back-ported from sudo trunk.
--HG--
branch : 1.7
^ChangeLog$
^.*\.man$
+^.*\.man\.sed$
+^.*\.mdoc$
+^.*\.mdoc\.sed$
^varsub$
^zlib/zconf.h$
--with-otp-only
This option is now just an alias for --without-passwd.
- --with-selinux
+ --with-selinux
Enable support for role based access control (RBAC) on
systems that support SELinux.
name as specified by --with-libvas). This option only has
an effect when --with-libvas is specified.
+ --with-man
+ Use the "man" macros for manual pages. By default, mdoc
+ versions of the manuals are installed. This can be used
+ to override configure's test for "nroff -mdoc" support.
+
+ --with-mdoc
+ Use the "mdoc" macros for manual pages. By default, mdoc
+ versions of the manuals are installed. This can be used
+ to override configure's test for "nroff -mdoc" support.
+
The following options are also configurable at runtime:
--with-long-otp-prompt
CC = @CC@
FLEX = @FLEX@
YACC = @YACC@
-NROFF = @NROFFPROG@ -Tascii
LIBTOOL = @LIBTOOL@
AR=@AR@
RANLIB=@RANLIB@
+SED=@SED@
+TR = @TRPROG@
+MANDOC = @MANDOCPROG@
MANCOMPRESS = @MANCOMPRESS@
MANCOMPRESSEXT = @MANCOMPRESSEXT@
mantype = @MANTYPE@
mansectsu = @mansectsu@
mansectform = @mansectform@
-mandirsu = $(mandir)/$(mantype)$(mansectsu)
-mandirform = $(mandir)/$(mantype)$(mansectform)
+mandirsu = $(mandir)/@MANDIRTYPE@$(mansectsu)
+mandirform = $(mandir)/@MANDIRTYPE@$(mansectform)
# User and group ids the installed files should be "owned" by
install_uid = 0
# Pass in paths and uid/gid + OS dependent defined
DEFS = @OSDEFS@ -D_PATH_SUDOERS=\"$(sudoersdir)/sudoers\" -DSUDOERS_UID=$(sudoers_uid) -DSUDOERS_GID=$(sudoers_gid) -DSUDOERS_MODE=$(sudoers_mode)
+# Set to non-empty for development mode
+DEVEL = @DEVEL@
+
#### End of system configuration section. ####
SHELL = @SHELL@
LICENSE Makefile.in NEWS PORTING README README.LDAP \
TROUBLESHOOTING UPGRADE aclocal.m4 aixcrypt.exp config.guess \
config.h.in config.sub configure configure.in def_data.in \
- indent.pro install-sh ltmain.sh m4 mkdefaults mkinstalldirs \
- mkpkg pathnames.h.in pp sample.pam sample.syslog.conf \
- sample.sudoers schema.ActiveDirectory schema.OpenLDAP \
- schema.iPlanet siglist.in sudo.cat sudo.man.in sudo.pod sudo.pp \
- sudo_usage.h.in sudoers.in sudoers.cat sudoers.man.in sudoers.pod \
- sudoers.ldap.cat sudoers.ldap.man.in sudoers.ldap.pod \
- sudoers2ldif sudoreplay.cat sudoreplay.man.in sudoreplay.pod \
- visudo.cat visudo.man.in visudo.pod auth/API sudo.man.pl \
+ fixman.sh fixmdoc.sh indent.pro install-sh ltmain.sh m4 \
+ mkdefaults mkinstalldirs mkpkg pathnames.h.in pp sample.pam \
+ sample.syslog.conf sample.sudoers schema.ActiveDirectory \
+ schema.OpenLDAP schema.iPlanet siglist.in sudo.cat sudo.man.in \
+ sudo.mdoc.in sudo.pp sudo_usage.h.in sudoers.in sudoers.cat \
+ sudoers.man.in sudoers.mdoc.in sudoers.ldap.cat \
+ sudoers.ldap.man.in sudoers.ldap.mdoc.in sudoers2ldif \
+ sudoreplay.cat sudoreplay.man.in sudoreplay.mdoc.in \
+ visudo.cat visudo.man.in visudo.mdoc.in auth/API sudo.man.pl \
sudoers.man.pl $(ZLIB_FILES)
ZLIB_FILES = zlib/adler32.c zlib/compress.c zlib/crc32.c zlib/crc32.h \
INSDEP = $(srcdir)/ins_2001.h $(srcdir)/ins_classic.h $(srcdir)/ins_csops.h \
$(srcdir)/ins_goons.h $(srcdir)/insults.h
-all: $(PROGS)
+DOCS = sudo.$(mantype) visudo.$(mantype) sudoers.$(mantype) \
+ sudoers.ldap.$(mantype) sudoers.$(mantype) \
+ sudoreplay.$(mantype)
+
+DEVDOCS = $(srcdir)/sudo.man.in $(srcdir)/sudo.cat \
+ $(srcdir)/visudo.man.in $(srcdir)/visudo.cat \
+ $(srcdir)/sudoers.man.in $(srcdir)/sudoers.cat \
+ $(srcdir)/sudoers.ldap.man.in $(srcdir)/sudoers.ldap.cat \
+ $(srcdir)/sudoers.man.in $(srcdir)/sudoers.cat \
+ $(srcdir)/sudoreplay.man.in $(srcdir)/sudoreplay.cat
+
+all: $(PROGS) $(DEVDOCS) $(DOCS)
.SUFFIXES: .o .c .h .l .y .lo
libsudo_noexec.la: sudo_noexec.lo
$(LIBTOOL) --mode=link $(CC) $(LDFLAGS) -o $@ sudo_noexec.lo -avoid-version -rpath $(noexecdir)
-# Uncomment the following if you want "make distclean" to clean the parser
-@DEV@GENERATED = gram.h gram.c toke.c def_data.c def_data.h getdate
+GENERATED = gram.h gram.c toke.c def_data.c def_data.h getdate.c
-# Uncomment the lines before -@true if you intend to modify gram.y
$(devdir)/gram.c $(devdir)/gram.h: $(srcdir)/gram.y
-@DEV@ $(YACC) -d $(srcdir)/gram.y
-@DEV@ echo "#include <config.h>" > $(devdir)/gram.c
-@DEV@ cat y.tab.c >> $(devdir)/gram.c
-@DEV@ rm -f y.tab.c
-@DEV@ mv -f y.tab.h $(devdir)/gram.h
- -@true
-
-# Uncomment the lines before -@true if you intend to modify toke.l
+ @if [ -n "$(DEVEL)" ]; then \
+ if test "$(srcdir)" = "."; then \
+ gram_y="gram.y"; \
+ else \
+ gram_y="$(srcdir)/gram.y"; \
+ fi; \
+ cmd='$(YACC) -d '"$$gram_y"'; echo "#include <config.h>" > $(devdir)/gram.c; sed "s/^\\(#line .*\\) \"y\\.tab\\.c\"/\1 \"gram.c\"/" y.tab.c >> $(devdir)/gram.c; rm -f y.tab.c; mv -f y.tab.h $(devdir)/gram.h'; \
+ echo "$$cmd"; eval $$cmd; \
+ fi
+
$(devdir)/toke.c: $(srcdir)/toke.l
-@DEV@ $(FLEX) $(srcdir)/toke.l
-@DEV@ echo "#include <config.h>" > $(devdir)/toke.c
-@DEV@ cat lex.yy.c >> $(devdir)/toke.c
-@DEV@ rm -f lex.yy.c
- -@true
+ @if [ -n "$(DEVEL)" ]; then \
+ if test "$(srcdir)" = "."; then \
+ toke_l="toke.l"; \
+ else \
+ toke_l="$(srcdir)/toke.l"; \
+ fi; \
+ cmd='$(FLEX) '"$$toke_l"'; echo "#include <config.h>" > $(devdir)/toke.c; cat lex.yy.c >> $(devdir)/toke.c; rm -f lex.yy.c'; \
+ echo "$$cmd"; eval $$cmd; \
+ fi
-# Uncomment the lines before -@true if you intend to modify getdate.y
$(devdir)/getdate.c: $(srcdir)/getdate.y
-@DEV@ echo "expect 10 shift/reduce conflicts"
-@DEV@ $(YACC) $(srcdir)/getdate.y
-@DEV@ echo "#include <config.h>" > $(devdir)/getdate.c
-@DEV@ cat y.tab.c >> $(devdir)/getdate.c
-@DEV@ rm -f y.tab.c
- -@true
+ @if [ -n "$(DEVEL)" ]; then \
+ echo "expect 10 shift/reduce conflicts"; \
+ if test "$(srcdir)" = "."; then \
+ getdate_y="getdate.y"; \
+ else \
+ getdate_y="$(srcdir)/getdate.y"; \
+ fi; \
+ cmd='$(YACC) '"$$getdate_y"'; echo "#include <config.h>" > $(devdir)/getdate.c; sed "s/^\\(#line .*\\) \"y\\.tab\\.c\"/\1 \"getdate.c\"/" y.tab.c >> $(devdir)/getdate.c; rm -f y.tab.c'; \
+ echo "$$cmd"; eval $$cmd; \
+ fi
-# Uncomment the following if you intend to modify def_data.in
-@DEV@$(devdir)/def_data.h $(devdir)/def_data.c: $(srcdir)/def_data.in
-@DEV@ perl $(srcdir)/mkdefaults -o def_data $(srcdir)/def_data.in
+$(devdir)/def_data.c $(devdir)/def_data.h: $(srcdir)/def_data.in
+ @if [ -n "$(DEVEL)" ]; then \
+ cmd='$(PERL) $(srcdir)/mkdefaults -o $(devdir)/def_data $(srcdir)/def_data.in'; \
+ echo "$$cmd"; eval $$cmd; \
+ fi
siglist.c: mksiglist
./mksiglist > $@
mksiglist: $(srcdir)/mksiglist.c $(srcdir)/mksiglist.h $(srcdir)/missing.h config.h
$(CC) $(CPPFLAGS) $(CFLAGS) $(DEFS) $(srcdir)/mksiglist.c -o $@
-@DEV@$(srcdir)/mksiglist.h: $(srcdir)/siglist.in
-@DEV@ awk 'BEGIN {print "/* public domain */\n"} /^ [A-Z]/ {printf("#ifdef SIG%s\n if (my_sys_siglist[SIG%s] == NULL)\n\tmy_sys_siglist[SIG%s] = \"%s\";\n#endif\n", $$1, $$1, $$1, substr($$0, 13))}' < $(srcdir)/siglist.in > $@
+$(srcdir)/mksiglist.h: $(srcdir)/siglist.in
+ @if [ -n "$(DEVEL)" ]; then \
+ awk 'BEGIN {print "/* public domain */\n"} /^ [A-Z]/ {printf("#ifdef SIG%s\n if (my_sys_siglist[SIG%s] == NULL)\n\tmy_sys_siglist[SIG%s] = \"%s\";\n#endif\n", $$1, $$1, $$1, substr($$0, 13))}' < $(srcdir)/siglist.in > $@; \
+ fi
# Dependencies (not counting auth functions)
aix.o: $(srcdir)/aix.c
zutil.o: $(srcdir)/zlib/zutil.h $(srcdir)/zlib/zlib.h zlib/zconf.h
$(CC) -c -I. -I$(srcdir)/zlib $(CFLAGS) $(PIE_CFLAGS) $(srcdir)/zlib/zutil.c
-@DEV@varsub: $(srcdir)/configure.in
-@DEV@ printf 's#@%s@#1#\ns#@%s@#1#\ns#@%s@#1#\ns#@%s@#/etc#g\ns#@%s@#/usr/local#g\ns#@%s@#4#g\ns#@%s@#1m#g\n' SEMAN BAMAN LCMAN sysconfdir prefix mansectform mansectsu > $@; sed -n '/Begin initial values for man page substitution/,/End initial values for man page substitution/{;p;}' $(srcdir)/configure.in | sed -e '/^#/d' -e 's/^/s#@/' -e 's/=[\\"]*/@#/' -e 's/[\\"]*$$/#g/' >> $@
+varsub: $(srcdir)/configure.in
+ @if [ -n "$(DEVEL)" ]; then \
+ printf 's#@%s@#1#\ns#@%s@#1#\ns#@%s@#1#\ns#@%s@#/etc#g\ns#@%s@#/usr/local#g\ns#@%s@#5#g\ns#@%s@#8#g\ns#@%s@#%s#\n' SEMAN BAMAN LCMAN sysconfdir prefix mansectform mansectsu PACKAGE_VERSION $(VERSION) > $@; \
+ $(SED) -n '/Begin initial values for man page substitution/,/End initial values for man page substitution/{;p;}' $(srcdir)/configure.in | $(SED) -e '/^#/d' -e 's/^/s#@/' -e 's/=[\\"]*/@#/' -e 's/[\\"]*$$/#g/' >> $@; \
+ fi
-@DEV@$(srcdir)/sudo.man.in: $(srcdir)/sudo.pod
-@DEV@ mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' $(srcdir)/sudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" $(srcdir)/sudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" | perl -p $(srcdir)/sudo.man.pl >> $@
+$(srcdir)/sudo.man.in: $(srcdir)/sudo.mdoc.in
+ @if [ -n "$(DEVEL)" ]; then \
+ echo "Generating $@"; \
+ mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
+ mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
+ printf '.\\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!\n' > $@; \
+ printf '.\\" IT IS GENERATED AUTOMATICALLY FROM sudo.mdoc.in\n' >> $@; \
+ $(SED) -n -e '/^.Dd/q' -e '/^\.\\/p' $(srcdir)/sudo.mdoc.in >> $@; \
+ $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudo.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDO" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" >> $@; \
+ fi
-sudo.man: $(srcdir)/sudo.man.in
- $(SHELL) config.status --file=$@
+sudo.man.sed: $(srcdir)/fixman.sh
+ BAMAN=@BAMAN@ LCMAN=@LCMAN@ SEMAN=@SEMAN@ $(SHELL) $(srcdir)/fixman.sh $@
-@DEV@$(srcdir)/sudo.cat: varsub $(srcdir)/sudo.man.in
-@DEV@ sed -f varsub $(srcdir)/sudo.man.in | $(NROFF) -man > $@
+sudo.man: $(srcdir)/sudo.man.in sudo.man.sed
+ (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/$@.in | $(SED) -f $@.sed > $@
-@DEV@$(srcdir)/visudo.man.in: $(srcdir)/visudo.pod
-@DEV@ mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' $(srcdir)/visudo.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" $(srcdir)/visudo.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@
+sudo.mdoc.sed: $(srcdir)/fixmdoc.sh
+ BAMAN=@BAMAN@ LCMAN=@LCMAN@ SEMAN=@SEMAN@ $(SHELL) $(srcdir)/fixmdoc.sh $@
-visudo.man: $(srcdir)/visudo.man.in
- $(SHELL) config.status --file=$@
+sudo.mdoc: $(srcdir)/sudo.mdoc.in sudo.mdoc.sed
+ (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/$@.in | $(SED) -f $@.sed > $@
-@DEV@$(srcdir)/visudo.cat: varsub $(srcdir)/visudo.man.in
-@DEV@ sed -f varsub $(srcdir)/visudo.man.in | $(NROFF) -man > $@
+$(srcdir)/sudo.cat: varsub $(srcdir)/sudo.mdoc.in
+ @if [ -n "$(DEVEL)" ]; then \
+ echo "Generating $@"; \
+ $(SED) -f varsub $(srcdir)/sudo.mdoc.in | $(MANDOC) -mdoc | $(SED) -e 's/ OpenBSD \([^ ].* \)/ \1 /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \
+ fi
-@DEV@$(srcdir)/sudoers.man.in: $(srcdir)/sudoers.pod
-@DEV@ mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' $(srcdir)/sudoers.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectform --release=$(VERSION) --center="MAINTENANCE COMMANDS" $(srcdir)/sudoers.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" | perl -p $(srcdir)/sudoers.man.pl >> $@
+sudo.cat: $(srcdir)/sudo.cat
+
+$(srcdir)/visudo.man.in: $(srcdir)/visudo.mdoc.in
+ @if [ -n "$(DEVEL)" ]; then \
+ echo "Generating $@"; \
+ mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
+ mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
+ printf '.\\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!\n' > $@; \
+ printf '.\\" IT IS GENERATED AUTOMATICALLY FROM visudo.mdoc.in\n' >> $@; \
+ $(SED) -n -e '/^.Dd/q' -e '/^\.\\/p' $(srcdir)/visudo.mdoc.in >> $@; \
+ $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/visudo.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "VISUDO" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" >> $@; \
+ fi
-sudoers.man: $(srcdir)/sudoers.man.in
- $(SHELL) config.status --file=$@
+visudo.man.sed: $(srcdir)/fixman.sh
+ $(SHELL) $(srcdir)/fixman.sh $@
-@DEV@$(srcdir)/sudoers.cat: varsub $(srcdir)/sudoers.man.in
-@DEV@ sed -f varsub $(srcdir)/sudoers.man.in | $(NROFF) -man > $@
+visudo.man: $(srcdir)/visudo.man.in visudo.man.sed
+ (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/$@.in | $(SED) -f $@.sed > $@
-@DEV@$(srcdir)/sudoers.ldap.man.in: $(srcdir)/sudoers.ldap.pod
-@DEV@ mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' $(srcdir)/sudoers.ldap.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectform --release=$(VERSION) --center="MAINTENANCE COMMANDS" $(srcdir)/sudoers.ldap.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@
+visudo.mdoc: $(srcdir)/visudo.mdoc.in
+ (cd $(top_builddir) && $(SHELL) config.status --file=$@)
-sudoers.ldap.man: $(srcdir)/sudoers.ldap.man.in
- $(SHELL) config.status --file=$@
+$(srcdir)/visudo.cat: varsub $(srcdir)/visudo.mdoc.in
+ @if [ -n "$(DEVEL)" ]; then \
+ echo "Generating $@"; \
+ $(SED) -f varsub $(srcdir)/visudo.mdoc.in | $(MANDOC) -mdoc | $(SED) -e 's/ OpenBSD \([^ ].* \)/ \1 /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \
+ fi
-@DEV@$(srcdir)/sudoers.ldap.cat: varsub $(srcdir)/sudoers.ldap.man.in
-@DEV@ sed -f varsub $(srcdir)/sudoers.ldap.man.in | $(NROFF) -man > $@
+visudo.cat: $(srcdir)/visudo.cat
+
+$(srcdir)/sudoers.man.in: $(srcdir)/sudoers.mdoc.in
+ @if [ -n "$(DEVEL)" ]; then \
+ echo "Generating $@"; \
+ mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
+ mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
+ printf '.\\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!\n' > $@; \
+ printf '.\\" IT IS GENERATED AUTOMATICALLY FROM sudoers.mdoc.in\n' >> $@; \
+ $(SED) -n -e '/^.Dd/q' -e '/^\.\\/p' $(srcdir)/sudoers.mdoc.in >> $@; \
+ $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoers.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOERS" \)"5"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" >> $@; \
+ fi
+
+sudoers.man.sed: $(srcdir)/fixman.sh
+ LCMAN=@LCMAN@ SEMAN=@SEMAN@ $(SHELL) $(srcdir)/fixman.sh $@
+
+sudoers.man: $(srcdir)/sudoers.man.in sudoers.man.sed
+ (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/$@.in | $(SED) -f $@.sed > $@
+
+sudoers.mdoc.sed: $(srcdir)/fixmdoc.sh
+ LCMAN=@LCMAN@ SEMAN=@SEMAN@ $(SHELL) $(srcdir)/fixmdoc.sh $@
+
+sudoers.mdoc: $(srcdir)/sudoers.mdoc.in sudoers.mdoc.sed
+ (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/$@.in | $(SED) -f $@.sed > $@
+
+$(srcdir)/sudoers.cat: varsub $(srcdir)/sudoers.mdoc.in
+ @if [ -n "$(DEVEL)" ]; then \
+ echo "Generating $@"; \
+ $(SED) -f varsub $(srcdir)/sudoers.mdoc.in | $(MANDOC) -mdoc | $(SED) -e 's/ OpenBSD \([^ ].* \)/ \1 /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \
+ fi
+
+sudoers.cat: $(srcdir)/sudoers.cat
+
+$(srcdir)/sudoers.ldap.man.in: $(srcdir)/sudoers.ldap.mdoc.in
+ @if [ -n "$(DEVEL)" ]; then \
+ echo "Generating $@"; \
+ mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
+ mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
+ printf '.\\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!\n' > $@; \
+ printf '.\\" IT IS GENERATED AUTOMATICALLY FROM sudoers.ldap.mdoc.in\n' >> $@; \
+ $(SED) -n -e '/^.Dd/q' -e '/^\.\\/p' $(srcdir)/sudoers.ldap.mdoc.in >> $@; \
+ $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoers.ldap.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOERS.LDAP" \)"5"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" >> $@; \
+ fi
+
+sudoers.ldap.man.sed: $(srcdir)/fixman.sh
+ $(SHELL) $(srcdir)/fixman.sh $@
-@DEV@$(srcdir)/sudoreplay.man.in: $(srcdir)/sudoreplay.pod
-@DEV@ mansectsu=`echo @MANSECTSU@|tr A-Z a-z`; mansectform=`echo @MANSECTFORM@|tr A-Z a-z`; sed -n -e '/^=pod/q' -e 's/^/.\\" /p' $(srcdir)/sudoreplay.pod > $@; pod2man --quotes=none --date="`date '+%B %e, %Y'`" --section=$$mansectsu --release=$(VERSION) --center="MAINTENANCE COMMANDS" $(srcdir)/sudoreplay.pod | sed -e "s/(5)/($$mansectform)/" -e "s/(8)/($$mansectsu)/" -e 's|\\fI\\f\((CW*\)*I@\([^@]*\)\\fI@|\\fI@\2@|g' >> $@
+sudoers.ldap.man: $(srcdir)/sudoers.ldap.man.in sudoers.ldap.man.sed
+ (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/$@.in | $(SED) -f $@.sed > $@
-sudoreplay.man: $(srcdir)/sudoreplay.man.in
- $(SHELL) config.status --file=$@
+sudoers.ldap.mdoc: $(srcdir)/sudoers.ldap.mdoc.in
+ (cd $(top_builddir) && $(SHELL) config.status --file=$@)
+
+$(srcdir)/sudoers.ldap.cat: varsub $(srcdir)/sudoers.ldap.mdoc.in
+ @if [ -n "$(DEVEL)" ]; then \
+ echo "Generating $@"; \
+ $(SED) -f varsub $(srcdir)/sudoers.ldap.mdoc.in | $(MANDOC) -mdoc | $(SED) -e 's/ OpenBSD \([^ ].* \)/ \1 /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \
+ fi
+
+sudoers.ldap.cat: $(srcdir)/sudoers.ldap.cat
+
+$(srcdir)/sudoreplay.man.in: $(srcdir)/sudoreplay.mdoc.in
+ @if [ -n "$(DEVEL)" ]; then \
+ echo "Generating $@"; \
+ mansectsu=`echo @MANSECTSU@|$(TR) A-Z a-z`; \
+ mansectform=`echo @MANSECTFORM@|$(TR) A-Z a-z`; \
+ printf '.\\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!\n' > $@; \
+ printf '.\\" IT IS GENERATED AUTOMATICALLY FROM sudoreplay.mdoc.in\n' >> $@; \
+ $(SED) -n -e '/^.Dd/q' -e '/^\.\\/p' $(srcdir)/sudoreplay.mdoc.in >> $@; \
+ $(SED) -e "s/$$mansectsu/8/g" -e "s/$$mansectform/5/g" $(srcdir)/sudoreplay.mdoc.in | $(MANDOC) -Tman | $(SED) -e 's/^\(\.TH "SUDOREPLAY" \)"8"\(.*"\)OpenBSD \(.*\)/\1"'$$mansectsu'"\2\3/' -e "s/(5)/($$mansectform)/g" -e "s/(8)/($$mansectsu)/g" >> $@; \
+ fi
+
+sudoreplay.man.sed: $(srcdir)/fixman.sh
+ $(SHELL) $(srcdir)/fixman.sh $@
+
+sudoreplay.man: $(srcdir)/sudoreplay.man.in sudoreplay.man.sed
+ (cd $(top_builddir) && $(SHELL) config.status --file=-) < $(srcdir)/$@.in | $(SED) -f $@.sed > $@
+
+sudoreplay.mdoc: $(srcdir)/sudoreplay.mdoc.in
+ (cd $(top_builddir) && $(SHELL) config.status --file=$@)
+
+$(srcdir)/sudoreplay.cat: varsub $(srcdir)/sudoreplay.mdoc.in
+ @if [ -n "$(DEVEL)" ]; then \
+ echo "Generating $@"; \
+ $(SED) -f varsub $(srcdir)/sudoreplay.mdoc.in | $(MANDOC) -mdoc | $(SED) -e 's/ OpenBSD \([^ ].* \)/ \1 /' -e 's/(5)/(4)/g' -e 's/(8)/(1m)/g' > $@; \
+ fi
-@DEV@$(srcdir)/sudoreplay.cat: varsub $(srcdir)/sudoreplay.man.in
-@DEV@ sed -f varsub $(srcdir)/sudoreplay.man.in | $(NROFF) -man > $@
+sudoreplay.cat: $(srcdir)/sudoreplay.cat
sudoers: $(srcdir)/sudoers.in
- (cd $(top_builddir) && $(SHELL) config.status --file=plugins/sudoers/$@)
+ (cd $(top_builddir) && $(SHELL) config.status --file=$@)
# The 1.7 branch started Jan 18, 2010
ChangeLog:
YFLAGS
YACC
NROFFPROG
+MANDOCPROG
TRPROG
UNAMEPROG
OTOOL64
SEMAN
LCMAN
BAMAN
-DEV
+DEVEL
SUDOERS_GID
SUDOERS_UID
SUDOERS_MODE
with_askpass
with_libvas
with_libvas_rpath
+with_man
+with_mdoc
enable_authentication
enable_root_mailer
enable_setreuid
(default=libvas.so)
--with-libvas-rpath=PATH
Path to look for libvas in [default=/opt/quest/lib]
+ --with-man manual pages use man macros
+ --with-mdoc manual pages use mdoc macros
--with-selinux enable SELinux support
--with-pic[=PKGS] try to use only PIC/non-PIC objects [default=use
both]
INSTALL_NOEXEC=
devdir='$(srcdir)'
PROGS="sudo visudo"
-: ${MANTYPE='man'}
+: ${MANDIRTYPE='man'}
: ${mansrcdir='.'}
: ${SHLIB_MODE='0644'}
: ${SUDOERS_MODE='0440'}
: ${SUDOERS_UID='0'}
: ${SUDOERS_GID='0'}
-DEV="#"
+DEVEL=
LDAP="#"
REPLAY="#"
BAMAN=0
$as_echo "$as_me: Setting up for development: -Wall, flex, yacc" >&6;}
PROGS="${PROGS} testsudoers"
OSDEFS="${OSDEFS} -DSUDO_DEVEL"
- DEV=""
+ DEVEL="true"
devdir=.
;;
no) ;;
+# Check whether --with-man was given.
+if test "${with_man+set}" = set; then :
+ withval=$with_man; case $with_man in
+ yes) MANTYPE=man
+ ;;
+ no) as_fn_error $? "\"--without-man not supported.\"" "$LINENO" 5
+ ;;
+ *) as_fn_error $? "\"ignoring unknown argument to --with-man: $with_man.\"" "$LINENO" 5
+ ;;
+esac
+fi
+
+
+
+# Check whether --with-mdoc was given.
+if test "${with_mdoc+set}" = set; then :
+ withval=$with_mdoc; case $with_mdoc in
+ yes) MANTYPE=mdoc
+ ;;
+ no) as_fn_error $? "\"--without-mdoc not supported.\"" "$LINENO" 5
+ ;;
+ *) as_fn_error $? "\"ignoring unknown argument to --with-mdoc: $with_mdoc.\"" "$LINENO" 5
+ ;;
+esac
+fi
+
+
+
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether to do user authentication by default" >&5
$as_echo_n "checking whether to do user authentication by default... " >&6; }
# Check whether --enable-authentication was given.
set dummy uname; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if ${ac_cv_prog_UNAMEPROG+:} false; then :
+if ${ac_cv_path_UNAMEPROG+:} false; then :
$as_echo_n "(cached) " >&6
else
- if test -n "$UNAMEPROG"; then
- ac_cv_prog_UNAMEPROG="$UNAMEPROG" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+ case $UNAMEPROG in
+ [\\/]* | ?:[\\/]*)
+ ac_cv_path_UNAMEPROG="$UNAMEPROG" # Let the user override the test with a path.
+ ;;
+ *)
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
- ac_cv_prog_UNAMEPROG="uname"
+ ac_cv_path_UNAMEPROG="$as_dir/$ac_word$ac_exec_ext"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
fi
done
IFS=$as_save_IFS
+ test -z "$ac_cv_path_UNAMEPROG" && ac_cv_path_UNAMEPROG="uname"
+ ;;
+esac
fi
-fi
-UNAMEPROG=$ac_cv_prog_UNAMEPROG
+UNAMEPROG=$ac_cv_path_UNAMEPROG
if test -n "$UNAMEPROG"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $UNAMEPROG" >&5
$as_echo "$UNAMEPROG" >&6; }
set dummy tr; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if ${ac_cv_prog_TRPROG+:} false; then :
+if ${ac_cv_path_TRPROG+:} false; then :
$as_echo_n "(cached) " >&6
else
- if test -n "$TRPROG"; then
- ac_cv_prog_TRPROG="$TRPROG" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+ case $TRPROG in
+ [\\/]* | ?:[\\/]*)
+ ac_cv_path_TRPROG="$TRPROG" # Let the user override the test with a path.
+ ;;
+ *)
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
- ac_cv_prog_TRPROG="tr"
+ ac_cv_path_TRPROG="$as_dir/$ac_word$ac_exec_ext"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
fi
done
IFS=$as_save_IFS
+ test -z "$ac_cv_path_TRPROG" && ac_cv_path_TRPROG="tr"
+ ;;
+esac
fi
-fi
-TRPROG=$ac_cv_prog_TRPROG
+TRPROG=$ac_cv_path_TRPROG
if test -n "$TRPROG"; then
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $TRPROG" >&5
$as_echo "$TRPROG" >&6; }
fi
-for ac_prog in nroff mandoc
-do
- # Extract the first word of "$ac_prog", so it can be a program name with args.
-set dummy $ac_prog; ac_word=$2
+# Extract the first word of "mandoc", so it can be a program name with args.
+set dummy mandoc; ac_word=$2
{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
$as_echo_n "checking for $ac_word... " >&6; }
-if ${ac_cv_prog_NROFFPROG+:} false; then :
+if ${ac_cv_path_MANDOCPROG+:} false; then :
$as_echo_n "(cached) " >&6
else
- if test -n "$NROFFPROG"; then
- ac_cv_prog_NROFFPROG="$NROFFPROG" # Let the user override the test.
-else
-as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+ case $MANDOCPROG in
+ [\\/]* | ?:[\\/]*)
+ ac_cv_path_MANDOCPROG="$MANDOCPROG" # Let the user override the test with a path.
+ ;;
+ *)
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
for as_dir in $PATH
do
IFS=$as_save_IFS
test -z "$as_dir" && as_dir=.
for ac_exec_ext in '' $ac_executable_extensions; do
if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
- ac_cv_prog_NROFFPROG="$ac_prog"
+ ac_cv_path_MANDOCPROG="$as_dir/$ac_word$ac_exec_ext"
$as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
break 2
fi
done
IFS=$as_save_IFS
+ test -z "$ac_cv_path_MANDOCPROG" && ac_cv_path_MANDOCPROG="mandoc"
+ ;;
+esac
fi
-fi
-NROFFPROG=$ac_cv_prog_NROFFPROG
-if test -n "$NROFFPROG"; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: result: $NROFFPROG" >&5
-$as_echo "$NROFFPROG" >&6; }
+MANDOCPROG=$ac_cv_path_MANDOCPROG
+if test -n "$MANDOCPROG"; then
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $MANDOCPROG" >&5
+$as_echo "$MANDOCPROG" >&6; }
else
{ $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
$as_echo "no" >&6; }
fi
- test -n "$NROFFPROG" && break
+if test "$MANDOCPROG" != "mandoc"; then
+ : ${MANTYPE='mdoc'}
+else
+ # Extract the first word of "nroff", so it can be a program name with args.
+set dummy nroff; ac_word=$2
+{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5
+$as_echo_n "checking for $ac_word... " >&6; }
+if ${ac_cv_path_NROFFPROG+:} false; then :
+ $as_echo_n "(cached) " >&6
+else
+ case $NROFFPROG in
+ [\\/]* | ?:[\\/]*)
+ ac_cv_path_NROFFPROG="$NROFFPROG" # Let the user override the test with a path.
+ ;;
+ *)
+ as_save_IFS=$IFS; IFS=$PATH_SEPARATOR
+for as_dir in $PATH
+do
+ IFS=$as_save_IFS
+ test -z "$as_dir" && as_dir=.
+ for ac_exec_ext in '' $ac_executable_extensions; do
+ if { test -f "$as_dir/$ac_word$ac_exec_ext" && $as_test_x "$as_dir/$ac_word$ac_exec_ext"; }; then
+ ac_cv_path_NROFFPROG="$as_dir/$ac_word$ac_exec_ext"
+ $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5
+ break 2
+ fi
done
+ done
+IFS=$as_save_IFS
+ ;;
+esac
+fi
+NROFFPROG=$ac_cv_path_NROFFPROG
if test -n "$NROFFPROG"; then
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $NROFFPROG supports the -c option" >&5
-$as_echo_n "checking whether $NROFFPROG supports the -c option... " >&6; }
-if ${sudo_cv_var_nroff_opt_c+:} false; then :
- $as_echo_n "(cached) " >&6
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: $NROFFPROG" >&5
+$as_echo "$NROFFPROG" >&6; }
else
- if $NROFFPROG -c </dev/null >/dev/null 2>&1; then
- sudo_cv_var_nroff_opt_c=yes
- else
- sudo_cv_var_nroff_opt_c=no
- fi
-
+ { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5
+$as_echo "no" >&6; }
fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_var_nroff_opt_c" >&5
-$as_echo "$sudo_cv_var_nroff_opt_c" >&6; }
- if test "$sudo_cv_var_nroff_opt_c" = "yes"; then
- NROFFPROG="$NROFFPROG -c"
- fi
- { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether $NROFFPROG supports the -Tascii option" >&5
-$as_echo_n "checking whether $NROFFPROG supports the -Tascii option... " >&6; }
-if ${sudo_cv_var_nroff_opt_Tascii+:} false; then :
+
+
+ if test -n "$NROFFPROG"; then
+ test -n "$MANTYPE" && sudo_cv_var_mantype="$MANTYPE"
+ { $as_echo "$as_me:${as_lineno-$LINENO}: checking which macro set to use for manual pages" >&5
+$as_echo_n "checking which macro set to use for manual pages... " >&6; }
+if ${sudo_cv_var_mantype+:} false; then :
$as_echo_n "(cached) " >&6
else
- if $NROFFPROG -Tascii </dev/null >/dev/null 2>&1; then
- sudo_cv_var_nroff_opt_Tascii=yes
- else
- sudo_cv_var_nroff_opt_Tascii=no
- fi
- if test "$sudo_cv_var_nroff_opt_Tascii" = "yes"; then
- NROFFPROG="$NROFFPROG -Tascii"
- fi
+
+ sudo_cv_var_mantype="man"
+ echo ".Sh NAME" > conftest
+ echo ".Nm sudo" >> conftest
+ echo ".Nd sudo" >> conftest
+ echo ".Sh DESCRIPTION" >> conftest
+ echo "sudo" >> conftest
+ if $NROFFPROG -mdoc conftest >/dev/null 2>&1; then
+ sudo_cv_var_mantype="mdoc"
+ fi
+ rm -f conftest
+
fi
-{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_var_nroff_opt_Tascii" >&5
-$as_echo "$sudo_cv_var_nroff_opt_Tascii" >&6; }
-else
- MANTYPE="cat"
- mansrcdir='$(srcdir)'
+{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $sudo_cv_var_mantype" >&5
+$as_echo "$sudo_cv_var_mantype" >&6; }
+ MANTYPE="$sudo_cv_var_mantype"
+ else
+ MANTYPE=cat
+ MANDIRTYPE=cat
+ mansrcdir='$(srcdir)'
+ fi
fi
if test -n "$sudo_cv_prev_host"; then
test "$localstatedir" = '${prefix}/var' && localstatedir='$(prefix)/var'
test "$sysconfdir" = '${prefix}/etc' -a X"$with_stow" != X"yes" && sysconfdir='/etc'
-ac_config_files="$ac_config_files Makefile sudo.man visudo.man sudoers.man sudoers.ldap.man sudoreplay.man sudo_usage.h sudoers"
+ac_config_files="$ac_config_files Makefile sudo_usage.h sudoers"
cat >confcache <<\_ACEOF
# This file is a shell script that caches the results of configure
"zlib/zconf.h") CONFIG_HEADERS="$CONFIG_HEADERS zlib/zconf.h" ;;
"libtool") CONFIG_COMMANDS="$CONFIG_COMMANDS libtool" ;;
"Makefile") CONFIG_FILES="$CONFIG_FILES Makefile" ;;
- "sudo.man") CONFIG_FILES="$CONFIG_FILES sudo.man" ;;
- "visudo.man") CONFIG_FILES="$CONFIG_FILES visudo.man" ;;
- "sudoers.man") CONFIG_FILES="$CONFIG_FILES sudoers.man" ;;
- "sudoers.ldap.man") CONFIG_FILES="$CONFIG_FILES sudoers.ldap.man" ;;
- "sudoreplay.man") CONFIG_FILES="$CONFIG_FILES sudoreplay.man" ;;
"sudo_usage.h") CONFIG_FILES="$CONFIG_FILES sudo_usage.h" ;;
"sudoers") CONFIG_FILES="$CONFIG_FILES sudoers" ;;
AC_SUBST([SUDOERS_MODE])
AC_SUBST([SUDOERS_UID])
AC_SUBST([SUDOERS_GID])
-AC_SUBST([DEV])
+AC_SUBST([DEVEL])
AC_SUBST([BAMAN])
AC_SUBST([LCMAN])
AC_SUBST([SEMAN])
INSTALL_NOEXEC=
devdir='$(srcdir)'
PROGS="sudo visudo"
-: ${MANTYPE='man'}
+: ${MANDIRTYPE='man'}
: ${mansrcdir='.'}
: ${SHLIB_MODE='0644'}
: ${SUDOERS_MODE='0440'}
: ${SUDOERS_UID='0'}
: ${SUDOERS_GID='0'}
-DEV="#"
+DEVEL=
LDAP="#"
REPLAY="#"
BAMAN=0
yes) AC_MSG_NOTICE([Setting up for development: -Wall, flex, yacc])
PROGS="${PROGS} testsudoers"
OSDEFS="${OSDEFS} -DSUDO_DEVEL"
- DEV=""
+ DEVEL="true"
devdir=.
;;
no) ;;
fi
])
+AC_ARG_WITH(man, [AS_HELP_STRING([--with-man], [manual pages use man macros])],
+[case $with_man in
+ yes) MANTYPE=man
+ ;;
+ no) AC_MSG_ERROR(["--without-man not supported."])
+ ;;
+ *) AC_MSG_ERROR(["ignoring unknown argument to --with-man: $with_man."])
+ ;;
+esac])
+
+AC_ARG_WITH(mdoc, [AS_HELP_STRING([--with-mdoc], [manual pages use mdoc macros])],
+[case $with_mdoc in
+ yes) MANTYPE=mdoc
+ ;;
+ no) AC_MSG_ERROR(["--without-mdoc not supported."])
+ ;;
+ *) AC_MSG_ERROR(["ignoring unknown argument to --with-mdoc: $with_mdoc."])
+ ;;
+esac])
+
dnl
dnl Options for --enable
dnl
dnl
dnl Find programs we use
dnl
-AC_CHECK_PROG(UNAMEPROG, [uname], [uname])
-AC_CHECK_PROG(TRPROG, [tr], [tr])
-AC_CHECK_PROGS(NROFFPROG, [nroff mandoc])
-if test -n "$NROFFPROG"; then
- AC_CACHE_CHECK([whether $NROFFPROG supports the -c option],
- [sudo_cv_var_nroff_opt_c],
- [if $NROFFPROG -c </dev/null >/dev/null 2>&1; then
- sudo_cv_var_nroff_opt_c=yes
- else
- sudo_cv_var_nroff_opt_c=no
- fi]
- )
- if test "$sudo_cv_var_nroff_opt_c" = "yes"; then
- NROFFPROG="$NROFFPROG -c"
- fi
- AC_CACHE_CHECK([whether $NROFFPROG supports the -Tascii option],
- [sudo_cv_var_nroff_opt_Tascii],
- [if $NROFFPROG -Tascii </dev/null >/dev/null 2>&1; then
- sudo_cv_var_nroff_opt_Tascii=yes
- else
- sudo_cv_var_nroff_opt_Tascii=no
- fi]
- if test "$sudo_cv_var_nroff_opt_Tascii" = "yes"; then
- NROFFPROG="$NROFFPROG -Tascii"
- fi
- )
+AC_PATH_PROG(UNAMEPROG, [uname], [uname])
+AC_PATH_PROG(TRPROG, [tr], [tr])
+AC_PATH_PROG(MANDOCPROG, [mandoc], [mandoc])
+if test "$MANDOCPROG" != "mandoc"; then
+ : ${MANTYPE='mdoc'}
else
- MANTYPE="cat"
- mansrcdir='$(srcdir)'
+ AC_PATH_PROG(NROFFPROG, [nroff])
+ if test -n "$NROFFPROG"; then
+ test -n "$MANTYPE" && sudo_cv_var_mantype="$MANTYPE"
+ AC_CACHE_CHECK([which macro set to use for manual pages],
+ [sudo_cv_var_mantype],
+ [
+ sudo_cv_var_mantype="man"
+ echo ".Sh NAME" > conftest
+ echo ".Nm sudo" >> conftest
+ echo ".Nd sudo" >> conftest
+ echo ".Sh DESCRIPTION" >> conftest
+ echo "sudo" >> conftest
+ if $NROFFPROG -mdoc conftest >/dev/null 2>&1; then
+ sudo_cv_var_mantype="mdoc"
+ fi
+ rm -f conftest
+ ]
+ )
+ MANTYPE="$sudo_cv_var_mantype"
+ else
+ MANTYPE=cat
+ MANDIRTYPE=cat
+ mansrcdir='$(srcdir)'
+ fi
fi
dnl
test "$sysconfdir" = '${prefix}/etc' -a X"$with_stow" != X"yes" && sysconfdir='/etc'
dnl
-dnl Substitute into the Makefile and man pages
+dnl Substitute into the Makefile, sudo_usage.h and example sudoers
dnl
-AC_CONFIG_FILES([Makefile sudo.man visudo.man sudoers.man sudoers.ldap.man sudoreplay.man sudo_usage.h sudoers])
+AC_CONFIG_FILES([Makefile sudo_usage.h sudoers])
AC_OUTPUT
dnl
--- /dev/null
+#!/bin/sh
+
+OUTFILE="$1"
+rm -f "$OUTFILE"
+> "$OUTFILE"
+
+# HP-UX friendly header/footer for all man pages
+if [ X"`uname 2>&1`" = X"HP-UX" ]; then
+ cat >>"$OUTFILE" <<-'EOF'
+ s/^\.TH \("[^"]*"\) \("[^"]*"\) "\([^"]*\)" "\([^"]*\)" \("[^"]*"\)/.TH \1 \2\
+ .ds )H \4\
+ .ds ]W \3/
+EOF
+fi
+
+# Page specific hacks
+case "$OUTFILE" in
+ sudo.man.sed)
+ # Replace "0 minutes" with "unlimited"
+ cat >>"$OUTFILE" <<-'EOF'
+ /^\\fR0\\fR$/ {
+ N
+ s/^\\fR0\\fR\
+ minutes\.$/unlimited./
+ }
+ EOF
+
+ # BSD auth
+ if [ X"$BAMAN" != X"1" ]; then
+ cat >>"$OUTFILE" <<-'EOF'
+ /^\[\\fB\\-a\\fR\\ \\fIauth_type\\fR/d
+ /^\\fB\\-a\\fR \\fItype\\fR$/,/^\.TP 12n$/ {
+ /^\.PD$/!d
+ }
+ EOF
+ fi
+
+ # BSD login class
+ if [ X"$LCMAN" != X"1" ]; then
+ cat >>"$OUTFILE" <<-'EOF'
+ /^\[\\fB\\-c\\fR\\ \\fIclass\\fR/d
+ /^\\fB\\-c\\fR \\fIclass\\fR$/,/^\.TP 12n$/ {
+ /^\.PD$/!d
+ }
+ EOF
+ fi
+
+ # SELinux
+ if [ X"$SEMAN" != X"1" ]; then
+ cat >>"$OUTFILE" <<-'EOF'
+ /^\[\\fB\\-[rt]\\fR\\ \\fI[rt][oy][lp]e\\fR/d
+ /^\\fB\\-[rt]\\fR \\fI[rt][oy][lp]e\\fR$/,/^\.TP 12n$/ {
+ /^\.PD$/!d
+ }
+ EOF
+ fi
+ ;;
+ sudoers.man.sed)
+ # BSD login class
+ if [ X"$LCMAN" != X"1" ]; then
+ cat >>"$OUTFILE" <<-EOF
+ /^On BSD systems/,/\.$/ {
+ d
+ }
+ /^use_loginclass$/,/^\.TP 18n$/ {
+ /^\.PD$/!d
+ }
+ EOF
+ fi
+
+ # SELinux
+ if [ X"$SEMAN" != X"1" ]; then
+ cat >>"$OUTFILE" <<-EOF
+ s/SELinux_Spec? //
+ /^SELinux_Spec ::=/ {
+ N
+ d
+ }
+ /^\.SS "SELinux_Spec"/,/^\.SS/{;/^\.SS "[^S][^E][^L]/!d;};
+ /^[rt][oy][lp]e$/,/^\.TP 18n$/ {
+ /^\.PD$/!d
+ }
+ EOF
+ fi
+ ;;
+esac
--- /dev/null
+#!/bin/sh
+
+OUTFILE="$1"
+rm -f "$OUTFILE"
+> "$OUTFILE"
+
+# Page specific hacks
+case "$OUTFILE" in
+ sudo.mdoc.sed)
+ # Replace "0 minutes" with "unlimited"
+ cat >>"$OUTFILE" <<-'EOF'
+ /^\.Li 0$/ {
+ N
+ s/^\.Li 0\nminutes\.$/unlimited./
+ }
+ EOF
+
+ # BSD auth
+ BA_FLAG=
+ if [ X"$BAMAN" != X"1" ]; then
+ BA_FLAG='/^.*\n\.Op Fl a Ar auth_type/{;N;/^.*\n\.Ek$/d;};'
+ cat >>"$OUTFILE" <<-'EOF'
+ /^\.It Fl a Ar type/,/BSD authentication\.$/ {
+ d
+ }
+ EOF
+ fi
+
+ # BSD login class
+ LC_FLAG=
+ if [ X"$LCMAN" != X"1" ]; then
+ LC_FLAG='/^.*\n\.Op Fl c Ar class/{;N;/^.*\n\.Ek$/d;};'
+ cat >>"$OUTFILE" <<-'EOF'
+ /^\.It Fl c Ar class/,/BSD login classes\.$/ {
+ d
+ }
+ /^\.Xr login_cap 3 ,$/d
+ EOF
+ fi
+
+ # SELinux
+ SE_FLAG=
+ if [ X"$SEMAN" != X"1" ]; then
+ SE_FLAG='/^.*\n\.Op Fl r Ar role/{;N;/^.*\n\.Ek$/d;};/^.*\n\.Op Fl t Ar type/{;N;/^.*\n\.Ek$/d;};'
+ cat >>"$OUTFILE" <<-'EOF'
+ /^\.It Fl r Ar role/,/newline character\.$/ {
+ d
+ }
+ /^\.It Fl t Ar type/,/specified role\.$/ {
+ d
+ }
+ EOF
+ fi
+
+ # Unsupported flags must be removed together
+ if [ -n "$BA_FLAG$LC_FLAG$SE_FLAG" ]; then
+ cat >>"$OUTFILE" <<-EOF
+ /^\.Bk -words\$/ {
+ N
+ $BA_FLAG$LC_FLAG$SE_FLAG
+ }
+ EOF
+ fi
+ ;;
+ sudoers.mdoc.sed)
+ # BSD login class
+ if [ X"$LCMAN" != X"1" ]; then
+ cat >>"$OUTFILE" <<-'EOF'
+ /^On BSD systems/,/\.$/ {
+ d
+ }
+ /^\.It use_loginclass$/,/^\.It/ {
+ /^\.It [^u][^s][^e][^_][^l]/!d
+ }
+ EOF
+ fi
+
+ # SELinux
+ if [ X"$SEMAN" != X"1" ]; then
+ cat >>"$OUTFILE" <<-'EOF'
+ s/SELinux_Spec? //
+ /^SELinux_Spec ::=/ {
+ N
+ d
+ }
+ /^\.Ss SELinux_Spec/,/^\.Ss/{;/^\.Ss [^S][^E][^L]/!d;};
+ /^\.It [rt][oy][lp]e$/,/^\.It/ {
+ /^\.It [^rt][^oy][^lp][^e]$/!d
+ }
+ EOF
+ fi
+ ;;
+esac
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
+SUDO(1m) System Manager's Manual SUDO(1m)
N\bNA\bAM\bME\bE
- sudo, sudoedit - execute a command as another user
+ s\bsu\bud\bdo\bo, s\bsu\bud\bdo\boe\bed\bdi\bit\bt - execute a command as another user
S\bSY\bYN\bNO\bOP\bPS\bSI\bIS\bS
- s\bsu\bud\bdo\bo -\b-h\bh | -\b-K\bK | -\b-k\bk | -\b-L\bL | -\b-V\bV
-
- s\bsu\bud\bdo\bo -\b-v\bv [-\b-A\bAk\bkn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt]
- [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd]
-
- s\bsu\bud\bdo\bo -\b-l\bl[\b[l\bl]\b] [-\b-A\bAk\bkn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt]
- [-\b-U\bU _\bu_\bs_\be_\br _\bn_\ba_\bm_\be] [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
-
- s\bsu\bud\bdo\bo [-\b-A\bAb\bbE\bEH\bHn\bnP\bPS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-]
- [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-r\br _\br_\bo_\bl_\be] [-\b-t\bt _\bt_\by_\bp_\be]
- [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] [V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be] [-\b-i\bi | -\b-s\bs] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
-
- s\bsu\bud\bdo\boe\bed\bdi\bit\bt [-\b-A\bAn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-]
- [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be|_\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] file ...
