_\bn by default.
+ normally only be used if the passwod prompt provided by
+ systems such as PAM matches the string "Password:". If
+ _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is set, _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will always be
+ used. This flag is _\bo_\bf_\bf by default.
- noexec If set, all commands run via s\bsu\bud\bdo\bo will
- behave as if the NOEXEC tag has been set,
- unless overridden by a EXEC tag. See the
- description of _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC below as
- well as the "PREVENTING SHELL ESCAPES"
- section at the end of this manual. This
+ preserve_groups By default s\bsu\bud\bdo\bo will initialize the group vector to the
+ list of groups the target user is in. When _\bp_\br_\be_\b-
+ _\bs_\be_\br_\bv_\be_\b__\bg_\br_\bo_\bu_\bp_\bs is set, the user's existing group vector
+ is left unaltered. The real and effective group IDs,
+ however, are still set to match the target user. This
flag is _\bo_\bf_\bf by default.
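Review bot: two pre-existing typos are carried forward into the rewritten + lines instead of being fixed while the text is already being touched. In the noexec entry, "unless overridden by a EXEC tag" should read "an EXEC tag", and in passprompt_override "if the passwod prompt provided by systems such as PAM" should read "password prompt". Both entries are rewritten in full here, so the correction costs nothing.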
- path_info Normally, s\bsu\bud\bdo\bo will tell the user when a
- command could not be found in their PATH
- environment variable. Some sites may wish
- to disable this as it could be used to
- gather information on the location of exe-
- cutables that the normal user does not
- have access to. The disadvantage is that
- if the executable is simply not in the
- user's PATH, s\bsu\bud\bdo\bo will tell the user that
- they are not allowed to run it, which can
- be confusing. This flag is _\bo_\bn by default.
-
- passprompt_override
- The password prompt specified by
- _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will normally only be used if
- the passwod prompt provided by systems
- such as PAM matches the string "Pass-
- word:". If _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is set,
- _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will always be used. This flag
- is _\bo_\bf_\bf by default.
-
- preserve_groups By default s\bsu\bud\bdo\bo will initialize the group
- vector to the list of groups the target
- user is in. When _\bp_\br_\be_\bs_\be_\br_\bv_\be_\b__\bg_\br_\bo_\bu_\bp_\bs is set,
- the user's existing group vector is left
- unaltered. The real and effective group
- IDs, however, are still set to match the
- target user. This flag is _\bo_\bf_\bf by default.
-
- requiretty If set, s\bsu\bud\bdo\bo will only run when the user
- is logged in to a real tty. This will
- disallow things like "rsh somehost sudo
- ls" since _\br_\bs_\bh(1) does not allocate a tty.
- Because it is not possible to turn off
- echo when there is no tty present, some
- sites may wish to set this flag to prevent
- a user from entering a visible password.
+ requiretty If set, s\bsu\bud\bdo\bo will only run when the user is logged in
+ to a real tty. This will disallow things like "rsh
+ somehost sudo ls" since _\br_\bs_\bh(1) does not allocate a tty.
+ Because it is not possible to turn off echo when there
+ is no tty present, some sites may wish to set this flag
+ to prevent a user from entering a visible password.
This flag is _\bo_\bf_\bf by default.
- root_sudo If set, root is allowed to run s\bsu\bud\bdo\bo too.
- Disabling this prevents users from "chain-
- ing" s\bsu\bud\bdo\bo commands to get a root shell by
-
-
-
-1.7 December 10, 2007 12
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- doing something like "sudo sudo /bin/sh".
- Note, however, that turning off _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo
- will also prevent root and from running
- s\bsu\bud\bdo\boe\bed\bdi\bit\bt. Disabling _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo provides no
- real additional security; it exists purely
- for historical reasons. This flag is _\bo_\bn
+ root_sudo If set, root is allowed to run s\bsu\bud\bdo\bo too. Disabling
+ this prevents users from "chaining" s\bsu\bud\bdo\bo commands to
+ get a root shell by doing something like "sudo sudo
+ /bin/sh". Note, however, that turning off _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo
+ will also prevent root and from running s\bsu\bud\bdo\boe\bed\bdi\bit\bt. Dis-
+ abling _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo provides no real additional security;
+ it exists purely for historical reasons. This flag is
+ _\bo_\bn by default.
+
+ rootpw If set, s\bsu\bud\bdo\bo will prompt for the root password instead
+ of the password of the invoking user. This flag is _\bo_\bf_\bf
by default.
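Review bot: the reflowed root_sudo text keeps the stray conjunction from the old wording, "will also prevent root and from running sudoedit"; drop the "and" so it reads "will also prevent root from running sudoedit". The rest of the entry (the "sudo sudo /bin/sh" chaining example and the statement that disabling root_sudo provides no real additional security) is unchanged by the reflow.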
- rootpw If set, s\bsu\bud\bdo\bo will prompt for the root
- password instead of the password of the
- invoking user. This flag is _\bo_\bf_\bf by
- default.
-
- runaspw If set, s\bsu\bud\bdo\bo will prompt for the password
- of the user defined by the _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt
- option (defaults to root) instead of the
- password of the invoking user. This flag
- is _\bo_\bf_\bf by default.
-
- set_home If set and s\bsu\bud\bdo\bo is invoked with the -\b-s\bs
- flag the HOME environment variable will be
- set to the home directory of the target
- user (which is root unless the -\b-u\bu option
- is used). This effectively makes the -\b-s\bs
- flag imply -\b-H\bH. This flag is _\bo_\bf_\bf by
- default.
-
- set_logname Normally, s\bsu\bud\bdo\bo will set the LOGNAME, USER
- and USERNAME environment variables to the
- name of the target user (usually root
- unless the -\b-u\bu flag is given). However,
- since some programs (including the RCS
- revision control system) use LOGNAME to
- determine the real identity of the user,
- it may be desirable to change this behav-
- ior. This can be done by negating the
- set_logname option. Note that if the
- _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option has not been disabled,
- entries in the _\be_\bn_\bv_\b__\bk_\be_\be_\bp list will override
- the value of _\bs_\be_\bt_\b__\bl_\bo_\bg_\bn_\ba_\bm_\be. This flag is
- _\bo_\bf_\bf by default.
+ runaspw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
+ defined by the _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt option (defaults to root)
+ instead of the password of the invoking user. This
+ flag is _\bo_\bf_\bf by default.
- setenv Allow the user to disable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt
- option from the command line. Addition-
- ally, environment variables set via the
- command line are not subject to the
- restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk,
- _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such, only
- trusted users should be allowed to set
- variables in this manner. This flag is
- _\bo_\bf_\bf by default.
+ set_home If set and s\bsu\bud\bdo\bo is invoked with the -\b-s\bs flag the HOME
+ environment variable will be set to the home directory
+ of the target user (which is root unless the -\b-u\bu option
+ is used). This effectively makes the -\b-s\bs flag imply -\b-H\bH.
+ This flag is _\bo_\bf_\bf by default.
- shell_noargs If set and s\bsu\bud\bdo\bo is invoked with no argu-
- ments it acts as if the -\b-s\bs flag had been
+ set_logname Normally, s\bsu\bud\bdo\bo will set the LOGNAME, USER and USERNAME
+ environment variables to the name of the target user
+ (usually root unless the -\b-u\bu flag is given). However,
+ since some programs (including the RCS revision control
+ system) use LOGNAME to determine the real identity of
+ the user, it may be desirable to change this behavior.
+ This can be done by negating the set_logname option.
+ Note that if the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option has not been dis-
+ abled, entries in the _\be_\bn_\bv_\b__\bk_\be_\be_\bp list will override the
+ value of _\bs_\be_\bt_\b__\bl_\bo_\bg_\bn_\ba_\bm_\be. This flag is _\bo_\bf_\bf by default.
-1.7 December 10, 2007 13
+1.7 January 21, 2008 11
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- given. That is, it runs a shell as root
- (the shell is determined by the SHELL
- environment variable if it is set, falling
- back on the shell listed in the invoking
- user's /etc/passwd entry if not). This
+ setenv Allow the user to disable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option from the
+ command line. Additionally, environment variables set
+ via the command line are not subject to the restric-
+ tions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or _\be_\bn_\bv_\b__\bk_\be_\be_\bp.
+ As such, only trusted users should be allowed to set
+ variables in this manner. This flag is _\bo_\bf_\bf by default.
+
+ shell_noargs If set and s\bsu\bud\bdo\bo is invoked with no arguments it acts as
+ if the -\b-s\bs flag had been given. That is, it runs a
+ shell as root (the shell is determined by the SHELL
+ environment variable if it is set, falling back on the
+ shell listed in the invoking user's /etc/passwd entry
+ if not). This flag is _\bo_\bf_\bf by default.
+
+ stay_setuid Normally, when s\bsu\bud\bdo\bo executes a command the real and
+ effective UIDs are set to the target user (root by
+ default). This option changes that behavior such that
+ the real UID is left as the invoking user's UID. In
+ other words, this makes s\bsu\bud\bdo\bo act as a setuid wrapper.
+ This can be useful on systems that disable some poten-
+ tially dangerous functionality when a program is run
+ setuid. This option is only effective on systems with
+ either the _\bs_\be_\bt_\br_\be_\bu_\bi_\bd_\b(_\b) or _\bs_\be_\bt_\br_\be_\bs_\bu_\bi_\bd_\b(_\b) function. This
flag is _\bo_\bf_\bf by default.
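Review bot: two small accuracy and markup points in this block. In shell_noargs, "it runs a shell as root" is only exact when runas_default is left at its default; the runas_default entry later in this diff says the target user is configurable, so "a shell as the runas_default user" would be precise. In set_logname, the first mention in "negating the set_logname option" is plain text while the later reference is italicised like every other option name in the section; mark both the same way.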
- stay_setuid Normally, when s\bsu\bud\bdo\bo executes a command the
- real and effective UIDs are set to the
- target user (root by default). This
- option changes that behavior such that the
- real UID is left as the invoking user's
- UID. In other words, this makes s\bsu\bud\bdo\bo act
- as a setuid wrapper. This can be useful
- on systems that disable some potentially
- dangerous functionality when a program is
- run setuid. This option is only effective
- on systems with either the _\bs_\be_\bt_\br_\be_\bu_\bi_\bd_\b(_\b) or
- _\bs_\be_\bt_\br_\be_\bs_\bu_\bi_\bd_\b(_\b) function. This flag is _\bo_\bf_\bf by
- default.
+ targetpw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
+ specified by the -\b-u\bu flag (defaults to root) instead of
+ the password of the invoking user. Note that this pre-
+ cludes the use of a uid not listed in the passwd
+ database as an argument to the -\b-u\bu flag. This flag is
+ _\bo_\bf_\bf by default.
+
+ tty_tickets If set, users must authenticate on a per-tty basis.
+ Normally, s\bsu\bud\bdo\bo uses a directory in the ticket dir with
+ the same name as the user running it. With this flag
+ enabled, s\bsu\bud\bdo\bo will use a file named for the tty the
+ user is logged in on in that directory. This flag is
+ _\bo_\bf_\bf by default.
- targetpw If set, s\bsu\bud\bdo\bo will prompt for the password
- of the user specified by the -\b-u\bu flag
- (defaults to root) instead of the password
- of the invoking user. Note that this pre-
- cludes the use of a uid not listed in the
- passwd database as an argument to the -\b-u\bu
- flag. This flag is _\bo_\bf_\bf by default.
-
- tty_tickets If set, users must authenticate on a per-
- tty basis. Normally, s\bsu\bud\bdo\bo uses a direc-
- tory in the ticket dir with the same name
- as the user running it. With this flag
- enabled, s\bsu\bud\bdo\bo will use a file named for
- the tty the user is logged in on in that
- directory. This flag is _\bo_\bf_\bf by default.
-
- use_loginclass If set, s\bsu\bud\bdo\bo will apply the defaults spec-
- ified for the target user's login class if
- one exists. Only available if s\bsu\bud\bdo\bo is
- configured with the --with-logincap
+ use_loginclass If set, s\bsu\bud\bdo\bo will apply the defaults specified for the
+ target user's login class if one exists. Only avail-
+ able if s\bsu\bud\bdo\bo is configured with the --with-logincap
option. This flag is _\bo_\bf_\bf by default.
I\bIn\bnt\bte\beg\bge\ber\brs\bs:
- closefrom Before it executes a command, s\bsu\bud\bdo\bo will
- close all open file descriptors other than
- standard input, standard output and stan-
- dard error (ie: file descriptors 0-2).
- The _\bc_\bl_\bo_\bs_\be_\bf_\br_\bo_\bm option can be used to spec-
- ify a different file descriptor at which
- to start closing. The default is 3.
+ closefrom Before it executes a command, s\bsu\bud\bdo\bo will close all open
+ file descriptors other than standard input, standard
+ output and standard error (ie: file descriptors 0-2).
+ The _\bc_\bl_\bo_\bs_\be_\bf_\br_\bo_\bm option can be used to specify a different
+ file descriptor at which to start closing. The default
+ is 3.
- passwd_tries The number of tries a user gets to enter
+ passwd_tries The number of tries a user gets to enter his/her
-1.7 December 10, 2007 14
+1.7 January 21, 2008 12
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- his/her password before s\bsu\bud\bdo\bo logs the
- failure and exits. The default is 3.
+ password before s\bsu\bud\bdo\bo logs the failure and exits. The
+ default is 3.
I\bIn\bnt\bte\beg\bge\ber\brs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
- loglinelen Number of characters per line for the file
- log. This value is used to decide when to
- wrap lines for nicer log files. This has
- no effect on the syslog log file, only the
- file log. The default is 80 (use 0 or
- negate the option to disable word wrap).
+ loglinelen Number of characters per line for the file log. This
+ value is used to decide when to wrap lines for nicer
+ log files. This has no effect on the syslog log file,
+ only the file log. The default is 80 (use 0 or negate
+ the option to disable word wrap).
- passwd_timeout Number of minutes before the s\bsu\bud\bdo\bo password
- prompt times out. The default is 5; set
- this to 0 for no password timeout.
+ passwd_timeout Number of minutes before the s\bsu\bud\bdo\bo password prompt times
+ out. The default is 5; set this to 0 for no password
+ timeout.
timestamp_timeout
- Number of minutes that can elapse before
- s\bsu\bud\bdo\bo will ask for a passwd again. The
- default is 5. Set this to 0 to always
- prompt for a password. If set to a value
- less than 0 the user's timestamp will
- never expire. This can be used to allow
- users to create or delete their own times-
- tamps via sudo -v and sudo -k respec-
+ Number of minutes that can elapse before s\bsu\bud\bdo\bo will ask
+ for a passwd again. The default is 5. Set this to 0
+ to always prompt for a password. If set to a value
+ less than 0 the user's timestamp will never expire.
+ This can be used to allow users to create or delete
+ their own timestamps via sudo -v and sudo -k respec-
tively.
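Review bot: in the reflowed timestamp_timeout text, "before sudo will ask for a passwd again" should read "password"; passwd is the database and command name, and the same entry uses "password" in the very next sentence ("Set this to 0 to always prompt for a password"). The wording is otherwise unchanged by the reflow.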
- umask Umask to use when running the command.
- Negate this option or set it to 0777 to
- preserve the user's umask. The default is
- 0022.
+ umask Umask to use when running the command. Negate this
+ option or set it to 0777 to preserve the user's umask.
+ The default is 0022.
S\bSt\btr\bri\bin\bng\bgs\bs:
- badpass_message Message that is displayed if a user enters
- an incorrect password. The default is
- Sorry, try again. unless insults are
- enabled.
-
- editor A colon (':') separated list of editors
- allowed to be used with v\bvi\bis\bsu\bud\bdo\bo. v\bvi\bis\bsu\bud\bdo\bo
- will choose the editor that matches the
- user's EDITOR environment variable if pos-
- sible, or the first editor in the list
- that exists and is executable. The
- default is the path to vi on your system.
-
- mailsub Subject of the mail sent to the _\bm_\ba_\bi_\bl_\bt_\bo
- user. The escape %h will expand to the
- hostname of the machine. Default is ***
- SECURITY information for %h ***.
+ badpass_message Message that is displayed if a user enters an incorrect
+ password. The default is Sorry, try again. unless
+ insults are enabled.
+
+ editor A colon (':') separated list of editors allowed to be
+ used with v\bvi\bis\bsu\bud\bdo\bo. v\bvi\bis\bsu\bud\bdo\bo will choose the editor that
+ matches the user's EDITOR environment variable if pos-
+ sible, or the first editor in the list that exists and
+ is executable. The default is the path to vi on your
+ system.
+
+ mailsub Subject of the mail sent to the _\bm_\ba_\bi_\bl_\bt_\bo user. The escape
+ %h will expand to the hostname of the machine. Default
+ is *** SECURITY information for %h ***.
+
+ noexec_file Path to a shared library containing dummy versions of
+ the _\be_\bx_\be_\bc_\bv_\b(_\b), _\be_\bx_\be_\bc_\bv_\be_\b(_\b) and _\bf_\be_\bx_\be_\bc_\bv_\be_\b(_\b) library functions
+ that just return an error. This is used to implement
+ the _\bn_\bo_\be_\bx_\be_\bc functionality on systems that support
+ LD_PRELOAD or its equivalent. Defaults to
+ _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc_\b/_\bs_\bu_\bd_\bo_\b__\bn_\bo_\be_\bx_\be_\bc_\b._\bs_\bo.
- noexec_file Path to a shared library containing dummy
- versions of the _\be_\bx_\be_\bc_\bv_\b(_\b), _\be_\bx_\be_\bc_\bv_\be_\b(_\b) and
+ passprompt The default prompt to use when asking for a password;
+ can be overridden via the -\b-p\bp option or the SUDO_PROMPT
-1.7 December 10, 2007 15
+1.7 January 21, 2008 13
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- _\bf_\be_\bx_\be_\bc_\bv_\be_\b(_\b) library functions that just
- return an error. This is used to imple-
- ment the _\bn_\bo_\be_\bx_\be_\bc functionality on systems
- that support LD_PRELOAD or its equivalent.
- Defaults to
- _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc_\b/_\bs_\bu_\bd_\bo_\b__\bn_\bo_\be_\bx_\be_\bc_\b._\bs_\bo.
-
- passprompt The default prompt to use when asking for
- a password; can be overridden via the -\b-p\bp
- option or the SUDO_PROMPT environment
- variable. The following percent (`%')
+ environment variable. The following percent (`%')
escapes are supported:
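Review bot: in badpass_message the default value is run straight into the sentence, "The default is Sorry, try again. unless insults are enabled.", so the message's own trailing period reads as the end of the sentence. The other defaults in this block stand out visually (noexec_file's path is italicised, mailsub's value is bracketed by asterisks); italicise or quote the badpass_message default the same way the path is.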
- %H expanded to the local hostname includ-
- ing the domain name (on if the
- machine's hostname is fully qualified
- or the _\bf_\bq_\bd_\bn option is set)
+ %H expanded to the local hostname including the domain
+ name (on if the machine's hostname is fully quali-
+ fied or the _\bf_\bq_\bd_\bn option is set)
- %h expanded to the local hostname without
- the domain name
+ %h expanded to the local hostname without the domain
+ name
- %U expanded to the login name of the user
- the command will be run as (defaults
- to root)
+ %p expanded to the user whose password is being asked
+ for (respects the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and _\br_\bu_\bn_\ba_\bs_\bp_\bw
+ flags in _\bs_\bu_\bd_\bo_\be_\br_\bs)
- %u expanded to the invoking user's login
- name
+ %U expanded to the login name of the user the command
+ will be run as (defaults to root)
- %% two consecutive % characters are col-
- lapsed into a single % character
+ %u expanded to the invoking user's login name
+
+ %% two consecutive % characters are collapsed into a
+ single % character
The default value is Password:.
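Review bot: the %p escape is the only substantive addition in this hunk; everything else is a reflow of the %H, %h, %U, %u and %% descriptions. Its placement between %h and %U keeps the existing upper/lower-case ordering, and the parenthetical correctly ties it to rootpw, targetpw and runaspw, which are the three flags documented above as changing whose password is prompted for. Since the passprompt entry says the prompt can also be set via the -p option or SUDO_PROMPT, make sure the sudo(8) page's -p description gains the same %p line in this change so the two pages agree.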
- runas_default The default user to run commands as if the
- -\b-u\bu flag is not specified on the command
- line. This defaults to root. Note that
- if _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt is set it m\bmu\bus\bst\bt occur
+ runas_default The default user to run commands as if the -\b-u\bu flag is
+ not specified on the command line. This defaults to
+ root. Note that if _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt is set it m\bmu\bus\bst\bt occur
before any Runas_Alias specifications.
- syslog_badpri Syslog priority to use when user authenti-
- cates unsuccessfully. Defaults to alert.
+ syslog_badpri Syslog priority to use when user authenticates unsuc-
+ cessfully. Defaults to alert.
- syslog_goodpri Syslog priority to use when user authenti-
- cates successfully. Defaults to notice.
+ syslog_goodpri Syslog priority to use when user authenticates success-
+ fully. Defaults to notice.
- timestampdir The directory in which s\bsu\bud\bdo\bo stores its
- timestamp files. The default is
- _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo.
+ timestampdir The directory in which s\bsu\bud\bdo\bo stores its timestamp files.
+ The default is _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo.
- timestampowner The owner of the timestamp directory and
- the timestamps stored therein. The
- default is root.
+ timestampowner The owner of the timestamp directory and the timestamps
+ stored therein. The default is root.
S\bSt\btr\bri\bin\bng\bgs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
+ exempt_group
+ Users in this group are exempt from password and PATH
+ requirements. This is not set by default.
+ lecture This option controls when a short lecture will be printed
+ along with the password prompt. It has the following pos-
+ sible values:
-1.7 December 10, 2007 16
+ always Always lecture the user.
+ never Never lecture the user.
+1.7 January 21, 2008 14
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- exempt_group
- Users in this group are exempt from password
- and PATH requirements. This is not set by
- default.
- lecture This option controls when a short lecture will
- be printed along with the password prompt. It
- has the following possible values:
- always Always lecture the user.
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- never Never lecture the user.
- once Only lecture the user the first time
- they run s\bsu\bud\bdo\bo.
+ once Only lecture the user the first time they run s\bsu\bud\bdo\bo.
- If no value is specified, a value of _\bo_\bn_\bc_\be is
- implied. Negating the option results in a
- value of _\bn_\be_\bv_\be_\br being used. The default value
- is _\bo_\bn_\bc_\be.
+ If no value is specified, a value of _\bo_\bn_\bc_\be is implied.
+ Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
+ The default value is _\bo_\bn_\bc_\be.
lecture_file
- Path to a file containing an alternate s\bsu\bud\bdo\bo
- lecture that will be used in place of the
- standard lecture if the named file exists. By
- default, s\bsu\bud\bdo\bo uses a built-in lecture.
+ Path to a file containing an alternate s\bsu\bud\bdo\bo lecture that
+ will be used in place of the standard lecture if the named
+ file exists. By default, s\bsu\bud\bdo\bo uses a built-in lecture.
- listpw This option controls when a password will be
- required when a user runs s\bsu\bud\bdo\bo with the -\b-l\bl
- flag. It has the following possible values:
+ listpw This option controls when a password will be required when
+ a user runs s\bsu\bud\bdo\bo with the -\b-l\bl flag. It has the following
+ possible values:
- all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the
- current host must have the NOPASSWD
- flag set to avoid entering a password.
+ all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the current host
+ must have the NOPASSWD flag set to avoid entering a
+ password.
- always The user must always enter a password
- to use the -\b-l\bl flag.
+ always The user must always enter a password to use the -\b-l\bl
+ flag.
- any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs
- entries for the current host must have
- the NOPASSWD flag set to avoid enter-
- ing a password.
+ any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the
+ current host must have the NOPASSWD flag set to
+ avoid entering a password.
- never The user need never enter a password
- to use the -\b-l\bl flag.
+ never The user need never enter a password to use the -\b-l\bl
+ flag.
- If no value is specified, a value of _\ba_\bn_\by is
- implied. Negating the option results in a
- value of _\bn_\be_\bv_\be_\br being used. The default value
- is _\ba_\bn_\by.
+ If no value is specified, a value of _\ba_\bn_\by is implied.
+ Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
+ The default value is _\ba_\bn_\by.
- logfile Path to the s\bsu\bud\bdo\bo log file (not the syslog log
- file). Setting a path turns on logging to a
- file; negating this option turns it off. By
+ logfile Path to the s\bsu\bud\bdo\bo log file (not the syslog log file). Set-
+ ting a path turns on logging to a file; negating this
+ option turns it off. By default, s\bsu\bud\bdo\bo logs via syslog.
+ mailerflags Flags to use when invoking mailer. Defaults to -\b-t\bt.
+ mailerpath Path to mail program used to send warning mail. Defaults
+ to the path to sendmail found at configure time.
-1.7 December 10, 2007 17
+ mailto Address to send warning and error mail to. The address
+ should be enclosed in double quotes (") to protect against
+ s\bsu\bud\bdo\bo interpreting the @ sign. Defaults to root.
+ secure_path Path used for every command run from s\bsu\bud\bdo\bo. If you don't
+ trust the people running s\bsu\bud\bdo\bo to have a sane PATH environ-
+ ment variable you may want to use this. Another use is if
+ you want to have the "root path" be separate from the "user
+ path." Users in the group specified by the _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp
+ option are not affected by _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh. This is not set by
+ default.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+1.7 January 21, 2008 15
- default, s\bsu\bud\bdo\bo logs via syslog.
- mailerflags Flags to use when invoking mailer. Defaults to
- -\b-t\bt.
- mailerpath Path to mail program used to send warning
- mail. Defaults to the path to sendmail found
- at configure time.
- mailto Address to send warning and error mail to.
- The address should be enclosed in double
- quotes (") to protect against s\bsu\bud\bdo\bo interpret-
- ing the @ sign. Defaults to root.
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- secure_path Path used for every command run from s\bsu\bud\bdo\bo. If
- you don't trust the people running s\bsu\bud\bdo\bo to
- have a sane PATH environment variable you may
- want to use this. Another use is if you want
- to have the "root path" be separate from the
- "user path." Users in the group specified by
- the _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option are not affected by
- _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh. This is not set by default.
- syslog Syslog facility if syslog is being used for
- logging (negate to disable syslog logging).
- Defaults to local2.
+ syslog Syslog facility if syslog is being used for logging (negate
+ to disable syslog logging). Defaults to local2.
- verifypw This option controls when a password will be
- required when a user runs s\bsu\bud\bdo\bo with the -\b-v\bv
- flag. It has the following possible values:
+ verifypw This option controls when a password will be required when
+ a user runs s\bsu\bud\bdo\bo with the -\b-v\bv flag. It has the following
+ possible values:
- all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the
- current host must have the NOPASSWD
- flag set to avoid entering a password.
+ all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the current host
+ must have the NOPASSWD flag set to avoid entering a
+ password.
- always The user must always enter a password
- to use the -\b-v\bv flag.
+ always The user must always enter a password to use the -\b-v\bv
+ flag.
- any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs
- entries for the current host must have
- the NOPASSWD flag set to avoid enter-
- ing a password.
+ any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the
+ current host must have the NOPASSWD flag set to
+ avoid entering a password.
- never The user need never enter a password
- to use the -\b-v\bv flag.
+ never The user need never enter a password to use the -\b-v\bv
+ flag.
- If no value is specified, a value of _\ba_\bl_\bl is
- implied. Negating the option results in a
- value of _\bn_\be_\bv_\be_\br being used. The default value
- is _\ba_\bl_\bl.
+ If no value is specified, a value of _\ba_\bl_\bl is implied.
+ Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
+ The default value is _\ba_\bl_\bl.
L\bLi\bis\bst\bts\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
- env_check Environment variables to be removed from
+ env_check Environment variables to be removed from the user's
+ environment if the variable's value contains % or /
+ characters. This can be used to guard against printf-
+ style format vulnerabilities in poorly-written pro-
+ grams. The argument may be a double-quoted, space-sep-
+ arated list or a single value without double-quotes.
+ The list can be replaced, added to, deleted from, or
+ disabled by using the =, +=, -=, and ! operators
+ respectively. Regardless of whether the env_reset
+ option is enabled or disabled, variables specified by
+ env_check will be preserved in the environment if they
+ pass the aforementioned check. The default list of
+ environment variables to check is displayed when s\bsu\bud\bdo\bo
+ is run by root with the _\b-_\bV option.
+ env_delete Environment variables to be removed from the user's
+ environment. The argument may be a double-quoted,
+ space-separated list or a single value without dou-
+ ble-quotes. The list can be replaced, added to,
+ deleted from, or disabled by using the =, +=, -=, and !
+ operators respectively. The default list of environ-
+ ment variables to remove is displayed when s\bsu\bud\bdo\bo is run
+ by root with the _\b-_\bV option. Note that many operating
+ systems will remove potentially dangerous variables
+ from the environment of any setuid process (such as
+ s\bsu\bud\bdo\bo).
-1.7 December 10, 2007 18
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- the user's environment if the variable's
- value contains % or / characters. This
- can be used to guard against printf-style
- format vulnerabilities in poorly-written
- programs. The argument may be a dou-
- ble-quoted, space-separated list or a sin-
- gle value without double-quotes. The list
- can be replaced, added to, deleted from,
- or disabled by using the =, +=, -=, and !
- operators respectively. Regardless of
- whether the env_reset option is enabled or
- disabled, variables specified by env_check
- will be preserved in the environment if
- they pass the aforementioned check. The
- default list of environment variables to
- check is displayed when s\bsu\bud\bdo\bo is run by
- root with the _\b-_\bV option.
-
- env_delete Environment variables to be removed from
- the user's environment. The argument may
- be a double-quoted, space-separated list
- or a single value without double-quotes.
- The list can be replaced, added to,
- deleted from, or disabled by using the =,
- +=, -=, and ! operators respectively. The
- default list of environment variables to
- remove is displayed when s\bsu\bud\bdo\bo is run by
- root with the _\b-_\bV option. Note that many
- operating systems will remove potentially
- dangerous variables from the environment
- of any setuid process (such as s\bsu\bud\bdo\bo).
-
- env_keep Environment variables to be preserved in
- the user's environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt
- option is in effect. This allows fine-
- grained control over the environment
- s\bsu\bud\bdo\bo-spawned processes will receive. The
- argument may be a double-quoted, space-
- separated list or a single value without
- double-quotes. The list can be replaced,
- added to, deleted from, or disabled by
- using the =, +=, -=, and ! operators
- respectively. The default list of vari-
- ables to keep is displayed when s\bsu\bud\bdo\bo is
- run by root with the _\b-_\bV option.
-
- When logging via _\bs_\by_\bs_\bl_\bo_\bg(3), s\bsu\bud\bdo\bo accepts the following
- values for the syslog facility (the value of the s\bsy\bys\bsl\blo\bog\bg
- Parameter): a\bau\but\bth\bhp\bpr\bri\biv\bv (if your OS supports it), a\bau\but\bth\bh, d\bda\bae\be-\b-
- m\bmo\bon\bn, u\bus\bse\ber\br, l\blo\boc\bca\bal\bl0\b0, l\blo\boc\bca\bal\bl1\b1, l\blo\boc\bca\bal\bl2\b2, l\blo\boc\bca\bal\bl3\b3, l\blo\boc\bca\bal\bl4\b4, l\blo\boc\bca\bal\bl5\b5,
- l\blo\boc\bca\bal\bl6\b6, and l\blo\boc\bca\bal\bl7\b7. The following syslog priorities are
- supported: a\bal\ble\ber\brt\bt, c\bcr\bri\bit\bt, d\bde\beb\bbu\bug\bg, e\bem\bme\ber\brg\bg, e\ber\brr\br, i\bin\bnf\bfo\bo, n\bno\bot\bti\bic\bce\be,
- and w\bwa\bar\brn\bni\bin\bng\bg.
-
-
-
-
-1.7 December 10, 2007 19
+1.7 January 21, 2008 16
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
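Review bot: nearly every line in this region differs only because the catman output was regenerated at a wider wrap (the env_check, env_delete and env_keep paragraphs are identical in content on the "-" and "+" sides), which buries the one substantive change, the footer date moving from December 10, 2007 to January 21, 2008 with the page numbering shifting (old page 19 is now page 16). Please diff the nroff/pod source of sudoers(4), or regenerate both sides at the same width, so the actual text edits are visible to reviewers.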
+ env_keep Environment variables to be preserved in the user's
+ environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is in effect.
+ This allows fine-grained control over the environment
+ s\bsu\bud\bdo\bo-spawned processes will receive. The argument may
+ be a double-quoted, space-separated list or a single
+ value without double-quotes. The list can be replaced,
+ added to, deleted from, or disabled by using the =, +=,
+ -=, and ! operators respectively. The default list of
+ variables to keep is displayed when s\bsu\bud\bdo\bo is run by root
+ with the _\b-_\bV option.
+
+ When logging via _\bs_\by_\bs_\bl_\bo_\bg(3), s\bsu\bud\bdo\bo accepts the following values for the
+ syslog facility (the value of the s\bsy\bys\bsl\blo\bog\bg Parameter): a\bau\but\bth\bhp\bpr\bri\biv\bv (if your
+ OS supports it), a\bau\but\bth\bh, d\bda\bae\bem\bmo\bon\bn, u\bus\bse\ber\br, l\blo\boc\bca\bal\bl0\b0, l\blo\boc\bca\bal\bl1\b1, l\blo\boc\bca\bal\bl2\b2, l\blo\boc\bca\bal\bl3\b3,
+ l\blo\boc\bca\bal\bl4\b4, l\blo\boc\bca\bal\bl5\b5, l\blo\boc\bca\bal\bl6\b6, and l\blo\boc\bca\bal\bl7\b7. The following syslog priorities
+ are supported: a\bal\ble\ber\brt\bt, c\bcr\bri\bit\bt, d\bde\beb\bbu\bug\bg, e\bem\bme\ber\brg\bg, e\ber\brr\br, i\bin\bnf\bfo\bo, n\bno\bot\bti\bic\bce\be, and w\bwa\bar\brn\bn-\b-
+ i\bin\bng\bg.
+
F\bFI\bIL\bLE\bES\bS
_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
_\b/_\be_\bt_\bc_\b/_\bg_\br_\bo_\bu_\bp Local groups file
_\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bg_\br_\bo_\bu_\bp List of network groups
E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
- Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of
- these are a bit contrived. First, we define our _\ba_\bl_\bi_\ba_\bs_\be_\bs:
+ Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of these are a bit
+ contrived. First, we define our _\ba_\bl_\bi_\ba_\bs_\be_\bs:
# User alias specification
User_Alias FULLTIMERS = millert, mikef, dowdy
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules
+
+
+
+
+
+
+
+
+
+
+
+1.7 January 21, 2008 17
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
/usr/sbin/restore, /usr/sbin/rrestore
Cmnd_Alias SU = /usr/bin/su
Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
- Here we override some of the compiled in default values.
- We want s\bsu\bud\bdo\bo to log via _\bs_\by_\bs_\bl_\bo_\bg(3) using the _\ba_\bu_\bt_\bh facility
- in all cases. We don't want to subject the full time
- staff to the s\bsu\bud\bdo\bo lecture, user m\bmi\bil\bll\ble\ber\brt\bt need not give a
- password, and we don't want to reset the LOGNAME, USER or
- USERNAME environment variables when running commands as
- root. Additionally, on the machines in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS
- Host_Alias, we keep an additional local log file and make
- sure we log the year in each log line since the log
- entries will be kept around for several years. Lastly, we
- disable shell escapes for the commands in the PAGERS
- Cmnd_Alias (_\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be, _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bp_\bg and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\be_\bs_\bs).
-
-
-
-1.7 December 10, 2007 20
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
+ Here we override some of the compiled in default values. We want s\bsu\bud\bdo\bo
+ to log via _\bs_\by_\bs_\bl_\bo_\bg(3) using the _\ba_\bu_\bt_\bh facility in all cases. We don't
+ want to subject the full time staff to the s\bsu\bud\bdo\bo lecture, user m\bmi\bil\bll\ble\ber\brt\bt
+ need not give a password, and we don't want to reset the LOGNAME, USER
+ or USERNAME environment variables when running commands as root. Addi-
+ tionally, on the machines in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, we keep an addi-
+ tional local log file and make sure we log the year in each log line
+ since the log entries will be kept around for several years. Lastly,
+ we disable shell escapes for the commands in the PAGERS Cmnd_Alias
+ (_\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be, _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bp_\bg and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\be_\bs_\bs).
# Override built-in defaults
Defaults syslog=auth
Defaults@SERVERS log_year, logfile=/var/log/sudo.log
Defaults!PAGERS noexec
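Review bot: the example block does not match the paragraph describing it. The text promises no lecture for the full time staff, no password for millert, and keeping LOGNAME, USER and USERNAME when running as root, but the four Defaults lines only set syslog=auth, the per-host log file for SERVERS, and noexec for PAGERS. Either add the per-user and per-runas lines the prose refers to (Defaults:FULLTIMERS !lecture, Defaults:millert !authenticate, Defaults>root !set_logname) or cut the paragraph down to what the block actually shows; as it stands a reader copying the example gets less than the text claims.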
- The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually deter-
- mines who may run what.
+ The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually determines who may run
+ what.
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
- We let r\bro\boo\bot\bt and any user in group w\bwh\bhe\bee\bel\bl run any command on
- any host as any user.
+ We let r\bro\boo\bot\bt and any user in group w\bwh\bhe\bee\bel\bl run any command on any host as
+ any user.
FULLTIMERS ALL = NOPASSWD: ALL
- Full time sysadmins (m\bmi\bil\bll\ble\ber\brt\bt, m\bmi\bik\bke\bef\bf, and d\bdo\bow\bwd\bdy\by) may run
- any command on any host without authenticating themselves.
+ Full time sysadmins (m\bmi\bil\bll\ble\ber\brt\bt, m\bmi\bik\bke\bef\bf, and d\bdo\bow\bwd\bdy\by) may run any command on
+ any host without authenticating themselves.
PARTTIMERS ALL = ALL
- Part time sysadmins (b\bbo\bos\bst\btl\ble\bey\by, j\bjw\bwf\bfo\box\bx, and c\bcr\bra\baw\bwl\bl) may run
- any command on any host but they must authenticate them-
- selves first (since the entry lacks the NOPASSWD tag).
+ Part time sysadmins (b\bbo\bos\bst\btl\ble\bey\by, j\bjw\bwf\bfo\box\bx, and c\bcr\bra\baw\bwl\bl) may run any command on
+ any host but they must authenticate themselves first (since the entry
+ lacks the NOPASSWD tag).
jack CSNETS = ALL
- The user j\bja\bac\bck\bk may run any command on the machines in the
- _\bC_\bS_\bN_\bE_\bT_\bS alias (the networks 128.138.243.0, 128.138.204.0,
- and 128.138.242.0). Of those networks, only 128.138.204.0
- has an explicit netmask (in CIDR notation) indicating it
- is a class C network. For the other networks in _\bC_\bS_\bN_\bE_\bT_\bS,
- the local machine's netmask will be used during matching.
- lisa CUNETS = ALL
- The user l\bli\bis\bsa\ba may run any command on any host in the
- _\bC_\bU_\bN_\bE_\bT_\bS alias (the class B network 128.138.0.0).
+1.7 January 21, 2008 18
- operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
- sudoedit /etc/printcap, /usr/oper/bin/
- The o\bop\bpe\ber\bra\bat\bto\bor\br user may run commands limited to simple main-
- tenance. Here, those are commands related to backups,
- killing processes, the printing system, shutting down the
- system, and any commands in the directory _\b/_\bu_\bs_\br_\b/_\bo_\bp_\be_\br_\b/_\bb_\bi_\bn_\b/.
- joe ALL = /usr/bin/su operator
-
- The user j\bjo\boe\be may only _\bs_\bu(1) to operator.
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-1.7 December 10, 2007 21
+ The user j\bja\bac\bck\bk may run any command on the machines in the _\bC_\bS_\bN_\bE_\bT_\bS alias
+ (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of
+ those networks, only 128.138.204.0 has an explicit netmask (in CIDR
+ notation) indicating it is a class C network. For the other networks
+ in _\bC_\bS_\bN_\bE_\bT_\bS, the local machine's netmask will be used during matching.
+ lisa CUNETS = ALL
+ The user l\bli\bis\bsa\ba may run any command on any host in the _\bC_\bU_\bN_\bE_\bT_\bS alias (the
+ class B network 128.138.0.0).
+ operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
+ sudoedit /etc/printcap, /usr/oper/bin/
+ The o\bop\bpe\ber\bra\bat\bto\bor\br user may run commands limited to simple maintenance.
+ Here, those are commands related to backups, killing processes, the
+ printing system, shutting down the system, and any commands in the
+ directory _\b/_\bu_\bs_\br_\b/_\bo_\bp_\be_\br_\b/_\bb_\bi_\bn_\b/.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ joe ALL = /usr/bin/su operator
+ The user j\bjo\boe\be may only _\bs_\bu(1) to operator.
pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root
- The user p\bpe\bet\bte\be is allowed to change anyone's password
- except for root on the _\bH_\bP_\bP_\bA machines. Note that this
- assumes _\bp_\ba_\bs_\bs_\bw_\bd(1) does not take multiple usernames on the
- command line.
+ The user p\bpe\bet\bte\be is allowed to change anyone's password except for root on
+ the _\bH_\bP_\bP_\bA machines. Note that this assumes _\bp_\ba_\bs_\bs_\bw_\bd(1) does not take mul-
+ tiple usernames on the command line.
bob SPARC = (OP) ALL : SGI = (OP) ALL
- The user b\bbo\bob\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI
- machines as any user listed in the _\bO_\bP Runas_Alias (r\bro\boo\bot\bt
- and o\bop\bpe\ber\bra\bat\bto\bor\br).
+ The user b\bbo\bob\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI machines as any user
+ listed in the _\bO_\bP Runas_Alias (r\bro\boo\bot\bt and o\bop\bpe\ber\bra\bat\bto\bor\br).
jim +biglab = ALL
- The user j\bji\bim\bm may run any command on machines in the _\bb_\bi_\bg_\bl_\ba_\bb
- netgroup. s\bsu\bud\bdo\bo knows that "biglab" is a netgroup due to
- the '+' prefix.
+ The user j\bji\bim\bm may run any command on machines in the _\bb_\bi_\bg_\bl_\ba_\bb netgroup.
+ s\bsu\bud\bdo\bo knows that "biglab" is a netgroup due to the '+' prefix.
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
- Users in the s\bse\bec\bcr\bre\bet\bta\bar\bri\bie\bes\bs netgroup need to help manage the
- printers as well as add and remove users, so they are
- allowed to run those commands on all machines.
+ Users in the s\bse\bec\bcr\bre\bet\bta\bar\bri\bie\bes\bs netgroup need to help manage the printers as
+ well as add and remove users, so they are allowed to run those commands
+ on all machines.
fred ALL = (DB) NOPASSWD: ALL
- The user f\bfr\bre\bed\bd can run commands as any user in the _\bD_\bB
- Runas_Alias (o\bor\bra\bac\bcl\ble\be or s\bsy\byb\bba\bas\bse\be) without giving a password.
+ The user f\bfr\bre\bed\bd can run commands as any user in the _\bD_\bB Runas_Alias (o\bor\bra\ba-\b-
+ c\bcl\ble\be or s\bsy\byb\bba\bas\bse\be) without giving a password.
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
- On the _\bA_\bL_\bP_\bH_\bA machines, user j\bjo\boh\bhn\bn may su to anyone except
- root but he is not allowed to give _\bs_\bu(1) any flags.
+ On the _\bA_\bL_\bP_\bH_\bA machines, user j\bjo\boh\bhn\bn may su to anyone except root but he is
+ not allowed to give _\bs_\bu(1) any flags.
- jen ALL, !SERVERS = ALL
- The user j\bje\ben\bn may run any command on any machine except for
- those in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias (master, mail, www and
- ns).
- jill SERVERS = /usr/bin/, !SU, !SHELLS
+1.7 January 21, 2008 19
- For any machine in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, j\bji\bil\bll\bl may run
- any commands in the directory _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/ except for those
- commands belonging to the _\bS_\bU and _\bS_\bH_\bE_\bL_\bL_\bS Cmnd_Aliases.
- steve CSNETS = (operator) /usr/local/op_commands/
- The user s\bst\bte\bev\bve\be may run any command in the directory
- /usr/local/op_commands/ but only as user operator.
-
- matt valkyrie = KILL
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-1.7 December 10, 2007 22
+ jen ALL, !SERVERS = ALL
+ The user j\bje\ben\bn may run any command on any machine except for those in the
+ _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias (master, mail, www and ns).
+ jill SERVERS = /usr/bin/, !SU, !SHELLS
+ For any machine in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, j\bji\bil\bll\bl may run any commands in
+ the directory _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/ except for those commands belonging to the _\bS_\bU
+ and _\bS_\bH_\bE_\bL_\bL_\bS Cmnd_Aliases.
+ steve CSNETS = (operator) /usr/local/op_commands/
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ The user s\bst\bte\bev\bve\be may run any command in the directory /usr/local/op_com-
+ mands/ but only as user operator.
+ matt valkyrie = KILL
- On his personal workstation, valkyrie, m\bma\bat\btt\bt needs to be
- able to kill hung processes.
+ On his personal workstation, valkyrie, m\bma\bat\btt\bt needs to be able to kill
+ hung processes.
WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
- On the host www, any user in the _\bW_\bE_\bB_\bM_\bA_\bS_\bT_\bE_\bR_\bS User_Alias
- (will, wendy, and wim), may run any command as user www
- (which owns the web pages) or simply _\bs_\bu(1) to www.
+ On the host www, any user in the _\bW_\bE_\bB_\bM_\bA_\bS_\bT_\bE_\bR_\bS User_Alias (will, wendy,
+ and wim), may run any command as user www (which owns the web pages) or
+ simply _\bs_\bu(1) to www.
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
/sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
- Any user may mount or unmount a CD-ROM on the machines in
- the CDROM Host_Alias (orion, perseus, hercules) without
- entering a password. This is a bit tedious for users to
- type, so it is a prime candidate for encapsulating in a
- shell script.
+ Any user may mount or unmount a CD-ROM on the machines in the CDROM
+ Host_Alias (orion, perseus, hercules) without entering a password.
+ This is a bit tedious for users to type, so it is a prime candidate for
+ encapsulating in a shell script.
S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
- It is generally not effective to "subtract" commands from
- ALL using the '!' operator. A user can trivially circum-
- vent this by copying the desired command to a different
- name and then executing that. For example:
+ It is generally not effective to "subtract" commands from ALL using the
+ '!' operator. A user can trivially circumvent this by copying the
+ desired command to a different name and then executing that. For exam-
+ ple:
bill ALL = ALL, !SU, !SHELLS
- Doesn't really prevent b\bbi\bil\bll\bl from running the commands
- listed in _\bS_\bU or _\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those com-
- mands to a different name, or use a shell escape from an
- editor or other program. Therefore, these kind of
- restrictions should be considered advisory at best (and
- reinforced by policy).
+ Doesn't really prevent b\bbi\bil\bll\bl from running the commands listed in _\bS_\bU or
+ _\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those commands to a different name, or
+ use a shell escape from an editor or other program. Therefore, these
+ kind of restrictions should be considered advisory at best (and rein-
+ forced by policy).
P\bPR\bRE\bEV\bVE\bEN\bNT\bTI\bIN\bNG\bG S\bSH\bHE\bEL\bLL\bL E\bES\bSC\bCA\bAP\bPE\bES\bS
- Once s\bsu\bud\bdo\bo executes a program, that program is free to do
- whatever it pleases, including run other programs. This
- can be a security issue since it is not uncommon for a
- program to allow shell escapes, which lets a user bypass
- s\bsu\bud\bdo\bo's access control and logging. Common programs that
- permit shell escapes include shells (obviously), editors,
- paginators, mail and terminal programs.
-
- There are two basic approaches to this problem:
-
- restrict Avoid giving users access to commands that allow
- the user to run arbitrary commands. Many edi-
- tors have a restricted mode where shell escapes
- are disabled, though s\bsu\bud\bdo\boe\bed\bdi\bit\bt is a better solu-
- tion to running editors via s\bsu\bud\bdo\bo. Due to the
- large number of programs that offer shell
- escapes, restricting users to the set of pro-
- grams that do not if often unworkable.
+ Once s\bsu\bud\bdo\bo executes a program, that program is free to do whatever it
+ pleases, including run other programs. This can be a security issue
+ since it is not uncommon for a program to allow shell escapes, which
+ lets a user bypass s\bsu\bud\bdo\bo's access control and logging. Common programs
- noexec Many systems that support shared libraries have
-
-1.7 December 10, 2007 23
+1.7 January 21, 2008 20
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- the ability to override default library func-
- tions by pointing an environment variable (usu-
- ally LD_PRELOAD) to an alternate shared library.
- On such systems, s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality can
- be used to prevent a program run by s\bsu\bud\bdo\bo from
- executing any other programs. Note, however,
- that this applies only to native dynamically-
- linked executables. Statically-linked executa-
- bles and foreign executables running under
- binary emulation are not affected.
+ that permit shell escapes include shells (obviously), editors, pagina-
+ tors, mail and terminal programs.
+
+ There are two basic approaches to this problem:
- To tell whether or not s\bsu\bud\bdo\bo supports _\bn_\bo_\be_\bx_\be_\bc, you
- can run the following as root:
+ restrict Avoid giving users access to commands that allow the user to
+ run arbitrary commands. Many editors have a restricted mode
+ where shell escapes are disabled, though s\bsu\bud\bdo\boe\bed\bdi\bit\bt is a better
+ solution to running editors via s\bsu\bud\bdo\bo. Due to the large num-
+ ber of programs that offer shell escapes, restricting users
+ to the set of programs that do not if often unworkable.
+
+ noexec Many systems that support shared libraries have the ability
+ to override default library functions by pointing an environ-
+ ment variable (usually LD_PRELOAD) to an alternate shared
+ library. On such systems, s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality can be
+ used to prevent a program run by s\bsu\bud\bdo\bo from executing any
+ other programs. Note, however, that this applies only to
+ native dynamically-linked executables. Statically-linked
+ executables and foreign executables running under binary emu-
+ lation are not affected.
+
+ To tell whether or not s\bsu\bud\bdo\bo supports _\bn_\bo_\be_\bx_\be_\bc, you can run the
+ following as root:
sudo -V | grep "dummy exec"
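Review bot: the typo in the "restrict" paragraph is carried over unchanged by the rewrap: "restricting users to the set of programs that do not if often unworkable" should read "is often unworkable". Since this region is being regenerated anyway, fix it in the source now rather than in a later pass.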
- If the resulting output contains a line that
- begins with:
+ If the resulting output contains a line that begins with:
File containing dummy exec functions:
- then s\bsu\bud\bdo\bo may be able to replace the exec family
- of functions in the standard library with its
- own that simply return an error. Unfortunately,
- there is no foolproof way to know whether or not
- _\bn_\bo_\be_\bx_\be_\bc will work at compile-time. _\bn_\bo_\be_\bx_\be_\bc should
- work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64
- UNIX, MacOS X, and HP-UX 11.x. It is known n\bno\bot\bt
- to work on AIX and UnixWare. _\bn_\bo_\be_\bx_\be_\bc is expected
- to work on most operating systems that support
- the LD_PRELOAD environment variable. Check your
- operating system's manual pages for the dynamic
- linker (usually ld.so, ld.so.1, dyld, dld.sl,
- rld, or loader) to see if LD_PRELOAD is sup-
- ported.
-
- To enable _\bn_\bo_\be_\bx_\be_\bc for a command, use the NOEXEC
- tag as documented in the User Specification sec-
- tion above. Here is that example again:
+ then s\bsu\bud\bdo\bo may be able to replace the exec family of functions
+ in the standard library with its own that simply return an
+ error. Unfortunately, there is no foolproof way to know
+ whether or not _\bn_\bo_\be_\bx_\be_\bc will work at compile-time. _\bn_\bo_\be_\bx_\be_\bc
+ should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX,
+ MacOS X, and HP-UX 11.x. It is known n\bno\bot\bt to work on AIX and
+ UnixWare. _\bn_\bo_\be_\bx_\be_\bc is expected to work on most operating sys-
+ tems that support the LD_PRELOAD environment variable. Check
+ your operating system's manual pages for the dynamic linker
+ (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see
+ if LD_PRELOAD is supported.
+
+ To enable _\bn_\bo_\be_\bx_\be_\bc for a command, use the NOEXEC tag as docu-
+ mented in the User Specification section above. Here is that
+ example again:
aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
- This allows user a\baa\bar\bro\bon\bn to run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and
- _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi with _\bn_\bo_\be_\bx_\be_\bc enabled. This will pre-
- vent those two commands from executing other
- commands (such as a shell). If you are unsure
- whether or not your system is capable of sup-
- porting _\bn_\bo_\be_\bx_\be_\bc you can always just try it out
- and see if it works.
+ This allows user a\baa\bar\bro\bon\bn to run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi
+ with _\bn_\bo_\be_\bx_\be_\bc enabled. This will prevent those two commands
+ from executing other commands (such as a shell). If you are
+ unsure whether or not your system is capable of supporting
+ _\bn_\bo_\be_\bx_\be_\bc you can always just try it out and see if it works.
- Note that restricting shell escapes is not a panacea.
- Programs running as root are still capable of many poten-
- tially hazardous operations (such as changing or overwrit-
- ing files) that could lead to unintended privilege
-
-1.7 December 10, 2007 24
+1.7 January 21, 2008 21
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- escalation. In the specific case of an editor, a safer
+ Note that restricting shell escapes is not a panacea. Programs running
+ as root are still capable of many potentially hazardous operations
+ (such as changing or overwriting files) that could lead to unintended
+ privilege escalation. In the specific case of an editor, a safer
approach is to give the user permission to run s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
_\br_\bs_\bh(1), _\bs_\bu(1), _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3), _\bs_\bu_\bd_\bo(1m), _\bv_\bi_\bs_\bu_\bd_\bo(8)
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
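Review bot: the SEE ALSO list above mixes section conventions: this page is SUDOERS(4) and cites sudo(1m), yet visudo is still cited as visudo(8). If the manuals are installed with the 1m/4 sections used elsewhere on this page, the visudo reference should be brought in line so the cross-reference resolves.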
- The _\bs_\bu_\bd_\bo_\be_\br_\bs file should a\bal\blw\bwa\bay\bys\bs be edited by the v\bvi\bis\bsu\bud\bdo\bo
- command which locks the file and does grammatical check-
- ing. It is imperative that _\bs_\bu_\bd_\bo_\be_\br_\bs be free of syntax
- errors since s\bsu\bud\bdo\bo will not run with a syntactically incor-
- rect _\bs_\bu_\bd_\bo_\be_\br_\bs file.
-
- When using netgroups of machines (as opposed to users), if
- you store fully qualified hostnames in the netgroup (as is
- usually the case), you either need to have the machine's
- hostname be fully qualified as returned by the hostname
- command or use the _\bf_\bq_\bd_\bn option in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs file should a\bal\blw\bwa\bay\bys\bs be edited by the v\bvi\bis\bsu\bud\bdo\bo command which
+ locks the file and does grammatical checking. It is imperative that
+ _\bs_\bu_\bd_\bo_\be_\br_\bs be free of syntax errors since s\bsu\bud\bdo\bo will not run with a syntac-
+ tically incorrect _\bs_\bu_\bd_\bo_\be_\br_\bs file.
+
+ When using netgroups of machines (as opposed to users), if you store
+ fully qualified hostnames in the netgroup (as is usually the case), you
+ either need to have the machine's hostname be fully qualified as
+ returned by the hostname command or use the _\bf_\bq_\bd_\bn option in _\bs_\bu_\bd_\bo_\be_\br_\bs.
B\bBU\bUG\bGS\bS
- If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a
- bug report at http://www.sudo.ws/sudo/bugs/
+ If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
+ http://www.sudo.ws/sudo/bugs/
S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Limited free support is available via the sudo-users mail-
- ing list, see http://www.sudo.ws/mail-
- man/listinfo/sudo-users to subscribe or search the
- archives.
+ Limited free support is available via the sudo-users mailing list, see
+ http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
+ the archives.
D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied war-
- ranties, including, but not limited to, the implied war-
- ranties of merchantability and fitness for a particular
- purpose are disclaimed. See the LICENSE file distributed
- with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for com-
- plete details.
+ s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
+ including, but not limited to, the implied warranties of merchantabil-
+ ity and fitness for a particular purpose are disclaimed. See the
+ LICENSE file distributed with s\bsu\bud\bdo\bo or
+ http://www.sudo.ws/sudo/license.html for complete details.
+
-1.7 December 10, 2007 25
+1.7 January 21, 2008 22
sudoers.ldap - sudo LDAP configuration
D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- In addition to the standard _\bs_\bu_\bd_\bo_\be_\br_\bs file, s\bsu\bud\bdo\bo may be con-
- figured via LAP. This can be especially useful for syn-
- chronizing _\bs_\bu_\bd_\bo_\be_\br_\bs in a large, distributed environment.
+ In addition to the standard _\bs_\bu_\bd_\bo_\be_\br_\bs file, s\bsu\bud\bdo\bo may be configured via
+ LAP. This can be especially useful for synchronizing _\bs_\bu_\bd_\bo_\be_\br_\bs in a
+ large, distributed environment.
Using LDAP for _\bs_\bu_\bd_\bo_\be_\br_\bs has several benefits:
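Review bot: "sudo may be configured via LAP" in the DESCRIPTION is a typo for LDAP, present on both the removed and the added lines; correct it in the source while sudoers.ldap(4) is being regenerated.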
- +\bo s\bsu\bud\bdo\bo no longer needs to read _\bs_\bu_\bd_\bo_\be_\br_\bs in its entirety.
- When LDAP is used, there are only two or three LDAP
- queries per invocation. This makes it especially fast
- and particularly usable in LDAP environments.
+ +\bo s\bsu\bud\bdo\bo no longer needs to read _\bs_\bu_\bd_\bo_\be_\br_\bs in its entirety. When LDAP is
+ used, there are only two or three LDAP queries per invocation.
+ This makes it especially fast and particularly usable in LDAP envi-
+ ronments.
+
+ +\bo s\bsu\bud\bdo\bo no longer exits if there is a typo in _\bs_\bu_\bd_\bo_\be_\br_\bs. It is not pos-
+ sible to load LDAP data into the server that does not conform to
+ the sudoers schema, so proper syntax is guaranteed. It is still
+ possible to have typos in a user or host name, but this will not
+ prevent s\bsu\bud\bdo\bo from running.
+
+ +\bo It is possible to specify per-entry options that override the
+ global default options. _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs only supports default options
+ and limited options associated with user/host/commands/aliases.
+ The syntax is complicated and can be difficult for users to under-
+ stand. Placing the options directly in the entry is more natural.
+
+ +\bo The v\bvi\bis\bsu\bud\bdo\bo program is no longer needed. v\bvi\bis\bsu\bud\bdo\bo provides locking
+ and syntax checking of the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs file. Since LDAP updates
+ are atomic, locking is no longer necessary. Because syntax is
+ checked when the data is inserted into LDAP, there is no need for a
+ specialized tool to check syntax.
+
+ Another major difference between LDAP and file-based _\bs_\bu_\bd_\bo_\be_\br_\bs is that in
+ LDAP, s\bsu\bud\bdo\bo-specific Aliases are not supported.
+
+ For the most part, there is really no need for s\bsu\bud\bdo\bo-specific Aliases.
+ Unix groups or user netgroups can be used in place of User_Aliases and
+ RunasAliases. Host netgroups can be used in place of HostAliases.
+ Since Unix groups and netgroups can also be stored in LDAP there is no
+ real need for s\bsu\bud\bdo\bo-specific aliases.
+
+ Cmnd_Aliases are not really required either since it is possible to
+ have multiple users listed in a sudoRole. Instead of defining a
+ Cmnd_Alias that is referenced by multiple users, one can create a sudo-
+ Role that contains the commands and assign multiple users to it.
- +\bo s\bsu\bud\bdo\bo no longer exits if there is a typo in _\bs_\bu_\bd_\bo_\be_\br_\bs.
- It is not possible to load LDAP data into the server
- that does not conform to the sudoers schema, so proper
- syntax is guaranteed. It is still possible to have
- typos in a user or host name, but this will not pre-
- vent s\bsu\bud\bdo\bo from running.
-
- +\bo It is possible to specify per-entry options that over-
- ride the global default options. _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs only
- supports default options and limited options associ-
- ated with user/host/commands/aliases. The syntax is
- complicated and can be difficult for users to under-
- stand. Placing the options directly in the entry is
- more natural.
-
- +\bo v\bvi\bis\bsu\bud\bdo\bo is no longer needed. v\bvi\bis\bsu\bud\bdo\bo provides locking
- and syntax checking of the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs file. Since
- LDAP updates are atomic, locking is no longer neces-
- sary. Because syntax is checked when the data is
- inserted into LDAP, there is no need for a specialized
- tool to check syntax.
-
- Another major difference between LDAP and file-based _\bs_\bu_\bd_\bo_\b-
- _\be_\br_\bs is that in LDAP, s\bsu\bud\bdo\bo-specific Aliases are not sup-
- ported.
-
- For the most part, there is really no need for s\bsu\bud\bdo\bo-spe-
- cific Aliases. Unix groups or user netgroups can be used
- in place of User_Aliases and RunasAliases. Host netgroups
- can be used in place of HostAliases. Since Unix groups
- and netgroups can also be stored in LDAP there is no real
- need for s\bsu\bud\bdo\bo-specific aliases.
+ S\bSU\bUD\bDO\bOe\ber\brs\bs L\bLD\bDA\bAP\bP c\bco\bon\bnt\bta\bai\bin\bne\ber\br
- Cmnd_Aliases are not really required either since it is
- possible to have multiple users listed in a sudoRole.
- Instead of defining a Cmnd_Alias that is referenced by
- multiple users, one can create a sudoRole that contains
- the commands and assign multiple users to it.
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs configuration is contained in the ou=SUDOers LDAP con-
+ tainer.
+ Sudo first looks for the cn=default entry in the SUDOers container. If
+ found, the multi-valued sudoOption attribute is parsed in the same
-1.7 January 20, 2008 1
+1.7 January 21, 2008 1
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- S\bSU\bUD\bDO\bOe\ber\brs\bs L\bLD\bDA\bAP\bP c\bco\bon\bnt\bta\bai\bin\bne\ber\br
-
- The _\bs_\bu_\bd_\bo_\be_\br_\bs configuration is contained in the ou=SUDOers
- LDAP container.
-
- Sudo first looks for the cn=default entry in the SUDOers
- container. If found, the multi-valued sudoOption
- attribute is parsed in the same manner as a global
- Defaults line in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. In the following example,
- the SSH_AUTH_SOCK variable will be preserved in the envi-
- ronment for all users.
+ manner as a global Defaults line in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. In the following
+ example, the SSH_AUTH_SOCK variable will be preserved in the environ-
+ ment for all users.
dn: cn=defaults,ou=SUDOers,dc=example,dc=com
objectClass: top
description: Default sudoOption's go here
sudoOption: env_keep+=SSH_AUTH_SOCK
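Review bot: the prose says sudo "first looks for the cn=default entry in the SUDOers container", but the example that follows is "dn: cn=defaults,ou=SUDOers,dc=example,dc=com"; the two spellings differ, and whichever one sudo does not search for will be silently ignored, so an administrator who copies the wrong one gets no global Defaults at all. Use one spelling in both the sentence and the DN (the reflowed "+" sentence still carries "cn=default").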
- The equivalent of a sudoer in LDAP is a sudoRole. It con-
- sists of the following components:
+ The equivalent of a sudoer in LDAP is a sudoRole. It consists of the
+ following components:
s\bsu\bud\bdo\boU\bUs\bse\ber\br
- A user name, uid (prefixed with '#'), Unix group (pre-
- fixed with a '%') or user netgroup (prefixed with a
- '+').
+ A user name, uid (prefixed with '#'), Unix group (prefixed with a
+ '%') or user netgroup (prefixed with a '+').
s\bsu\bud\bdo\boH\bHo\bos\bst\bt
- A host name, IP address, IP network, or host netgroup
- (prefixed with a '+'). The special value ALL will
- match any host.
+ A host name, IP address, IP network, or host netgroup (prefixed
+ with a '+'). The special value ALL will match any host.
s\bsu\bud\bdo\boC\bCo\bom\bmm\bma\ban\bnd\bd
- A Unix command with optional command line arguments,
- potentially including globbing characters (aka wild
- cards). The special value ALL will match any command.
- If a command is prefixed with an exclamation point
- '!', the user will be prohibited from running that
- command.
+ A Unix command with optional command line arguments, potentially
+ including globbing characters (aka wild cards). The special value
+ ALL will match any command. If a command is prefixed with an
+ exclamation point '!', the user will be prohibited from running
+ that command.
s\bsu\bud\bdo\boO\bOp\bpt\bti\bio\bon\bn
- Identical in function to the global options described
- above, but specific to the sudoRole in which it
- resides.
+ Identical in function to the global options described above, but
+ specific to the sudoRole in which it resides.
s\bsu\bud\bdo\boR\bRu\bun\bnA\bAs\bsU\bUs\bse\ber\br
- A user name or uid (prefixed with '#') that commands
- may be run as or a Unix group (prefixed with a '%') or
- user netgroup (prefixed with a '+') that contains a
- list of users that commands may be run as. The spe-
- cial value ALL will match any user.
+ A user name or uid (prefixed with '#') that commands may be run as
+ or a Unix group (prefixed with a '%') or user netgroup (prefixed
+ with a '+') that contains a list of users that commands may be run
+ as. The special value ALL will match any user.
s\bsu\bud\bdo\boR\bRu\bun\bnA\bAs\bsG\bGr\bro\bou\bup\bp
- A Unix group or gid (prefixed with '#') that commands
+ A Unix group or gid (prefixed with '#') that commands may be run
+ as. The special value ALL will match any group.
+ Each component listed above should contain a single value, but there
+ may be multiple instances of each component type. A sudoRole must con-
+ tain at least one sudoUser, sudoHost and sudoCommand.
+
+ The following example allows users in group wheel to run any command on
+ any host via s\bsu\bud\bdo\bo:
-1.7 January 20, 2008 2
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+1.7 January 21, 2008 2
- may be run as. The special value ALL will match any
- group.
- Each component listed above should contain a single value,
- but there may be multiple instances of each component
- type. A sudoRole must contain at least one sudoUser,
- sudoHost and sudoCommand.
- The following example allows users in group wheel to run
- any command on any host via s\bsu\bud\bdo\bo:
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
objectClass: top
A\bAn\bna\bat\bto\bom\bmy\by o\bof\bf L\bLD\bDA\bAP\bP s\bsu\bud\bdo\boe\ber\brs\bs l\blo\boo\bok\bku\bup\bp
- When looking up a sudoer using LDAP there are only two or
- three LDAP queries per invocation. The first query is to
- parse the global options. The second is to match against
- the user's name and the groups that the user belongs to.
- (The special ALL tag is matched in this query too.) If no
- match is returned for the user's name and groups, a third
- query returns all entries containing user netgroups and
- checks to see if the user belongs to any of them.
+ When looking up a sudoer using LDAP there are only two or three LDAP
+ queries per invocation. The first query is to parse the global
+ options. The second is to match against the user's name and the groups
+ that the user belongs to. (The special ALL tag is matched in this
+ query too.) If no match is returned for the user's name and groups, a
+ third query returns all entries containing user netgroups and checks to
+ see if the user belongs to any of them.
D\bDi\bif\bff\bfe\ber\bre\ben\bnc\bce\bes\bs b\bbe\bet\btw\bwe\bee\ben\bn L\bLD\bDA\bAP\bP a\ban\bnd\bd n\bno\bon\bn-\b-L\bLD\bDA\bAP\bP s\bsu\bud\bdo\boe\ber\brs\bs
- There are some subtle differences in the way sudoers is
- handled once in LDAP. Probably the biggest is that
- according to the RFC, LDAP ordering is arbitrary and you
- cannot expect that Attributes and Entries are returned in
- any specific order. If there are conflicting command
- rules on an entry, the negative takes precedence. This is
- called paranoid behavior (not necessarily the most spe-
- cific match).
+ There are some subtle differences in the way sudoers is handled once in
+ LDAP. Probably the biggest is that according to the RFC, LDAP ordering
+ is arbitrary and you cannot expect that Attributes and Entries are
+ returned in any specific order. If there are conflicting command rules
+ on an entry, the negative takes precedence. This is called paranoid
+ behavior (not necessarily the most specific match).
Here is an example:
# Always allows all commands because ALL is matched last
puddles ALL=(root) !/bin/sh,ALL
+ # LDAP equivalent of johnny
+ # Allows all commands except shell
+ dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
+ objectClass: sudoRole
+ objectClass: top
+ cn: role1
+ sudoUser: johnny
+ sudoHost: ALL
+ sudoCommand: ALL
+ sudoCommand: !/bin/sh
-1.7 January 20, 2008 3
+1.7 January 21, 2008 3
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- # LDAP equivalent of johnny
- # Allows all commands except shell
- dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
- objectClass: sudoRole
- objectClass: top
- cn: role1
- sudoUser: johnny
- sudoHost: ALL
- sudoCommand: ALL
- sudoCommand: !/bin/sh
+
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
# LDAP equivalent of puddles
# Notice that even though ALL comes last, it still behaves like
sudoCommand: !/bin/sh
sudoCommand: ALL
- Another difference is that negations on the Host, User or
- Runas are currently ignorred. For example, the following
- attributes do not behave the way one might expect.
+ Another difference is that negations on the Host, User or Runas are
+ currently ignorred. For example, the following attributes do not
+ behave the way one might expect.
# does not match all but joe
# rather, does not match anyone
S\bSu\bud\bdo\boe\ber\brs\bs S\bSc\bch\bhe\bem\bma\ba
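Review bot: "currently ignorred" should be "currently ignored"; the misspelling is carried unchanged into the reflowed sentence. The example comment "rather, does not match anyone" is the important part of this passage and deserves a sentence in the prose too: a negated sudoUser or sudoHost matches nothing, so such a rule fails closed rather than granting wider access, but an administrator who relies on "!" to exclude one user or host gets no exclusion at all and should express the intent with group or netgroup membership instead.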
- In order to use s\bsu\bud\bdo\bo's LDAP support, the s\bsu\bud\bdo\bo schema must
- be installed on your LDAP server. In addition, be sure to
- index the 'sudoUser' attribute.
-
- Two versions of the schema, one for OpenLDAP servers
- (_\bs_\bc_\bh_\be_\bm_\ba_\b._\bO_\bp_\be_\bn_\bL_\bD_\bA_\bP) and another for Netscape-derived servers
- (_\bs_\bc_\bh_\be_\bm_\ba_\b._\bi_\bP_\bl_\ba_\bn_\be_\bt), may be found in the s\bsu\bud\bdo\bo distribution.
+ In order to use s\bsu\bud\bdo\bo's LDAP support, the s\bsu\bud\bdo\bo schema must be installed
+ on your LDAP server. In addition, be sure to index the 'sudoUser'
+ attribute.
- The schema for s\bsu\bud\bdo\bo in OpenLDAP form is included in the
- EXAMPLES section.
+ Two versions of the schema, one for OpenLDAP servers (_\bs_\bc_\bh_\be_\bm_\ba_\b._\bO_\bp_\be_\bn_\bL_\bD_\bA_\bP)
+ and another for Netscape-derived servers (_\bs_\bc_\bh_\be_\bm_\ba_\b._\bi_\bP_\bl_\ba_\bn_\be_\bt), may be found
+ in the s\bsu\bud\bdo\bo distribution.
+ The schema for s\bsu\bud\bdo\bo in OpenLDAP form is included in the EXAMPLES sec-
+ tion.
+ C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg l\bld\bda\bap\bp.\b.c\bco\bon\bnf\bf
+ Sudo reads the _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf file for LDAP-specific configuration.
+ Typically, this file is shared amongst different LDAP-aware clients.
+ As such, most of the settings are not s\bsu\bud\bdo\bo-specific. Note that s\bsu\bud\bdo\bo
+ parses _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf itself and may support options that differ from
+ those described in the _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(4) manual.
-1.7 January 20, 2008 4
+ Also note that on systems using the OpenLDAP libraries, default values
+ specified in _\b/_\be_\bt_\bc_\b/_\bo_\bp_\be_\bn_\bl_\bd_\ba_\bp_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf or the user's _\b._\bl_\bd_\ba_\bp_\br_\bc files are
+ not used.
+1.7 January 21, 2008 4
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg l\bld\bda\bap\bp.\b.c\bco\bon\bnf\bf
- Sudo reads the _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf file for LDAP-specific con-
- figuration. Typically, this file is shared amongst dif-
- ferent LDAP-aware clients. As such, most of the settings
- are not s\bsu\bud\bdo\bo-specific. Note that s\bsu\bud\bdo\bo parses
- _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf itself and may support options that differ
- from those described in the _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(4) manual.
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- Also note that on systems using the OpenLDAP libraries,
- default values specified in _\b/_\be_\bt_\bc_\b/_\bo_\bp_\be_\bn_\bl_\bd_\ba_\bp_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf or the
- user's _\b._\bl_\bd_\ba_\bp_\br_\bc files are not used.
- Only those options explicitly listed in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf
- that are supported by s\bsu\bud\bdo\bo are honored. Configuration
- options are listed below in upper case but are parsed in a
- case-independent manner.
+ Only those options explicitly listed in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf that are sup-
+ ported by s\bsu\bud\bdo\bo are honored. Configuration options are listed below in
+ upper case but are parsed in a case-independent manner.
U\bUR\bRI\bI ldap[s]://[hostname[:port]] ...
- Specifies a whitespace-delimited list of one or more
- URIs describing the LDAP server(s) to connect to. The
- _\bp_\br_\bo_\bt_\bo_\bc_\bo_\bl may be either l\bld\bda\bap\bp or l\bld\bda\bap\bps\bs, the latter being
- for servers that support TLS (SSL) encryption. If no
- _\bp_\bo_\br_\bt is specified, the default is port 389 for ldap://
- or port 636 for ldaps://. If no _\bh_\bo_\bs_\bt_\bn_\ba_\bm_\be is speci-
- fied, s\bsu\bud\bdo\bo will connect to l\blo\boc\bca\bal\blh\bho\bos\bst\bt. Only systems
- using the OpenSSL libraries support the mixing of
- ldap:// and ldaps:// URIs. The Netscape-derived
- libraries used on most commercial versions of Unix are
- only capable of supporting one or the other.
+ Specifies a whitespace-delimited list of one or more URIs describ-
+ ing the LDAP server(s) to connect to. The _\bp_\br_\bo_\bt_\bo_\bc_\bo_\bl may be either
+ l\bld\bda\bap\bp or l\bld\bda\bap\bps\bs, the latter being for servers that support TLS (SSL)
+ encryption. If no _\bp_\bo_\br_\bt is specified, the default is port 389 for
+ ldap:// or port 636 for ldaps://. If no _\bh_\bo_\bs_\bt_\bn_\ba_\bm_\be is specified,
+ s\bsu\bud\bdo\bo will connect to l\blo\boc\bca\bal\blh\bho\bos\bst\bt. Only systems using the OpenSSL
+ libraries support the mixing of ldap:// and ldaps:// URIs. The
+ Netscape-derived libraries used on most commercial versions of Unix
+ are only capable of supporting one or the other.
H\bHO\bOS\bST\bT name[:port] ...
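Review bot: the URI paragraph says "Only systems using the OpenSSL libraries support the mixing of ldap:// and ldaps:// URIs", while every other library-specific remark on this page (TLS_CACERTFILE, TLS_CACERTDIR, TLS_RANDFILE, TLS_CIPHERS) is phrased as OpenLDAP libraries versus Netscape-derived libraries. If "OpenSSL" is a slip for "OpenLDAP", fix it in the reflowed "+" text as well; if it is deliberate, say which library combination is meant, because an administrator deciding whether a mixed URI list is safe needs to know which library is being described.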
- If no U\bUR\bRI\bI is specified, the H\bHO\bOS\bST\bT parameter specifies a
- whitespace-delimited list of LDAP servers to connect
- to. Each host may include an optional _\bp_\bo_\br_\bt separated
- by a colon (':'). The H\bHO\bOS\bST\bT parameter is deprecated in
- favor of the U\bUR\bRI\bI specification and is included for
- backwards compatibility.
+ If no U\bUR\bRI\bI is specified, the H\bHO\bOS\bST\bT parameter specifies a whitespace-
+ delimited list of LDAP servers to connect to. Each host may
+ include an optional _\bp_\bo_\br_\bt separated by a colon (':'). The H\bHO\bOS\bST\bT
+ parameter is deprecated in favor of the U\bUR\bRI\bI specification and is
+ included for backwards compatibility.
P\bPO\bOR\bRT\bT port_number
- If no U\bUR\bRI\bI is specified, the P\bPO\bOR\bRT\bT parameter specifies
- the default port to connect to on the LDAP server if a
- H\bHO\bOS\bST\bT parameter does not specify the port itself. If
- no P\bPO\bOR\bRT\bT parameter is used, the default is port 389 for
- LDAP and port 636 for LDAP over TLS (SSL). The P\bPO\bOR\bRT\bT
- parameter is deprecated in favor of the U\bUR\bRI\bI specifica-
- tion and is included for backwards compatibility.
+ If no U\bUR\bRI\bI is specified, the P\bPO\bOR\bRT\bT parameter specifies the default
+ port to connect to on the LDAP server if a H\bHO\bOS\bST\bT parameter does not
+ specify the port itself. If no P\bPO\bOR\bRT\bT parameter is used, the default
+ is port 389 for LDAP and port 636 for LDAP over TLS (SSL). The
+ P\bPO\bOR\bRT\bT parameter is deprecated in favor of the U\bUR\bRI\bI specification and
+ is included for backwards compatibility.
B\bBI\bIN\bND\bD_\b_T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT seconds
- The B\bBI\bIN\bND\bD_\b_T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT parameter specifies the amount of
- time, in seconds, to wait while trying to connect to
- an LDAP server. If multiple U\bUR\bRI\bIs or H\bHO\bOS\bST\bTs are speci-
- fied, this is the amount of time to wait before trying
- the next one in the list.
+ The B\bBI\bIN\bND\bD_\b_T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT parameter specifies the amount of time, in sec-
+ onds, to wait while trying to connect to an LDAP server. If multi-
+ ple U\bUR\bRI\bIs or H\bHO\bOS\bST\bTs are specified, this is the amount of time to wait
+ before trying the next one in the list.
+ T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT seconds
+ The T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT parameter specifies the amount of time, in seconds,
+ to wait for a response to an LDAP query.
+ S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_B\bBA\bAS\bSE\bE base
+ The base DN to use when performing s\bsu\bud\bdo\bo LDAP queries. Typically
+ this is of the form ou=SUDOers,dc=example,dc=com for the domain
+ example.com.
-1.7 January 20, 2008 5
+ S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_D\bDE\bEB\bBU\bUG\bG debug_level
+ This sets the debug level for s\bsu\bud\bdo\bo LDAP queries. Debugging infor-
+ mation is printed to the standard error. A value of 1 results in a
+ moderate amount of debugging information. A value of 2 shows the
+ results of the matches themselves. This parameter should not be
+ set in a production environment as the extra information is likely
+ to confuse users.
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+1.7 January 21, 2008 5
- T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT seconds
- The T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT parameter specifies the amount of time,
- in seconds, to wait for a response to an LDAP query.
- S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_B\bBA\bAS\bSE\bE base
- The base DN to use when performing s\bsu\bud\bdo\bo LDAP queries.
- Typically this is of the form ou=SUDOers,dc=exam-
- ple,dc=com for the domain example.com.
- S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_D\bDE\bEB\bBU\bUG\bG debug_level
- This sets the debug level for s\bsu\bud\bdo\bo LDAP queries.
- Debugging information is printed to the standard
- error. A value of 1 results in a moderate amount of
- debugging information. A value of 2 shows the results
- of the matches themselves. This parameter should not
- be set in a production environment as the extra infor-
- mation is likely to confuse users.
+
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
B\bBI\bIN\bND\bDD\bDN\bN DN
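Review bot: the reason given for not setting SUDOERS_DEBUG in production, that "the extra information is likely to confuse users", understates the issue: the output goes to the standard error of the invoking user, and at level 2 it "shows the results of the matches themselves", i.e. it discloses which sudoRole entries were considered for that user. Suggest saying that the setting reveals policy detail to unprivileged users and belongs only in a test environment, which is a stronger reason than confusion.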
- The B\bBI\bIN\bND\bDD\bDN\bN parameter specifies the identity, in the
- form of a Distinguished Name (DN), to use when per-
- forming LDAP operations. If not specified, LDAP oper-
- ations are performed with an anonymous identity. By
- default, most LDAP servers will allow anonymous
+ The B\bBI\bIN\bND\bDD\bDN\bN parameter specifies the identity, in the form of a Dis-
+ tinguished Name (DN), to use when performing LDAP operations. If
+ not specified, LDAP operations are performed with an anonymous
+ identity. By default, most LDAP servers will allow anonymous
access.
B\bBI\bIN\bND\bDP\bPW\bW secret
- The B\bBI\bIN\bND\bDP\bPW\bW parameter specifies the password to use
- when performing LDAP operations. This is typically
- used in conjunction with the B\bBI\bIN\bND\bDD\bDN\bN parameter.
+ The B\bBI\bIN\bND\bDP\bPW\bW parameter specifies the password to use when performing
+ LDAP operations. This is typically used in conjunction with the
+ B\bBI\bIN\bND\bDD\bDN\bN parameter.
R\bRO\bOO\bOT\bTB\bBI\bIN\bND\bDD\bDN\bN DN
- The R\bRO\bOO\bOT\bTB\bBI\bIN\bND\bDD\bDN\bN parameter specifies the identity, in
- the form of a Distinguished Name (DN), to use when
- performing privileged LDAP operations, such as _\bs_\bu_\bd_\bo_\be_\br_\bs
- queries. The password corresponding to the identity
- should be stored in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bs_\be_\bc_\br_\be_\bt. If not speci-
+ The R\bRO\bOO\bOT\bTB\bBI\bIN\bND\bDD\bDN\bN parameter specifies the identity, in the form of a
+ Distinguished Name (DN), to use when performing privileged LDAP
+ operations, such as _\bs_\bu_\bd_\bo_\be_\br_\bs queries. The password corresponding to
+ the identity should be stored in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bs_\be_\bc_\br_\be_\bt. If not speci-
fied, the B\bBI\bIN\bND\bDD\bDN\bN identity is used (if any).
L\bLD\bDA\bAP\bP_\b_V\bVE\bER\bRS\bSI\bIO\bON\bN number
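Review bot: BINDPW puts a cleartext password into /etc/ldap.conf, which the "Configuring ldap.conf" section describes as a file "shared amongst different LDAP-aware clients", whereas ROOTBINDDN keeps its password in the separate /etc/ldap.secret. The entries should say plainly which identity sudo uses for its sudoers queries (the ROOTBINDDN wording "privileged LDAP operations, such as sudoers queries" suggests it is ROOTBINDDN when set) and note that /etc/ldap.secret must be readable only by root; without that, splitting the password out of the shared file achieves nothing.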
- The version of the LDAP protocol to use when connect-
- ing to the server. The default value is protocol ver-
- sion 3.
+ The version of the LDAP protocol to use when connecting to the
+ server. The default value is protocol version 3.
S\bSS\bSL\bL on/true/yes/off/false/no
- If the S\bSS\bSL\bL parameter is set to on, true or yes, TLS
- (SSL) encryption is always used when communicating
- with the LDAP server. Typically, this involves con-
- necting to the server on port 636 (ldaps).
+ If the S\bSS\bSL\bL parameter is set to on, true or yes, TLS (SSL) encryp-
+ tion is always used when communicating with the LDAP server. Typi-
+ cally, this involves connecting to the server on port 636 (ldaps).
S\bSS\bSL\bL start_tls
- If the S\bSS\bSL\bL parameter is set to start_tls, the LDAP
- server connection is initiated normally and TLS
- encryption is begun before the bind credentials are
+ If the S\bSS\bSL\bL parameter is set to start_tls, the LDAP server connec-
+ tion is initiated normally and TLS encryption is begun before the
+ bind credentials are sent. This has the advantage of not requiring
+ a dedicated port for encrypted communications. This parameter is
+ only supported by LDAP servers that honor the start_tls extension,
+ such as the OpenLDAP server.
+ T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR on/true/yes/off/false/no
+ If enabled, T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR will cause the LDAP server's TLS certifi-
+ cated to be verified. If the server's TLS certificate cannot be
+ verified (usually because it is signed by an unknown certificate
+ authority), s\bsu\bud\bdo\bo will be unable to connect to it. If T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR
+ is disabled, no check is made.
+ T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE file name
+ The path to a certificate authority bundle which contains the cer-
+ tificates for all the Certificate Authorities the client knows to
+ be valid, e.g. _\b/_\be_\bt_\bc_\b/_\bs_\bs_\bl_\b/_\bc_\ba_\b-_\bb_\bu_\bn_\bd_\bl_\be_\b._\bp_\be_\bm. This option is only sup-
+ ported by the OpenLDAP libraries.
-1.7 January 20, 2008 6
+ T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTD\bDI\bIR\bR directory
+ Similar to T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE but instead of a file, it is a directory
+ containing individual Certificate Authority certificates, e.g.
+ _\b/_\be_\bt_\bc_\b/_\bs_\bs_\bl_\b/_\bc_\be_\br_\bt_\bs. The directory specified by T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTD\bDI\bIR\bR is
+ checked after T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE. This option is only supported by the
+1.7 January 21, 2008 6
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- sent. This has the advantage of not requiring a dedi-
- cated port for encrypted communications. This parame-
- ter is only supported by LDAP servers that honor the
- start_tls extension, such as the OpenLDAP server.
- T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR on/true/yes/off/false/no
- If enabled, T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR will cause the LDAP server's
- TLS certificated to be verified. If the server's TLS
- certificate cannot be verified (usually because it is
- signed by an unknown certificate authority), s\bsu\bud\bdo\bo will
- be unable to connect to it. If T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR is dis-
- abled, no check is made.
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE file name
- The path to a certificate authority bundle which con-
- tains the certificates for all the Certificate Author-
- ities the client knows to be valid, e.g.
- _\b/_\be_\bt_\bc_\b/_\bs_\bs_\bl_\b/_\bc_\ba_\b-_\bb_\bu_\bn_\bd_\bl_\be_\b._\bp_\be_\bm. This option is only supported
- by the OpenLDAP libraries.
- T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTD\bDI\bIR\bR directory
- Similar to T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE but instead of a file, it is
- a directory containing individual Certificate Author-
- ity certificates, e.g. _\b/_\be_\bt_\bc_\b/_\bs_\bs_\bl_\b/_\bc_\be_\br_\bt_\bs. The directory
- specified by T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTD\bDI\bIR\bR is checked after T\bTL\bLS\bS_\b_C\bCA\bAC\bC-\b-
- E\bER\bRT\bTF\bFI\bIL\bLE\bE. This option is only supported by the OpenL-
- DAP libraries.
+ OpenLDAP libraries.
T\bTL\bLS\bS_\b_C\bCE\bER\bRT\bT file name
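Review bot: "TLS certificated to be verified" should read "TLS certificate to be verified" in both the old and the reflowed paragraph. The closing sentence "If TLS_CHECKPEER is disabled, no check is made" also needs one more clause: with peer checking off, sudo accepts whatever certificate the server presents, so the policy it enforces could come from a host other than the intended LDAP server. Pointing the reader at TLS_CACERTFILE/TLS_CACERTDIR as the remedy for the "signed by an unknown certificate authority" case would be more useful than describing only the failure.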
- The path to a file containing the client certificate
- which can be used to authenticate the client to the
- LDAP server. The certificate type depends on the LDAP
- libraries used.
+ The path to a file containing the client certificate which can be
+ used to authenticate the client to the LDAP server. The certifi-
+ cate type depends on the LDAP libraries used.
OpenLDAP:
tls_cert /etc/ssl/client_cert.pem
Netscape-derived:
tls_cert /var/ldap/cert7.db
- When using Netscape-derived libraries, this file may
- also contain Certificate Authority certificates.
+ When using Netscape-derived libraries, this file may also contain
+ Certificate Authority certificates.
T\bTL\bLS\bS_\b_K\bKE\bEY\bY file name
- The path to a file containing the private key which
- matches the certificate specified by T\bTL\bLS\bS_\b_C\bCE\bER\bRT\bT. The
- private key must not be password-protected. The key
- type depends on the LDAP libraries used.
+ The path to a file containing the private key which matches the
+ certificate specified by T\bTL\bLS\bS_\b_C\bCE\bER\bRT\bT. The private key must not be
+ password-protected. The key type depends on the LDAP libraries
+ used.
OpenLDAP:
tls_cert /etc/ssl/client_key.pem
Netscape-derived:
tls_cert /var/ldap/key3.db
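Review bot: the two example lines under TLS_KEY ("tls_cert /etc/ssl/client_key.pem" and "tls_cert /var/ldap/key3.db") use the tls_cert keyword for what the paragraph calls the TLS_KEY parameter; they are unchanged context here but look like a copy-paste from the TLS_CERT entry and should presumably read tls_key. Since the same paragraph says "The private key must not be password-protected", it is worth adding that the key file therefore needs restrictive permissions, as it is the only thing standing between a local reader and the client identity.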
-
-
-1.7 January 20, 2008 7
-
-
-
-
-
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
T\bTL\bLS\bS_\b_R\bRA\bAN\bND\bDF\bFI\bIL\bLE\bE file name
- The T\bTL\bLS\bS_\b_R\bRA\bAN\bND\bDF\bFI\bIL\bLE\bE parameter specifies the path to an
- entropy source for systems that lack a random device.
- It is generally used in conjunction with _\bp_\br_\bn_\bg_\bd or _\be_\bg_\bd.
- This option is only supported by the OpenLDAP
- libraries.
+ The T\bTL\bLS\bS_\b_R\bRA\bAN\bND\bDF\bFI\bIL\bLE\bE parameter specifies the path to an entropy source
+ for systems that lack a random device. It is generally used in
+ conjunction with _\bp_\br_\bn_\bg_\bd or _\be_\bg_\bd. This option is only supported by
+ the OpenLDAP libraries.
T\bTL\bLS\bS_\b_C\bCI\bIP\bPH\bHE\bER\bRS\bS cipher list
- The T\bTL\bLS\bS_\b_C\bCI\bIP\bPH\bHE\bER\bRS\bS parameter allows the administer to
- restrict which encryption algorithms may be used for
- TLS (SSL) connections. See the OpenSSL manual for a
- list of valid ciphers. This option is only supported
- by the OpenLDAP libraries.
+ The T\bTL\bLS\bS_\b_C\bCI\bIP\bPH\bHE\bER\bRS\bS parameter allows the administer to restrict which
+ encryption algorithms may be used for TLS (SSL) connections. See
+ the OpenSSL manual for a list of valid ciphers. This option is
+ only supported by the OpenLDAP libraries.
U\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL on/true/yes/off/false/no
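Review bot: "allows the administer to restrict" should be "allows the administrator to restrict"; the typo survives into the reflowed TLS_CIPHERS paragraph.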
- Enable U\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL for LDAP servers that support SASL
- authentication.
+ Enable U\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL for LDAP servers that support SASL authentication.
S\bSA\bAS\bSL\bL_\b_A\bAU\bUT\bTH\bH_\b_I\bID\bD identity
- The SASL user name to use when connecting to the LDAP
- server. By default, s\bsu\bud\bdo\bo will use an anonymous con-
- nection.
+ The SASL user name to use when connecting to the LDAP server. By
+ default, s\bsu\bud\bdo\bo will use an anonymous connection.
R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL on/true/yes/off/false/no
- Enable R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL to enable SASL authentication when
- connecting to an LDAP server from a privileged pro-
- cess, such as s\bsu\bud\bdo\bo.
+ Enable R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL to enable SASL authentication when connecting
+ to an LDAP server from a privileged process, such as s\bsu\bud\bdo\bo.
R\bRO\bOO\bOT\bTS\bSA\bAS\bSL\bL_\b_A\bAU\bUT\bTH\bH_\b_I\bID\bD identity
- The SASL user name to use when R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL is
- enabled.
+ The SASL user name to use when R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL is enabled.
- S\bSA\bAS\bSL\bL_\b_S\bSE\bEC\bCP\bPR\bRO\bOP\bPS\bS none/properties
- SASL security properties or _\bn_\bo_\bn_\be for no properties.
- See the SASL programmer's manual for details.
- K\bKR\bRB\bB5\b5_\b_C\bCC\bCN\bNA\bAM\bME\bE file name
- The path to the Kerberos 5 credential cache to use
- when authenticating with the remote server.
- See the ldap.conf entry in the EXAMPLES section.
- C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg n\bns\bss\bsw\bwi\bit\btc\bch\bh.\b.c\bco\bon\bnf\bf
+1.7 January 21, 2008 7
- Sudo consults the Name Service Switch file, _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\b-
- _\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf, to specify the _\bs_\bu_\bd_\bo_\be_\br_\bs search order. Sudo
- looks for a line beginning with sudoers: and uses this to
- determine the search order. Note that s\bsu\bud\bdo\bo does not stop
- searching after the first match and later matches take
- precedence over earlier ones.
-
- The following sources are recognized:
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-1.7 January 20, 2008 8
+ S\bSA\bAS\bSL\bL_\b_S\bSE\bEC\bCP\bPR\bRO\bOP\bPS\bS none/properties
+ SASL security properties or _\bn_\bo_\bn_\be for no properties. See the SASL
+ programmer's manual for details.
+ K\bKR\bRB\bB5\b5_\b_C\bCC\bCN\bNA\bAM\bME\bE file name
+ The path to the Kerberos 5 credential cache to use when authenti-
+ cating with the remote server.
+ See the ldap.conf entry in the EXAMPLES section.
+ C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg n\bns\bss\bsw\bwi\bit\btc\bch\bh.\b.c\bco\bon\bnf\bf
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+ Sudo consults the Name Service Switch file, _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf, to
+ specify the _\bs_\bu_\bd_\bo_\be_\br_\bs search order. Sudo looks for a line beginning with
+ sudoers: and uses this to determine the search order. Note that s\bsu\bud\bdo\bo
+ does not stop searching after the first match and later matches take
+ precedence over earlier ones.
+ The following sources are recognized:
files read sudoers from F</etc/sudoers>
ldap read sudoers from LDAP
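Review bot: "files read sudoers from F</etc/sudoers>" carries a raw POD F<...> formatting code into the rendered page; the "ldap" entry beside it is plain text, so this is most likely a verbatim block in the .pod source where formatting codes are not interpreted. Replace it with plain /etc/sudoers.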
- In addition, the entry [NOTFOUND=return] will short-cir-
- cuit the search if the user was not found in the preceding
- source.
+ In addition, the entry [NOTFOUND=return] will short-circuit the search
+ if the user was not found in the preceding source.
- To consult LDAP first followed by the local sudoers file
- (if it exists), use:
+ To consult LDAP first followed by the local sudoers file (if it
+ exists), use:
sudoers: ldap files
sudoers: ldap
- If the _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf file is not present or there is
- no sudoers line, the following default is assumed:
+ If the _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf file is not present or there is no sudoers
+ line, the following default is assumed:
sudoers: files
- Note that _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf is supported even when the
- underlying operating system does not use an nsswitch.conf
- file.
+ Note that _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf is supported even when the underlying
+ operating system does not use an nsswitch.conf file.
F\bFI\bIL\bLE\bES\bS
_\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf LDAP configuration file
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-1.7 January 20, 2008 9
+1.7 January 21, 2008 8
-1.7 January 20, 2008 10
+1.7 January 21, 2008 9
S\bSu\bud\bdo\bo s\bsc\bch\bhe\bem\bma\ba f\bfo\bor\br O\bOp\bpe\ben\bnL\bLD\bDA\bAP\bP
- The following schema is in OpenLDAP format. Simply copy
- it to the schema directory (e.g. _\b/_\be_\bt_\bc_\b/_\bo_\bp_\be_\bn_\bl_\bd_\ba_\bp_\b/_\bs_\bc_\bh_\be_\bm_\ba),
- add the proper include line in slapd.conf and restart
- s\bsl\bla\bap\bpd\bd.
-
-
-
-
-
+ The following schema is in OpenLDAP format. Simply copy it to the
+ schema directory (e.g. _\b/_\be_\bt_\bc_\b/_\bo_\bp_\be_\bn_\bl_\bd_\ba_\bp_\b/_\bs_\bc_\bh_\be_\bm_\ba), add the proper include
+ line in slapd.conf and restart s\bsl\bla\bap\bpd\bd.
+ attributetype ( 1.3.6.1.4.1.15953.9.1.1
+ NAME 'sudoUser'
+ DESC 'User(s) who may run sudo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-1.7 January 20, 2008 11
+1.7 January 21, 2008 10
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- attributetype ( 1.3.6.1.4.1.15953.9.1.1
- NAME 'sudoUser'
- DESC 'User(s) who may run sudo'
- EQUALITY caseExactIA5Match
- SUBSTR caseExactIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
attributetype ( 1.3.6.1.4.1.15953.9.1.2
NAME 'sudoHost'
DESC 'Host(s) who may run sudo'
sudoRunAsGroup $ sudoOption $ description )
)
+ X\bXX\bXX\bX n\bns\bss\bsw\bwi\bit\btc\bch\bh.\b.c\bco\bon\bnf\bf e\bex\bxa\bam\bmp\bpl\ble\be?\b?
+ X\bXX\bXX\bX m\bmo\bor\bre\be e\bex\bxh\bha\bau\bus\bst\bti\biv\bve\be s\bsu\bud\bdo\boe\ber\brs\bs l\bld\bdi\bif\bf e\bex\bxa\bam\bmp\bpl\ble\be?\b?
-
-
-1.7 January 20, 2008 12
+S\bSE\bEE\bE A\bAL\bLS\bSO\bO
+ _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(4), _\bs_\bu_\bd_\bo_\be_\br_\bs(5)
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+1.7 January 21, 2008 11
- X\bXX\bXX\bX n\bns\bss\bsw\bwi\bit\btc\bch\bh.\b.c\bco\bon\bnf\bf e\bex\bxa\bam\bmp\bpl\ble\be?\b?
- X\bXX\bXX\bX m\bmo\bor\bre\be e\bex\bxh\bha\bau\bus\bst\bti\biv\bve\be s\bsu\bud\bdo\boe\ber\brs\bs l\bld\bdi\bif\bf e\bex\bxa\bam\bmp\bpl\ble\be?\b?
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(4), _\bs_\bu_\bd_\bo_\be_\br_\bs(5)
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
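Review bot: the two placeholder lines `XXX nsswitch.conf example?` and `XXX more exhaustive sudoers ldif example?` are carried over verbatim from the old rendering into the new one, immediately before SEE ALSO. They are author TODO markers, not documentation; either resolve them (add the nsswitch.conf and LDIF examples) or drop them before this man page ships, since as rendered they tell the reader nothing about how to configure the LDAP lookup.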
- The way that _\bs_\bu_\bd_\bo_\be_\br_\bs is parsed differs between Note that
- there are differences in the way that LDAP-based _\bs_\bu_\bd_\bo_\be_\br_\bs
- is parsed compared to file-based _\bs_\bu_\bd_\bo_\be_\br_\bs. See the "Dif-
- ferences between LDAP and non-LDAP sudoers" section for
- more information.
+ The way that _\bs_\bu_\bd_\bo_\be_\br_\bs is parsed differs between Note that there are dif-
+ ferences in the way that LDAP-based _\bs_\bu_\bd_\bo_\be_\br_\bs is parsed compared to file-
+ based _\bs_\bu_\bd_\bo_\be_\br_\bs. See the "Differences between LDAP and non-LDAP sudoers"
+ section for more information.
B\bBU\bUG\bGS\bS
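Review bot: the CAVEATS paragraph is garbled on both sides of the diff and the rewrap preserved the garbling: it opens `The way that sudoers is parsed differs between Note that there are dif-` / `ferences in the way that LDAP-based sudoers is parsed compared to file-`, i.e. a dangling "differs between" fragment fused onto the start of the older sentence. This paragraph is the section's one warning that LDAP-based and file-based sudoers are parsed differently, so it should read cleanly; suggest dropping the leading fragment so the paragraph starts at "Note that there are differences in the way that LDAP-based sudoers is parsed compared to file-based sudoers." and keeps the pointer to the "Differences between LDAP and non-LDAP sudoers" section.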
- If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a
- bug report at http://www.sudo.ws/sudo/bugs/
+ If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
+ http://www.sudo.ws/sudo/bugs/
S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Limited free support is available via the sudo-users mail-
- ing list, see http://www.sudo.ws/mail-
- man/listinfo/sudo-users to subscribe or search the
- archives.
+ Limited free support is available via the sudo-users mailing list, see
+ http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
+ the archives.
D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied war-
- ranties, including, but not limited to, the implied war-
- ranties of merchantability and fitness for a particular
- purpose are disclaimed. See the LICENSE file distributed
- with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for com-
- plete details.
+ s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
+ including, but not limited to, the implied warranties of merchantabil-
+ ity and fitness for a particular purpose are disclaimed. See the
+ LICENSE file distributed with s\bsu\bud\bdo\bo or
+ http://www.sudo.ws/sudo/license.html for complete details.
+
+
+
+
+
+
+
+
+
+
+
+
-1.7 January 20, 2008 13
+1.7 January 21, 2008 12