.\" ========================================================================
.\"
.IX Title "SUDO @mansectsu@"
-.TH SUDO @mansectsu@ "June 23, 2007" "1.7" "MAINTENANCE COMMANDS"
+.TH SUDO @mansectsu@ "July 9, 2007" "1.7" "MAINTENANCE COMMANDS"
.SH "NAME"
sudo, sudoedit \- execute a command as another user
.SH "SYNOPSIS"
[\fB\-c\fR\ \fIclass\fR|\fI\-\fR] [\fB\-p\fR\ \fIprompt\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR]
[\fB\s-1VAR\s0\fR=\fIvalue\fR] {\fB\-e\fR\ file\ [...]\ |\ \fB\-i\fR\ |\ \fB\-s\fR\ |\ \fIcommand\fR}
.PP
-\&\fBsudoedit\fR [\fB\-a\fR\ \fIauth_type\fR]
+\&\fBsudoedit\fR [\fB\-a\fR\ \fIauth_type\fR] [\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
[\fB\-p\fR\ \fIprompt\fR] [\fB\-S\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR]
file [...]
.SH "DESCRIPTION"
.PP
Environment variables to be set for the command may also be passed
on the command line in the form of \fB\s-1VAR\s0\fR=\fIvalue\fR, e.g.
-\&\fB\s-1LD_LIBRARY_PATH\s0\fR=\fI/usr/local/pkg/lib\fR. This is only permitted
-when the \fIsetenv\fR option is set in \fIsudoers\fR or the command to
-be run has the \f(CW\*(C`SETENV\*(C'\fR tag set. See sudoers(@mansectform@)
-for more information.
+\&\fB\s-1LD_LIBRARY_PATH\s0\fR=\fI/usr/local/pkg/lib\fR. Variables passed on the
+command line are subject to the same restrictions as normal environment
+variables with one important exception. If the \fIsetenv\fR option
+is set in \fIsudoers\fR or the command to be run has the \f(CW\*(C`SETENV\*(C'\fR tag
+set the user may set variables that would overwise be forbidden.
+See sudoers(@mansectform@) for more information.
.SH "RETURN VALUES"
.IX Header "RETURN VALUES"
Upon successful execution of a program, the return value from \fBsudo\fR
unreachable.
.SH "SECURITY NOTES"
.IX Header "SECURITY NOTES"
-\&\fBsudo\fR tries to be safe when executing external commands. Variables
-that control how dynamic loading and binding is done can be used
-to subvert the program that \fBsudo\fR runs. To combat this the
-\&\f(CW\*(C`LD_*\*(C'\fR, \f(CW\*(C`_RLD_*\*(C'\fR, \f(CW\*(C`SHLIB_PATH\*(C'\fR (\s-1HP\-UX\s0 only), and \f(CW\*(C`LIBPATH\*(C'\fR (\s-1AIX\s0
-only) environment variables are removed from the environment passed
-on to all commands executed. \fBsudo\fR will also remove the \f(CW\*(C`IFS\*(C'\fR,
-\&\f(CW\*(C`CDPATH\*(C'\fR, \f(CW\*(C`ENV\*(C'\fR, \f(CW\*(C`BASH_ENV\*(C'\fR, \f(CW\*(C`KRB_CONF\*(C'\fR, \f(CW\*(C`KRBCONFDIR\*(C'\fR, \f(CW\*(C`KRBTKFILE\*(C'\fR,
-\&\f(CW\*(C`KRB5_CONFIG\*(C'\fR, \f(CW\*(C`LOCALDOMAIN\*(C'\fR, \f(CW\*(C`RES_OPTIONS\*(C'\fR, \f(CW\*(C`HOSTALIASES\*(C'\fR,
-\&\f(CW\*(C`NLSPATH\*(C'\fR, \f(CW\*(C`PATH_LOCALE\*(C'\fR, \f(CW\*(C`TERMINFO\*(C'\fR, \f(CW\*(C`TERMINFO_DIRS\*(C'\fR and
-\&\f(CW\*(C`TERMPATH\*(C'\fR variables as they too can pose a threat. If the
-\&\f(CW\*(C`TERMCAP\*(C'\fR variable is set and is a pathname, it too is ignored.