+ s\bsu\bud\bdo\bo -\b-h\bh | -\b-K\bK | -\b-k\bk | -\b-L\bL | -\b-V\bV
+ s\bsu\bud\bdo\bo -\b-v\bv [-\b-A\bAk\bkn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be | _\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt]
+ [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be | _\b#_\bu_\bi_\bd]
+ s\bsu\bud\bdo\bo -\b-l\bl[_\bl] [-\b-A\bAk\bkn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be | _\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt]
+ [-\b-U\bU _\bu_\bs_\be_\br _\bn_\ba_\bm_\be] [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be | _\b#_\bu_\bi_\bd] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
+ s\bsu\bud\bdo\bo [-\b-A\bAb\bbE\bEH\bHn\bnP\bPS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs | _\b-]
+ [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be | _\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-r\br _\br_\bo_\bl_\be] [-\b-t\bt _\bt_\by_\bp_\be]
+ [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be | _\b#_\bu_\bi_\bd] [V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be] -\b-i\bi | -\b-s\bs [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
+ s\bsu\bud\bdo\boe\bed\bdi\bit\bt [-\b-A\bAn\bnS\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-C\bC _\bf_\bd] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs | _\b-]
+ [-\b-g\bg _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be | _\b#_\bg_\bi_\bd] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-u\bu _\bu_\bs_\be_\br _\bn_\ba_\bm_\be | _\b#_\bu_\bi_\bd] file
+ ...
D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- s\bsu\bud\bdo\bo allows a permitted user to execute a _\bc_\bo_\bm_\bm_\ba_\bn_\bd as the superuser or
- another user, as specified in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. The real and effective
- uid and gid are set to match those of the target user as specified in
- the passwd file and the group vector is initialized based on the group
- file (unless the -\b-P\bP option was specified). If the invoking user is
- root or if the target user is the same as the invoking user, no
- password is required. Otherwise, s\bsu\bud\bdo\bo requires that users authenticate
- themselves with a password by default (NOTE: in the default
- configuration this is the user's password, not the root password).
- Once a user has been authenticated, a time stamp is updated and the
- user may then use sudo without a password for a short period of time (5
- minutes unless overridden in _\bs_\bu_\bd_\bo_\be_\br_\bs).
-
- When invoked as s\bsu\bud\bdo\boe\bed\bdi\bit\bt, the -\b-e\be option (described below), is implied.
-
- s\bsu\bud\bdo\bo determines who is an authorized user by consulting the file
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. By running s\bsu\bud\bdo\bo with the -\b-v\bv option, a user can update
- the time stamp without running a _\bc_\bo_\bm_\bm_\ba_\bn_\bd. If a password is required,
- s\bsu\bud\bdo\bo will exit if the user's password is not entered within a
- configurable time limit. The default password prompt timeout is 5
- minutes.
-
- If a user who is not listed in the _\bs_\bu_\bd_\bo_\be_\br_\bs file tries to run a command
- via s\bsu\bud\bdo\bo, mail is sent to the proper authorities, as defined at
- configure time or in the _\bs_\bu_\bd_\bo_\be_\br_\bs file (defaults to root). Note that
- the mail will not be sent if an unauthorized user tries to run sudo
- with the -\b-l\bl or -\b-v\bv option. This allows users to determine for
- themselves whether or not they are allowed to use s\bsu\bud\bdo\bo.
-
- If s\bsu\bud\bdo\bo is run by root and the SUDO_USER environment variable is set,
- s\bsu\bud\bdo\bo will use this value to determine who the actual user is. This can
- be used by a user to log commands through sudo even when a root shell
- has been invoked. It also allows the -\b-e\be option to remain useful even
- when being run via a sudo-run script or program. Note however, that
- the sudoers lookup is still done for root, not the user specified by
- SUDO_USER.
-
- s\bsu\bud\bdo\bo can log both successful and unsuccessful attempts (as well as
- errors) to _\bs_\by_\bs_\bl_\bo_\bg(3), a log file, or both. By default s\bsu\bud\bdo\bo will log
- via _\bs_\by_\bs_\bl_\bo_\bg(3) but this is changeable at configure time or via the
- _\bs_\bu_\bd_\bo_\be_\br_\bs file.
-
-O\bOP\bPT\bTI\bIO\bON\bNS\bS
- s\bsu\bud\bdo\bo accepts the following command line options:
-
- -A Normally, if s\bsu\bud\bdo\bo requires a password, it will read it from
- the current terminal. If the -\b-A\bA (_\ba_\bs_\bk_\bp_\ba_\bs_\bs) option is
- specified, a (possibly graphical) helper program is
- executed to read the user's password and output the
- password to the standard output. If the SUDO_ASKPASS
- environment variable is set, it specifies the path to the
- helper program. Otherwise, the value specified by the
- _\ba_\bs_\bk_\bp_\ba_\bs_\bs option in _\bs_\bu_\bd_\bo_\be_\br_\bs(4) is used.
-
- -a _\bt_\by_\bp_\be The -\b-a\ba (_\ba_\bu_\bt_\bh_\be_\bn_\bt_\bi_\bc_\ba_\bt_\bi_\bo_\bn _\bt_\by_\bp_\be) option causes s\bsu\bud\bdo\bo to use the
- specified authentication type when validating the user, as
- allowed by _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. The system administrator may
- specify a list of sudo-specific authentication methods by
- adding an "auth-sudo" entry in _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. This
- option is only available on systems that support BSD
- authentication.
-
- -b The -\b-b\bb (_\bb_\ba_\bc_\bk_\bg_\br_\bo_\bu_\bn_\bd) option tells s\bsu\bud\bdo\bo to run the given
- command in the background. Note that if you use the -\b-b\bb
- option you cannot use shell job control to manipulate the
- process.
-
- -C _\bf_\bd Normally, s\bsu\bud\bdo\bo will close all open file descriptors other
- than standard input, standard output and standard error.
- The -\b-C\bC (_\bc_\bl_\bo_\bs_\be _\bf_\br_\bo_\bm) option allows the user to specify a
- starting point above the standard error (file descriptor
- three). Values less than three are not permitted. This
- option is only available if the administrator has enabled
- the _\bc_\bl_\bo_\bs_\be_\bf_\br_\bo_\bm_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be option in _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
-
- -c _\bc_\bl_\ba_\bs_\bs The -\b-c\bc (_\bc_\bl_\ba_\bs_\bs) option causes s\bsu\bud\bdo\bo to run the specified
- command with resources limited by the specified login
- class. The _\bc_\bl_\ba_\bs_\bs argument can be either a class name as
- defined in _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf, or a single '-' character.
- Specifying a _\bc_\bl_\ba_\bs_\bs of - indicates that the command should
- be run restricted by the default login capabilities for the
- user the command is run as. If the _\bc_\bl_\ba_\bs_\bs argument
- specifies an existing user class, the command must be run
- as root, or the s\bsu\bud\bdo\bo command must be run from a shell that
- is already root. This option is only available on systems
- with BSD login classes.
-
- -E The -\b-E\bE (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt) option will override the
- _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option in _\bs_\bu_\bd_\bo_\be_\br_\bs(4)). It is only available when
- either the matching command has the SETENV tag or the
- _\bs_\be_\bt_\be_\bn_\bv option is set in _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
-
- -e The -\b-e\be (_\be_\bd_\bi_\bt) option indicates that, instead of running a
- command, the user wishes to edit one or more files. In
- lieu of a command, the string "sudoedit" is used when
- consulting the _\bs_\bu_\bd_\bo_\be_\br_\bs file. If the user is authorized by
- _\bs_\bu_\bd_\bo_\be_\br_\bs the following steps are taken:
-
- 1. Temporary copies are made of the files to be edited
+ s\bsu\bud\bdo\bo allows a permitted user to execute a _\bc_\bo_\bm_\bm_\ba_\bn_\bd as the superuser or
+ another user, as specified by the _\bs_\bu_\bd_\bo_\be_\br_\bs file. The real and effective
+ uid and gid are set to match those of the target user, as specified in
+ the password database, and the group vector is initialized based on the
+ group database (unless the -\b-P\bP option was specified). See the _\bC_\bo_\bm_\bm_\ba_\bn_\bd
+ _\bE_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt section below for more details.
+
+ s\bsu\bud\bdo\bo determines who is an authorized user by consulting the file
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. By running s\bsu\bud\bdo\bo with the -\b-v\bv option, a user can update the
+ time stamp without running a _\bc_\bo_\bm_\bm_\ba_\bn_\bd. If authentication is required,
+ s\bsu\bud\bdo\bo will exit if the user's password is not entered within a
+ configurable time limit. The default password prompt timeout is 5
+ minutes.
+
+ When invoked as s\bsu\bud\bdo\boe\bed\bdi\bit\bt, the -\b-e\be option (described below), is implied.
+
+ The options are as follows:
+
+ -\b-A\bA Normally, if s\bsu\bud\bdo\bo requires a password, it will read it from
+ the user's terminal. If the -\b-A\bA (_\ba_\bs_\bk_\bp_\ba_\bs_\bs) option is
+ specified, a (possibly graphical) helper program is executed
+ to read the user's password and output the password to the
+ standard output. If the SUDO_ASKPASS environment variable is
+ set, it specifies the path to the helper program. Otherwise,
+ the value specified by the _\ba_\bs_\bk_\bp_\ba_\bs_\bs option in sudoers(4) is
+ used. If no askpass program is available, s\bsu\bud\bdo\bo will exit
+ with an error.
+
+ -\b-a\ba _\bt_\by_\bp_\be The -\b-a\ba (_\ba_\bu_\bt_\bh_\be_\bn_\bt_\bi_\bc_\ba_\bt_\bi_\bo_\bn _\bt_\by_\bp_\be) option causes s\bsu\bud\bdo\bo to use the
+ specified authentication type when validating the user, as
+ allowed by _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. The system administrator may
+ specify a list of sudo-specific authentication methods by
+ adding an ``auth-sudo'' entry in _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. This
+ option is only available on systems that support BSD
+ authentication.
+
+ -\b-b\bb The -\b-b\bb (_\bb_\ba_\bc_\bk_\bg_\br_\bo_\bu_\bn_\bd) option tells s\bsu\bud\bdo\bo to run the given
+ command in the background. Note that if you use the -\b-b\bb
+ option you cannot use shell job control to manipulate the
+ process. Most interactive commands will fail to work
+ properly in background mode.
+
+ -\b-C\bC _\bf_\bd Normally, s\bsu\bud\bdo\bo will close all open file descriptors other
+ than standard input, standard output and standard error. The
+ -\b-C\bC (_\bc_\bl_\bo_\bs_\be _\bf_\br_\bo_\bm) option allows the user to specify a starting
+ point above the standard error (file descriptor three).
+ Values less than three are not permitted. This option is
+ only available when the administrator has enabled the
+ _\bc_\bl_\bo_\bs_\be_\bf_\br_\bo_\bm_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be option in sudoers(4).
+
+ -\b-c\bc _\bc_\bl_\ba_\bs_\bs The -\b-c\bc (_\bc_\bl_\ba_\bs_\bs) option causes s\bsu\bud\bdo\bo to run the specified
+ command with resources limited by the specified login class.
+ The _\bc_\bl_\ba_\bs_\bs argument can be either a class name as defined in
+ _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf, or a single `-' character. Specifying a
+ _\bc_\bl_\ba_\bs_\bs of - indicates that the command should be run
+ restricted by the default login capabilities for the user the
+ command is run as. If the _\bc_\bl_\ba_\bs_\bs argument specifies an
+ existing user class, the command must be run as root, or the
+ s\bsu\bud\bdo\bo command must be run from a shell that is already root.
+ This option is only available on systems with BSD login
+ classes.
+
+ -\b-E\bE The -\b-E\bE (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt) option will override the
+ _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option in sudoers(4). It is only available when
+ either the matching command has the SETENV tag or the _\bs_\be_\bt_\be_\bn_\bv
+ option is set in sudoers(4). s\bsu\bud\bdo\bo will return an error if
+ the -\b-E\bE option is specified and the user does not have
+ permission to preserve the environment.
+
+ -\b-e\be The -\b-e\be (_\be_\bd_\bi_\bt) option indicates that, instead of running a
+ command, the user wishes to edit one or more files. In lieu
+ of a command, the string "sudoedit" is used when consulting
+ the _\bs_\bu_\bd_\bo_\be_\br_\bs file. If the user is authorized by _\bs_\bu_\bd_\bo_\be_\br_\bs, the
+ following steps are taken:
+
+ 1. Temporary copies are made of the files to be edited
with the owner set to the invoking user.
- 2. The editor specified by the SUDO_EDITOR, VISUAL or
- EDITOR environment variables is run to edit the
- temporary files. If none of SUDO_EDITOR, VISUAL or
- EDITOR are set, the first program listed in the _\be_\bd_\bi_\bt_\bo_\br
- _\bs_\bu_\bd_\bo_\be_\br_\bs variable is used.
+ 2. The editor specified by the SUDO_EDITOR, VISUAL or
+ EDITOR environment variables (in that order) is run to
+ edit the temporary files. If none of SUDO_EDITOR,
+ VISUAL or EDITOR are set, the first program listed in
+ the _\be_\bd_\bi_\bt_\bo_\br sudoers(4) option is used.
- 3. If they have been modified, the temporary files are
+ 3. If they have been modified, the temporary files are
copied back to their original location and the
temporary versions are removed.
- If the specified file does not exist, it will be created.
- Note that unlike most commands run by s\bsu\bud\bdo\bo, the editor is
- run with the invoking user's environment unmodified. If,
- for some reason, s\bsu\bud\bdo\bo is unable to update a file with its
- edited version, the user will receive a warning and the
- edited copy will remain in a temporary file.
-
- -g _\bg_\br_\bo_\bu_\bp Normally, s\bsu\bud\bdo\bo sets the primary group to the one specified
- by the passwd database for the user the command is being
- run as (by default, root). The -\b-g\bg (_\bg_\br_\bo_\bu_\bp) option causes
- s\bsu\bud\bdo\bo to run the specified command with the primary group
- set to _\bg_\br_\bo_\bu_\bp. To specify a _\bg_\bi_\bd instead of a _\bg_\br_\bo_\bu_\bp _\bn_\ba_\bm_\be,
- use _\b#_\bg_\bi_\bd. When running commands as a _\bg_\bi_\bd, many shells
- require that the '#' be escaped with a backslash ('\'). If
- no -\b-u\bu option is specified, the command will be run as the
- invoking user (not root). In either case, the primary
- group will be set to _\bg_\br_\bo_\bu_\bp.
-
- -H The -\b-H\bH (_\bH_\bO_\bM_\bE) option sets the HOME environment variable to
- the homedir of the target user (root by default) as
- specified in _\bp_\ba_\bs_\bs_\bw_\bd(4). The default handling of the HOME
- environment variable depends on _\bs_\bu_\bd_\bo_\be_\br_\bs(4) settings. By
- default, s\bsu\bud\bdo\bo will set HOME if _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt or _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be
- are set, or if _\bs_\be_\bt_\b__\bh_\bo_\bm_\be is set and the -\b-s\bs option is
- specified on the command line.
-
- -h The -\b-h\bh (_\bh_\be_\bl_\bp) option causes s\bsu\bud\bdo\bo to print a short help
- message to the standard output and exit.
-
- -i [command]
- The -\b-i\bi (_\bs_\bi_\bm_\bu_\bl_\ba_\bt_\be _\bi_\bn_\bi_\bt_\bi_\ba_\bl _\bl_\bo_\bg_\bi_\bn) option runs the shell
- specified in the _\bp_\ba_\bs_\bs_\bw_\bd(4) entry of the target user as a
- login shell. This means that login-specific resource files
- such as .profile or .login will be read by the shell. If a
- command is specified, it is passed to the shell for
- execution. Otherwise, an interactive shell is executed.
- s\bsu\bud\bdo\bo attempts to change to that user's home directory
- before running the shell. It also initializes the
- environment, leaving _\bD_\bI_\bS_\bP_\bL_\bA_\bY and _\bT_\bE_\bR_\bM unchanged, setting
- _\bH_\bO_\bM_\bE, _\bM_\bA_\bI_\bL, _\bS_\bH_\bE_\bL_\bL, _\bU_\bS_\bE_\bR, _\bL_\bO_\bG_\bN_\bA_\bM_\bE, and _\bP_\bA_\bT_\bH, as well as the
- contents of _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt on Linux and AIX systems. All
- other environment variables are removed.
-
- -K The -\b-K\bK (sure _\bk_\bi_\bl_\bl) option is like -\b-k\bk except that it removes
- the user's time stamp entirely and may not be used in
- conjunction with a command or other option. This option
- does not require a password.
-
- -k When used by itself, the -\b-k\bk (_\bk_\bi_\bl_\bl) option to s\bsu\bud\bdo\bo
- invalidates the user's time stamp by setting the time on it
- to the Epoch. The next time s\bsu\bud\bdo\bo is run a password will be
- required. This option does not require a password and was
- added to allow a user to revoke s\bsu\bud\bdo\bo permissions from a
- .logout file.
-
- When used in conjunction with a command or an option that
- may require a password, the -\b-k\bk option will cause s\bsu\bud\bdo\bo to
- ignore the user's time stamp file. As a result, s\bsu\bud\bdo\bo will
- prompt for a password (if one is required by _\bs_\bu_\bd_\bo_\be_\br_\bs) and
- will not update the user's time stamp file.
-
- -L The -\b-L\bL (_\bl_\bi_\bs_\bt defaults) option will list the parameters that
- may be set in a _\bD_\be_\bf_\ba_\bu_\bl_\bt_\bs line along with a short
- description for each. This option will be removed from a
- future version of s\bsu\bud\bdo\bo.
-
- -l[l] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
- If no _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified, the -\b-l\bl (_\bl_\bi_\bs_\bt) option will list
- the allowed (and forbidden) commands for the invoking user
- (or the user specified by the -\b-U\bU option) on the current
- host. If a _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified and is permitted by
- _\bs_\bu_\bd_\bo_\be_\br_\bs, the fully-qualified path to the command is
- displayed along with any command line arguments. If
- _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified but not allowed, s\bsu\bud\bdo\bo will exit with a
- status value of 1. If the -\b-l\bl option is specified with an l\bl
- argument (i.e. -\b-l\bll\bl), or if -\b-l\bl is specified multiple times,
- a longer list format is used.
-
- -n The -\b-n\bn (_\bn_\bo_\bn_\b-_\bi_\bn_\bt_\be_\br_\ba_\bc_\bt_\bi_\bv_\be) option prevents s\bsu\bud\bdo\bo from
- prompting the user for a password. If a password is
- required for the command to run, s\bsu\bud\bdo\bo will display an error
- message and exit.
-
- -P The -\b-P\bP (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\bg_\br_\bo_\bu_\bp _\bv_\be_\bc_\bt_\bo_\br) option causes s\bsu\bud\bdo\bo to
- preserve the invoking user's group vector unaltered. By
- default, s\bsu\bud\bdo\bo will initialize the group vector to the list
- of groups the target user is in. The real and effective
- group IDs, however, are still set to match the target user.
-
- -p _\bp_\br_\bo_\bm_\bp_\bt The -\b-p\bp (_\bp_\br_\bo_\bm_\bp_\bt) option allows you to override the default
- password prompt and use a custom one. The following
- percent (`%') escapes are supported:
-
- %H expanded to the local host name including the domain
- name (on if the machine's host name is fully qualified
- or the _\bf_\bq_\bd_\bn _\bs_\bu_\bd_\bo_\be_\br_\bs option is set)
-
- %h expanded to the local host name without the domain name
-
- %p expanded to the user whose password is being asked for
- (respects the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and _\br_\bu_\bn_\ba_\bs_\bp_\bw flags in
- _\bs_\bu_\bd_\bo_\be_\br_\bs)
-
- %U expanded to the login name of the user the command will
- be run as (defaults to root)
-
- %u expanded to the invoking user's login name
-
- %% two consecutive % characters are collapsed into a
- single % character
-
- The prompt specified by the -\b-p\bp option will override the
- system password prompt on systems that support PAM unless
- the _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be flag is disabled in _\bs_\bu_\bd_\bo_\be_\br_\bs.
-
- -r _\br_\bo_\bl_\be The -\b-r\br (_\br_\bo_\bl_\be) option causes the new (SELinux) security
- context to have the role specified by _\br_\bo_\bl_\be.
-
- -S The -\b-S\bS (_\bs_\bt_\bd_\bi_\bn) option causes s\bsu\bud\bdo\bo to read the password from
- the standard input instead of the terminal device. The
- password must be followed by a newline character.
-
- -s [command]
- The -\b-s\bs (_\bs_\bh_\be_\bl_\bl) option runs the shell specified by the _\bS_\bH_\bE_\bL_\bL
- environment variable if it is set or the shell as specified
- in _\bp_\ba_\bs_\bs_\bw_\bd(4). If a command is specified, it is passed to
- the shell for execution. Otherwise, an interactive shell
- is executed.
-
- -t _\bt_\by_\bp_\be The -\b-t\bt (_\bt_\by_\bp_\be) option causes the new (SELinux) security
- context to have the type specified by _\bt_\by_\bp_\be. If no type is
- specified, the default type is derived from the specified
- role.
-
- -U _\bu_\bs_\be_\br The -\b-U\bU (_\bo_\bt_\bh_\be_\br _\bu_\bs_\be_\br) option is used in conjunction with the
- -\b-l\bl option to specify the user whose privileges should be
- listed. Only root or a user with s\bsu\bud\bdo\bo ALL on the current
- host may use this option.
-
- -u _\bu_\bs_\be_\br The -\b-u\bu (_\bu_\bs_\be_\br) option causes s\bsu\bud\bdo\bo to run the specified
- command as a user other than _\br_\bo_\bo_\bt. To specify a _\bu_\bi_\bd
- instead of a _\bu_\bs_\be_\br _\bn_\ba_\bm_\be, use _\b#_\bu_\bi_\bd. When running commands as
- a _\bu_\bi_\bd, many shells require that the '#' be escaped with a
- backslash ('\'). Note that if the _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw Defaults option
- is set (see _\bs_\bu_\bd_\bo_\be_\br_\bs(4)) it is not possible to run commands
- with a uid not listed in the password database.
-
- -V The -\b-V\bV (_\bv_\be_\br_\bs_\bi_\bo_\bn) option causes s\bsu\bud\bdo\bo to print the version
- number and exit. If the invoking user is already root the
- -\b-V\bV option will print out a list of the defaults s\bsu\bud\bdo\bo was
- compiled with as well as the machine's local network
- addresses.
-
- -v If given the -\b-v\bv (_\bv_\ba_\bl_\bi_\bd_\ba_\bt_\be) option, s\bsu\bud\bdo\bo will update the
- user's time stamp, prompting for the user's password if
- necessary. This extends the s\bsu\bud\bdo\bo timeout for another 5
- minutes (or whatever the timeout is set to in _\bs_\bu_\bd_\bo_\be_\br_\bs) but
- does not run a command.
-
- -- The -\b--\b- option indicates that s\bsu\bud\bdo\bo should stop processing
- command line arguments.
-
- Environment variables to be set for the command may also be passed on
- the command line in the form of V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be, e.g.
- L\bLD\bD_\b_L\bLI\bIB\bBR\bRA\bAR\bRY\bY_\b_P\bPA\bAT\bTH\bH=_\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bp_\bk_\bg_\b/_\bl_\bi_\bb. Variables passed on the command
- line are subject to the same restrictions as normal environment
- variables with one important exception. If the _\bs_\be_\bt_\be_\bn_\bv option is set in
- _\bs_\bu_\bd_\bo_\be_\br_\bs, the command to be run has the SETENV tag set or the command
- matched is ALL, the user may set variables that would overwise be
- forbidden. See _\bs_\bu_\bd_\bo_\be_\br_\bs(4) for more information.
+ If the specified file does not exist, it will be created.
+ Note that unlike most commands run by _\bs_\bu_\bd_\bo, the editor is run
+ with the invoking user's environment unmodified. If, for
+ some reason, s\bsu\bud\bdo\bo is unable to update a file with its edited
+ version, the user will receive a warning and the edited copy
+ will remain in a temporary file.
+
+ -\b-g\bg _\bg_\br_\bo_\bu_\bp Normally, s\bsu\bud\bdo\bo runs a command with the primary group set to
+ the one specified by the password database for the user the
+ command is being run as (by default, root). The -\b-g\bg (_\bg_\br_\bo_\bu_\bp)
+ option causes s\bsu\bud\bdo\bo to run the command with the primary group
+ set to _\bg_\br_\bo_\bu_\bp instead. To specify a _\bg_\bi_\bd instead of a _\bg_\br_\bo_\bu_\bp
+ _\bn_\ba_\bm_\be, use _\b#_\bg_\bi_\bd. When running commands as a _\bg_\bi_\bd, many shells
+ require that the `#' be escaped with a backslash (`\'). If
+ no -\b-u\bu option is specified, the command will be run as the
+ invoking user (not root). In either case, the primary group
+ will be set to _\bg_\br_\bo_\bu_\bp.
+
+ -\b-H\bH The -\b-H\bH (_\bH_\bO_\bM_\bE) option option sets the HOME environment
+ variable to the home directory of the target user (root by
+ default) as specified by the password database. The default
+ handling of the HOME environment variable depends on
+ sudoers(4) settings. By default, s\bsu\bud\bdo\bo will set HOME if
+ _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt or _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be are set, or if _\bs_\be_\bt_\b__\bh_\bo_\bm_\be is set
+ and the -\b-s\bs option is specified on the command line.
+
+ -\b-h\bh The -\b-h\bh (_\bh_\be_\bl_\bp) option causes s\bsu\bud\bdo\bo to print a short help
+ message to the standard output and exit.
+
+ -\b-i\bi [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
+ The -\b-i\bi (_\bs_\bi_\bm_\bu_\bl_\ba_\bt_\be _\bi_\bn_\bi_\bt_\bi_\ba_\bl _\bl_\bo_\bg_\bi_\bn) option runs the shell
+ specified by the password database entry of the target user
+ as a login shell. This means that login-specific resource
+ files such as _\b._\bp_\br_\bo_\bf_\bi_\bl_\be or _\b._\bl_\bo_\bg_\bi_\bn will be read by the shell.
+ If a command is specified, it is passed to the shell for
+ execution via the shell's -\b-c\bc option. If no command is
+ specified, an interactive shell is executed. s\bsu\bud\bdo\bo attempts
+ to change to that user's home directory before running the
+ shell. It also initializes the environment to a minimal set
+ of variables, similar to what is present when a user logs in.
+ The _\bC_\bo_\bm_\bm_\ba_\bn_\bd _\bE_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt section below documents in detail how
+ the -\b-i\bi option affects the environment in which a command is
+ run.
+
+ -\b-K\bK The -\b-K\bK (sure _\bk_\bi_\bl_\bl) option is like -\b-k\bk except that it removes
+ the user's time stamp file entirely and may not be used in
+ conjunction with a command or other option. This option does
+ not require a password.
+
+ -\b-k\bk [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
+ When used alone, the -\b-k\bk (_\bk_\bi_\bl_\bl) option to s\bsu\bud\bdo\bo invalidates the
+ user's time stamp file. The next time s\bsu\bud\bdo\bo is run a password
+ will be required. This option does not require a password
+ and was added to allow a user to revoke s\bsu\bud\bdo\bo permissions from
+ a _\b._\bl_\bo_\bg_\bo_\bu_\bt file.
+
+ When used in conjunction with a command or an option that may
+ require a password, the -\b-k\bk option will cause s\bsu\bud\bdo\bo to ignore
+ the user's time stamp file. As a result, s\bsu\bud\bdo\bo will prompt
+ for a password (if one is required by _\bs_\bu_\bd_\bo_\be_\br_\bs) and will not
+ update the user's time stamp file.
+
+ -\b-L\bL The -\b-L\bL (_\bl_\bi_\bs_\bt defaults) option will list the parameters that
+ may be set in a _\bD_\be_\bf_\ba_\bu_\bl_\bt_\bs line along with a short description
+ for each. This option will be removed from a future version
+ of s\bsu\bud\bdo\bo.
+
+ -\b-l\bl[l\bl] [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
+ If no _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified, the -\b-l\bl (_\bl_\bi_\bs_\bt) option will list
+ the allowed (and forbidden) commands for the invoking user
+ (or the user specified by the -\b-U\bU option) on the current host.
+ If a _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified and is permitted by _\bs_\bu_\bd_\bo_\be_\br_\bs, the
+ fully-qualified path to the command is displayed along with
+ any command line arguments. If _\bc_\bo_\bm_\bm_\ba_\bn_\bd is specified but not
+ allowed, s\bsu\bud\bdo\bo will exit with a status value of 1. If the -\b-l\bl
+ option is specified with an _\bl argument (i.e. -\b-l\bll\bl), or if -\b-l\bl
+ is specified multiple times, a longer list format is used.
+
+ -\b-n\bn The -\b-n\bn (_\bn_\bo_\bn_\b-_\bi_\bn_\bt_\be_\br_\ba_\bc_\bt_\bi_\bv_\be) option prevents s\bsu\bud\bdo\bo from prompting
+ the user for a password. If a password is required for the
+ command to run, s\bsu\bud\bdo\bo will display an error message and exit.
+
+ -\b-P\bP The -\b-P\bP (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\bg_\br_\bo_\bu_\bp _\bv_\be_\bc_\bt_\bo_\br) option causes s\bsu\bud\bdo\bo to preserve
+ the invoking user's group vector unaltered. By default, s\bsu\bud\bdo\bo
+ will initialize the group vector to the list of groups the
+ target user is in. The real and effective group IDs,
+ however, are still set to match the target user.
+
+ -\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt The -\b-p\bp (_\bp_\br_\bo_\bm_\bp_\bt) option allows you to override the default
+ password prompt and use a custom one. The following percent
+ (`%') escapes are supported:
+
+ %H expanded to the host name including the domain name (on
+ if the machine's host name is fully qualified or the _\bf_\bq_\bd_\bn
+ option is set in sudoers(4))
+
+ %h expanded to the local host name without the domain name
+
+ %p expanded to the name of the user whose password is being
+ requested (respects the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw, and _\br_\bu_\bn_\ba_\bs_\bp_\bw
+ flags in sudoers(4))
+
+ %U expanded to the login name of the user the command will
+ be run as (defaults to root unless the -\b-u\bu option is also
+ specified)
+
+ %u expanded to the invoking user's login name
+
+ %% two consecutive `%' characters are collapsed into a
+ single `%' character
+
+ The prompt specified by the -\b-p\bp option will override the
+ system password prompt on systems that support PAM unless the
+ _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be flag is disabled in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+
+ -\b-r\br _\br_\bo_\bl_\be The -\b-r\br (_\br_\bo_\bl_\be) option causes the new (SELinux) security
+ context to have the role specified by _\br_\bo_\bl_\be.
+
+ -\b-S\bS The -\b-S\bS (_\bs_\bt_\bd_\bi_\bn) option causes s\bsu\bud\bdo\bo to read the password from
+ the standard input instead of the terminal device. The
+ password must be followed by a newline character.
+
+ -\b-s\bs [_\bc_\bo_\bm_\bm_\ba_\bn_\bd]
+ The -\b-s\bs (_\bs_\bh_\be_\bl_\bl) option runs the shell specified by the SHELL
+ environment variable if it is set or the shell as specified
+ in the password database. If a command is specified, it is
+ passed to the shell for execution via the shell's -\b-c\bc option.
+ If no command is specified, an interactive shell is executed.
+
+ -\b-t\bt _\bt_\by_\bp_\be The -\b-t\bt (_\bt_\by_\bp_\be) option causes the new (SELinux) security
+ context to have the type specified by _\bt_\by_\bp_\be. If no type is
+ specified, the default type is derived from the specified
+ role.
+
+ -\b-U\bU _\bu_\bs_\be_\br The -\b-U\bU (_\bo_\bt_\bh_\be_\br _\bu_\bs_\be_\br) option is used in conjunction with the -\b-l\bl
+ option to specify the user whose privileges should be listed.
+ Only root or a user with the ALL privilege on the current
+ host may use this option.
+
+ -\b-u\bu _\bu_\bs_\be_\br The -\b-u\bu (_\bu_\bs_\be_\br) option causes s\bsu\bud\bdo\bo to run the specified command
+ as a user other than _\br_\bo_\bo_\bt. To specify a _\bu_\bi_\bd instead of a
+ _\bu_\bs_\be_\br _\bn_\ba_\bm_\be, _\b#_\bu_\bi_\bd. When running commands as a _\bu_\bi_\bd, many shells
+ require that the `#' be escaped with a backslash (`\'). Note
+ that if the _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw Defaults option is set (see sudoers(4)),
+ it is not possible to run commands with a uid not listed in
+ the password database.
+
+ -\b-V\bV The -\b-V\bV (_\bv_\be_\br_\bs_\bi_\bo_\bn) option causes s\bsu\bud\bdo\bo to print its version
+ string and exit. If the invoking user is already root the -\b-V\bV
+ option will display the arguments passed to configure when
+ s\bsu\bud\bdo\bo was built as well a list of the defaults s\bsu\bud\bdo\bo was
+ compiled with as well as the machine's local network
+ addresses.
+
+ -\b-v\bv When given the -\b-v\bv (_\bv_\ba_\bl_\bi_\bd_\ba_\bt_\be) option, s\bsu\bud\bdo\bo will update the
+ user's time stamp file, authenticating the user's password if
+ necessary. This extends the s\bsu\bud\bdo\bo timeout for another 5
+ minutes (or whatever the timeout is set to in _\bs_\bu_\bd_\bo_\be_\br_\bs) but
+ does not run a command.
+
+ -\b--\b- The -\b--\b- option indicates that s\bsu\bud\bdo\bo should stop processing
+ command line arguments.
+
+ Environment variables to be set for the command may also be passed on the
+ command line in the form of V\bVA\bAR\bR=_\bv_\ba_\bl_\bu_\be, e.g.
+ L\bLD\bD_\b_L\bLI\bIB\bBR\bRA\bAR\bRY\bY_\b_P\bPA\bAT\bTH\bH=_\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bp_\bk_\bg_\b/_\bl_\bi_\bb. Variables passed on the command line
+ are subject to the same restrictions as normal environment variables with
+ one important exception. If the _\bs_\be_\bt_\be_\bn_\bv option is set in _\bs_\bu_\bd_\bo_\be_\br_\bs, the
+ command to be run has the SETENV tag set or the command matched is ALL,
+ the user may set variables that would otherwise be forbidden. See
+ sudoers(4) for more information.
+
+ A\bAu\but\bth\bhe\ben\bnt\bti\bic\bca\bat\bti\bio\bon\bn a\ban\bnd\bd L\bLo\bog\bgg\bgi\bin\bng\bg
+ s\bsu\bud\bdo\bo requires that most users authenticate themselves by default. A
+ password is not required if the invoking user is root, if the target user
+ is the same as the invoking user, or if the authentication has been
+ disabled for the user or command in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. Unlike su(1), when
+ s\bsu\bud\bdo\bo requires authentication, it validates the invoking user's
+ credentials, not the target user's (or root's) credentials. This can be
+ changed via the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and _\br_\bu_\bn_\ba_\bs_\bp_\bw Defaults entries in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+
+ If a user who is not listed in _\bs_\bu_\bd_\bo_\be_\br_\bs tries to run a command via s\bsu\bud\bdo\bo,
+ mail is sent to the proper authorities. The address used for such mail
+ is configurable via the _\bm_\ba_\bi_\bl_\bt_\bo _\bs_\bu_\bd_\bo_\be_\br_\bs Defaults entry and defaults to
+ root.
+
+ Note that mail will not be sent if an unauthorized user tries to run s\bsu\bud\bdo\bo
+ with the -\b-l\bl or -\b-v\bv option. This allows users to determine for themselves
+ whether or not they are allowed to use s\bsu\bud\bdo\bo.
+
+ If s\bsu\bud\bdo\bo is run by root and the SUDO_USER environment variable is set, its
+ value will be used to determine who the actual user is. This can be used
+ by a user to log commands through s\bsu\bud\bdo\bo even when a root shell has been
+ invoked. It also allows the -\b-e\be option to remain useful even when invoked
+ via a sudo-run script or program. Note, however, that the _\bs_\bu_\bd_\bo_\be_\br_\bs lookup
+ is still done for root, not the user specified by SUDO_USER.
+
+ s\bsu\bud\bdo\bo uses time stamp files for credential caching. Once a user has been
+ authenticated, the time stamp is updated and the user may then use sudo
+ without a password for a short period of time (5 minutes unless
+ overridden by the _\bt_\bi_\bm_\be_\bo_\bu_\bt option). By default, s\bsu\bud\bdo\bo uses a tty-based
+ time stamp which means that there is a separate time stamp for each of a
+ user's login sessions. The _\bt_\bt_\by_\b__\bt_\bi_\bc_\bk_\be_\bt_\bs option can be disabled to force
+ the use of a single time stamp for all of a user's sessions.
+
+ s\bsu\bud\bdo\bo can log both successful and unsuccessful attempts (as well as
+ errors) to syslog(3), a log file, or both. By default, s\bsu\bud\bdo\bo will log via
+ syslog(3) but this is changeable via the _\bs_\by_\bs_\bl_\bo_\bg and _\bl_\bo_\bg_\bf_\bi_\bl_\be Defaults
+ settings.
+
+ s\bsu\bud\bdo\bo also supports logging a command's input and output streams. I/O
+ logging is not on by default but can be enabled using the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt and
+ _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt Defaults flags as well as the LOG_INPUT and LOG_OUTPUT command
+ tags.
+
+ C\bCo\bom\bmm\bma\ban\bnd\bd E\bEn\bnv\bvi\bir\bro\bon\bnm\bme\ben\bnt\bt
+ Since environment variables can influence program behavior, s\bsu\bud\bdo\bo provides
+ a means to restrict which variables from the user's environment are
+ inherited by the command to be run. There are two distinct ways _\bs_\bu_\bd_\bo_\be_\br_\bs
+ can be configured to handle with environment variables.
+
+ By default, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is enabled. This causes commands to be
+ executed with a new, minimal environment. On AIX (and Linux systems
+ without PAM), the environment is initialized with the contents of the
+ _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt file. On BSD systems, if the _\bu_\bs_\be_\b__\bl_\bo_\bg_\bi_\bn_\bc_\bl_\ba_\bs_\bs option is
+ enabled, the environment is initialized based on the _\bp_\ba_\bt_\bh and _\bs_\be_\bt_\be_\bn_\bv
+ settings in _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. The new environment contains the TERM,
+ PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables in
+ addition to variables from the invoking process permitted by the
+ _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bk_\be_\be_\bp options. This is effectively a whitelist for
+ environment variables.
+
+ If, however, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is disabled, any variables not
+ explicitly denied by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be options are inherited
+ from the invoking process. In this case, _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be behave
+ like a blacklist. Since it is not possible to blacklist all potentially
+ dangerous environment variables, use of the default _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt behavior is
+ encouraged.
+
+ In all cases, environment variables with a value beginning with () are
+ removed as they could be interpreted as b\bba\bas\bsh\bh functions. The list of
+ environment variables that s\bsu\bud\bdo\bo allows or denies is contained in the
+ output of ``sudo -V'' when run as root.
+
+ Note that the dynamic linker on most operating systems will remove
+ variables that can control dynamic linking from the environment of setuid
+ executables, including s\bsu\bud\bdo\bo. Depending on the operating system this may
+ include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and others.
+ These type of variables are removed from the environment before s\bsu\bud\bdo\bo even
+ begins execution and, as such, it is not possible for s\bsu\bud\bdo\bo to preserve
+ them.
+
+ As a special case, if s\bsu\bud\bdo\bo's -\b-i\bi option (initial login) is specified, s\bsu\bud\bdo\bo
+ will initialize the environment regardless of the value of _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt.
+ The DISPLAY, PATH and TERM variables remain unchanged; HOME, MAIL, SHELL,
+ USER, and LOGNAME are set based on the target user. On AIX (and Linux
+ systems without PAM), the contents of _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt are also included.
+ On BSD systems, if the _\bu_\bs_\be_\b__\bl_\bo_\bg_\bi_\bn_\bc_\bl_\ba_\bs_\bs option is enabled, the _\bp_\ba_\bt_\bh and
+ _\bs_\be_\bt_\be_\bn_\bv variables in _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf are also applied. All other
+ environment variables are removed.
+
+ Finally, if the _\be_\bn_\bv_\b__\bf_\bi_\bl_\be option is defined, any variables present in that
+ file will be set to their specified values as long as they would not
+ conflict with an existing environment variable.
E\bEX\bXI\bIT\bT V\bVA\bAL\bLU\bUE\bE
- Upon successful execution of a program, the exit status from s\bsu\bud\bdo\bo will
- simply be the exit status of the program that was executed.
-
- Otherwise, s\bsu\bud\bdo\bo quits with an exit value of 1 if there is a
- configuration/permission problem or if s\bsu\bud\bdo\bo cannot execute the given
- command. In the latter case the error string is printed to stderr. If
- s\bsu\bud\bdo\bo cannot _\bs_\bt_\ba_\bt(2) one or more entries in the user's PATH an error is
- printed on stderr. (If the directory does not exist or if it is not
- really a directory, the entry is ignored and no error is printed.)
- This should not happen under normal circumstances. The most common
- reason for _\bs_\bt_\ba_\bt(2) to return "permission denied" is if you are running
- an automounter and one of the directories in your PATH is on a machine
- that is currently unreachable.
+ Upon successful execution of a program, the exit status from _\bs_\bu_\bd_\bo will
+ simply be the exit status of the program that was executed.
+
+ Otherwise, s\bsu\bud\bdo\bo exits with a value of 1 if there is a
+ configuration/permission problem or if s\bsu\bud\bdo\bo cannot execute the given
+ command. In the latter case the error string is printed to the standard
+ error. If s\bsu\bud\bdo\bo cannot stat(2) one or more entries in the user's PATH, an
+ error is printed on stderr. (If the directory does not exist or if it is
+ not really a directory, the entry is ignored and no error is printed.)
+ This should not happen under normal circumstances. The most common
+ reason for stat(2) to return ``permission denied'' is if you are running
+ an automounter and one of the directories in your PATH is on a machine
+ that is currently unreachable.
+
+L\bLO\bOG\bG F\bFO\bOR\bRM\bMA\bAT\bT
+ s\bsu\bud\bdo\bo can log events using either syslog(3) or a simple log file. In each
+ case the log format is almost identical.
+
+ A\bAc\bcc\bce\bep\bpt\bte\bed\bd c\bco\bom\bmm\bma\ban\bnd\bd l\blo\bog\bg e\ben\bnt\btr\bri\bie\bes\bs
+ Commands that sudo runs are logged using the following format (split into
+ multiple lines for readability):
+
+ date hostname progname: username : TTY=ttyname ; PWD=cwd ; \
+ USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \
+ ENV=env_vars COMMAND=command
+
+ Where the fields are as follows:
+
+ date The date the command was run. Typically, this is in the
+ format ``MMM, DD, HH:MM:SS''. If logging via syslog(3),
+ the actual date format is controlled by the syslog daemon.
+ If logging to a file and the _\bl_\bo_\bg_\b__\by_\be_\ba_\br option is enabled,
+ the date will also include the year.
+
+ hostname The name of the host s\bsu\bud\bdo\bo was run on. This field is only
+ present when logging via syslog(3).
+
+ progname The name of the program, usually _\bs_\bu_\bd_\bo or _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt. This
+ field is only present when logging via syslog(3).
+
+ username The login name of the user who ran s\bsu\bud\bdo\bo.
+
+ ttyname The short name of the terminal (e.g. ``console'',
+ ``tty01'', or ``pts/0'') s\bsu\bud\bdo\bo was run on, or ``unknown'' if
+ there was no terminal present.
+
+ cwd The current working directory that s\bsu\bud\bdo\bo was run in.
+
+ runasuser The user the command was run as.
+
+ runasgroup The group the command was run as if one was specified on
+ the command line.
+
+ logid An I/O log identifier that can be used to replay the
+ command's output. This is only present when the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt
+ or _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt option is enabled.
