shell-style wildcards (see the Wildcards section below), but unless the
host name command on your machine returns the fully qualified host
name, you'll need to use the _\bf_\bq_\bd_\bn option for wildcards to be useful.
+ Note s\bsu\bud\bdo\bo only inspects actual network interfaces; this means that IP
+ address 127.0.0.1 (localhost) will never match. Also, the host name
+ "localhost" will only match if that is the actual host name, which is
+ usually only the case for non-networked systems.
Cmnd_List ::= Cmnd |
Cmnd ',' Cmnd_List
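Review bot: the four added lines beginning "Note sudo only inspects actual network interfaces" have no matching removed lines anywhere in this hunk, whereas every later hunk in the diff pairs a removed block with a verbatim re-add on the other side of a page header. Please confirm this paragraph was simply carried across a page break from the preceding page rather than newly introduced; if it is new wording about 127.0.0.1 and "localhost" host matching, that is a real documentation change and should be called out in the commit description instead of being buried among repagination hunks.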
to permit a user to run s\bsu\bud\bdo\bo with the -\b-e\be option (or as s\bsu\bud\bdo\boe\bed\bdi\bit\bt). It
may take command line arguments just as a normal command does.
- D\bDe\bef\bfa\bau\bul\blt\bts\bs
- Certain configuration options may be changed from their default values
- at runtime via one or more Default_Entry lines. These may affect all
- users on any host, all users on a specific host, a specific user, a
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ D\bDe\bef\bfa\bau\bul\blt\bts\bs
+ Certain configuration options may be changed from their default values
+ at runtime via one or more Default_Entry lines. These may affect all
+ users on any host, all users on a specific host, a specific user, a
specific command, or commands being run as a specific user. Note that
per-command entries may not include command line arguments. If you
need to specify arguments, define a Cmnd_Alias and reference that
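Review bot: this hunk is pagination noise, not a text change: the four removed lines from "Defaults" through "a specific user, a" are re-added verbatim below the "SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)" header, so the only difference is where the page break falls. Diffs of formatted man pages should be generated from unpaginated output, or with the running headers and footers stripped first, so that reviewers see only wording changes; as submitted, a genuine edit to the sudoers semantics hidden inside one of these moved blocks would be very easy to miss.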
SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
- Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
- 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
- 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
-
1.8.0b1 July 21, 2010 6
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+ Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
+ 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
+ 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
+
A u\bus\bse\ber\br s\bsp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn determines which commands a user may run (and as
what user) on specified hosts. By default, commands are run as r\bro\boo\bot\bt,
but this can be changed on a per-command basis.
device file with the dialer group. Note that in this example only the
group will be set, the command still runs as user t\btc\bcm\bm.
- tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
- /usr/local/bin/minicom
-
-
-
1.8.0b1 July 21, 2010 7
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
+ /usr/local/bin/minicom
+
S\bSE\bEL\bLi\bin\bnu\bux\bx_\b_S\bSp\bpe\bec\bc
On systems with SELinux support, _\bs_\bu_\bd_\bo_\be_\br_\bs entries may optionally have an
SELinux role and/or type associated with a command. If a role or type
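Review bot: the removed block here ends in three blank lines before the "1.8.0b1 July 21, 2010 7" footer while the re-added block carries only one; that is page-bottom padding from the old layout, not a change to the "tcm boulder = (:dialer)" example, and this whitespace-only churn would disappear if the comparison ignored blank-line runs (GNU diff -B) or, better, was taken against unpaginated output.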
In the following example, user a\baa\bar\bro\bon\bn may run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and
_\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi but shell escapes will be disabled.
- aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
-
- See the "PREVENTING SHELL ESCAPES" section below for more details on
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+
+ See the "PREVENTING SHELL ESCAPES" section below for more details on
how NOEXEC works and whether or not it will work on your system.
_\bS_\bE_\bT_\bE_\bN_\bV _\ba_\bn_\bd _\bN_\bO_\bS_\bE_\bT_\bE_\bN_\bV
Would match any file name beginning with a letter.
- Note that a forward slash ('/') will n\bno\bot\bt be matched by wildcards used
- in the path name. When matching the command line arguments, however, a
- slash d\bdo\boe\bes\bs get matched by wildcards. This is to make a path like:
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ Note that a forward slash ('/') will n\bno\bot\bt be matched by wildcards used
+ in the path name. When matching the command line arguments, however, a
+ slash d\bdo\boe\bes\bs get matched by wildcards. This is to make a path like:
+
/usr/bin/*
match _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bw_\bh_\bo but not _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bX_\b1_\b1_\b/_\bx_\bt_\be_\br_\bm.
sorted lexical order. That is, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b0_\b1_\b__\bf_\bi_\br_\bs_\bt will be parsed
before _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Be aware that because the sorting is
lexical, not numeric, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b__\bw_\bh_\bo_\bo_\bp_\bs would be loaded a\baf\bft\bte\ber\br
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Using a consistent number of leading zeroes
- in the file names can be used to avoid such problems.
-
- Note that unlike files included via #include, v\bvi\bis\bsu\bud\bdo\bo will not edit the
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Using a consistent number of leading zeroes
+ in the file names can be used to avoid such problems.
+
+ Note that unlike files included via #include, v\bvi\bis\bsu\bud\bdo\bo will not edit the
files in a #includedir directory unless one of them contains a syntax
error. It is still possible to run v\bvi\bis\bsu\bud\bdo\bo with the -f flag to edit the
files directly.
configurations where _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt is disabled. This flag
is _\bo_\bf_\bf by default.
- authenticate If set, users must authenticate themselves via a
- password (or other means of authentication) before they
- may run commands. This default may be overridden via
-
1.8.0b1 July 21, 2010 11
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ authenticate If set, users must authenticate themselves via a
+ password (or other means of authentication) before they
+ may run commands. This default may be overridden via
the PASSWD and NOPASSWD tags. This flag is _\bo_\bn by
default.
path names which include globbing characters. This
flag is _\bo_\bf_\bf by default.
- fqdn Set this flag if you want to put fully qualified host
- names in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. I.e., instead of myhost you
-
1.8.0b1 July 21, 2010 12
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ fqdn Set this flag if you want to put fully qualified host
+ names in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. I.e., instead of myhost you
would use myhost.mydomain.edu. You may still use the
short form if you wish (and even mix the two). Beware
that turning on _\bf_\bq_\bd_\bn requires s\bsu\bud\bdo\bo to make DNS lookups
mail_badpass Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user if the user running s\bsu\bud\bdo\bo
does not enter the correct password. This flag is _\bo_\bf_\bf
- by default.
-
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ by default.
+
mail_no_host If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
invoking user exists in the _\bs_\bu_\bd_\bo_\be_\br_\bs file, but is not
allowed to run commands on the current host. This flag
this point. When _\bp_\bw_\bf_\be_\be_\bd_\bb_\ba_\bc_\bk is set, s\bsu\bud\bdo\bo will provide
visual feedback when the user presses a key. Note that
this does have a security impact as an onlooker may be
- able to determine the length of the password being
- entered. This flag is _\bo_\bf_\bf by default.
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ able to determine the length of the password being
+ entered. This flag is _\bo_\bf_\bf by default.
+
requiretty If set, s\bsu\bud\bdo\bo will only run when the user is logged in
to a real tty. When this flag is set, s\bsu\bud\bdo\bo can only be
run from a login session and not via other means such
should be allowed to set variables in this manner.
This flag is _\bo_\bf_\bf by default.
- shell_noargs If set and s\bsu\bud\bdo\bo is invoked with no arguments it acts as
- if the -\b-s\bs option had been given. That is, it runs a
-
1.8.0b1 July 21, 2010 15
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ shell_noargs If set and s\bsu\bud\bdo\bo is invoked with no arguments it acts as
+ if the -\b-s\bs option had been given. That is, it runs a
shell as root (the shell is determined by the SHELL
environment variable if it is set, falling back on the
shell listed in the invoking user's /etc/passwd entry
tty_tickets If set, users must authenticate on a per-tty basis.
With this flag enabled, s\bsu\bud\bdo\bo will use a file named for
- the tty the user is logged in on in the user's time
- stamp directory. If disabled, the time stamp of the
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ the tty the user is logged in on in the user's time
+ stamp directory. If disabled, the time stamp of the
directory is used instead. This flag is _\bo_\bn by default.
umask_override If set, s\bsu\bud\bdo\bo will set the umask as specified by _\bs_\bu_\bd_\bo_\be_\br_\bs
the option to disable word wrap).
passwd_timeout Number of minutes before the s\bsu\bud\bdo\bo password prompt times
- out, or 0 for no timeout. The timeout may include a
- fractional component if minute granularity is
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ out, or 0 for no timeout. The timeout may include a
+ fractional component if minute granularity is
insufficient, for example 2.5. The default is 5.
timestamp_timeout
%H expanded to the local host name including the
domain name (on if the machine's host name is fully
- qualified or the _\bf_\bq_\bd_\bn option is set)
-
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ qualified or the _\bf_\bq_\bd_\bn option is set)
+
%h expanded to the local host name without the domain
name
S\bSt\btr\bri\bin\bng\bgs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
- askpass The _\ba_\bs_\bk_\bp_\ba_\bs_\bs option specifies the fully qualified path to a
- helper program used to read the user's password when no
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ askpass The _\ba_\bs_\bk_\bp_\ba_\bs_\bs option specifies the fully qualified path to a
+ helper program used to read the user's password when no
terminal is available. This may be the case when s\bsu\bud\bdo\bo is
executed from a graphical (as opposed to text-based)
application. The program specified by _\ba_\bs_\bk_\bp_\ba_\bs_\bs should
Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
The default value is _\bo_\bn_\bc_\be.
- lecture_file
- Path to a file containing an alternate s\bsu\bud\bdo\bo lecture that
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ lecture_file
+ Path to a file containing an alternate s\bsu\bud\bdo\bo lecture that
will be used in place of the standard lecture if the named
file exists. By default, s\bsu\bud\bdo\bo uses a built-in lecture.
option is not set by default.
syslog Syslog facility if syslog is being used for logging (negate
- to disable syslog logging). Defaults to local2.
-
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ to disable syslog logging). Defaults to local2.
+
verifypw This option controls when a password will be required when
a user runs s\bsu\bud\bdo\bo with the -\b-v\bv option. It has the following
possible values:
any setuid process (such as s\bsu\bud\bdo\bo).
env_keep Environment variables to be preserved in the user's
- environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is in effect.
- This allows fine-grained control over the environment
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is in effect.
+ This allows fine-grained control over the environment
s\bsu\bud\bdo\bo-spawned processes will receive. The argument may
be a double-quoted, space-separated list or a single
value without double-quotes. The list can be replaced,
# Host alias specification
Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
- SGI = grolsch, dandelion, black :\
- ALPHA = widget, thalamus, foobar :\
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ SGI = grolsch, dandelion, black :\
+ ALPHA = widget, thalamus, foobar :\
HPPA = boa, nag, python
Host_Alias CUNETS = 128.138.0.0/255.255.0.0
Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
Full time sysadmins (m\bmi\bil\bll\ble\ber\brt\bt, m\bmi\bik\bke\bef\bf, and d\bdo\bow\bwd\bdy\by) may run any command on
any host without authenticating themselves.
- PARTTIMERS ALL = ALL
-
1.8.0b1 July 21, 2010 24
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ PARTTIMERS ALL = ALL
+
Part time sysadmins (b\bbo\bos\bst\btl\ble\bey\by, j\bjw\bwf\bfo\box\bx, and c\bcr\bra\baw\bwl\bl) may run any command on
any host but they must authenticate themselves first (since the entry
lacks the NOPASSWD tag).
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
- Users in the s\bse\bec\bcr\bre\bet\bta\bar\bri\bie\bes\bs netgroup need to help manage the printers as
- well as add and remove users, so they are allowed to run those commands
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ Users in the s\bse\bec\bcr\bre\bet\bta\bar\bri\bie\bes\bs netgroup need to help manage the printers as
+ well as add and remove users, so they are allowed to run those commands
on all machines.
fred ALL = (DB) NOPASSWD: ALL
desired command to a different name and then executing that. For
example:
- bill ALL = ALL, !SU, !SHELLS
-
1.8.0b1 July 21, 2010 26
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ bill ALL = ALL, !SU, !SHELLS
+
Doesn't really prevent b\bbi\bil\bll\bl from running the commands listed in _\bS_\bU or
_\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those commands to a different name, or
use a shell escape from an editor or other program. Therefore, these
sudo -V | grep "dummy exec"
- If the resulting output contains a line that begins with:
-
1.8.0b1 July 21, 2010 27
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ If the resulting output contains a line that begins with:
+
File containing dummy exec functions:
then s\bsu\bud\bdo\bo may be able to replace the exec family of functions
give away files if the time stamp directory is located in a world-
writable directory.
- On systems where the boot time is available, _\bs_\bu_\bd_\bo_\be_\br_\bs will ignore time
-
1.8.0b1 July 21, 2010 28
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ On systems where the boot time is available, _\bs_\bu_\bd_\bo_\be_\br_\bs will ignore time
stamps that date from before the machine booted.
Since time stamp files live in the file system, they can outlive a
-
1.8.0b1 July 21, 2010 29
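Review bot: the final hunk removes a single blank line ahead of the "1.8.0b1 July 21, 2010 29" footer and the diff stops there, with neither the matching re-added lines nor the trailing context that every other hunk has, so the end of the patch appears truncated; please re-post the complete last hunk so the final page can be checked for a real text change the same way as the others.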