-Additionally, if the \f(CW\*(C`LC_*\*(C'\fR or \f(CW\*(C`LANGUAGE\*(C'\fR variables contain the
-\&\f(CW\*(C`/\*(C'\fR or \f(CW\*(C`%\*(C'\fR characters, they are ignored. Environment variables
-with a value beginning with \f(CW\*(C`()\*(C'\fR are also removed as they could
-be interpreted as \fBbash\fR functions. If \fBsudo\fR has been
-compiled with SecurID support, the \f(CW\*(C`VAR_ACE\*(C'\fR, \f(CW\*(C`USR_ACE\*(C'\fR and
-\&\f(CW\*(C`DLC_ACE\*(C'\fR variables are cleared as well. The list of environment
-variables that \fBsudo\fR clears is contained in the output of
-\&\f(CW\*(C`sudo \-V\*(C'\fR when run as root.
+\&\fBsudo\fR tries to be safe when executing external commands.
+.PP
+There are two distinct ways to deal with environment variables.
+By default, the \fIenv_reset\fR \fIsudoers\fR option is enabled.
+This causes commands to be executed with a minimal environment
+containing \f(CW\*(C`TERM\*(C'\fR, \f(CW\*(C`PATH\*(C'\fR, \f(CW\*(C`HOME\*(C'\fR, \f(CW\*(C`SHELL\*(C'\fR, \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR
+and \f(CW\*(C`USERNAME\*(C'\fR in addition to variables from the invoking process
+permitted by the \fIenv_check\fR and \fIenv_keep\fR \fIsudoers\fR options.
+There is effectively a whitelist for environment variables.
+.PP
+If, however, the \fIenv_reset\fR option is disabled in \fIsudoers\fR, any
+variables not explicitly denied by the \fIenv_check\fR and \fIenv_delete\fR
+options are inherited from the invoking process. In this case,
+\&\fIenv_check\fR and \fIenv_delete\fR behave like a blacklist. Since it
+is not possible to blacklist all potentially dangerous environment
+variables, use of the default \fIenv_reset\fR behavior is encouraged.
+.PP
+In all cases, environment variables with a value beginning with
+\&\f(CW\*(C`()\*(C'\fR are removed as they could be interpreted as \fBbash\fR functions.
+The list of environment variables that \fBsudo\fR allows or denies is
+contained in the output of \f(CW\*(C`sudo \-V\*(C'\fR when run as root.
+.PP
+Note that the dynamic linker on most operating systems will remove
+variables that can control dynamic linking from the environment of
+setuid executables, including \fBsudo\fR. Depending on the operating
+system this may include \f(CW\*(C`_RLD*\*(C'\fR, \f(CW\*(C`DYLD_*\*(C'\fR, \f(CW\*(C`LD_*\*(C'\fR, \f(CW\*(C`LDR_*\*(C'\fR,
+\&\f(CW\*(C`LIBPATH\*(C'\fR, \f(CW\*(C`SHLIB_PATH\*(C'\fR, and others. These type of variables are
+removed from the environment before \fBsudo\fR even begins execution
+and, as such, it is not possible for \fBsudo\fR to preserve them.
.PP
To prevent command spoofing, \fBsudo\fR checks \*(L".\*(R" and "" (both denoting
current directory) last when searching for a command in the user's
actual \f(CW\*(C`PATH\*(C'\fR environment variable is \fInot\fR modified and is passed
unchanged to the program that \fBsudo\fR executes.
.PP
-For security reasons, if your \s-1OS\s0 supports shared libraries and does
-not disable user-defined library search paths for setuid programs
-(most do), you should either use a linker option that disables this
-behavior or link \fBsudo\fR statically.
-.PP
\&\fBsudo\fR will check the ownership of its timestamp directory
(\fI@timedir@\fR by default) and ignore the directory's contents if
it is not owned by root or if it is writable by a user other than
.IX Header "FILES"
.Vb 2
\& @sysconfdir@/sudoers List of who can run what
-\& @timedir@ Directory containing timestamps
+\& @timedir@ Directory containing timestamps
.Ve
.SH "EXAMPLES"
.IX Header "EXAMPLES"
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "June 23, 2007" "1.7" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "July 9, 2007" "1.7" "MAINTENANCE COMMANDS"
.SH "NAME"
sudoers \- list of which users may execute what
.SH "DESCRIPTION"
It is not an error to use the \f(CW\*(C`\-=\*(C'\fR operator to remove an element
that does not exist in a list.
.PP
+See \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" for a list of supported Defaults parameters.