+
+ env_vars A list of environment variables specified on the command
+ line, if specified.
+
+ command The actual command that was executed.
+
+ Messages are logged using the locale specified by _\bs_\bu_\bd_\bo_\be_\br_\bs_\b__\bl_\bo_\bc_\ba_\bl_\be, which
+ defaults to the ``C'' locale.
+
+ D\bDe\ben\bni\bie\bed\bd c\bco\bom\bmm\bma\ban\bnd\bd l\blo\bog\bg e\ben\bnt\btr\bri\bie\bes\bs
+ If the user is not allowed to run the command, the reason for the denial
+ will follow the user name. Possible reasons include:
+
+ user NOT in sudoers
+ The user is not listed in the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
+
+ user NOT authorized on host
+ The user is listed in the _\bs_\bu_\bd_\bo_\be_\br_\bs file but is not allowed to run
+ commands on the host.
+
+ command not allowed
+ The user is listed in the _\bs_\bu_\bd_\bo_\be_\br_\bs file for the host but they are not
+ allowed to run the specified command.
+
+ 3 incorrect password attempts
+ The user failed to enter their password after 3 tries. The actual
+ number of tries will vary based on the number of failed attempts and
+ the value of the _\bp_\ba_\bs_\bs_\bw_\bd_\b__\bt_\br_\bi_\be_\bs _\bs_\bu_\bd_\bo_\be_\br_\bs option.
+
+ a password is required
+ The -\b-n\bn option was specified but a password was required.
+
+ sorry, you are not allowed to set the following environment variables
+ The user specified environment variables on the command line that were
+ not allowed by _\bs_\bu_\bd_\bo_\be_\br_\bs.
+
+ E\bEr\brr\bro\bor\br l\blo\bog\bg e\ben\bnt\btr\bri\bie\bes\bs
+ If an error occurs, s\bsu\bud\bdo\bo will log a message and, in most cases, send a
+ message to the administrator via email. Possible errors include:
+
+ parse error in /etc/sudoers near line N
+ s\bsu\bud\bdo\bo encountered an error when parsing the specified file. In some
+ cases, the actual error may be one line above or below the line number
+ listed, depending on the type of error.
+
+ problem with defaults entries
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs file contains one or more unknown Defaults settings. This
+ does not prevent s\bsu\bud\bdo\bo from running, but the _\bs_\bu_\bd_\bo_\be_\br_\bs file should be
+ checked using v\bvi\bis\bsu\bud\bdo\bo.
+
+ timestamp owner (username): No such user
+ The time stamp directory owner, as specified by the _\bt_\bi_\bm_\be_\bs_\bt_\ba_\bm_\bp_\bo_\bw_\bn_\be_\br
+ setting, could not be found in the password database.
+
+ unable to open/read /etc/sudoers
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs file could not be opened for reading. This can happen
+ when the _\bs_\bu_\bd_\bo_\be_\br_\bs file is located on a remote file system that maps
+ user ID 0 to a different value. Normally, s\bsu\bud\bdo\bo tries to open _\bs_\bu_\bd_\bo_\be_\br_\bs
+ using group permissions to avoid this problem.
+
+ unable to stat /etc/sudoers
+ The _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs file is missing.
+
+ /etc/sudoers is not a regular file
+ The _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs file exists but is not a regular file or symbolic
+ link.
+
+ /etc/sudoers is owned by uid N, should be 0
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs file has the wrong owner.
+
+ /etc/sudoers is world writable
+ The permissions on the _\bs_\bu_\bd_\bo_\be_\br_\bs file allow all users to write to it.
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs file must not be world-writable, the default file mode is
+ 0440 (readable by owner and group, writable by none).
+
+ /etc/sudoers is owned by gid N, should be 1
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs file has the wrong group ownership.
+
+ unable to open /var/adm/sudo/username/ttyname
+ _\bs_\bu_\bd_\bo_\be_\br_\bs was unable to read or create the user's time stamp file.
+
+ unable to write to /var/adm/sudo/username/ttyname
+ _\bs_\bu_\bd_\bo_\be_\br_\bs was unable to write to the user's time stamp file.
+
+ unable to mkdir to /var/adm/sudo/username
+ _\bs_\bu_\bd_\bo_\be_\br_\bs was unable to create the user's time stamp directory.
+
+ N\bNo\bot\bte\bes\bs o\bon\bn l\blo\bog\bgg\bgi\bin\bng\bg v\bvi\bia\ba s\bsy\bys\bsl\blo\bog\bg
+ By default, _\bs_\bu_\bd_\bo_\be_\br_\bs logs messages via syslog(3). The _\bd_\ba_\bt_\be, _\bh_\bo_\bs_\bt_\bn_\ba_\bm_\be, and
+ _\bp_\br_\bo_\bg_\bn_\ba_\bm_\be fields are added by the syslog daemon, not _\bs_\bu_\bd_\bo_\be_\br_\bs itself. As
+ such, they may vary in format on different systems.
+
+ On most systems, syslog(3) has a relatively small log buffer. To prevent
+ the command line arguments from being truncated, s\bsu\bud\bdo\bo will split up log
+ messages that are larger than 960 characters (not including the date,
+ hostname, and the string ``sudo''). When a message is split, additional
+ parts will include the string ``(command continued)'' after the user name
+ and before the continued command line arguments.
+
+ N\bNo\bot\bte\bes\bs o\bon\bn l\blo\bog\bgg\bgi\bin\bng\bg t\bto\bo a\ba f\bfi\bil\ble\be
+ If the _\bl_\bo_\bg_\bf_\bi_\bl_\be option is set, _\bs_\bu_\bd_\bo_\be_\br_\bs will log to a local file, such as
+ _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo. When logging to a file, _\bs_\bu_\bd_\bo_\be_\br_\bs uses a format similar to
+ syslog(3), with a few important differences:
+
+ 1. The _\bp_\br_\bo_\bg_\bn_\ba_\bm_\be and _\bh_\bo_\bs_\bt_\bn_\ba_\bm_\be fields are not present.
+
+ 2. If the _\bl_\bo_\bg_\b__\by_\be_\ba_\br _\bs_\bu_\bd_\bo_\be_\br_\bs option is enabled, the date will also
+ include the year.
+
+ 3. Lines that are longer than _\bl_\bo_\bg_\bl_\bi_\bn_\be_\bl_\be_\bn characters (80 by default) are
+ word-wrapped and continued on the next line with a four character
+ indent. This makes entries easier to read for a human being, but
+ makes it more difficult to use grep(1) on the log files. If the
+ _\bl_\bo_\bg_\bl_\bi_\bn_\be_\bl_\be_\bn _\bs_\bu_\bd_\bo_\be_\br_\bs option is set to 0 (or negated with a `!'), word
+ wrap will be disabled.
S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
- s\bsu\bud\bdo\bo tries to be safe when executing external commands.
-
- There are two distinct ways to deal with environment variables. By
- default, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt _\bs_\bu_\bd_\bo_\be_\br_\bs option is enabled. This causes commands
- to be executed with a new, minimal environment containing. On AIX (and
- Linux systems without PAM), the environment is initialized with the
- contents of the _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt file. On BSD systems, if the
- _\bu_\bs_\be_\b__\bl_\bo_\bg_\bi_\bn_\bc_\bl_\ba_\bs_\bs option is enabled, the environment is initialized based
- on the _\bp_\ba_\bt_\bh and _\bs_\be_\bt_\be_\bn_\bv settings in _\b/_\be_\bt_\bc_\b/_\bl_\bo_\bg_\bi_\bn_\b._\bc_\bo_\bn_\bf. The new
- environment contains the TERM, PATH, HOME, MAIL, SHELL, LOGNAME, USER,
- USERNAME and SUDO_* variables in addition to variables from the
- invoking process permitted by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bk_\be_\be_\bp options. This
- is effectively a whitelist for environment variables.
-
- If, however, the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is disabled in _\bs_\bu_\bd_\bo_\be_\br_\bs, any variables
- not explicitly denied by the _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be options are
- inherited from the invoking process. In this case, _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk and
- _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be behave like a blacklist. Since it is not possible to
- blacklist all potentially dangerous environment variables, use of the
- default _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt behavior is encouraged.
-
- In all cases, environment variables with a value beginning with () are
- removed as they could be interpreted as b\bba\bas\bsh\bh functions. The list of
- environment variables that s\bsu\bud\bdo\bo allows or denies is contained in the
- output of sudo -V when run as root.
-
- Note that the dynamic linker on most operating systems will remove
- variables that can control dynamic linking from the environment of
- setuid executables, including s\bsu\bud\bdo\bo. Depending on the operating system
- this may include _RLD*, DYLD_*, LD_*, LDR_*, LIBPATH, SHLIB_PATH, and
- others. These type of variables are removed from the environment
- before s\bsu\bud\bdo\bo even begins execution and, as such, it is not possible for
- s\bsu\bud\bdo\bo to preserve them.
-
- To prevent command spoofing, s\bsu\bud\bdo\bo checks "." and "" (both denoting
- current directory) last when searching for a command in the user's PATH
- (if one or both are in the PATH). Note, however, that the actual PATH
- environment variable is _\bn_\bo_\bt modified and is passed unchanged to the
- program that s\bsu\bud\bdo\bo executes.
-
- s\bsu\bud\bdo\bo will check the ownership of its time stamp directory
- (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo by default) and ignore the directory's contents if it is
- not owned by root or if it is writable by a user other than root. On
- systems that allow non-root users to give away files via _\bc_\bh_\bo_\bw_\bn(2), if
- the time stamp directory is located in a directory writable by anyone
- (e.g., _\b/_\bt_\bm_\bp), it is possible for a user to create the time stamp
- directory before s\bsu\bud\bdo\bo is run. However, because s\bsu\bud\bdo\bo checks the
- ownership and mode of the directory and its contents, the only damage
- that can be done is to "hide" files by putting them in the time stamp
- dir. This is unlikely to happen since once the time stamp dir is owned
- by root and inaccessible by any other user, the user placing files
- there would be unable to get them back out. To get around this issue
- you can use a directory that is not world-writable for the time stamps
- (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo for instance) or create _\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo with the
- appropriate owner (root) and permissions (0700) in the system startup
- files.
-
- s\bsu\bud\bdo\bo will not honor time stamps set far in the future. Timestamps with
- a date greater than current_time + 2 * TIMEOUT will be ignored and sudo
- will log and complain. This is done to keep a user from creating
- his/her own time stamp with a bogus date on systems that allow users to
- give away files.
-
- On systems where the boot time is available, s\bsu\bud\bdo\bo will also not honor
- time stamps from before the machine booted.
-
- Since time stamp files live in the file system, they can outlive a
- user's login session. As a result, a user may be able to login, run a
- command with s\bsu\bud\bdo\bo after authenticating, logout, login again, and run
- s\bsu\bud\bdo\bo without authenticating so long as the time stamp file's
- modification time is within 5 minutes (or whatever the timeout is set
- to in _\bs_\bu_\bd_\bo_\be_\br_\bs). When the _\bt_\bt_\by_\b__\bt_\bi_\bc_\bk_\be_\bt_\bs option is enabled in _\bs_\bu_\bd_\bo_\be_\br_\bs, the
- time stamp has per-tty granularity but still may outlive the user's
- session. On Linux systems where the devpts filesystem is used, Solaris
- systems with the devices filesystem, as well as other systems that
- utilize a devfs filesystem that monotonically increase the inode number
- of devices as they are created (such as Mac OS X), s\bsu\bud\bdo\bo is able to
- determine when a tty-based time stamp file is stale and will ignore it.
- Administrators should not rely on this feature as it is not universally
- available.
-
- Please note that s\bsu\bud\bdo\bo will normally only log the command it explicitly
- runs. If a user runs a command such as sudo su or sudo sh, subsequent
- commands run from that shell will _\bn_\bo_\bt be logged, nor will s\bsu\bud\bdo\bo's access
- control affect them. The same is true for commands that offer shell
- escapes (including most editors). Because of this, care must be taken
- when giving users access to commands via s\bsu\bud\bdo\bo to verify that the
- command does not inadvertently give the user an effective root shell.
- For more information, please see the PREVENTING SHELL ESCAPES section
- in _\bs_\bu_\bd_\bo_\be_\br_\bs(4).
+ s\bsu\bud\bdo\bo tries to be safe when executing external commands.
+
+ To prevent command spoofing, s\bsu\bud\bdo\bo checks "." and "" (both denoting
+ current directory) last when searching for a command in the user's PATH
+ (if one or both are in the PATH). Note, however, that the actual PATH
+ environment variable is _\bn_\bo_\bt modified and is passed unchanged to the
+ program that s\bsu\bud\bdo\bo executes.
+
+ s\bsu\bud\bdo\bo will check the ownership of its time stamp directory (_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo
+ by default) and ignore the directory's contents if it is not owned by
+ root or if it is writable by a user other than root. On systems that
+ allow non-root users to give away files via chown(2), if the time stamp
+ directory is located in a world-writable directory (e.g., _\b/_\bt_\bm_\bp), it is
+ possible for a user to create the time stamp directory before s\bsu\bud\bdo\bo is
+ run. However, because s\bsu\bud\bdo\bo checks the ownership and mode of the
+ directory and its contents, the only damage that can be done is to
+ ``hide'' files by putting them in the time stamp dir. This is unlikely
+ to happen since once the time stamp dir is owned by root and inaccessible
+ by any other user, the user placing files there would be unable to get
+ them back out.
+
+ s\bsu\bud\bdo\bo will not honor time stamps set far in the future. Time stamps with
+ a date greater than current_time + 2 * TIMEOUT will be ignored and sudo
+ will log and complain. This is done to keep a user from creating his/her
+ own time stamp with a bogus date on systems that allow users to give away
+ files if the time stamp directory is located in a world-writable
+ directory.
+
+ On systems where the boot time is available, s\bsu\bud\bdo\bo will ignore time stamps
+ that date from before the machine booted.
+
+ Since time stamp files live in the file system, they can outlive a user's
+ login session. As a result, a user may be able to login, run a command
+ with s\bsu\bud\bdo\bo after authenticating, logout, login again, and run s\bsu\bud\bdo\bo without
+ authenticating so long as the time stamp file's modification time is
+ within 5 minutes (or whatever the timeout is set to in _\bs_\bu_\bd_\bo_\be_\br_\bs). When
+ the _\bt_\bt_\by_\b__\bt_\bi_\bc_\bk_\be_\bt_\bs _\bs_\bu_\bd_\bo_\be_\br_\bs option is enabled, the time stamp has per-tty
+ granularity but still may outlive the user's session. On Linux systems
+ where the devpts filesystem is used, Solaris systems with the devices
+ filesystem, as well as other systems that utilize a devfs filesystem that
+ monotonically increase the inode number of devices as they are created
+ (such as Mac OS X), s\bsu\bud\bdo\bo is able to determine when a tty-based time stamp
+ file is stale and will ignore it. Administrators should not rely on this
+ feature as it is not universally available.
+
+ Please note that s\bsu\bud\bdo\bo will normally only log the command it explicitly
+ runs. If a user runs a command such as sudo su or sudo sh, subsequent
+ commands run from that shell are not subject to s\bsu\bud\bdo\bo's security policy.
+ The same is true for commands that offer shell escapes (including most
+ editors). If I/O logging is enabled, subsequent commands will have their
+ input and/or output logged, but there will not be traditional logs for
+ those commands. Because of this, care must be taken when giving users
+ access to commands via s\bsu\bud\bdo\bo to verify that the command does not
+ inadvertently give the user an effective root shell. For more
+ information, please see the _\bP_\bR_\bE_\bV_\bE_\bN_\bT_\bI_\bN_\bG _\bS_\bH_\bE_\bL_\bL _\bE_\bS_\bC_\bA_\bP_\bE_\bS section in
+ sudoers(4).
+
+ To prevent the disclosure of potentially sensitive information, s\bsu\bud\bdo\bo
+ disables core dumps by default while it is executing (they are re-enabled
+ for the command that is run).
+
+ For information on the security implications of _\bs_\bu_\bd_\bo_\be_\br_\bs entries, please
+ see the _\bS_\bE_\bC_\bU_\bR_\bI_\bT_\bY _\bN_\bO_\bT_\bE_\bS section in sudoers(4).
E\bEN\bNV\bVI\bIR\bRO\bON\bNM\bME\bEN\bNT\bT
- s\bsu\bud\bdo\bo utilizes the following environment variables:
+ s\bsu\bud\bdo\bo utilizes the following environment variables:
- EDITOR Default editor to use in -\b-e\be (sudoedit) mode if neither
- SUDO_EDITOR nor VISUAL is set.
+ EDITOR Default editor to use in -\b-e\be (sudoedit) mode if neither
+ SUDO_EDITOR nor VISUAL is set.
- MAIL In -\b-i\bi mode or when _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt is enabled in _\bs_\bu_\bd_\bo_\be_\br_\bs, set
- to the mail spool of the target user.
+ MAIL In -\b-i\bi mode or when _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt is enabled in _\bs_\bu_\bd_\bo_\be_\br_\bs, set
+ to the mail spool of the target user.
- HOME Set to the home directory of the target user if -\b-i\bi or
- -\b-H\bH are specified, _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt or _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be are set
- in _\bs_\bu_\bd_\bo_\be_\br_\bs, or when the -\b-s\bs option is specified and
- _\bs_\be_\bt_\b__\bh_\bo_\bm_\be is set in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+ HOME Set to the home directory of the target user if -\b-i\bi or -\b-H\bH
+ are specified, _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt or _\ba_\bl_\bw_\ba_\by_\bs_\b__\bs_\be_\bt_\b__\bh_\bo_\bm_\be are set in
+ _\bs_\bu_\bd_\bo_\be_\br_\bs, or when the -\b-s\bs option is specified and _\bs_\be_\bt_\b__\bh_\bo_\bm_\be
+ is set in _\bs_\bu_\bd_\bo_\be_\br_\bs.
- PATH Set to a sane value if the _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh sudoers option
- is set.
+ PATH Set to a sane value if the _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh option is set in
+ the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
- SHELL Used to determine shell to run with -\b-s\bs option.
+ SHELL Used to determine shell to run with -\b-s\bs option.
- SUDO_ASKPASS Specifies the path to a helper program used to read the
- password if no terminal is available or if the -\b-A\bA
- option is specified.
+ SUDO_ASKPASS Specifies the path to a helper program used to read the
+ password if no terminal is available or if the -\b-A\bA option
+ is specified.
- SUDO_COMMAND Set to the command run by sudo.
+ SUDO_COMMAND Set to the command run by sudo.
- SUDO_EDITOR Default editor to use in -\b-e\be (sudoedit) mode.
+ SUDO_EDITOR Default editor to use in -\b-e\be (sudoedit) mode.
- SUDO_GID Set to the group ID of the user who invoked sudo.
+ SUDO_GID Set to the group ID of the user who invoked sudo.
- SUDO_PROMPT Used as the default password prompt.
+ SUDO_PROMPT Used as the default password prompt.
- SUDO_PS1 If set, PS1 will be set to its value for the program
- being run.
+ SUDO_PS1 If set, PS1 will be set to its value for the program
+ being run.
- SUDO_UID Set to the user ID of the user who invoked sudo.
+ SUDO_UID Set to the user ID of the user who invoked sudo.
- SUDO_USER Set to the login of the user who invoked sudo.
+ SUDO_USER Set to the login name of the user who invoked sudo.
- USER Set to the target user (root unless the -\b-u\bu option is
- specified).
+ USER Set to the target user (root unless the -\b-u\bu option is
+ specified).
- VISUAL Default editor to use in -\b-e\be (sudoedit) mode if
- SUDO_EDITOR is not set.
+ VISUAL Default editor to use in -\b-e\be (sudoedit) mode if
+ SUDO_EDITOR is not set.
F\bFI\bIL\bLE\bES\bS
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
- _\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo Directory containing time stamps
+ _\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo Directory containing time stamps
- _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt Initial environment for -\b-i\bi mode on AIX and
+ _\b/_\be_\bt_\bc_\b/_\be_\bn_\bv_\bi_\br_\bo_\bn_\bm_\be_\bn_\bt Initial environment for -\b-i\bi mode on AIX and
Linux systems
E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
- Note: the following examples assume suitable _\bs_\bu_\bd_\bo_\be_\br_\bs(4) entries.
+ Note: the following examples assume suitable sudoers(4) entries.
- To get a file listing of an unreadable directory:
+ To get a file listing of an unreadable directory:
- $ sudo ls /usr/local/protected
+ $ sudo ls /usr/local/protected
- To list the home directory of user yaz on a machine where the file
- system holding ~yaz is not exported as root:
+ To list the home directory of user yaz on a machine where the file system
+ holding ~yaz is not exported as root:
- $ sudo -u yaz ls ~yaz
+ $ sudo -u yaz ls ~yaz
- To edit the _\bi_\bn_\bd_\be_\bx_\b._\bh_\bt_\bm_\bl file as user www:
+ To edit the _\bi_\bn_\bd_\be_\bx_\b._\bh_\bt_\bm_\bl file as user www:
- $ sudo -u www vi ~www/htdocs/index.html
+ $ sudo -u www vi ~www/htdocs/index.html
- To view system logs only accessible to root and users in the adm group:
+ To view system logs only accessible to root and users in the adm group:
- $ sudo -g adm view /var/log/syslog
+ $ sudo -g adm view /var/log/syslog
- To run an editor as jim with a different primary group:
+ To run an editor as jim with a different primary group:
- $ sudo -u jim -g audio vi ~jim/sound.txt
+ $ sudo -u jim -g audio vi ~jim/sound.txt
- To shutdown a machine:
+ To shut down a machine:
- $ sudo shutdown -r +15 "quick reboot"
+ $ sudo shutdown -r +15 "quick reboot"
- To make a usage listing of the directories in the /home partition.
- Note that this runs the commands in a sub-shell to make the cd and file
- redirection work.
+ To make a usage listing of the directories in the /home partition. Note
+ that this runs the commands in a sub-shell to make the cd and file
+ redirection work.
- $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
+ $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\bg_\br_\be_\bp(1), _\bs_\bu(1), _\bs_\bt_\ba_\bt(2), _\bl_\bo_\bg_\bi_\bn_\b__\bc_\ba_\bp(3), _\bp_\ba_\bs_\bs_\bw_\bd(4), _\bs_\bu_\bd_\bo_\be_\br_\bs(5),
- _\bv_\bi_\bs_\bu_\bd_\bo(1m)
+ grep(1), su(1), stat(2), login_cap(3), passwd(4), sudoers(4),
+ sudoreplay(1m), visudo(1m)
+
+H\bHI\bIS\bST\bTO\bOR\bRY\bY
+ See the HISTORY file in the s\bsu\bud\bdo\bo distribution
+ (http://www.sudo.ws/sudo/history.html) for a brief history of sudo.
A\bAU\bUT\bTH\bHO\bOR\bRS\bS
- Many people have worked on s\bsu\bud\bdo\bo over the years; this version consists
- of code written primarily by:
+ Many people have worked on s\bsu\bud\bdo\bo over the years; this version consists of
+ code written primarily by:
- Todd C. Miller
+ Todd C. Miller
- See the HISTORY file in the s\bsu\bud\bdo\bo distribution or visit
- http://www.sudo.ws/sudo/history.html for a short history of s\bsu\bud\bdo\bo.
+ See the CONTRIBUTORS file in the s\bsu\bud\bdo\bo distribution
+ (http://www.sudo.ws/sudo/contributors.html) for an exhaustive list of
+ people who have contributed to s\bsu\bud\bdo\bo.
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
- There is no easy way to prevent a user from gaining a root shell if
- that user is allowed to run arbitrary commands via s\bsu\bud\bdo\bo. Also, many
- programs (such as editors) allow the user to run commands via shell
- escapes, thus avoiding s\bsu\bud\bdo\bo's checks. However, on most systems it is
- possible to prevent shell escapes with s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality.
- See the _\bs_\bu_\bd_\bo_\be_\br_\bs(4) manual for details.
+ There is no easy way to prevent a user from gaining a root shell if that
+ user is allowed to run arbitrary commands via s\bsu\bud\bdo\bo. Also, many programs
+ (such as editors) allow the user to run commands via shell escapes, thus
+ avoiding s\bsu\bud\bdo\bo's checks. However, on most systems it is possible to
+ prevent shell escapes with s\bsu\bud\bdo\bo '\b' s\bs _\bn_\bo_\be_\bx_\be_\bc functionality. See the
+ sudoers(4) manual for details.
- It is not meaningful to run the cd command directly via sudo, e.g.,
+ It is not meaningful to run the cd command directly via sudo, e.g.,
- $ sudo cd /usr/local/protected
+ $ sudo cd /usr/local/protected
- since when the command exits the parent process (your shell) will still
- be the same. Please see the EXAMPLES section for more information.
+ since when the command exits the parent process (your shell) will still
+ be the same. Please see the _\bE_\bX_\bA_\bM_\bP_\bL_\bE_\bS section for more information.
- If users have sudo ALL there is nothing to prevent them from creating
- their own program that gives them a root shell regardless of any '!'
- elements in the user specification.
-
- Running shell scripts via s\bsu\bud\bdo\bo can expose the same kernel bugs that
- make setuid shell scripts unsafe on some operating systems (if your OS
- has a /dev/fd/ directory, setuid shell scripts are generally safe).
+ Running shell scripts via s\bsu\bud\bdo\bo can expose the same kernel bugs that make
+ setuid shell scripts unsafe on some operating systems (if your OS has a
+ /dev/fd/ directory, setuid shell scripts are generally safe).
B\bBU\bUG\bGS\bS
- If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
- http://www.sudo.ws/sudo/bugs/
+ If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
+ http://www.sudo.ws/sudo/bugs/
S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Limited free support is available via the sudo-users mailing list, see
- http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
- the archives.
+ Limited free support is available via the sudo-users mailing list, see
+ http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
+ archives.
D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
- including, but not limited to, the implied warranties of
- merchantability and fitness for a particular purpose are disclaimed.
- See the LICENSE file distributed with s\bsu\bud\bdo\bo or
- http://www.sudo.ws/sudo/license.html for complete details.
-
-
+ s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
+ including, but not limited to, the implied warranties of merchantability
+ and fitness for a particular purpose are disclaimed. See the LICENSE
+ file distributed with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for
+ complete details.
-1.7.10 July 12, 2012 SUDO(1m)
+Sudo 1.7.10 July 10, 2012 Sudo 1.7.10
-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2010
-.\" Todd C. Miller <Todd.Miller@courtesan.com>
-.\"
+.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
+.\" IT IS GENERATED AUTOMATICALLY FROM sudo.mdoc.in
+.\"
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2012
+.\" Todd C. Miller <Todd.Miller@courtesan.com>
+.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
-.\"
+.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
+.\"
.\" Sponsored in part by the Defense Advanced Research Projects
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
-.\"
-.nr SL @SEMAN@
-.nr BA @BAMAN@
-.nr LC @LCMAN@
-.nr PT @password_timeout@
-.\"
-.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
-.\"
-.\" Standard preamble:
-.\" ========================================================================
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C`
-. ds C'
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" Escape single quotes in literal strings from groff's Unicode transform.
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
-.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
-.\" entries marked with X<> in POD. Of course, you'll have to process the
-.\" output yourself in some meaningful fashion.
-.ie \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.el \{\
-. de IX
-..
-.\}
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ========================================================================
-.\"
-.IX Title "SUDO @mansectsu@"
-.TH SUDO @mansectsu@ "July 12, 2012" "1.7.10" "MAINTENANCE COMMANDS"
-.\" For nroff, turn off justification. Always turn off hyphenation; it makes
-.\" way too many mistakes in technical documents.
-.if n .ad l
+.TH "SUDO" "@mansectsu@" "July 10, 2012" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh
+.if n .ad l
.SH "NAME"
-sudo, sudoedit \- execute a command as another user
+\fBsudo\fR,
+\fBsudoedit\fR
+\- execute a command as another user
.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBsudo\fR \fB\-h\fR | \fB\-K\fR | \fB\-k\fR | \fB\-L\fR | \fB\-V\fR
-.PP
-\&\fBsudo\fR \fB\-v\fR [\fB\-AknS\fR]
-.if \n(BA [\fB\-a\fR\ \fIauth_type\fR]
-[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
-[\fB\-u\fR\ \fIusername\fR|\fI#uid\fR]
-.PP
-\&\fBsudo\fR \fB\-l[l]\fR [\fB\-AknS\fR]
-.if \n(BA [\fB\-a\fR\ \fIauth_type\fR]
-[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
-[\fB\-U\fR\ \fIuser\ name\fR] [\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] [\fIcommand\fR]
-.PP
-\&\fBsudo\fR [\fB\-AbEHnPS\fR]
-.if \n(BA [\fB\-a\fR\ \fIauth_type\fR]
+.HP 5n
+\fBsudo\fR
+\fB\-h\fR | \fB\-K\fR | \fB\-k\fR | \fB\-L\fR | \fB\-V\fR
+.PD 0
+.HP 5n
+\fBsudo\fR
+\fB\-v\fR
+[\fB\-AknS\fR]
+[\fB\-a\fR\ \fIauth_type\fR]
+[\fB\-g\fR\ \fIgroup\ name\fR\ |\ \fI#gid\fR]
+[\fB\-p\fR\ \fIprompt\fR]
+[\fB\-u\fR\ \fIuser\ name\fR\ |\ \fI#uid\fR]
+.br
+.HP 5n
+\fBsudo\fR
+\fB\-l\fR[\fIl\fR]
+[\fB\-AknS\fR]
+[\fB\-a\fR\ \fIauth_type\fR]
+[\fB\-g\fR\ \fIgroup\ name\fR\ |\ \fI#gid\fR]
+[\fB\-p\fR\ \fIprompt\fR]
+[\fB\-U\fR\ \fIuser\ name\fR]
+[\fB\-u\fR\ \fIuser\ name\fR\ |\ \fI#uid\fR]
+[\fIcommand\fR]
+.br
+.HP 5n
+\fBsudo\fR
+[\fB\-AbEHnPS\fR]
+[\fB\-a\fR\ \fIauth_type\fR]
[\fB\-C\fR\ \fIfd\fR]
-.if \n(LC [\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
-[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
-.if \n(SL [\fB\-r\fR\ \fIrole\fR] [\fB\-t\fR\ \fItype\fR]
-[\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR]
-[\fB\s-1VAR\s0\fR=\fIvalue\fR] [\fB\-i\fR\ |\ \fB\-s\fR] [\fIcommand\fR]
-.PP
-\&\fBsudoedit\fR [\fB\-AnS\fR]
-.if \n(BA [\fB\-a\fR\ \fIauth_type\fR]
+[\fB\-c\fR\ \fIclass\fR\ |\ \fI-\fR]
+[\fB\-g\fR\ \fIgroup\ name\fR\ |\ \fI#gid\fR]
+[\fB\-p\fR\ \fIprompt\fR]
+[\fB\-r\fR\ \fIrole\fR]
+[\fB\-t\fR\ \fItype\fR]
+[\fB\-u\fR\ \fIuser\ name\fR\ |\ \fI#uid\fR]
+[\fBVAR\fR=\fIvalue\fR]
+\fB\-i\fR\ |\ \fB\-s\fR
+[\fIcommand\fR]
+.br
+.HP 9n
+\fBsudoedit\fR
+[\fB\-AnS\fR]
+[\fB\-a\fR\ \fIauth_type\fR]
[\fB\-C\fR\ \fIfd\fR]
-.if \n(LC [\fB\-c\fR\ \fIclass\fR|\fI\-\fR]
-[\fB\-g\fR\ \fIgroup\ name\fR|\fI#gid\fR] [\fB\-p\fR\ \fIprompt\fR]
-[\fB\-u\fR\ \fIuser\ name\fR|\fI#uid\fR] file ...
+[\fB\-c\fR\ \fIclass\fR\ |\ \fI-\fR]
+[\fB\-g\fR\ \fIgroup\ name\fR\ |\ \fI#gid\fR]
+[\fB\-p\fR\ \fIprompt\fR]
+[\fB\-u\fR\ \fIuser\ name\fR\ |\ \fI#uid\fR]
+file ...
+.PD
.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-\&\fBsudo\fR allows a permitted user to execute a \fIcommand\fR as the
-superuser or another user, as specified in the \fIsudoers\fR file.
+\fBsudo\fR
+allows a permitted user to execute a
+\fIcommand\fR
+as the superuser or another user, as specified by the
+\fIsudoers\fR
+file.
The real and effective uid and gid are set to match those of the
-target user as specified in the passwd file and the group vector
-is initialized based on the group file (unless the \fB\-P\fR option was
-specified). If the invoking user is root or if the target user is
-the same as the invoking user, no password is required. Otherwise,
-\&\fBsudo\fR requires that users authenticate themselves with a password
-by default (\s-1NOTE:\s0 in the default configuration this is the user's
-password, not the root password). Once a user has been authenticated,
-a time stamp is updated and the user may then use sudo without a
-password for a short period of time (\f(CW\*(C`@timeout@\*(C'\fR minutes unless
-overridden in \fIsudoers\fR).
-.PP
-When invoked as \fBsudoedit\fR, the \fB\-e\fR option (described below),
-is implied.
-.PP
-\&\fBsudo\fR determines who is an authorized user by consulting the file
-\&\fI@sysconfdir@/sudoers\fR. By running \fBsudo\fR with the \fB\-v\fR option,
-a user can update the time stamp without running a \fIcommand\fR. If
-a password is required, \fBsudo\fR will exit if the user's password
-is not entered within a configurable time limit. The default
-password prompt timeout is
-.ie \n(PT \f(CW\*(C`@password_timeout@\*(C'\fR minutes.
-.el unlimited.
-.PP
-If a user who is not listed in the \fIsudoers\fR file tries to run a
-command via \fBsudo\fR, mail is sent to the proper authorities, as
-defined at configure time or in the \fIsudoers\fR file (defaults to
-\&\f(CW\*(C`@mailto@\*(C'\fR). Note that the mail will not be sent if an unauthorized
-user tries to run sudo with the \fB\-l\fR or \fB\-v\fR option. This allows
-users to determine for themselves whether or not they are allowed
-to use \fBsudo\fR.
-.PP
-If \fBsudo\fR is run by root and the \f(CW\*(C`SUDO_USER\*(C'\fR environment variable
-is set, \fBsudo\fR will use this value to determine who the actual
-user is. This can be used by a user to log commands through sudo
-even when a root shell has been invoked. It also allows the \fB\-e\fR
-option to remain useful even when being run via a sudo-run script or
-program. Note however, that the sudoers lookup is still done for
-root, not the user specified by \f(CW\*(C`SUDO_USER\*(C'\fR.
-.PP
-\&\fBsudo\fR can log both successful and unsuccessful attempts (as well
-as errors) to \fIsyslog\fR\|(3), a log file, or both. By default \fBsudo\fR
-will log via \fIsyslog\fR\|(3) but this is changeable at configure time
-or via the \fIsudoers\fR file.
-.SH "OPTIONS"
-.IX Header "OPTIONS"
-\&\fBsudo\fR accepts the following command line options:
-.IP "\-A" 12
-.IX Item "-A"
-Normally, if \fBsudo\fR requires a password, it will read it from the
-current terminal. If the \fB\-A\fR (\fIaskpass\fR) option is specified,
-a (possibly graphical) helper program is executed to read the
-user's password and output the password to the standard output. If
-the \f(CW\*(C`SUDO_ASKPASS\*(C'\fR environment variable is set, it specifies the
-path to the helper program. Otherwise, the value specified by the
-\&\fIaskpass\fR option in \fIsudoers\fR\|(@mansectform@) is used.
-.if \n(BA \{\
-.IP "\-a \fItype\fR" 12
-.IX Item "-a type"
-The \fB\-a\fR (\fIauthentication type\fR) option causes \fBsudo\fR to use the
-specified authentication type when validating the user, as allowed
-by \fI/etc/login.conf\fR. The system administrator may specify a list
-of sudo-specific authentication methods by adding an \*(L"auth-sudo\*(R"
-entry in \fI/etc/login.conf\fR. This option is only available on systems
-that support \s-1BSD\s0 authentication.
-\}
-.IP "\-b" 12
-.IX Item "-b"
-The \fB\-b\fR (\fIbackground\fR) option tells \fBsudo\fR to run the given
-command in the background. Note that if you use the \fB\-b\fR
+target user, as specified in the password database, and the group
+vector is initialized based on the group database (unless the
+\fB\-P\fR
+option was specified).
+See the
+\fICommand Environment\fR
+section below for more details.
+.PP
+\fBsudo\fR
+determines who is an authorized user by consulting the file
+\fI@sysconfdir@/sudoers\fR.
+By running
+\fBsudo\fR
+with the
+\fB\-v\fR
+option, a user can update the time stamp without running a
+\fIcommand\fR.
+If authentication is required,
+\fBsudo\fR
+will exit if the user's password is not entered within a configurable
+time limit.
+The default password prompt timeout is
+\fR@password_timeout@\fR
+minutes.
+.PP
+When invoked as
+\fBsudoedit\fR,
+the
+\fB\-e\fR
+option (described below), is implied.
+.PP
+The options are as follows:
+.TP 12n
+\fB\-A\fR
+Normally, if
+\fBsudo\fR
+requires a password, it will read it from the user's terminal.
+If the
+\fB\-A\fR (\fIaskpass\fR)
+option is specified, a (possibly graphical) helper program is
+executed to read the user's password and output the password to the
+standard output.
+If the
+\fRSUDO_ASKPASS\fR
+environment variable is set, it specifies the path to the helper
+program.
+Otherwise, the value specified by the
+\fIaskpass\fR
+option in
+sudoers(@mansectform@)
+is used.
+If no askpass program is available,
+\fBsudo\fR
+will exit with an error.
+.TP 12n
+\fB\-a\fR \fItype\fR
+The
+\fB\-a\fR (\fIauthentication type\fR)
+option causes
+\fBsudo\fR
+to use the specified authentication type when validating the user,
+as allowed by
+\fI/etc/login.conf\fR.
+The system administrator may specify a list of sudo-specific
+authentication methods by adding an
+``auth-sudo''
+entry in
+\fI/etc/login.conf\fR.
+This option is only available on systems that support BSD authentication.
+.TP 12n
+\fB\-b\fR
+The
+\fB\-b\fR (\fIbackground\fR)
+option tells
+\fBsudo\fR
+to run the given command in the background.
+Note that if you use the
+\fB\-b\fR
option you cannot use shell job control to manipulate the process.
-.IP "\-C \fIfd\fR" 12
-.IX Item "-C fd"
-Normally, \fBsudo\fR will close all open file descriptors other than
-standard input, standard output and standard error. The \fB\-C\fR
-(\fIclose from\fR) option allows the user to specify a starting point
-above the standard error (file descriptor three). Values less than
-three are not permitted. This option is only available if the
-administrator has enabled the \fIclosefrom_override\fR option in
-\&\fIsudoers\fR\|(@mansectform@).
-.if \n(LC \{\
-.IP "\-c \fIclass\fR" 12
-.IX Item "-c class"
-The \fB\-c\fR (\fIclass\fR) option causes \fBsudo\fR to run the specified command
-with resources limited by the specified login class. The \fIclass\fR
-argument can be either a class name as defined in \fI/etc/login.conf\fR,
-or a single '\-' character. Specifying a \fIclass\fR of \f(CW\*(C`\-\*(C'\fR indicates
-that the command should be run restricted by the default login
-capabilities for the user the command is run as. If the \fIclass\fR
+Most interactive commands will fail to work properly in background
+mode.
+.TP 12n
+\fB\-C\fR \fIfd\fR
+Normally,
+\fBsudo\fR
+will close all open file descriptors other than standard input,
+standard output and standard error.
+The
+\fB\-C\fR (\fIclose from\fR)
+option allows the user to specify a starting point above the standard
+error (file descriptor three).
+Values less than three are not permitted.
+This option is only available when the administrator has enabled the
+\fIclosefrom_override\fR
+option in
+sudoers(@mansectform@).
+.TP 12n
+\fB\-c\fR \fIclass\fR
+The
+\fB\-c\fR (\fIclass\fR)
+option causes
+\fBsudo\fR
+to run the specified command with resources limited by the specified
+login class.
+The
+\fIclass\fR
+argument can be either a class name as defined in
+\fI/etc/login.conf\fR,
+or a single
+`\-'
+character.
+Specifying a
+\fIclass\fR
+of
+\fR-\fR
+indicates that the command should be run restricted by the default
+login capabilities for the user the command is run as.
+If the
+\fIclass\fR
argument specifies an existing user class, the command must be run
-as root, or the \fBsudo\fR command must be run from a shell that is already
-root. This option is only available on systems with \s-1BSD\s0 login classes.
-\}
-.IP "\-E" 12
-.IX Item "-E"
-The \fB\-E\fR (\fIpreserve\fR \fIenvironment\fR) option will override the
-\&\fIenv_reset\fR option in \fIsudoers\fR\|(@mansectform@)). It is only
-available when either the matching command has the \f(CW\*(C`SETENV\*(C'\fR tag
-or the \fIsetenv\fR option is set in \fIsudoers\fR\|(@mansectform@).
-.IP "\-e" 12
-.IX Item "-e"
-The \fB\-e\fR (\fIedit\fR) option indicates that, instead of running
-a command, the user wishes to edit one or more files. In lieu
-of a command, the string \*(L"sudoedit\*(R" is used when consulting
-the \fIsudoers\fR file. If the user is authorized by \fIsudoers\fR
+as root, or the
+\fBsudo\fR
+command must be run from a shell that is already root.
+This option is only available on systems with BSD login classes.
+.TP 12n
+\fB\-E\fR
+The
+\fB\-E\fR (\fIpreserve environment\fR)
+option will override the
+\fIenv_reset\fR
+option in
+sudoers(@mansectform@).
+It is only available when either the matching command has the
+\fRSETENV\fR
+tag or the
+\fIsetenv\fR
+option is set in
+sudoers(@mansectform@).
+\fBsudo\fR
+will return an error if the
+\fB\-E\fR
+option is specified and the user does not have permission to preserve
+the environment.
+.TP 12n
+\fB\-e\fR
+The
+\fB\-e\fR (\fIedit\fR)
+option indicates that, instead of running a command, the user wishes
+to edit one or more files.
+In lieu of a command, the string "sudoedit" is used when consulting the
+\fIsudoers\fR
+file.
+If the user is authorized by
+\fIsudoers\fR,
the following steps are taken:
-.RS 12
-.IP "1." 4
+.RS
+.TP 5n
+1.
Temporary copies are made of the files to be edited with the owner
set to the invoking user.
-.IP "2." 4
-The editor specified by the \f(CW\*(C`SUDO_EDITOR\*(C'\fR, \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR
-environment variables is run to edit the temporary files. If none
-of \f(CW\*(C`SUDO_EDITOR\*(C'\fR, \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR are set, the first program
-listed in the \fIeditor\fR \fIsudoers\fR variable is used.
-.IP "3." 4
+.TP 5n
+2.
+The editor specified by the
+\fRSUDO_EDITOR\fR,
+\fRVISUAL\fR
+or
+\fREDITOR\fR
+environment variables (in that order) is run to edit the temporary files.
+If none of
+\fRSUDO_EDITOR\fR,
+\fRVISUAL\fR
+or
+\fREDITOR\fR
+are set, the first program listed in the
+\fIeditor\fR
+sudoers(@mansectform@)
+option is used.
+.TP 5n
+3.
If they have been modified, the temporary files are copied back to
their original location and the temporary versions are removed.
+.PP
+If the specified file does not exist, it will be created.
+Note that unlike most commands run by
+\fIsudo\fR,
+the editor is run with the invoking user's environment unmodified.
+If, for some reason,
+\fBsudo\fR
+is unable to update a file with its edited version, the user will
+receive a warning and the edited copy will remain in a temporary
+file.
+.PP
.RE
-.RS 12
-.Sp
-If the specified file does not exist, it will be created. Note
-that unlike most commands run by \fBsudo\fR, the editor is run with
-the invoking user's environment unmodified. If, for some reason,
-\&\fBsudo\fR is unable to update a file with its edited version, the
-user will receive a warning and the edited copy will remain in a
-temporary file.
-.RE
-.IP "\-g \fIgroup\fR" 12
-.IX Item "-g group"
-Normally, \fBsudo\fR sets the primary group to the one specified by
-the passwd database for the user the command is being run as (by
-default, root). The \fB\-g\fR (\fIgroup\fR) option causes \fBsudo\fR to run
-the specified command with the primary group set to \fIgroup\fR. To
-specify a \fIgid\fR instead of a \fIgroup name\fR, use \fI#gid\fR. When
-running commands as a \fIgid\fR, many shells require that the '#' be
-escaped with a backslash ('\e'). If no \fB\-u\fR option is specified,
-the command will be run as the invoking user (not root). In either
-case, the primary group will be set to \fIgroup\fR.
-.IP "\-H" 12
-.IX Item "-H"
-The \fB\-H\fR (\fI\s-1HOME\s0\fR) option sets the \f(CW\*(C`HOME\*(C'\fR environment variable
-to the homedir of the target user (root by default) as specified
-in \fIpasswd\fR\|(@mansectform@). The default handling of the \f(CW\*(C`HOME\*(C'\fR environment
-variable depends on \fIsudoers\fR\|(@mansectform@) settings. By default, \fBsudo\fR
-will set \f(CW\*(C`HOME\*(C'\fR if \fIenv_reset\fR or \fIalways_set_home\fR are set, or
-if \fIset_home\fR is set and the \fB\-s\fR option is specified on the
-command line.
-.IP "\-h" 12
-.IX Item "-h"
-The \fB\-h\fR (\fIhelp\fR) option causes \fBsudo\fR to print a short help message
-to the standard output and exit.
-.IP "\-i [command]" 12
-.IX Item "-i [command]"
-The \fB\-i\fR (\fIsimulate initial login\fR) option runs the shell specified
-in the \fIpasswd\fR\|(@mansectform@) entry of the target user as a login shell. This
-means that login-specific resource files such as \f(CW\*(C`.profile\*(C'\fR or
-\&\f(CW\*(C`.login\*(C'\fR will be read by the shell. If a command is specified,
-it is passed to the shell for execution. Otherwise, an interactive
-shell is executed. \fBsudo\fR attempts to change to that user's home
-directory before running the shell. It also initializes the
-environment, leaving \fI\s-1DISPLAY\s0\fR and \fI\s-1TERM\s0\fR unchanged, setting
-\&\fI\s-1HOME\s0\fR, \fI\s-1MAIL\s0\fR, \fI\s-1SHELL\s0\fR, \fI\s-1USER\s0\fR, \fI\s-1LOGNAME\s0\fR, and \fI\s-1PATH\s0\fR, as well as
-the contents of \fI/etc/environment\fR on Linux and \s-1AIX\s0 systems.
-All other environment variables are removed.
-.IP "\-K" 12
-.IX Item "-K"
-The \fB\-K\fR (sure \fIkill\fR) option is like \fB\-k\fR except that it removes
-the user's time stamp entirely and may not be used in conjunction
-with a command or other option. This option does not require a
-password.
-.IP "\-k" 12
-.IX Item "-k"
-When used by itself, the \fB\-k\fR (\fIkill\fR) option to \fBsudo\fR invalidates
-the user's time stamp by setting the time on it to the Epoch. The
-next time \fBsudo\fR is run a password will be required. This option
-does not require a password and was added to allow a user to revoke
-\&\fBsudo\fR permissions from a .logout file.
