-1.6.9 October 7, 2004 1
+1.6.9 October 13, 2004 1
-1.6.9 October 7, 2004 2
+1.6.9 October 13, 2004 2
-1.6.9 October 7, 2004 3
+1.6.9 October 13, 2004 3
-1.6.9 October 7, 2004 4
+1.6.9 October 13, 2004 4
-1.6.9 October 7, 2004 5
+1.6.9 October 13, 2004 5
-1.6.9 October 7, 2004 6
+1.6.9 October 13, 2004 6
-1.6.9 October 7, 2004 7
+1.6.9 October 13, 2004 7
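Review bot: these first seven pairs of lines change nothing but the footer date, `-1.6.9 October 7, 2004 1` becoming `+1.6.9 October 13, 2004 1` and so on through page 7; the body of those pages is untouched. Because this is a pre-formatted catman page (the `\b` backspace overstrikes are nroff bold/underline output), the date should come from the roff source rather than a hand edit of the formatted file; please confirm the page was regenerated from the source and that the source carries the same October 13, 2004 date, otherwise the two copies will drift.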
this makes s\bsu\bud\bdo\bo act as a setuid wrapper. This
can be useful on systems that disable some
potentially dangerous functionality when a
- program is run setuid. Note, however, that
- this means that s\bsu\bud\bdo\bo will run with the real
- uid of the invoking user which may allow that
- user to kill s\bsu\bud\bdo\bo before it can log a failure,
- depending on how your OS defines the interac
- tion between signals and setuid processes.
+ program is run setuid. This option is only
+ effective on systems with either the
+ _\bs_\be_\bt_\br_\be_\bu_\bi_\bd_\b(_\b) or _\bs_\be_\bt_\br_\be_\bs_\bu_\bi_\bd_\b(_\b) function.
env_reset If set, s\bsu\bud\bdo\bo will reset the environment to
only contain the following variables: HOME,
with the SECURE_PATH option, its value will be
used for the PATH environment variable. Other
variables may be preserved with the _\be_\bn_\bv_\b__\bk_\be_\be_\bp
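Review bot: the paragraph dropped at the stay_setuid option, from `- program is run setuid. Note, however, that` through `- tion between signals and setuid processes.`, documented a security-relevant caveat: with this option sudo runs with the real uid of the invoking user, who may then be able to kill sudo before it logs a failed attempt. The replacement text only says the option `is only effective on systems with either the setreuid() or setresuid() function`. If the dependence on those functions is what closes the gap (sudo can switch its real uid back before logging), one sentence saying so would let administrators know the failure-logging caveat no longer applies; if the caveat still holds on some platforms, keep it next to the new sentence rather than removing it silently.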
+ option.
-1.6.9 October 7, 2004 8
+1.6.9 October 13, 2004 8
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- option.
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
use_loginclass
If set, s\bsu\bud\bdo\bo will apply the defaults specified
loglinelen Number of characters per line for the file
log. This value is used to decide when to
wrap lines for nicer log files. This has no
+ effect on the syslog log file, only the file
+ log. The default is 80 (use 0 or negate the
-1.6.9 October 7, 2004 9
+1.6.9 October 13, 2004 9
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- effect on the syslog log file, only the file
- log. The default is 80 (use 0 or negate the
option to disable word wrap).
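Review bot: this hunk, and most of the ones that follow, is page-reflow noise rather than an edit: the same lines are added at the foot of one page and deleted at the head of the next with no wording change, for example `+ effect on the syslog log file, only the file` against `- effect on the syslog log file, only the file`. A diff of the formatted cat page buries the single real content change (the stay_setuid paragraph) under dozens of moved lines; submitting the diff against the roff/pod source, or regenerating the formatted page with the original pagination, would make the actual change reviewable.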
timestamp_timeout
%U expanded to the login name of the user
the command will be run as (defaults
+ to root)
-1.6.9 October 7, 2004 10
+1.6.9 October 13, 2004 10
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- to root)
%h expanded to the local hostname without
the domain name
never Never lecture the user.
+ once Only lecture the user the first time
+ they run s\bsu\bud\bdo\bo.
-1.6.9 October 7, 2004 11
+1.6.9 October 13, 2004 11
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- once Only lecture the user the first time
- they run s\bsu\bud\bdo\bo.
-
always Always lecture the user.
The default value is _\bo_\bn_\bc_\be.
to use the -\b-v\bv flag.
always The user must always enter a password
+ to use the -\b-v\bv flag.
+ The default value is `all'.
-1.6.9 October 7, 2004 12
-
+1.6.9 October 13, 2004 12
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- to use the -\b-v\bv flag.
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- The default value is `all'.
listpw This option controls when a password will be
required when a user runs s\bsu\bud\bdo\bo with the -\b-l\bl
dangerous variables from the environment of
any setuid process (such as s\bsu\bud\bdo\bo).
+ env_keep Environment variables to be preserved in the
+ user's environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option
+ is in effect. This allows fine-grained con
+ trol over the environment s\bsu\bud\bdo\bo-spawned
-1.6.9 October 7, 2004 13
+1.6.9 October 13, 2004 13
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- env_keep Environment variables to be preserved in the
- user's environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option
- is in effect. This allows fine-grained con
- trol over the environment s\bsu\bud\bdo\bo-spawned pro
- cesses will receive. The argument may be a
+ processes will receive. The argument may be a
double-quoted, space-separated list or a sin
gle value without double-quotes. The list can
be replaced, added to, deleted from, or dis
dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
The user d\bdg\bgb\bb may run _\b/_\bb_\bi_\bn_\b/_\bl_\bs, _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm
+ -- but only as o\bop\bpe\ber\bra\bat\bto\bor\br. E.g.,
+ $ sudo -u operator /bin/ls.
-1.6.9 October 7, 2004 14
+1.6.9 October 13, 2004 14
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- -- but only as o\bop\bpe\ber\bra\bat\bto\bor\br. E.g.,
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- $ sudo -u operator /bin/ls.
It is also possible to override a Runas_Spec later on in
an entry. If we modify the entry like so:
_\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC
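Review bot: in the re-added example line `+ $ sudo -u operator /bin/ls.` the sentence-ending period sits on the command line itself and can be read as part of the command. Since the line is being touched anyway, drop the period or move it out of the example so the shown invocation is exactly `sudo -u operator /bin/ls`.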
+ If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the
+ underlying operating system supports it, the NOEXEC tag
+ can be used to prevent a dynamically-linked executable
+ from running further commands itself.
-1.6.9 October 7, 2004 15
+1.6.9 October 13, 2004 15
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the
- underlying operating system supports it, the NOEXEC tag
- can be used to prevent a dynamically-linked executable
- from running further commands itself.
-
In the following example, user a\baa\bar\bro\bon\bn may run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be
and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi but shell escapes will be disabled.
"?", "[", and "}".
Note that a forward slash ('/') will n\bno\bot\bt be matched by
+ wildcards used in the pathname. When matching the command
+ line arguments, however, a slash d\bdo\boe\bes\bs get matched by wild
+ cards. This is to make a path like:
+ /usr/bin/*
-1.6.9 October 7, 2004 16
-
+1.6.9 October 13, 2004 16
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- wildcards used in the pathname. When matching the command
- line arguments, however, a slash d\bdo\boe\bes\bs get matched by wild
- cards. This is to make a path like:
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- /usr/bin/*
match _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bw_\bh_\bo but not _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bX_\b1_\b1_\b/_\bx_\bt_\be_\br_\bm.
_\ba_\bl_\bi_\ba_\bs called A\bAL\bLL\bL as the built-in alias will be used in
preference to your own. Please note that using A\bAL\bLL\bL can be
dangerous since in a command context, it allows the user
+ to run a\ban\bny\by command on the system.
+
+ An exclamation point ('!') can be used as a logical _\bn_\bo_\bt
+ operator both in an _\ba_\bl_\bi_\ba_\bs and in front of a Cmnd. This
+ allows one to exclude certain values. Note, however, that
+ using a ! in conjunction with the built-in ALL alias to
-1.6.9 October 7, 2004 17
+1.6.9 October 13, 2004 17
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- to run a\ban\bny\by command on the system.
-
- An exclamation point ('!') can be used as a logical _\bn_\bo_\bt
- operator both in an _\ba_\bl_\bi_\ba_\bs and in front of a Cmnd. This
- allows one to exclude certain values. Note, however, that
- using a ! in conjunction with the built-in ALL alias to
allow a user to run "all but a few" commands rarely works
as intended (see SECURITY NOTES below).
Runas_Alias OP = root, operator
Runas_Alias DB = oracle, sybase
+ # Host alias specification
+ Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
+ SGI = grolsch, dandelion, black :\
+ ALPHA = widget, thalamus, foobar :\
+ HPPA = boa, nag, python
+ Host_Alias CUNETS = 128.138.0.0/255.255.0.0
+ Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
+ Host_Alias SERVERS = master, mail, www, ns
+ Host_Alias CDROM = orion, perseus, hercules
-
-
-
-1.6.9 October 7, 2004 18
+1.6.9 October 13, 2004 18
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- # Host alias specification
- Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
- SGI = grolsch, dandelion, black :\
- ALPHA = widget, thalamus, foobar :\
- HPPA = boa, nag, python
- Host_Alias CUNETS = 128.138.0.0/255.255.0.0
- Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
- Host_Alias SERVERS = master, mail, www, ns
- Host_Alias CDROM = orion, perseus, hercules
-
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
/usr/sbin/restore, /usr/sbin/rrestore
Full time sysadmins (m\bmi\bil\bll\ble\ber\brt\bt, m\bmi\bik\bke\bef\bf, and d\bdo\bow\bwd\bdy\by) may run
any command on any host without authenticating themselves.
+ PARTTIMERS ALL = ALL
+ Part time sysadmins (b\bbo\bos\bst\btl\ble\bey\by, j\bjw\bwf\bfo\box\bx, and c\bcr\bra\baw\bwl\bl) may run
+ any command on any host but they must authenticate them
+ selves first (since the entry lacks the NOPASSWD tag).
-1.6.9 October 7, 2004 19
+ jack CSNETS = ALL
+ The user j\bja\bac\bck\bk may run any command on the machines in the
+1.6.9 October 13, 2004 19
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- PARTTIMERS ALL = ALL
- Part time sysadmins (b\bbo\bos\bst\btl\ble\bey\by, j\bjw\bwf\bfo\box\bx, and c\bcr\bra\baw\bwl\bl) may run
- any command on any host but they must authenticate them
- selves first (since the entry lacks the NOPASSWD tag).
- jack CSNETS = ALL
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
- The user j\bja\bac\bck\bk may run any command on the machines in the
_\bC_\bS_\bN_\bE_\bT_\bS alias (the networks 128.138.243.0, 128.138.204.0,
and 128.138.242.0). Of those networks, only 128.138.204.0
has an explicit netmask (in CIDR notation) indicating it
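Review bot: the new pagination leaves an orphan: `+ jack CSNETS = ALL` and the single line `+ The user jack may run any command on the machines in the` land at the bottom of page 19, while the rest of that sentence (`_CSNETS alias (the networks 128.138.243.0, ...`) starts page 20. If the page is produced with nroff, a `.ne` (need) request before the entry, or otherwise keeping the example and its explanation together, would avoid splitting the paragraph across the page break.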
+secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
Users in the s\bse\bec\bcr\bre\bet\bta\bar\bri\bie\bes\bs netgroup need to help manage the
+ printers as well as add and remove users, so they are
+ allowed to run those commands on all machines.
+ fred ALL = (DB) NOPASSWD: ALL
+ The user f\bfr\bre\bed\bd can run commands as any user in the _\bD_\bB
+ Runas_Alias (o\bor\bra\bac\bcl\ble\be or s\bsy\byb\bba\bas\bse\be) without giving a password.
-1.6.9 October 7, 2004 20
-
+ john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
+1.6.9 October 13, 2004 20
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- printers as well as add and remove users, so they are
- allowed to run those commands on all machines.
- fred ALL = (DB) NOPASSWD: ALL
- The user f\bfr\bre\bed\bd can run commands as any user in the _\bD_\bB
- Runas_Alias (o\bor\bra\bac\bcl\ble\be or s\bsy\byb\bba\bas\bse\be) without giving a password.
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
On the _\bA_\bL_\bP_\bH_\bA machines, user j\bjo\boh\bhn\bn may su to anyone except
root but he is not allowed to give _\bs_\bu(1) any flags.
It is generally not effective to "subtract" commands from
ALL using the '!' operator. A user can trivially circum
vent this by copying the desired command to a different
+ name and then executing that. For example:
+ bill ALL = ALL, !SU, !SHELLS
-
-1.6.9 October 7, 2004 21
+ Doesn't really prevent b\bbi\bil\bll\bl from running the commands
+ listed in _\bS_\bU or _\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those com
+ mands to a different name, or use a shell escape from an
+ editor or other program. Therefore, these kind of
+ restrictions should be considered advisory at best (and
+ reinforced by policy).
+1.6.9 October 13, 2004 21
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- name and then executing that. For example:
- bill ALL = ALL, !SU, !SHELLS
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- Doesn't really prevent b\bbi\bil\bll\bl from running the commands
- listed in _\bS_\bU or _\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those com
- mands to a different name, or use a shell escape from an
- editor or other program. Therefore, these kind of
- restrictions should be considered advisory at best (and
- reinforced by policy).
P\bPR\bRE\bEV\bVE\bEN\bNT\bTI\bIN\bNG\bG S\bSH\bHE\bEL\bLL\bL E\bES\bSC\bCA\bAP\bPE\bES\bS
Once s\bsu\bud\bdo\bo executes a program, that program is free to do
File containing dummy exec functions:
then s\bsu\bud\bdo\bo may be able to replace the exec family
-
-
-
-1.6.9 October 7, 2004 22
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
of functions in the standard library with its
own that simply return an error. Unfortunately,
there is no foolproof way to know whether or not
the LD_PRELOAD environment variable. Check your
operating system's manual pages for the dynamic
linker (usually ld.so, ld.so.1, dyld, dld.sl,
+
+
+
+1.6.9 October 13, 2004 22
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
rld, or loader) to see if LD_PRELOAD is sup
ported.
and Linux. See <http://www.systrace.org/> for
more information.
+ Note that restricting shell escapes is not a panacea.
+ Programs running as root are still capable of many poten
+ tially hazardous operations (such as changing or overwrit
+ ing files) that could lead to unintended privilege escala
+ tion. In the specific case of an editor, a safer approach
+ is to give the user permission to run s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
+S\bSE\bEE\bE A\bAL\bLS\bSO\bO
+ _\br_\bs_\bh(1), _\bs_\bu(1), _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3), sudo(1m), visudo(1m)
-1.6.9 October 7, 2004 23
+1.6.9 October 13, 2004 23
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- Note that restricting shell escapes is not a panacea.
- Programs running as root are still capable of many poten
- tially hazardous operations (such as changing or overwrit
- ing files) that could lead to unintended privilege escala
- tion. In the specific case of an editor, a safer approach
- is to give the user permission to run s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
-S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\br_\bs_\bh(1), _\bs_\bu(1), _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3), sudo(1m), visudo(1m)
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
The _\bs_\bu_\bd_\bo_\be_\br_\bs file should a\bal\blw\bwa\bay\bys\bs be edited by the v\bvi\bis\bsu\bud\bdo\bo
-1.6.9 October 7, 2004 24
+
+
+
+
+
+
+
+
+
+
+1.6.9 October 13, 2004 24