+.Sh "User Specification"
+.IX Subsection "User Specification"
+.Vb 2
+\& User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
+\& (':' Host_List '=' Cmnd_Spec_List)*
+.Ve
+.PP
+.Vb 2
+\& Cmnd_Spec_List ::= Cmnd_Spec |
+\& Cmnd_Spec ',' Cmnd_Spec_List
+.Ve
+.PP
+.Vb 1
+\& Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
+.Ve
+.PP
+.Vb 1
+\& Runas_Spec ::= '(' Runas_List ')'
+.Ve
+.PP
+.Vb 2
+\& Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
+\& 'SETENV:' | 'NOSETENV:' | 'MONITOR:' | 'NOMONITOR:')
+.Ve
+.PP
+A \fBuser specification\fR determines which commands a user may run
+(and as what user) on specified hosts. By default, commands are
+run as \fBroot\fR, but this can be changed on a per-command basis.
+.PP
+Let's break that down into its constituent parts:
+.Sh "Runas_Spec"
+.IX Subsection "Runas_Spec"
+A \f(CW\*(C`Runas_Spec\*(C'\fR is simply a \f(CW\*(C`Runas_List\*(C'\fR (as defined above)
+enclosed in a set of parentheses. If you do not specify a
+\&\f(CW\*(C`Runas_Spec\*(C'\fR in the user specification, a default \f(CW\*(C`Runas_Spec\*(C'\fR
+of \fBroot\fR will be used. A \f(CW\*(C`Runas_Spec\*(C'\fR sets the default for
+commands that follow it. What this means is that for the entry:
+.PP
+.Vb 1
+\& dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
+.Ve
+.PP
+The user \fBdgb\fR may run \fI/bin/ls\fR, \fI/bin/kill\fR, and
+\&\fI/usr/bin/lprm\fR \*(-- but only as \fBoperator\fR. E.g.,
+.PP
+.Vb 1
+\& $ sudo -u operator /bin/ls.
+.Ve
+.PP
+It is also possible to override a \f(CW\*(C`Runas_Spec\*(C'\fR later on in an
+entry. If we modify the entry like so:
+.PP
+.Vb 1
+\& dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
+.Ve
+.PP
+Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR,
+but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR.
+.Sh "Tag_Spec"
+.IX Subsection "Tag_Spec"
+A command may have zero or more tags associated with it. There are
+eight possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, \f(CW\*(C`EXEC\*(C'\fR,
+\&\f(CW\*(C`SETENV\*(C'\fR, \f(CW\*(C`NOSETENV\*(C'\fR, \f(CW\*(C`MONITOR\*(C'\fR and \f(CW\*(C`NOMONITOR\*(C'\fR.
+Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR, subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the
+\&\f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless it is overridden by the
+opposite tag (i.e.: \f(CW\*(C`PASSWD\*(C'\fR overrides \f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOEXEC\*(C'\fR
+overrides \f(CW\*(C`EXEC\*(C'\fR).
+.PP
+\fI\s-1NOPASSWD\s0 and \s-1PASSWD\s0\fR
+.IX Subsection "NOPASSWD and PASSWD"
+.PP
+By default, \fBsudo\fR requires that a user authenticate him or herself
+before running a command. This behavior can be modified via the
+\&\f(CW\*(C`NOPASSWD\*(C'\fR tag. Like a \f(CW\*(C`Runas_Spec\*(C'\fR, the \f(CW\*(C`NOPASSWD\*(C'\fR tag sets
+a default for the commands that follow it in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR.
+Conversely, the \f(CW\*(C`PASSWD\*(C'\fR tag can be used to reverse things.
+For example:
+.PP
+.Vb 1
+\& ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
+.Ve
+.PP
+would allow the user \fBray\fR to run \fI/bin/kill\fR, \fI/bin/ls\fR, and
+\&\fI/usr/bin/lprm\fR as root on the machine rushmore as \fBroot\fR without
+authenticating himself. If we only want \fBray\fR to be able to
+run \fI/bin/kill\fR without a password the entry would be:
+.PP
+.Vb 1
+\& ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
+.Ve
+.PP
+Note, however, that the \f(CW\*(C`PASSWD\*(C'\fR tag has no effect on users who are
+in the group specified by the \fIexempt_group\fR option.
+.PP
+By default, if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is applied to any of the entries
+for a user on the current host, he or she will be able to run
+\&\f(CW\*(C`sudo \-l\*(C'\fR without a password. Additionally, a user may only run
+\&\f(CW\*(C`sudo \-v\*(C'\fR without a password if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is present
+for all a user's entries that pertain to the current host.