-.Sp
+.PD 0
+.TP 12n
+\fB\-g\fR \fIgroup\fR
+Normally,
+\fBsudo\fR
+runs a command with the primary group set to the one specified by
+the password database for the user the command is being run as (by
+default, root).
+The
+\fB\-g\fR (\fIgroup\fR)
+option causes
+\fBsudo\fR
+to run the command with the primary group set to
+\fIgroup\fR
+instead.
+To specify a
+\fIgid\fR
+instead of a
+\fIgroup name\fR,
+use
+\fI#gid\fR.
+When running commands as a
+\fIgid\fR,
+many shells require that the
+`#'
+be escaped with a backslash
+(`\e').
+If no
+\fB\-u\fR
+option is specified, the command will be run as the invoking user
+(not root).
+In either case, the primary group will be set to
+\fIgroup\fR.
+.PD
+.TP 12n
+\fB\-H\fR
+The
+\fB\-H\fR (\fIHOME\fR)
+option option sets the
+\fRHOME\fR
+environment variable to the home directory of the target user (root
+by default) as specified by the password database.
+The default handling of the
+\fRHOME\fR
+environment variable depends on
+sudoers(@mansectform@)
+settings.
+By default,
+\fBsudo\fR
+will set
+\fRHOME\fR
+if
+\fIenv_reset\fR
+or
+\fIalways_set_home\fR
+are set, or if
+\fIset_home\fR
+is set and the
+\fB\-s\fR
+option is specified on the command line.
+.TP 12n
+\fB\-h\fR
+The
+\fB\-h\fR (\fIhelp\fR)
+option causes
+\fBsudo\fR
+to print a short help message to the standard output and exit.
+.TP 12n
+\fB\-i\fR [\fIcommand\fR]
+The
+\fB\-i\fR (\fIsimulate initial login\fR)
+option runs the shell specified by the password database entry of
+the target user as a login shell.
+This means that login-specific resource files such as
+\fI.profile\fR
+or
+\fI.login\fR
+will be read by the shell.
+If a command is specified, it is passed to the shell for execution
+via the shell's
+\fB\-c\fR
+option.
+If no command is specified, an interactive shell is executed.
+\fBsudo\fR
+attempts to change to that user's home directory before running the
+shell.
+It also initializes the environment to a minimal
+set of variables, similar to what is present when a user logs in.
+The
+\fICommand Environment\fR
+section below documents in detail how the
+\fB\-i\fR
+option affects the environment in which a command is run.
+.TP 12n
+\fB\-K\fR
+The
+\fB\-K\fR (sure \fIkill\fR)
+option is like
+\fB\-k\fR
+except that it removes the user's time stamp file entirely and
+may not be used in conjunction with a command or other option.
+This option does not require a password.
+.TP 12n
+\fB\-k\fR [\fIcommand\fR]
+When used alone, the
+\fB\-k\fR (\fIkill\fR)
+option to
+\fBsudo\fR
+invalidates the user's time stamp file.
+The next time
+\fBsudo\fR
+is run a password will be required.
+This option does not require a password and was added to allow a
+user to revoke
+\fBsudo\fR
+permissions from a
+\fI.logout\fR
+file.
+.sp
When used in conjunction with a command or an option that may require
-a password, the \fB\-k\fR option will cause \fBsudo\fR to ignore the user's
-time stamp file. As a result, \fBsudo\fR will prompt for a password
-(if one is required by \fIsudoers\fR) and will not update the user's
-time stamp file.
-.IP "\-L" 12
-.IX Item "-L"
-The \fB\-L\fR (\fIlist\fR defaults) option will list the parameters that
-may be set in a \fIDefaults\fR line along with a short description for
-each. This option will be removed from a future version of \fBsudo\fR.
-.IP "\-l[l] [\fIcommand\fR]" 12
-.IX Item "-l[l] [command]"
-If no \fIcommand\fR is specified, the \fB\-l\fR (\fIlist\fR) option will list
-the allowed (and forbidden) commands for the invoking user (or the
-user specified by the \fB\-U\fR option) on the current host. If a
-\&\fIcommand\fR is specified and is permitted by \fIsudoers\fR, the
-fully-qualified path to the command is displayed along with any
-command line arguments. If \fIcommand\fR is specified but not allowed,
-\&\fBsudo\fR will exit with a status value of 1. If the \fB\-l\fR option is
-specified with an \fBl\fR argument (i.e. \fB\-ll\fR), or if \fB\-l\fR
+a password, the
+\fB\-k\fR
+option will cause
+\fBsudo\fR
+to ignore the user's time stamp file.
+As a result,
+\fBsudo\fR
+will prompt for a password (if one is required by
+\fIsudoers\fR)
+and will not update the user's time stamp file.
+.TP 12n
+\fB\-L\fR
+The
+\fB\-L\fR (\fIlist\fR defaults)
+option will list the parameters that
+may be set in a
+\fIDefaults\fR
+line along with a short description for each.
+This option will be removed from a future version of
+\fBsudo\fR.
+.TP 12n
+\fB\-l\fR[\fBl\fR] [\fIcommand\fR]
+If no
+\fIcommand\fR
+is specified, the
+\fB\-l\fR (\fIlist\fR)
+option will list the allowed (and forbidden) commands for the
+invoking user (or the user specified by the
+\fB\-U\fR
+option) on the current host.
+If a
+\fIcommand\fR
+is specified and is permitted by
+\fIsudoers\fR,
+the fully-qualified
+path to the command is displayed along with any command line
+arguments.
+If
+\fIcommand\fR
+is specified but not allowed,
+\fBsudo\fR
+will exit with a status value of 1.
+If the
+\fB\-l\fR
+option is specified with an
+\fIl\fR
+argument
+(i.e.\& \fB\-ll\fR),
+or if
+\fB\-l\fR
is specified multiple times, a longer list format is used.
-.IP "\-n" 12
-.IX Item "-n"
-The \fB\-n\fR (\fInon-interactive\fR) option prevents \fBsudo\fR from prompting
-the user for a password. If a password is required for the command
-to run, \fBsudo\fR will display an error message and exit.
-.IP "\-P" 12
-.IX Item "-P"
-The \fB\-P\fR (\fIpreserve\fR \fIgroup vector\fR) option causes \fBsudo\fR to
-preserve the invoking user's group vector unaltered. By default,
-\&\fBsudo\fR will initialize the group vector to the list of groups the
-target user is in. The real and effective group IDs, however, are
-still set to match the target user.
-.IP "\-p \fIprompt\fR" 12
-.IX Item "-p prompt"
-The \fB\-p\fR (\fIprompt\fR) option allows you to override the default
-password prompt and use a custom one. The following percent (`\f(CW\*(C`%\*(C'\fR')
+.TP 12n
+\fB\-n\fR
+The
+\fB\-n\fR (\fInon-interactive\fR)
+option prevents
+\fBsudo\fR
+from prompting the user for a password.
+If a password is required for the command to run,
+\fBsudo\fR
+will display an error message and exit.
+.TP 12n
+\fB\-P\fR
+The
+\fB\-P\fR (\fIpreserve group vector\fR)
+option causes
+\fBsudo\fR
+to preserve the invoking user's group vector unaltered.
+By default,
+\fBsudo\fR
+will initialize the group vector to the list of groups the
+target user is in.
+The real and effective group IDs, however, are still set to match
+the target user.
+.TP 12n
+\fB\-p\fR \fIprompt\fR
+The
+\fB\-p\fR (\fIprompt\fR)
+option allows you to override the default password prompt and use
+a custom one.
+The following percent
+(`%')
escapes are supported:
-.RS 12
-.ie n .IP "%H" 4
-.el .IP "\f(CW%H\fR" 4
-.IX Item "%H"
-expanded to the local host name including the domain name
-(on if the machine's host name is fully qualified or the \fIfqdn\fR
-\&\fIsudoers\fR option is set)
-.ie n .IP "%h" 4
-.el .IP "\f(CW%h\fR" 4
-.IX Item "%h"
+.RS
+.TP 4n
+\fR%H\fR
+expanded to the host name including the domain name (on if the
+machine's host name is fully qualified or the
+\fIfqdn\fR
+option is set in
+sudoers(@mansectform@))
+.TP 4n
+\fR%h\fR
expanded to the local host name without the domain name
-.ie n .IP "%p" 4
-.el .IP "\f(CW%p\fR" 4
-.IX Item "%p"
-expanded to the user whose password is being asked for (respects the
-\&\fIrootpw\fR, \fItargetpw\fR and \fIrunaspw\fR flags in \fIsudoers\fR)
-.ie n .IP "%U" 4
-.el .IP "\f(CW%U\fR" 4
-.IX Item "%U"
-expanded to the login name of the user the command will
-be run as (defaults to root)
-.ie n .IP "%u" 4
-.el .IP "\f(CW%u\fR" 4
-.IX Item "%u"
+.TP 4n
+\fR%p\fR
+expanded to the name of the user whose password is being requested
+(respects the
+\fIrootpw\fR,
+\fItargetpw\fR,
+and
+\fIrunaspw\fR
+flags in
+sudoers(@mansectform@))
+.TP 4n
+\fR\&%U\fR
+expanded to the login name of the user the command will be run as
+(defaults to root unless the
+\fB\-u\fR
+option is also specified)
+.TP 4n
+\fR%u\fR
expanded to the invoking user's login name
-.ie n .IP "\*(C`%%\*(C'" 4
-.el .IP "\f(CW\*(C`%%\*(C'\fR" 4
-.IX Item "%%"
-two consecutive \f(CW\*(C`%\*(C'\fR characters are collapsed into a single \f(CW\*(C`%\*(C'\fR character
-.RE
-.RS 12
-.Sp
-The prompt specified by the \fB\-p\fR option will override the system
-password prompt on systems that support \s-1PAM\s0 unless the
-\&\fIpassprompt_override\fR flag is disabled in \fIsudoers\fR.
+.TP 4n
+\fR%%\fR
+two consecutive
+`%'
+characters are collapsed into a single
+`%'
+character
+.PP
+The prompt specified by the
+\fB\-p\fR
+option will override the system password prompt on systems that
+support PAM unless the
+\fIpassprompt_override\fR
+flag is disabled in
+\fIsudoers\fR.
+.PP
.RE
-.if \n(SL \{\
-.IP "\-r \fIrole\fR" 12
-.IX Item "-r role"
-The \fB\-r\fR (\fIrole\fR) option causes the new (SELinux) security context to
-have the role specified by \fIrole\fR.
-\}
-.IP "\-S" 12
-.IX Item "-S"
-The \fB\-S\fR (\fIstdin\fR) option causes \fBsudo\fR to read the password from
-the standard input instead of the terminal device. The password must
-be followed by a newline character.
-.IP "\-s [command]" 12
-.IX Item "-s [command]"
-The \fB\-s\fR (\fIshell\fR) option runs the shell specified by the \fI\s-1SHELL\s0\fR
-environment variable if it is set or the shell as specified in
-\&\fIpasswd\fR\|(@mansectform@). If a command is specified, it is passed to the shell
-for execution. Otherwise, an interactive shell is executed.
-.if \n(SL \{\
-.IP "\-t \fItype\fR" 12
-.IX Item "-t type"
-The \fB\-t\fR (\fItype\fR) option causes the new (SELinux) security context to
-have the type specified by \fItype\fR. If no type is specified, the default
-type is derived from the specified role.
-\}
-.IP "\-U \fIuser\fR" 12
-.IX Item "-U user"
-The \fB\-U\fR (\fIother user\fR) option is used in conjunction with the \fB\-l\fR
-option to specify the user whose privileges should be listed. Only
-root or a user with \fBsudo\fR \f(CW\*(C`ALL\*(C'\fR on the current host may use this
+.PD 0
+.TP 12n
+\fB\-r\fR \fIrole\fR
+The
+\fB\-r\fR (\fIrole\fR)
+option causes the new (SELinux) security context to have the role
+specified by
+\fIrole\fR.
+.PD
+.TP 12n
+\fB\-S\fR
+The
+\fB\-S\fR (\fIstdin\fR)
+option causes
+\fBsudo\fR
+to read the password from the standard input instead of the terminal
+device.
+The password must be followed by a newline character.
+.TP 12n
+\fB\-s\fR [\fIcommand\fR]
+The
+\fB\-s\fR (\fIshell\fR)
+option runs the shell specified by the
+\fRSHELL\fR
+environment variable if it is set or the shell as specified in the
+password database.
+If a command is specified, it is passed to the shell for execution
+via the shell's
+\fB\-c\fR
option.
-.IP "\-u \fIuser\fR" 12
-.IX Item "-u user"
-The \fB\-u\fR (\fIuser\fR) option causes \fBsudo\fR to run the specified
-command as a user other than \fIroot\fR. To specify a \fIuid\fR instead
-of a \fIuser name\fR, use \fI#uid\fR. When running commands as a \fIuid\fR,
-many shells require that the '#' be escaped with a backslash ('\e').
-Note that if the \fItargetpw\fR Defaults option is set (see \fIsudoers\fR\|(@mansectform@))
+If no command is specified, an interactive shell is executed.
+.TP 12n
+\fB\-t\fR \fItype\fR
+The
+\fB\-t\fR (\fItype\fR)
+option causes the new (SELinux) security context to have the type
+specified by
+\fItype\fR.
+If no type is specified, the default type is derived from the
+specified role.
+.TP 12n
+\fB\-U\fR \fIuser\fR
+The
+\fB\-U\fR (\fIother user\fR)
+option is used in conjunction with the
+\fB\-l\fR
+option to specify the user whose privileges should be listed.
+Only root or a user with the
+\fRALL\fR
+privilege on the current host may use this option.
+.TP 12n
+\fB\-u\fR \fIuser\fR
+The
+\fB\-u\fR (\fIuser\fR)
+option causes
+\fBsudo\fR
+to run the specified command as a user other than
+\fIroot\fR.
+To specify a
+\fIuid\fR
+instead of a
+\fIuser name\fR,
+\fI#uid\fR.
+When running commands as a
+\fIuid\fR,
+many shells require that the
+`#'
+be escaped with a backslash
+(`\e').
+Note that if the
+\fItargetpw\fR
+Defaults option is set (see
+sudoers(@mansectform@)),
it is not possible to run commands with a uid not listed in the
password database.
-.IP "\-V" 12
-.IX Item "-V"
-The \fB\-V\fR (\fIversion\fR) option causes \fBsudo\fR to print the version
-number and exit. If the invoking user is already root the \fB\-V\fR
-option will print out a list of the defaults \fBsudo\fR was compiled
-with as well as the machine's local network addresses.
-.IP "\-v" 12
-.IX Item "-v"
-If given the \fB\-v\fR (\fIvalidate\fR) option, \fBsudo\fR will update the
-user's time stamp, prompting for the user's password if necessary.
-This extends the \fBsudo\fR timeout for another \f(CW\*(C`@timeout@\*(C'\fR minutes
-(or whatever the timeout is set to in \fIsudoers\fR) but does not run
-a command.
-.IP "\-\-" 12
-The \fB\-\-\fR option indicates that \fBsudo\fR should stop processing command
-line arguments.
+.TP 12n
+\fB\-V\fR
+The
+\fB\-V\fR (\fIversion\fR)
+option causes
+\fBsudo\fR
+to print its version string and exit.
+If the invoking user is already root the
+\fB\-V\fR
+option will display the arguments passed to configure when
+\fBsudo\fR
+was built as well a list of the defaults
+\fBsudo\fR
+was compiled with as well as the machine's local network addresses.
+.TP 12n
+\fB\-v\fR
+When given the
+\fB\-v\fR (\fIvalidate\fR)
+option,
+\fBsudo\fR
+will update the user's time stamp file, authenticating the user's
+password if necessary.
+This extends the
+\fBsudo\fR
+timeout for another
+\fR@timeout@\fR
+minutes (or whatever the timeout is set to in
+\fIsudoers\fR)
+but does not run a command.
+.TP 12n
+\fB\--\fR
+The
+\fB\--\fR
+option indicates that
+\fBsudo\fR
+should stop processing command line arguments.
.PP
Environment variables to be set for the command may also be passed
-on the command line in the form of \fB\s-1VAR\s0\fR=\fIvalue\fR, e.g.
-\&\fB\s-1LD_LIBRARY_PATH\s0\fR=\fI/usr/local/pkg/lib\fR. Variables passed on the
-command line are subject to the same restrictions as normal environment
-variables with one important exception. If the \fIsetenv\fR option
-is set in \fIsudoers\fR, the command to be run has the \f(CW\*(C`SETENV\*(C'\fR tag
-set or the command matched is \f(CW\*(C`ALL\*(C'\fR, the user may set variables
-that would overwise be forbidden. See \fIsudoers\fR\|(@mansectform@) for more information.
-.SH "EXIT VALUE"
-.IX Header "EXIT VALUE"
-Upon successful execution of a program, the exit status from \fBsudo\fR
-will simply be the exit status of the program that was executed.
+on the command line in the form of
+\fBVAR\fR=\fIvalue\fR,
+e.g.\&
+\fBLD_LIBRARY_PATH\fR=\fI/usr/local/pkg/lib\fR.
+Variables passed on the command line are subject to the same
+restrictions as normal environment variables with one important
+exception.
+If the
+\fIsetenv\fR
+option is set in
+\fIsudoers\fR,
+the command to be run has the
+\fRSETENV\fR
+tag set or the command matched is
+\fRALL\fR,
+the user may set variables that would otherwise be forbidden.
+See
+sudoers(@mansectform@)
+for more information.
+.SS "Authentication and Logging"
+\fBsudo\fR
+requires that most users authenticate themselves by default.
+A password is not required
+if the invoking user is root, if the target user is the same as the
+invoking user, or if the authentication has been disabled for the
+user or command in the
+\fIsudoers\fR
+file.
+Unlike
+su(1),
+when
+\fBsudo\fR
+requires
+authentication, it validates the invoking user's credentials, not
+the target user's (or root's) credentials.
+This can be changed via
+the
+\fIrootpw\fR,
+\fItargetpw\fR
+and
+\fIrunaspw\fR
+Defaults entries in
+\fIsudoers\fR.
.PP
-Otherwise, \fBsudo\fR quits with an exit value of 1 if there is a
-configuration/permission problem or if \fBsudo\fR cannot execute the
-given command. In the latter case the error string is printed to
-stderr. If \fBsudo\fR cannot \fIstat\fR\|(2) one or more entries in the user's
-\&\f(CW\*(C`PATH\*(C'\fR an error is printed on stderr. (If the directory does not
-exist or if it is not really a directory, the entry is ignored and
-no error is printed.) This should not happen under normal
-circumstances. The most common reason for \fIstat\fR\|(2) to return
-\&\*(L"permission denied\*(R" is if you are running an automounter and one
-of the directories in your \f(CW\*(C`PATH\*(C'\fR is on a machine that is currently
-unreachable.
-.SH "SECURITY NOTES"
-.IX Header "SECURITY NOTES"
-\&\fBsudo\fR tries to be safe when executing external commands.
-.PP
-There are two distinct ways to deal with environment variables. By
-default, the \fIenv_reset\fR \fIsudoers\fR option is enabled. This causes
-commands to be executed with a new, minimal environment containing.
-On \s-1AIX\s0 (and Linux systems without \s-1PAM\s0), the environment is initialized
-with the contents of the \fI/etc/environment\fR file. On \s-1BSD\s0 systems,
-if the \fIuse_loginclass\fR option is enabled, the environment is
-initialized based on the \fIpath\fR and \fIsetenv\fR settings in
-\&\fI/etc/login.conf\fR. The new environment contains the \f(CW\*(C`TERM\*(C'\fR,
-\&\f(CW\*(C`PATH\*(C'\fR, \f(CW\*(C`HOME\*(C'\fR, \f(CW\*(C`MAIL\*(C'\fR, \f(CW\*(C`SHELL\*(C'\fR, \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR, \f(CW\*(C`USERNAME\*(C'\fR
-and \f(CW\*(C`SUDO_*\*(C'\fR variables in addition to variables from the invoking
-process permitted by the \fIenv_check\fR and \fIenv_keep\fR options. This
-is effectively a whitelist for environment variables.
-.PP
-If, however, the \fIenv_reset\fR option is disabled in \fIsudoers\fR, any
-variables not explicitly denied by the \fIenv_check\fR and \fIenv_delete\fR
-options are inherited from the invoking process. In this case,
-\&\fIenv_check\fR and \fIenv_delete\fR behave like a blacklist. Since it
-is not possible to blacklist all potentially dangerous environment
-variables, use of the default \fIenv_reset\fR behavior is encouraged.
+If a user who is not listed in
+\fIsudoers\fR
+tries to run a command via
+\fBsudo\fR,
+mail is sent to the proper authorities.
+The address
+used for such mail is configurable via the
+\fImailto\fR
+\fIsudoers\fR
+Defaults entry and defaults to
+\fR@mailto@\fR.
+.PP
+Note that mail will not be sent if an unauthorized user tries to
+run
+\fBsudo\fR
+with the
+\fB\-l\fR
+or
+\fB\-v\fR
+option.
+This allows users to
+determine for themselves whether or not they are allowed to use
+\fBsudo\fR.
+.PP
+If
+\fBsudo\fR
+is run by root and the
+\fRSUDO_USER\fR
+environment variable
+is set, its value will be used to determine who the actual user is.
+This can be used by a user to log commands
+through
+\fBsudo\fR
+even when a root shell has been invoked.
+It also
+allows the
+\fB\-e\fR
+option to remain useful even when invoked via a
+sudo-run script or program.
+Note, however, that the
+\fIsudoers\fR
+lookup is still done for root, not the user specified by
+\fRSUDO_USER\fR.
+.PP
+\fBsudo\fR
+uses time stamp files for credential caching.
+Once a
+user has been authenticated, the time stamp is updated and the user
+may then use sudo without a password for a short period of time
+(\fR@timeout@\fR
+minutes unless overridden by the
+\fItimeout\fR
+option)
+\&.
+By default,
+\fBsudo\fR
+uses a tty-based time stamp which means that
+there is a separate time stamp for each of a user's login sessions.
+The
+\fItty_tickets\fR
+option can be disabled to force the use of a
+single time stamp for all of a user's sessions.
+.PP
+\fBsudo\fR
+can log both successful and unsuccessful attempts (as well
+as errors) to
+syslog(3),
+a log file, or both.
+By default,
+\fBsudo\fR
+will log via
+syslog(3)
+but this is changeable via the
+\fIsyslog\fR
+and
+\fIlogfile\fR
+Defaults settings.
+.PP
+\fBsudo\fR
+also supports logging a command's input and output
+streams.
+I/O logging is not on by default but can be enabled using
+the
+\fIlog_input\fR
+and
+\fIlog_output\fR
+Defaults flags as well as the
+\fRLOG_INPUT\fR
+and
+\fRLOG_OUTPUT\fR
+command tags.
+.SS "Command Environment"
+Since environment variables can influence program behavior,
+\fBsudo\fR
+provides a means to restrict which variables from the user's
+environment are inherited by the command to be run.
+There are two
+distinct ways
+\fIsudoers\fR
+can be configured to handle with environment variables.
+.PP
+By default, the
+\fIenv_reset\fR
+option is enabled.
+This causes commands
+to be executed with a new, minimal environment.
+On AIX (and Linux
+systems without PAM), the environment is initialized with the
+contents of the
+\fI/etc/environment\fR
+file.
+On BSD systems, if the
+\fIuse_loginclass\fR
+option is enabled, the environment is initialized
+based on the
+\fIpath\fR
+and
+\fIsetenv\fR
+settings in
+\fI/etc/login.conf\fR.
+The new environment contains the
+\fRTERM\fR,
+\fRPATH\fR,
+\fRHOME\fR,
+\fRMAIL\fR,
+\fRSHELL\fR,
+\fRLOGNAME\fR,
+\fRUSER\fR,
+\fRUSERNAME\fR
+and
+\fRSUDO_*\fR
+variables
+in addition to variables from the invoking process permitted by the
+\fIenv_check\fR
+and
+\fIenv_keep\fR
+options.
+This is effectively a whitelist
+for environment variables.
+.PP
+If, however, the
+\fIenv_reset\fR
+option is disabled, any variables not
+explicitly denied by the
+\fIenv_check\fR
+and
+\fIenv_delete\fR
+options are
+inherited from the invoking process.
+In this case,
+\fIenv_check\fR
+and
+\fIenv_delete\fR
+behave like a blacklist.
+Since it is not possible
+to blacklist all potentially dangerous environment variables, use
+of the default
+\fIenv_reset\fR
+behavior is encouraged.
.PP
In all cases, environment variables with a value beginning with
-\&\f(CW\*(C`()\*(C'\fR are removed as they could be interpreted as \fBbash\fR functions.
-The list of environment variables that \fBsudo\fR allows or denies is
-contained in the output of \f(CW\*(C`sudo \-V\*(C'\fR when run as root.
+\fR()\fR
+are removed as they could be interpreted as
+\fBbash\fR
+functions.
+The list of environment variables that
+\fBsudo\fR
+allows or denies is
+contained in the output of
+``\fRsudo -V\fR''
+when run as root.
.PP
Note that the dynamic linker on most operating systems will remove
variables that can control dynamic linking from the environment of
-setuid executables, including \fBsudo\fR. Depending on the operating
-system this may include \f(CW\*(C`_RLD*\*(C'\fR, \f(CW\*(C`DYLD_*\*(C'\fR, \f(CW\*(C`LD_*\*(C'\fR, \f(CW\*(C`LDR_*\*(C'\fR,
-\&\f(CW\*(C`LIBPATH\*(C'\fR, \f(CW\*(C`SHLIB_PATH\*(C'\fR, and others. These type of variables are
-removed from the environment before \fBsudo\fR even begins execution
-and, as such, it is not possible for \fBsudo\fR to preserve them.
-.PP
-To prevent command spoofing, \fBsudo\fR checks \*(L".\*(R" and "" (both denoting
-current directory) last when searching for a command in the user's
-\&\s-1PATH\s0 (if one or both are in the \s-1PATH\s0). Note, however, that the
-actual \f(CW\*(C`PATH\*(C'\fR environment variable is \fInot\fR modified and is passed
-unchanged to the program that \fBsudo\fR executes.
-.PP
-\&\fBsudo\fR will check the ownership of its time stamp directory
-(\fI@timedir@\fR by default) and ignore the directory's contents if
-it is not owned by root or if it is writable by a user other than
-root. On systems that allow non-root users to give away files via
-\&\fIchown\fR\|(2), if the time stamp directory is located in a directory
-writable by anyone (e.g., \fI/tmp\fR), it is possible for a user to
-create the time stamp directory before \fBsudo\fR is run. However,
-because \fBsudo\fR checks the ownership and mode of the directory and
-its contents, the only damage that can be done is to \*(L"hide\*(R" files
-by putting them in the time stamp dir. This is unlikely to happen
-since once the time stamp dir is owned by root and inaccessible by
-any other user, the user placing files there would be unable to get
-them back out. To get around this issue you can use a directory
-that is not world-writable for the time stamps (\fI/var/adm/sudo\fR for
-instance) or create \fI@timedir@\fR with the appropriate owner (root)
-and permissions (0700) in the system startup files.
-.PP
-\&\fBsudo\fR will not honor time stamps set far in the future.
-Timestamps with a date greater than current_time + 2 * \f(CW\*(C`TIMEOUT\*(C'\fR
-will be ignored and sudo will log and complain. This is done to
-keep a user from creating his/her own time stamp with a bogus
-date on systems that allow users to give away files.
-.PP
-On systems where the boot time is available, \fBsudo\fR will also not
-honor time stamps from before the machine booted.
+setuid executables, including
+\fBsudo\fR.
+Depending on the operating
+system this may include
+\fR_RLD*\fR,
+\fRDYLD_*\fR,
+\fRLD_*\fR,
+\fRLDR_*\fR,
+\fRLIBPATH\fR,
+\fRSHLIB_PATH\fR,
+and others.
+These type of variables are
+removed from the environment before
+\fBsudo\fR
+even begins execution
+and, as such, it is not possible for
+\fBsudo\fR
+to preserve them.
+.PP
+As a special case, if
+\fBsudo\fR's
+\fB\-i\fR
+option (initial login) is
+specified,
+\fBsudo\fR
+will initialize the environment regardless
+of the value of
+\fIenv_reset\fR.
+The
+\fRDISPLAY\fR,
+\fRPATH\fR
+and
+\fRTERM\fR
+variables remain unchanged;
+\fRHOME\fR,
+\fRMAIL\fR,
+\fRSHELL\fR,
+\fRUSER\fR,
+and
+\fRLOGNAME\fR
+are set based on the target user.
+On AIX (and Linux
+systems without PAM), the contents of
+\fI/etc/environment\fR
+are also
+included.
+On BSD systems, if the
+\fIuse_loginclass\fR
+option is
+enabled, the
+\fIpath\fR
+and
+\fIsetenv\fR
+variables in
+\fI/etc/login.conf\fR
+are also applied.
+All other environment variables are removed.
+.PP
+Finally, if the
+\fIenv_file\fR
+option is defined, any variables present
+in that file will be set to their specified values as long as they
+would not conflict with an existing environment variable.
+.SH "EXIT VALUE"
+Upon successful execution of a program, the exit status from
+\fIsudo\fR
+will simply be the exit status of the program that was executed.
+.PP
+Otherwise,
+\fBsudo\fR
+exits with a value of 1 if there is a configuration/permission
+problem or if
+\fBsudo\fR
+cannot execute the given command.
+In the latter case the error string is printed to the standard error.
+If
+\fBsudo\fR
+cannot
+stat(2)
+one or more entries in the user's
+\fRPATH\fR,
+an error is printed on stderr.
+(If the directory does not exist or if it is not really a directory,
+the entry is ignored and no error is printed.)
+This should not happen under normal circumstances.
+The most common reason for
+stat(2)
+to return
+``permission denied''
+is if you are running an automounter and one of the directories in
+your
+\fRPATH\fR
+is on a machine that is currently unreachable.
+.SH "LOG FORMAT"
+\fBsudo\fR
+can log events using either
+syslog(3)
+or a simple log file.
+In each case the log format is almost identical.
+.SS "Accepted command log entries"
+Commands that sudo runs are logged using the following format (split
+into multiple lines for readability):
+.nf
+.sp
+.RS 4n
+date hostname progname: username : TTY=ttyname ; PWD=cwd ; \e
+ USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \e
+ ENV=env_vars COMMAND=command
+.RE
+.fi
+.PP
+Where the fields are as follows:
+.TP 14n
+date
+The date the command was run.
+Typically, this is in the format
+``MMM, DD, HH:MM:SS''.
+If logging via
+syslog(3),
+the actual date format is controlled by the syslog daemon.
+If logging to a file and the
+\fIlog_year\fR
+option is enabled,
+the date will also include the year.
+.TP 14n
+hostname
+The name of the host
+\fBsudo\fR
+was run on.
+This field is only present when logging via
+syslog(3).
+.TP 14n
+progname
+The name of the program, usually
+\fIsudo\fR
+or
+\fIsudoedit\fR.
+This field is only present when logging via
+syslog(3).
+.TP 14n
+username
+The login name of the user who ran
+\fBsudo\fR.
+.TP 14n
+ttyname
+The short name of the terminal (e.g.\&
+``console'',
+``tty01'',
+or
+``pts/0'')
+\fBsudo\fR
+was run on, or
+``unknown''
+if there was no terminal present.
+.TP 14n
+cwd
+The current working directory that
+\fBsudo\fR
+was run in.
+.TP 14n
+runasuser
+The user the command was run as.
+.TP 14n
+runasgroup
+The group the command was run as if one was specified on the command line.
+.TP 14n
+logid
+An I/O log identifier that can be used to replay the command's output.
+This is only present when the
+\fIlog_input\fR
+or
+\fIlog_output\fR
+option is enabled.
+.TP 14n
+env_vars
+A list of environment variables specified on the command line,
+if specified.
+.TP 14n
+command
+The actual command that was executed.
+.PP
+Messages are logged using the locale specified by
+\fIsudoers_locale\fR,
+which defaults to the
+``\fRC\fR''
+locale.
+.SS "Denied command log entries"
+If the user is not allowed to run the command, the reason for the denial
+will follow the user name.
+Possible reasons include:
+.TP 3n
+user NOT in sudoers
+The user is not listed in the
+\fIsudoers\fR
+file.
+.TP 3n
+user NOT authorized on host
+The user is listed in the
+\fIsudoers\fR
+file but is not allowed to run commands on the host.
+.TP 3n
+command not allowed
+The user is listed in the
+\fIsudoers\fR
+file for the host but they are not allowed to run the specified command.
+.TP 3n
+3 incorrect password attempts
+The user failed to enter their password after 3 tries.
+The actual number of tries will vary based on the number of
+failed attempts and the value of the
+\fIpasswd_tries\fR
+\fIsudoers\fR
+option.
+.TP 3n
+a password is required
+The
+\fB\-n\fR
+option was specified but a password was required.
+.TP 3n
+sorry, you are not allowed to set the following environment variables
+The user specified environment variables on the command line that
+were not allowed by
+\fIsudoers\fR.
+.SS "Error log entries"
+If an error occurs,
+\fBsudo\fR
+will log a message and, in most cases, send a message to the
+administrator via email.
+Possible errors include:
+.TP 3n
+parse error in @sysconfdir@/sudoers near line N
+\fBsudo\fR
+encountered an error when parsing the specified file.
+In some cases, the actual error may be one line above or below the
+line number listed, depending on the type of error.
+.TP 3n
+problem with defaults entries
+The
+\fIsudoers\fR
+file contains one or more unknown Defaults settings.
+This does not prevent
+\fBsudo\fR
+from running, but the
+\fIsudoers\fR
+file should be checked using
+\fBvisudo\fR.
+.TP 3n
+timestamp owner (username): \&No such user
+The time stamp directory owner, as specified by the
+\fItimestampowner\fR
+setting, could not be found in the password database.
+.TP 3n
+unable to open/read @sysconfdir@/sudoers
+The
+\fIsudoers\fR
+file could not be opened for reading.
+This can happen when the
+\fIsudoers\fR
+file is located on a remote file system that maps user ID 0 to
+a different value.
+Normally,
+\fBsudo\fR
+tries to open
+\fIsudoers\fR
+using group permissions to avoid this problem.
+.TP 3n
+unable to stat @sysconfdir@/sudoers
+The
+\fI@sysconfdir@/sudoers\fR
+file is missing.
+.TP 3n
+@sysconfdir@/sudoers is not a regular file
+The
+\fI@sysconfdir@/sudoers\fR
+file exists but is not a regular file or symbolic link.
+.TP 3n
+@sysconfdir@/sudoers is owned by uid N, should be 0
+The
+\fIsudoers\fR
+file has the wrong owner.
+.TP 3n
+@sysconfdir@/sudoers is world writable
+The permissions on the
+\fIsudoers\fR
+file allow all users to write to it.
+The
+\fIsudoers\fR
+file must not be world-writable, the default file mode
+is 0440 (readable by owner and group, writable by none).
+.TP 3n
+@sysconfdir@/sudoers is owned by gid N, should be 1
+The
+\fIsudoers\fR
+file has the wrong group ownership.
+.TP 3n
+unable to open @timedir@/username/ttyname
+\fIsudoers\fR
+was unable to read or create the user's time stamp file.
+.TP 3n
+unable to write to @timedir@/username/ttyname
+\fIsudoers\fR
+was unable to write to the user's time stamp file.
+.TP 3n
+unable to mkdir to @timedir@/username
+\fIsudoers\fR
+was unable to create the user's time stamp directory.
+.SS "Notes on logging via syslog"
+By default,
+\fIsudoers\fR
+logs messages via
+syslog(3).
+The
+\fIdate\fR,
+\fIhostname\fR,
+and
+\fIprogname\fR
+fields are added by the syslog daemon, not
+\fIsudoers\fR
+itself.
+As such, they may vary in format on different systems.
+.PP
+On most systems,
+syslog(3)
+has a relatively small log buffer.
+To prevent the command line arguments from being truncated,
+\fBsudo\fR
+will split up log messages that are larger than 960 characters
+(not including the date, hostname, and the string
+``sudo'').
+When a message is split, additional parts will include the string
+``(command continued)''
+after the user name and before the continued command line arguments.
+.SS "Notes on logging to a file"
+If the
+\fIlogfile\fR
+option is set,
+\fIsudoers\fR
+will log to a local file, such as
+\fI/var/log/sudo\fR.
+When logging to a file,
+\fIsudoers\fR
+uses a format similar to
+syslog(3),
+with a few important differences:
+.TP 5n
+1.
+The
+\fIprogname\fR
+and
+\fIhostname\fR
+fields are not present.
+.TP 5n
+2.
+If the
+\fIlog_year\fR
+\fIsudoers\fR
+option is enabled,
+the date will also include the year.
+.TP 5n
+3.
+Lines that are longer than
+\fIloglinelen\fR
+characters (80 by default) are word-wrapped and continued on the
+next line with a four character indent.
+This makes entries easier to read for a human being, but makes it
+more difficult to use
+grep(1)
+on the log files.
+If the
+\fIloglinelen\fR
+\fIsudoers\fR
+option is set to 0 (or negated with a
+`\&!'),
+word wrap will be disabled.
+.SH "SECURITY NOTES"
+\fBsudo\fR
+tries to be safe when executing external commands.
+.PP
+To prevent command spoofing,
+\fBsudo\fR
+checks "." and "" (both denoting current directory) last when
+searching for a command in the user's
+\fRPATH\fR
+(if one or both are in the
+\fRPATH\fR).
+Note, however, that the actual
+\fRPATH\fR
+environment variable is
+\fInot\fR
+modified and is passed unchanged to the program that
+\fBsudo\fR
+executes.
+.PP
+\fBsudo\fR
+will check the ownership of its time stamp directory
+(\fI@timedir@\fR
+by default)
+and ignore the directory's contents if it is not owned by root or
+if it is writable by a user other than root.
+On systems that allow non-root users to give away files via
+chown(2),
+if the time stamp directory is located in a world-writable
+directory (e.g.\&,
+\fI/tmp\fR),
+it is possible for a user to create the time stamp directory before
+\fBsudo\fR
+is run.
+However, because
+\fBsudo\fR
+checks the ownership and mode of the directory and its
+contents, the only damage that can be done is to
+``hide''
+files by putting them in the time stamp dir.
+This is unlikely to happen since once the time stamp dir is owned by root
+and inaccessible by any other user, the user placing files there would be
+unable to get them back out.
+.PP
+\fBsudo\fR
+will not honor time stamps set far in the future.
+Time stamps with a date greater than current_time + 2 *
+\fRTIMEOUT\fR
+will be ignored and sudo will log and complain.
+This is done to keep a user from creating his/her own time stamp with a
+bogus date on systems that allow users to give away files if the time
+stamp directory is located in a world-writable directory.
+.PP
+On systems where the boot time is available,
+\fBsudo\fR
+will ignore time stamps that date from before the machine booted.
.PP
Since time stamp files live in the file system, they can outlive a
-user's login session. As a result, a user may be able to login,
-run a command with \fBsudo\fR after authenticating, logout, login
-again, and run \fBsudo\fR without authenticating so long as the time
-stamp file's modification time is within \f(CW\*(C`@timeout@\*(C'\fR minutes (or
-whatever the timeout is set to in \fIsudoers\fR). When the \fItty_tickets\fR
-option is enabled in \fIsudoers\fR, the time stamp has per-tty granularity
-but still may outlive the user's session. On Linux systems where
-the devpts filesystem is used, Solaris systems with the devices
-filesystem, as well as other systems that utilize a devfs filesystem
-that monotonically increase the inode number of devices as they are
-created (such as Mac \s-1OS\s0 X), \fBsudo\fR is able to determine when a
-tty-based time stamp file is stale and will ignore it. Administrators
-should not rely on this feature as it is not universally available.
-.PP
-Please note that \fBsudo\fR will normally only log the command it
-explicitly runs. If a user runs a command such as \f(CW\*(C`sudo su\*(C'\fR or
-\&\f(CW\*(C`sudo sh\*(C'\fR, subsequent commands run from that shell will \fInot\fR be
-logged, nor will \fBsudo\fR's access control affect them. The same
-is true for commands that offer shell escapes (including most
-editors). Because of this, care must be taken when giving users
-access to commands via \fBsudo\fR to verify that the command does not
-inadvertently give the user an effective root shell. For more
-information, please see the \f(CW\*(C`PREVENTING SHELL ESCAPES\*(C'\fR section in
-\&\fIsudoers\fR\|(@mansectform@).
+user's login session.
+As a result, a user may be able to login, run a command with
+\fBsudo\fR
+after authenticating, logout, login again, and run
+\fBsudo\fR
+without authenticating so long as the time stamp file's modification
+time is within
+\fR@timeout@\fR
+minutes (or whatever the timeout is set to in
+\fIsudoers\fR).
+When the
+\fItty_tickets\fR
+\fIsudoers\fR
+option is enabled, the time stamp has per-tty granularity but still
+may outlive the user's session.
+On Linux systems where the devpts filesystem is used, Solaris systems
+with the devices filesystem, as well as other systems that utilize a
+devfs filesystem that monotonically increase the inode number of devices
+as they are created (such as Mac OS X),
+\fBsudo\fR
+is able to determine when a tty-based time stamp file is stale and will
+ignore it.
+Administrators should not rely on this feature as it is not universally
+available.
+.PP
+Please note that
+\fBsudo\fR
+will normally only log the command it explicitly runs.
+If a user runs a command such as
+\fRsudo su\fR
+or
+\fRsudo sh\fR,
+subsequent commands run from that shell are not subject to
+\fBsudo\fR's
+security policy.
+The same is true for commands that offer shell escapes (including
+most editors).
+If I/O logging is enabled, subsequent commands will have their input and/or
+output logged, but there will not be traditional logs for those commands.
+Because of this, care must be taken when giving users access to commands via
+\fBsudo\fR
+to verify that the command does not inadvertently give the user an
+effective root shell.
+For more information, please see the
+\fIPREVENTING SHELL ESCAPES\fR
+section in
+sudoers(@mansectform@).
+.PP
+To prevent the disclosure of potentially sensitive information,
+\fBsudo\fR
+disables core dumps by default while it is executing (they are
+re-enabled for the command that is run).
+.PP
+For information on the security implications of
+\fIsudoers\fR
+entries, please see the
+\fISECURITY NOTES\fR
+section in
+sudoers(@mansectform@).
.SH "ENVIRONMENT"
-.IX Header "ENVIRONMENT"
-\&\fBsudo\fR utilizes the following environment variables:
-.ie n .IP "\*(C`EDITOR\*(C'" 16
-.el .IP "\f(CW\*(C`EDITOR\*(C'\fR" 16
-.IX Item "EDITOR"
-Default editor to use in \fB\-e\fR (sudoedit) mode if neither \f(CW\*(C`SUDO_EDITOR\*(C'\fR
-nor \f(CW\*(C`VISUAL\*(C'\fR is set.
-.ie n .IP "\*(C`MAIL\*(C'" 16
-.el .IP "\f(CW\*(C`MAIL\*(C'\fR" 16
-.IX Item "MAIL"
-In \fB\-i\fR mode or when \fIenv_reset\fR is enabled in \fIsudoers\fR, set
-to the mail spool of the target user.
-.ie n .IP "\*(C`HOME\*(C'" 16
-.el .IP "\f(CW\*(C`HOME\*(C'\fR" 16
-.IX Item "HOME"
-Set to the home directory of the target user if \fB\-i\fR or \fB\-H\fR are
-specified, \fIenv_reset\fR or \fIalways_set_home\fR are set in \fIsudoers\fR,
-or when the \fB\-s\fR option is specified and \fIset_home\fR is set in
-\&\fIsudoers\fR.
-.ie n .IP "\*(C`PATH\*(C'" 16
-.el .IP "\f(CW\*(C`PATH\*(C'\fR" 16
-.IX Item "PATH"
-Set to a sane value if the \fIsecure_path\fR sudoers option is set.
-.ie n .IP "\*(C`SHELL\*(C'" 16
-.el .IP "\f(CW\*(C`SHELL\*(C'\fR" 16
-.IX Item "SHELL"
-Used to determine shell to run with \fB\-s\fR option.
-.ie n .IP "\*(C`SUDO_ASKPASS\*(C'" 16
-.el .IP "\f(CW\*(C`SUDO_ASKPASS\*(C'\fR" 16
-.IX Item "SUDO_ASKPASS"
+\fBsudo\fR
+utilizes the following environment variables:
+.TP 17n
+\fREDITOR\fR
+Default editor to use in
+\fB\-e\fR
+(sudoedit) mode if neither
+\fRSUDO_EDITOR\fR
+nor
+\fRVISUAL\fR
+is set.
+.TP 17n
+\fRMAIL\fR
+In
+\fB\-i\fR
+mode or when
+\fIenv_reset\fR
+is enabled in
+\fIsudoers\fR,
+set to the mail spool of the target user.
+.TP 17n
+\fRHOME\fR
+Set to the home directory of the target user if
+\fB\-i\fR
+or
+\fB\-H\fR
+are specified,
+\fIenv_reset\fR
+or
+\fIalways_set_home\fR
+are set in
+\fIsudoers\fR,
+or when the
+\fB\-s\fR
+option is specified and
+\fIset_home\fR
+is set in
+\fIsudoers\fR.
+.TP 17n
+\fRPATH\fR
+Set to a sane value if the
+\fIsecure_path\fR
+option is set in the
+\fIsudoers\fR
+file.
+.TP 17n
+\fRSHELL\fR
+Used to determine shell to run with
+\fB\-s\fR
+option.
+.TP 17n
+\fRSUDO_ASKPASS\fR
Specifies the path to a helper program used to read the password
-if no terminal is available or if the \fB\-A\fR option is specified.
-.ie n .IP "\*(C`SUDO_COMMAND\*(C'" 16
-.el .IP "\f(CW\*(C`SUDO_COMMAND\*(C'\fR" 16
-.IX Item "SUDO_COMMAND"
+if no terminal is available or if the
+\fB\-A\fR
+option is specified.
+.TP 17n
+\fRSUDO_COMMAND\fR
Set to the command run by sudo.
-.ie n .IP "\*(C`SUDO_EDITOR\*(C'" 16
-.el .IP "\f(CW\*(C`SUDO_EDITOR\*(C'\fR" 16
-.IX Item "SUDO_EDITOR"
-Default editor to use in \fB\-e\fR (sudoedit) mode.
-.ie n .IP "\*(C`SUDO_GID\*(C'" 16
-.el .IP "\f(CW\*(C`SUDO_GID\*(C'\fR" 16
-.IX Item "SUDO_GID"
-Set to the group \s-1ID\s0 of the user who invoked sudo.
-.ie n .IP "\*(C`SUDO_PROMPT\*(C'" 16
-.el .IP "\f(CW\*(C`SUDO_PROMPT\*(C'\fR" 16
-.IX Item "SUDO_PROMPT"
+.TP 17n
+\fRSUDO_EDITOR\fR
+Default editor to use in
+\fB\-e\fR
+(sudoedit) mode.
+.TP 17n
+\fRSUDO_GID\fR
+Set to the group ID of the user who invoked sudo.
+.TP 17n
+\fRSUDO_PROMPT\fR
Used as the default password prompt.
-.ie n .IP "\*(C`SUDO_PS1\*(C'" 16
-.el .IP "\f(CW\*(C`SUDO_PS1\*(C'\fR" 16
-.IX Item "SUDO_PS1"
-If set, \f(CW\*(C`PS1\*(C'\fR will be set to its value for the program being run.
