S\bSY\bYN\bNO\bOP\bPS\bSI\bIS\bS
s\bsu\bud\bdo\bo -\b-h\bh | -\b-K\bK | -\b-k\bk | -\b-L\bL | -\b-V\bV
- s\bsu\bud\bdo\bo -\b-v\bv [-\b-A\bAk\bkn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt]
+ s\bsu\bud\bdo\bo -\b-v\bv [-\b-A\bAk\bkn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt]
+ [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd]
- s\bsu\bud\bdo\bo -\b-l\bl[\b[l\bl]\b] [-\b-A\bAk\bkn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-g\bg _\bg_\br_\bo_\bu_\bp_\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt]
- [-\b-U\bU _\bu_\bs_\be_\br_\bn_\ba_\bm_\be] [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
+ s\bsu\bud\bdo\bo -\b-l\bl[\b[l\bl]\b] [-\b-A\bAk\bkn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt]
+ [-\b-U\bU _\bu_\bs_\be_\br _\bn_\ba_\bm_\be] [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
- s\bsu\bud\bdo\bo [-\b-A\bAb\bbE\bEH\bHn\bnP\bPS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-] [-\b-g\bg _\bg_\br_\bo_\bu_\bp_\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd]
- [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be] [-\b-i\bi | -\b-s\bs] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
+ s\bsu\bud\bdo\bo [-\b-A\bAb\bbE\bEH\bHn\bnP\bPS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-]
+ [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be]
+ [-\b-i\bi | -\b-s\bs] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
- s\bsu\bud\bdo\boe\bed\bdi\bit\bt [-\b-A\bAn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-] [-\b-g\bg _\bg_\br_\bo_\bu_\bp_\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd]
- [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] file ...
+ s\bsu\bud\bdo\boe\bed\bdi\bit\bt [-\b-A\bAn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-]
+ [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] file ...
D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
s\bsu\bud\bdo\bo allows a permitted user to execute a _\bc_\bo_\bm_\bm_\ba_\bn_\bd as the superuser or
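Review bot: the `sudo -v` synopsis now accepts `-g group name|#gid` and `-u user name|#uid` (the two new `+ sudo -v [-AknS] ...` lines), but the `-v` description later in this diff still says only that sudo "will update the user's timestamp, prompting for the user's password if necessary"; it should state what the run-as user and group mean when validating (which timestamp is refreshed and which user's password is asked for). Also, the new `-v` line keeps `username` while the `-l`, plain and `sudoedit` forms in the same hunk were changed to `user name`; use one spelling throughout the synopsis.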
has been invoked. It also allows the -\b-e\be option to remain useful even
when being run via a sudo-run script or program. Note however, that
the sudoers lookup is still done for root, not the user specified by
- SUDO_USER.
-
-1.7.2 September 24, 2009 1
+1.7.3b2 December 19, 2009 1
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ SUDO_USER.
+
s\bsu\bud\bdo\bo can log both successful and unsuccessful attempts (as well as
errors) to _\bs_\by_\bs_\bl_\bo_\bg(3), a log file, or both. By default s\bsu\bud\bdo\bo will log
via _\bs_\by_\bs_\bl_\bo_\bg(3) but this is changeable at configure time or via the
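Review bot: this hunk, like most of the rendered-page hunks that follow, only moves `SUDO_USER.` across a page break because the footer changed from `1.7.2 September 24, 2009` to `1.7.3b2 December 19, 2009`; no wording changes. Re-pagination churn hides the substantive edits, so the diff submitted for review is better generated from the `sudo.pod`/`sudoers.pod` sources (the `.man.in` file is marked `Automatically generated by Pod::Man`), with the rendered pages regenerated at release time.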
-E The -\b-E\bE (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt) option will override the
_\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option in _\bs_\bu_\bd_\bo_\be_\br_\bs(4)). It is only available when
- either the matching command has the SETENV tag or the
- _\bs_\be_\bt_\be_\bn_\bv option is set in _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
-1.7.2 September 24, 2009 2
+1.7.3b2 December 19, 2009 2
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ either the matching command has the SETENV tag or the
+ _\bs_\be_\bt_\be_\bn_\bv option is set in _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
+
-e The -\b-e\be (_\be_\bd_\bi_\bt) option indicates that, instead of running a
command, the user wishes to edit one or more files. In
lieu of a command, the string "sudoedit" is used when
login shell. This means that login-specific resource files
such as .profile or .login will be read by the shell. If a
command is specified, it is passed to the shell for
- execution. Otherwise, an interactive shell is executed.
- s\bsu\bud\bdo\bo attempts to change to that user's home directory
- before running the shell. It also initializes the
-1.7.2 September 24, 2009 3
+1.7.3b2 December 19, 2009 3
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ execution. Otherwise, an interactive shell is executed.
+ s\bsu\bud\bdo\bo attempts to change to that user's home directory
+ before running the shell. It also initializes the
environment, leaving _\bD_\bI_\bS_\bP_\bL_\bA_\bY and _\bT_\bE_\bR_\bM unchanged, setting
_\bH_\bO_\bM_\bE, _\bS_\bH_\bE_\bL_\bL, _\bU_\bS_\bE_\bR, _\bL_\bO_\bG_\bN_\bA_\bM_\bE, and _\bP_\bA_\bT_\bH, as well as the
contents of _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt on Linux and AIX systems. All
prompt for a password (if one is required by _\bs_\bu_\bd_\bo_\be_\br_\bs) and
will not update the user's timestamp file.
- -L The -\b-L\bL (_\bl_\bi_\bs_\bt defaults) option will list out the parameters
- that may be set in a _\bD_\be_\bf_\ba_\bu_\bl_\bt_\bs line along with a short
- description for each. This option is useful in conjunction
- with _\bg_\br_\be_\bp(1).
+ -L The -\b-L\bL (_\bl_\bi_\bs_\bt defaults) option will list the parameters that
+ may be set in a _\bD_\be_\bf_\ba_\bu_\bl_\bt_\bs line along with a short
+ description for each. This option will be removed from a
+ future version of s\bsu\bud\bdo\bo.
-l[l] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
If no _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified, the -\b-l\bl (_\bl_\bi_\bs_\bt) option will list
of groups the target user is in. The real and effective
group IDs, however, are still set to match the target user.
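Review bot: the new `-L` text says the option "will be removed from a future version of sudo" but names no replacement, and the grep hint was dropped at the same time; point readers at the SUDOERS OPTIONS section of sudoers(4), which this same change cites elsewhere as the list of supported Defaults parameters, so the deprecation notice tells them where to look instead.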
- -p _\bp_\br_\bo_\bm_\bp_\bt The -\b-p\bp (_\bp_\br_\bo_\bm_\bp_\bt) option allows you to override the default
- password prompt and use a custom one. The following
- percent (`%') escapes are supported:
-1.7.2 September 24, 2009 4
+1.7.3b2 December 19, 2009 4
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
- %H expanded to the local hostname including the domain
- name (on if the machine's hostname is fully qualified
+ -p _\bp_\br_\bo_\bm_\bp_\bt The -\b-p\bp (_\bp_\br_\bo_\bm_\bp_\bt) option allows you to override the default
+ password prompt and use a custom one. The following
+ percent (`%') escapes are supported:
+
+ %H expanded to the local host name including the domain
+ name (on if the machine's host name is fully qualified
or the _\bf_\bq_\bd_\bn _\bs_\bu_\bd_\bo_\be_\br_\bs option is set)
- %h expanded to the local hostname without the domain name
+ %h expanded to the local host name without the domain name
%p expanded to the user whose password is being asked for
(respects the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and _\br_\bu_\bn_\ba_\bs_\bp_\bw flags in
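Review bot: while the `%H` line is being touched (`hostname` to `host name`), also fix the parenthetical "(on if the machine's host name is fully qualified ...)", which should read "(only if ...)"; the same typo is carried over unchanged into the troff (`.IP "%H"`) and POD (`=item C<%H>`) versions of this hunk further down.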
number and exit. If the invoking user is already root the
-\b-V\bV option will print out a list of the defaults s\bsu\bud\bdo\bo was
compiled with as well as the machine's local network
- addresses.
-
- -v If given the -\b-v\bv (_\bv_\ba_\bl_\bi_\bd_\ba_\bt_\be) option, s\bsu\bud\bdo\bo will update the
- user's timestamp, prompting for the user's password if
-1.7.2 September 24, 2009 5
+1.7.3b2 December 19, 2009 5
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ addresses.
+
+ -v If given the -\b-v\bv (_\bv_\ba_\bl_\bi_\bd_\ba_\bt_\be) option, s\bsu\bud\bdo\bo will update the
+ user's timestamp, prompting for the user's password if
necessary. This extends the s\bsu\bud\bdo\bo timeout for another 5
minutes (or whatever the timeout is set to in _\bs_\bu_\bd_\bo_\be_\br_\bs) but
does not run a command.
default _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt behavior is encouraged.
In all cases, environment variables with a value beginning with () are
- removed as they could be interpreted as b\bba\bas\bsh\bh functions. The list of
- environment variables that s\bsu\bud\bdo\bo allows or denies is contained in the
- output of sudo -V when run as root.
-
-1.7.2 September 24, 2009 6
+1.7.3b2 December 19, 2009 6
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ removed as they could be interpreted as b\bba\bas\bsh\bh functions. The list of
+ environment variables that s\bsu\bud\bdo\bo allows or denies is contained in the
+ output of sudo -V when run as root.
+
Note that the dynamic linker on most operating systems will remove
variables that can control dynamic linking from the environment of
setuid executables, including s\bsu\bud\bdo\bo. Depending on the operating system
s\bsu\bud\bdo\bo utilizes the following environment variables:
EDITOR Default editor to use in -\b-e\be (sudoedit) mode if neither
- SUDO_EDITOR nor VISUAL is set
-
- HOME In -\b-s\bs or -\b-H\bH mode (or if sudo was configured with the
- --enable-shell-sets-home option), set to homedir of the
-1.7.2 September 24, 2009 7
+1.7.3b2 December 19, 2009 7
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ SUDO_EDITOR nor VISUAL is set
+
+ HOME In -\b-s\bs or -\b-H\bH mode (or if sudo was configured with the
+ --enable-shell-sets-home option), set to homedir of the
target user
PATH Set to a sane value if the _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh sudoers option
To list the home directory of user yaz on a machine where the file
system holding ~yaz is not exported as root:
- $ sudo -u yaz ls ~yaz
- To edit the _\bi_\bn_\bd_\be_\bx_\b._\bh_\bt_\bm_\bl file as user www:
+1.7.3b2 December 19, 2009 8
-1.7.2 September 24, 2009 8
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ $ sudo -u yaz ls ~yaz
+ To edit the _\bi_\bn_\bd_\be_\bx_\b._\bh_\bt_\bm_\bl file as user www:
$ sudo -u www vi ~www/htdocs/index.html
If users have sudo ALL there is nothing to prevent them from creating
their own program that gives them a root shell regardless of any '!'
- elements in the user specification.
-
- Running shell scripts via s\bsu\bud\bdo\bo can expose the same kernel bugs that
- make setuid shell scripts unsafe on some operating systems (if your OS
-1.7.2 September 24, 2009 9
+1.7.3b2 December 19, 2009 9
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ elements in the user specification.
+
+ Running shell scripts via s\bsu\bud\bdo\bo can expose the same kernel bugs that
+ make setuid shell scripts unsafe on some operating systems (if your OS
has a /dev/fd/ directory, setuid shell scripts are generally safe).
B\bBU\bUG\bGS\bS
-
-
-
-
-1.7.2 September 24, 2009 10
+1.7.3b2 December 19, 2009 10
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.\" $Sudo$
-.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05)
+.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
.\" ========================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
-.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
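Review bot: the `.de Sh` macro definition is removed from the preamble and the comment now says subsections are `.SS`, but nothing in the hunk shows the `.Sh` call sites being changed; confirm no `.Sh` request remains in `sudo.man.in`, since a call to an undefined macro is ignored and the heading text would be lost. This is Pod::Man 2.22 generator output, so regenerate the whole file from the POD rather than hand-editing the preamble.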
.\" ========================================================================
.\"
.IX Title "SUDO @mansectsu@"
-.TH SUDO @mansectsu@ "September 24, 2009" "1.7.2" "MAINTENANCE COMMANDS"
+.TH SUDO @mansectsu@ "December 19, 2009" "1.7.3b2" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
.PP
\&\fBsudo\fR \fB\-v\fR [\fB\-AknS\fR]
@BAMAN@[\fB\-a\fR\ \fIauth_type\fR]
-[\fB\-p\fR\ \fIprompt\fR]
+[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
+[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR]
.PP
\&\fBsudo\fR \fB\-l[l]\fR [\fB\-AknS\fR]
@BAMAN@[\fB\-a\fR\ \fIauth_type\fR]
-[\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
-[\fB\-U\fR\ \fIusername\fR] [\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] [\fIcommand\fR]
+[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
+[\fB\-U\fR\ \fIuser\ name\fR] [\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] [\fIcommand\fR]
.PP
\&\fBsudo\fR [\fB\-AbEHnPS\fR]
@BAMAN@[\fB\-a\fR\ \fIauth_type\fR]
[\fB\-C\fR\ \fIfd\fR]
@LCMAN@[\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
-[\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
+[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
@SEMAN@[\fB\-r\fR\ \fIrole\fR] [\fB\-t\fR\ \fItype\fR]
-[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR]
+[\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR]
[\fB\s-1VAR\s0\fR=\fIvalue\fR] [\fB\-i\fR\ |\ \fB\-s\fR] [\fIcommand\fR]
.PP
\&\fBsudoedit\fR [\fB\-AnS\fR]
@BAMAN@[\fB\-a\fR\ \fIauth_type\fR]
[\fB\-C\fR\ \fIfd\fR]
@LCMAN@[\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
-[\fB\-g\fR\ \fIgroupname\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
-[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR] file ...
+[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
+[\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] file ...
.SH "DESCRIPTION"
.IX Header "DESCRIPTION"
\&\fBsudo\fR allows a permitted user to execute a \fIcommand\fR as the
timestamp file.
.IP "\-L" 12
.IX Item "-L"
-The \fB\-L\fR (\fIlist\fR defaults) option will list out the parameters
-that may be set in a \fIDefaults\fR line along with a short description
-for each. This option is useful in conjunction with \fIgrep\fR\|(1).
+The \fB\-L\fR (\fIlist\fR defaults) option will list the parameters that
+may be set in a \fIDefaults\fR line along with a short description for
+each. This option will be removed from a future version of \fBsudo\fR.
.IP "\-l[l] [\fIcommand\fR]" 12
.IX Item "-l[l] [command]"
If no \fIcommand\fR is specified, the \fB\-l\fR (\fIlist\fR) option will list
.ie n .IP "%H" 4
.el .IP "\f(CW%H\fR" 4
.IX Item "%H"
-expanded to the local hostname including the domain name
-(on if the machine's hostname is fully qualified or the \fIfqdn\fR
+expanded to the local host name including the domain name
+(on if the machine's host name is fully qualified or the \fIfqdn\fR
\&\fIsudoers\fR option is set)
.ie n .IP "%h" 4
.el .IP "\f(CW%h\fR" 4
.IX Item "%h"
-expanded to the local hostname without the domain name
+expanded to the local host name without the domain name
.ie n .IP "%p" 4
.el .IP "\f(CW%p\fR" 4
.IX Item "%p"
B<sudo> B<-v> [B<-AknS>]
S<[B<-a> I<auth_type>]>
-S<[B<-g> I<groupname>|I<#gid>]> S<[B<-p> I<prompt>]>
+S<[B<-g> I<group name>|I<#gid>]> S<[B<-p> I<prompt>]>
S<[B<-u> I<username>|I<#uid>]>
B<sudo> B<-l[l]> [B<-AknS>]
S<[B<-a> I<auth_type>]>
-S<[B<-g> I<groupname>|I<#gid>]> S<[B<-p> I<prompt>]>
-S<[B<-U> I<username>]> S<[B<-u> I<username>|I<#uid>]> [I<command>]
+S<[B<-g> I<group name>|I<#gid>]> S<[B<-p> I<prompt>]>
+S<[B<-U> I<user name>]> S<[B<-u> I<user name>|I<#uid>]> [I<command>]
B<sudo> [B<-AbEHnPS>]
S<[B<-a> I<auth_type>]>
S<[B<-C> I<fd>]>
S<[B<-c> I<class>|I<->]>
-S<[B<-g> I<groupname>|I<#gid>]> S<[B<-p> I<prompt>]>
+S<[B<-g> I<group name>|I<#gid>]> S<[B<-p> I<prompt>]>
S<[B<-r> I<role>]> S<[B<-t> I<type>]>
-S<[B<-u> I<username>|I<#uid>]>
+S<[B<-u> I<user name>|I<#uid>]>
S<[B<VAR>=I<value>]> S<[B<-i> | B<-s>]> [I<command>]
B<sudoedit> [B<-AnS>]
S<[B<-a> I<auth_type>]>
S<[B<-C> I<fd>]>
S<[B<-c> I<class>|I<->]>
-S<[B<-g> I<groupname>|I<#gid>]> S<[B<-p> I<prompt>]>
-S<[B<-u> I<username>|I<#uid>]> file ...
+S<[B<-g> I<group name>|I<#gid>]> S<[B<-p> I<prompt>]>
+S<[B<-u> I<user name>|I<#uid>]> file ...
=head1 DESCRIPTION
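Review bot: in the POD source the `sudo -v` synopsis keeps `S<[B<-u> I<username>|I<#uid>]>` while the `-l`, plain and `sudoedit` forms were changed to `I<user name>`; since the `.man.in` and the rendered page are generated from this file, this line is the one to fix, otherwise the inconsistency (visible as `[-u username|#uid]` under `sudo -v` in the rendered synopsis) is reintroduced on every regeneration.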
=item C<%H>
-expanded to the local hostname including the domain name
-(on if the machine's hostname is fully qualified or the I<fqdn>
+expanded to the local host name including the domain name
+(on if the machine's host name is fully qualified or the I<fqdn>
I<sudoers> option is set)
=item C<%h>
-expanded to the local hostname without the domain name
+expanded to the local host name without the domain name
=item C<%p>
Form (EBNF). Don't despair if you don't know what EBNF is; it is
fairly simple, and the definitions below are annotated.
- Q\bQu\bui\bic\bck\bk g\bgu\bui\bid\bde\be t\bto\bo E\bEB\bBN\bNF\bF
-
+ Q\bQu\bui\bic\bck\bk g\bgu\bui\bid\bde\be t\bto\bo E\bEB\bBN\bNF\bF
EBNF is a concise and exact way of describing the grammar of a
language. Each EBNF definition is made up of _\bp_\br_\bo_\bd_\bu_\bc_\bt_\bi_\bo_\bn _\br_\bu_\bl_\be_\bs. E.g.,
will use single quotes ('') to designate what is a verbatim character
string (as opposed to a symbol name).
- A\bAl\bli\bia\bas\bse\bes\bs
-
+ A\bAl\bli\bia\bas\bse\bes\bs
There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias
and Cmnd_Alias.
Runas_Alias ::= NAME '=' Runas_List
+ Host_Alias ::= NAME '=' Host_List
-1.7.2 September 24, 2009 1
+1.7.3b2 December 19, 2009 1
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- Host_Alias ::= NAME '=' Host_List
Cmnd_Alias ::= NAME '=' Cmnd_List
User_List ::= User |
User ',' User_List
- User ::= '!'* username |
+ User ::= '!'* user name |
'!'* '#'uid |
'!'* '%'group |
'!'* '+'netgroup |
'!'* '%:'nonunix_group |
'!'* User_Alias
- A User_List is made up of one or more usernames, uids (prefixed with
+ A User_List is made up of one or more user names, uids (prefixed with
'#'), system groups (prefixed with '%'), netgroups (prefixed with '+')
and User_Aliases. Each list item may be prefixed with zero or more '!'
operators. An odd number of '!' operators negate the value of the
item; an even number just cancel each other out.
- A username, group, netgroup and nonunix_groups may be enclosed in
- double quotes to avoid the need for escaping special characters.
- Alternately, special characters may be specified in escaped hex mode,
- e.g. \x20 for space.
+ A user name, group, netgroup or nonunix_group may be enclosed in double
+ quotes to avoid the need for escaping special characters. Alternately,
+ special characters may be specified in escaped hex mode, e.g. \x20 for
+ space.
The nonunix_group syntax depends on the underlying implementation. For
instance, the QAS AD backend supports the following formats:
Note that quotes around group names are optional. Unquoted strings
must use a backslash (\) to escape spaces and the '@' symbol.
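Review bot: changing the grammar terminal to `User ::= '!'* user name |` makes a single token look like two words, unlike the neighbouring `uid`, `group`, `netgroup` and `nonunix_group`; keep one identifier in the EBNF (for example `user_name`) and use the two-word form only in the prose. The same applies to `Runas_Member ::= '!'* user name |` and `Host ::= '!'* host name |` below.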
+ Runas_List ::= Runas_Member |
+ Runas_Member ',' Runas_List
-1.7.2 September 24, 2009 2
+1.7.3b2 December 19, 2009 2
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- Runas_List ::= Runas_Member |
- Runas_Member ',' Runas_List
- Runas_Member ::= '!'* username |
+ Runas_Member ::= '!'* user name |
'!'* '#'uid |
'!'* '%'group |
'!'* +netgroup |
'!'* Runas_Alias
A Runas_List is similar to a User_List except that instead of
- User_Aliases it can contain Runas_Aliases. Note that usernames and
+ User_Aliases it can contain Runas_Aliases. Note that user names and
groups are matched as strings. In other words, two users (groups) with
the same uid (gid) are considered to be distinct. If you wish to match
- all usernames with the same uid (e.g. root and toor), you can use a uid
- instead (#0 in the example given).
+ all user names with the same uid (e.g. root and toor), you can use a
+ uid instead (#0 in the example given).
Host_List ::= Host |
Host ',' Host_List
- Host ::= '!'* hostname |
+ Host ::= '!'* host name |
'!'* ip_addr |
'!'* network(/netmask)? |
'!'* '+'netgroup |
'!'* Host_Alias
- A Host_List is made up of one or more hostnames, IP addresses, network
+ A Host_List is made up of one or more host names, IP addresses, network
numbers, netgroups (prefixed with '+') and other aliases. Again, the
value of an item may be negated with the '!' operator. If you do not
specify a netmask along with the network number, s\bsu\bud\bdo\bo will query each
corresponds to one of the hosts's network interfaces, the corresponding
netmask will be used. The netmask may be specified either in standard
IP address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or
- CIDR notation (number of bits, e.g. 24 or 64). A hostname may include
+ CIDR notation (number of bits, e.g. 24 or 64). A host name may include
shell-style wildcards (see the Wildcards section below), but unless the
- hostname command on your machine returns the fully qualified hostname,
- you'll need to use the _\bf_\bq_\bd_\bn option for wildcards to be useful.
+ host name command on your machine returns the fully qualified host
+ name, you'll need to use the _\bf_\bq_\bd_\bn option for wildcards to be useful.
Cmnd_List ::= Cmnd |
Cmnd ',' Cmnd_List
- commandname ::= filename |
- filename args |
- filename '""'
+ commandname ::= file name |
+ file name args |
+ file name '""'
Cmnd ::= '!'* commandname |
'!'* directory |
'!'* Cmnd_Alias
A Cmnd_List is a list of one or more commandnames, directories, and
- other aliases. A commandname is a fully qualified filename which may
+ other aliases. A commandname is a fully qualified file name which may
include shell-style wildcards (see the Wildcards section below). A
- simple filename allows the user to run the command with any arguments
+ simple file name allows the user to run the command with any arguments
+ he/she wishes. However, you may also specify command line arguments
+ (including wildcards). Alternately, you can specify "" to indicate
-1.7.2 September 24, 2009 3
+1.7.3b2 December 19, 2009 3
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- he/she wishes. However, you may also specify command line arguments
- (including wildcards). Alternately, you can specify "" to indicate
that the command may only be run w\bwi\bit\bth\bho\bou\but\bt command line arguments. A
- directory is a fully qualified pathname ending in a '/'. When you
+ directory is a fully qualified path name ending in a '/'. When you
specify a directory in a Cmnd_List, the user will be able to run any
file within that directory (but not in any subdirectories therein).
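Review bot: `host name command on your machine returns the fully qualified host name` is wrong after the rename: the first occurrence is the hostname(1) command, not the noun, and must stay `hostname`. In the same hunk the production becomes `commandname ::= file name | file name args | file name '""'`, which leaves `commandname` as one word while splitting `file name` inside a grammar rule; as with `user name` above, a single EBNF token (e.g. `file_name`) keeps the grammar readable.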
to permit a user to run s\bsu\bud\bdo\bo with the -\b-e\be option (or as s\bsu\bud\bdo\boe\bed\bdi\bit\bt). It
may take command line arguments just as a normal command does.
- D\bDe\bef\bfa\bau\bul\blt\bts\bs
-
+ D\bDe\bef\bfa\bau\bul\blt\bts\bs
Certain configuration options may be changed from their default values
at runtime via one or more Default_Entry lines. These may affect all
users on any host, all users on a specific host, a specific user, a
not exist in a list.
Defaults entries are parsed in the following order: generic, host and
+ user Defaults first, then runas Defaults and finally command defaults.
-
-
-1.7.2 September 24, 2009 4
+ See "SUDOERS OPTIONS" for a list of supported Defaults parameters.
+1.7.3b2 December 19, 2009 4
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- user Defaults first, then runas Defaults and finally command defaults.
- See "SUDOERS OPTIONS" for a list of supported Defaults parameters.
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- U\bUs\bse\ber\br S\bSp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn
+ U\bUs\bse\ber\br S\bSp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn
User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
(':' Host_List '=' Cmnd_Spec_List)*
The basic structure of a user specification is `who = where (as_whom)
what'. Let's break that down into its constituent parts:
- R\bRu\bun\bna\bas\bs_\b_S\bSp\bpe\bec\bc
-
+ R\bRu\bun\bna\bas\bs_\b_S\bSp\bpe\bec\bc
A Runas_Spec determines the user and/or the group that a command may be
run as. A fully-specified Runas_Spec consists of two Runas_Lists (as
defined above) separated by a colon (':') and enclosed in a set of
It is also possible to override a Runas_Spec later on in an entry. If
we modify the entry like so:
+ dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
+ Then user d\bdg\bgb\bb is now allowed to run _\b/_\bb_\bi_\bn_\b/_\bl_\bs as o\bop\bpe\ber\bra\bat\bto\bor\br, but _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl
+ and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as r\bro\boo\bot\bt.
-1.7.2 September 24, 2009 5
+1.7.3b2 December 19, 2009 5
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
- Then user d\bdg\bgb\bb is now allowed to run _\b/_\bb_\bi_\bn_\b/_\bl_\bs as o\bop\bpe\ber\bra\bat\bto\bor\br, but _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl
- and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as r\bro\boo\bot\bt.
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
We can extend this to allow d\bdg\bgb\bb to run /bin/ls with either the user or
group set to o\bop\bpe\ber\bra\bat\bto\bor\br:
tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \
/usr/local/bin/minicom
- T\bTa\bag\bg_\b_S\bSp\bpe\bec\bc
-
+ T\bTa\bag\bg_\b_S\bSp\bpe\bec\bc
A command may have zero or more tags associated with it. There are
eight possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV,
NOSETENV, TRANSCRIPT and NOTRANSCRIPT. Once a tag is set on a Cmnd,
pertain to the current host. This behavior may be overridden via the
verifypw and listpw options.
+ _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC
+ If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the underlying
+ operating system supports it, the NOEXEC tag can be used to prevent a
+ dynamically-linked executable from running further commands itself.
-1.7.2 September 24, 2009 6
+1.7.3b2 December 19, 2009 6
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the underlying
- operating system supports it, the NOEXEC tag can be used to prevent a
- dynamically-linked executable from running further commands itself.
In the following example, user a\baa\bar\bro\bon\bn may run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and
_\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi but shell escapes will be disabled.
basis. For more information, see the description of _\bt_\br_\ba_\bn_\bs_\bc_\br_\bi_\bp_\bt in the
"SUDOERS OPTIONS" section below.
- W\bWi\bil\bld\bdc\bca\bar\brd\bds\bs
-
+ W\bWi\bil\bld\bdc\bca\bar\brd\bds\bs
s\bsu\bud\bdo\bo allows shell-style _\bw_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs (aka meta or glob characters) to be
- used in hostnames, pathnames and command line arguments in the _\bs_\bu_\bd_\bo_\be_\br_\bs
- file. Wildcard matching is done via the P\bPO\bOS\bSI\bIX\bX _\bg_\bl_\bo_\bb(3) and _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3)
- routines. Note that these are _\bn_\bo_\bt regular expressions.
+ used in host names, path names and command line arguments in the
+ _\bs_\bu_\bd_\bo_\be_\br_\bs file. Wildcard matching is done via the P\bPO\bOS\bSI\bIX\bX _\bg_\bl_\bo_\bb(3) and
+ _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) routines. Note that these are _\bn_\bo_\bt regular expressions.
* Matches any set of zero or more characters.
/bin/ls [[\:alpha\:]]*
+ Would match any file name beginning with a letter.
+ Note that a forward slash ('/') will n\bno\bot\bt be matched by wildcards used
+ in the path name. When matching the command line arguments, however, a
+ slash d\bdo\boe\bes\bs get matched by wildcards. This is to make a path like:
-
-1.7.2 September 24, 2009 7
+ /usr/bin/*
+1.7.3b2 December 19, 2009 7
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- Would match any filename beginning with a letter.
- Note that a forward slash ('/') will n\bno\bot\bt be matched by wildcards used
- in the pathname. When matching the command line arguments, however, a
- slash d\bdo\boe\bes\bs get matched by wildcards. This is to make a path like:
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- /usr/bin/*
match _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bw_\bh_\bo but not _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bX_\b1_\b1_\b/_\bx_\bt_\be_\br_\bm.
- E\bEx\bxc\bce\bep\bpt\bti\bio\bon\bns\bs t\bto\bo w\bwi\bil\bld\bdc\bca\bar\brd\bd r\bru\bul\ble\bes\bs
-
+ E\bEx\bxc\bce\bep\bpt\bti\bio\bon\bns\bs t\bto\bo w\bwi\bil\bld\bdc\bca\bar\brd\bd r\bru\bul\ble\bes\bs
The following exceptions apply to the above rules:
"" If the empty string "" is the only command line argument in the
_\bs_\bu_\bd_\bo_\be_\br_\bs entry it means that command is not allowed to be run
with a\ban\bny\by arguments.
- I\bIn\bnc\bcl\blu\bud\bdi\bin\bng\bg o\bot\bth\bhe\ber\br f\bfi\bil\ble\bes\bs f\bfr\bro\bom\bm w\bwi\bit\bth\bhi\bin\bn s\bsu\bud\bdo\boe\ber\brs\bs
-
+ I\bIn\bnc\bcl\blu\bud\bdi\bin\bng\bg o\bot\bth\bhe\ber\br f\bfi\bil\ble\bes\bs f\bfr\bro\bom\bm w\bwi\bit\bth\bhi\bin\bn s\bsu\bud\bdo\boe\ber\brs\bs
It is possible to include other _\bs_\bu_\bd_\bo_\be_\br_\bs files from within the _\bs_\bu_\bd_\bo_\be_\br_\bs
file currently being parsed using the #include and #includedir
directives.
A hard limit of 128 nested include files is enforced to prevent include
file loops.
- The filename may include the %h escape, signifying the short form of
- the hostname. I.e., if the machine's hostname is "xerxes", then
+ The file name may include the %h escape, signifying the short form of
+ the host name. I.e., if the machine's host name is "xerxes", then
#include /etc/sudoers.%h
s\bsu\bud\bdo\bo will read each file in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd, skipping file names that
end in ~ or contain a . character to avoid causing problems with
+ package manager or editor temporary/backup files. Files are parsed in
+ sorted lexical order. That is, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b0_\b1_\b__\bf_\bi_\br_\bs_\bt will be parsed
+ before _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Be aware that because the sorting is
+ lexical, not numeric, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b__\bw_\bh_\bo_\bo_\bp_\bs would be loaded a\baf\bft\bte\ber\br
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Using a consistent number of leading zeroes
+ in the file names can be used to avoid such problems.
+
+ Note that unlike files included via #include, v\bvi\bis\bsu\bud\bdo\bo will not edit the
+ files in a #includedir directory unless one of them contains a syntax
+ error. It is still possible to run v\bvi\bis\bsu\bud\bdo\bo with the -f flag to edit the
-1.7.2 September 24, 2009 8
+1.7.3b2 December 19, 2009 8
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- package manager or editor temporary/backup files. Files are parsed in
- sorted lexical order. That is, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b0_\b1_\b__\bf_\bi_\br_\bs_\bt will be parsed
- before _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Be aware that because the sorting is
- lexical, not numeric, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b__\bw_\bh_\bo_\bo_\bp_\bs would be loaded a\baf\bft\bte\ber\br
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Using a consistent number of leading zeroes
- in the file names can be used to avoid such problems.
-
- Note that unlike files included via #include, v\bvi\bis\bsu\bud\bdo\bo will not edit the
- files in a #includedir directory unless one of them contains a syntax
- error. It is still possible to run v\bvi\bis\bsu\bud\bdo\bo with the -f flag to edit the
files directly.
- O\bOt\bth\bhe\ber\br s\bsp\bpe\bec\bci\bia\bal\bl c\bch\bha\bar\bra\bac\bct\bte\ber\brs\bs a\ban\bnd\bd r\bre\bes\bse\ber\brv\bve\bed\bd w\bwo\bor\brd\bds\bs
-
+ O\bOt\bth\bhe\ber\br s\bsp\bpe\bec\bci\bia\bal\bl c\bch\bha\bar\bra\bac\bct\bte\ber\brs\bs a\ban\bnd\bd r\bre\bes\bse\ber\brv\bve\bed\bd w\bwo\bor\brd\bds\bs
The pound sign ('#') is used to indicate a comment (unless it is part
of a #include directive or unless it occurs in the context of a user
name and is followed by one or more digits, in which case it is treated
characters in a _\bU_\bs_\be_\br _\bS_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn ('=', ':', '(', ')') is optional.
The following characters must be escaped with a backslash ('\') when
- used as part of a word (e.g. a username or hostname): '@', '!', '=',
+ used as part of a word (e.g. a user name or host name): '@', '!', '=',
':', ',', '(', ')', '\'.
S\bSU\bUD\bDO\bOE\bER\bRS\bS O\bOP\bPT\bTI\bIO\bON\bNS\bS
always_set_home If set, s\bsu\bud\bdo\bo will set the HOME environment variable to
the home directory of the target user (which is root
unless the -\b-u\bu option is used). This effectively means
+ that the -\b-H\bH option is always implied. This flag is _\bo_\bf_\bf
+ by default.
+ authenticate If set, users must authenticate themselves via a
+ password (or other means of authentication) before they
+ may run commands. This default may be overridden via
+ the PASSWD and NOPASSWD tags. This flag is _\bo_\bn by
+ default.
+ closefrom_override
+ If set, the user may use s\bsu\bud\bdo\bo's -\b-C\bC option which
-1.7.2 September 24, 2009 9
+1.7.3b2 December 19, 2009 9
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- that the -\b-H\bH option is always implied. This flag is _\bo_\bf_\bf
- by default.
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- authenticate If set, users must authenticate themselves via a
- password (or other means of authentication) before they
- may run commands. This default may be overridden via
- the PASSWD and NOPASSWD tags. This flag is _\bo_\bn by
- default.
- closefrom_override
- If set, the user may use s\bsu\bud\bdo\bo's -\b-C\bC option which
overrides the default starting point at which s\bsu\bud\bdo\bo
begins closing open file descriptors. This flag is _\bo_\bf_\bf
by default.
+ compress_transcript
+ If set, and the _\bt_\br_\ba_\bn_\bs_\bc_\br_\bi_\bp_\bt flag is also set, s\bsu\bud\bdo\bo will
+ compress the transcript logs using z\bzl\bli\bib\bb. This flag is
+ _\bo_\bn by default when s\bsu\bud\bdo\bo is compiled with z\bzl\bli\bib\bb support.
+
env_editor If set, v\bvi\bis\bsu\bud\bdo\bo will use the value of the EDITOR or
VISUAL environment variables before falling back on the
default editor list. Note that this may create a
variable. This flag is _\bo_\bn by default.
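Review bot: the new compress_transcript entry says the flag is on by default when sudo is compiled with zlib support, but not what happens when it is not: whether setting it in sudoers is a parse error or is silently ignored. It also does not say where the compressed transcript files are written or how to read them back, and the transcript entry below only says logging is "similar to the script(1) command". Add the no-zlib behaviour and a pointer to the transcript location.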
fast_glob Normally, s\bsu\bud\bdo\bo uses the _\bg_\bl_\bo_\bb(3) function to do shell-
- style globbing when matching pathnames. However, since
- it accesses the file system, _\bg_\bl_\bo_\bb(3) can take a long
- time to complete for some patterns, especially when the
- pattern references a network file system that is
- mounted on demand (automounted). The _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb option
- causes s\bsu\bud\bdo\bo to use the _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) function, which does
- not access the file system to do its matching. The
- disadvantage of _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is that it is unable to match
- relative pathnames such as _\b._\b/_\bl_\bs or _\b._\b._\b/_\bb_\bi_\bn_\b/_\bl_\bs. This
- flag is _\bo_\bf_\bf by default.
-
- fqdn Set this flag if you want to put fully qualified
- hostnames in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. I.e., instead of myhost
- you would use myhost.mydomain.edu. You may still use
- the short form if you wish (and even mix the two).
- Beware that turning on _\bf_\bq_\bd_\bn requires s\bsu\bud\bdo\bo to make DNS
- lookups which may make s\bsu\bud\bdo\bo unusable if DNS stops
- working (for example if the machine is not plugged into
+ style globbing when matching path names. However,
+ since it accesses the file system, _\bg_\bl_\bo_\bb(3) can take a
+ long time to complete for some patterns, especially
+ when the pattern references a network file system that
+ is mounted on demand (automounted). The _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb
+ option causes s\bsu\bud\bdo\bo to use the _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) function,
+ which does not access the file system to do its
+ matching. The disadvantage of _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is that it is
+ unable to match relative path names such as _\b._\b/_\bl_\bs or
+ _\b._\b._\b/_\bb_\bi_\bn_\b/_\bl_\bs. This flag is _\bo_\bf_\bf by default.
+
+ fqdn Set this flag if you want to put fully qualified host
+ names in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. I.e., instead of myhost you
+ would use myhost.mydomain.edu. You may still use the
+ short form if you wish (and even mix the two). Beware
+ that turning on _\bf_\bq_\bd_\bn requires s\bsu\bud\bdo\bo to make DNS lookups
+ which may make s\bsu\bud\bdo\bo unusable if DNS stops working (for
+ example if the machine is not plugged into the
+ network). Also note that you must use the host's
+ official name as DNS knows it. That is, you may not
+ use a host alias (CNAME entry) due to performance
+ issues and the fact that there is no way to get all
+ aliases from DNS. If your machine's host name (as
+ returned by the hostname command) is already fully
-1.7.2 September 24, 2009 10
+1.7.3b2 December 19, 2009 10
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- the network). Also note that you must use the host's
- official name as DNS knows it. That is, you may not
- use a host alias (CNAME entry) due to performance
- issues and the fact that there is no way to get all
- aliases from DNS. If your machine's hostname (as
- returned by the hostname command) is already fully
qualified you shouldn't need to set _\bf_\bq_\bd_\bn. This flag is
_\bo_\bf_\bf by default.
insults If set, s\bsu\bud\bdo\bo will insult users when they enter an
incorrect password. This flag is _\bo_\bf_\bf by default.
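Review bot: the fast_glob and fqdn hunks are pure re-wraps ("pathnames" to "path names", "hostnames" to "host names") with no semantic change, and the same is true of most of the preformatted-page hunks in this diff, so the two or three real wording changes are buried in pagination noise. Consider committing only the .pod change and regenerating the preformatted pages at release time. While the fast_glob text is being touched: it says fnmatch(3) cannot match relative path names such as ./ls, but not what that means for a Cmnd entry that depends on such a match, which is the detail an administrator weighing this option needs.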
- log_host If set, the hostname will be logged in the (non-syslog)
- s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
+ log_host If set, the host name will be logged in the (non-
+ syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
log_year If set, the four-digit year will be logged in the (non-
syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
allowed to run commands on the current host. This flag
is _\bo_\bf_\bf by default.
+ mail_no_perms If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
+ invoking user is allowed to use s\bsu\bud\bdo\bo but the command
+ they are trying is not listed in their _\bs_\bu_\bd_\bo_\be_\br_\bs file
+ entry or is explicitly denied. This flag is _\bo_\bf_\bf by
+ default.
-1.7.2 September 24, 2009 11
+1.7.3b2 December 19, 2009 11
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- mail_no_perms If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
- invoking user is allowed to use s\bsu\bud\bdo\bo but the command
- they are trying is not listed in their _\bs_\bu_\bd_\bo_\be_\br_\bs file
- entry or is explicitly denied. This flag is _\bo_\bf_\bf by
- default.
mail_no_user If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
invoking user is not in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. This flag is
to a real tty. When this flag is set, s\bsu\bud\bdo\bo can only be
run from a login session and not via other means such
as _\bc_\br_\bo_\bn(1m) or cgi-bin scripts. This flag is _\bo_\bf_\bf by
+ default.
+
+ root_sudo If set, root is allowed to run s\bsu\bud\bdo\bo too. Disabling
+ this prevents users from "chaining" s\bsu\bud\bdo\bo commands to
+ get a root shell by doing something like "sudo sudo
+ /bin/sh". Note, however, that turning off _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo
-1.7.2 September 24, 2009 12
+1.7.3b2 December 19, 2009 12
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- default.
-
- root_sudo If set, root is allowed to run s\bsu\bud\bdo\bo too. Disabling
- this prevents users from "chaining" s\bsu\bud\bdo\bo commands to
- get a root shell by doing something like "sudo sudo
- /bin/sh". Note, however, that turning off _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo
will also prevent root and from running s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
Disabling _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo provides no real additional
security; it exists purely for historical reasons.
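Review bot: the unchanged context line "will also prevent root and from running sudoedit" has a stray "and" (it should read "will also prevent root from running sudoedit"). Since the root_sudo paragraph is being moved across the page break in this change anyway, fix it in the .pod source here.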
stay_setuid Normally, when s\bsu\bud\bdo\bo executes a command the real and
effective UIDs are set to the target user (root by
+ default). This option changes that behavior such that
+ the real UID is left as the invoking user's UID. In
+ other words, this makes s\bsu\bud\bdo\bo act as a setuid wrapper.
+ This can be useful on systems that disable some
+ potentially dangerous functionality when a program is
+ run setuid. This option is only effective on systems
-1.7.2 September 24, 2009 13
+1.7.3b2 December 19, 2009 13
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- default). This option changes that behavior such that
- the real UID is left as the invoking user's UID. In
- other words, this makes s\bsu\bud\bdo\bo act as a setuid wrapper.
- This can be useful on systems that disable some
- potentially dangerous functionality when a program is
- run setuid. This option is only effective on systems
with either the _\bs_\be_\bt_\br_\be_\bu_\bi_\bd_\b(_\b) or _\bs_\be_\bt_\br_\be_\bs_\bu_\bi_\bd_\b(_\b) function.
This flag is _\bo_\bf_\bf by default.
targetpw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
specified by the -\b-u\bu option (defaults to root) instead
- of the password of the invoking user. Note that this
- precludes the use of a uid not listed in the passwd
- database as an argument to the -\b-u\bu option. This flag is
- _\bo_\bf_\bf by default.
+ of the password of the invoking user. In addition, the
+ timestamp file name will include the target user's
+ name. Note that this flag precludes the use of a uid
+ not listed in the passwd database as an argument to the
+ -\b-u\bu option. This flag is _\bo_\bf_\bf by default.
transcript If set, s\bsu\bud\bdo\bo will log a transcript of the command being
run, similar to the _\bs_\bc_\br_\bi_\bp_\bt(1) command. In this mode
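Review bot: the added sentence "the timestamp file name will include the target user's name" should state the consequence rather than the implementation detail: with targetpw set, a cached authentication for one -u target does not satisfy a later sudo for a different target user. Readers used to the single per-user timestamp will otherwise miss this.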
use_loginclass If set, s\bsu\bud\bdo\bo will apply the defaults specified for the
target user's login class if one exists. Only
available if s\bsu\bud\bdo\bo is configured with the
+ --with-logincap option. This flag is _\bo_\bf_\bf by default.
+ visiblepw By default, s\bsu\bud\bdo\bo will refuse to run if the user must
+ enter a password but it is not possible to disable echo
+ on the terminal. If the _\bv_\bi_\bs_\bi_\bb_\bl_\be_\bp_\bw flag is set, s\bsu\bud\bdo\bo
-1.7.2 September 24, 2009 14
+1.7.3b2 December 19, 2009 14
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- --with-logincap option. This flag is _\bo_\bf_\bf by default.
- visiblepw By default, s\bsu\bud\bdo\bo will refuse to run if the user must
- enter a password but it is not possible to disable echo
- on the terminal. If the _\bv_\bi_\bs_\bi_\bb_\bl_\be_\bp_\bw flag is set, s\bsu\bud\bdo\bo
will prompt for a password even when it would be
visible on the screen. This makes it possible to run
things like "rsh somehost sudo ls" since _\br_\bs_\bh(1) does
the option to disable word wrap).
passwd_timeout Number of minutes before the s\bsu\bud\bdo\bo password prompt times
- out. The default is 5; set this to 0 for no password
+ out. The timeout may include a fractional component if
+ minute granularity is insufficient, for example 2.5.
+ The default is 5; set this to 0 for no password
timeout.
timestamp_timeout
Number of minutes that can elapse before s\bsu\bud\bdo\bo will ask
- for a passwd again. The default is 5. Set this to 0
- to always prompt for a password. If set to a value
- less than 0 the user's timestamp will never expire.
- This can be used to allow users to create or delete
- their own timestamps via sudo -v and sudo -k
+ for a passwd again. The timeout may include a
+ fractional component if minute granularity is
+ insufficient, for example 2.5. The default is 5. Set
+ this to 0 to always prompt for a password. If set to a
+ value less than 0 the user's timestamp will never
+ expire. This can be used to allow users to create or
+ delete their own timestamps via sudo -v and sudo -k
respectively.
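Review bot: "ask for a passwd again" in the rewritten timestamp_timeout text should be "password"; passwd is the command and database name, and the adjacent passwd_timeout entry correctly says "password prompt". The fractional-minute sentence is now duplicated verbatim in both entries, which is acceptable, but the timestamp_timeout case should also say how a fractional value interacts with the "less than 0 never expires" rule so that "-0.5" is not left ambiguous.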
umask Umask to use when running the command. Negate this
-1.7.2 September 24, 2009 15
+
+1.7.3b2 December 19, 2009 15
your system.
mailsub Subject of the mail sent to the _\bm_\ba_\bi_\bl_\bt_\bo user. The escape
- %h will expand to the hostname of the machine. Default
- is *** SECURITY information for %h ***.
+ %h will expand to the host name of the machine.
+ Default is *** SECURITY information for %h ***.
noexec_file Path to a shared library containing dummy versions of
the _\be_\bx_\be_\bc_\bv_\b(_\b), _\be_\bx_\be_\bc_\bv_\be_\b(_\b) and _\bf_\be_\bx_\be_\bc_\bv_\be_\b(_\b) library functions
environment variable. The following percent (`%')
escapes are supported:
- %H expanded to the local hostname including the domain
- name (on if the machine's hostname is fully
+ %H expanded to the local host name including the
+ domain name (on if the machine's host name is fully
qualified or the _\bf_\bq_\bd_\bn option is set)
- %h expanded to the local hostname without the domain
+ %h expanded to the local host name without the domain
name
%p expanded to the user whose password is being asked
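Review bot: the rewrapped %H line keeps the typo "(on if the machine's host name is fully qualified or the fqdn option is set)"; it should read "only if". The line is being rewritten anyway, so correct it in this change.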
-1.7.2 September 24, 2009 16
+1.7.3b2 December 19, 2009 16
-1.7.2 September 24, 2009 17
+1.7.3b2 December 19, 2009 17
is if you want to have the "root path" be separate from the
"user path." Users in the group specified by the
_\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option are not affected by _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh. This
- option is @secure_path@ by default.
+ option is not set by default.
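Review bot: replacing "@secure_path@ by default" with "not set by default" loses the information that the default comes from configure (--with-secure-path). If the substitution was dropped because it rendered literally in the preformatted page, say "not set unless sudo was configured with a default secure_path", otherwise a packaged build that does compile one in is contradicted by its own man page.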
syslog Syslog facility if syslog is being used for logging (negate
-1.7.2 September 24, 2009 18
+1.7.3b2 December 19, 2009 18
-1.7.2 September 24, 2009 19
+1.7.3b2 December 19, 2009 19
-1.7.2 September 24, 2009 20
+1.7.3b2 December 19, 2009 20
-1.7.2 September 24, 2009 21
+1.7.3b2 December 19, 2009 21
The user p\bpe\bet\bte\be is allowed to change anyone's password except for root on
the _\bH_\bP_\bP_\bA machines. Note that this assumes _\bp_\ba_\bs_\bs_\bw_\bd(1) does not take
- multiple usernames on the command line.
+ multiple user names on the command line.
bob SPARC = (OP) ALL : SGI = (OP) ALL
-1.7.2 September 24, 2009 22
+1.7.3b2 December 19, 2009 22
-1.7.2 September 24, 2009 23
+1.7.3b2 December 19, 2009 23
-1.7.2 September 24, 2009 24
+1.7.3b2 December 19, 2009 24
syntactically incorrect _\bs_\bu_\bd_\bo_\be_\br_\bs file.
When using netgroups of machines (as opposed to users), if you store
- fully qualified hostnames in the netgroup (as is usually the case), you
- either need to have the machine's hostname be fully qualified as
+ fully qualified host name in the netgroup (as is usually the case), you
+ either need to have the machine's host name be fully qualified as
returned by the hostname command or use the _\bf_\bq_\bd_\bn option in _\bs_\bu_\bd_\bo_\be_\br_\bs.
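Review bot: "if you store fully qualified host name in the netgroup" has lost its plural; the original "host names" was correct, since a machine netgroup holds many hosts. Only the second occurrence ("the machine's host name be fully qualified") should be singular.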
B\bBU\bUG\bGS\bS
-1.7.2 September 24, 2009 25
+1.7.3b2 December 19, 2009 25
Cmnd_Alias that is referenced by multiple users, one can create a
sudoRole that contains the commands and assign multiple users to it.
- S\bSU\bUD\bDO\bOe\ber\brs\bs L\bLD\bDA\bAP\bP c\bco\bon\bnt\bta\bai\bin\bne\ber\br
-
+ S\bSU\bUD\bDO\bOe\ber\brs\bs L\bLD\bDA\bAP\bP c\bco\bon\bnt\bta\bai\bin\bne\ber\br
The _\bs_\bu_\bd_\bo_\be_\br_\bs configuration is contained in the ou=SUDOers LDAP
container.
Sudo first looks for the cn=default entry in the SUDOers container. If
+ found, the multi-valued sudoOption attribute is parsed in the same
-1.7.2 June 11, 2009 1
+1.7.3b2 December 19, 2009 1
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- found, the multi-valued sudoOption attribute is parsed in the same
manner as a global Defaults line in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. In the following
example, the SSH_AUTH_SOCK variable will be preserved in the
environment for all users.
-1.7.2 June 11, 2009 2
+
+1.7.3b2 December 19, 2009 2
sudoHost: ALL
sudoCommand: ALL
- A\bAn\bna\bat\bto\bom\bmy\by o\bof\bf L\bLD\bDA\bAP\bP s\bsu\bud\bdo\boe\ber\brs\bs l\blo\boo\bok\bku\bup\bp
-
+ A\bAn\bna\bat\bto\bom\bmy\by o\bof\bf L\bLD\bDA\bAP\bP s\bsu\bud\bdo\boe\ber\brs\bs l\blo\boo\bok\bku\bup\bp
When looking up a sudoer using LDAP there are only two or three LDAP
queries per invocation. The first query is to parse the global
options. The second is to match against the user's name and the groups
third query returns all entries containing user netgroups and checks to
see if the user belongs to any of them.
- D\bDi\bif\bff\bfe\ber\bre\ben\bnc\bce\bes\bs b\bbe\bet\btw\bwe\bee\ben\bn L\bLD\bDA\bAP\bP a\ban\bnd\bd n\bno\bon\bn-\b-L\bLD\bDA\bAP\bP s\bsu\bud\bdo\boe\ber\brs\bs
-
+ D\bDi\bif\bff\bfe\ber\bre\ben\bnc\bce\bes\bs b\bbe\bet\btw\bwe\bee\ben\bn L\bLD\bDA\bAP\bP a\ban\bnd\bd n\bno\bon\bn-\b-L\bLD\bDA\bAP\bP s\bsu\bud\bdo\boe\ber\brs\bs
There are some subtle differences in the way sudoers is handled once in
LDAP. Probably the biggest is that according to the RFC, LDAP ordering
is arbitrary and you cannot expect that Attributes and Entries are
objectClass: top
cn: role2
sudoUser: puddles
+ sudoHost: ALL
+ sudoCommand: !/bin/sh
-1.7.2 June 11, 2009 3
+1.7.3b2 December 19, 2009 3
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- sudoHost: ALL
- sudoCommand: !/bin/sh
sudoCommand: ALL
Another difference is that negations on the Host, User or Runas are
sudoHost: ALL
sudoHost: !web01
- S\bSu\bud\bdo\boe\ber\brs\bs S\bSc\bch\bhe\bem\bma\ba
-
+ S\bSu\bud\bdo\boe\ber\brs\bs S\bSc\bch\bhe\bem\bma\ba
In order to use s\bsu\bud\bdo\bo's LDAP support, the s\bsu\bud\bdo\bo schema must be installed
on your LDAP server. In addition, be sure to index the 'sudoUser'
attribute.
The schema for s\bsu\bud\bdo\bo in OpenLDAP form is included in the EXAMPLES
section.
- C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg l\bld\bda\bap\bp.\b.c\bco\bon\bnf\bf
-
+ C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg l\bld\bda\bap\bp.\b.c\bco\bon\bnf\bf
Sudo reads the _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf file for LDAP-specific configuration.
Typically, this file is shared amongst different LDAP-aware clients.
As such, most of the settings are not s\bsu\bud\bdo\bo-specific. Note that s\bsu\bud\bdo\bo
U\bUR\bRI\bI ldap[s]://[hostname[:port]] ...
Specifies a whitespace-delimited list of one or more URIs
+ describing the LDAP server(s) to connect to. The _\bp_\br_\bo_\bt_\bo_\bc_\bo_\bl may be
+ either l\bld\bda\bap\bp or l\bld\bda\bap\bps\bs, the latter being for servers that support TLS
+ (SSL) encryption. If no _\bp_\bo_\br_\bt is specified, the default is port 389
+ for ldap:// or port 636 for ldaps://. If no _\bh_\bo_\bs_\bt_\bn_\ba_\bm_\be is specified,
-1.7.2 June 11, 2009 4
+1.7.3b2 December 19, 2009 4
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- describing the LDAP server(s) to connect to. The _\bp_\br_\bo_\bt_\bo_\bc_\bo_\bl may be
- either l\bld\bda\bap\bp or l\bld\bda\bap\bps\bs, the latter being for servers that support TLS
- (SSL) encryption. If no _\bp_\bo_\br_\bt is specified, the default is port 389
- for ldap:// or port 636 for ldaps://. If no _\bh_\bo_\bs_\bt_\bn_\ba_\bm_\be is specified,
s\bsu\bud\bdo\bo will connect to l\blo\boc\bca\bal\blh\bho\bos\bst\bt. Only systems using the OpenSSL
libraries support the mixing of ldap:// and ldaps:// URIs. The
Netscape-derived libraries used on most commercial versions of Unix
identity. By default, most LDAP servers will allow anonymous
access.
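Review bot: the rewritten URI text says ldaps is "for servers that support TLS (SSL) encryption", which implies ldap:// is always cleartext; the example ldap.conf later in this page documents a start_tls mode that uses port 389 and "switch[es] to encryption before the bind credentials are sent". Mention that alternative here, or at least cross-reference it, so readers who cannot use port 636 do not conclude that their bind password must go over the wire unencrypted.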
+ B\bBI\bIN\bND\bDP\bPW\bW secret
+ The B\bBI\bIN\bND\bDP\bPW\bW parameter specifies the password to use when performing
+ LDAP operations. This is typically used in conjunction with the
+ B\bBI\bIN\bND\bDD\bDN\bN parameter.
-1.7.2 June 11, 2009 5
+1.7.3b2 December 19, 2009 5
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- B\bBI\bIN\bND\bDP\bPW\bW secret
- The B\bBI\bIN\bND\bDP\bPW\bW parameter specifies the password to use when performing
- LDAP operations. This is typically used in conjunction with the
- B\bBI\bIN\bND\bDD\bDN\bN parameter.
-
R\bRO\bOO\bOT\bTB\bBI\bIN\bND\bDD\bDN\bN DN
The R\bRO\bOO\bOT\bTB\bBI\bIN\bND\bDD\bDN\bN parameter specifies the identity, in the form of a
Distinguished Name (DN), to use when performing privileged LDAP
used to authenticate the client to the LDAP server. The
certificate type depends on the LDAP libraries used.
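Review bot: BINDPW places a cleartext bind password in the ldap.conf file, which the section above describes as "shared amongst different LDAP-aware clients" and which is normally world-readable. The BINDPW entry should say that the file must then be made readable only by root (sudo is setuid, so it can still read it) or that the credential belongs in whatever restricted file the ROOTBINDDN entry below uses for privileged operations; as written, an administrator following this text will leave the directory password readable by every local user.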
+ OpenLDAP:
+ tls_cert /etc/ssl/client_cert.pem
+ Netscape-derived:
-1.7.2 June 11, 2009 6
+1.7.3b2 December 19, 2009 6
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- OpenLDAP:
- tls_cert /etc/ssl/client_cert.pem
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
- Netscape-derived:
tls_cert /var/ldap/cert7.db
When using Netscape-derived libraries, this file may also contain
The path to the Kerberos 5 credential cache to use when
authenticating with the remote server.
+ See the ldap.conf entry in the EXAMPLES section.
-1.7.2 June 11, 2009 7
+1.7.3b2 December 19, 2009 7
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- See the ldap.conf entry in the EXAMPLES section.
- C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg n\bns\bss\bsw\bwi\bit\btc\bch\bh.\b.c\bco\bon\bnf\bf
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
+ C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg n\bns\bss\bsw\bwi\bit\btc\bch\bh.\b.c\bco\bon\bnf\bf
Unless it is disabled at build time, s\bsu\bud\bdo\bo consults the Name Service
Switch file, _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf, to specify the _\bs_\bu_\bd_\bo_\be_\br_\bs search order.
Sudo looks for a line beginning with sudoers: and uses this to
Note that _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf is supported even when the underlying
operating system does not use an nsswitch.conf file.
- C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg n\bne\bet\bts\bsv\bvc\bc.\b.c\bco\bon\bnf\bf
-
+ C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg n\bne\bet\bts\bsv\bvc\bc.\b.c\bco\bon\bnf\bf
On AIX systems, the _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf file is consulted instead of
_\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf. s\bsu\bud\bdo\bo simply treats _\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf as a variant of
_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf; information in the previous section unrelated to the
To treat LDAP as authoratative and only use the local sudoers file if
the user is not present in LDAP, use:
+ sudoers = ldap = auth, files
+ Note that in the above example, the auth qualfier only affects user
-1.7.2 June 11, 2009 8
+1.7.3b2 December 19, 2009 8
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- sudoers = ldap = auth, files
+SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
+
- Note that in the above example, the auth qualfier only affects user
lookups; both LDAP and _\bs_\bu_\bd_\bo_\be_\br_\bs will be queried for Defaults entries.
If the _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf file is not present or there is no sudoers
_\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf determines sudoers source order on AIX
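Review bot: "the auth qualfier" in the moved netsvc.conf text is misspelled (qualifier), and the unchanged line above it has "authoratative" (authoritative). More importantly, the example "sudoers = ldap = auth, files" is said to make LDAP authoritative only for user lookups while Defaults entries are still merged from both LDAP and the local sudoers file; that asymmetry is exactly what an administrator locking a host down will trip over, so it deserves more prominence than a trailing "Note that" aside.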
E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
- E\bEx\bxa\bam\bmp\bpl\ble\be l\bld\bda\bap\bp.\b.c\bco\bon\bnf\bf
-
+ E\bEx\bxa\bam\bmp\bpl\ble\be l\bld\bda\bap\bp.\b.c\bco\bon\bnf\bf
# Either specify one or more URIs or one or more host:port pairs.
# If neither is specified sudo will default to localhost, port 389.
#
#
# LDAP protocol version, defaults to 3
#ldap_version 3
+ #
+ # Define if you want to use an encrypted LDAP connection.
+ # Typically, you must also set the port to 636 (ldaps).
+ #ssl on
-1.7.2 June 11, 2009 9
+1.7.3b2 December 19, 2009 9
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- #
- # Define if you want to use an encrypted LDAP connection.
- # Typically, you must also set the port to 636 (ldaps).
- #ssl on
#
# Define if you want to use port 389 and switch to
# encryption before the bind credentials are sent.
# SDK will prevent specific file names from working. For this reason
# it is suggested that tls_cert and tls_key be set to a directory,
# not a file name.
+ #
+ # The certificate database specified by tls_cert may contain CA certs
+ # and/or the client's cert. If the client's cert is included, tls_key
+ # should be specified as well.
-1.7.2 June 11, 2009 10
+1.7.3b2 December 19, 2009 10
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- #
- # The certificate database specified by tls_cert may contain CA certs
- # and/or the client's cert. If the client's cert is included, tls_key
- # should be specified as well.
# For backward compatibility, "sslpath" may be used in place of tls_cert.
#tls_cert /var/ldap
#tls_key /var/ldap
#
# If using SASL authentication for LDAP (OpenSSL)
# use_sasl yes
- # sasl_auth_id <SASL username>
+ # sasl_auth_id <SASL user name>
# rootuse_sasl yes
- # rootsasl_auth_id <SASL username for root access>
+ # rootsasl_auth_id <SASL user name for root access>
# sasl_secprops none
# krb5_ccname /etc/.ldapcache
- S\bSu\bud\bdo\bo s\bsc\bch\bhe\bem\bma\ba f\bfo\bor\br O\bOp\bpe\ben\bnL\bLD\bDA\bAP\bP
-
+ S\bSu\bud\bdo\bo s\bsc\bch\bhe\bem\bma\ba f\bfo\bor\br O\bOp\bpe\ben\bnL\bLD\bDA\bAP\bP
The following schema is in OpenLDAP format. Simply copy it to the
schema directory (e.g. _\b/_\be_\bt_\bc_\b/_\bo_\bp_\be_\bn_\bl_\bd_\ba_\bp_\b/_\bs_\bc_\bh_\be_\bm_\ba), add the proper include
line in slapd.conf and restart s\bsl\bla\bap\bpd\bd.
EQUALITY caseExactIA5Match
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+ attributetype ( 1.3.6.1.4.1.15953.9.1.6
+ NAME 'sudoRunAsUser'
+ DESC 'User(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-1.7.2 June 11, 2009 11
+1.7.3b2 December 19, 2009 11
SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
- attributetype ( 1.3.6.1.4.1.15953.9.1.6
- NAME 'sudoRunAsUser'
- DESC 'User(s) impersonated by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 1.3.6.1.4.1.15953.9.1.7
NAME 'sudoRunAsGroup'
-1.7.2 June 11, 2009 12
+
+
+
+
+
+1.7.3b2 December 19, 2009 12
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
.\" $Sudo$
-.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05)
+.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
.\" ========================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
-.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
.\" ========================================================================
.\"
.IX Title "SUDOERS.LDAP @mansectform@"
-.TH SUDOERS.LDAP @mansectform@ "June 11, 2009" "1.7.2" "MAINTENANCE COMMANDS"
+.TH SUDOERS.LDAP @mansectform@ "December 19, 2009" "1.7.3b2" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
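Review bot: removing the local ".de Sh" macro definition is only safe if every ".Sh" call in the file has been converted to ".SS"; the hunks below do convert them, but this preamble is emitted by Pod::Man 2.22 rather than hand-edited, so a page regenerated on a machine with an older Pod::Man would reintroduce ".Sh" calls with no definition. Add a check to the doc build (for example, fail if "^\.Sh" appears in the regenerated .man files) so the two generator versions cannot be mixed silently.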
a Cmnd_Alias that is referenced by multiple users, one can create
a sudoRole that contains the commands and assign multiple users
to it.
-.Sh "SUDOers \s-1LDAP\s0 container"
+.SS "SUDOers \s-1LDAP\s0 container"
.IX Subsection "SUDOers LDAP container"
The \fIsudoers\fR configuration is contained in the \f(CW\*(C`ou=SUDOers\*(C'\fR \s-1LDAP\s0
container.
\& sudoHost: ALL
\& sudoCommand: ALL
.Ve
-.Sh "Anatomy of \s-1LDAP\s0 sudoers lookup"
+.SS "Anatomy of \s-1LDAP\s0 sudoers lookup"
.IX Subsection "Anatomy of LDAP sudoers lookup"
When looking up a sudoer using \s-1LDAP\s0 there are only two or three
\&\s-1LDAP\s0 queries per invocation. The first query is to parse the global
in this query too.) If no match is returned for the user's name
and groups, a third query returns all entries containing user
netgroups and checks to see if the user belongs to any of them.
-.Sh "Differences between \s-1LDAP\s0 and non-LDAP sudoers"
+.SS "Differences between \s-1LDAP\s0 and non-LDAP sudoers"
.IX Subsection "Differences between LDAP and non-LDAP sudoers"
There are some subtle differences in the way sudoers is handled
once in \s-1LDAP\s0. Probably the biggest is that according to the \s-1RFC\s0,
\& sudoHost: ALL
\& sudoHost: !web01
.Ve
-.Sh "Sudoers Schema"
+.SS "Sudoers Schema"
.IX Subsection "Sudoers Schema"
In order to use \fBsudo\fR's \s-1LDAP\s0 support, the \fBsudo\fR schema must be
installed on your \s-1LDAP\s0 server. In addition, be sure to index the
.PP
The schema for \fBsudo\fR in OpenLDAP form is included in the \s-1EXAMPLES\s0
section.
-.Sh "Configuring ldap.conf"
+.SS "Configuring ldap.conf"
.IX Subsection "Configuring ldap.conf"
Sudo reads the \fI@ldap_conf@\fR file for LDAP-specific configuration.
Typically, this file is shared amongst different LDAP-aware clients.
with the remote server.
.PP
See the \f(CW\*(C`ldap.conf\*(C'\fR entry in the \s-1EXAMPLES\s0 section.
-.Sh "Configuring nsswitch.conf"
+.SS "Configuring nsswitch.conf"
.IX Subsection "Configuring nsswitch.conf"
Unless it is disabled at build time, \fBsudo\fR consults the Name
Service Switch file, \fI@nsswitch_conf@\fR, to specify the \fIsudoers\fR
.PP
Note that \fI@nsswitch_conf@\fR is supported even when the underlying
operating system does not use an nsswitch.conf file.
-.Sh "Configuring netsvc.conf"
+.SS "Configuring netsvc.conf"
.IX Subsection "Configuring netsvc.conf"
On \s-1AIX\s0 systems, the \fI@netsvc_conf@\fR file is consulted instead of
\&\fI@nsswitch_conf@\fR. \fBsudo\fR simply treats \fInetsvc.conf\fR as a
determines sudoers source order on \s-1AIX\s0
.SH "EXAMPLES"
.IX Header "EXAMPLES"
-.Sh "Example ldap.conf"
+.SS "Example ldap.conf"
.IX Subsection "Example ldap.conf"
.Vb 10
\& # Either specify one or more URIs or one or more host:port pairs.
\& #
\& # If using SASL authentication for LDAP (OpenSSL)
\& # use_sasl yes
-\& # sasl_auth_id <SASL username>
+\& # sasl_auth_id <SASL user name>
\& # rootuse_sasl yes
-\& # rootsasl_auth_id <SASL username for root access>
+\& # rootsasl_auth_id <SASL user name for root access>
\& # sasl_secprops none
\& # krb5_ccname /etc/.ldapcache
.Ve
-.Sh "Sudo schema for OpenLDAP"
+.SS "Sudo schema for OpenLDAP"
.IX Subsection "Sudo schema for OpenLDAP"
The following schema is in OpenLDAP format. Simply copy it to the
schema directory (e.g. \fI/etc/openldap/schema\fR), add the proper
#
# If using SASL authentication for LDAP (OpenSSL)
# use_sasl yes
- # sasl_auth_id <SASL username>
+ # sasl_auth_id <SASL user name>
# rootuse_sasl yes
- # rootsasl_auth_id <SASL username for root access>
+ # rootsasl_auth_id <SASL user name for root access>
# sasl_secprops none
# krb5_ccname /etc/.ldapcache
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.\" $Sudo$
-.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05)
+.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
.\" ========================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
-.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
.\" ========================================================================
.\"
.IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "September 24, 2009" "1.7.2" "MAINTENANCE COMMANDS"
+.TH SUDOERS @mansectform@ "December 19, 2009" "1.7.3b2" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
The \fIsudoers\fR grammar will be described below in Extended Backus-Naur
Form (\s-1EBNF\s0). Don't despair if you don't know what \s-1EBNF\s0 is; it is
fairly simple, and the definitions below are annotated.
-.Sh "Quick guide to \s-1EBNF\s0"
+.SS "Quick guide to \s-1EBNF\s0"
.IX Subsection "Quick guide to EBNF"
\&\s-1EBNF\s0 is a concise and exact way of describing the grammar of a language.
Each \s-1EBNF\s0 definition is made up of \fIproduction rules\fR. E.g.,
Parentheses may be used to group symbols together. For clarity,
we will use single quotes ('') to designate what is a verbatim character
string (as opposed to a symbol name).
-.Sh "Aliases"
+.SS "Aliases"
.IX Subsection "Aliases"
There are four kinds of aliases: \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR,
\&\f(CW\*(C`Host_Alias\*(C'\fR and \f(CW\*(C`Cmnd_Alias\*(C'\fR.
\& User_List ::= User |
\& User \*(Aq,\*(Aq User_List
\&
-\& User ::= \*(Aq!\*(Aq* username |
+\& User ::= \*(Aq!\*(Aq* user name |
\& \*(Aq!\*(Aq* \*(Aq#\*(Aquid |
\& \*(Aq!\*(Aq* \*(Aq%\*(Aqgroup |
\& \*(Aq!\*(Aq* \*(Aq+\*(Aqnetgroup |
\& \*(Aq!\*(Aq* User_Alias
.Ve
.PP
-A \f(CW\*(C`User_List\*(C'\fR is made up of one or more usernames, uids (prefixed
+A \f(CW\*(C`User_List\*(C'\fR is made up of one or more user names, uids (prefixed
with '#'), system groups (prefixed with '%'), netgroups (prefixed
with '+') and \f(CW\*(C`User_Alias\*(C'\fRes. Each list item may be prefixed with
zero or more '!' operators. An odd number of '!' operators negate
the value of the item; an even number just cancel each other out.
.PP
-A \f(CW\*(C`username\*(C'\fR, \f(CW\*(C`group\*(C'\fR, \f(CW\*(C`netgroup\*(C'\fR and \f(CW\*(C`nonunix_groups\*(C'\fR may
+A \f(CW\*(C`user name\*(C'\fR, \f(CW\*(C`group\*(C'\fR, \f(CW\*(C`netgroup\*(C'\fR or \f(CW\*(C`nonunix_group\*(C'\fR may
be enclosed in double quotes to avoid the need for escaping special
characters. Alternately, special characters may be specified in
escaped hex mode, e.g. \ex20 for space.
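Review bot: in the EBNF block the change from `username` to `user name` splits what was a single nonterminal into two words, so `User ::= '!'* user name` now reads as a production over two symbols `user` and `name`; keep the grammar symbol as one token (leave `username`, or use `user_name`) and apply the two-word spelling only in prose. The same applies to the code-font reference `\*(C`user name\*(C'` in the paragraph about double quotes, which is naming that grammar symbol rather than prose. The prose changes in this hunk ("one or more user names", "or `nonunix_group`") are fine.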
\& Runas_List ::= Runas_Member |
\& Runas_Member \*(Aq,\*(Aq Runas_List
\&
-\& Runas_Member ::= \*(Aq!\*(Aq* username |
+\& Runas_Member ::= \*(Aq!\*(Aq* user name |
\& \*(Aq!\*(Aq* \*(Aq#\*(Aquid |
\& \*(Aq!\*(Aq* \*(Aq%\*(Aqgroup |
\& \*(Aq!\*(Aq* +netgroup |
.PP
A \f(CW\*(C`Runas_List\*(C'\fR is similar to a \f(CW\*(C`User_List\*(C'\fR except that instead
of \f(CW\*(C`User_Alias\*(C'\fRes it can contain \f(CW\*(C`Runas_Alias\*(C'\fRes. Note that
-usernames and groups are matched as strings. In other words, two
+user names and groups are matched as strings. In other words, two
users (groups) with the same uid (gid) are considered to be distinct.
-If you wish to match all usernames with the same uid (e.g.\ root
+If you wish to match all user names with the same uid (e.g.\ root
and toor), you can use a uid instead (#0 in the example given).
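Review bot: same token-splitting problem in `Runas_Member ::= '!'* user name`; the nonterminal should stay a single identifier so it parses as one symbol, with "user names" used only in the explanatory sentence below the block.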
.PP
.Vb 2
\& Host_List ::= Host |
\& Host \*(Aq,\*(Aq Host_List
\&
-\& Host ::= \*(Aq!\*(Aq* hostname |
+\& Host ::= \*(Aq!\*(Aq* host name |
\& \*(Aq!\*(Aq* ip_addr |
\& \*(Aq!\*(Aq* network(/netmask)? |
\& \*(Aq!\*(Aq* \*(Aq+\*(Aqnetgroup |
\& \*(Aq!\*(Aq* Host_Alias
.Ve
.PP
-A \f(CW\*(C`Host_List\*(C'\fR is made up of one or more hostnames, \s-1IP\s0 addresses,
+A \f(CW\*(C`Host_List\*(C'\fR is made up of one or more host names, \s-1IP\s0 addresses,
network numbers, netgroups (prefixed with '+') and other aliases.
Again, the value of an item may be negated with the '!' operator.
If you do not specify a netmask along with the network number,
interfaces, the corresponding netmask will be used. The netmask
may be specified either in standard \s-1IP\s0 address notation
(e.g.\ 255.255.255.0 or ffff:ffff:ffff:ffff::),
-or \s-1CIDR\s0 notation (number of bits, e.g.\ 24 or 64). A hostname may
+or \s-1CIDR\s0 notation (number of bits, e.g.\ 24 or 64). A host name may
include shell-style wildcards (see the Wildcards section below),
-but unless the \f(CW\*(C`hostname\*(C'\fR command on your machine returns the fully
-qualified hostname, you'll need to use the \fIfqdn\fR option for
+but unless the \f(CW\*(C`host name\*(C'\fR command on your machine returns the fully
+qualified host name, you'll need to use the \fIfqdn\fR option for
wildcards to be useful.
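Review bot: the line "unless the `host name` command on your machine returns the fully qualified host name" is now incorrect, because the command is literally `hostname(1)` and the code-font text is its name, not prose; this should read `\*(C`hostname\*(C'` as it still does in the `fqdn` option description later in this patch ("as returned by the `hostname` command"). The grammar line `Host ::= '!'* host name` has the same split-nonterminal issue as `User` above and should keep a single token.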
.PP
.Vb 2
\& Cmnd_List ::= Cmnd |
\& Cmnd \*(Aq,\*(Aq Cmnd_List
\&
-\& commandname ::= filename |
-\& filename args |
-\& filename \*(Aq""\*(Aq
+\& commandname ::= file name |
+\& file name args |
+\& file name \*(Aq""\*(Aq
\&
\& Cmnd ::= \*(Aq!\*(Aq* commandname |
\& \*(Aq!\*(Aq* directory |
.Ve
.PP
A \f(CW\*(C`Cmnd_List\*(C'\fR is a list of one or more commandnames, directories, and other
-aliases. A commandname is a fully qualified filename which may include
+aliases. A commandname is a fully qualified file name which may include
shell-style wildcards (see the Wildcards section below). A simple
-filename allows the user to run the command with any arguments he/she
+file name allows the user to run the command with any arguments he/she
wishes. However, you may also specify command line arguments (including
wildcards). Alternately, you can specify \f(CW""\fR to indicate that the command
may only be run \fBwithout\fR command line arguments. A directory is a
-fully qualified pathname ending in a '/'. When you specify a directory
+fully qualified path name ending in a '/'. When you specify a directory
in a \f(CW\*(C`Cmnd_List\*(C'\fR, the user will be able to run any file within that directory
(but not in any subdirectories therein).
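Review bot: `commandname ::= file name | file name args | file name '""'` is now internally inconsistent: the left-hand side `commandname` stays one word while its right-hand side symbol becomes two, and `file name args` reads as three symbols. Keep `filename` (or `file_name`) as the grammar token and use "file name" only in the sentences below, which is what the rest of this hunk already does.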
.PP
is used to permit a user to run \fBsudo\fR with the \fB\-e\fR option (or
as \fBsudoedit\fR). It may take command line arguments just as
a normal command does.
-.Sh "Defaults"
+.SS "Defaults"
.IX Subsection "Defaults"
Certain configuration options may be changed from their default
values at runtime via one or more \f(CW\*(C`Default_Entry\*(C'\fR lines. These
defaults.
.PP
See \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" for a list of supported Defaults parameters.
-.Sh "User Specification"
+.SS "User Specification"
.IX Subsection "User Specification"
.Vb 2
\& User_Spec ::= User_List Host_List \*(Aq=\*(Aq Cmnd_Spec_List \e
.PP
The basic structure of a user specification is `who = where (as_whom)
what'. Let's break that down into its constituent parts:
-.Sh "Runas_Spec"
+.SS "Runas_Spec"
.IX Subsection "Runas_Spec"
A \f(CW\*(C`Runas_Spec\*(C'\fR determines the user and/or the group that a command
may be run as. A fully-specified \f(CW\*(C`Runas_Spec\*(C'\fR consists of two
\& tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu, \e
\& /usr/local/bin/minicom
.Ve
-.Sh "Tag_Spec"
+.SS "Tag_Spec"
.IX Subsection "Tag_Spec"
A command may have zero or more tags associated with it. There are
eight possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR,
These tags override the value of the \fItranscript\fR option on a
per-command basis. For more information, see the description of
\&\fItranscript\fR in the \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" section below.
-.Sh "Wildcards"
+.SS "Wildcards"
.IX Subsection "Wildcards"
\&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters)
-to be used in hostnames, pathnames and command line arguments in
+to be used in host names, path names and command line arguments in
the \fIsudoers\fR file. Wildcard matching is done via the \fB\s-1POSIX\s0\fR
\&\fIglob\fR\|(3) and \fIfnmatch\fR\|(3) routines. Note that these are \fInot\fR
regular expressions.
\& /bin/ls [[\e:alpha\e:]]*
.Ve
.PP
-Would match any filename beginning with a letter.
+Would match any file name beginning with a letter.
.PP
Note that a forward slash ('/') will \fBnot\fR be matched by
-wildcards used in the pathname. When matching the command
+wildcards used in the path name. When matching the command
line arguments, however, a slash \fBdoes\fR get matched by
wildcards. This is to make a path like:
.PP
.Ve
.PP
match \fI/usr/bin/who\fR but not \fI/usr/bin/X11/xterm\fR.
-.Sh "Exceptions to wildcard rules"
+.SS "Exceptions to wildcard rules"
.IX Subsection "Exceptions to wildcard rules"
The following exceptions apply to the above rules:
.ie n .IP """""" 8
If the empty string \f(CW""\fR is the only command line argument in the
\&\fIsudoers\fR entry it means that command is not allowed to be run
with \fBany\fR arguments.
-.Sh "Including other files from within sudoers"
+.SS "Including other files from within sudoers"
.IX Subsection "Including other files from within sudoers"
It is possible to include other \fIsudoers\fR files from within the
\&\fIsudoers\fR file currently being parsed using the \f(CW\*(C`#include\*(C'\fR and
themselves include other files. A hard limit of 128 nested include
files is enforced to prevent include file loops.
.PP
-The filename may include the \f(CW%h\fR escape, signifying the short form
-of the hostname. I.e., if the machine's hostname is \*(L"xerxes\*(R", then
+The file name may include the \f(CW%h\fR escape, signifying the short form
+of the host name. I.e., if the machine's host name is \*(L"xerxes\*(R", then
.PP
\&\f(CW\*(C`#include /etc/sudoers.%h\*(C'\fR
.PP
edit the files in a \f(CW\*(C`#includedir\*(C'\fR directory unless one of them
contains a syntax error. It is still possible to run \fBvisudo\fR
with the \f(CW\*(C`\-f\*(C'\fR flag to edit the files directly.
-.Sh "Other special characters and reserved words"
+.SS "Other special characters and reserved words"
.IX Subsection "Other special characters and reserved words"
The pound sign ('#') is used to indicate a comment (unless it is
part of a #include directive or unless it occurs in the context of
characters in a \fIUser Specification\fR ('=', ':', '(', ')') is optional.
.PP
The following characters must be escaped with a backslash ('\e') when
-used as part of a word (e.g.\ a username or hostname):
+used as part of a word (e.g.\ a user name or host name):
\&'@', '!', '=', ':', ',', '(', ')', '\e'.
.SH "SUDOERS OPTIONS"
.IX Header "SUDOERS OPTIONS"
If set, the user may use \fBsudo\fR's \fB\-C\fR option which
overrides the default starting point at which \fBsudo\fR begins
closing open file descriptors. This flag is \fIoff\fR by default.
+.IP "compress_transcript" 16
+.IX Item "compress_transcript"
+If set, and the \fItranscript\fR flag is also set, \fBsudo\fR will compress
+the transcript logs using \fBzlib\fR. This flag is \fIon\fR by default
+when \fBsudo\fR is compiled with \fBzlib\fR support.
.IP "env_editor" 16
.IX Item "env_editor"
If set, \fBvisudo\fR will use the value of the \s-1EDITOR\s0 or \s-1VISUAL\s0
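Review bot: the new `compress_transcript` entry should say what happens when the flag is set on a build without zlib support (is it ignored, or is it a parse error in sudoers?), since the text only defines the default for zlib-enabled builds, and it should mention that transcripts are consumed by `sudoreplay`, which must therefore understand the compressed format. The item is placed in alphabetical order between the `-C` override flag and `env_editor`, which is right. The corresponding POD source change is not in the visible hunks; since the `.man.in` file is generated from the `.pod`, make sure the item was added there as well or the next regeneration will drop it.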
.IP "fast_glob" 16
.IX Item "fast_glob"
Normally, \fBsudo\fR uses the \fIglob\fR\|(3) function to do shell-style
-globbing when matching pathnames. However, since it accesses the
+globbing when matching path names. However, since it accesses the
file system, \fIglob\fR\|(3) can take a long time to complete for some
patterns, especially when the pattern references a network file
system that is mounted on demand (automounted). The \fIfast_glob\fR
option causes \fBsudo\fR to use the \fIfnmatch\fR\|(3) function, which does
not access the file system to do its matching. The disadvantage
-of \fIfast_glob\fR is that it is unable to match relative pathnames
+of \fIfast_glob\fR is that it is unable to match relative path names
such as \fI./ls\fR or \fI../bin/ls\fR. This flag is \fIoff\fR by default.
.IP "fqdn" 16
.IX Item "fqdn"
-Set this flag if you want to put fully qualified hostnames in the
+Set this flag if you want to put fully qualified host names in the
\&\fIsudoers\fR file. I.e., instead of myhost you would use myhost.mydomain.edu.
You may still use the short form if you wish (and even mix the two).
Beware that turning on \fIfqdn\fR requires \fBsudo\fR to make \s-1DNS\s0 lookups
you must use the host's official name as \s-1DNS\s0 knows it. That is,
you may not use a host alias (\f(CW\*(C`CNAME\*(C'\fR entry) due to performance
issues and the fact that there is no way to get all aliases from
-\&\s-1DNS\s0. If your machine's hostname (as returned by the \f(CW\*(C`hostname\*(C'\fR
+\&\s-1DNS\s0. If your machine's host name (as returned by the \f(CW\*(C`hostname\*(C'\fR
command) is already fully qualified you shouldn't need to set
\&\fIfqdn\fR. This flag is \fI@fqdn@\fR by default.
.IP "ignore_dot" 16
password. This flag is \fI@insults@\fR by default.
.IP "log_host" 16
.IX Item "log_host"
-If set, the hostname will be logged in the (non-syslog) \fBsudo\fR log file.
+If set, the host name will be logged in the (non-syslog) \fBsudo\fR log file.
This flag is \fIoff\fR by default.
.IP "log_year" 16
.IX Item "log_year"
function. This flag is \fIoff\fR by default.
.IP "targetpw" 16
.IX Item "targetpw"
-If set, \fBsudo\fR will prompt for the password of the user specified by
-the \fB\-u\fR option (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password of the
-invoking user. Note that this precludes the use of a uid not listed
-in the passwd database as an argument to the \fB\-u\fR option.
-This flag is \fIoff\fR by default.
+If set, \fBsudo\fR will prompt for the password of the user specified
+by the \fB\-u\fR option (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password
+of the invoking user. In addition, the timestamp file name will
+include the target user's name. Note that this flag precludes the
+use of a uid not listed in the passwd database as an argument to
+the \fB\-u\fR option. This flag is \fIoff\fR by default.
.IP "transcript" 16
.IX Item "transcript"
If set, \fBsudo\fR will log a transcript of the command being run,
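Review bot: the added sentence "the timestamp file name will include the target user's name" describes a security-relevant behaviour change, and the text should state its purpose so administrators understand why it matters: with `targetpw` the password entered is the target user's, so a cached timestamp must be keyed by target user or a ticket earned by entering one target's password could be reused for a later `-u otheruser` without that user's password. It would also help to say how `sudo -k`/`sudo -K` interact with the per-target timestamp files (does `-k` invalidate all of them or only the one for the default target?). The reflow of the remaining sentences is fine.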
.IP "passwd_timeout" 16
.IX Item "passwd_timeout"
Number of minutes before the \fBsudo\fR password prompt times out.
-The default is \f(CW\*(C`@password_timeout@\*(C'\fR; set this to \f(CW0\fR for no password timeout.
+The timeout may include a fractional component if minute granularity
+is insufficient, for example \f(CW2.5\fR. The default is \f(CW\*(C`@password_timeout@\*(C'\fR;
+set this to \f(CW0\fR for no password timeout.
.IP "timestamp_timeout" 16
.IX Item "timestamp_timeout"
Number of minutes that can elapse before \fBsudo\fR will ask for a
-passwd again. The default is \f(CW\*(C`@timeout@\*(C'\fR. Set this to \f(CW0\fR to always
-prompt for a password.
+passwd again. The timeout may include a fractional component if
+minute granularity is insufficient, for example \f(CW2.5\fR. The default
+is \f(CW\*(C`@timeout@\*(C'\fR. Set this to \f(CW0\fR to always prompt for a password.
If set to a value less than \f(CW0\fR the user's timestamp will never
expire. This can be used to allow users to create or delete their
own timestamps via \f(CW\*(C`sudo \-v\*(C'\fR and \f(CW\*(C`sudo \-k\*(C'\fR respectively.
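Review bot: the rewritten `timestamp_timeout` line still carries "passwd again" where "password again" is meant; since the hunk already replaces that line it is the moment to fix it. For both `passwd_timeout` and `timestamp_timeout` the new fractional-minute text should state the accepted syntax precisely (a `.` as the decimal separator regardless of locale, and whether values like `.5` or `2.` are accepted), because a locale-dependent decimal parse would make the same sudoers file behave differently on different hosts. It should also say how a fractional value interacts with the existing "less than 0 never expires" rule, for example whether `-0.5` is treated as negative.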
.IP "mailsub" 16
.IX Item "mailsub"
Subject of the mail sent to the \fImailto\fR user. The escape \f(CW%h\fR
-will expand to the hostname of the machine.
+will expand to the host name of the machine.
Default is \f(CW\*(C`@mailsub@\*(C'\fR.
.IP "noexec_file" 16
.IX Item "noexec_file"
.ie n .IP "%H" 4
.el .IP "\f(CW%H\fR" 4
.IX Item "%H"
-expanded to the local hostname including the domain name
-(on if the machine's hostname is fully qualified or the \fIfqdn\fR
+expanded to the local host name including the domain name
+(on if the machine's host name is fully qualified or the \fIfqdn\fR
option is set)
.ie n .IP "%h" 4
.el .IP "\f(CW%h\fR" 4
.IX Item "%h"
-expanded to the local hostname without the domain name
+expanded to the local host name without the domain name
.ie n .IP "%p" 4
.el .IP "\f(CW%p\fR" 4
.IX Item "%p"
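Review bot: the rewritten `%H` line reads "(on if the machine's host name is fully qualified or the fqdn option is set)"; "on if" should be "only if", otherwise the sentence has no verb. The `%h` change is fine.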
.PP
The user \fBpete\fR is allowed to change anyone's password except for
root on the \fI\s-1HPPA\s0\fR machines. Note that this assumes \fIpasswd\fR\|(1)
-does not take multiple usernames on the command line.
+does not take multiple user names on the command line.
.PP
.Vb 1
\& bob SPARC = (OP) ALL : SGI = (OP) ALL
will not run with a syntactically incorrect \fIsudoers\fR file.
.PP
When using netgroups of machines (as opposed to users), if you
-store fully qualified hostnames in the netgroup (as is usually the
-case), you either need to have the machine's hostname be fully qualified
+store fully qualified host name in the netgroup (as is usually the
+case), you either need to have the machine's host name be fully qualified
as returned by the \f(CW\*(C`hostname\*(C'\fR command or use the \fIfqdn\fR option in
\&\fIsudoers\fR.
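Review bot: the replacement line "store fully qualified host name in the netgroup" loses the plural and no longer agrees with "store"; it should read "fully qualified host names in the netgroup", matching the original sentence's number.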
.SH "BUGS"
User_List ::= User |
User ',' User_List
- User ::= '!'* username |
+ User ::= '!'* user name |
'!'* '#'uid |
'!'* '%'group |
'!'* '+'netgroup |
'!'* '%:'nonunix_group |
'!'* User_Alias
-A C<User_List> is made up of one or more usernames, uids (prefixed
+A C<User_List> is made up of one or more user names, uids (prefixed
with '#'), system groups (prefixed with '%'), netgroups (prefixed
with '+') and C<User_Alias>es. Each list item may be prefixed with
zero or more '!' operators. An odd number of '!' operators negate
the value of the item; an even number just cancel each other out.
-A C<username>, C<group>, C<netgroup> and C<nonunix_groups> may
+A C<user name>, C<group>, C<netgroup> or C<nonunix_group> may
be enclosed in double quotes to avoid the need for escaping special
characters. Alternately, special characters may be specified in
escaped hex mode, e.g. \x20 for space.
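Review bot: this is the POD source from which the roff page is generated, so the split grammar token `User ::= '!'* user name` needs to be fixed here rather than in the generated `.man.in`; keep `username` (or `user_name`) as the single nonterminal, and likewise keep `C<username>` in the double-quotes sentence since it names that symbol.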
Runas_List ::= Runas_Member |
Runas_Member ',' Runas_List
- Runas_Member ::= '!'* username |
+ Runas_Member ::= '!'* user name |
'!'* '#'uid |
'!'* '%'group |
'!'* +netgroup |
A C<Runas_List> is similar to a C<User_List> except that instead
of C<User_Alias>es it can contain C<Runas_Alias>es. Note that
-usernames and groups are matched as strings. In other words, two
+user names and groups are matched as strings. In other words, two
users (groups) with the same uid (gid) are considered to be distinct.
-If you wish to match all usernames with the same uid (e.g.E<nbsp>root
+If you wish to match all user names with the same uid (e.g.E<nbsp>root
and toor), you can use a uid instead (#0 in the example given).
Host_List ::= Host |
Host ',' Host_List
- Host ::= '!'* hostname |
+ Host ::= '!'* host name |
'!'* ip_addr |
'!'* network(/netmask)? |
'!'* '+'netgroup |
'!'* Host_Alias
-A C<Host_List> is made up of one or more hostnames, IP addresses,
+A C<Host_List> is made up of one or more host names, IP addresses,
network numbers, netgroups (prefixed with '+') and other aliases.
Again, the value of an item may be negated with the '!' operator.
If you do not specify a netmask along with the network number,
interfaces, the corresponding netmask will be used. The netmask
may be specified either in standard IP address notation
(e.g.E<nbsp>255.255.255.0 or ffff:ffff:ffff:ffff::),
-or CIDR notation (number of bits, e.g.E<nbsp>24 or 64). A hostname may
+or CIDR notation (number of bits, e.g.E<nbsp>24 or 64). A host name may
include shell-style wildcards (see the L<Wildcards> section below),
-but unless the C<hostname> command on your machine returns the fully
-qualified hostname, you'll need to use the I<fqdn> option for
+but unless the C<host name> command on your machine returns the fully
+qualified host name, you'll need to use the I<fqdn> option for
wildcards to be useful.
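Review bot: `C<host name>` in "unless the C<host name> command on your machine returns" must stay `C<hostname>`, because it is the name of the `hostname(1)` command; this is the POD source for the roff error noted above, so the fix belongs here. `Host ::= '!'* host name` should likewise keep a one-word grammar token.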
Cmnd_List ::= Cmnd |
wishes. However, you may also specify command line arguments (including
wildcards). Alternately, you can specify C<""> to indicate that the command
may only be run B<without> command line arguments. A directory is a
-fully qualified pathname ending in a '/'. When you specify a directory
+fully qualified path name ending in a '/'. When you specify a directory
in a C<Cmnd_List>, the user will be able to run any file within that directory
(but not in any subdirectories therein).
=head2 Wildcards
B<sudo> allows shell-style I<wildcards> (aka meta or glob characters)
-to be used in hostnames, pathnames and command line arguments in
+to be used in host names, path names and command line arguments in
the I<sudoers> file. Wildcard matching is done via the B<POSIX>
L<glob(3)> and L<fnmatch(3)> routines. Note that these are I<not>
regular expressions.
Would match any file name beginning with a letter.
Note that a forward slash ('/') will B<not> be matched by
-wildcards used in the pathname. When matching the command
+wildcards used in the path name. When matching the command
line arguments, however, a slash B<does> get matched by
wildcards. This is to make a path like:
files is enforced to prevent include file loops.
The file name may include the C<%h> escape, signifying the short form
-of the hostname. I.e., if the machine's hostname is "xerxes", then
+of the host name. I.e., if the machine's host name is "xerxes", then
C<#include /etc/sudoers.%h>
characters in a I<User Specification> ('=', ':', '(', ')') is optional.
The following characters must be escaped with a backslash ('\') when
-used as part of a word (e.g.E<nbsp>a username or hostname):
+used as part of a word (e.g.E<nbsp>a user name or host name):
'@', '!', '=', ':', ',', '(', ')', '\'.
=head1 SUDOERS OPTIONS
=item fast_glob
Normally, B<sudo> uses the L<glob(3)> function to do shell-style
-globbing when matching pathnames. However, since it accesses the
+globbing when matching path names. However, since it accesses the
file system, L<glob(3)> can take a long time to complete for some
patterns, especially when the pattern references a network file
system that is mounted on demand (automounted). The I<fast_glob>
option causes B<sudo> to use the L<fnmatch(3)> function, which does
not access the file system to do its matching. The disadvantage
-of I<fast_glob> is that it is unable to match relative pathnames
+of I<fast_glob> is that it is unable to match relative path names
such as F<./ls> or F<../bin/ls>. This flag is I<off> by default.
=item fqdn
-Set this flag if you want to put fully qualified hostnames in the
+Set this flag if you want to put fully qualified host names in the
I<sudoers> file. I.e., instead of myhost you would use myhost.mydomain.edu.
You may still use the short form if you wish (and even mix the two).
Beware that turning on I<fqdn> requires B<sudo> to make DNS lookups
you must use the host's official name as DNS knows it. That is,
you may not use a host alias (C<CNAME> entry) due to performance
issues and the fact that there is no way to get all aliases from
-DNS. If your machine's hostname (as returned by the C<hostname>
+DNS. If your machine's host name (as returned by the C<hostname>
command) is already fully qualified you shouldn't need to set
I<fqdn>. This flag is I<@fqdn@> by default.
=item log_host
-If set, the hostname will be logged in the (non-syslog) B<sudo> log file.
+If set, the host name will be logged in the (non-syslog) B<sudo> log file.
This flag is I<off> by default.
=item log_year
=item mailsub
Subject of the mail sent to the I<mailto> user. The escape C<%h>
-will expand to the hostname of the machine.
+will expand to the host name of the machine.
Default is C<@mailsub@>.
=item noexec_file
=item C<%H>
-expanded to the local hostname including the domain name
-(on if the machine's hostname is fully qualified or the I<fqdn>
+expanded to the local host name including the domain name
+(on if the machine's host name is fully qualified or the I<fqdn>
option is set)
=item C<%h>
-expanded to the local hostname without the domain name
+expanded to the local host name without the domain name
=item C<%p>
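Review bot: same "(on if ..." in the POD `%H` item; should be "(only if ...". Fixing the POD is what makes the regenerated roff page correct.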
The user B<pete> is allowed to change anyone's password except for
root on the I<HPPA> machines. Note that this assumes L<passwd(1)>
-does not take multiple usernames on the command line.
+does not take multiple user names on the command line.
bob SPARC = (OP) ALL : SGI = (OP) ALL
will not run with a syntactically incorrect I<sudoers> file.
When using netgroups of machines (as opposed to users), if you
-store fully qualified hostnames in the netgroup (as is usually the
-case), you either need to have the machine's hostname be fully qualified
+store fully qualified host name in the netgroup (as is usually the
+case), you either need to have the machine's host name be fully qualified
as returned by the C<hostname> command or use the I<fqdn> option in
I<sudoers>.
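Review bot: "store fully qualified host name in the netgroup" should be plural, "host names", in this POD source as in the generated page.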
-1.7.2 October 6, 2009 1
+1.7.3b2 December 19, 2009 1
specified without the _\b/_\bd_\be_\bv_\b/ prefix, e.g. _\bt_\bt_\by_\b0_\b1
instead of _\b/_\bd_\be_\bv_\b/_\bt_\bt_\by_\b0_\b1.
- user _\bu_\bs_\be_\br_\bn_\ba_\bm_\be
+ user _\bu_\bs_\be_\br _\bn_\ba_\bm_\be
Evaluates to true if the ID matches a command run
- by _\bu_\bs_\be_\br_\bn_\ba_\bm_\be.
+ by _\bu_\bs_\be_\br _\bn_\ba_\bm_\be.
Predicates may be abbreviated to the shortest unique string
(currently all predicates may be shortened to a single
-1.7.2 October 6, 2009 2
+1.7.3b2 December 19, 2009 2
-1.7.2 October 6, 2009 3
+1.7.3b2 December 19, 2009 3
-1.7.2 October 6, 2009 4
+1.7.3b2 December 19, 2009 4
-1.7.2 October 6, 2009 5
+1.7.3b2 December 19, 2009 5
.\" ========================================================================
.\"
.IX Title "SUDOREPLAY @mansectsu@"
-.TH SUDOREPLAY @mansectsu@ "October 6, 2009" "1.7.2" "MAINTENANCE COMMANDS"
+.TH SUDOREPLAY @mansectsu@ "December 19, 2009" "1.7.3b2" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
Evaluates to true if the command was run on the specified terminal
device. The \fItty\fR should be specified without the \fI/dev/\fR prefix,
e.g. \fItty01\fR instead of \fI/dev/tty01\fR.
-.IP "user \fIusername\fR" 8
-.IX Item "user username"
-Evaluates to true if the \s-1ID\s0 matches a command run by \fIusername\fR.
+.IP "user \fIuser name\fR" 8
+.IX Item "user user name"
+Evaluates to true if the \s-1ID\s0 matches a command run by \fIuser name\fR.
.RE
.RS 12
.Sp
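Review bot: renaming the `sudoreplay` predicate argument from `user \fIusername\fR` to `user \fIuser name\fR` makes the list-selection predicate look as if it takes two arguments (`user`, `name`); since this is a placeholder for a single command-line token, keep it as one word (or `user_name`), and fix the index entry `.IX Item "user user name"` accordingly.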
device. The I<tty> should be specified without the F</dev/> prefix,
e.g. F<tty01> instead of F</dev/tty01>.
-=item user I<username>
+=item user I<user name>
-Evaluates to true if the ID matches a command run by I<username>.
+Evaluates to true if the ID matches a command run by I<user name>.
=back
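Review bot: same predicate-argument issue in the POD source (`=item user I<user name>`); keep the placeholder a single token here so the regenerated man page and the formatted catalog both show `user username`.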
-1.7.2 June 11, 2009 1
+1.7.3b2 December 19, 2009 1
-s Enable s\bst\btr\bri\bic\bct\bt checking of the _\bs_\bu_\bd_\bo_\be_\br_\bs file. If an alias is
used before it is defined, v\bvi\bis\bsu\bud\bdo\bo will consider this a
parse error. Note that it is not possible to differentiate
- between an alias and a hostname or username that consists
+ between an alias and a host name or user name that consists
solely of uppercase letters, digits, and the underscore
('_') character.
Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined
Either you are trying to use an undeclare
- {User,Runas,Host,Cmnd}_Alias or you have a user or hostname listed
+ {User,Runas,Host,Cmnd}_Alias or you have a user or host name listed
that consists solely of uppercase letters, digits, and the
underscore ('_') character. In the latter case, you can ignore the
warnings (s\bsu\bud\bdo\bo will not complain). In -\b-s\bs (strict) mode these are
-1.7.2 June 11, 2009 2
+1.7.3b2 December 19, 2009 2
-1.7.2 June 11, 2009 3
+1.7.3b2 December 19, 2009 3
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
.\" $Sudo$
-.\" Automatically generated by Pod::Man 2.16 (Pod::Simple 3.05)
+.\" Automatically generated by Pod::Man 2.22 (Pod::Simple 3.07)
.\"
.\" Standard preamble:
.\" ========================================================================
-.de Sh \" Subsection heading
-.br
-.if t .Sp
-.ne 5
-.PP
-\fB\\$1\fR
-.PP
-..
.de Sp \" Vertical space (when we can't use .PP)
.if t .sp .5v
.if n .sp
.el .ds Aq '
.\"
.\" If the F register is turned on, we'll generate index entries on stderr for
-.\" titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and index
+.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
.\" entries marked with X<> in POD. Of course, you'll have to process the
.\" output yourself in some meaningful fashion.
.ie \nF \{\
.\" ========================================================================
.\"
.IX Title "VISUDO @mansectsu@"
-.TH VISUDO @mansectsu@ "June 11, 2009" "1.7.2" "MAINTENANCE COMMANDS"
+.TH VISUDO @mansectsu@ "December 19, 2009" "1.7.3b2" "MAINTENANCE COMMANDS"
.\" For nroff, turn off justification. Always turn off hyphenation; it makes
.\" way too many mistakes in technical documents.
.if n .ad l
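Review bot: as with the sudoers preamble, removing `.de Sh` here means a leftover `.Sh` in the visudo body would render silently as plain text; confirm with a grep for `^\.Sh` on the regenerated file. The `.TH` date and version now match the other pages in this patch.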
Enable \fBstrict\fR checking of the \fIsudoers\fR file. If an alias is
used before it is defined, \fBvisudo\fR will consider this a parse
error. Note that it is not possible to differentiate between an
-alias and a hostname or username that consists solely of uppercase
+alias and a host name or user name that consists solely of uppercase
letters, digits, and the underscore ('_') character.
.IP "\-V" 12
.IX Item "-V"
.IP "Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined" 4
.IX Item "Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined"
Either you are trying to use an undeclare {User,Runas,Host,Cmnd}_Alias
-or you have a user or hostname listed that consists solely of
+or you have a user or host name listed that consists solely of
uppercase letters, digits, and the underscore ('_') character. In
the latter case, you can ignore the warnings (\fBsudo\fR will not
complain). In \fB\-s\fR (strict) mode these are errors, not warnings.
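Review bot: the line directly above the changed one reads "trying to use an undeclare {User,Runas,Host,Cmnd}_Alias"; "undeclare" should be "undeclared", and since this hunk already touches the following line it is a good moment to correct it (the same wording appears in the formatted catalog earlier in the patch).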
Enable B<strict> checking of the I<sudoers> file. If an alias is
used before it is defined, B<visudo> will consider this a parse
error. Note that it is not possible to differentiate between an
-alias and a hostname or username that consists solely of uppercase
+alias and a host name or user name that consists solely of uppercase
letters, digits, and the underscore ('_') character.
=item -V
=item Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined
Either you are trying to use an undeclare {User,Runas,Host,Cmnd}_Alias
-or you have a user or hostname listed that consists solely of
+or you have a user or host name listed that consists solely of
uppercase letters, digits, and the underscore ('_') character. In
the latter case, you can ignore the warnings (B<sudo> will not
complain). In B<-s> (strict) mode these are errors, not warnings.
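Review bot: "undeclare" should be "undeclared" in this POD source as well; fixing it here propagates to the generated roff and catalog pages.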