+This behavior may be overridden via the verifypw and listpw options.
+.PP
+\fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR
+.IX Subsection "NOEXEC and EXEC"
+.PP
+If \fBsudo\fR has been compiled with \fInoexec\fR support and the underlying
+operating system supports it, the \f(CW\*(C`NOEXEC\*(C'\fR tag can be used to prevent
+a dynamically-linked executable from running further commands itself.
+.PP
+In the following example, user \fBaaron\fR may run \fI/usr/bin/more\fR
+and \fI/usr/bin/vi\fR but shell escapes will be disabled.
+.PP
+.Vb 1
+\& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+.Ve
+.PP
+See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details
+on how \f(CW\*(C`NOEXEC\*(C'\fR works and whether or not it will work on your system.
+.PP
+\fI\s-1SETENV\s0 and \s-1NOSETENV\s0\fR
+.IX Subsection "SETENV and NOSETENV"
+.PP
+These tags override the value of the \fIsetenv\fR option on a per-command
+basis. Note that if \f(CW\*(C`SETENV\*(C'\fR has been set for a command, any
+environment variables set on the command line way are not subject
+to the restrictions imposed by \fIenv_check\fR, \fIenv_delete\fR, or
+\&\fIenv_keep\fR. As such, only trusted users should be allowed to set
+variables in this manner.
+.PP
+\fI\s-1MONITOR\s0 and \s-1NOMONITOR\s0\fR
+.IX Subsection "MONITOR and NOMONITOR"
+.PP
+If \fBsudo\fR has been configured with the \f(CW\*(C`\-\-with\-systrace\*(C'\fR option,
+the \f(CW\*(C`MONITOR\*(C'\fR tag can be used to cause programs spawned by a command
+to be checked against \fIsudoers\fR and logged just like they would
+be if run through \fBsudo\fR directly. This is useful in conjunction
+with commands that allow shell escapes such as editors, shells and
+paginators.
+.PP
+In the following example, user \fBchuck\fR may run any command on the
+machine research in monitor mode.
+.PP
+.Vb 1
+\& chuck research = MONITOR: ALL
+.Ve
+.PP
+See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details
+on how \f(CW\*(C`MONITOR\*(C'\fR works and whether or not it will work on your system.
+.Sh "Wildcards"
+.IX Subsection "Wildcards"
+\&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters)
+to be used in pathnames as well as command line arguments in the
+\&\fIsudoers\fR file. Wildcard matching is done via the \fB\s-1POSIX\s0\fR
+\&\fIfnmatch\fR\|(3) routine. Note that these are \fInot\fR regular expressions.
+.ie n .IP "\*(C`*\*(C'" 8
+.el .IP "\f(CW\*(C`*\*(C'\fR" 8
+.IX Item "*"
+Matches any set of zero or more characters.
+.ie n .IP "\*(C`?\*(C'" 8
+.el .IP "\f(CW\*(C`?\*(C'\fR" 8
+.IX Item "?"
+Matches any single character.
+.ie n .IP "\*(C`[...]\*(C'" 8
+.el .IP "\f(CW\*(C`[...]\*(C'\fR" 8
+.IX Item "[...]"
+Matches any character in the specified range.
+.ie n .IP "\*(C`[!...]\*(C'" 8
+.el .IP "\f(CW\*(C`[!...]\*(C'\fR" 8
+.IX Item "[!...]"
+Matches any character \fBnot\fR in the specified range.
+.ie n .IP "\*(C`\ex\*(C'" 8
+.el .IP "\f(CW\*(C`\ex\*(C'\fR" 8
+.IX Item "x"
+For any character \*(L"x\*(R", evaluates to \*(L"x\*(R". This is used to
+escape special characters such as: \*(L"*\*(R", \*(L"?\*(R", \*(L"[\*(R", and \*(L"}\*(R".
+.PP
+Note that a forward slash ('/') will \fBnot\fR be matched by
+wildcards used in the pathname. When matching the command
+line arguments, however, a slash \fBdoes\fR get matched by
+wildcards. This is to make a path like:
+.PP
+.Vb 1
+\& /usr/bin/*
+.Ve
+.PP
+match \fI/usr/bin/who\fR but not \fI/usr/bin/X11/xterm\fR.