-.ie n .IP "\*(C`SUDO_UID\*(C'" 16
-.el .IP "\f(CW\*(C`SUDO_UID\*(C'\fR" 16
-.IX Item "SUDO_UID"
-Set to the user \s-1ID\s0 of the user who invoked sudo.
-.ie n .IP "\*(C`SUDO_USER\*(C'" 16
-.el .IP "\f(CW\*(C`SUDO_USER\*(C'\fR" 16
-.IX Item "SUDO_USER"
-Set to the login of the user who invoked sudo.
-.ie n .IP "\*(C`USER\*(C'" 16
-.el .IP "\f(CW\*(C`USER\*(C'\fR" 16
-.IX Item "USER"
-Set to the target user (root unless the \fB\-u\fR option is specified).
-.ie n .IP "\*(C`VISUAL\*(C'" 16
-.el .IP "\f(CW\*(C`VISUAL\*(C'\fR" 16
-.IX Item "VISUAL"
-Default editor to use in \fB\-e\fR (sudoedit) mode if \f(CW\*(C`SUDO_EDITOR\*(C'\fR
+.TP 17n
+\fRSUDO_PS1\fR
+If set,
+\fRPS1\fR
+will be set to its value for the program being run.
+.TP 17n
+\fRSUDO_UID\fR
+Set to the user ID of the user who invoked sudo.
+.TP 17n
+\fRSUDO_USER\fR
+Set to the login name of the user who invoked sudo.
+.TP 17n
+\fRUSER\fR
+Set to the target user (root unless the
+\fB\-u\fR
+option is specified).
+.TP 17n
+\fRVISUAL\fR
+Default editor to use in
+\fB\-e\fR
+(sudoedit) mode if
+\fRSUDO_EDITOR\fR
is not set.
.SH "FILES"
-.IX Header "FILES"
-.ie n .IP "\fI@sysconfdir@/sudoers\fR" 24
-.el .IP "\fI@sysconfdir@/sudoers\fR" 24
-.IX Item "@sysconfdir@/sudoers"
+.TP 26n
+\fI@sysconfdir@/sudoers\fR
List of who can run what
-.ie n .IP "\fI@timedir@\fR" 24
-.el .IP "\fI@timedir@\fR" 24
-.IX Item "@timedir@"
+.TP 26n
+\fI@timedir@\fR
Directory containing time stamps
-.IP "\fI/etc/environment\fR" 24
-.IX Item "/etc/environment"
-Initial environment for \fB\-i\fR mode on \s-1AIX\s0 and Linux systems
+.TP 26n
+\fI/etc/environment\fR
+Initial environment for
+\fB\-i\fR
+mode on AIX and Linux systems
.SH "EXAMPLES"
-.IX Header "EXAMPLES"
-Note: the following examples assume suitable \fIsudoers\fR\|(@mansectform@) entries.
+Note: the following examples assume suitable
+sudoers(@mansectform@)
+entries.
.PP
To get a file listing of an unreadable directory:
+.nf
+.sp
+.RS 6n
+$ sudo ls /usr/local/protected
+.RE
+.fi
.PP
-.Vb 1
-\& $ sudo ls /usr/local/protected
-.Ve
-.PP
-To list the home directory of user yaz on a machine where the
-file system holding ~yaz is not exported as root:
-.PP
-.Vb 1
-\& $ sudo \-u yaz ls ~yaz
-.Ve
-.PP
-To edit the \fIindex.html\fR file as user www:
-.PP
-.Vb 1
-\& $ sudo \-u www vi ~www/htdocs/index.html
-.Ve
+To list the home directory of user yaz on a machine where the file
+system holding ~yaz is not exported as root:
+.nf
+.sp
+.RS 6n
+$ sudo -u yaz ls ~yaz
+.RE
+.fi
.PP
-To view system logs only accessible to root and users in the adm group:
+To edit the
+\fIindex.html\fR
+file as user www:
+.nf
+.sp
+.RS 6n
+$ sudo -u www vi ~www/htdocs/index.html
+.RE
+.fi
.PP
-.Vb 1
-\& $ sudo \-g adm view /var/log/syslog
-.Ve
+To view system logs only accessible to root and users in the adm
+group:
+.nf
+.sp
+.RS 6n
+$ sudo -g adm view /var/log/syslog
+.RE
+.fi
.PP
To run an editor as jim with a different primary group:
+.nf
+.sp
+.RS 6n
+$ sudo -u jim -g audio vi ~jim/sound.txt
+.RE
+.fi
.PP
-.Vb 1
-\& $ sudo \-u jim \-g audio vi ~jim/sound.txt
-.Ve
-.PP
-To shutdown a machine:
-.PP
-.Vb 1
-\& $ sudo shutdown \-r +15 "quick reboot"
-.Ve
-.PP
-To make a usage listing of the directories in the /home
-partition. Note that this runs the commands in a sub-shell
-to make the \f(CW\*(C`cd\*(C'\fR and file redirection work.
+To shut down a machine:
+.nf
+.sp
+.RS 6n
+$ sudo shutdown -r +15 "quick reboot"
+.RE
+.fi
.PP
-.Vb 1
-\& $ sudo sh \-c "cd /home ; du \-s * | sort \-rn > USAGE"
-.Ve
+To make a usage listing of the directories in the /home partition.
+Note that this runs the commands in a sub-shell to make the
+\fRcd\fR
+and file redirection work.
+.nf
+.sp
+.RS 6n
+$ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
+.RE
+.fi
.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-\&\fIgrep\fR\|(1), \fIsu\fR\|(1), \fIstat\fR\|(2),
-.if \n(LC \&\fIlogin_cap\fR\|(3),
-\&\fIpasswd\fR\|(@mansectform@), \fIsudoers\fR\|(5), \fIvisudo\fR\|(@mansectsu@)
+grep(1),
+su(1),
+stat(2),
+login_cap(3),
+passwd(@mansectform@),
+sudoers(@mansectform@),
+sudoreplay(@mansectsu@),
+visudo(@mansectsu@)
+.SH "HISTORY"
+See the HISTORY file in the
+\fBsudo\fR
+distribution (http://www.sudo.ws/sudo/history.html) for a brief
+history of sudo.
.SH "AUTHORS"
-.IX Header "AUTHORS"
-Many people have worked on \fBsudo\fR over the years; this
-version consists of code written primarily by:
-.PP
-.Vb 1
-\& Todd C. Miller
-.Ve
+Many people have worked on
+\fBsudo\fR
+over the years; this version consists of code written primarily by:
+.sp
+.RS 6n
+Todd C. Miller
+.RE
.PP
-See the \s-1HISTORY\s0 file in the \fBsudo\fR distribution or visit
-http://www.sudo.ws/sudo/history.html for a short history
-of \fBsudo\fR.
+See the CONTRIBUTORS file in the
+\fBsudo\fR
+distribution (http://www.sudo.ws/sudo/contributors.html) for an
+exhaustive list of people who have contributed to
+\fBsudo\fR.
.SH "CAVEATS"
-.IX Header "CAVEATS"
There is no easy way to prevent a user from gaining a root shell
-if that user is allowed to run arbitrary commands via \fBsudo\fR.
+if that user is allowed to run arbitrary commands via
+\fBsudo\fR.
Also, many programs (such as editors) allow the user to run commands
-via shell escapes, thus avoiding \fBsudo\fR's checks. However, on
-most systems it is possible to prevent shell escapes with \fBsudo\fR's
-\&\fInoexec\fR functionality. See the \fIsudoers\fR\|(@mansectform@) manual
-for details.
-.PP
-It is not meaningful to run the \f(CW\*(C`cd\*(C'\fR command directly via sudo, e.g.,
+via shell escapes, thus avoiding
+\fBsudo\fR's
+checks.
+However, on most systems it is possible to prevent shell escapes with
+\fBsudo ' s\fR
+\fInoexec\fR
+functionality.
+See the
+sudoers(@mansectform@)
+manual for details.
.PP
-.Vb 1
-\& $ sudo cd /usr/local/protected
-.Ve
+It is not meaningful to run the
+\fRcd\fR
+command directly via sudo, e.g.,
+.nf
+.sp
+.RS 6n
+$ sudo cd /usr/local/protected
+.RE
+.fi
.PP
since when the command exits the parent process (your shell) will
-still be the same. Please see the \s-1EXAMPLES\s0 section for more information.
-.PP
-If users have sudo \f(CW\*(C`ALL\*(C'\fR there is nothing to prevent them from
-creating their own program that gives them a root shell regardless
-of any '!' elements in the user specification.
+still be the same.
+Please see the
+\fIEXAMPLES\fR
+section for more information.
.PP
-Running shell scripts via \fBsudo\fR can expose the same kernel bugs that
-make setuid shell scripts unsafe on some operating systems (if your \s-1OS\s0
-has a /dev/fd/ directory, setuid shell scripts are generally safe).
+Running shell scripts via
+\fBsudo\fR
+can expose the same kernel bugs that make setuid shell scripts
+unsafe on some operating systems (if your OS has a /dev/fd/ directory,
+setuid shell scripts are generally safe).
.SH "BUGS"
-.IX Header "BUGS"
-If you feel you have found a bug in \fBsudo\fR, please submit a bug report
-at http://www.sudo.ws/sudo/bugs/
+If you feel you have found a bug in
+\fBsudo\fR,
+please submit a bug report at http://www.sudo.ws/sudo/bugs/
.SH "SUPPORT"
-.IX Header "SUPPORT"
Limited free support is available via the sudo-users mailing list,
-see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
+see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.SH "DISCLAIMER"
-.IX Header "DISCLAIMER"
-\&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
-including, but not limited to, the implied warranties of merchantability
-and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
-file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
-for complete details.
+\fBsudo\fR
+is provided
+``AS IS''
+and any express or implied warranties, including, but not limited
+to, the implied warranties of merchantability and fitness for a
+particular purpose are disclaimed.
+See the LICENSE file distributed with
+\fBsudo\fR
+or http://www.sudo.ws/sudo/license.html for complete details.
--- /dev/null
+.\"
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2012
+.\" Todd C. Miller <Todd.Miller@courtesan.com>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" Sponsored in part by the Defense Advanced Research Projects
+.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
+.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
+.\"
+.Dd July 10, 2012
+.Dt SUDO @mansectsu@
+.Os Sudo @PACKAGE_VERSION@
+.Sh NAME
+.Nm sudo ,
+.Nm sudoedit
+.Nd execute a command as another user
+.Sh SYNOPSIS
+.Nm sudo
+.Fl h No | Fl K No | Fl k No | Fl L No | Fl V
+.Nm sudo
+.Fl v
+.Op Fl AknS
+.Bk -words
+.Op Fl a Ar auth_type
+.Ek
+.Bk -words
+.Op Fl g Ar group name No | Ar #gid
+.Ek
+.Bk -words
+.Op Fl p Ar prompt
+.Ek
+.Bk -words
+.Op Fl u Ar user name No | Ar #uid
+.Ek
+.Nm sudo
+.Fl l Ns Op Ar l
+.Op Fl AknS
+.Bk -words
+.Op Fl a Ar auth_type
+.Ek
+.Bk -words
+.Op Fl g Ar group name No | Ar #gid
+.Ek
+.Bk -words
+.Op Fl p Ar prompt
+.Ek
+.Bk -words
+.Op Fl U Ar user name
+.Ek
+.Bk -words
+.Op Fl u Ar user name No | Ar #uid
+.Ek
+.Op Ar command
+.Nm sudo
+.Op Fl AbEHnPS
+.Bk -words
+.Op Fl a Ar auth_type
+.Ek
+.Bk -words
+.Op Fl C Ar fd
+.Ek
+.Bk -words
+.Op Fl c Ar class No | Ar -
+.Ek
+.Bk -words
+.Op Fl g Ar group name No | Ar #gid
+.Ek
+.Bk -words
+.Op Fl p Ar prompt
+.Ek
+.Bk -words
+.Op Fl r Ar role
+.Ek
+.Bk -words
+.Op Fl t Ar type
+.Ek
+.Bk -words
+.Op Fl u Ar user name No | Ar #uid
+.Ek
+.Bk -words
+.Op Sy VAR Ns = Ns Ar value
+.Ek
+.Bk -words
+.Fl i No | Fl s
+.Ek
+.Op Ar command
+.Nm sudoedit
+.Op Fl AnS
+.Bk -words
+.Op Fl a Ar auth_type
+.Ek
+.Bk -words
+.Op Fl C Ar fd
+.Ek
+.Bk -words
+.Op Fl c Ar class No | Ar -
+.Ek
+.Bk -words
+.Op Fl g Ar group name No | Ar #gid
+.Ek
+.Bk -words
+.Op Fl p Ar prompt
+.Ek
+.Bk -words
+.Op Fl u Ar user name No | Ar #uid
+.Ek
+.Bk -words
+file ...
+.Ek
+.Sh DESCRIPTION
+.Nm sudo
+allows a permitted user to execute a
+.Ar command
+as the superuser or another user, as specified by the
+.Em sudoers
+file.
+The real and effective uid and gid are set to match those of the
+target user, as specified in the password database, and the group
+vector is initialized based on the group database (unless the
+.Fl P
+option was specified).
+See the
+.Sx Command Environment
+section below for more details.
+.Pp
+.Nm sudo
+determines who is an authorized user by consulting the file
+.Pa @sysconfdir@/sudoers .
+By running
+.Nm sudo
+with the
+.Fl v
+option, a user can update the time stamp without running a
+.Ar command .
+If authentication is required,
+.Nm sudo
+will exit if the user's password is not entered within a configurable
+time limit.
+The default password prompt timeout is
+.Li @password_timeout@
+minutes.
+.Pp
+When invoked as
+.Nm sudoedit ,
+the
+.Fl e
+option (described below), is implied.
+.Pp
+The options are as follows:
+.Bl -tag -width Fl
+.It Fl A
+Normally, if
+.Nm sudo
+requires a password, it will read it from the user's terminal.
+If the
+.Fl A No ( Em askpass Ns No )
+option is specified, a (possibly graphical) helper program is
+executed to read the user's password and output the password to the
+standard output.
+If the
+.Ev SUDO_ASKPASS
+environment variable is set, it specifies the path to the helper
+program.
+Otherwise, the value specified by the
+.Em askpass
+option in
+.Xr sudoers @mansectform@
+is used.
+If no askpass program is available,
+.Nm sudo
+will exit with an error.
+.It Fl a Ar type
+The
+.Fl a No ( Em "authentication type" Ns No )
+option causes
+.Nm sudo
+to use the specified authentication type when validating the user,
+as allowed by
+.Pa /etc/login.conf .
+The system administrator may specify a list of sudo-specific
+authentication methods by adding an
+.Dq auth-sudo
+entry in
+.Pa /etc/login.conf .
+This option is only available on systems that support BSD authentication.
+.It Fl b
+The
+.Fl b No ( Em background Ns No )
+option tells
+.Nm sudo
+to run the given command in the background.
+Note that if you use the
+.Fl b
+option you cannot use shell job control to manipulate the process.
+Most interactive commands will fail to work properly in background
+mode.
+.It Fl C Ar fd
+Normally,
+.Nm sudo
+will close all open file descriptors other than standard input,
+standard output and standard error.
+The
+.Fl C No ( Em close from Ns No )
+option allows the user to specify a starting point above the standard
+error (file descriptor three).
+Values less than three are not permitted.
+This option is only available when the administrator has enabled the
+.Em closefrom_override
+option in
+.Xr sudoers @mansectform@ .
+.It Fl c Ar class
+The
+.Fl c No ( Em class Ns No )
+option causes
+.Nm sudo
+to run the specified command with resources limited by the specified
+login class.
+The
+.Em class
+argument can be either a class name as defined in
+.Pa /etc/login.conf ,
+or a single
+.Ql \-
+character.
+Specifying a
+.Ar class
+of
+.Li -
+indicates that the command should be run restricted by the default
+login capabilities for the user the command is run as.
+If the
+.Ar class
+argument specifies an existing user class, the command must be run
+as root, or the
+.Nm sudo
+command must be run from a shell that is already root.
+This option is only available on systems with BSD login classes.
+.It Fl E
+The
+.Fl E No ( Em preserve environment Ns No )
+option will override the
+.Em env_reset
+option in
+.Xr sudoers @mansectform@ .
+It is only available when either the matching command has the
+.Li SETENV
+tag or the
+.Em setenv
+option is set in
+.Xr sudoers @mansectform@ .
+.Nm sudo
+will return an error if the
+.Fl E
+option is specified and the user does not have permission to preserve
+the environment.
+.It Fl e
+The
+.Fl e No ( Em edit Ns No )
+option indicates that, instead of running a command, the user wishes
+to edit one or more files.
+In lieu of a command, the string "sudoedit" is used when consulting the
+.Em sudoers
+file.
+If the user is authorized by
+.Em sudoers ,
+the following steps are taken:
+.Bl -enum -offset 4
+.It
+Temporary copies are made of the files to be edited with the owner
+set to the invoking user.
+.It
+The editor specified by the
+.Ev SUDO_EDITOR ,
+.Ev VISUAL
+or
+.Ev EDITOR
+environment variables (in that order) is run to edit the temporary files.
+If none of
+.Ev SUDO_EDITOR ,
+.Ev VISUAL
+or
+.Ev EDITOR
+are set, the first program listed in the
+.Em editor
+.Xr sudoers @mansectform@
+option is used.
+.It
+If they have been modified, the temporary files are copied back to
+their original location and the temporary versions are removed.
+.El
+.Pp
+If the specified file does not exist, it will be created.
+Note that unlike most commands run by
+.Em sudo ,
+the editor is run with the invoking user's environment unmodified.
+If, for some reason,
+.Nm sudo
+is unable to update a file with its edited version, the user will
+receive a warning and the edited copy will remain in a temporary
+file.
+.It Fl g Ar group
+Normally,
+.Nm sudo
+runs a command with the primary group set to the one specified by
+the password database for the user the command is being run as (by
+default, root).
+The
+.Fl g No ( Em group Ns No )
+option causes
+.Nm sudo
+to run the command with the primary group set to
+.Ar group
+instead.
+To specify a
+.Em gid
+instead of a
+.Em "group name" ,
+use
+.Em #gid .
+When running commands as a
+.Em gid ,
+many shells require that the
+.Ql #
+be escaped with a backslash
+.Pq Ql \e .
+If no
+.Fl u
+option is specified, the command will be run as the invoking user
+(not root).
+In either case, the primary group will be set to
+.Em group .
+.It Fl H
+The
+.Fl H No ( Em HOME Ns No )
+option option sets the
+.Ev HOME
+environment variable to the home directory of the target user (root
+by default) as specified by the password database.
+The default handling of the
+.Ev HOME
+environment variable depends on
+.Xr sudoers @mansectform@
+settings.
+By default,
+.Nm sudo
+will set
+.Ev HOME
+if
+.Em env_reset
+or
+.Em always_set_home
+are set, or if
+.Em set_home
+is set and the
+.Fl s
+option is specified on the command line.
+.It Fl h
+The
+.Fl h No ( Em help Ns No )
+option causes
+.Nm sudo
+to print a short help message to the standard output and exit.
+.It Fl i Op Ar command
+The
+.Fl i No ( Em simulate initial login Ns No )
+option runs the shell specified by the password database entry of
+the target user as a login shell.
+This means that login-specific resource files such as
+.Pa .profile
+or
+.Pa .login
+will be read by the shell.
+If a command is specified, it is passed to the shell for execution
+via the shell's
+.Fl c
+option.
+If no command is specified, an interactive shell is executed.
+.Nm sudo
+attempts to change to that user's home directory before running the
+shell.
+It also initializes the environment to a minimal
+set of variables, similar to what is present when a user logs in.
+The
+.Sx Command Environment
+section below documents in detail how the
+.Fl i
+option affects the environment in which a command is run.
+.It Fl K
+The
+.Fl K No ( sure Em kill Ns No )
+option is like
+.Fl k
+except that it removes the user's time stamp file entirely and
+may not be used in conjunction with a command or other option.
+This option does not require a password.
+.It Fl k Op Ar command
+When used alone, the
+.Fl k No ( Em kill Ns No )
+option to
+.Nm sudo
+invalidates the user's time stamp file.
+The next time
+.Nm sudo
+is run a password will be required.
+This option does not require a password and was added to allow a
+user to revoke
+.Nm sudo
+permissions from a
+.Pa .logout
+file.
+.Pp
+When used in conjunction with a command or an option that may require
+a password, the
+.Fl k
+option will cause
+.Nm sudo
+to ignore the user's time stamp file.
+As a result,
+.Nm sudo
+will prompt for a password (if one is required by
+.Em sudoers )
+and will not update the user's time stamp file.
+.It Fl L
+The
+.Fl L No ( Em list No defaults Ns )
+option will list the parameters that
+may be set in a
+.Em Defaults
+line along with a short description for each.
+This option will be removed from a future version of
+.Nm sudo .
+.It Fl l Ns Oo Sy l Oc Op Ar command
+If no
+.Ar command
+is specified, the
+.Fl l No ( Em list Ns No )
+option will list the allowed (and forbidden) commands for the
+invoking user (or the user specified by the
+.Fl U
+option) on the current host.
+If a
+.Ar command
+is specified and is permitted by
+.Em sudoers ,
+the fully-qualified
+path to the command is displayed along with any command line
+arguments.
+If
+.Ar command
+is specified but not allowed,
+.Nm sudo
+will exit with a status value of 1.
+If the
+.Fl l
+option is specified with an
+.Ar l
+argument
+.Pq i.e.\& Fl ll ,
+or if
+.Fl l
+is specified multiple times, a longer list format is used.
+.It Fl n
+The
+.Fl n No ( Em non-interactive Ns No )
+option prevents
+.Nm sudo
+from prompting the user for a password.
+If a password is required for the command to run,
+.Nm sudo
+will display an error message and exit.
+.It Fl P
+The
+.Fl P No ( Em preserve group vector Ns No )
+option causes
+.Nm sudo
+to preserve the invoking user's group vector unaltered.
+By default,
+.Nm sudo
+will initialize the group vector to the list of groups the
+target user is in.
+The real and effective group IDs, however, are still set to match
+the target user.
+.It Fl p Ar prompt
+The
+.Fl p No ( Em prompt Ns No )
+option allows you to override the default password prompt and use
+a custom one.
+The following percent
+.Pq Ql %
+escapes are supported:
+.Bl -tag -width 2n
+.It Li %H
+expanded to the host name including the domain name (on if the
+machine's host name is fully qualified or the
+.Em fqdn
+option is set in
+.Xr sudoers @mansectform@ )
+.It Li %h
+expanded to the local host name without the domain name
+.It Li %p
+expanded to the name of the user whose password is being requested
+(respects the
+.Em rootpw ,
+.Em targetpw ,
+and
+.Em runaspw
+flags in
+.Xr sudoers @mansectform@ )
+.It Li \&%U
+expanded to the login name of the user the command will be run as
+(defaults to root unless the
+.Fl u
+option is also specified)
+.It Li %u
+expanded to the invoking user's login name
+.It Li %%
+two consecutive
+.Ql %
+characters are collapsed into a single
+.Ql %
+character
+.El
+.Pp
+The prompt specified by the
+.Fl p
+option will override the system password prompt on systems that
+support PAM unless the
+.Em passprompt_override
+flag is disabled in
+.Em sudoers .
+.It Fl r Ar role
+The
+.Fl r No ( Em role Ns No )
+option causes the new (SELinux) security context to have the role
+specified by
+.Ar role .
+.It Fl S
+The
+.Fl S ( Em stdin Ns No )
+option causes
+.Nm sudo
+to read the password from the standard input instead of the terminal
+device.
+The password must be followed by a newline character.
+.It Fl s Op Ar command
+The
+.Fl s ( Em shell Ns No )
+option runs the shell specified by the
+.Ev SHELL
+environment variable if it is set or the shell as specified in the
+password database.
+If a command is specified, it is passed to the shell for execution
+via the shell's
+.Fl c
+option.
+If no command is specified, an interactive shell is executed.
+.It Fl t Ar type
+The
+.Fl t ( Em type Ns No )
+option causes the new (SELinux) security context to have the type
+specified by
+.Ar type .
+If no type is specified, the default type is derived from the
+specified role.
+.It Fl U Ar user
+The
+.Fl U ( Em other user Ns No )
+option is used in conjunction with the
+.Fl l
+option to specify the user whose privileges should be listed.
+Only root or a user with the
+.Li ALL
+privilege on the current host may use this option.
+.It Fl u Ar user
+The
+.Fl u ( Em user Ns No )
+option causes
+.Nm sudo
+to run the specified command as a user other than
+.Em root .
+To specify a
+.Em uid
+instead of a
+.Em user name ,
+.Em #uid .
+When running commands as a
+.Em uid ,
+many shells require that the
+.Ql #
+be escaped with a backslash
+.Pq Ql \e .
+Note that if the
+.Em targetpw
+Defaults option is set (see
+.Xr sudoers @mansectform@ ) ,
+it is not possible to run commands with a uid not listed in the
+password database.
+.It Fl V
+The
+.Fl V ( Em version Ns No )
+option causes
+.Nm sudo
+to print its version string and exit.
+If the invoking user is already root the
+.Fl V
+option will display the arguments passed to configure when
+.Nm sudo
+was built as well a list of the defaults
+.Nm sudo
+was compiled with as well as the machine's local network addresses.
+.It Fl v
+When given the
+.Fl v ( Em validate Ns No )
+option,
+.Nm sudo
+will update the user's time stamp file, authenticating the user's
+password if necessary.
+This extends the
+.Nm sudo
+timeout for another
+.Li @timeout@
+minutes (or whatever the timeout is set to in
+.Em sudoers )
+but does not run a command.
+.It Fl -
+The
+.Fl -
+option indicates that
+.Nm sudo
+should stop processing command line arguments.
+.El
+.Pp
+Environment variables to be set for the command may also be passed
+on the command line in the form of
+.Sy VAR Ns No = Ns Em value ,
+e.g.\&
+.Sy LD_LIBRARY_PATH Ns No = Ns Em /usr/local/pkg/lib .
+Variables passed on the command line are subject to the same
+restrictions as normal environment variables with one important
+exception.
+If the
+.Em setenv
+option is set in
+.Em sudoers ,
+the command to be run has the
+.Li SETENV
+tag set or the command matched is
+.Li ALL ,
+the user may set variables that would otherwise be forbidden.
+See
+.Xr sudoers @mansectform@
+for more information.
+.Ss Authentication and Logging
+.Nm sudo
+requires that most users authenticate themselves by default.
+A password is not required
+if the invoking user is root, if the target user is the same as the
+invoking user, or if the authentication has been disabled for the
+user or command in the
+.Em sudoers
+file.
+Unlike
+.Xr su 1 ,
+when
+.Nm sudo
+requires
+authentication, it validates the invoking user's credentials, not
+the target user's (or root's) credentials.
+This can be changed via
+the
+.Em rootpw ,
+.Em targetpw
+and
+.Em runaspw
+Defaults entries in
+.Em sudoers .
+.Pp
+If a user who is not listed in
+.Em sudoers
+tries to run a command via
+.Nm sudo ,
+mail is sent to the proper authorities.
+The address
+used for such mail is configurable via the
+.Em mailto
+.Em sudoers
+Defaults entry and defaults to
+.Li @mailto@ .
+.Pp
+Note that mail will not be sent if an unauthorized user tries to
+run
+.Nm sudo
+with the
+.Fl l
+or
+.Fl v
+option.
+This allows users to
+determine for themselves whether or not they are allowed to use
+.Nm sudo .
+.Pp
+If
+.Nm sudo
+is run by root and the
+.Ev SUDO_USER
+environment variable
+is set, its value will be used to determine who the actual user is.
+This can be used by a user to log commands
+through
+.Nm sudo
+even when a root shell has been invoked.
+It also
+allows the
+.Fl e
+option to remain useful even when invoked via a
+sudo-run script or program.
+Note, however, that the
+.Em sudoers
+lookup is still done for root, not the user specified by
+.Ev SUDO_USER .
+.Pp
+.Nm sudo
+uses time stamp files for credential caching.
+Once a
+user has been authenticated, the time stamp is updated and the user
+may then use sudo without a password for a short period of time
+.Po
+.Li @timeout@
+minutes unless overridden by the
+.Em timeout
+option
+.Pc .
+By default,
+.Nm sudo
+uses a tty-based time stamp which means that
+there is a separate time stamp for each of a user's login sessions.
+The
+.Em tty_tickets
+option can be disabled to force the use of a
+single time stamp for all of a user's sessions.
+.Pp
+.Nm sudo
+can log both successful and unsuccessful attempts (as well
+as errors) to
+.Xr syslog 3 ,
+a log file, or both.
+By default,
+.Nm sudo
+will log via
+.Xr syslog 3
+but this is changeable via the
+.Em syslog
+and
+.Em logfile
+Defaults settings.
+.Pp
+.Nm sudo
+also supports logging a command's input and output
+streams.
+I/O logging is not on by default but can be enabled using
+the
+.Em log_input
+and
+.Em log_output
+Defaults flags as well as the
+.Li LOG_INPUT
+and
+.Li LOG_OUTPUT
+command tags.
+.Ss Command Environment
+Since environment variables can influence program behavior,
+.Nm sudo
+provides a means to restrict which variables from the user's
+environment are inherited by the command to be run.
+There are two
+distinct ways
+.Em sudoers
+can be configured to handle with environment variables.
+.Pp
+By default, the
+.Em env_reset
+option is enabled.
+This causes commands
+to be executed with a new, minimal environment.
+On AIX (and Linux
+systems without PAM), the environment is initialized with the
+contents of the
+.Pa /etc/environment
+file.
+On BSD systems, if the
+.Em use_loginclass
+option is enabled, the environment is initialized
+based on the
+.Em path
+and
+.Em setenv
+settings in
+.Pa /etc/login.conf .
+The new environment contains the
+.Ev TERM ,
+.Ev PATH ,
+.Ev HOME ,
+.Ev MAIL ,
+.Ev SHELL ,
+.Ev LOGNAME ,
+.Ev USER ,
+.Ev USERNAME
+and
+.Ev SUDO_*
+variables
+in addition to variables from the invoking process permitted by the
+.Em env_check
+and
+.Em env_keep
+options.
+This is effectively a whitelist
+for environment variables.
+.Pp
+If, however, the
+.Em env_reset
+option is disabled, any variables not
+explicitly denied by the
+.Em env_check
+and
+.Em env_delete
+options are
+inherited from the invoking process.
+In this case,
+.Em env_check
+and
+.Em env_delete
+behave like a blacklist.
+Since it is not possible
+to blacklist all potentially dangerous environment variables, use
+of the default
+.Em env_reset
+behavior is encouraged.
+.Pp
+In all cases, environment variables with a value beginning with
+.Li ()
+are removed as they could be interpreted as
+.Sy bash
+functions.
+The list of environment variables that
+.Nm sudo
+allows or denies is
+contained in the output of
+.Dq Li sudo -V
+when run as root.
+.Pp
+Note that the dynamic linker on most operating systems will remove
+variables that can control dynamic linking from the environment of
+setuid executables, including
+.Nm sudo .
+Depending on the operating
+system this may include
+.Ev _RLD* ,
+.Ev DYLD_* ,
+.Ev LD_* ,
+.Ev LDR_* ,
+.Ev LIBPATH ,
+.Ev SHLIB_PATH ,
+and others.
+These type of variables are
+removed from the environment before
+.Nm sudo
+even begins execution
+and, as such, it is not possible for
+.Nm sudo
+to preserve them.
+.Pp
+As a special case, if
+.Nm sudo Ns No 's
+.Fl i
+option (initial login) is
+specified,
+.Nm sudo
+will initialize the environment regardless
+of the value of
+.Em env_reset .
+The
+.Ev DISPLAY ,
+.Ev PATH
+and
+.Ev TERM
+variables remain unchanged;
+.Ev HOME ,
+.Ev MAIL ,
+.Ev SHELL ,
+.Ev USER ,
+and
+.Ev LOGNAME
+are set based on the target user.
+On AIX (and Linux
+systems without PAM), the contents of
+.Pa /etc/environment
+are also
+included.
+On BSD systems, if the
+.Em use_loginclass
+option is
+enabled, the
+.Em path
+and
+.Em setenv
+variables in
+.Pa /etc/login.conf
+are also applied.
+All other environment variables are removed.
+.Pp
+Finally, if the
+.Em env_file
+option is defined, any variables present
+in that file will be set to their specified values as long as they
+would not conflict with an existing environment variable.
+.Sh EXIT VALUE
+Upon successful execution of a program, the exit status from
+.Em sudo
+will simply be the exit status of the program that was executed.
+.Pp
+Otherwise,
+.Nm sudo
+exits with a value of 1 if there is a configuration/permission
+problem or if
+.Nm sudo
+cannot execute the given command.
+In the latter case the error string is printed to the standard error.
+If
+.Nm sudo
+cannot
+.Xr stat 2
+one or more entries in the user's
+.Ev PATH ,
+an error is printed on stderr.
+(If the directory does not exist or if it is not really a directory,
+the entry is ignored and no error is printed.)
+This should not happen under normal circumstances.
+The most common reason for
+.Xr stat 2
+to return
+.Dq permission denied
+is if you are running an automounter and one of the directories in
+your
+.Ev PATH
+is on a machine that is currently unreachable.
+.Sh LOG FORMAT
+.Nm sudo
+can log events using either
+.Xr syslog 3
+or a simple log file.
+In each case the log format is almost identical.
+.Ss Accepted command log entries
+Commands that sudo runs are logged using the following format (split
+into multiple lines for readability):
+.Bd -literal -offset 4n
+date hostname progname: username : TTY=ttyname ; PWD=cwd ; \e
+ USER=runasuser ; GROUP=runasgroup ; TSID=logid ; \e
+ ENV=env_vars COMMAND=command
+.Ed
+.Pp
+Where the fields are as follows:
+.Bl -tag -width 12n
+.It date
+The date the command was run.
+Typically, this is in the format
+.Dq MMM, DD, HH:MM:SS .
+If logging via
+.Xr syslog 3 ,
+the actual date format is controlled by the syslog daemon.
+If logging to a file and the
+.Em log_year
+option is enabled,
+the date will also include the year.
+.It hostname
+The name of the host
+.Nm sudo
+was run on.
+This field is only present when logging via
+.Xr syslog 3 .
+.It progname
+The name of the program, usually
+.Em sudo
+or
+.Em sudoedit .
+This field is only present when logging via
+.Xr syslog 3 .
+.It username
+The login name of the user who ran
+.Nm sudo .
+.It ttyname
+The short name of the terminal (e.g.\&
+.Dq console ,
+.Dq tty01 ,
+or
+.Dq pts/0 )
+.Nm sudo
+was run on, or
+.Dq unknown
+if there was no terminal present.
+.It cwd
+The current working directory that
+.Nm sudo
+was run in.
+.It runasuser
+The user the command was run as.
+.It runasgroup
+The group the command was run as if one was specified on the command line.
+.It logid
+An I/O log identifier that can be used to replay the command's output.
+This is only present when the
+.Em log_input
+or
+.Em log_output
+option is enabled.
+.It env_vars
+A list of environment variables specified on the command line,
+if specified.
+.It command
+The actual command that was executed.
+.El
+.Pp
+Messages are logged using the locale specified by
+.Em sudoers_locale ,
+which defaults to the
+.Dq Li C
+locale.
+.Ss Denied command log entries
+If the user is not allowed to run the command, the reason for the denial
+will follow the user name.
+Possible reasons include:
+.Bl -tag -width 4
+.It user NOT in sudoers
+The user is not listed in the
+.Em sudoers
+file.
+.It user NOT authorized on host
+The user is listed in the
+.Em sudoers
+file but is not allowed to run commands on the host.
+.It command not allowed
+The user is listed in the
+.Em sudoers
+file for the host but they are not allowed to run the specified command.
+.It 3 incorrect password attempts
+The user failed to enter their password after 3 tries.
+The actual number of tries will vary based on the number of
+failed attempts and the value of the
+.Em passwd_tries
+.Em sudoers
+option.
+.It a password is required
+The
+.Fl n
+option was specified but a password was required.
+.It sorry, you are not allowed to set the following environment variables
+The user specified environment variables on the command line that
+were not allowed by
+.Em sudoers .
+.El
+.Ss Error log entries
+If an error occurs,
+.Nm sudo
+will log a message and, in most cases, send a message to the
+administrator via email.
+Possible errors include:
+.Bl -tag -width 4
+.It parse error in @sysconfdir@/sudoers near line N
+.Nm sudo
+encountered an error when parsing the specified file.
+In some cases, the actual error may be one line above or below the
+line number listed, depending on the type of error.
+.It problem with defaults entries
+The
+.Em sudoers
+file contains one or more unknown Defaults settings.
+This does not prevent
+.Nm sudo
+from running, but the
+.Em sudoers
+file should be checked using
+.Nm visudo .
+.It timestamp owner (username): \&No such user
+The time stamp directory owner, as specified by the
+.Em timestampowner
+setting, could not be found in the password database.
+.It unable to open/read @sysconfdir@/sudoers
+The
+.Em sudoers
+file could not be opened for reading.
+This can happen when the
+.Em sudoers
+file is located on a remote file system that maps user ID 0 to
+a different value.
+Normally,
+.Nm sudo
+tries to open
+.Em sudoers
+using group permissions to avoid this problem.
+.It unable to stat @sysconfdir@/sudoers
+The
+.Pa @sysconfdir@/sudoers
+file is missing.
+.It @sysconfdir@/sudoers is not a regular file
+The
+.Pa @sysconfdir@/sudoers
+file exists but is not a regular file or symbolic link.
+.It @sysconfdir@/sudoers is owned by uid N, should be 0
+The
+.Em sudoers
+file has the wrong owner.
+.It @sysconfdir@/sudoers is world writable
+The permissions on the
+.Em sudoers
+file allow all users to write to it.
+The
+.Em sudoers
+file must not be world-writable, the default file mode
+is 0440 (readable by owner and group, writable by none).
+.It @sysconfdir@/sudoers is owned by gid N, should be 1
+The
+.Em sudoers
+file has the wrong group ownership.
+.It unable to open @timedir@/username/ttyname
+.Em sudoers
+was unable to read or create the user's time stamp file.
+.It unable to write to @timedir@/username/ttyname
+.Em sudoers
+was unable to write to the user's time stamp file.
+.It unable to mkdir to @timedir@/username
+.Em sudoers
+was unable to create the user's time stamp directory.
+.El
+.Ss Notes on logging via syslog
+By default,
+.Em sudoers
+logs messages via
+.Xr syslog 3 .
+The
+.Em date ,
+.Em hostname ,
+and
+.Em progname
+fields are added by the syslog daemon, not
+.Em sudoers
+itself.
+As such, they may vary in format on different systems.
+.Pp
+On most systems,
+.Xr syslog 3
+has a relatively small log buffer.
+To prevent the command line arguments from being truncated,
+.Nm sudo
+will split up log messages that are larger than 960 characters
+(not including the date, hostname, and the string
+.Dq sudo ) .
+When a message is split, additional parts will include the string
+.Dq Pq command continued
+after the user name and before the continued command line arguments.
+.Ss Notes on logging to a file
+If the
+.Em logfile
+option is set,
+.Em sudoers
+will log to a local file, such as
+.Pa /var/log/sudo .
+When logging to a file,
+.Em sudoers
+uses a format similar to
+.Xr syslog 3 ,
+with a few important differences:
+.Bl -enum
+.It
+The
+.Em progname
+and
+.Em hostname
+fields are not present.
+.It
+If the
+.Em log_year
+.Em sudoers
+option is enabled,
+the date will also include the year.
+.It
+Lines that are longer than
+.Em loglinelen
+characters (80 by default) are word-wrapped and continued on the
+next line with a four character indent.
+This makes entries easier to read for a human being, but makes it
+more difficult to use
+.Xr grep 1
+on the log files.
+If the
+.Em loglinelen
+.Em sudoers
+option is set to 0 (or negated with a
+.Ql \&! ) ,
+word wrap will be disabled.
+.El
+.Sh SECURITY NOTES
+.Nm sudo
+tries to be safe when executing external commands.
+.Pp
+To prevent command spoofing,
+.Nm sudo
+checks "." and "" (both denoting current directory) last when
+searching for a command in the user's
+.Ev PATH
+(if one or both are in the
+.Ev PATH ) .
+Note, however, that the actual
+.Ev PATH
+environment variable is
+.Em not
+modified and is passed unchanged to the program that
+.Nm sudo
+executes.
+.Pp
+.Nm sudo
+will check the ownership of its time stamp directory
+.Po
+.Pa @timedir@
+by default
+.Pc
+and ignore the directory's contents if it is not owned by root or
+if it is writable by a user other than root.
+On systems that allow non-root users to give away files via
+.Xr chown 2 ,
+if the time stamp directory is located in a world-writable
+directory (e.g.\&,
+.Pa /tmp ) ,
+it is possible for a user to create the time stamp directory before
+.Nm sudo
+is run.
+However, because
+.Nm sudo
+checks the ownership and mode of the directory and its
+contents, the only damage that can be done is to
+.Dq hide
+files by putting them in the time stamp dir.
+This is unlikely to happen since once the time stamp dir is owned by root
+and inaccessible by any other user, the user placing files there would be
+unable to get them back out.
+.Pp
+.Nm sudo
+will not honor time stamps set far in the future.
+Time stamps with a date greater than current_time + 2 *
+.Li TIMEOUT
+will be ignored and sudo will log and complain.
+This is done to keep a user from creating his/her own time stamp with a
+bogus date on systems that allow users to give away files if the time
+stamp directory is located in a world-writable directory.
+.Pp
+On systems where the boot time is available,
+.Nm sudo
+will ignore time stamps that date from before the machine booted.
+.Pp
+Since time stamp files live in the file system, they can outlive a
+user's login session.
+As a result, a user may be able to login, run a command with
+.Nm sudo
+after authenticating, logout, login again, and run
+.Nm sudo
+without authenticating so long as the time stamp file's modification
+time is within
+.Li @timeout@
+minutes (or whatever the timeout is set to in
+.Em sudoers ) .
+When the
+.Em tty_tickets
+.Em sudoers
+option is enabled, the time stamp has per-tty granularity but still
+may outlive the user's session.
+On Linux systems where the devpts filesystem is used, Solaris systems
+with the devices filesystem, as well as other systems that utilize a
+devfs filesystem that monotonically increase the inode number of devices
+as they are created (such as Mac OS X),
+.Nm sudo
+is able to determine when a tty-based time stamp file is stale and will
+ignore it.
+Administrators should not rely on this feature as it is not universally
+available.
+.Pp
+Please note that
+.Nm sudo
+will normally only log the command it explicitly runs.
+If a user runs a command such as
+.Li sudo su
+or
+.Li sudo sh ,
+subsequent commands run from that shell are not subject to
+.Nm sudo Ns No 's
+security policy.
+The same is true for commands that offer shell escapes (including
+most editors).
+If I/O logging is enabled, subsequent commands will have their input and/or
+output logged, but there will not be traditional logs for those commands.
+Because of this, care must be taken when giving users access to commands via
+.Nm sudo
+to verify that the command does not inadvertently give the user an
+effective root shell.
+For more information, please see the
+.Em PREVENTING SHELL ESCAPES
+section in
+.Xr sudoers @mansectform@ .
+.Pp
+To prevent the disclosure of potentially sensitive information,
+.Nm sudo
+disables core dumps by default while it is executing (they are
+re-enabled for the command that is run).
+.Pp
+For information on the security implications of
+.Em sudoers
+entries, please see the
+.Em SECURITY NOTES
+section in
+.Xr sudoers @mansectform@ .
+.Sh ENVIRONMENT
+.Nm sudo
+utilizes the following environment variables:
+.Bl -tag -width 15n
+.It Ev EDITOR
+Default editor to use in
+.Fl e
+(sudoedit) mode if neither
+.Ev SUDO_EDITOR
+nor
+.Ev VISUAL
+is set.
+.It Ev MAIL
+In
+.Fl i
+mode or when
+.Em env_reset
+is enabled in
+.Em sudoers ,
+set to the mail spool of the target user.
+.It Ev HOME
+Set to the home directory of the target user if
+.Fl i
+or
+.Fl H
+are specified,
+.Em env_reset
+or
+.Em always_set_home
+are set in
+.Em sudoers ,
+or when the
+.Fl s
+option is specified and
+.Em set_home
+is set in
+.Em sudoers .
+.It Ev PATH
+Set to a sane value if the
+.Em secure_path
+option is set in the
+.Em sudoers
+file.
+.It Ev SHELL
+Used to determine shell to run with
+.Fl s
+option.
+.It Ev SUDO_ASKPASS
+Specifies the path to a helper program used to read the password
+if no terminal is available or if the
+.Fl A
+option is specified.
+.It Ev SUDO_COMMAND
+Set to the command run by sudo.
+.It Ev SUDO_EDITOR
+Default editor to use in
+.Fl e
+(sudoedit) mode.
+.It Ev SUDO_GID
+Set to the group ID of the user who invoked sudo.
+.It Ev SUDO_PROMPT
+Used as the default password prompt.
+.It Ev SUDO_PS1
+If set,
+.Ev PS1
+will be set to its value for the program being run.
+.It Ev SUDO_UID
+Set to the user ID of the user who invoked sudo.
+.It Ev SUDO_USER
+Set to the login name of the user who invoked sudo.
+.It Ev USER
+Set to the target user (root unless the
+.Fl u
+option is specified).
+.It Ev VISUAL
+Default editor to use in
+.Fl e
+(sudoedit) mode if
+.Ev SUDO_EDITOR
+is not set.
+.El
+.Sh FILES
+.Bl -tag -width 24n
+.It Pa @sysconfdir@/sudoers
+List of who can run what
+.It Pa @timedir@
+Directory containing time stamps
+.It Pa /etc/environment
+Initial environment for
+.Fl i
+mode on AIX and Linux systems
+.El
+.Sh EXAMPLES
+Note: the following examples assume suitable
+.Xr sudoers 5
+entries.
+.Pp
+To get a file listing of an unreadable directory:
+.Bd -literal -offset indent
+$ sudo ls /usr/local/protected
+.Ed
+.Pp
+To list the home directory of user yaz on a machine where the file
+system holding ~yaz is not exported as root:
+.Bd -literal -offset indent
+$ sudo -u yaz ls ~yaz
+.Ed
+.Pp
+To edit the
+.Pa index.html
+file as user www:
+.Bd -literal -offset indent
+$ sudo -u www vi ~www/htdocs/index.html
+.Ed
+.Pp
+To view system logs only accessible to root and users in the adm
+group:
+.Bd -literal -offset indent
+$ sudo -g adm view /var/log/syslog
+.Ed
+.Pp
+To run an editor as jim with a different primary group:
+.Bd -literal -offset indent
+$ sudo -u jim -g audio vi ~jim/sound.txt
+.Ed
+.Pp
+To shut down a machine:
+.Bd -literal -offset indent
+$ sudo shutdown -r +15 "quick reboot"
+.Ed
+.Pp
+To make a usage listing of the directories in the /home partition.
+Note that this runs the commands in a sub-shell to make the
+.Li cd
+and file redirection work.
+.Bd -literal -offset indent
+$ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
+.Ed
+.Sh SEE ALSO
+.Xr grep 1 ,
+.Xr su 1 ,
+.Xr stat 2 ,
+.Xr login_cap 3 ,
+.Xr passwd @mansectform@ ,
+.Xr sudoers @mansectform@ ,
+.Xr sudoreplay @mansectsu@ ,
+.Xr visudo @mansectsu@
+.Sh HISTORY
+See the HISTORY file in the
+.Nm sudo
+distribution (http://www.sudo.ws/sudo/history.html) for a brief
+history of sudo.
