-December 30, 2001 1.6.4 1
+January 13, 2002 1.6.4 1
-December 30, 2001 1.6.4 2
+January 13, 2002 1.6.4 2
-December 30, 2001 1.6.4 3
+January 13, 2002 1.6.4 3
-December 30, 2001 1.6.4 4
+January 13, 2002 1.6.4 4
-December 30, 2001 1.6.4 5
+January 13, 2002 1.6.4 5
-December 30, 2001 1.6.4 6
+January 13, 2002 1.6.4 6
-December 30, 2001 1.6.4 7
+January 13, 2002 1.6.4 7
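Review bot: the version string stays at 1.6.4 on every footer line while the date moves from December 30, 2001 to January 13, 2002, so a page regenerated from this source carries a date later than the 1.6.4 release it names. Please confirm this is intended: if the page is meant for a new release, bump the version in the footer as well; if it is a rebuild of 1.6.4, the date change alone will make the page and the distributed tarball disagree.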
this makes s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo act as a setuid wrapper. This
can be useful on systems that disable some
potentially dangerous functionality when a
- program is run setuid.
+ program is run setuid. Note, however, that
+ this means that sudo will run with the real
+ uid of the invoking user which may allow that
+ user to kill s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo before it can log a failure,
+ depending on how your OS defines the interac
+ tion between signals and setuid processes.
env_reset If set, s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo will reset the environment to
only contain the following variables: HOME,
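Review bot: the new caveat on the setuid-wrapper option is the only wording change in this patch, and its operational consequence deserves to be stated plainly: once sudo keeps the invoking user's real uid, that user can signal it, so a failed attempt may never reach the log ("may allow that user to kill sudo before it can log a failure"). Suggest adding that the option should stay off unless the platform really does disable functionality for setuid programs, and that sites relying on sudo's failure log for alerting should not enable it; "depending on how your OS defines the interaction between signals and setuid processes" leaves the administrator to work out the risk alone.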
I\bI\bI\bIn\bn\bn\bnt\bt\bt\bte\be\be\beg\bg\bg\bge\be\be\ber\br\br\brs\bs\bs\bs t\bt\bt\bth\bh\bh\bha\ba\ba\bat\bt\bt\bt c\bc\bc\bca\ba\ba\ban\bn\bn\bn b\bb\bb\bbe\be\be\be u\bu\bu\bus\bs\bs\bse\be\be\bed\bd\bd\bd i\bi\bi\bin\bn\bn\bn a\ba\ba\ba b\bb\bb\bbo\bo\bo\boo\bo\bo\bol\bl\bl\ble\be\be\bea\ba\ba\ban\bn\bn\bn c\bc\bc\bco\bo\bo\bon\bn\bn\bnt\bt\bt\bte\be\be\bex\bx\bx\bxt\bt\bt\bt:
- loglinelen Number of characters per line for the file
- log. This value is used to decide when to
- wrap lines for nicer log files. This has no
- effect on the syslog log file, only the file
- log. The default is 80 (use 0 or negate the
-December 30, 2001 1.6.4 8
+January 13, 2002 1.6.4 8
sudoers(4) MAINTENANCE COMMANDS sudoers(4)
+ loglinelen Number of characters per line for the file
+ log. This value is used to decide when to
+ wrap lines for nicer log files. This has no
+ effect on the syslog log file, only the file
+ log. The default is 80 (use 0 or negate the
option to disable word wrap).
timestamp_timeout
flag is not specified on the command line.
This defaults to root.
- syslog_goodpri
- Syslog priority to use when user authenticates
- successfully. Defaults to notice.
-
-
-December 30, 2001 1.6.4 9
+January 13, 2002 1.6.4 9
sudoers(4) MAINTENANCE COMMANDS sudoers(4)
+ syslog_goodpri
+ Syslog priority to use when user authenticates
+ successfully. Defaults to notice.
+
syslog_badpri
Syslog priority to use when user authenticates
unsuccessfully. Defaults to alert.
any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs
entries for the current host must have
- the NOPASSWD flag set to avoid enter
- ing a password.
-
- never The user need never enter a password
- to use the -\b-\b-\b-v\bv\bv\bv flag.
+ the NOPASSWD flag set to avoid
-December 30, 2001 1.6.4 10
+January 13, 2002 1.6.4 10
sudoers(4) MAINTENANCE COMMANDS sudoers(4)
+ entering a password.
+
+ never The user need never enter a password
+ to use the -\b-\b-\b-v\bv\bv\bv flag.
+
always The user must always enter a password
to use the -\b-\b-\b-v\bv\bv\bv flag.
abled by using the =, +=, -=, and ! operators
respectively. The default list of environment
variable to remove is printed when s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo is run
- by root with the _\b-_\bV option.
- env_keep Environment variables to be preserved in the
- user's environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option
- is in effect. This allows fine-grained
-
-December 30, 2001 1.6.4 11
+January 13, 2002 1.6.4 11
sudoers(4) MAINTENANCE COMMANDS sudoers(4)
- control over the environment s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo-spawned pro
+ by root with the _\b-_\bV option.
+
+ env_keep Environment variables to be preserved in the
+ user's environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option
+ is in effect. This allows fine-grained con
+ trol over the environment s\bs\bs\bsu\bu\bu\bud\bd\bd\bdo\bo\bo\bo-spawned pro
cesses will receive. The argument may be a
double-quoted, space-separated list or a sin
gle value without double-quotes. The list can
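Review bot: the context line "variable to remove is printed when sudo is run" should read "variables to remove"; since this hunk already rewraps the env_keep paragraph across the page break, it could carry that one-word fix. The reflow itself changes no text, "fine-grained" / "control" simply becomes "fine-grained con-" / "trol", so nothing else needs checking here.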
The user d\bd\bd\bdg\bg\bg\bgb\bb\bb\bb may run _\b/_\bb_\bi_\bn_\b/_\bl_\bs, _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm
-- but only as o\bo\bo\bop\bp\bp\bpe\be\be\ber\br\br\bra\ba\ba\bat\bt\bt\bto\bo\bo\bor\br\br\br. E.g.,
- sudo -u operator /bin/ls.
- It is also possible to override a Runas_Spec later on in
- an entry. If we modify the entry like so:
+January 13, 2002 1.6.4 12
-December 30, 2001 1.6.4 12
+sudoers(4) MAINTENANCE COMMANDS sudoers(4)
-sudoers(4) MAINTENANCE COMMANDS sudoers(4)
+ sudo -u operator /bin/ls.
+ It is also possible to override a Runas_Spec later on in
+ an entry. If we modify the entry like so:
dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
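Review bot: this hunk lists "+January 13, 2002 1.6.4 12" and "+sudoers(4) MAINTENANCE COMMANDS sudoers(4)" before their "-" counterparts, the reverse of the order used elsewhere in the patch, which suggests it was edited by hand; regenerate it with diff so it is certain to apply cleanly. Note also that the line beginning "-- but only as operator. E.g.," is the page's own double hyphen, not a removed line; the "+" side keeps "sudo -u operator /bin/ls." and the two sentences after it, so no text is dropped.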
[...] Matches any character in the specified range.
- [!...] Matches any character n\bn\bn\bno\bo\bo\bot\bt\bt\bt in the specified range.
-
- \x For any character "x", evaluates to "x". This is
- used to escape special characters such as: "*",
- "?", "[", and "}".
-December 30, 2001 1.6.4 13
+January 13, 2002 1.6.4 13
sudoers(4) MAINTENANCE COMMANDS sudoers(4)
+ [!...] Matches any character n\bn\bn\bno\bo\bo\bot\bt\bt\bt in the specified range.
+
+ \x For any character "x", evaluates to "x". This is
+ used to escape special characters such as: "*",
+ "?", "[", and "}".
+
Note that a forward slash ('/') will n\bn\bn\bno\bo\bo\bot\bt\bt\bt be matched by
wildcards used in the pathname. When matching the command
line arguments, however, as slash d\bd\bd\bdo\bo\bo\boe\be\be\bes\bs\bs\bs get matched by
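Review bot: the escape list "used to escape special characters such as: "*", "?", "[", and "}"" almost certainly intends "]" to pair with "[", since the glob forms listed just above are "[...]" and "[!...]" and "}" has no special meaning in any of them; as the lines are being moved anyway, fix the brace here. The trailing context line "as slash does get matched by" should read "a slash does get matched by".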
syntactic characters in a _\bU_\bs_\be_\br _\bS_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn ('=', ':',
'(', ')') is optional.
- The following characters must be escaped with a backslash
- ('\') when used as part of a word (e.g. a username or
- hostname): '@', '!', '=', ':', ',', '(', ')', '\'.
-E\bE\bE\bEX\bX\bX\bXA\bA\bA\bAM\bM\bM\bMP\bP\bP\bPL\bL\bL\bLE\bE\bE\bES\bS\bS\bS
- Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of
-
-December 30, 2001 1.6.4 14
+January 13, 2002 1.6.4 14
sudoers(4) MAINTENANCE COMMANDS sudoers(4)
+ The following characters must be escaped with a backslash
+ ('\') when used as part of a word (e.g. a username or
+ hostname): '@', '!', '=', ':', ',', '(', ')', '\'.
+
+E\bE\bE\bEX\bX\bX\bXA\bA\bA\bAM\bM\bM\bMP\bP\bP\bPL\bL\bL\bLE\bE\bE\bES\bS\bS\bS
+ Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of
these are a bit contrived. First, we define our _\ba_\bl_\bi_\ba_\bs_\be_\bs:
# User alias specification
Defaults:millert !authenticate
Defaults@SERVERS log_year, logfile=/var/log/sudo.log
- The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually deter
- mines who may run what.
- root ALL = (ALL) ALL
- %wheel ALL = (ALL) ALL
+January 13, 2002 1.6.4 15
-December 30, 2001 1.6.4 15
+sudoers(4) MAINTENANCE COMMANDS sudoers(4)
-sudoers(4) MAINTENANCE COMMANDS sudoers(4)
+ The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually deter
+ mines who may run what.
+ root ALL = (ALL) ALL
+ %wheel ALL = (ALL) ALL
We let r\br\br\bro\bo\bo\boo\bo\bo\bot\bt\bt\bt and any user in group w\bw\bw\bwh\bh\bh\bhe\be\be\bee\be\be\bel\bl\bl\bl run any command on
any host as any user.
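Review bot: "Defaults:millert !authenticate" turns authentication off for that user altogether; because this hunk moves the example unchanged across the page break, it is a convenient place to add a sentence saying the line illustrates per-user Defaults syntax rather than a setting to copy. The "root ALL = (ALL) ALL" and "%wheel ALL = (ALL) ALL" entries that follow are fine as written.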
bob SPARC = (OP) ALL : SGI = (OP) ALL
- The user b\bb\bb\bbo\bo\bo\bob\bb\bb\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI
- machines as any user listed in the _\bO_\bP Runas_Alias (r\br\br\bro\bo\bo\boo\bo\bo\bot\bt\bt\bt
- and o\bo\bo\bop\bp\bp\bpe\be\be\ber\br\br\bra\ba\ba\bat\bt\bt\bto\bo\bo\bor\br\br\br).
- jim +biglab = ALL
+January 13, 2002 1.6.4 16
-December 30, 2001 1.6.4 16
+sudoers(4) MAINTENANCE COMMANDS sudoers(4)
-sudoers(4) MAINTENANCE COMMANDS sudoers(4)
+ The user b\bb\bb\bbo\bo\bo\bob\bb\bb\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI
+ machines as any user listed in the _\bO_\bP Runas_Alias (r\br\br\bro\bo\bo\boo\bo\bo\bot\bt\bt\bt
+ and o\bo\bo\bop\bp\bp\bpe\be\be\ber\br\br\bra\ba\ba\bat\bt\bt\bto\bo\bo\bor\br\br\br).
+ jim +biglab = ALL
The user j\bj\bj\bji\bi\bi\bim\bm\bm\bm may run any command on machines in the _\bb_\bi_\bg_\bl_\ba_\bb
netgroup. S\bS\bS\bSu\bu\bu\bud\bd\bd\bdo\bo\bo\bo knows that "biglab" is a netgroup due to
(will, wendy, and wim), may run any command as user www
(which owns the web pages) or simply _\bs_\bu(1) to www.
- ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
- /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
-
- Any user may mount or unmount a CD-ROM on the machines in
- the CDROM Host_Alias (orion, perseus, hercules) without
- entering a password. This is a bit tedious for users to
-December 30, 2001 1.6.4 17
+January 13, 2002 1.6.4 17
sudoers(4) MAINTENANCE COMMANDS sudoers(4)
+ ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
+ /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
+
+ Any user may mount or unmount a CD-ROM on the machines in
+ the CDROM Host_Alias (orion, perseus, hercules) without
+ entering a password. This is a bit tedious for users to
type, so it is a prime candidate for encapsulating in a
shell script.
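Review bot: "/sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM" is the one place the page exercises the escaping rule stated earlier (',' must be backslash-escaped inside a word), and the text should say so: a reader who drops the backslash turns the comma into a list separator and gets two broken entries instead of one command. It is also worth stating why a NOPASSWD grant to ALL is acceptable here: the mount options are matched as part of the command line, so a user cannot leave out nosuid or nodev, and the shell script the paragraph recommends must invoke sudo with exactly these arguments rather than be the thing listed in sudoers.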
-
-
-
-
-
-
-December 30, 2001 1.6.4 18
+January 13, 2002 1.6.4 18