+.Sh "Exceptions to wildcard rules"
+.IX Subsection "Exceptions to wildcard rules"
+The following exceptions apply to the above rules:
+.ie n .IP """""" 8
+.el .IP "\f(CW``''\fR" 8
+.IX Item """"""
+If the empty string \f(CW""\fR is the only command line argument in the
+\&\fIsudoers\fR entry it means that command is not allowed to be run
+with \fBany\fR arguments.
+.Sh "Including other files from within sudoers"
+.IX Subsection "Including other files from within sudoers"
+It is possible to include other \fIsudoers\fR files from within the
+\&\fIsudoers\fR file currently being parsed using the \f(CW\*(C`#include\*(C'\fR
+directive, similar to the one used by the C preprocessor. This is
+useful, for example, for keeping a site-wide \fIsudoers\fR file in
+addition to a per-machine local one. For the sake of this example
+the site-wide \fIsudoers\fR will be \fI/etc/sudoers\fR and the per-machine
+one will be \fI/etc/sudoers.local\fR. To include \fI/etc/sudoers.local\fR
+from \fI/etc/sudoers\fR we would use the following line in \fI/etc/sudoers\fR:
+.PP
+.Vb 1
+\& #include /etc/sudoers.local
+.Ve
+.PP
+When \fBsudo\fR reaches this line it will suspend processing of the
+current file (\fI/etc/sudoers\fR) and switch to \fI/etc/sudoers.local\fR.
+Upon reaching the end of \fI/etc/sudoers.local\fR, the rest of
+\&\fI/etc/sudoers\fR will be processed. Files that are included may
+themselves include other files. A hard limit of 128 nested include
+files is enforced to prevent include file loops.
+.Sh "Other special characters and reserved words"
+.IX Subsection "Other special characters and reserved words"
+The pound sign ('#') is used to indicate a comment (unless it is
+part of a #include directive or unless it occurs in the context of
+a user name and is followed by one or more digits, in which case
+it is treated as a uid). Both the comment character and any text
+after it, up to the end of the line, are ignored.
+.PP
+The reserved word \fB\s-1ALL\s0\fR is a built-in \fIalias\fR that always causes
+a match to succeed. It can be used wherever one might otherwise
+use a \f(CW\*(C`Cmnd_Alias\*(C'\fR, \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, or \f(CW\*(C`Host_Alias\*(C'\fR.
+You should not try to define your own \fIalias\fR called \fB\s-1ALL\s0\fR as the
+built-in alias will be used in preference to your own. Please note
+that using \fB\s-1ALL\s0\fR can be dangerous since in a command context, it
+allows the user to run \fBany\fR command on the system.
+.PP
+An exclamation point ('!') can be used as a logical \fInot\fR operator
+both in an \fIalias\fR and in front of a \f(CW\*(C`Cmnd\*(C'\fR. This allows one to
+exclude certain values. Note, however, that using a \f(CW\*(C`!\*(C'\fR in
+conjunction with the built-in \f(CW\*(C`ALL\*(C'\fR alias to allow a user to
+run \*(L"all but a few\*(R" commands rarely works as intended (see \s-1SECURITY\s0
+\&\s-1NOTES\s0 below).
+.PP
+Long lines can be continued with a backslash ('\e') as the last
+character on the line.
+.PP
+Whitespace between elements in a list as well as special syntactic
+characters in a \fIUser Specification\fR ('=', ':', '(', ')') is optional.
+.PP
+The following characters must be escaped with a backslash ('\e') when
+used as part of a word (e.g.\ a username or hostname):
+\&'@', '!', '=', ':', ',', '(', ')', '\e'.
+.SH "SUDOERS OPTIONS"
+.IX Header "SUDOERS OPTIONS"
+Sudo's behavior can be modified by \f(CW\*(C`Default_Entry\*(C'\fR lines, as
+explained earlier. A list of all supported Defaults parameters,
+grouped by type, are listed below.
+.PP
\&\fBFlags\fR:
.IP "long_otp_prompt" 12
.IX Item "long_otp_prompt"
The default is 3.
.IP "setenv" 12
.IX Item "setenv"
-Allow the user to set additional environment variables from the
-command line. Note that variables set this way are not subject to
-the restrictions imposed by \fIenv_check\fR, \fIenv_delete\fR, or
-\&\fIenv_reset\fR. As such, only trusted users should be allowed to set
-variables in this manner.