+.Sh AUTHORS
+Many people have worked on
+.Nm sudo
+over the years; this version consists of code written primarily by:
+.Bd -ragged -offset indent
+Todd C. Miller
+.Ed
+.Pp
+See the CONTRIBUTORS file in the
+.Nm sudo
+distribution (http://www.sudo.ws/sudo/contributors.html) for an
+exhaustive list of people who have contributed to
+.Nm sudo .
+.Sh CAVEATS
+There is no easy way to prevent a user from gaining a root shell
+if that user is allowed to run arbitrary commands via
+.Nm sudo .
+Also, many programs (such as editors) allow the user to run commands
+via shell escapes, thus avoiding
+.Nm sudo Ns No 's
+checks.
+However, on most systems it is possible to prevent shell escapes with
+.Nm sudo ' s
+.Em noexec
+functionality.
+See the
+.Xr sudoers @mansectform@
+manual for details.
+.Pp
+It is not meaningful to run the
+.Li cd
+command directly via sudo, e.g.,
+.Bd -literal -offset indent
+$ sudo cd /usr/local/protected
+.Ed
+.Pp
+since when the command exits the parent process (your shell) will
+still be the same.
+Please see the
+.Sx EXAMPLES
+section for more information.
+.Pp
+Running shell scripts via
+.Nm sudo
+can expose the same kernel bugs that make setuid shell scripts
+unsafe on some operating systems (if your OS has a /dev/fd/ directory,
+setuid shell scripts are generally safe).
+.Sh BUGS
+If you feel you have found a bug in
+.Nm sudo ,
+please submit a bug report at http://www.sudo.ws/sudo/bugs/
+.Sh SUPPORT
+Limited free support is available via the sudo-users mailing list,
+see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
+search the archives.
+.Sh DISCLAIMER
+.Nm sudo
+is provided
+.Dq AS IS
+and any express or implied warranties, including, but not limited
+to, the implied warranties of merchantability and fitness for a
+particular purpose are disclaimed.
+See the LICENSE file distributed with
+.Nm sudo
+or http://www.sudo.ws/sudo/license.html for complete details.
+++ /dev/null
-Copyright (c) 1994-1996, 1998-2005, 2007-2010
- Todd C. Miller <Todd.Miller@courtesan.com>
-
-Permission to use, copy, modify, and distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-Sponsored in part by the Defense Advanced Research Projects
-Agency (DARPA) and Air Force Research Laboratory, Air Force
-Materiel Command, USAF, under agreement number F39502-99-1-0512.
-
-=pod
-
-=head1 NAME
-
-sudo, sudoedit - execute a command as another user
-
-=head1 SYNOPSIS
-
-B<sudo> B<-h> | B<-K> | B<-k> | B<-L> | B<-V>
-
-B<sudo> B<-v> [B<-AknS>]
-S<[B<-a> I<auth_type>]>
-S<[B<-g> I<group name>|I<#gid>]> S<[B<-p> I<prompt>]>
-S<[B<-u> I<username>|I<#uid>]>
-
-B<sudo> B<-l[l]> [B<-AknS>]
-S<[B<-a> I<auth_type>]>
-S<[B<-g> I<group name>|I<#gid>]> S<[B<-p> I<prompt>]>
-S<[B<-U> I<user name>]> S<[B<-u> I<user name>|I<#uid>]> [I<command>]
-
-B<sudo> [B<-AbEHnPS>]
-S<[B<-a> I<auth_type>]>
-S<[B<-C> I<fd>]>
-S<[B<-c> I<class>|I<->]>
-S<[B<-g> I<group name>|I<#gid>]> S<[B<-p> I<prompt>]>
-S<[B<-r> I<role>]> S<[B<-t> I<type>]>
-S<[B<-u> I<user name>|I<#uid>]>
-S<[B<VAR>=I<value>]> S<[B<-i> | B<-s>]> [I<command>]
-
-B<sudoedit> [B<-AnS>]
-S<[B<-a> I<auth_type>]>
-S<[B<-C> I<fd>]>
-S<[B<-c> I<class>|I<->]>
-S<[B<-g> I<group name>|I<#gid>]> S<[B<-p> I<prompt>]>
-S<[B<-u> I<user name>|I<#uid>]> file ...
-
-=head1 DESCRIPTION
-
-B<sudo> allows a permitted user to execute a I<command> as the
-superuser or another user, as specified in the I<sudoers> file.
-The real and effective uid and gid are set to match those of the
-target user as specified in the passwd file and the group vector
-is initialized based on the group file (unless the B<-P> option was
-specified). If the invoking user is root or if the target user is
-the same as the invoking user, no password is required. Otherwise,
-B<sudo> requires that users authenticate themselves with a password
-by default (NOTE: in the default configuration this is the user's
-password, not the root password). Once a user has been authenticated,
-a time stamp is updated and the user may then use sudo without a
-password for a short period of time (C<@timeout@> minutes unless
-overridden in I<sudoers>).
-
-When invoked as B<sudoedit>, the B<-e> option (described below),
-is implied.
-
-B<sudo> determines who is an authorized user by consulting the file
-F<@sysconfdir@/sudoers>. By running B<sudo> with the B<-v> option,
-a user can update the time stamp without running a I<command>. If
-a password is required, B<sudo> will exit if the user's password
-is not entered within a configurable time limit. The default
-password prompt timeout is C<@password_timeout@> minutes.
-
-If a user who is not listed in the I<sudoers> file tries to run a
-command via B<sudo>, mail is sent to the proper authorities, as
-defined at configure time or in the I<sudoers> file (defaults to
-C<@mailto@>). Note that the mail will not be sent if an unauthorized
-user tries to run sudo with the B<-l> or B<-v> option. This allows
-users to determine for themselves whether or not they are allowed
-to use B<sudo>.
-
-If B<sudo> is run by root and the C<SUDO_USER> environment variable
-is set, B<sudo> will use this value to determine who the actual
-user is. This can be used by a user to log commands through sudo
-even when a root shell has been invoked. It also allows the B<-e>
-option to remain useful even when being run via a sudo-run script or
-program. Note however, that the sudoers lookup is still done for
-root, not the user specified by C<SUDO_USER>.
-
-B<sudo> can log both successful and unsuccessful attempts (as well
-as errors) to syslog(3), a log file, or both. By default B<sudo>
-will log via syslog(3) but this is changeable at configure time
-or via the I<sudoers> file.
-
-=head1 OPTIONS
-
-B<sudo> accepts the following command line options:
-
-=over 12
-
-=item -A
-
-Normally, if B<sudo> requires a password, it will read it from the
-current terminal. If the B<-A> (I<askpass>) option is specified,
-a (possibly graphical) helper program is executed to read the
-user's password and output the password to the standard output. If
-the C<SUDO_ASKPASS> environment variable is set, it specifies the
-path to the helper program. Otherwise, the value specified by the
-I<askpass> option in L<sudoers(5)> is used.
-
-=item -a I<type>
-
-The B<-a> (I<authentication type>) option causes B<sudo> to use the
-specified authentication type when validating the user, as allowed
-by F</etc/login.conf>. The system administrator may specify a list
-of sudo-specific authentication methods by adding an "auth-sudo"
-entry in F</etc/login.conf>. This option is only available on systems
-that support BSD authentication.
-
-=item -b
-
-The B<-b> (I<background>) option tells B<sudo> to run the given
-command in the background. Note that if you use the B<-b>
-option you cannot use shell job control to manipulate the process.
-
-=item -C I<fd>
-
-Normally, B<sudo> will close all open file descriptors other than
-standard input, standard output and standard error. The B<-C>
-(I<close from>) option allows the user to specify a starting point
-above the standard error (file descriptor three). Values less than
-three are not permitted. This option is only available if the
-administrator has enabled the I<closefrom_override> option in
-L<sudoers(5)>.
-
-=item -c I<class>
-
-The B<-c> (I<class>) option causes B<sudo> to run the specified command
-with resources limited by the specified login class. The I<class>
-argument can be either a class name as defined in F</etc/login.conf>,
-or a single '-' character. Specifying a I<class> of C<-> indicates
-that the command should be run restricted by the default login
-capabilities for the user the command is run as. If the I<class>
-argument specifies an existing user class, the command must be run
-as root, or the B<sudo> command must be run from a shell that is already
-root. This option is only available on systems with BSD login classes.
-
-=item -E
-
-The B<-E> (I<preserve> I<environment>) option will override the
-I<env_reset> option in L<sudoers(5)>). It is only
-available when either the matching command has the C<SETENV> tag
-or the I<setenv> option is set in L<sudoers(5)>.
-
-=item -e
-
-The B<-e> (I<edit>) option indicates that, instead of running
-a command, the user wishes to edit one or more files. In lieu
-of a command, the string "sudoedit" is used when consulting
-the I<sudoers> file. If the user is authorized by I<sudoers>
-the following steps are taken:
-
-=over 4
-
-=item 1.
-
-Temporary copies are made of the files to be edited with the owner
-set to the invoking user.
-
-=item 2.
-
-The editor specified by the C<SUDO_EDITOR>, C<VISUAL> or C<EDITOR>
-environment variables is run to edit the temporary files. If none
-of C<SUDO_EDITOR>, C<VISUAL> or C<EDITOR> are set, the first program
-listed in the I<editor> I<sudoers> variable is used.
-
-=item 3.
-
-If they have been modified, the temporary files are copied back to
-their original location and the temporary versions are removed.
-
-=back
-
-If the specified file does not exist, it will be created. Note
-that unlike most commands run by B<sudo>, the editor is run with
-the invoking user's environment unmodified. If, for some reason,
-B<sudo> is unable to update a file with its edited version, the
-user will receive a warning and the edited copy will remain in a
-temporary file.
-
-=item -g I<group>
-
-Normally, B<sudo> sets the primary group to the one specified by
-the passwd database for the user the command is being run as (by
-default, root). The B<-g> (I<group>) option causes B<sudo> to run
-the specified command with the primary group set to I<group>. To
-specify a I<gid> instead of a I<group name>, use I<#gid>. When
-running commands as a I<gid>, many shells require that the '#' be
-escaped with a backslash ('\'). If no B<-u> option is specified,
-the command will be run as the invoking user (not root). In either
-case, the primary group will be set to I<group>.
-
-=item -H
-
-The B<-H> (I<HOME>) option sets the C<HOME> environment variable
-to the homedir of the target user (root by default) as specified
-in passwd(5). The default handling of the C<HOME> environment
-variable depends on L<sudoers(5)> settings. By default, B<sudo>
-will set C<HOME> if I<env_reset> or I<always_set_home> are set, or
-if I<set_home> is set and the B<-s> option is specified on the
-command line.
-
-=item -h
-
-The B<-h> (I<help>) option causes B<sudo> to print a short help message
-to the standard output and exit.
-
-=item -i [command]
-
-The B<-i> (I<simulate initial login>) option runs the shell specified
-in the L<passwd(5)> entry of the target user as a login shell. This
-means that login-specific resource files such as C<.profile> or
-C<.login> will be read by the shell. If a command is specified,
-it is passed to the shell for execution. Otherwise, an interactive
-shell is executed. B<sudo> attempts to change to that user's home
-directory before running the shell. It also initializes the
-environment, leaving I<DISPLAY> and I<TERM> unchanged, setting
-I<HOME>, I<MAIL>, I<SHELL>, I<USER>, I<LOGNAME>, and I<PATH>, as well as
-the contents of F</etc/environment> on Linux and AIX systems.
-All other environment variables are removed.
-
-=item -K
-
-The B<-K> (sure I<kill>) option is like B<-k> except that it removes
-the user's time stamp entirely and may not be used in conjunction
-with a command or other option. This option does not require a
-password.
-
-=item -k
-
-When used by itself, the B<-k> (I<kill>) option to B<sudo> invalidates
-the user's time stamp by setting the time on it to the Epoch. The
-next time B<sudo> is run a password will be required. This option
-does not require a password and was added to allow a user to revoke
-B<sudo> permissions from a .logout file.
-
-When used in conjunction with a command or an option that may require
-a password, the B<-k> option will cause B<sudo> to ignore the user's
-time stamp file. As a result, B<sudo> will prompt for a password
-(if one is required by I<sudoers>) and will not update the user's
-time stamp file.
-
-=item -L
-
-The B<-L> (I<list> defaults) option will list the parameters that
-may be set in a I<Defaults> line along with a short description for
-each. This option will be removed from a future version of B<sudo>.
-
-=item -l[l] [I<command>]
-
-If no I<command> is specified, the B<-l> (I<list>) option will list
-the allowed (and forbidden) commands for the invoking user (or the
-user specified by the B<-U> option) on the current host. If a
-I<command> is specified and is permitted by I<sudoers>, the
-fully-qualified path to the command is displayed along with any
-command line arguments. If I<command> is specified but not allowed,
-B<sudo> will exit with a status value of 1. If the B<-l> option is
-specified with an B<l> argument (i.e. B<-ll>), or if B<-l>
-is specified multiple times, a longer list format is used.
-
-=item -n
-
-The B<-n> (I<non-interactive>) option prevents B<sudo> from prompting
-the user for a password. If a password is required for the command
-to run, B<sudo> will display an error message and exit.
-
-=item -P
-
-The B<-P> (I<preserve> I<group vector>) option causes B<sudo> to
-preserve the invoking user's group vector unaltered. By default,
-B<sudo> will initialize the group vector to the list of groups the
-target user is in. The real and effective group IDs, however, are
-still set to match the target user.
-
-=item -p I<prompt>
-
-The B<-p> (I<prompt>) option allows you to override the default
-password prompt and use a custom one. The following percent (`C<%>')
-escapes are supported:
-
-=over 4
-
-=item C<%H>
-
-expanded to the local host name including the domain name
-(on if the machine's host name is fully qualified or the I<fqdn>
-I<sudoers> option is set)
-
-=item C<%h>
-
-expanded to the local host name without the domain name
-
-=item C<%p>
-
-expanded to the user whose password is being asked for (respects the
-I<rootpw>, I<targetpw> and I<runaspw> flags in I<sudoers>)
-
-=item C<%U>
-
-expanded to the login name of the user the command will
-be run as (defaults to root)
-
-=item C<%u>
-
-expanded to the invoking user's login name
-
-=item C<%%>
-
-two consecutive C<%> characters are collapsed into a single C<%> character
-
-=back
-
-The prompt specified by the B<-p> option will override the system
-password prompt on systems that support PAM unless the
-I<passprompt_override> flag is disabled in I<sudoers>.
-
-=item -r I<role>
-
-The B<-r> (I<role>) option causes the new (SELinux) security context to
-have the role specified by I<role>.
-
-=item -S
-
-The B<-S> (I<stdin>) option causes B<sudo> to read the password from
-the standard input instead of the terminal device. The password must
-be followed by a newline character.
-
-=item -s [command]
-
-The B<-s> (I<shell>) option runs the shell specified by the I<SHELL>
-environment variable if it is set or the shell as specified in
-L<passwd(5)>. If a command is specified, it is passed to the shell
-for execution. Otherwise, an interactive shell is executed.
-
-=item -t I<type>
-
-The B<-t> (I<type>) option causes the new (SELinux) security context to
-have the type specified by I<type>. If no type is specified, the default
-type is derived from the specified role.
-
-=item -U I<user>
-
-The B<-U> (I<other user>) option is used in conjunction with the B<-l>
-option to specify the user whose privileges should be listed. Only
-root or a user with B<sudo> C<ALL> on the current host may use this
-option.
-
-=item -u I<user>
-
-The B<-u> (I<user>) option causes B<sudo> to run the specified
-command as a user other than I<root>. To specify a I<uid> instead
-of a I<user name>, use I<#uid>. When running commands as a I<uid>,
-many shells require that the '#' be escaped with a backslash ('\').
-Note that if the I<targetpw> Defaults option is set (see L<sudoers(5)>)
-it is not possible to run commands with a uid not listed in the
-password database.
-
-=item -V
-
-The B<-V> (I<version>) option causes B<sudo> to print the version
-number and exit. If the invoking user is already root the B<-V>
-option will print out a list of the defaults B<sudo> was compiled
-with as well as the machine's local network addresses.
-
-=item -v
-
-If given the B<-v> (I<validate>) option, B<sudo> will update the
-user's time stamp, prompting for the user's password if necessary.
-This extends the B<sudo> timeout for another C<@timeout@> minutes
-(or whatever the timeout is set to in I<sudoers>) but does not run
-a command.
-
-=item --
-
-The B<--> option indicates that B<sudo> should stop processing command
-line arguments.
-
-=back
-
-Environment variables to be set for the command may also be passed
-on the command line in the form of B<VAR>=I<value>, e.g.
-B<LD_LIBRARY_PATH>=I</usr/local/pkg/lib>. Variables passed on the
-command line are subject to the same restrictions as normal environment
-variables with one important exception. If the I<setenv> option
-is set in I<sudoers>, the command to be run has the C<SETENV> tag
-set or the command matched is C<ALL>, the user may set variables
-that would overwise be forbidden. See L<sudoers(5)> for more information.
-
-=head1 EXIT VALUE
-
-Upon successful execution of a program, the exit status from B<sudo>
-will simply be the exit status of the program that was executed.
-
-Otherwise, B<sudo> quits with an exit value of 1 if there is a
-configuration/permission problem or if B<sudo> cannot execute the
-given command. In the latter case the error string is printed to
-stderr. If B<sudo> cannot L<stat(2)> one or more entries in the user's
-C<PATH> an error is printed on stderr. (If the directory does not
-exist or if it is not really a directory, the entry is ignored and
-no error is printed.) This should not happen under normal
-circumstances. The most common reason for L<stat(2)> to return
-"permission denied" is if you are running an automounter and one
-of the directories in your C<PATH> is on a machine that is currently
-unreachable.
-
-=head1 SECURITY NOTES
-
-B<sudo> tries to be safe when executing external commands.
-
-There are two distinct ways to deal with environment variables. By
-default, the I<env_reset> I<sudoers> option is enabled. This causes
-commands to be executed with a new, minimal environment containing.
-On AIX (and Linux systems without PAM), the environment is initialized
-with the contents of the F</etc/environment> file. On BSD systems,
-if the I<use_loginclass> option is enabled, the environment is
-initialized based on the I<path> and I<setenv> settings in
-F</etc/login.conf>. The new environment contains the C<TERM>,
-C<PATH>, C<HOME>, C<MAIL>, C<SHELL>, C<LOGNAME>, C<USER>, C<USERNAME>
-and C<SUDO_*> variables in addition to variables from the invoking
-process permitted by the I<env_check> and I<env_keep> options. This
-is effectively a whitelist for environment variables.
-
-If, however, the I<env_reset> option is disabled in I<sudoers>, any
-variables not explicitly denied by the I<env_check> and I<env_delete>
-options are inherited from the invoking process. In this case,
-I<env_check> and I<env_delete> behave like a blacklist. Since it
-is not possible to blacklist all potentially dangerous environment
-variables, use of the default I<env_reset> behavior is encouraged.
-
-In all cases, environment variables with a value beginning with
-C<()> are removed as they could be interpreted as B<bash> functions.
-The list of environment variables that B<sudo> allows or denies is
-contained in the output of C<sudo -V> when run as root.
-
-Note that the dynamic linker on most operating systems will remove
-variables that can control dynamic linking from the environment of
-setuid executables, including B<sudo>. Depending on the operating
-system this may include C<_RLD*>, C<DYLD_*>, C<LD_*>, C<LDR_*>,
-C<LIBPATH>, C<SHLIB_PATH>, and others. These type of variables are
-removed from the environment before B<sudo> even begins execution
-and, as such, it is not possible for B<sudo> to preserve them.
-
-To prevent command spoofing, B<sudo> checks "." and "" (both denoting
-current directory) last when searching for a command in the user's
-PATH (if one or both are in the PATH). Note, however, that the
-actual C<PATH> environment variable is I<not> modified and is passed
-unchanged to the program that B<sudo> executes.
-
-B<sudo> will check the ownership of its time stamp directory
-(F<@timedir@> by default) and ignore the directory's contents if
-it is not owned by root or if it is writable by a user other than
-root. On systems that allow non-root users to give away files via
-L<chown(2)>, if the time stamp directory is located in a directory
-writable by anyone (e.g., F</tmp>), it is possible for a user to
-create the time stamp directory before B<sudo> is run. However,
-because B<sudo> checks the ownership and mode of the directory and
-its contents, the only damage that can be done is to "hide" files
-by putting them in the time stamp dir. This is unlikely to happen
-since once the time stamp dir is owned by root and inaccessible by
-any other user, the user placing files there would be unable to get
-them back out. To get around this issue you can use a directory
-that is not world-writable for the time stamps (F</var/adm/sudo> for
-instance) or create F<@timedir@> with the appropriate owner (root)
-and permissions (0700) in the system startup files.
-
-B<sudo> will not honor time stamps set far in the future.
-Timestamps with a date greater than current_time + 2 * C<TIMEOUT>
-will be ignored and sudo will log and complain. This is done to
-keep a user from creating his/her own time stamp with a bogus
-date on systems that allow users to give away files.
-
-On systems where the boot time is available, B<sudo> will also not
-honor time stamps from before the machine booted.
-
-Since time stamp files live in the file system, they can outlive a
-user's login session. As a result, a user may be able to login,
-run a command with B<sudo> after authenticating, logout, login
-again, and run B<sudo> without authenticating so long as the time
-stamp file's modification time is within C<@timeout@> minutes (or
-whatever the timeout is set to in I<sudoers>). When the I<tty_tickets>
-option is enabled in I<sudoers>, the time stamp has per-tty granularity
-but still may outlive the user's session. On Linux systems where
-the devpts filesystem is used, Solaris systems with the devices
-filesystem, as well as other systems that utilize a devfs filesystem
-that monotonically increase the inode number of devices as they are
-created (such as Mac OS X), B<sudo> is able to determine when a
-tty-based time stamp file is stale and will ignore it. Administrators
-should not rely on this feature as it is not universally available.
-
-Please note that B<sudo> will normally only log the command it
-explicitly runs. If a user runs a command such as C<sudo su> or
-C<sudo sh>, subsequent commands run from that shell will I<not> be
-logged, nor will B<sudo>'s access control affect them. The same
-is true for commands that offer shell escapes (including most
-editors). Because of this, care must be taken when giving users
-access to commands via B<sudo> to verify that the command does not
-inadvertently give the user an effective root shell. For more
-information, please see the C<PREVENTING SHELL ESCAPES> section in
-L<sudoers(5)>.
-
-=head1 ENVIRONMENT
-
-B<sudo> utilizes the following environment variables:
-
-=over 16
-
-=item C<EDITOR>
-
-Default editor to use in B<-e> (sudoedit) mode if neither C<SUDO_EDITOR>
-nor C<VISUAL> is set.
-
-=item C<MAIL>
-
-In B<-i> mode or when I<env_reset> is enabled in I<sudoers>, set
-to the mail spool of the target user.
-
-=item C<HOME>
-
-Set to the home directory of the target user if B<-i> or B<-H> are
-specified, I<env_reset> or I<always_set_home> are set in I<sudoers>,
-or when the B<-s> option is specified and I<set_home> is set in
-I<sudoers>.
-
-=item C<PATH>
-
-Set to a sane value if the I<secure_path> sudoers option is set.
-
-=item C<SHELL>
-
-Used to determine shell to run with B<-s> option.
-
-=item C<SUDO_ASKPASS>
-
-Specifies the path to a helper program used to read the password
-if no terminal is available or if the B<-A> option is specified.
-
-=item C<SUDO_COMMAND>
-
-Set to the command run by sudo.
-
-=item C<SUDO_EDITOR>
-
-Default editor to use in B<-e> (sudoedit) mode.
-
-=item C<SUDO_GID>
-
-Set to the group ID of the user who invoked sudo.
-
-=item C<SUDO_PROMPT>
-
-Used as the default password prompt.
-
-=item C<SUDO_PS1>
-
-If set, C<PS1> will be set to its value for the program being run.
-
-=item C<SUDO_UID>
-
-Set to the user ID of the user who invoked sudo.
-
-=item C<SUDO_USER>
-
-Set to the login of the user who invoked sudo.
-
-=item C<USER>
-
-Set to the target user (root unless the B<-u> option is specified).
-
-=item C<VISUAL>
-
-Default editor to use in B<-e> (sudoedit) mode if C<SUDO_EDITOR>
-is not set.
-
-=back
-
-=head1 FILES
-
-=over 24
-
-=item F<@sysconfdir@/sudoers>
-
-List of who can run what
-
-=item F<@timedir@>
-
-Directory containing time stamps
-
-=item F</etc/environment>
-
-Initial environment for B<-i> mode on AIX and Linux systems
-
-=back
-
-=head1 EXAMPLES
-
-Note: the following examples assume suitable L<sudoers(5)> entries.
-
-To get a file listing of an unreadable directory:
-
- $ sudo ls /usr/local/protected
-
-To list the home directory of user yaz on a machine where the
-file system holding ~yaz is not exported as root:
-
- $ sudo -u yaz ls ~yaz
-
-To edit the F<index.html> file as user www:
-
- $ sudo -u www vi ~www/htdocs/index.html
-
-To view system logs only accessible to root and users in the adm group:
-
- $ sudo -g adm view /var/log/syslog
-
-To run an editor as jim with a different primary group:
-
- $ sudo -u jim -g audio vi ~jim/sound.txt
-
-To shutdown a machine:
-
- $ sudo shutdown -r +15 "quick reboot"
-
-To make a usage listing of the directories in the /home
-partition. Note that this runs the commands in a sub-shell
-to make the C<cd> and file redirection work.
-
- $ sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
-
-=head1 SEE ALSO
-
-L<grep(1)>, L<su(1)>, L<stat(2)>,
-L<login_cap(3)>,
-L<passwd(5)>, L<sudoers(5)>, L<visudo(8)>
-
-=head1 AUTHORS
-
-Many people have worked on B<sudo> over the years; this
-version consists of code written primarily by:
-
- Todd C. Miller
-
-See the HISTORY file in the B<sudo> distribution or visit
-http://www.sudo.ws/sudo/history.html for a short history
-of B<sudo>.
-
-=head1 CAVEATS
-
-There is no easy way to prevent a user from gaining a root shell
-if that user is allowed to run arbitrary commands via B<sudo>.
-Also, many programs (such as editors) allow the user to run commands
-via shell escapes, thus avoiding B<sudo>'s checks. However, on
-most systems it is possible to prevent shell escapes with B<sudo>'s
-I<noexec> functionality. See the L<sudoers(5)> manual
-for details.
-
-It is not meaningful to run the C<cd> command directly via sudo, e.g.,
-
- $ sudo cd /usr/local/protected
-
-since when the command exits the parent process (your shell) will
-still be the same. Please see the EXAMPLES section for more information.
-
-If users have sudo C<ALL> there is nothing to prevent them from
-creating their own program that gives them a root shell regardless
-of any '!' elements in the user specification.
-
-Running shell scripts via B<sudo> can expose the same kernel bugs that
-make setuid shell scripts unsafe on some operating systems (if your OS
-has a /dev/fd/ directory, setuid shell scripts are generally safe).
-
-=head1 BUGS
-
-If you feel you have found a bug in B<sudo>, please submit a bug report
-at http://www.sudo.ws/sudo/bugs/
-
-=head1 SUPPORT
-
-Limited free support is available via the sudo-users mailing list,
-see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
-search the archives.
-
-=head1 DISCLAIMER
-
-B<sudo> is provided ``AS IS'' and any express or implied warranties,
-including, but not limited to, the implied warranties of merchantability
-and fitness for a particular purpose are disclaimed. See the LICENSE
-file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
-for complete details.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
+SUDOERS(4) Programmer's Manual SUDOERS(4)
N\bNA\bAM\bME\bE
- sudoers - list of which users may execute what
+ s\bsu\bud\bdo\boe\ber\brs\bs - list of which users may execute what
D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- The _\bs_\bu_\bd_\bo_\be_\br_\bs file is composed of two types of entries: aliases
- (basically variables) and user specifications (which specify who may
- run what).
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs file is composed of two types of entries: aliases (basically
+ variables) and user specifications (which specify who may run what).
- When multiple entries match for a user, they are applied in order.
- Where there are multiple matches, the last match is used (which is not
- necessarily the most specific match).
+ When multiple entries match for a user, they are applied in order. Where
+ there are multiple matches, the last match is used (which is not
+ necessarily the most specific match).
- The _\bs_\bu_\bd_\bo_\be_\br_\bs grammar will be described below in Extended Backus-Naur
- Form (EBNF). Don't despair if you don't know what EBNF is; it is
- fairly simple, and the definitions below are annotated.
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs grammar will be described below in Extended Backus-Naur Form
+ (EBNF). Don't despair if you are unfamiliar with EBNF; it is fairly
+ simple, and the definitions below are annotated.
Q\bQu\bui\bic\bck\bk g\bgu\bui\bid\bde\be t\bto\bo E\bEB\bBN\bNF\bF
- EBNF is a concise and exact way of describing the grammar of a
- language. Each EBNF definition is made up of _\bp_\br_\bo_\bd_\bu_\bc_\bt_\bi_\bo_\bn _\br_\bu_\bl_\be_\bs. E.g.,
+ EBNF is a concise and exact way of describing the grammar of a language.
+ Each EBNF definition is made up of _\bp_\br_\bo_\bd_\bu_\bc_\bt_\bi_\bo_\bn _\br_\bu_\bl_\be_\bs. E.g.,
- symbol ::= definition | alternate1 | alternate2 ...
+ symbol ::= definition | alternate1 | alternate2 ...
- Each _\bp_\br_\bo_\bd_\bu_\bc_\bt_\bi_\bo_\bn _\br_\bu_\bl_\be references others and thus makes up a grammar for
- the language. EBNF also contains the following operators, which many
- readers will recognize from regular expressions. Do not, however,
- confuse them with "wildcard" characters, which have different meanings.
+ Each _\bp_\br_\bo_\bd_\bu_\bc_\bt_\bi_\bo_\bn _\br_\bu_\bl_\be references others and thus makes up a grammar for
+ the language. EBNF also contains the following operators, which many
+ readers will recognize from regular expressions. Do not, however,
+ confuse them with ``wildcard'' characters, which have different meanings.
- ? Means that the preceding symbol (or group of symbols) is optional.
+ ? Means that the preceding symbol (or group of symbols) is optional.
That is, it may appear once or not at all.
- * Means that the preceding symbol (or group of symbols) may appear
+ * Means that the preceding symbol (or group of symbols) may appear
zero or more times.
- + Means that the preceding symbol (or group of symbols) may appear
+ + Means that the preceding symbol (or group of symbols) may appear
one or more times.
- Parentheses may be used to group symbols together. For clarity, we
- will use single quotes ('') to designate what is a verbatim character
- string (as opposed to a symbol name).
+ Parentheses may be used to group symbols together. For clarity, we will
+ use single quotes ('') to designate what is a verbatim character string
+ (as opposed to a symbol name).
A\bAl\bli\bia\bas\bse\bes\bs
- There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias
- and Cmnd_Alias.
+ There are four kinds of aliases: User_Alias, Runas_Alias, Host_Alias and
+ Cmnd_Alias.
- Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
- 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
- 'Host_Alias' Host_Alias (':' Host_Alias)* |
- 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
-
- User_Alias ::= NAME '=' User_List
-
- Runas_Alias ::= NAME '=' Runas_List
-
- Host_Alias ::= NAME '=' Host_List
-
- Cmnd_Alias ::= NAME '=' Cmnd_List
-
- NAME ::= [A-Z]([A-Z][0-9]_)*
-
- Each _\ba_\bl_\bi_\ba_\bs definition is of the form
-
- Alias_Type NAME = item1, item2, ...
-
- where _\bA_\bl_\bi_\ba_\bs_\b__\bT_\by_\bp_\be is one of User_Alias, Runas_Alias, Host_Alias, or
- Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and
- underscore characters ('_'). A NAME m\bmu\bus\bst\bt start with an uppercase
- letter. It is possible to put several alias definitions of the same
- type on a single line, joined by a colon (':'). E.g.,
-
- Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
-
- The definitions of what constitutes a valid _\ba_\bl_\bi_\ba_\bs member follow.
-
- User_List ::= User |
- User ',' User_List
-
- User ::= '!'* user name |
- '!'* #uid |
- '!'* %group |
- '!'* %#gid |
- '!'* +netgroup |
- '!'* %:nonunix_group |
- '!'* %:#nonunix_gid |
- '!'* User_Alias
-
- A User_List is made up of one or more user names, user ids (prefixed
- with '#'), system group names and ids (prefixed with '%' and '%#'
- respectively), netgroups (prefixed with '+'), non-Unix group names and
- IDs (prefixed with '%:' and '%:#' respectively) and User_Aliases. Each
- list item may be prefixed with zero or more '!' operators. An odd
- number of '!' operators negate the value of the item; an even number
- just cancel each other out.
-
- A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid
- may be enclosed in double quotes to avoid the need for escaping special
- characters. Alternately, special characters may be specified in
- escaped hex mode, e.g. \x20 for space. When using double quotes, any
- prefix characters must be included inside the quotes.
-
- The nonunix_group and nonunix_gid syntax depends on the underlying
- implementation. For instance, the QAS AD backend supports the
- following formats:
-
- o Group in the same domain: "%:Group Name"
-
- o Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
-
- o Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
-
- Note that quotes around group names are optional. Unquoted strings
- must use a backslash (\) to escape spaces and special characters. See
- "Other special characters and reserved words" for a list of characters
- that need to be escaped.
-
- Runas_List ::= Runas_Member |
- Runas_Member ',' Runas_List
-
- Runas_Member ::= '!'* user name |
- '!'* #uid |
- '!'* %group |
- '!'* %#gid |
- '!'* %:nonunix_group |
- '!'* %:#nonunix_gid |
- '!'* +netgroup |
- '!'* Runas_Alias
-
- A Runas_List is similar to a User_List except that instead of
- User_Aliases it can contain Runas_Aliases. Note that user names and
- groups are matched as strings. In other words, two users (groups) with
- the same uid (gid) are considered to be distinct. If you wish to match
- all user names with the same uid (e.g. root and toor), you can use a
- uid instead (#0 in the example given).
-
- Host_List ::= Host |
- Host ',' Host_List
-
- Host ::= '!'* host name |
- '!'* ip_addr |
- '!'* network(/netmask)? |
- '!'* +netgroup |
- '!'* Host_Alias
-
- A Host_List is made up of one or more host names, IP addresses, network
- numbers, netgroups (prefixed with '+') and other aliases. Again, the
- value of an item may be negated with the '!' operator. If you do not
- specify a netmask along with the network number, s\bsu\bud\bdo\bo will query each
- of the local host's network interfaces and, if the network number
- corresponds to one of the hosts's network interfaces, the corresponding
- netmask will be used. The netmask may be specified either in standard
- IP address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or
- CIDR notation (number of bits, e.g. 24 or 64). A host name may include
- shell-style wildcards (see the Wildcards section below), but unless the
- host name command on your machine returns the fully qualified host
- name, you'll need to use the _\bf_\bq_\bd_\bn option for wildcards to be useful.
- Note s\bsu\bud\bdo\bo only inspects actual network interfaces; this means that IP
- address 127.0.0.1 (localhost) will never match. Also, the host name
- "localhost" will only match if that is the actual host name, which is
- usually only the case for non-networked systems.
-
- Cmnd_List ::= Cmnd |
- Cmnd ',' Cmnd_List
-
- commandname ::= file name |
- file name args |
- file name '""'
-
- Cmnd ::= '!'* commandname |
- '!'* directory |
- '!'* "sudoedit" |
- '!'* Cmnd_Alias
-
- A Cmnd_List is a list of one or more commandnames, directories, and
- other aliases. A commandname is a fully qualified file name which may
- include shell-style wildcards (see the Wildcards section below). A
- simple file name allows the user to run the command with any arguments
- he/she wishes. However, you may also specify command line arguments
- (including wildcards). Alternately, you can specify "" to indicate
- that the command may only be run w\bwi\bit\bth\bho\bou\but\bt command line arguments. A
- directory is a fully qualified path name ending in a '/'. When you
- specify a directory in a Cmnd_List, the user will be able to run any
- file within that directory (but not in any subdirectories therein).
-
- If a Cmnd has associated command line arguments, then the arguments in
- the Cmnd must match exactly those given by the user on the command line
- (or match the wildcards if there are any). Note that the following
- characters must be escaped with a '\' if they are used in command
- arguments: ',', ':', '=', '\'. The special command "sudoedit" is used
- to permit a user to run s\bsu\bud\bdo\bo with the -\b-e\be option (or as s\bsu\bud\bdo\boe\bed\bdi\bit\bt). It
- may take command line arguments just as a normal command does.
+ Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
+ 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
+ 'Host_Alias' Host_Alias (':' Host_Alias)* |
+ 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
+
+ User_Alias ::= NAME '=' User_List
+
+ Runas_Alias ::= NAME '=' Runas_List
+
+ Host_Alias ::= NAME '=' Host_List
+
+ Cmnd_Alias ::= NAME '=' Cmnd_List
+
+ NAME ::= [A-Z]([A-Z][0-9]_)*
+
+ Each _\ba_\bl_\bi_\ba_\bs definition is of the form
+
+ Alias_Type NAME = item1, item2, ...
+
+ where _\bA_\bl_\bi_\ba_\bs_\b__\bT_\by_\bp_\be is one of User_Alias, Runas_Alias, Host_Alias, or
+ Cmnd_Alias. A NAME is a string of uppercase letters, numbers, and
+ underscore characters (`_'). A NAME m\bmu\bus\bst\bt start with an uppercase letter.
+ It is possible to put several alias definitions of the same type on a
+ single line, joined by a colon (`:'). E.g.,
+
+ Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
+
+ The definitions of what constitutes a valid _\ba_\bl_\bi_\ba_\bs member follow.
+
+ User_List ::= User |
+ User ',' User_List
+
+ User ::= '!'* user name |
+ '!'* #uid |
+ '!'* %group |
+ '!'* %#gid |
+ '!'* +netgroup |
+ '!'* %:nonunix_group |
+ '!'* %:#nonunix_gid |
+ '!'* User_Alias
+
+ A User_List is made up of one or more user names, user ids (prefixed with
+ `#'), system group names and ids (prefixed with `%' and `%#'
+ respectively), netgroups (prefixed with `+'), non-Unix group names and
+ IDs (prefixed with `%:' and `%:#' respectively) and User_Aliases. Each
+ list item may be prefixed with zero or more `!' operators. An odd number
+ of `!' operators negate the value of the item; an even number just cancel
+ each other out.
+
+ A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid may
+ be enclosed in double quotes to avoid the need for escaping special
+ characters. Alternately, special characters may be specified in escaped
+ hex mode, e.g. \x20 for space. When using double quotes, any prefix
+ characters must be included inside the quotes.
+
+ The actual nonunix_group and nonunix_gid syntax depends on the underlying
+ implementation. For instance, the QAS AD backend supports the following
+ formats:
+
+ o\bo Group in the same domain: "%:Group Name"
+
+ o\bo Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
+
+ o\bo Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
+
+ Note that quotes around group names are optional. Unquoted strings must
+ use a backslash (`\') to escape spaces and special characters. See _\bO_\bt_\bh_\be_\br
+ _\bs_\bp_\be_\bc_\bi_\ba_\bl _\bc_\bh_\ba_\br_\ba_\bc_\bt_\be_\br_\bs _\ba_\bn_\bd _\br_\be_\bs_\be_\br_\bv_\be_\bd _\bw_\bo_\br_\bd_\bs for a list of characters that need
+ to be escaped.
+
+ Runas_List ::= Runas_Member |
+ Runas_Member ',' Runas_List
+
+ Runas_Member ::= '!'* user name |
+ '!'* #uid |
+ '!'* %group |
+ '!'* %#gid |
+ '!'* %:nonunix_group |
+ '!'* %:#nonunix_gid |
+ '!'* +netgroup |
+ '!'* Runas_Alias
+
+ A Runas_List is similar to a User_List except that instead of
+ User_Aliases it can contain Runas_Aliases. Note that user names and
+ groups are matched as strings. In other words, two users (groups) with
+ the same uid (gid) are considered to be distinct. If you wish to match
+ all user names with the same uid (e.g. root and toor), you can use a uid
+ instead (#0 in the example given).
+
+ Host_List ::= Host |
+ Host ',' Host_List
+
+ Host ::= '!'* host name |
+ '!'* ip_addr |
+ '!'* network(/netmask)? |
+ '!'* +netgroup |
+ '!'* Host_Alias
+
+ A Host_List is made up of one or more host names, IP addresses, network
+ numbers, netgroups (prefixed with `+') and other aliases. Again, the
+ value of an item may be negated with the `!' operator. If you do not
+ specify a netmask along with the network number, s\bsu\bud\bdo\bo will query each of
+ the local host's network interfaces and, if the network number
+ corresponds to one of the hosts's network interfaces, the corresponding
+ netmask will be used. The netmask may be specified either in standard IP
+ address notation (e.g. 255.255.255.0 or ffff:ffff:ffff:ffff::), or CIDR
+ notation (number of bits, e.g. 24 or 64). A host name may include shell-
+ style wildcards (see the _\bW_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs section below), but unless the host
+ name command on your machine returns the fully qualified host name,
+ you'll need to use the _\bf_\bq_\bd_\bn option for wildcards to be useful. Note that
+ s\bsu\bud\bdo\bo only inspects actual network interfaces; this means that IP address
+ 127.0.0.1 (localhost) will never match. Also, the host name
+ ``localhost'' will only match if that is the actual host name, which is
+ usually only the case for non-networked systems.
+
+ Cmnd_List ::= Cmnd |
+ Cmnd ',' Cmnd_List
+
+ command name ::= file name |
+ file name args |
+ file name '""'
+
+ Cmnd ::= '!'* command name |
+ '!'* directory |
+ '!'* "sudoedit" |
+ '!'* Cmnd_Alias
+
+ A Cmnd_List is a list of one or more command names, directories, and
+ other aliases. A command name is a fully qualified file name which may
+ include shell-style wildcards (see the _\bW_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs section below). A
+ simple file name allows the user to run the command with any arguments
+ he/she wishes. However, you may also specify command line arguments
+ (including wildcards). Alternately, you can specify "" to indicate that
+ the command may only be run w\bwi\bit\bth\bho\bou\but\bt command line arguments. A directory
+ is a fully qualified path name ending in a `/'. When you specify a
+ directory in a Cmnd_List, the user will be able to run any file within
+ that directory (but not in any sub-directories therein).
+
+ If a Cmnd has associated command line arguments, then the arguments in
+ the Cmnd must match exactly those given by the user on the command line
+ (or match the wildcards if there are any). Note that the following
+ characters must be escaped with a `\' if they are used in command
+ arguments: `,', `:', `=', `\'. The special command ``sudoedit'' is used
+ to permit a user to run s\bsu\bud\bdo\bo with the -\b-e\be option (or as s\bsu\bud\bdo\boe\bed\bdi\bit\bt). It may
+ take command line arguments just as a normal command does.
D\bDe\bef\bfa\bau\bul\blt\bts\bs
- Certain configuration options may be changed from their default values
- at runtime via one or more Default_Entry lines. These may affect all
- users on any host, all users on a specific host, a specific user, a
- specific command, or commands being run as a specific user. Note that
- per-command entries may not include command line arguments. If you
- need to specify arguments, define a Cmnd_Alias and reference that
- instead.
-
- Default_Type ::= 'Defaults' |
- 'Defaults' '@' Host_List |
- 'Defaults' ':' User_List |
- 'Defaults' '!' Cmnd_List |
- 'Defaults' '>' Runas_List
-
- Default_Entry ::= Default_Type Parameter_List
-
- Parameter_List ::= Parameter |
- Parameter ',' Parameter_List
-
- Parameter ::= Parameter '=' Value |
- Parameter '+=' Value |
- Parameter '-=' Value |
- '!'* Parameter
-
- Parameters may be f\bfl\bla\bag\bgs\bs, i\bin\bnt\bte\beg\bge\ber\br values, s\bst\btr\bri\bin\bng\bgs\bs, or l\bli\bis\bst\bts\bs. Flags are
- implicitly boolean and can be turned off via the '!' operator. Some
- integer, string and list parameters may also be used in a boolean
- context to disable them. Values may be enclosed in double quotes ("")
- when they contain multiple words. Special characters may be escaped
- with a backslash (\).
-
- Lists have two additional assignment operators, += and -=. These
- operators are used to add to and delete from a list respectively. It
- is not an error to use the -= operator to remove an element that does
- not exist in a list.
-
- Defaults entries are parsed in the following order: generic, host and
- user Defaults first, then runas Defaults and finally command defaults.
-
- See "SUDOERS OPTIONS" for a list of supported Defaults parameters.
+ Certain configuration options may be changed from their default values at
+ run-time via one or more Default_Entry lines. These may affect all users
+ on any host, all users on a specific host, a specific user, a specific
+ command, or commands being run as a specific user. Note that per-command
+ entries may not include command line arguments. If you need to specify
+ arguments, define a Cmnd_Alias and reference that instead.
+
+ Default_Type ::= 'Defaults' |
+ 'Defaults' '@' Host_List |
+ 'Defaults' ':' User_List |
+ 'Defaults' '!' Cmnd_List |
+ 'Defaults' '>' Runas_List
+
+ Default_Entry ::= Default_Type Parameter_List
+
+ Parameter_List ::= Parameter |
+ Parameter ',' Parameter_List
+
+ Parameter ::= Parameter '=' Value |
+ Parameter '+=' Value |
+ Parameter '-=' Value |
+ '!'* Parameter
+
+ Parameters may be f\bfl\bla\bag\bgs\bs, i\bin\bnt\bte\beg\bge\ber\br values, s\bst\btr\bri\bin\bng\bgs\bs, or l\bli\bis\bst\bts\bs. Flags are
+ implicitly boolean and can be turned off via the `!' operator. Some
+ integer, string and list parameters may also be used in a boolean context
+ to disable them. Values may be enclosed in double quotes ("") when they
+ contain multiple words. Special characters may be escaped with a
+ backslash (`\').
+
+ Lists have two additional assignment operators, += and -=. These
+ operators are used to add to and delete from a list respectively. It is
+ not an error to use the -= operator to remove an element that does not
+ exist in a list.
+
+ Defaults entries are parsed in the following order: generic, host and
+ user Defaults first, then runas Defaults and finally command defaults.
+
+ See _\bS_\bU_\bD_\bO_\bE_\bR_\bS _\bO_\bP_\bT_\bI_\bO_\bN_\bS for a list of supported Defaults parameters.
U\bUs\bse\ber\br S\bSp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn
- User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
- (':' Host_List '=' Cmnd_Spec_List)*
+ User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
+ (':' Host_List '=' Cmnd_Spec_List)*
+
+ Cmnd_Spec_List ::= Cmnd_Spec |
+ Cmnd_Spec ',' Cmnd_Spec_List
- Cmnd_Spec_List ::= Cmnd_Spec |
- Cmnd_Spec ',' Cmnd_Spec_List
+ Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd
- Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
+ Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
- Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
+ SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
- SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
+ Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
- Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
- 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
- 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
+ Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
+ 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
+ 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
- A u\bus\bse\ber\br s\bsp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn determines which commands a user may run (and as
- what user) on specified hosts. By default, commands are run as r\bro\boo\bot\bt,
- but this can be changed on a per-command basis.
