-1.7.2 June 30, 2009 1
+1.7.2 September 24, 2009 1
-1.7.2 June 30, 2009 2
+1.7.2 September 24, 2009 2
-1.7.2 June 30, 2009 3
+1.7.2 September 24, 2009 3
-1.7.2 June 30, 2009 4
+1.7.2 September 24, 2009 4
Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
- 'SETENV:' | 'NOSETENV:' )
+ 'SETENV:' | 'NOSETENV:' | 'TRANSCRIPT:' | 'NOTRANSCRIPT:')
A u\bus\bse\ber\br s\bsp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn determines which commands a user may run (and as
what user) on specified hosts. By default, commands are run as r\bro\boo\bot\bt,
-1.7.2 June 30, 2009 5
+1.7.2 September 24, 2009 5
T\bTa\bag\bg_\b_S\bSp\bpe\bec\bc
A command may have zero or more tags associated with it. There are
- eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV and
- NOSETENV. Once a tag is set on a Cmnd, subsequent Cmnds in the
- Cmnd_Spec_List, inherit the tag unless it is overridden by the opposite
- tag (i.e.: PASSWD overrides NOPASSWD and NOEXEC overrides EXEC).
+ eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV,
+ NOSETENV, TRANSCRIPT and NOTRANSCRIPT. Once a tag is set on a Cmnd,
+ subsequent Cmnds in the Cmnd_Spec_List, inherit the tag unless it is
+ overridden by the opposite tag (i.e.: PASSWD overrides NOPASSWD and
+ NOEXEC overrides EXEC).
_\bN_\bO_\bP_\bA_\bS_\bS_\bW_\bD _\ba_\bn_\bd _\bP_\bA_\bS_\bS_\bW_\bD
pertain to the current host. This behavior may be overridden via the
verifypw and listpw options.
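Review bot: the override example in this hunk still names only two of the four tag pairs; the new TRANSCRIPT tag is inherited by every later Cmnd in the Cmnd_Spec_List exactly like the others, so the parenthetical should read `(i.e.: PASSWD overrides NOPASSWD, NOEXEC overrides EXEC and NOTRANSCRIPT overrides TRANSCRIPT)` so that an administrator knows how to switch recording back off part-way through a list. The count is now right: the old text said "eight" but listed six tags.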
- _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC
-1.7.2 June 30, 2009 6
+1.7.2 September 24, 2009 6
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC
+
If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the underlying
operating system supports it, the NOEXEC tag can be used to prevent a
dynamically-linked executable from running further commands itself.
If the command matched is A\bAL\bLL\bL, the SETENV tag is implied for that
command; this default may be overridden by use of the UNSETENV tag.
+ _\bT_\bR_\bA_\bN_\bS_\bC_\bR_\bI_\bP_\bT _\ba_\bn_\bd _\bN_\bO_\bT_\bR_\bA_\bN_\bS_\bC_\bR_\bI_\bP_\bT
+
+ These tags override the value of the _\bt_\br_\ba_\bn_\bs_\bc_\br_\bi_\bp_\bt option on a per-command
+ basis. For more information, see the description of _\bt_\br_\ba_\bn_\bs_\bc_\br_\bi_\bp_\bt in the
+ "SUDOERS OPTIONS" section below.
+
W\bWi\bil\bld\bdc\bca\bar\brd\bds\bs
s\bsu\bud\bdo\bo allows shell-style _\bw_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs (aka meta or glob characters) to be
/bin/ls [[\:alpha\:]]*
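Review bot: the new TRANSCRIPT and NOTRANSCRIPT subsection only points at the option description; it should say what NOTRANSCRIPT gives up, namely that the command runs with no I/O record at all, and that, because tags are inherited down a Cmnd_Spec_List, a NOTRANSCRIPT placed on one Cmnd also silences recording for every Cmnd after it until a TRANSCRIPT tag appears. A one-line warning to pair NOTRANSCRIPT only with commands that cannot spawn a shell (see PREVENTING SHELL ESCAPES below) would fit here, since a recording opt-out on a program with shell escapes removes the only log of what was done.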
- Would match any filename beginning with a letter.
- Note that a forward slash ('/') will n\bno\bot\bt be matched by wildcards used
- in the pathname. When matching the command line arguments, however, a
- slash d\bdo\boe\bes\bs get matched by wildcards. This is to make a path like:
- /usr/bin/*
+1.7.2 September 24, 2009 7
-1.7.2 June 30, 2009 7
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ Would match any filename beginning with a letter.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ Note that a forward slash ('/') will n\bno\bot\bt be matched by wildcards used
+ in the pathname. When matching the command line arguments, however, a
+ slash d\bdo\boe\bes\bs get matched by wildcards. This is to make a path like:
+ /usr/bin/*
match _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bw_\bh_\bo but not _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bX_\b1_\b1_\b/_\bx_\bt_\be_\br_\bm.
s\bsu\bud\bdo\bo will read each file in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd, skipping file names that
end in ~ or contain a . character to avoid causing problems with
- package manager or editor temporary/backup files. Files are parsed in
- sorted lexical order. That is, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b0_\b1_\b__\bf_\bi_\br_\bs_\bt will be parsed
- before _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Be aware that because the sorting is
- lexical, not numeric, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b__\bw_\bh_\bo_\bo_\bp_\bs would be loaded a\baf\bft\bte\ber\br
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Using a consistent number of leading zeroes
- in the file names can be used to avoid such problems.
-
- Note that unlike files included via #include, v\bvi\bis\bsu\bud\bdo\bo will not edit the
-1.7.2 June 30, 2009 8
+1.7.2 September 24, 2009 8
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ package manager or editor temporary/backup files. Files are parsed in
+ sorted lexical order. That is, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b0_\b1_\b__\bf_\bi_\br_\bs_\bt will be parsed
+ before _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Be aware that because the sorting is
+ lexical, not numeric, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b__\bw_\bh_\bo_\bo_\bp_\bs would be loaded a\baf\bft\bte\ber\br
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Using a consistent number of leading zeroes
+ in the file names can be used to avoid such problems.
+
+ Note that unlike files included via #include, v\bvi\bis\bsu\bud\bdo\bo will not edit the
files in a #includedir directory unless one of them contains a syntax
error. It is still possible to run v\bvi\bis\bsu\bud\bdo\bo with the -f flag to edit the
files directly.
always_set_home If set, s\bsu\bud\bdo\bo will set the HOME environment variable to
the home directory of the target user (which is root
unless the -\b-u\bu option is used). This effectively means
- that the -\b-H\bH option is always implied. This flag is _\bo_\bf_\bf
- by default.
-
- authenticate If set, users must authenticate themselves via a
- password (or other means of authentication) before they
- may run commands. This default may be overridden via
- the PASSWD and NOPASSWD tags. This flag is _\bo_\bn by
- default.
-1.7.2 June 30, 2009 9
+1.7.2 September 24, 2009 9
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ that the -\b-H\bH option is always implied. This flag is _\bo_\bf_\bf
+ by default.
+
+ authenticate If set, users must authenticate themselves via a
+ password (or other means of authentication) before they
+ may run commands. This default may be overridden via
+ the PASSWD and NOPASSWD tags. This flag is _\bo_\bn by
+ default.
+
closefrom_override
If set, the user may use s\bsu\bud\bdo\bo's -\b-C\bC option which
overrides the default starting point at which s\bsu\bud\bdo\bo
its value will be used for the PATH environment
variable. This flag is _\bo_\bn by default.
+ fast_glob Normally, s\bsu\bud\bdo\bo uses the _\bg_\bl_\bo_\bb(3) function to do shell-
+ style globbing when matching pathnames. However, since
+ it accesses the file system, _\bg_\bl_\bo_\bb(3) can take a long
+ time to complete for some patterns, especially when the
+ pattern references a network file system that is
+ mounted on demand (automounted). The _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb option
+ causes s\bsu\bud\bdo\bo to use the _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) function, which does
+ not access the file system to do its matching. The
+ disadvantage of _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is that it is unable to match
+ relative pathnames such as _\b._\b/_\bl_\bs or _\b._\b._\b/_\bb_\bi_\bn_\b/_\bl_\bs. This
+ flag is _\bo_\bf_\bf by default.
+
fqdn Set this flag if you want to put fully qualified
hostnames in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. I.e., instead of myhost
you would use myhost.mydomain.edu. You may still use
Beware that turning on _\bf_\bq_\bd_\bn requires s\bsu\bud\bdo\bo to make DNS
lookups which may make s\bsu\bud\bdo\bo unusable if DNS stops
working (for example if the machine is not plugged into
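Review bot: the fast_glob block is moved unchanged from its old place after set_home (the removal appears further down), so the only issue is the wording it carries. Saying fast_glob "is unable to match relative pathnames" understates the consequence: fnmatch(3) compares strings and never consults the file system, so a negated pattern such as `!/usr/bin/su*` does not recognise `/usr/bin/../bin/su` or `../bin/su` as the same program, while a positive rule of ALL still matches, and the exclusion is bypassed. The paragraph should state plainly that fast_glob must not be enabled in a sudoers that relies on negated path patterns containing wildcards.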
+
+
+
+1.7.2 September 24, 2009 10
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
the network). Also note that you must use the host's
official name as DNS knows it. That is, you may not
use a host alias (CNAME entry) due to performance
operators who would attempt to add roles to
_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. When this option is present,
_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs does not even need to exist. Since this
-
-
-
-1.7.2 June 30, 2009 10
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
option tells s\bsu\bud\bdo\bo how to behave when no specific LDAP
entries have been matched, this sudoOption is only
meaningful for the cn=defaults section. This flag is
allowed to run commands on the current host. This flag
is _\bo_\bf_\bf by default.
+
+
+
+1.7.2 September 24, 2009 11
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
mail_no_perms If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
invoking user is allowed to use s\bsu\bud\bdo\bo but the command
they are trying is not listed in their _\bs_\bu_\bd_\bo_\be_\br_\bs file
sites may wish to disable this as it could be used to
gather information on the location of executables that
the normal user does not have access to. The
-
-
-
-1.7.2 June 30, 2009 11
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
disadvantage is that if the executable is simply not in
the user's PATH, s\bsu\bud\bdo\bo will tell the user that they are
not allowed to run it, which can be confusing. This
to a real tty. When this flag is set, s\bsu\bud\bdo\bo can only be
run from a login session and not via other means such
as _\bc_\br_\bo_\bn(1m) or cgi-bin scripts. This flag is _\bo_\bf_\bf by
+
+
+
+1.7.2 September 24, 2009 12
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
default.
root_sudo If set, root is allowed to run s\bsu\bud\bdo\bo too. Disabling
flag is _\bo_\bf_\bf by default.
set_home If set and s\bsu\bud\bdo\bo is invoked with the -\b-s\bs option the HOME
-
-
-
-1.7.2 June 30, 2009 12
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
environment variable will be set to the home directory
of the target user (which is root unless the -\b-u\bu option
is used). This effectively makes the -\b-s\bs option imply
shell listed in the invoking user's /etc/passwd entry
if not). This flag is _\bo_\bf_\bf by default.
- fast_glob Normally, s\bsu\bud\bdo\bo uses the _\bg_\bl_\bo_\bb(3) function to do shell-
- style globbing when matching pathnames. However, since
- it accesses the file system, _\bg_\bl_\bo_\bb(3) can take a long
- time to complete for some patterns, especially when the
- pattern references a network file system that is
- mounted on demand (automounted). The _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb option
- causes s\bsu\bud\bdo\bo to use the _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) function, which does
- not access the file system to do its matching. The
- disadvantage of _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is that it is unable to match
- relative pathnames such as _\b._\b/_\bl_\bs or _\b._\b._\b/_\bb_\bi_\bn_\b/_\bl_\bs. This
- flag is _\bo_\bf_\bf by default.
-
stay_setuid Normally, when s\bsu\bud\bdo\bo executes a command the real and
effective UIDs are set to the target user (root by
- default). This option changes that behavior such that
- the real UID is left as the invoking user's UID. In
- other words, this makes s\bsu\bud\bdo\bo act as a setuid wrapper.
- This can be useful on systems that disable some
- potentially dangerous functionality when a program is
- run setuid. This option is only effective on systems
- with either the _\bs_\be_\bt_\br_\be_\bu_\bi_\bd_\b(_\b) or _\bs_\be_\bt_\br_\be_\bs_\bu_\bi_\bd_\b(_\b) function.
- This flag is _\bo_\bf_\bf by default.
-
-1.7.2 June 30, 2009 13
+1.7.2 September 24, 2009 13
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ default). This option changes that behavior such that
+ the real UID is left as the invoking user's UID. In
+ other words, this makes s\bsu\bud\bdo\bo act as a setuid wrapper.
+ This can be useful on systems that disable some
+ potentially dangerous functionality when a program is
+ run setuid. This option is only effective on systems
+ with either the _\bs_\be_\bt_\br_\be_\bu_\bi_\bd_\b(_\b) or _\bs_\be_\bt_\br_\be_\bs_\bu_\bi_\bd_\b(_\b) function.
+ This flag is _\bo_\bf_\bf by default.
+
targetpw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
specified by the -\b-u\bu option (defaults to root) instead
of the password of the invoking user. Note that this
database as an argument to the -\b-u\bu option. This flag is
_\bo_\bf_\bf by default.
+ transcript If set, s\bsu\bud\bdo\bo will log a transcript of the command being
+ run, similar to the _\bs_\bc_\br_\bi_\bp_\bt(1) command. In this mode
+ s\bsu\bud\bdo\bo will allocate a new _\bp_\bs_\be_\bu_\bd_\bo _\bt_\bt_\by and log all input
+ and output for the command (except when echo is turned
+ off as when a password is entered). Transcripts are
+ logged to the _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bs_\be_\bs_\bs_\bi_\bo_\bn directory with a
+ unique transcript ID that is included in the normal
+ s\bsu\bud\bdo\bo log line, prefixed with _\bT_\bS_\bI_\bD_\b=.
+
+ Transcripts may be viewed with the _\bs_\bu_\bd_\bo_\br_\be_\bp_\bl_\ba_\by(1m)
+ utility, which can also be used to list or search the
+ available transcripts.
+
+ A side effect of this mode is that it will not be
+ possible to suspend the command being run (because it
+ is running in a different tty with its own job
+ control). If a shell is being run, commands executed
+ by that shell will have normal job control but the
+ shell itself may not be suspended.
+
tty_tickets If set, users must authenticate on a per-tty basis.
Normally, s\bsu\bud\bdo\bo uses a directory in the ticket dir with
the same name as the user running it. With this flag
use_loginclass If set, s\bsu\bud\bdo\bo will apply the defaults specified for the
target user's login class if one exists. Only
available if s\bsu\bud\bdo\bo is configured with the
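Review bot: the option text says where transcripts go and how they are tied to the log line (TSID=) but not who may read `/var/log/sudo-session`. A transcript holds everything typed with echo on and everything the command printed, so secrets passed on a command line, pasted into an interactive session or printed by a tool (keys, tokens, contents of protected files) end up there in clear; the "except when echo is turned off" exception covers only password-style prompts. The paragraph should state the required ownership and mode of the directory, that transcripts are as sensitive as the commands they record, and that the TSID in the syslog line is the handle to give sudoreplay when reviewing a session.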
+
+
+
+1.7.2 September 24, 2009 14
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
--with-logincap option. This flag is _\bo_\bf_\bf by default.
visiblepw By default, s\bsu\bud\bdo\bo will refuse to run if the user must
value is used to decide when to wrap lines for nicer
log files. This has no effect on the syslog log file,
only the file log. The default is 80 (use 0 or negate
-
-
-
-1.7.2 June 30, 2009 14
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
the option to disable word wrap).
passwd_timeout Number of minutes before the s\bsu\bud\bdo\bo password prompt times
S\bSt\btr\bri\bin\bng\bgs\bs:
+
+
+1.7.2 September 24, 2009 15
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
badpass_message Message that is displayed if a user enters an incorrect
password. The default is Sorry, try again. unless
insults are enabled.
escapes are supported:
%H expanded to the local hostname including the domain
-
-
-
-1.7.2 June 30, 2009 15
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
name (on if the machine's hostname is fully
qualified or the _\bf_\bq_\bd_\bn option is set)
before any Runas_Alias specifications.
syslog_badpri Syslog priority to use when user authenticates
+
+
+
+1.7.2 September 24, 2009 16
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
unsuccessfully. Defaults to alert.
syslog_goodpri Syslog priority to use when user authenticates
variable.
env_file The _\be_\bn_\bv_\b__\bf_\bi_\bl_\be options specifies the fully qualified path to
-
-
-
-1.7.2 June 30, 2009 16
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
a file containing variables to be set in the environment of
the program being run. Entries in this file should either
be of the form VARIABLE=value or export VARIABLE=value.
Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
The default value is _\bo_\bn_\bc_\be.
+
+
+
+
+1.7.2 September 24, 2009 17
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
lecture_file
Path to a file containing an alternate s\bsu\bud\bdo\bo lecture that
will be used in place of the standard lecture if the named
logfile Path to the s\bsu\bud\bdo\bo log file (not the syslog log file).
Setting a path turns on logging to a file; negating this
-
-
-
-1.7.2 June 30, 2009 17
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
option turns it off. By default, s\bsu\bud\bdo\bo logs via syslog.
mailerflags Flags to use when invoking mailer. Defaults to -\b-t\bt.
is if you want to have the "root path" be separate from the
"user path." Users in the group specified by the
_\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option are not affected by _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh. This
- is not set by default.
+ option is @secure_path@ by default.
syslog Syslog facility if syslog is being used for logging (negate
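Review bot: the preformatted page now carries the literal `@secure_path@`, whereas the other configure placeholder in this file has already been expanded (the header reads `SUDOERS(4)` while the source has `@mansectform@`). Confirm that the build substitutes secure_path into the .cat file as well, otherwise installed systems will display the placeholder instead of the real default. Because a configure-time default means PATH is replaced with no Defaults line present in sudoers, the sentence should also tell administrators how to see the compiled-in value (sudo -V run as root prints the configured settings).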
+
+
+
+1.7.2 September 24, 2009 18
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
to disable syslog logging). Defaults to local2.
verifypw This option controls when a password will be required when
env_check Environment variables to be removed from the user's
environment if the variable's value contains % or /
characters. This can be used to guard against printf-
-
-
-
-1.7.2 June 30, 2009 18
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
style format vulnerabilities in poorly-written
programs. The argument may be a double-quoted, space-
separated list or a single value without double-quotes.
any setuid process (such as s\bsu\bud\bdo\bo).
env_keep Environment variables to be preserved in the user's
+
+
+
+1.7.2 September 24, 2009 19
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is in effect.
This allows fine-grained control over the environment
s\bsu\bud\bdo\bo-spawned processes will receive. The argument may
_\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bg_\br_\bo_\bu_\bp List of network groups
+ _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bs_\be_\bs_\bs_\bi_\bo_\bn Transcript logs
+
E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of these are a bit
contrived. First, we define our _\ba_\bl_\bi_\ba_\bs_\be_\bs:
-
-
-
-
-1.7.2 June 30, 2009 19
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
# User alias specification
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
/usr/sbin/restore, /usr/sbin/rrestore
Cmnd_Alias KILL = /usr/bin/kill
+
+
+
+1.7.2 September 24, 2009 20
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
Cmnd_Alias HALT = /usr/sbin/halt
Defaults!PAGERS noexec
The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually determines who may run
-
-
-
-1.7.2 June 30, 2009 20
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
what.
root ALL = (ALL) ALL
The user j\bja\bac\bck\bk may run any command on the machines in the _\bC_\bS_\bN_\bE_\bT_\bS alias
(the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of
those networks, only 128.138.204.0 has an explicit netmask (in CIDR
+
+
+
+1.7.2 September 24, 2009 21
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
notation) indicating it is a class C network. For the other networks
in _\bC_\bS_\bN_\bE_\bT_\bS, the local machine's netmask will be used during matching.
the _\bH_\bP_\bP_\bA machines. Note that this assumes _\bp_\ba_\bs_\bs_\bw_\bd(1) does not take
multiple usernames on the command line.
-
-
-1.7.2 June 30, 2009 21
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
bob SPARC = (OP) ALL : SGI = (OP) ALL
The user b\bbo\bob\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI machines as any user
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
+
+
+
+1.7.2 September 24, 2009 22
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
On the _\bA_\bL_\bP_\bH_\bA machines, user j\bjo\boh\bhn\bn may su to anyone except root but he is
not allowed to specify any options to the _\bs_\bu(1) command.
and wim), may run any command as user www (which owns the web pages) or
simply _\bs_\bu(1) to www.
-
-
-
-
-1.7.2 June 30, 2009 22
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
/sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
P\bPR\bRE\bEV\bVE\bEN\bNT\bTI\bIN\bNG\bG S\bSH\bHE\bEL\bLL\bL E\bES\bSC\bCA\bAP\bPE\bES\bS
Once s\bsu\bud\bdo\bo executes a program, that program is free to do whatever it
+
+
+
+1.7.2 September 24, 2009 23
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
pleases, including run other programs. This can be a security issue
since it is not uncommon for a program to allow shell escapes, which
lets a user bypass s\bsu\bud\bdo\bo's access control and logging. Common programs
sudo -V | grep "dummy exec"
-
-
-
-1.7.2 June 30, 2009 23
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
If the resulting output contains a line that begins with:
File containing dummy exec functions:
This allows user a\baa\bar\bro\bon\bn to run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi
with _\bn_\bo_\be_\bx_\be_\bc enabled. This will prevent those two commands
+
+
+
+1.7.2 September 24, 2009 24
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
from executing other commands (such as a shell). If you are
unsure whether or not your system is capable of supporting
_\bn_\bo_\be_\bx_\be_\bc you can always just try it out and see if it works.
S\bSU\bUP\bPP\bPO\bOR\bRT\bT
Limited free support is available via the sudo-users mailing list, see
-
-
-
-1.7.2 June 30, 2009 24
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
the archives.
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-1.7.2 June 30, 2009 25
+1.7.2 September 24, 2009 25
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "June 30, 2009" "1.7.2" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "September 24, 2009" "1.7.2" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
\& Runas_Spec ::= \*(Aq(\*(Aq Runas_List? (\*(Aq:\*(Aq Runas_List)? \*(Aq)\*(Aq
\&
\& Tag_Spec ::= (\*(AqNOPASSWD:\*(Aq | \*(AqPASSWD:\*(Aq | \*(AqNOEXEC:\*(Aq | \*(AqEXEC:\*(Aq |
-\& \*(AqSETENV:\*(Aq | \*(AqNOSETENV:\*(Aq )
+\& \*(AqSETENV:\*(Aq | \*(AqNOSETENV:\*(Aq | \*(AqTRANSCRIPT:\*(Aq | \*(AqNOTRANSCRIPT:\*(Aq)
.Ve
.PP
A \fBuser specification\fR determines which commands a user may run
.Sh "Tag_Spec"
.IX Subsection "Tag_Spec"
A command may have zero or more tags associated with it. There are
-eight possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR, \f(CW\*(C`EXEC\*(C'\fR,
-\&\f(CW\*(C`SETENV\*(C'\fR and \f(CW\*(C`NOSETENV\*(C'\fR.
+eight possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR,
+\&\f(CW\*(C`EXEC\*(C'\fR, \f(CW\*(C`SETENV\*(C'\fR, \f(CW\*(C`NOSETENV\*(C'\fR, \f(CW\*(C`TRANSCRIPT\*(C'\fR and \f(CW\*(C`NOTRANSCRIPT\*(C'\fR.
Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR, subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the
\&\f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless it is overridden by the
opposite tag (i.e.: \f(CW\*(C`PASSWD\*(C'\fR overrides \f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOEXEC\*(C'\fR
variables in this manner. If the command matched is \fB\s-1ALL\s0\fR, the
\&\f(CW\*(C`SETENV\*(C'\fR tag is implied for that command; this default may
be overridden by use of the \f(CW\*(C`UNSETENV\*(C'\fR tag.
+.PP
+\fI\s-1TRANSCRIPT\s0 and \s-1NOTRANSCRIPT\s0\fR
+.IX Subsection "TRANSCRIPT and NOTRANSCRIPT"
+.PP
+These tags override the value of the \fItranscript\fR option on a
+per-command basis. For more information, see the description of
+\&\fItranscript\fR in the \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" section below.
.Sh "Wildcards"
.IX Subsection "Wildcards"
\&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters)
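Review bot: the Tag_Spec production now lists SETENV:, NOSETENV:, TRANSCRIPT: and NOTRANSCRIPT:, but the unchanged line just above this hunk still says the implied SETENV on ALL "may be overridden by use of the UNSETENV tag"; there is no UNSETENV in the grammar, so that should read NOSETENV (the same wrong name appears in the preformatted page). Since this hunk already touches the tag list, fix the reference here rather than leaving a tag name that visudo would reject as a syntax error.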
run by root with the \fI\-V\fR option. If the \fIsecure_path\fR option
is set, its value will be used for the \f(CW\*(C`PATH\*(C'\fR environment variable.
This flag is \fIon\fR by default.
+.IP "fast_glob" 16
+.IX Item "fast_glob"
+Normally, \fBsudo\fR uses the \fIglob\fR\|(3) function to do shell-style
+globbing when matching pathnames. However, since it accesses the
+file system, \fIglob\fR\|(3) can take a long time to complete for some
+patterns, especially when the pattern references a network file
+system that is mounted on demand (automounted). The \fIfast_glob\fR
+option causes \fBsudo\fR to use the \fIfnmatch\fR\|(3) function, which does
+not access the file system to do its matching. The disadvantage
+of \fIfast_glob\fR is that it is unable to match relative pathnames
+such as \fI./ls\fR or \fI../bin/ls\fR. This flag is \fIoff\fR by default.
.IP "fqdn" 16
.IX Item "fqdn"
Set this flag if you want to put fully qualified hostnames in the
shell is determined by the \f(CW\*(C`SHELL\*(C'\fR environment variable if it is
set, falling back on the shell listed in the invoking user's
/etc/passwd entry if not). This flag is \fIoff\fR by default.
-.IP "fast_glob" 16
-.IX Item "fast_glob"
-Normally, \fBsudo\fR uses the \fIglob\fR\|(3) function to do shell-style
-globbing when matching pathnames. However, since it accesses the
-file system, \fIglob\fR\|(3) can take a long time to complete for some
-patterns, especially when the pattern references a network file
-system that is mounted on demand (automounted). The \fIfast_glob\fR
-option causes \fBsudo\fR to use the \fIfnmatch\fR\|(3) function, which does
-not access the file system to do its matching. The disadvantage
-of \fIfast_glob\fR is that it is unable to match relative pathnames
-such as \fI./ls\fR or \fI../bin/ls\fR. This flag is \fIoff\fR by default.
.IP "stay_setuid" 16
.IX Item "stay_setuid"
Normally, when \fBsudo\fR executes a command the real and effective
invoking user. Note that this precludes the use of a uid not listed
in the passwd database as an argument to the \fB\-u\fR option.
This flag is \fIoff\fR by default.
+.IP "transcript" 16
+.IX Item "transcript"
+If set, \fBsudo\fR will log a transcript of the command being run,
+similar to the \fIscript\fR\|(1) command. In this mode \fBsudo\fR will allocate
+a new \fIpseudo tty\fR and log all input and output for the command (except
+when echo is turned off as when a password is entered). Transcripts
+are logged to the \fI/var/log/sudo\-session\fR directory with a unique
+transcript \s-1ID\s0 that is included in the normal \fBsudo\fR log line,
+prefixed with \fITSID=\fR.
+.Sp
+Transcripts may be viewed with the \fIsudoreplay\fR\|(@mansectsu@) utility, which
+can also be used to list or search the available transcripts.
+.Sp
+A side effect of this mode is that it will not be possible to suspend
+the command being run (because it is running in a different tty
+with its own job control). If a shell is being run, commands
+executed by that shell will have normal job control but the shell
+itself may not be suspended.
.IP "tty_tickets" 16
.IX Item "tty_tickets"
If set, users must authenticate on a per-tty basis. Normally,
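Review bot: the transcript option description does not mention that it can be overridden per command with the TRANSCRIPT and NOTRANSCRIPT tags, although the Tag_Spec section above sends the reader here; add a sentence cross-referencing the tags so both ways of controlling recording are visible from either place. It should also say what sudo does when `/var/log/sudo-session` is missing or unwritable, that is, whether the command is refused or runs unrecorded, since that decides whether recording is enforced or best effort.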
want to use this. Another use is if you want to have the \*(L"root path\*(R"
be separate from the \*(L"user path.\*(R" Users in the group specified by the
\&\fIexempt_group\fR option are not affected by \fIsecure_path\fR.
-This is not set by default.
+This option is @secure_path@ by default.
.IP "syslog" 12
.IX Item "syslog"
Syslog facility if syslog is being used for logging (negate to
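Review bot: `@secure_path@` is dropped into the middle of a sentence ("This option is @secure_path@ by default."), so the configure substitution must produce a phrase that reads correctly in both build configurations: something like `set to /bin:/usr/bin` when --with-secure-path is given and `not set` otherwise. If the substitution yields a bare path the sentence reads "This option is /bin:/usr/bin by default", and a missing substitution leaves the placeholder in the installed page.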
.IP "\fI/etc/netgroup\fR" 24
.IX Item "/etc/netgroup"
List of network groups
+.IP "\fI/var/log/sudo\-session\fR" 24
+.IX Item "/var/log/sudo-session"
+Transcript logs
.SH "EXAMPLES"
.IX Header "EXAMPLES"
Below are example \fIsudoers\fR entries. Admittedly, some of