+Allow the user to disable the \fIenv_reset\fR option from the command
+line. Additionally, environment variables set via the command line
+are not subject to the restrictions imposed by \fIenv_check\fR,
+\&\fIenv_delete\fR, or \fIenv_keep\fR. As such, only trusted users should
+be allowed to set variables in this manner.
.PP
\&\fBStrings\fR:
.IP "mailsub" 12
\&\fBlocal6\fR, and \fBlocal7\fR. The following syslog priorities are
supported: \fBalert\fR, \fBcrit\fR, \fBdebug\fR, \fBemerg\fR, \fBerr\fR, \fBinfo\fR,
\&\fBnotice\fR, and \fBwarning\fR.
-.Sh "User Specification"
-.IX Subsection "User Specification"
-.Vb 2
-\& User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
-\& (':' Host_List '=' Cmnd_Spec_List)*
-.Ve
-.PP
-.Vb 2
-\& Cmnd_Spec_List ::= Cmnd_Spec |
-\& Cmnd_Spec ',' Cmnd_Spec_List
-.Ve
-.PP
-.Vb 1
-\& Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
-.Ve
-.PP
-.Vb 1
-\& Runas_Spec ::= '(' Runas_List ')'
-.Ve
-.PP
-.Vb 2
-\& Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
-\& 'SETENV:' | 'NOSETENV:' | 'MONITOR:' | 'NOMONITOR:')
-.Ve
-.PP
-A \fBuser specification\fR determines which commands a user may run
-(and as what user) on specified hosts. By default, commands are
-run as \fBroot\fR, but this can be changed on a per-command basis.
-.PP
-Let's break that down into its constituent parts:
-.Sh "Runas_Spec"
-.IX Subsection "Runas_Spec"
-A \f(CW\*(C`Runas_Spec\*(C'\fR is simply a \f(CW\*(C`Runas_List\*(C'\fR (as defined above)
-enclosed in a set of parentheses. If you do not specify a
-\&\f(CW\*(C`Runas_Spec\*(C'\fR in the user specification, a default \f(CW\*(C`Runas_Spec\*(C'\fR
-of \fBroot\fR will be used. A \f(CW\*(C`Runas_Spec\*(C'\fR sets the default for
-commands that follow it. What this means is that for the entry:
-.PP
-.Vb 1
-\& dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
-.Ve
-.PP
-The user \fBdgb\fR may run \fI/bin/ls\fR, \fI/bin/kill\fR, and
-\&\fI/usr/bin/lprm\fR \*(-- but only as \fBoperator\fR. E.g.,
-.PP
-.Vb 1
-\& $ sudo -u operator /bin/ls.
-.Ve
-.PP
-It is also possible to override a \f(CW\*(C`Runas_Spec\*(C'\fR later on in an
-entry. If we modify the entry like so:
-.PP
-.Vb 1
-\& dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
-.Ve
-.PP
-Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR,
-but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR.
-.Sh "Tag_Spec"
-.IX Subsection "Tag_Spec"
-A command may have zero or more tags associated with it. There are
-eight possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, \f(CW\*(C`EXEC\*(C'\fR,
-\&\f(CW\*(C`SETENV\*(C'\fR, \f(CW\*(C`NOSETENV\*(C'\fR, \f(CW\*(C`MONITOR\*(C'\fR and \f(CW\*(C`NOMONITOR\*(C'\fR.
-Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR, subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the
-\&\f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless it is overridden by the
-opposite tag (i.e.: \f(CW\*(C`PASSWD\*(C'\fR overrides \f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOEXEC\*(C'\fR
-overrides \f(CW\*(C`EXEC\*(C'\fR).
-.PP
-\fI\s-1NOPASSWD\s0 and \s-1PASSWD\s0\fR
-.IX Subsection "NOPASSWD and PASSWD"
-.PP
-By default, \fBsudo\fR requires that a user authenticate him or herself
-before running a command. This behavior can be modified via the
-\&\f(CW\*(C`NOPASSWD\*(C'\fR tag. Like a \f(CW\*(C`Runas_Spec\*(C'\fR, the \f(CW\*(C`NOPASSWD\*(C'\fR tag sets
-a default for the commands that follow it in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR.
-Conversely, the \f(CW\*(C`PASSWD\*(C'\fR tag can be used to reverse things.