+ A u\bus\bse\ber\br s\bsp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn determines which commands a user may run (and as
+ what user) on specified hosts. By default, commands are run as r\bro\boo\bot\bt, but
+ this can be changed on a per-command basis.
- The basic structure of a user specification is `who where = (as_whom)
- what'. Let's break that down into its constituent parts:
+ The basic structure of a user specification is ``who where = (as_whom)
+ what''. Let's break that down into its constituent parts:
R\bRu\bun\bna\bas\bs_\b_S\bSp\bpe\bec\bc
- A Runas_Spec determines the user and/or the group that a command may be
- run as. A fully-specified Runas_Spec consists of two Runas_Lists (as
- defined above) separated by a colon (':') and enclosed in a set of
- parentheses. The first Runas_List indicates which users the command
- may be run as via s\bsu\bud\bdo\bo's -\b-u\bu option. The second defines a list of
- groups that can be specified via s\bsu\bud\bdo\bo's -\b-g\bg option. If both Runas_Lists
- are specified, the command may be run with any combination of users and
- groups listed in their respective Runas_Lists. If only the first is
- specified, the command may be run as any user in the list but no -\b-g\bg
- option may be specified. If the first Runas_List is empty but the
- second is specified, the command may be run as the invoking user with
- the group set to any listed in the Runas_List. If no Runas_Spec is
- specified the command may be run as r\bro\boo\bot\bt and no group may be specified.
+ A Runas_Spec determines the user and/or the group that a command may be
+ run as. A fully-specified Runas_Spec consists of two Runas_Lists (as
+ defined above) separated by a colon (`:') and enclosed in a set of
+ parentheses. The first Runas_List indicates which users the command may
+ be run as via s\bsu\bud\bdo\bo's -\b-u\bu option. The second defines a list of groups that
+ can be specified via s\bsu\bud\bdo\bo's -\b-g\bg option. If both Runas_Lists are
+ specified, the command may be run with any combination of users and
+ groups listed in their respective Runas_Lists. If only the first is
+ specified, the command may be run as any user in the list but no -\b-g\bg
+ option may be specified. If the first Runas_List is empty but the second
+ is specified, the command may be run as the invoking user with the group
+ set to any listed in the Runas_List. If no Runas_Spec is specified the
+ command may be run as r\bro\boo\bot\bt and no group may be specified.
- A Runas_Spec sets the default for the commands that follow it. What
- this means is that for the entry:
+ A Runas_Spec sets the default for the commands that follow it. What this
+ means is that for the entry:
- dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
+ dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
- The user d\bdg\bgb\bb may run _\b/_\bb_\bi_\bn_\b/_\bl_\bs, _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm -- but only
- as o\bop\bpe\ber\bra\bat\bto\bor\br. E.g.,
+ The user d\bdg\bgb\bb may run _\b/_\bb_\bi_\bn_\b/_\bl_\bs, _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm--but only as
+ o\bop\bpe\ber\bra\bat\bto\bor\br. E.g.,
- $ sudo -u operator /bin/ls
+ $ sudo -u operator /bin/ls
- It is also possible to override a Runas_Spec later on in an entry. If
- we modify the entry like so:
+ It is also possible to override a Runas_Spec later on in an entry. If we
+ modify the entry like so:
- dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
+ dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
- Then user d\bdg\bgb\bb is now allowed to run _\b/_\bb_\bi_\bn_\b/_\bl_\bs as o\bop\bpe\ber\bra\bat\bto\bor\br, but _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl
- and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as r\bro\boo\bot\bt.
+ Then user d\bdg\bgb\bb is now allowed to run _\b/_\bb_\bi_\bn_\b/_\bl_\bs as o\bop\bpe\ber\bra\bat\bto\bor\br, but _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl
+ and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as r\bro\boo\bot\bt.
- We can extend this to allow d\bdg\bgb\bb to run /bin/ls with either the user or
- group set to o\bop\bpe\ber\bra\bat\bto\bor\br:
+ We can extend this to allow d\bdg\bgb\bb to run /bin/ls with either the user or
+ group set to o\bop\bpe\ber\bra\bat\bto\bor\br:
- dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\
- /usr/bin/lprm
+ dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\
+ /usr/bin/lprm
- Note that while the group portion of the Runas_Spec permits the user to
- run as command with that group, it does not force the user to do so.
- If no group is specified on the command line, the command will run with
- the group listed in the target user's password database entry. The
- following would all be permitted by the sudoers entry above:
+ Note that while the group portion of the Runas_Spec permits the user to
+ run as command with that group, it does not force the user to do so. If
+ no group is specified on the command line, the command will run with the
+ group listed in the target user's password database entry. The following
+ would all be permitted by the sudoers entry above:
- $ sudo -u operator /bin/ls
- $ sudo -u operator -g operator /bin/ls
- $ sudo -g operator /bin/ls
+ $ sudo -u operator /bin/ls
+ $ sudo -u operator -g operator /bin/ls
+ $ sudo -g operator /bin/ls
- In the following example, user t\btc\bcm\bm may run commands that access a modem
- device file with the dialer group.
+ In the following example, user t\btc\bcm\bm may run commands that access a modem
+ device file with the dialer group.
- tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\
- /usr/local/bin/minicom
+ tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\
+ /usr/local/bin/minicom
- Note that in this example only the group will be set, the command still
- runs as user t\btc\bcm\bm. E.g.
+ Note that in this example only the group will be set, the command still
+ runs as user t\btc\bcm\bm. E.g.
- $ sudo -g dialer /usr/bin/cu
+ $ sudo -g dialer /usr/bin/cu
- Multiple users and groups may be present in a Runas_Spec, in which case
- the user may select any combination of users and groups via the -\b-u\bu and
- -\b-g\bg options. In this example:
+ Multiple users and groups may be present in a Runas_Spec, in which case
+ the user may select any combination of users and groups via the -\b-u\bu and -\b-g\bg
+ options. In this example:
- alan ALL = (root, bin : operator, system) ALL
+ alan ALL = (root, bin : operator, system) ALL
- user a\bal\bla\ban\bn may run any command as either user root or bin, optionally
- setting the group to operator or system.
+ user a\bal\bla\ban\bn may run any command as either user root or bin, optionally
+ setting the group to operator or system.
S\bSE\bEL\bLi\bin\bnu\bux\bx_\b_S\bSp\bpe\bec\bc
- On systems with SELinux support, _\bs_\bu_\bd_\bo_\be_\br_\bs entries may optionally have an
- SELinux role and/or type associated with a command. If a role or type
- is specified with the command it will override any default values
- specified in _\bs_\bu_\bd_\bo_\be_\br_\bs. A role or type specified on the command line,
- however, will supercede the values in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+ On systems with SELinux support, _\bs_\bu_\bd_\bo_\be_\br_\bs entries may optionally have an
+ SELinux role and/or type associated with a command. If a role or type is
+ specified with the command it will override any default values specified
+ in _\bs_\bu_\bd_\bo_\be_\br_\bs. A role or type specified on the command line, however, will
+ supersede the values in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+
+ S\bSo\bol\bla\bar\bri\bis\bs_\b_P\bPr\bri\biv\bv_\b_S\bSp\bpe\bec\bc
+ On Solaris systems, _\bs_\bu_\bd_\bo_\be_\br_\bs entries may optionally specify Solaris
+ privilege set and/or limit privilege set associated with a command. If
+ privileges or limit privileges are specified with the command it will
+ override any default values specified in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+
+ A privilege set is a comma-separated list of privilege names. The
+ ppriv(1) command can be used to list all privileges known to the system.
+ For example:
+
+ $ ppriv -l
+
+ In addition, there are several ``special'' privilege strings:
+
+ none the empty set
+
+ all the set of all privileges
+
+ zone the set of all privileges available in the current zone
+
+ basic the default set of privileges normal users are granted at login
+ time
+
+ Privileges can be excluded from a set by prefixing the privilege name
+ with either an `!' or `-' character.
T\bTa\bag\bg_\b_S\bSp\bpe\bec\bc
- A command may have zero or more tags associated with it. There are ten
- possible tag values, NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV,
- LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a tag is set
- on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit the tag
- unless it is overridden by the opposite tag (in other words, PASSWD
- overrides NOPASSWD and NOEXEC overrides EXEC).
+ A command may have zero or more tags associated with it. There are ten
+ possible tag values: NOPASSWD, PASSWD, NOEXEC, EXEC, SETENV, NOSETENV,
+ LOG_INPUT, NOLOG_INPUT, LOG_OUTPUT and NOLOG_OUTPUT. Once a tag is set
+ on a Cmnd, subsequent Cmnds in the Cmnd_Spec_List, inherit the tag unless
+ it is overridden by the opposite tag (in other words, PASSWD overrides
+ NOPASSWD and NOEXEC overrides EXEC).
- _\bN_\bO_\bP_\bA_\bS_\bS_\bW_\bD _\ba_\bn_\bd _\bP_\bA_\bS_\bS_\bW_\bD
+ _\bN_\bO_\bP_\bA_\bS_\bS_\bW_\bD _\ba_\bn_\bd _\bP_\bA_\bS_\bS_\bW_\bD
- By default, s\bsu\bud\bdo\bo requires that a user authenticate him or herself
- before running a command. This behavior can be modified via the
- NOPASSWD tag. Like a Runas_Spec, the NOPASSWD tag sets a default for
- the commands that follow it in the Cmnd_Spec_List. Conversely, the
- PASSWD tag can be used to reverse things. For example:
+ By default, s\bsu\bud\bdo\bo requires that a user authenticate him or herself before
+ running a command. This behavior can be modified via the NOPASSWD tag.
+ Like a Runas_Spec, the NOPASSWD tag sets a default for the commands that
+ follow it in the Cmnd_Spec_List. Conversely, the PASSWD tag can be used
+ to reverse things. For example:
- ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
+ ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
- would allow the user r\bra\bay\by to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, _\b/_\bb_\bi_\bn_\b/_\bl_\bs, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm
- as r\bro\boo\bot\bt on the machine rushmore without authenticating himself. If we
- only want r\bra\bay\by to be able to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl without a password the entry
- would be:
+ would allow the user r\bra\bay\by to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl, _\b/_\bb_\bi_\bn_\b/_\bl_\bs, and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as
+ r\bro\boo\bot\bt on the machine rushmore without authenticating himself. If we only
+ want r\bra\bay\by to be able to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl without a password the entry would
+ be:
- ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
+ ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
- Note, however, that the PASSWD tag has no effect on users who are in
- the group specified by the _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option.
+ Note, however, that the PASSWD tag has no effect on users who are in the
+ group specified by the _\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option.
- By default, if the NOPASSWD tag is applied to any of the entries for a
- user on the current host, he or she will be able to run sudo -l without
- a password. Additionally, a user may only run sudo -v without a
- password if the NOPASSWD tag is present for all a user's entries that
- pertain to the current host. This behavior may be overridden via the
- verifypw and listpw options.
+ By default, if the NOPASSWD tag is applied to any of the entries for a
+ user on the current host, he or she will be able to run ``sudo -l''
+ without a password. Additionally, a user may only run ``sudo -v''
+ without a password if the NOPASSWD tag is present for all a user's
+ entries that pertain to the current host. This behavior may be
+ overridden via the _\bv_\be_\br_\bi_\bf_\by_\bp_\bw and _\bl_\bi_\bs_\bt_\bp_\bw options.
- _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC
+ _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC
- If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the underlying
- operating system supports it, the NOEXEC tag can be used to prevent a
- dynamically-linked executable from running further commands itself.
+ If s\bsu\bud\bdo\bo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the underlying
+ operating system supports it, the NOEXEC tag can be used to prevent a
+ dynamically-linked executable from running further commands itself.
- In the following example, user a\baa\bar\bro\bon\bn may run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and
- _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi but shell escapes will be disabled.
+ In the following example, user a\baa\bar\bro\bon\bn may run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and
+ _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi but shell escapes will be disabled.
- aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+ aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
- See the "PREVENTING SHELL ESCAPES" section below for more details on
- how NOEXEC works and whether or not it will work on your system.
+ See the _\bP_\br_\be_\bv_\be_\bn_\bt_\bi_\bn_\bg _\bS_\bh_\be_\bl_\bl _\bE_\bs_\bc_\ba_\bp_\be_\bs section below for more details on how
+ NOEXEC works and whether or not it will work on your system.
- _\bS_\bE_\bT_\bE_\bN_\bV _\ba_\bn_\bd _\bN_\bO_\bS_\bE_\bT_\bE_\bN_\bV
+ _\bS_\bE_\bT_\bE_\bN_\bV _\ba_\bn_\bd _\bN_\bO_\bS_\bE_\bT_\bE_\bN_\bV
- These tags override the value of the _\bs_\be_\bt_\be_\bn_\bv option on a per-command
- basis. Note that if SETENV has been set for a command, the user may
- disable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option from the command line via the -\b-E\bE option.
- Additionally, environment variables set on the command line are not
- subject to the restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or
- _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such, only trusted users should be allowed to set
- variables in this manner. If the command matched is A\bAL\bLL\bL, the SETENV
- tag is implied for that command; this default may be overridden by use
- of the NOSETENV tag.
+ These tags override the value of the _\bs_\be_\bt_\be_\bn_\bv option on a per-command
+ basis. Note that if SETENV has been set for a command, the user may
+ disable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option from the command line via the -\b-E\bE option.
+ Additionally, environment variables set on the command line are not
+ subject to the restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or
+ _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such, only trusted users should be allowed to set variables
+ in this manner. If the command matched is A\bAL\bLL\bL, the SETENV tag is implied
+ for that command; this default may be overridden by use of the NOSETENV
+ tag.
- _\bL_\bO_\bG_\b__\bI_\bN_\bP_\bU_\bT _\ba_\bn_\bd _\bN_\bO_\bL_\bO_\bG_\b__\bI_\bN_\bP_\bU_\bT
+ _\bL_\bO_\bG_\b__\bI_\bN_\bP_\bU_\bT _\ba_\bn_\bd _\bN_\bO_\bL_\bO_\bG_\b__\bI_\bN_\bP_\bU_\bT
- These tags override the value of the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt option on a per-command
- basis. For more information, see the description of _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt in the
- "SUDOERS OPTIONS" section below.
+ These tags override the value of the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt option on a per-command
+ basis. For more information, see the description of _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt in the
+ _\bS_\bU_\bD_\bO_\bE_\bR_\bS _\bO_\bP_\bT_\bI_\bO_\bN_\bS section below.
- _\bL_\bO_\bG_\b__\bO_\bU_\bT_\bP_\bU_\bT _\ba_\bn_\bd _\bN_\bO_\bL_\bO_\bG_\b__\bO_\bU_\bT_\bP_\bU_\bT
+ _\bL_\bO_\bG_\b__\bO_\bU_\bT_\bP_\bU_\bT _\ba_\bn_\bd _\bN_\bO_\bL_\bO_\bG_\b__\bO_\bU_\bT_\bP_\bU_\bT
- These tags override the value of the _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt option on a per-command
- basis. For more information, see the description of _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt in the
- "SUDOERS OPTIONS" section below.
+ These tags override the value of the _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt option on a per-command
+ basis. For more information, see the description of _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt in the
+ _\bS_\bU_\bD_\bO_\bE_\bR_\bS _\bO_\bP_\bT_\bI_\bO_\bN_\bS section below.
W\bWi\bil\bld\bdc\bca\bar\brd\bds\bs
- s\bsu\bud\bdo\bo allows shell-style _\bw_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs (aka meta or glob characters) to be
- used in host names, path names and command line arguments in the
- _\bs_\bu_\bd_\bo_\be_\br_\bs file. Wildcard matching is done via the P\bPO\bOS\bSI\bIX\bX _\bg_\bl_\bo_\bb(3) and
- _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) routines. Note that these are _\bn_\bo_\bt regular expressions.
+ s\bsu\bud\bdo\bo allows shell-style _\bw_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs (aka meta or glob characters) to be
+ used in host names, path names and command line arguments in the _\bs_\bu_\bd_\bo_\be_\br_\bs
+ file. Wildcard matching is done via the P\bPO\bOS\bSI\bIX\bX glob(3) and fnmatch(3)
+ routines. Note that these are _\bn_\bo_\bt regular expressions.
+
+ * Matches any set of zero or more characters.
+
+ ? Matches any single character.
+
+ [...] Matches any character in the specified range.
+
+ [!...] Matches any character n\bno\bot\bt in the specified range.
- * Matches any set of zero or more characters.
+ \x For any character `x', evaluates to `x'. This is used to
+ escape special characters such as: `*', `?', `[', and `]'.
- ? Matches any single character.
+ POSIX character classes may also be used if your system's glob(3) and
+ fnmatch(3) functions support them. However, because the `:' character
+ has special meaning in _\bs_\bu_\bd_\bo_\be_\br_\bs, it must be escaped. For example:
- [...] Matches any character in the specified range.
+ /bin/ls [[:alpha:]]*
- [!...] Matches any character n\bno\bot\bt in the specified range.
+ Would match any file name beginning with a letter.
- \x For any character "x", evaluates to "x". This is used to
- escape special characters such as: "*", "?", "[", and "]".
+ Note that a forward slash (`/') will n\bno\bot\bt be matched by wildcards used in
+ the path name. This is to make a path like:
- POSIX character classes may also be used if your system's _\bg_\bl_\bo_\bb(3) and
- _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) functions support them. However, because the ':' character
- has special meaning in _\bs_\bu_\bd_\bo_\be_\br_\bs, it must be escaped. For example:
+ /usr/bin/*
- /bin/ls [[\:alpha\:]]*
+ match _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bw_\bh_\bo but not _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bX_\b1_\b1_\b/_\bx_\bt_\be_\br_\bm.
- Would match any file name beginning with a letter.
+ When matching the command line arguments, however, a slash d\bdo\boe\bes\bs get
+ matched by wildcards since command line arguments may contain arbitrary
+ strings and not just path names.
- Note that a forward slash ('/') will n\bno\bot\bt be matched by wildcards used
- in the path name. When matching the command line arguments, however, a
- slash d\bdo\boe\bes\bs get matched by wildcards. This is to make a path like:
+ Wildcards in command line arguments should be used with care. Because
+ command line arguments are matched as a single, concatenated string, a
+ wildcard such as `?' or `*' can match multiple words. For example, while
+ a sudoers entry like:
- /usr/bin/*
+ %operator ALL = /bin/cat /var/log/messages*
- match _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bw_\bh_\bo but not _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bX_\b1_\b1_\b/_\bx_\bt_\be_\br_\bm.
+ will allow command like:
+
+ $ sudo cat /var/log/messages.1
+
+ It will also allow:
+
+ $ sudo cat /var/log/messages /etc/shadow
+
+ which is probably not what was intended.
E\bEx\bxc\bce\bep\bpt\bti\bio\bon\bns\bs t\bto\bo w\bwi\bil\bld\bdc\bca\bar\brd\bd r\bru\bul\ble\bes\bs
- The following exceptions apply to the above rules:
+ The following exceptions apply to the above rules:
- "" If the empty string "" is the only command line argument in the
+ "" If the empty string "" is the only command line argument in the
_\bs_\bu_\bd_\bo_\be_\br_\bs entry it means that command is not allowed to be run
with a\ban\bny\by arguments.
+ sudoedit Command line arguments to the _\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt built-in command should
+ always be path names, so a forward slash (`/') will not be
+ matched by a wildcard.
+
I\bIn\bnc\bcl\blu\bud\bdi\bin\bng\bg o\bot\bth\bhe\ber\br f\bfi\bil\ble\bes\bs f\bfr\bro\bom\bm w\bwi\bit\bth\bhi\bin\bn s\bsu\bud\bdo\boe\ber\brs\bs
- It is possible to include other _\bs_\bu_\bd_\bo_\be_\br_\bs files from within the _\bs_\bu_\bd_\bo_\be_\br_\bs
- file currently being parsed using the #include and #includedir
- directives.
+ It is possible to include other _\bs_\bu_\bd_\bo_\be_\br_\bs files from within the _\bs_\bu_\bd_\bo_\be_\br_\bs
+ file currently being parsed using the #include and #includedir
+ directives.
- This can be used, for example, to keep a site-wide _\bs_\bu_\bd_\bo_\be_\br_\bs file in
- addition to a local, per-machine file. For the sake of this example
- the site-wide _\bs_\bu_\bd_\bo_\be_\br_\bs will be _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs and the per-machine one will
- be _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. To include _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl from within
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs we would use the following line in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs:
+ This can be used, for example, to keep a site-wide _\bs_\bu_\bd_\bo_\be_\br_\bs file in
+ addition to a local, per-machine file. For the sake of this example the
+ site-wide _\bs_\bu_\bd_\bo_\be_\br_\bs will be _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs and the per-machine one will be
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. To include _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl from within
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs we would use the following line in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs:
- #include /etc/sudoers.local
+ #include /etc/sudoers.local
- When s\bsu\bud\bdo\bo reaches this line it will suspend processing of the current
- file (_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs) and switch to _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. Upon reaching
- the end of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl, the rest of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs will be
- processed. Files that are included may themselves include other files.
- A hard limit of 128 nested include files is enforced to prevent include
- file loops.
+ When s\bsu\bud\bdo\bo reaches this line it will suspend processing of the current
+ file (_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs) and switch to _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl. Upon reaching the
+ end of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl, the rest of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs will be processed.
+ Files that are included may themselves include other files. A hard limit
+ of 128 nested include files is enforced to prevent include file loops.
- If the path to the include file is not fully-qualified (does not begin
- with a /), it must be located in the same directory as the sudoers file
- it was included from. For example, if _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs contains the line:
+ If the path to the include file is not fully-qualified (does not begin
+ with a `/', it must be located in the same directory as the sudoers file
+ it was included from. For example, if _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs contains the line:
- #include sudoers.local
+ #include sudoers.local
- the file that will be included is _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl.
+ the file that will be included is _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bl_\bo_\bc_\ba_\bl.
- The file name may also include the %h escape, signifying the short form
- of the host name. In other words, if the machine's host name is
- "xerxes", then
+ The file name may also include the %h escape, signifying the short form
+ of the host name. In other words, if the machine's host name is
+ ``xerxes'', then
- #include /etc/sudoers.%h
+ #include /etc/sudoers.%h
- will cause s\bsu\bud\bdo\bo to include the file _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bx_\be_\br_\bx_\be_\bs.
+ will cause s\bsu\bud\bdo\bo to include the file _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bx_\be_\br_\bx_\be_\bs.
- The #includedir directive can be used to create a _\bs_\bu_\bd_\bo_\b._\bd directory that
- the system package manager can drop _\bs_\bu_\bd_\bo_\be_\br_\bs rules into as part of
- package installation. For example, given:
+ The #includedir directive can be used to create a _\bs_\bu_\bd_\bo_\b._\bd directory that
+ the system package manager can drop _\bs_\bu_\bd_\bo_\be_\br_\bs rules into as part of package
+ installation. For example, given:
- #includedir /etc/sudoers.d
+ #includedir /etc/sudoers.d
- s\bsu\bud\bdo\bo will read each file in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd, skipping file names that
- end in ~ or contain a . character to avoid causing problems with
- package manager or editor temporary/backup files. Files are parsed in
- sorted lexical order. That is, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b0_\b1_\b__\bf_\bi_\br_\bs_\bt will be parsed
- before _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Be aware that because the sorting is
- lexical, not numeric, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b__\bw_\bh_\bo_\bo_\bp_\bs would be loaded a\baf\bft\bte\ber\br
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Using a consistent number of leading zeroes
- in the file names can be used to avoid such problems.
+ s\bsu\bud\bdo\bo will read each file in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd, skipping file names that end
+ in `~' or contain a `.' character to avoid causing problems with package
+ manager or editor temporary/backup files. Files are parsed in sorted
+ lexical order. That is, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b0_\b1_\b__\bf_\bi_\br_\bs_\bt will be parsed before
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Be aware that because the sorting is lexical,
+ not numeric, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b__\bw_\bh_\bo_\bo_\bp_\bs would be loaded a\baf\bft\bte\ber\br
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bd_\b/_\b1_\b0_\b__\bs_\be_\bc_\bo_\bn_\bd. Using a consistent number of leading zeroes in
+ the file names can be used to avoid such problems.
- Note that unlike files included via #include, v\bvi\bis\bsu\bud\bdo\bo will not edit the
- files in a #includedir directory unless one of them contains a syntax
- error. It is still possible to run v\bvi\bis\bsu\bud\bdo\bo with the -\b-f\bf flag to edit the
- files directly.
+ Note that unlike files included via #include, v\bvi\bis\bsu\bud\bdo\bo will not edit the
+ files in a #includedir directory unless one of them contains a syntax
+ error. It is still possible to run v\bvi\bis\bsu\bud\bdo\bo with the -\b-f\bf flag to edit the
+ files directly.
O\bOt\bth\bhe\ber\br s\bsp\bpe\bec\bci\bia\bal\bl c\bch\bha\bar\bra\bac\bct\bte\ber\brs\bs a\ban\bnd\bd r\bre\bes\bse\ber\brv\bve\bed\bd w\bwo\bor\brd\bds\bs
- The pound sign ('#') is used to indicate a comment (unless it is part
- of a #include directive or unless it occurs in the context of a user
- name and is followed by one or more digits, in which case it is treated
- as a uid). Both the comment character and any text after it, up to the
- end of the line, are ignored.
-
- The reserved word A\bAL\bLL\bL is a built-in _\ba_\bl_\bi_\ba_\bs that always causes a match to
- succeed. It can be used wherever one might otherwise use a Cmnd_Alias,
- User_Alias, Runas_Alias, or Host_Alias. You should not try to define
- your own _\ba_\bl_\bi_\ba_\bs called A\bAL\bLL\bL as the built-in alias will be used in
- preference to your own. Please note that using A\bAL\bLL\bL can be dangerous
- since in a command context, it allows the user to run a\ban\bny\by command on
- the system.
-
- An exclamation point ('!') can be used as a logical _\bn_\bo_\bt operator both
- in an _\ba_\bl_\bi_\ba_\bs and in front of a Cmnd. This allows one to exclude certain
- values. Note, however, that using a ! in conjunction with the built-in
- ALL alias to allow a user to run "all but a few" commands rarely works
- as intended (see SECURITY NOTES below).
-
- Long lines can be continued with a backslash ('\') as the last
- character on the line.
-
- Whitespace between elements in a list as well as special syntactic
- characters in a _\bU_\bs_\be_\br _\bS_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn ('=', ':', '(', ')') is optional.
-
- The following characters must be escaped with a backslash ('\') when
- used as part of a word (e.g. a user name or host name): '!', '=', ':',
- ',', '(', ')', '\'.
+ The pound sign (`#') is used to indicate a comment (unless it is part of
+ a #include directive or unless it occurs in the context of a user name
+ and is followed by one or more digits, in which case it is treated as a
+ uid). Both the comment character and any text after it, up to the end of
+ the line, are ignored.
+
+ The reserved word A\bAL\bLL\bL is a built-in _\ba_\bl_\bi_\ba_\bs that always causes a match to
+ succeed. It can be used wherever one might otherwise use a Cmnd_Alias,
+ User_Alias, Runas_Alias, or Host_Alias. You should not try to define
+ your own _\ba_\bl_\bi_\ba_\bs called A\bAL\bLL\bL as the built-in alias will be used in
+ preference to your own. Please note that using A\bAL\bLL\bL can be dangerous
+ since in a command context, it allows the user to run a\ban\bny\by command on the
+ system.
+
+ An exclamation point (`!') can be used as a logical _\bn_\bo_\bt operator both in
+ an _\ba_\bl_\bi_\ba_\bs and in front of a Cmnd. This allows one to exclude certain
+ values. Note, however, that using a `!' in conjunction with the built-in
+ A\bAL\bLL\bL alias to allow a user to run ``all but a few'' commands rarely works
+ as intended (see _\bS_\bE_\bC_\bU_\bR_\bI_\bT_\bY _\bN_\bO_\bT_\bE_\bS below).
+
+ Long lines can be continued with a backslash (`\') as the last character
+ on the line.
+
+ White space between elements in a list as well as special syntactic
+ characters in a _\bU_\bs_\be_\br _\bS_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn (`=', `:', `(', `)') is optional.
+
+ The following characters must be escaped with a backslash (`\') when used
+ as part of a word (e.g. a user name or host name): `!', `=', `:', `,',
+ `(', `)', `\'.
S\bSU\bUD\bDO\bOE\bER\bRS\bS O\bOP\bPT\bTI\bIO\bON\bNS\bS
- s\bsu\bud\bdo\bo's behavior can be modified by Default_Entry lines, as explained
- earlier. A list of all supported Defaults parameters, grouped by type,
- are listed below.
+ s\bsu\bud\bdo\bo's behavior can be modified by Default_Entry lines, as explained
+ earlier. A list of all supported Defaults parameters, grouped by type,
+ are listed below.
- B\bBo\boo\bol\ble\bea\ban\bn F\bFl\bla\bag\bgs\bs:
+ B\bBo\boo\bol\ble\bea\ban\bn F\bFl\bla\bag\bgs\bs:
- always_set_home If enabled, s\bsu\bud\bdo\bo will set the HOME environment variable
+ always_set_home If enabled, s\bsu\bud\bdo\bo will set the HOME environment variable
to the home directory of the target user (which is root
unless the -\b-u\bu option is used). This effectively means
that the -\b-H\bH option is always implied. Note that HOME
HOME is present in the _\be_\bn_\bv_\b__\bk_\be_\be_\bp list. This flag is _\bo_\bf_\bf
by default.
- authenticate If set, users must authenticate themselves via a
+ authenticate If set, users must authenticate themselves via a
password (or other means of authentication) before they
may run commands. This default may be overridden via
the PASSWD and NOPASSWD tags. This flag is _\bo_\bn by
default.
- closefrom_override
+ closefrom_override
If set, the user may use s\bsu\bud\bdo\bo's -\b-C\bC option which
overrides the default starting point at which s\bsu\bud\bdo\bo
begins closing open file descriptors. This flag is _\bo_\bf_\bf
by default.
- compress_io If set, and s\bsu\bud\bdo\bo is configured to log a command's input
+ compress_io If set, and s\bsu\bud\bdo\bo is configured to log a command's input
or output, the I/O logs will be compressed using z\bzl\bli\bib\bb.
This flag is _\bo_\bn by default when s\bsu\bud\bdo\bo is compiled with
z\bzl\bli\bib\bb support.
- env_editor If set, v\bvi\bis\bsu\bud\bdo\bo will use the value of the EDITOR or
+ env_editor If set, v\bvi\bis\bsu\bud\bdo\bo will use the value of the EDITOR or
VISUAL environment variables before falling back on the
default editor list. Note that this may create a
security hole as it allows the user to run any
use the EDITOR or VISUAL if they match a value
specified in editor. This flag is _\bo_\bf_\bf by default.
- env_reset If set, s\bsu\bud\bdo\bo will run the command in a minimal
+ env_reset If set, s\bsu\bud\bdo\bo will run the command in a minimal
environment containing the TERM, PATH, HOME, MAIL,
SHELL, LOGNAME, USER, USERNAME and SUDO_* variables.
Any variables in the caller's environment that match
the PATH environment variable. This flag is _\bo_\bn by
default.
- fast_glob Normally, s\bsu\bud\bdo\bo uses the _\bg_\bl_\bo_\bb(3) function to do shell-
+ fast_glob Normally, s\bsu\bud\bdo\bo uses the glob(3) function to do shell-
style globbing when matching path names. However,
- since it accesses the file system, _\bg_\bl_\bo_\bb(3) can take a
+ since it accesses the file system, glob(3) can take a
long time to complete for some patterns, especially
when the pattern references a network file system that
- is mounted on demand (automounted). The _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb
- option causes s\bsu\bud\bdo\bo to use the _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3) function,
+ is mounted on demand (auto mounted). The _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb
+ option causes s\bsu\bud\bdo\bo to use the fnmatch(3) function,
which does not access the file system to do its
matching. The disadvantage of _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is that it is
unable to match relative path names such as _\b._\b/_\bl_\bs or
_\b._\b._\b/_\bb_\bi_\bn_\b/_\bl_\bs. This has security implications when path
names that include globbing characters are used with
- the negation operator, '!', as such rules can be
+ the negation operator, `!', as such rules can be
trivially bypassed. As such, this option should not be
used when _\bs_\bu_\bd_\bo_\be_\br_\bs contains rules that contain negated
path names which include globbing characters. This
flag is _\bo_\bf_\bf by default.
- fqdn Set this flag if you want to put fully qualified host
- names in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. In other words, instead of
- myhost you would use myhost.mydomain.edu. You may
- still use the short form if you wish (and even mix the
- two). Beware that turning on _\bf_\bq_\bd_\bn requires s\bsu\bud\bdo\bo to
- make DNS lookups which may make s\bsu\bud\bdo\bo unusable if DNS
- stops working (for example if the machine is not
- plugged into the network). Also note that you must use
- the host's official name as DNS knows it. That is, you
- may not use a host alias (CNAME entry) due to
- performance issues and the fact that there is no way to
- get all aliases from DNS. If your machine's host name
- (as returned by the hostname command) is already fully
- qualified you shouldn't need to set _\bf_\bq_\bd_\bn. This flag is
- _\bo_\bf_\bf by default.
+ fqdn Set this flag if you want to put fully qualified host
+ names in the _\bs_\bu_\bd_\bo_\be_\br_\bs file when the local host name (as
+ returned by the hostname command) does not contain the
+ domain name. In other words, instead of myhost you
+ would use myhost.mydomain.edu. You may still use the
+ short form if you wish (and even mix the two). This
+ option is only effective when the ``canonical'' host
+ name, as returned by the g\bge\bet\bta\bad\bdd\bdr\bri\bin\bnf\bfo\bo() or
+ g\bge\bet\bth\bho\bos\bst\btb\bby\byn\bna\bam\bme\be() function, is a fully-qualified domain
+ name. This is usually the case when the system is
+ configured to use DNS for host name resolution.
+
+ If the system is configured to use the _\b/_\be_\bt_\bc_\b/_\bh_\bo_\bs_\bt_\bs file
+ in preference to DNS, the ``canonical'' host name may
+ not be fully-qualified. The order that sources are
+ queried for hosts name resolution is usually specified
+ in the _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf, _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf,
+ _\b/_\be_\bt_\bc_\b/_\bh_\bo_\bs_\bt_\b._\bc_\bo_\bn_\bf, or, in some cases, _\b/_\be_\bt_\bc_\b/_\br_\be_\bs_\bo_\bl_\bv_\b._\bc_\bo_\bn_\bf
+ file. In the _\b/_\be_\bt_\bc_\b/_\bh_\bo_\bs_\bt_\bs file, the first host name of
+ the entry is considered to be the ``canonical'' name;
+ subsequent names are aliases that are not used by
+ s\bsu\bud\bdo\boe\ber\brs\bs. For example, the following hosts file line
+ for the machine ``xyzzy'' has the fully-qualified
+ domain name as the ``canonical'' host name, and the
+ short version as an alias.
+
+ 192.168.1.1 xyzzy.sudo.ws xyzzy
+
+ If the machine's hosts file entry is not formatted
+ properly, the _\bf_\bq_\bd_\bn option will not be effective if it
+ is queried before DNS.
+
+ Beware that when using DNS for host name resolution,
+ turning on _\bf_\bq_\bd_\bn requires s\bsu\bud\bdo\boe\ber\brs\bs to make DNS lookups
+ which renders s\bsu\bud\bdo\bo unusable if DNS stops working (for
+ example if the machine is disconnected from the
+ network). Also note that just like with the hosts
+ file, you must use the ``canonical'' name as DNS knows
+ it. That is, you may not use a host alias (CNAME
+ entry) due to performance issues and the fact that
+ there is no way to get all aliases from DNS.
+
+ This flag is _\bo_\bf_\bf by default.
- ignore_dot If set, s\bsu\bud\bdo\bo will ignore "." or "" (current dir) in the
- PATH environment variable; the PATH itself is not
- modified. This flag is _\bo_\bf_\bf by default.
+ ignore_dot If set, s\bsu\bud\bdo\bo will ignore "." or "" (both denoting
+ current directory) in the PATH environment variable;
+ the PATH itself is not modified. This flag is _\bo_\bf_\bf by
+ default.
- ignore_local_sudoers
+ ignore_local_sudoers
If set via LDAP, parsing of _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs will be
skipped. This is intended for Enterprises that wish to
prevent the usage of local sudoers files so that only
LDAP is used. This thwarts the efforts of rogue
operators who would attempt to add roles to
_\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. When this option is present,
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs does not even need to exist. Since this
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs does not even need to exist. Since this
option tells s\bsu\bud\bdo\bo how to behave when no specific LDAP
entries have been matched, this sudoOption is only
meaningful for the cn=defaults section. This flag is
_\bo_\bf_\bf by default.
- insults If set, s\bsu\bud\bdo\bo will insult users when they enter an
+ insults If set, s\bsu\bud\bdo\bo will insult users when they enter an
incorrect password. This flag is _\bo_\bf_\bf by default.
- log_host If set, the host name will be logged in the (non-
+ log_host If set, the host name will be logged in the (non-
syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
- log_input If set, s\bsu\bud\bdo\bo will run the command in a _\bp_\bs_\be_\bu_\bd_\bo _\bt_\bt_\by and
+ log_input If set, s\bsu\bud\bdo\bo will run the command in a _\bp_\bs_\be_\bu_\bd_\bo _\bt_\bt_\by and
log all user input. If the standard input is not
connected to the user's tty, due to I/O redirection or
because the command is part of a pipeline, that input
Input is logged to the directory specified by the
_\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br option (_\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo by default) using a
unique session ID that is included in the normal s\bsu\bud\bdo\bo
- log line, prefixed with "TSID=".
+ log line, prefixed with ``TSID=''.
Note that user input may contain sensitive information
such as passwords (even if they are not echoed to the
unencrypted. In most cases, logging the command output
via _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt is all that is required.
- log_output If set, s\bsu\bud\bdo\bo will run the command in a _\bp_\bs_\be_\bu_\bd_\bo _\bt_\bt_\by and
+ log_output If set, s\bsu\bud\bdo\bo will run the command in a _\bp_\bs_\be_\bu_\bd_\bo _\bt_\bt_\by and
log all output that is sent to the screen, similar to
- the _\bs_\bc_\br_\bi_\bp_\bt(1) command. If the standard output or
+ the script(1) command. If the standard output or
standard error is not connected to the user's tty, due
to I/O redirection or because the command is part of a
pipeline, that output is also captured and stored in
Output is logged to the directory specified by the
_\bi_\bo_\bl_\bo_\bg_\b__\bd_\bi_\br option (_\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo by default) using a
unique session ID that is included in the normal s\bsu\bud\bdo\bo
- log line, prefixed with "TSID=".
+ log line, prefixed with ``TSID=''.
- Output logs may be viewed with the _\bs_\bu_\bd_\bo_\br_\be_\bp_\bl_\ba_\by(1m)
+ Output logs may be viewed with the sudoreplay(1m)
utility, which can also be used to list or search the
available logs.
- log_year If set, the four-digit year will be logged in the (non-
+ log_year If set, the four-digit year will be logged in the (non-
syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf by default.
- long_otp_prompt When validating with a One Time Password (OTP) scheme
+ long_otp_prompt When validating with a One Time Password (OTP) scheme
such as S\bS/\b/K\bKe\bey\by or O\bOP\bPI\bIE\bE, a two-line prompt is used to
make it easier to cut and paste the challenge to a
local window. It's not as pretty as the default but
some people find it more convenient. This flag is _\bo_\bf_\bf
by default.
- mail_always Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user every time a users runs
+ mail_always Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user every time a users runs
s\bsu\bud\bdo\bo. This flag is _\bo_\bf_\bf by default.
- mail_badpass Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user if the user running s\bsu\bud\bdo\bo
- does not enter the correct password. This flag is _\bo_\bf_\bf
- by default.
+ mail_badpass Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user if the user running s\bsu\bud\bdo\bo
+ does not enter the correct password. If the command
+ the user is attempting to run is not permitted by
+ _\bs_\bu_\bd_\bo_\be_\br_\bs and one of the _\bm_\ba_\bi_\bl_\b__\ba_\bl_\bw_\ba_\by_\bs, _\bm_\ba_\bi_\bl_\b__\bn_\bo_\b__\bh_\bo_\bs_\bt,
+ _\bm_\ba_\bi_\bl_\b__\bn_\bo_\b__\bp_\be_\br_\bm_\bs or _\bm_\ba_\bi_\bl_\b__\bn_\bo_\b__\bu_\bs_\be_\br flags are set, this flag
+ will have no effect. This flag is _\bo_\bf_\bf by default.
- mail_no_host If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
+ mail_no_host If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
invoking user exists in the _\bs_\bu_\bd_\bo_\be_\br_\bs file, but is not
allowed to run commands on the current host. This flag
is _\bo_\bf_\bf by default.
- mail_no_perms If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
+ mail_no_perms If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
invoking user is allowed to use s\bsu\bud\bdo\bo but the command
they are trying is not listed in their _\bs_\bu_\bd_\bo_\be_\br_\bs file
entry or is explicitly denied. This flag is _\bo_\bf_\bf by
default.
- mail_no_user If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
+ mail_no_user If set, mail will be sent to the _\bm_\ba_\bi_\bl_\bt_\bo user if the
invoking user is not in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. This flag is
_\bo_\bn by default.
- noexec If set, all commands run via s\bsu\bud\bdo\bo will behave as if the
+ noexec If set, all commands run via s\bsu\bud\bdo\bo will behave as if the
NOEXEC tag has been set, unless overridden by a EXEC
tag. See the description of _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC below as
- well as the "PREVENTING SHELL ESCAPES" section at the
- end of this manual. This flag is _\bo_\bf_\bf by default.
+ well as the _\bP_\br_\be_\bv_\be_\bn_\bt_\bi_\bn_\bg _\bS_\bh_\be_\bl_\bl _\bE_\bs_\bc_\ba_\bp_\be_\bs section at the end
+ of this manual. This flag is _\bo_\bf_\bf by default.
- path_info Normally, s\bsu\bud\bdo\bo will tell the user when a command could
+ path_info Normally, s\bsu\bud\bdo\bo will tell the user when a command could
not be found in their PATH environment variable. Some
sites may wish to disable this as it could be used to
gather information on the location of executables that
not allowed to run it, which can be confusing. This
flag is _\bo_\bn by default.
- passprompt_override
+ passprompt_override
The password prompt specified by _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will
normally only be used if the password prompt provided
- by systems such as PAM matches the string "Password:".
- If _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is set, _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will always
- be used. This flag is _\bo_\bf_\bf by default.
+ by systems such as PAM matches the string
+ ``Password:''. If _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt_\b__\bo_\bv_\be_\br_\br_\bi_\bd_\be is set,
+ _\bp_\ba_\bs_\bs_\bp_\br_\bo_\bm_\bp_\bt will always be used. This flag is _\bo_\bf_\bf by
+ default.
- preserve_groups By default, s\bsu\bud\bdo\bo will initialize the group vector to
+ preserve_groups By default, s\bsu\bud\bdo\bo will initialize the group vector to
the list of groups the target user is in. When
_\bp_\br_\be_\bs_\be_\br_\bv_\be_\b__\bg_\br_\bo_\bu_\bp_\bs is set, the user's existing group
vector is left unaltered. The real and effective group
IDs, however, are still set to match the target user.
This flag is _\bo_\bf_\bf by default.
- pwfeedback By default, s\bsu\bud\bdo\bo reads the password like most other
+ pwfeedback By default, s\bsu\bud\bdo\bo reads the password like most other
Unix programs, by turning off echo until the user hits
the return (or enter) key. Some users become confused
by this as it appears to them that s\bsu\bud\bdo\bo has hung at
able to determine the length of the password being
entered. This flag is _\bo_\bf_\bf by default.
- requiretty If set, s\bsu\bud\bdo\bo will only run when the user is logged in
+ requiretty If set, s\bsu\bud\bdo\bo will only run when the user is logged in
to a real tty. When this flag is set, s\bsu\bud\bdo\bo can only be
run from a login session and not via other means such
- as _\bc_\br_\bo_\bn(1m) or cgi-bin scripts. This flag is _\bo_\bf_\bf by
+ as cron(1m) or cgi-bin scripts. This flag is _\bo_\bf_\bf by
default.
- root_sudo If set, root is allowed to run s\bsu\bud\bdo\bo too. Disabling
- this prevents users from "chaining" s\bsu\bud\bdo\bo commands to
- get a root shell by doing something like "sudo sudo
- /bin/sh". Note, however, that turning off _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo
+ root_sudo If set, root is allowed to run s\bsu\bud\bdo\bo too. Disabling
+ this prevents users from ``chaining'' s\bsu\bud\bdo\bo commands to
+ get a root shell by doing something like ``sudo sudo
+ /bin/sh''. Note, however, that turning off _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo
will also prevent root from running s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
Disabling _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo provides no real additional
security; it exists purely for historical reasons.
This flag is _\bo_\bn by default.
- rootpw If set, s\bsu\bud\bdo\bo will prompt for the root password instead
+ rootpw If set, s\bsu\bud\bdo\bo will prompt for the root password instead
of the password of the invoking user. This flag is _\bo_\bf_\bf
by default.
- runaspw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
+ runaspw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
defined by the _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt option (defaults to root)
instead of the password of the invoking user. This
flag is _\bo_\bf_\bf by default.
- set_home If enabled and s\bsu\bud\bdo\bo is invoked with the -\b-s\bs option the
+ set_home If enabled and s\bsu\bud\bdo\bo is invoked with the -\b-s\bs option the
HOME environment variable will be set to the home
directory of the target user (which is root unless the
-\b-u\bu option is used). This effectively makes the -\b-s\bs
_\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt is disabled or HOME is present in the
_\be_\bn_\bv_\b__\bk_\be_\be_\bp list. This flag is _\bo_\bf_\bf by default.
- set_logname Normally, s\bsu\bud\bdo\bo will set the LOGNAME, USER and USERNAME
+ set_logname Normally, s\bsu\bud\bdo\bo will set the LOGNAME, USER and USERNAME
environment variables to the name of the target user
(usually root unless the -\b-u\bu option is given). However,
since some programs (including the RCS revision control
disabled, entries in the _\be_\bn_\bv_\b__\bk_\be_\be_\bp list will override
the value of _\bs_\be_\bt_\b__\bl_\bo_\bg_\bn_\ba_\bm_\be. This flag is _\bo_\bn by default.
- setenv Allow the user to disable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option from the
- command line. Additionally, environment variables set
- via the command line are not subject to the
- restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk, _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or
- _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such, only trusted users should be
- allowed to set variables in this manner. This flag is
- _\bo_\bf_\bf by default.
+ setenv Allow the user to disable the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option from the
+ command line via the -\b-E\bE option. Additionally,
+ environment variables set via the command line are not
+ subject to the restrictions imposed by _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk,
+ _\be_\bn_\bv_\b__\bd_\be_\bl_\be_\bt_\be, or _\be_\bn_\bv_\b__\bk_\be_\be_\bp. As such, only trusted users
+ should be allowed to set variables in this manner.
+ This flag is _\bo_\bf_\bf by default.
- shell_noargs If set and s\bsu\bud\bdo\bo is invoked with no arguments it acts as
+ shell_noargs If set and s\bsu\bud\bdo\bo is invoked with no arguments it acts as
if the -\b-s\bs option had been given. That is, it runs a
shell as root (the shell is determined by the SHELL
environment variable if it is set, falling back on the
shell listed in the invoking user's /etc/passwd entry
if not). This flag is _\bo_\bf_\bf by default.