-For example:
-.PP
-.Vb 1
-\& ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
-.Ve
-.PP
-would allow the user \fBray\fR to run \fI/bin/kill\fR, \fI/bin/ls\fR, and
-\&\fI/usr/bin/lprm\fR as root on the machine rushmore as \fBroot\fR without
-authenticating himself. If we only want \fBray\fR to be able to
-run \fI/bin/kill\fR without a password the entry would be:
-.PP
-.Vb 1
-\& ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
-.Ve
-.PP
-Note, however, that the \f(CW\*(C`PASSWD\*(C'\fR tag has no effect on users who are
-in the group specified by the \fIexempt_group\fR option.
-.PP
-By default, if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is applied to any of the entries
-for a user on the current host, he or she will be able to run
-\&\f(CW\*(C`sudo \-l\*(C'\fR without a password. Additionally, a user may only run
-\&\f(CW\*(C`sudo \-v\*(C'\fR without a password if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is present
-for all a user's entries that pertain to the current host.
-This behavior may be overridden via the verifypw and listpw options.
-.PP
-\fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR
-.IX Subsection "NOEXEC and EXEC"
-.PP
-If \fBsudo\fR has been compiled with \fInoexec\fR support and the underlying
-operating system supports it, the \f(CW\*(C`NOEXEC\*(C'\fR tag can be used to prevent
-a dynamically-linked executable from running further commands itself.
-.PP
-In the following example, user \fBaaron\fR may run \fI/usr/bin/more\fR
-and \fI/usr/bin/vi\fR but shell escapes will be disabled.
-.PP
-.Vb 1
-\& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
-.Ve
-.PP
-See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details
-on how \f(CW\*(C`NOEXEC\*(C'\fR works and whether or not it will work on your system.
-.PP
-\fI\s-1SETENV\s0 and \s-1NOSETENV\s0\fR
-.IX Subsection "SETENV and NOSETENV"
-.PP
-These tags override the value of the \fIsetenv\fR option on a per-command
-basis. Note that environment variables set on the command line way
-are not subject to the restrictions imposed by \fIenv_check\fR,
-\&\fIenv_delete\fR, or \fIenv_reset\fR. As such, only trusted users should
-be allowed to set variables in this manner.
-.PP
-\fI\s-1MONITOR\s0 and \s-1NOMONITOR\s0\fR
-.IX Subsection "MONITOR and NOMONITOR"
-.PP
-If \fBsudo\fR has been configured with the \f(CW\*(C`\-\-with\-systrace\*(C'\fR option,
-the \f(CW\*(C`MONITOR\*(C'\fR tag can be used to cause programs spawned by a command
-to be checked against \fIsudoers\fR and logged just like they would
-be if run through \fBsudo\fR directly. This is useful in conjunction
-with commands that allow shell escapes such as editors, shells and
-paginators.
-.PP
-In the following example, user \fBchuck\fR may run any command on the
-machine research in monitor mode.
-.PP
-.Vb 1
-\& chuck research = MONITOR: ALL
-.Ve
-.PP
-See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details
-on how \f(CW\*(C`MONITOR\*(C'\fR works and whether or not it will work on your system.
-.Sh "Wildcards"
-.IX Subsection "Wildcards"
-\&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters)
-to be used in pathnames as well as command line arguments in the
-\&\fIsudoers\fR file. Wildcard matching is done via the \fB\s-1POSIX\s0\fR
-\&\fIfnmatch\fR\|(3) routine. Note that these are \fInot\fR regular expressions.
-.ie n .IP "\*(C`*\*(C'" 8
-.el .IP "\f(CW\*(C`*\*(C'\fR" 8
-.IX Item "*"
-Matches any set of zero or more characters.
-.ie n .IP "\*(C`?\*(C'" 8
-.el .IP "\f(CW\*(C`?\*(C'\fR" 8
-.IX Item "?"
-Matches any single character.
-.ie n .IP "\*(C`[...]\*(C'" 8
-.el .IP "\f(CW\*(C`[...]\*(C'\fR" 8
-.IX Item "[...]"
-Matches any character in the specified range.
-.ie n .IP "\*(C`[!...]\*(C'" 8
-.el .IP "\f(CW\*(C`[!...]\*(C'\fR" 8
-.IX Item "[!...]"
-Matches any character \fBnot\fR in the specified range.
-.ie n .IP "\*(C`\ex\*(C'" 8
-.el .IP "\f(CW\*(C`\ex\*(C'\fR" 8
-.IX Item "x"
-For any character \*(L"x\*(R", evaluates to \*(L"x\*(R". This is used to
-escape special characters such as: \*(L"*\*(R", \*(L"?\*(R", \*(L"[\*(R", and \*(L"}\*(R".
-.PP
-Note that a forward slash ('/') will \fBnot\fR be matched by
-wildcards used in the pathname. When matching the command
-line arguments, however, a slash \fBdoes\fR get matched by
-wildcards. This is to make a path like:
-.PP
-.Vb 1
-\& /usr/bin/*
-.Ve
-.PP
-match \fI/usr/bin/who\fR but not \fI/usr/bin/X11/xterm\fR.
-.Sh "Exceptions to wildcard rules"
-.IX Subsection "Exceptions to wildcard rules"
-The following exceptions apply to the above rules:
-.ie n .IP """""" 8
-.el .IP "\f(CW``''\fR" 8
-.IX Item """"""
-If the empty string \f(CW""\fR is the only command line argument in the
-\&\fIsudoers\fR entry it means that command is not allowed to be run
-with \fBany\fR arguments.
-.Sh "Including other files from within sudoers"
-.IX Subsection "Including other files from within sudoers"
-It is possible to include other \fIsudoers\fR files from within the
-\&\fIsudoers\fR file currently being parsed using the \f(CW\*(C`#include\*(C'\fR
-directive, similar to the one used by the C preprocessor. This is
-useful, for example, for keeping a site-wide \fIsudoers\fR file in
-addition to a per-machine local one. For the sake of this example
-the site-wide \fIsudoers\fR will be \fI/etc/sudoers\fR and the per-machine
-one will be \fI/etc/sudoers.local\fR. To include \fI/etc/sudoers.local\fR
-from \fI/etc/sudoers\fR we would use the following line in \fI/etc/sudoers\fR:
-.PP
-.Vb 1
-\& #include /etc/sudoers.local
-.Ve
-.PP
-When \fBsudo\fR reaches this line it will suspend processing of the
-current file (\fI/etc/sudoers\fR) and switch to \fI/etc/sudoers.local\fR.
-Upon reaching the end of \fI/etc/sudoers.local\fR, the rest of
-\&\fI/etc/sudoers\fR will be processed. Files that are included may
-themselves include other files. A hard limit of 128 nested include
-files is enforced to prevent include file loops.
-.Sh "Other special characters and reserved words"
-.IX Subsection "Other special characters and reserved words"
-The pound sign ('#') is used to indicate a comment (unless it is
-part of a #include directive or unless it occurs in the context of
-a user name and is followed by one or more digits, in which case
-it is treated as a uid). Both the comment character and any text
-after it, up to the end of the line, are ignored.
-.PP
-The reserved word \fB\s-1ALL\s0\fR is a built-in \fIalias\fR that always causes
-a match to succeed. It can be used wherever one might otherwise
-use a \f(CW\*(C`Cmnd_Alias\*(C'\fR, \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, or \f(CW\*(C`Host_Alias\*(C'\fR.
-You should not try to define your own \fIalias\fR called \fB\s-1ALL\s0\fR as the
-built-in alias will be used in preference to your own. Please note
-that using \fB\s-1ALL\s0\fR can be dangerous since in a command context, it
-allows the user to run \fBany\fR command on the system.
-.PP
-An exclamation point ('!') can be used as a logical \fInot\fR operator
-both in an \fIalias\fR and in front of a \f(CW\*(C`Cmnd\*(C'\fR. This allows one to
-exclude certain values. Note, however, that using a \f(CW\*(C`!\*(C'\fR in
-conjunction with the built-in \f(CW\*(C`ALL\*(C'\fR alias to allow a user to
-run \*(L"all but a few\*(R" commands rarely works as intended (see \s-1SECURITY\s0
-\&\s-1NOTES\s0 below).
-.PP
-Long lines can be continued with a backslash ('\e') as the last
-character on the line.
-.PP
-Whitespace between elements in a list as well as special syntactic
-characters in a \fIUser Specification\fR ('=', ':', '(', ')') is optional.
-.PP
-The following characters must be escaped with a backslash ('\e') when
-used as part of a word (e.g.\ a username or hostname):
-\&'@', '!', '=', ':', ',', '(', ')', '\e'.
.SH "FILES"
.IX Header "FILES"
.Vb 3
projects / sudo / commitdiff