- stay_setuid Normally, when s\bsu\bud\bdo\bo executes a command the real and
+ stay_setuid Normally, when s\bsu\bud\bdo\bo executes a command the real and
effective UIDs are set to the target user (root by
default). This option changes that behavior such that
the real UID is left as the invoking user's UID. In
This can be useful on systems that disable some
potentially dangerous functionality when a program is
run setuid. This option is only effective on systems
- with either the _\bs_\be_\bt_\br_\be_\bu_\bi_\bd_\b(_\b) or _\bs_\be_\bt_\br_\be_\bs_\bu_\bi_\bd_\b(_\b) function.
- This flag is _\bo_\bf_\bf by default.
+ that support either the setreuid(2) or setresuid(2)
+ system call. This flag is _\bo_\bf_\bf by default.
- targetpw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
+ targetpw If set, s\bsu\bud\bdo\bo will prompt for the password of the user
specified by the -\b-u\bu option (defaults to root) instead
of the password of the invoking user. In addition, the
- timestamp file name will include the target user's
+ time stamp file name will include the target user's
name. Note that this flag precludes the use of a uid
not listed in the passwd database as an argument to the
-\b-u\bu option. This flag is _\bo_\bf_\bf by default.
- tty_tickets If set, users must authenticate on a per-tty basis.
+ tty_tickets If set, users must authenticate on a per-tty basis.
With this flag enabled, s\bsu\bud\bdo\bo will use a file named for
the tty the user is logged in on in the user's time
stamp directory. If disabled, the time stamp of the
directory is used instead. This flag is _\bo_\bn by default.
- umask_override If set, s\bsu\bud\bdo\bo will set the umask as specified by _\bs_\bu_\bd_\bo_\be_\br_\bs
+ umask_override If set, s\bsu\bud\bdo\bo will set the umask as specified by _\bs_\bu_\bd_\bo_\be_\br_\bs
without modification. This makes it possible to
specify a more permissive umask in _\bs_\bu_\bd_\bo_\be_\br_\bs than the
user's own umask and matches historical behavior. If
be the union of the user's umask and what is specified
in _\bs_\bu_\bd_\bo_\be_\br_\bs. This flag is _\bo_\bf_\bf by default.
- use_loginclass If set, s\bsu\bud\bdo\bo will apply the defaults specified for the
+ use_loginclass If set, s\bsu\bud\bdo\bo will apply the defaults specified for the
target user's login class if one exists. Only
available if s\bsu\bud\bdo\bo is configured with the
--with-logincap option. This flag is _\bo_\bf_\bf by default.
- use_pty If set, s\bsu\bud\bdo\bo will run the command in a pseudo-pty even
+ use_pty If set, s\bsu\bud\bdo\bo will run the command in a pseudo-pty even
if no I/O logging is being gone. A malicious program
run under s\bsu\bud\bdo\bo could conceivably fork a background
process that retains to the user's terminal device
after the main program has finished executing. Use of
- this option will make that impossible.
+ this option will make that impossible. This flag is
+ _\bo_\bf_\bf by default.
- visiblepw By default, s\bsu\bud\bdo\bo will refuse to run if the user must
+ visiblepw By default, s\bsu\bud\bdo\bo will refuse to run if the user must
enter a password but it is not possible to disable echo
on the terminal. If the _\bv_\bi_\bs_\bi_\bb_\bl_\be_\bp_\bw flag is set, s\bsu\bud\bdo\bo
will prompt for a password even when it would be
visible on the screen. This makes it possible to run
- things like "ssh somehost sudo ls" since by default,
- _\bs_\bs_\bh(1) does not allocate a tty when running a command.
+ things like ``ssh somehost sudo ls'' since by default,
+ ssh(1) does not allocate a tty when running a command.
This flag is _\bo_\bf_\bf by default.
- I\bIn\bnt\bte\beg\bge\ber\brs\bs:
+ I\bIn\bnt\bte\beg\bge\ber\brs\bs:
- closefrom Before it executes a command, s\bsu\bud\bdo\bo will close all open
+ closefrom Before it executes a command, s\bsu\bud\bdo\bo will close all open
file descriptors other than standard input, standard
output and standard error (ie: file descriptors 0-2).
The _\bc_\bl_\bo_\bs_\be_\bf_\br_\bo_\bm option can be used to specify a different
file descriptor at which to start closing. The default
is 3.
- passwd_tries The number of tries a user gets to enter his/her
+ passwd_tries The number of tries a user gets to enter his/her
password before s\bsu\bud\bdo\bo logs the failure and exits. The
default is 3.
- I\bIn\bnt\bte\beg\bge\ber\brs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
+ I\bIn\bnt\bte\beg\bge\ber\brs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
- loglinelen Number of characters per line for the file log. This
+ loglinelen Number of characters per line for the file log. This
value is used to decide when to wrap lines for nicer
log files. This has no effect on the syslog log file,
only the file log. The default is 80 (use 0 or negate
the option to disable word wrap).
- passwd_timeout Number of minutes before the s\bsu\bud\bdo\bo password prompt times
+ passwd_timeout Number of minutes before the s\bsu\bud\bdo\bo password prompt times
out, or 0 for no timeout. The timeout may include a
fractional component if minute granularity is
insufficient, for example 2.5. The default is 5.
- timestamp_timeout
+ timestamp_timeout
Number of minutes that can elapse before s\bsu\bud\bdo\bo will ask
for a passwd again. The timeout may include a
fractional component if minute granularity is
insufficient, for example 2.5. The default is 5. Set
this to 0 to always prompt for a password. If set to a
- value less than 0 the user's timestamp will never
+ value less than 0 the user's time stamp will never
expire. This can be used to allow users to create or
- delete their own timestamps via sudo -v and sudo -k
- respectively.
+ delete their own time stamps via ``sudo -v'' and ``sudo
+ -k'' respectively.
- umask Umask to use when running the command. Negate this
+ umask Umask to use when running the command. Negate this
option or set it to 0777 to preserve the user's umask.
The actual umask that is used will be the union of the
user's umask and the value of the _\bu_\bm_\ba_\bs_\bk option, which
defaults to 0022. This guarantees that s\bsu\bud\bdo\bo never
- lowers the umask when running a command. Note on
+ lowers the umask when running a command. Note: on
systems that use PAM, the default PAM configuration may
specify its own umask which will override the value set
in _\bs_\bu_\bd_\bo_\be_\br_\bs.
- S\bSt\btr\bri\bin\bng\bgs\bs:
+ S\bSt\btr\bri\bin\bng\bgs\bs:
- badpass_message Message that is displayed if a user enters an incorrect
+ badpass_message Message that is displayed if a user enters an incorrect
password. The default is Sorry, try again. unless
insults are enabled.
- editor A colon (':') separated list of editors allowed to be
+ editor A colon (`:') separated list of editors allowed to be
used with v\bvi\bis\bsu\bud\bdo\bo. v\bvi\bis\bsu\bud\bdo\bo will choose the editor that
matches the user's EDITOR environment variable if
possible, or the first editor in the list that exists
- and is executable. The default is "vi".
+ and is executable. The default is _\bv_\bi.
- iolog_dir The directory in which to store input/output logs when
+ iolog_dir The directory in which to store input/output logs when
the _\bl_\bo_\bg_\b__\bi_\bn_\bp_\bu_\bt or _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt options are enabled or when
the LOG_INPUT or LOG_OUTPUT tags are present for a
- command. The default is "/var/log/sudo-io".
+ command. The default is _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo.
- mailsub Subject of the mail sent to the _\bm_\ba_\bi_\bl_\bt_\bo user. The escape
- %h will expand to the host name of the machine.
- Default is "*** SECURITY information for %h ***".
+ mailsub Subject of the mail sent to the _\bm_\ba_\bi_\bl_\bt_\bo user. The
+ escape %h will expand to the host name of the machine.
+ Default is ``*** SECURITY information for %h ***''.
- noexec_file Path to a shared library containing dummy versions of
- the _\be_\bx_\be_\bc_\bv_\b(_\b), _\be_\bx_\be_\bc_\bv_\be_\b(_\b) and _\bf_\be_\bx_\be_\bc_\bv_\be_\b(_\b) library functions
+ noexec_file The _\bn_\bo_\be_\bx_\be_\bc option specifies the the fully-qualified
+ path to a shared library containing dummy versions of
+ the e\bex\bxe\bec\bcv\bv(), e\bex\bxe\bec\bcv\bve\be() and f\bfe\bex\bxe\bec\bcv\bve\be() library functions
that just return an error. This is used to implement
the _\bn_\bo_\be_\bx_\be_\bc functionality on systems that support
LD_PRELOAD or its equivalent. Defaults to
_\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc_\b/_\bs_\bu_\bd_\bo_\b__\bn_\bo_\be_\bx_\be_\bc_\b._\bs_\bo.
- passprompt The default prompt to use when asking for a password;
+ passprompt The default prompt to use when asking for a password;
can be overridden via the -\b-p\bp option or the SUDO_PROMPT
environment variable. The following percent (`%')
- escapes are supported:
+ escape sequences are supported:
+
+ %H expanded to the local host name including the
+ domain name (only if the machine's host name is
+ fully qualified or the _\bf_\bq_\bd_\bn option is set)
- %H expanded to the local host name including the
- domain name (on if the machine's host name is fully
- qualified or the _\bf_\bq_\bd_\bn option is set)
+ %h expanded to the local host name without the
+ domain name
- %h expanded to the local host name without the domain
- name
+ %p expanded to the user whose password is being
+ asked for (respects the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and
+ _\br_\bu_\bn_\ba_\bs_\bp_\bw flags in _\bs_\bu_\bd_\bo_\be_\br_\bs)
- %p expanded to the user whose password is being asked
- for (respects the _\br_\bo_\bo_\bt_\bp_\bw, _\bt_\ba_\br_\bg_\be_\bt_\bp_\bw and _\br_\bu_\bn_\ba_\bs_\bp_\bw
- flags in _\bs_\bu_\bd_\bo_\be_\br_\bs)
+ %U expanded to the login name of the user the
+ command will be run as (defaults to root)
- %U expanded to the login name of the user the command
- will be run as (defaults to root)
+ %u expanded to the invoking user's login name
- %u expanded to the invoking user's login name
+ %% two consecutive % characters are collapsed into a
+ single % character
- %% two consecutive % characters are collapsed into a
- single % character
+ The default value is ``Password:''.
- The default value is "Password:".
+ privs The default Solaris privileges to use when constructing
+ a new privilege set for a command. This is passed to
+ the executing process via the inherited privilege set,
+ but is bounded by the limit privileges. If the _\bp_\br_\bi_\bv_\bs
+ option is specified but the _\bl_\bi_\bm_\bi_\bt_\bp_\br_\bi_\bv_\bs option is not,
+ the limit privileges of the executing process is set to
+ _\bp_\br_\bi_\bv_\bs. The default privileges may be overridden on a
+ per-command basis in _\bs_\bu_\bd_\bo_\be_\br_\bs. This option is only
+ available if s\bsu\bud\bdo\boe\ber\brs\bs is built on Solaris 10 or higher.
- role The default SELinux role to use when constructing a new
+ role The default SELinux role to use when constructing a new
security context to run the command. The default role
may be overridden on a per-command basis in _\bs_\bu_\bd_\bo_\be_\br_\bs or
via command line options. This option is only
- available whe s\bsu\bud\bdo\bo is built with SELinux support.
+ available when s\bsu\bud\bdo\bo is built with SELinux support.
- runas_default The default user to run commands as if the -\b-u\bu option is
+ runas_default The default user to run commands as if the -\b-u\bu option is
not specified on the command line. This defaults to
root.
- syslog_badpri Syslog priority to use when user authenticates
+ syslog_badpri Syslog priority to use when user authenticates
unsuccessfully. Defaults to alert.
The following syslog priorities are supported: a\bal\ble\ber\brt\bt,
c\bcr\bri\bit\bt, d\bde\beb\bbu\bug\bg, e\bem\bme\ber\brg\bg, e\ber\brr\br, i\bin\bnf\bfo\bo, n\bno\bot\bti\bic\bce\be, and w\bwa\bar\brn\bni\bin\bng\bg.
- syslog_goodpri Syslog priority to use when user authenticates
+ syslog_goodpri Syslog priority to use when user authenticates
successfully. Defaults to notice.
- See syslog_badpri for the list of supported syslog
+ See _\bs_\by_\bs_\bl_\bo_\bg_\b__\bb_\ba_\bd_\bp_\br_\bi for the list of supported syslog
priorities.
- sudoers_locale Locale to use when parsing the sudoers file, logging
+ sudoers_locale Locale to use when parsing the sudoers file, logging
commands, and sending email. Note that changing the
locale may affect how sudoers is interpreted. Defaults
- to "C".
+ to ``C''.
- timestampdir The directory in which s\bsu\bud\bdo\bo stores its timestamp files.
- The default is _\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo.
+ timestampdir The directory in which s\bsu\bud\bdo\bo stores its time stamp
+ files. The default is _\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo.
- timestampowner The owner of the timestamp directory and the timestamps
- stored therein. The default is root.
+ timestampowner The owner of the time stamp directory and the time
+ stamps stored therein. The default is root.
- type The default SELinux type to use when constructing a new
+ type The default SELinux type to use when constructing a new
security context to run the command. The default type
may be overridden on a per-command basis in _\bs_\bu_\bd_\bo_\be_\br_\bs or
via command line options. This option is only
- available whe s\bsu\bud\bdo\bo is built with SELinux support.
+ available when s\bsu\bud\bdo\bo is built with SELinux support.
- S\bSt\btr\bri\bin\bng\bgs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
+ S\bSt\btr\bri\bin\bng\bgs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
- askpass The _\ba_\bs_\bk_\bp_\ba_\bs_\bs option specifies the fully qualified path to a
+ askpass The _\ba_\bs_\bk_\bp_\ba_\bs_\bs option specifies the fully qualified path to a
helper program used to read the user's password when no
terminal is available. This may be the case when s\bsu\bud\bdo\bo is
executed from a graphical (as opposed to text-based)
_\ba_\bs_\bk_\bp_\ba_\bs_\bs may be overridden by the SUDO_ASKPASS environment
variable.
- env_file The _\be_\bn_\bv_\b__\bf_\bi_\bl_\be option specifies the fully qualified path to a
+ env_file The _\be_\bn_\bv_\b__\bf_\bi_\bl_\be option specifies the fully qualified path to a
file containing variables to be set in the environment of
the program being run. Entries in this file should either
- be of the form VARIABLE=value or export VARIABLE=value.
- The value may optionally be surrounded by single or double
- quotes. Variables in this file are subject to other s\bsu\bud\bdo\bo
- environment settings such as _\be_\bn_\bv_\b__\bk_\be_\be_\bp and _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk.
+ be of the form ``VARIABLE=value'' or ``export
+ VARIABLE=value''. The value may optionally be surrounded
+ by single or double quotes. Variables in this file are
+ subject to other s\bsu\bud\bdo\bo environment settings such as _\be_\bn_\bv_\b__\bk_\be_\be_\bp
+ and _\be_\bn_\bv_\b__\bc_\bh_\be_\bc_\bk.
- exempt_group
- Users in this group are exempt from password and PATH
+ exempt_group Users in this group are exempt from password and PATH
requirements. The group name specified should not include
a % prefix. This is not set by default.
- lecture This option controls when a short lecture will be printed
+ lecture This option controls when a short lecture will be printed
along with the password prompt. It has the following
possible values:
Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
The default value is _\bo_\bn_\bc_\be.
- lecture_file
- Path to a file containing an alternate s\bsu\bud\bdo\bo lecture that
+ lecture_file Path to a file containing an alternate s\bsu\bud\bdo\bo lecture that
will be used in place of the standard lecture if the named
file exists. By default, s\bsu\bud\bdo\bo uses a built-in lecture.
- listpw This option controls when a password will be required when
+ listpw This option controls when a password will be required when
a user runs s\bsu\bud\bdo\bo with the -\b-l\bl option. It has the following
possible values:
- all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the current host
- must have the NOPASSWD flag set to avoid entering a
- password.
+ all All the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the current
+ host must have the NOPASSWD flag set to avoid
+ entering a password.
- always The user must always enter a password to use the -\b-l\bl
- option.
+ always The user must always enter a password to use the
+ -\b-l\bl option.
- any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for the
- current host must have the NOPASSWD flag set to
- avoid entering a password.
+ any At least one of the user's _\bs_\bu_\bd_\bo_\be_\br_\bs entries for
+ the current host must have the NOPASSWD flag set
+ to avoid entering a password.
- never The user need never enter a password to use the -\b-l\bl
- option.
+ never The user need never enter a password to use the
+ -\b-l\bl option.
If no value is specified, a value of _\ba_\bn_\by is implied.
Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
The default value is _\ba_\bn_\by.
- logfile Path to the s\bsu\bud\bdo\bo log file (not the syslog log file).
+ logfile Path to the s\bsu\bud\bdo\bo log file (not the syslog log file).
Setting a path turns on logging to a file; negating this
option turns it off. By default, s\bsu\bud\bdo\bo logs via syslog.
- mailerflags Flags to use when invoking mailer. Defaults to -\b-t\bt.
+ mailerflags Flags to use when invoking mailer. Defaults to -\b-t\bt.
- mailerpath Path to mail program used to send warning mail. Defaults
+ mailerpath Path to mail program used to send warning mail. Defaults
to the path to sendmail found at configure time.
- mailfrom Address to use for the "from" address when sending warning
- and error mail. The address should be enclosed in double
- quotes ("") to protect against s\bsu\bud\bdo\bo interpreting the @
- sign. Defaults to the name of the user running s\bsu\bud\bdo\bo.
+ mailfrom Address to use for the ``from'' address when sending
+ warning and error mail. The address should be enclosed in
+ double quotes ("") to protect against s\bsu\bud\bdo\bo interpreting the
+ @ sign. Defaults to the name of the user running s\bsu\bud\bdo\bo.
- mailto Address to send warning and error mail to. The address
+ mailto Address to send warning and error mail to. The address
should be enclosed in double quotes ("") to protect against
s\bsu\bud\bdo\bo interpreting the @ sign. Defaults to root.
- secure_path Path used for every command run from s\bsu\bud\bdo\bo. If you don't
+ secure_path Path used for every command run from s\bsu\bud\bdo\bo. If you don't
trust the people running s\bsu\bud\bdo\bo to have a sane PATH
environment variable you may want to use this. Another use
- is if you want to have the "root path" be separate from the
- "user path." Users in the group specified by the
+ is if you want to have the ``root path'' be separate from
+ the ``user path''. Users in the group specified by the
_\be_\bx_\be_\bm_\bp_\bt_\b__\bg_\br_\bo_\bu_\bp option are not affected by _\bs_\be_\bc_\bu_\br_\be_\b__\bp_\ba_\bt_\bh. This
option is not set by default.
- syslog Syslog facility if syslog is being used for logging (negate
+ syslog Syslog facility if syslog is being used for logging (negate
to disable syslog logging). Defaults to auth.
The following syslog facilities are supported: a\bau\but\bth\bhp\bpr\bri\biv\bv (if
your OS supports it), a\bau\but\bth\bh, d\bda\bae\bem\bmo\bon\bn, u\bus\bse\ber\br, l\blo\boc\bca\bal\bl0\b0, l\blo\boc\bca\bal\bl1\b1,
l\blo\boc\bca\bal\bl2\b2, l\blo\boc\bca\bal\bl3\b3, l\blo\boc\bca\bal\bl4\b4, l\blo\boc\bca\bal\bl5\b5, l\blo\boc\bca\bal\bl6\b6, and l\blo\boc\bca\bal\bl7\b7.
- verifypw This option controls when a password will be required when
+ verifypw This option controls when a password will be required when
a user runs s\bsu\bud\bdo\bo with the -\b-v\bv option. It has the following
possible values:
Negating the option results in a value of _\bn_\be_\bv_\be_\br being used.
The default value is _\ba_\bl_\bl.
- L\bLi\bis\bst\bts\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
+ L\bLi\bis\bst\bts\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
- env_check Environment variables to be removed from the user's
- environment if the variable's value contains % or /
+ env_check Environment variables to be removed from the user's
+ environment if the variable's value contains `%' or `/'
characters. This can be used to guard against printf-
style format vulnerabilities in poorly-written
programs. The argument may be a double-quoted, space-
environment variables to check is displayed when s\bsu\bud\bdo\bo
is run by root with the -\b-V\bV option.
- env_delete Environment variables to be removed from the user's
+ env_delete Environment variables to be removed from the user's
environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is not in effect.
The argument may be a double-quoted, space-separated
list or a single value without double-quotes. The list
potentially dangerous variables from the environment of
any setuid process (such as s\bsu\bud\bdo\bo).
- env_keep Environment variables to be preserved in the user's
+ env_keep Environment variables to be preserved in the user's
environment when the _\be_\bn_\bv_\b__\br_\be_\bs_\be_\bt option is in effect.
This allows fine-grained control over the environment
s\bsu\bud\bdo\bo-spawned processes will receive. The argument may
with the -\b-V\bV option.
F\bFI\bIL\bLE\bES\bS
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
- _\b/_\be_\bt_\bc_\b/_\bg_\br_\bo_\bu_\bp Local groups file
+ _\b/_\be_\bt_\bc_\b/_\bg_\br_\bo_\bu_\bp Local groups file
- _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bg_\br_\bo_\bu_\bp List of network groups
+ _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bg_\br_\bo_\bu_\bp List of network groups
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo I/O log files
+ _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo I/O log files
E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
- Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of these are a bit
- contrived. First, we allow a few environment variables to pass and
- then define our _\ba_\bl_\bi_\ba_\bs_\be_\bs:
-
- # Run X applications through sudo; HOME is used to find the
- # .Xauthority file. Note that other programs use HOME to find
- # configuration files and this may lead to privilege escalation!
- Defaults env_keep += "DISPLAY HOME"
-
- # User alias specification
- User_Alias FULLTIMERS = millert, mikef, dowdy
- User_Alias PARTTIMERS = bostley, jwfox, crawl
- User_Alias WEBMASTERS = will, wendy, wim
-
- # Runas alias specification
- Runas_Alias OP = root, operator
- Runas_Alias DB = oracle, sybase
- Runas_Alias ADMINGRP = adm, oper
-
- # Host alias specification
- Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
- SGI = grolsch, dandelion, black :\
- ALPHA = widget, thalamus, foobar :\
- HPPA = boa, nag, python
- Host_Alias CUNETS = 128.138.0.0/255.255.0.0
- Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
- Host_Alias SERVERS = master, mail, www, ns
- Host_Alias CDROM = orion, perseus, hercules
-
- # Cmnd alias specification
- Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
- /usr/sbin/restore, /usr/sbin/rrestore
- Cmnd_Alias KILL = /usr/bin/kill
- Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
- Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
- Cmnd_Alias HALT = /usr/sbin/halt
- Cmnd_Alias REBOOT = /usr/sbin/reboot
- Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\
- /usr/local/bin/tcsh, /usr/bin/rsh,\
- /usr/local/bin/zsh
- Cmnd_Alias SU = /usr/bin/su
- Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
+ Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of these are a bit
+ contrived. First, we allow a few environment variables to pass and then
+ define our _\ba_\bl_\bi_\ba_\bs_\be_\bs:
+
+ # Run X applications through sudo; HOME is used to find the
+ # .Xauthority file. Note that other programs use HOME to find
+ # configuration files and this may lead to privilege escalation!
+ Defaults env_keep += "DISPLAY HOME"
+
+ # User alias specification
+ User_Alias FULLTIMERS = millert, mikef, dowdy
+ User_Alias PARTTIMERS = bostley, jwfox, crawl
+ User_Alias WEBMASTERS = will, wendy, wim
+
+ # Runas alias specification
+ Runas_Alias OP = root, operator
+ Runas_Alias DB = oracle, sybase
+ Runas_Alias ADMINGRP = adm, oper
+
+ # Host alias specification
+ Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
+ SGI = grolsch, dandelion, black :\
+ ALPHA = widget, thalamus, foobar :\
+ HPPA = boa, nag, python
+ Host_Alias CUNETS = 128.138.0.0/255.255.0.0
+ Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
+ Host_Alias SERVERS = master, mail, www, ns
+ Host_Alias CDROM = orion, perseus, hercules
+
+ # Cmnd alias specification
+ Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
+ /usr/sbin/restore, /usr/sbin/rrestore
+ Cmnd_Alias KILL = /usr/bin/kill
+ Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
+ Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
+ Cmnd_Alias HALT = /usr/sbin/halt
+ Cmnd_Alias REBOOT = /usr/sbin/reboot
+ Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\
+ /usr/local/bin/tcsh, /usr/bin/rsh,\
+ /usr/local/bin/zsh
+ Cmnd_Alias SU = /usr/bin/su
+ Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
- Here we override some of the compiled in default values. We want s\bsu\bud\bdo\bo
- to log via _\bs_\by_\bs_\bl_\bo_\bg(3) using the _\ba_\bu_\bt_\bh facility in all cases. We don't
- want to subject the full time staff to the s\bsu\bud\bdo\bo lecture, user m\bmi\bil\bll\ble\ber\brt\bt
- need not give a password, and we don't want to reset the LOGNAME, USER
- or USERNAME environment variables when running commands as root.
- Additionally, on the machines in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, we keep an
- additional local log file and make sure we log the year in each log
- line since the log entries will be kept around for several years.
- Lastly, we disable shell escapes for the commands in the PAGERS
- Cmnd_Alias (_\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be, _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bp_\bg and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\be_\bs_\bs).
+ Here we override some of the compiled in default values. We want s\bsu\bud\bdo\bo to
+ log via syslog(3) using the _\ba_\bu_\bt_\bh facility in all cases. We don't want to
+ subject the full time staff to the s\bsu\bud\bdo\bo lecture, user m\bmi\bil\bll\ble\ber\brt\bt need not
+ give a password, and we don't want to reset the LOGNAME, USER or USERNAME
+ environment variables when running commands as root. Additionally, on
+ the machines in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, we keep an additional local log
+ file and make sure we log the year in each log line since the log entries
+ will be kept around for several years. Lastly, we disable shell escapes
+ for the commands in the PAGERS Cmnd_Alias (_\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be, _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bp_\bg and
+ _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\be_\bs_\bs).
- # Override built-in defaults
- Defaults syslog=auth
- Defaults>root !set_logname
- Defaults:FULLTIMERS !lecture
- Defaults:millert !authenticate
- Defaults@SERVERS log_year, logfile=/var/log/sudo.log
- Defaults!PAGERS noexec
+ # Override built-in defaults
+ Defaults syslog=auth
+ Defaults>root !set_logname
+ Defaults:FULLTIMERS !lecture
+ Defaults:millert !authenticate
+ Defaults@SERVERS log_year, logfile=/var/log/sudo.log
+ Defaults!PAGERS noexec
- The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually determines who may run
- what.
+ The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually determines who may run
+ what.
- root ALL = (ALL) ALL
- %wheel ALL = (ALL) ALL
+ root ALL = (ALL) ALL
+ %wheel ALL = (ALL) ALL
- We let r\bro\boo\bot\bt and any user in group w\bwh\bhe\bee\bel\bl run any command on any host as
- any user.
+ We let r\bro\boo\bot\bt and any user in group w\bwh\bhe\bee\bel\bl run any command on any host as
+ any user.
- FULLTIMERS ALL = NOPASSWD: ALL
+ FULLTIMERS ALL = NOPASSWD: ALL
- Full time sysadmins (m\bmi\bil\bll\ble\ber\brt\bt, m\bmi\bik\bke\bef\bf, and d\bdo\bow\bwd\bdy\by) may run any command on
- any host without authenticating themselves.
+ Full time sysadmins (m\bmi\bil\bll\ble\ber\brt\bt, m\bmi\bik\bke\bef\bf, and d\bdo\bow\bwd\bdy\by) may run any command on
+ any host without authenticating themselves.
- PARTTIMERS ALL = ALL
+ PARTTIMERS ALL = ALL
- Part time sysadmins (b\bbo\bos\bst\btl\ble\bey\by, j\bjw\bwf\bfo\box\bx, and c\bcr\bra\baw\bwl\bl) may run any command on
- any host but they must authenticate themselves first (since the entry
- lacks the NOPASSWD tag).
+ Part time sysadmins b\bbo\bos\bst\btl\ble\bey\by, j\bjw\bwf\bfo\box\bx, and c\bcr\bra\baw\bwl\bl) may run any command on any
+ host but they must authenticate themselves first (since the entry lacks
+ the NOPASSWD tag).
- jack CSNETS = ALL
+ jack CSNETS = ALL
- The user j\bja\bac\bck\bk may run any command on the machines in the _\bC_\bS_\bN_\bE_\bT_\bS alias
- (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of
- those networks, only 128.138.204.0 has an explicit netmask (in CIDR
- notation) indicating it is a class C network. For the other networks
- in _\bC_\bS_\bN_\bE_\bT_\bS, the local machine's netmask will be used during matching.
+ The user j\bja\bac\bck\bk may run any command on the machines in the _\bC_\bS_\bN_\bE_\bT_\bS alias
+ (the networks 128.138.243.0, 128.138.204.0, and 128.138.242.0). Of those
+ networks, only 128.138.204.0 has an explicit netmask (in CIDR notation)
+ indicating it is a class C network. For the other networks in _\bC_\bS_\bN_\bE_\bT_\bS,
+ the local machine's netmask will be used during matching.
- lisa CUNETS = ALL
+ lisa CUNETS = ALL
- The user l\bli\bis\bsa\ba may run any command on any host in the _\bC_\bU_\bN_\bE_\bT_\bS alias (the
- class B network 128.138.0.0).
+ The user l\bli\bis\bsa\ba may run any command on any host in the _\bC_\bU_\bN_\bE_\bT_\bS alias (the
+ class B network 128.138.0.0).
- operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
- sudoedit /etc/printcap, /usr/oper/bin/
+ operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
+ sudoedit /etc/printcap, /usr/oper/bin/
- The o\bop\bpe\ber\bra\bat\bto\bor\br user may run commands limited to simple maintenance.
- Here, those are commands related to backups, killing processes, the
- printing system, shutting down the system, and any commands in the
- directory _\b/_\bu_\bs_\br_\b/_\bo_\bp_\be_\br_\b/_\bb_\bi_\bn_\b/.
+ The o\bop\bpe\ber\bra\bat\bto\bor\br user may run commands limited to simple maintenance. Here,
+ those are commands related to backups, killing processes, the printing
+ system, shutting down the system, and any commands in the directory
+ _\b/_\bu_\bs_\br_\b/_\bo_\bp_\be_\br_\b/_\bb_\bi_\bn_\b/.
- joe ALL = /usr/bin/su operator
+ joe ALL = /usr/bin/su operator
- The user j\bjo\boe\be may only _\bs_\bu(1) to operator.
+ The user j\bjo\boe\be may only su(1) to operator.
- pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
+ pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
- %opers ALL = (: ADMINGRP) /usr/sbin/
+ %opers ALL = (: ADMINGRP) /usr/sbin/
- Users in the o\bop\bpe\ber\brs\bs group may run commands in _\b/_\bu_\bs_\br_\b/_\bs_\bb_\bi_\bn_\b/ as themselves
- with any group in the _\bA_\bD_\bM_\bI_\bN_\bG_\bR_\bP Runas_Alias (the a\bad\bdm\bm and o\bop\bpe\ber\br groups).
+ Users in the o\bop\bpe\ber\brs\bs group may run commands in _\b/_\bu_\bs_\br_\b/_\bs_\bb_\bi_\bn_\b/ as themselves
+ with any group in the _\bA_\bD_\bM_\bI_\bN_\bG_\bR_\bP Runas_Alias (the a\bad\bdm\bm and o\bop\bpe\ber\br groups).
- The user p\bpe\bet\bte\be is allowed to change anyone's password except for root on
- the _\bH_\bP_\bP_\bA machines. Note that this assumes _\bp_\ba_\bs_\bs_\bw_\bd(1) does not take
- multiple user names on the command line.
+ The user p\bpe\bet\bte\be is allowed to change anyone's password except for root on
+ the _\bH_\bP_\bP_\bA machines. Note that this assumes passwd(1) does not take
+ multiple user names on the command line.
- bob SPARC = (OP) ALL : SGI = (OP) ALL
+ bob SPARC = (OP) ALL : SGI = (OP) ALL
- The user b\bbo\bob\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI machines as any user
- listed in the _\bO_\bP Runas_Alias (r\bro\boo\bot\bt and o\bop\bpe\ber\bra\bat\bto\bor\br).
+ The user b\bbo\bob\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI machines as any user
+ listed in the _\bO_\bP Runas_Alias (r\bro\boo\bot\bt and o\bop\bpe\ber\bra\bat\bto\bor\br.)
- jim +biglab = ALL
+ jim +biglab = ALL
- The user j\bji\bim\bm may run any command on machines in the _\bb_\bi_\bg_\bl_\ba_\bb netgroup.
- s\bsu\bud\bdo\bo knows that "biglab" is a netgroup due to the '+' prefix.
+ The user j\bji\bim\bm may run any command on machines in the _\bb_\bi_\bg_\bl_\ba_\bb netgroup.
+ s\bsu\bud\bdo\bo knows that ``biglab'' is a netgroup due to the `+' prefix.
- +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
+ +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
- Users in the s\bse\bec\bcr\bre\bet\bta\bar\bri\bie\bes\bs netgroup need to help manage the printers as
- well as add and remove users, so they are allowed to run those commands
- on all machines.
+ Users in the s\bse\bec\bcr\bre\bet\bta\bar\bri\bie\bes\bs netgroup need to help manage the printers as
+ well as add and remove users, so they are allowed to run those commands
+ on all machines.
- fred ALL = (DB) NOPASSWD: ALL
+ fred ALL = (DB) NOPASSWD: ALL
- The user f\bfr\bre\bed\bd can run commands as any user in the _\bD_\bB Runas_Alias
- (o\bor\bra\bac\bcl\ble\be or s\bsy\byb\bba\bas\bse\be) without giving a password.
+ The user f\bfr\bre\bed\bd can run commands as any user in the _\bD_\bB Runas_Alias (o\bor\bra\bac\bcl\ble\be
+ or s\bsy\byb\bba\bas\bse\be) without giving a password.
- john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
+ john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
- On the _\bA_\bL_\bP_\bH_\bA machines, user j\bjo\boh\bhn\bn may su to anyone except root but he is
- not allowed to specify any options to the _\bs_\bu(1) command.
+ On the _\bA_\bL_\bP_\bH_\bA machines, user j\bjo\boh\bhn\bn may su to anyone except root but he is
+ not allowed to specify any options to the su(1) command.
- jen ALL, !SERVERS = ALL
+ jen ALL, !SERVERS = ALL
- The user j\bje\ben\bn may run any command on any machine except for those in the
- _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias (master, mail, www and ns).
+ The user j\bje\ben\bn may run any command on any machine except for those in the
+ _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias (master, mail, www and ns).
- jill SERVERS = /usr/bin/, !SU, !SHELLS
+ jill SERVERS = /usr/bin/, !SU, !SHELLS
- For any machine in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, j\bji\bil\bll\bl may run any commands in
- the directory _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/ except for those commands belonging to the _\bS_\bU
- and _\bS_\bH_\bE_\bL_\bL_\bS Cmnd_Aliases.
+ For any machine in the _\bS_\bE_\bR_\bV_\bE_\bR_\bS Host_Alias, j\bji\bil\bll\bl may run any commands in
+ the directory _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/ except for those commands belonging to the _\bS_\bU and
+ _\bS_\bH_\bE_\bL_\bL_\bS Cmnd_Aliases.
- steve CSNETS = (operator) /usr/local/op_commands/
+ steve CSNETS = (operator) /usr/local/op_commands/
- The user s\bst\bte\bev\bve\be may run any command in the directory
- /usr/local/op_commands/ but only as user operator.
+ The user s\bst\bte\bev\bve\be may run any command in the directory
+ /usr/local/op_commands/ but only as user operator.
- matt valkyrie = KILL
+ matt valkyrie = KILL
- On his personal workstation, valkyrie, m\bma\bat\btt\bt needs to be able to kill
- hung processes.
+ On his personal workstation, valkyrie, m\bma\bat\btt\bt needs to be able to kill hung
+ processes.
- WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
+ WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
- On the host www, any user in the _\bW_\bE_\bB_\bM_\bA_\bS_\bT_\bE_\bR_\bS User_Alias (will, wendy,
- and wim), may run any command as user www (which owns the web pages) or
- simply _\bs_\bu(1) to www.
+ On the host www, any user in the _\bW_\bE_\bB_\bM_\bA_\bS_\bT_\bE_\bR_\bS User_Alias (will, wendy, and
+ wim), may run any command as user www (which owns the web pages) or
+ simply su(1) to www.
- ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
- /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
+ ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
+ /sbin/mount -o nosuid,nodev /dev/cd0a /CDROM
- Any user may mount or unmount a CD-ROM on the machines in the CDROM
- Host_Alias (orion, perseus, hercules) without entering a password.
- This is a bit tedious for users to type, so it is a prime candidate for
- encapsulating in a shell script.
+ Any user may mount or unmount a CD-ROM on the machines in the CDROM
+ Host_Alias (orion, perseus, hercules) without entering a password. This
+ is a bit tedious for users to type, so it is a prime candidate for
+ encapsulating in a shell script.
S\bSE\bEC\bCU\bUR\bRI\bIT\bTY\bY N\bNO\bOT\bTE\bES\bS
- It is generally not effective to "subtract" commands from ALL using the
- '!' operator. A user can trivially circumvent this by copying the
- desired command to a different name and then executing that. For
- example:
-
- bill ALL = ALL, !SU, !SHELLS
-
- Doesn't really prevent b\bbi\bil\bll\bl from running the commands listed in _\bS_\bU or
- _\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those commands to a different name, or
- use a shell escape from an editor or other program. Therefore, these
- kind of restrictions should be considered advisory at best (and
- reinforced by policy).
-
- Furthermore, if the _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb option is in use, it is not possible to
- reliably negate commands where the path name includes globbing (aka
- wildcard) characters. This is because the C library's _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3)
- function cannot resolve relative paths. While this is typically only
- an inconvenience for rules that grant privileges, it can result in a
- security issue for rules that subtract or revoke privileges.
-
- For example, given the following _\bs_\bu_\bd_\bo_\be_\br_\bs entry:
-
- john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\
- /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
-
- User j\bjo\boh\bhn\bn can still run /usr/bin/passwd root if _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is enabled by
- changing to _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn and running ./passwd root instead.
-
-P\bPR\bRE\bEV\bVE\bEN\bNT\bTI\bIN\bNG\bG S\bSH\bHE\bEL\bLL\bL E\bES\bSC\bCA\bAP\bPE\bES\bS
- Once s\bsu\bud\bdo\bo executes a program, that program is free to do whatever it
- pleases, including run other programs. This can be a security issue
- since it is not uncommon for a program to allow shell escapes, which
- lets a user bypass s\bsu\bud\bdo\bo's access control and logging. Common programs
- that permit shell escapes include shells (obviously), editors,
- paginators, mail and terminal programs.
-
- There are two basic approaches to this problem:
-
- restrict Avoid giving users access to commands that allow the user to
- run arbitrary commands. Many editors have a restricted mode
- where shell escapes are disabled, though s\bsu\bud\bdo\boe\bed\bdi\bit\bt is a better
- solution to running editors via s\bsu\bud\bdo\bo. Due to the large
- number of programs that offer shell escapes, restricting
- users to the set of programs that do not is often unworkable.
-
- noexec Many systems that support shared libraries have the ability
- to override default library functions by pointing an
- environment variable (usually LD_PRELOAD) to an alternate
- shared library. On such systems, s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality
- can be used to prevent a program run by s\bsu\bud\bdo\bo from executing
- any other programs. Note, however, that this applies only to
- native dynamically-linked executables. Statically-linked
- executables and foreign executables running under binary
- emulation are not affected.
-
- To tell whether or not s\bsu\bud\bdo\bo supports _\bn_\bo_\be_\bx_\be_\bc, you can run the
- following as root:
-
- sudo -V | grep "dummy exec"
-
- If the resulting output contains a line that begins with:
-
- File containing dummy exec functions:
-
- then s\bsu\bud\bdo\bo may be able to replace the exec family of functions
- in the standard library with its own that simply return an
- error. Unfortunately, there is no foolproof way to know
- whether or not _\bn_\bo_\be_\bx_\be_\bc will work at compile-time. _\bn_\bo_\be_\bx_\be_\bc
- should work on SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX,
- MacOS X, and HP-UX 11.x. It is known n\bno\bot\bt to work on AIX and
- UnixWare. _\bn_\bo_\be_\bx_\be_\bc is expected to work on most operating
- systems that support the LD_PRELOAD environment variable.
- Check your operating system's manual pages for the dynamic
- linker (usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader)
- to see if LD_PRELOAD is supported.
-
- To enable _\bn_\bo_\be_\bx_\be_\bc for a command, use the NOEXEC tag as
- documented in the User Specification section above. Here is
- that example again:
-
- aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
-
- This allows user a\baa\bar\bro\bon\bn to run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi
- with _\bn_\bo_\be_\bx_\be_\bc enabled. This will prevent those two commands
- from executing other commands (such as a shell). If you are
- unsure whether or not your system is capable of supporting
- _\bn_\bo_\be_\bx_\be_\bc you can always just try it out and see if it works.
-
- Note that restricting shell escapes is not a panacea. Programs running
- as root are still capable of many potentially hazardous operations
- (such as changing or overwriting files) that could lead to unintended
- privilege escalation. In the specific case of an editor, a safer
- approach is to give the user permission to run s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
+ L\bLi\bim\bmi\bit\bta\bat\bti\bio\bon\bns\bs o\bof\bf t\bth\bhe\be `\b`!\b!'\b' o\bop\bpe\ber\bra\bat\bto\bor\br
+ It is generally not effective to ``subtract'' commands from A\bAL\bLL\bL using the
+ `!' operator. A user can trivially circumvent this by copying the
+ desired command to a different name and then executing that. For
+ example:
+
+ bill ALL = ALL, !SU, !SHELLS
+
+ Doesn't really prevent b\bbi\bil\bll\bl from running the commands listed in _\bS_\bU or
+ _\bS_\bH_\bE_\bL_\bL_\bS since he can simply copy those commands to a different name, or
+ use a shell escape from an editor or other program. Therefore, these
+ kind of restrictions should be considered advisory at best (and
+ reinforced by policy).
+
+ In general, if a user has sudo A\bAL\bLL\bL there is nothing to prevent them from
+ creating their own program that gives them a root shell (or making their
+ own copy of a shell) regardless of any `!' elements in the user
+ specification.
+
+ S\bSe\bec\bcu\bur\bri\bit\bty\by i\bim\bmp\bpl\bli\bic\bca\bat\bti\bio\bon\bns\bs o\bof\bf _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb
+ If the _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb option is in use, it is not possible to reliably negate
+ commands where the path name includes globbing (aka wildcard) characters.
+ This is because the C library's fnmatch(3) function cannot resolve
+ relative paths. While this is typically only an inconvenience for rules
+ that grant privileges, it can result in a security issue for rules that
+ subtract or revoke privileges.
+
+ For example, given the following _\bs_\bu_\bd_\bo_\be_\br_\bs entry:
+
+ john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\
+ /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
+
+ User j\bjo\boh\bhn\bn can still run /usr/bin/passwd root if _\bf_\ba_\bs_\bt_\b__\bg_\bl_\bo_\bb is enabled by
+ changing to _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn and running ./passwd root instead.
+
+ P\bPr\bre\bev\bve\ben\bnt\bti\bin\bng\bg S\bSh\bhe\bel\bll\bl E\bEs\bsc\bca\bap\bpe\bes\bs
+ Once s\bsu\bud\bdo\bo executes a program, that program is free to do whatever it
+ pleases, including run other programs. This can be a security issue
+ since it is not uncommon for a program to allow shell escapes, which lets
+ a user bypass s\bsu\bud\bdo\bo's access control and logging. Common programs that
+ permit shell escapes include shells (obviously), editors, paginators,
+ mail and terminal programs.
+
+ There are two basic approaches to this problem:
+
+ restrict Avoid giving users access to commands that allow the user to
+ run arbitrary commands. Many editors have a restricted mode
+ where shell escapes are disabled, though s\bsu\bud\bdo\boe\bed\bdi\bit\bt is a better
+ solution to running editors via s\bsu\bud\bdo\bo. Due to the large number
+ of programs that offer shell escapes, restricting users to the
+ set of programs that do not is often unworkable.
+
+ noexec Many systems that support shared libraries have the ability to
+ override default library functions by pointing an environment
+ variable (usually LD_PRELOAD) to an alternate shared library.
+ On such systems, s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality can be used to
+ prevent a program run by s\bsu\bud\bdo\bo from executing any other
+ programs. Note, however, that this applies only to native
+ dynamically-linked executables. Statically-linked executables
+ and foreign executables running under binary emulation are not
+ affected.
+
+ The _\bn_\bo_\be_\bx_\be_\bc feature is known to work on SunOS, Solaris, *BSD,
+ Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and
+ above. It should be supported on most operating systems that
+ support the LD_PRELOAD environment variable. Check your
+ operating system's manual pages for the dynamic linker (usually
+ ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
+ LD_PRELOAD is supported.
+
+ On Solaris 10 and higher, _\bn_\bo_\be_\bx_\be_\bc uses Solaris privileges
+ instead of the LD_PRELOAD environment variable.
+
+ To enable _\bn_\bo_\be_\bx_\be_\bc for a command, use the NOEXEC tag as
+ documented in the User Specification section above. Here is
+ that example again:
+
+ aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+
+ This allows user a\baa\bar\bro\bon\bn to run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi
+ with _\bn_\bo_\be_\bx_\be_\bc enabled. This will prevent those two commands from
+ executing other commands (such as a shell). If you are unsure
+ whether or not your system is capable of supporting _\bn_\bo_\be_\bx_\be_\bc you
+ can always just try it out and check whether shell escapes work
+ when _\bn_\bo_\be_\bx_\be_\bc is enabled.
+
+ Note that restricting shell escapes is not a panacea. Programs running
+ as root are still capable of many potentially hazardous operations (such
+ as changing or overwriting files) that could lead to unintended privilege
+ escalation. In the specific case of an editor, a safer approach is to
+ give the user permission to run s\bsu\bud\bdo\boe\bed\bdi\bit\bt.
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\br_\bs_\bh(1), _\bs_\bu(1), _\bf_\bn_\bm_\ba_\bt_\bc_\bh(3), _\bg_\bl_\bo_\bb(3), _\bs_\bu_\bd_\bo(1m), _\bv_\bi_\bs_\bu_\bd_\bo(8)
+ ssh(1), su(1), fnmatch(3), glob(3), mktemp(3), strftime(3),
+ sudoers.ldap(4), sudo(1m), visudo(1m)
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
- The _\bs_\bu_\bd_\bo_\be_\br_\bs file should a\bal\blw\bwa\bay\bys\bs be edited by the v\bvi\bis\bsu\bud\bdo\bo command which
- locks the file and does grammatical checking. It is imperative that
- _\bs_\bu_\bd_\bo_\be_\br_\bs be free of syntax errors since s\bsu\bud\bdo\bo will not run with a
- syntactically incorrect _\bs_\bu_\bd_\bo_\be_\br_\bs file.
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs file should a\bal\blw\bwa\bay\bys\bs be edited by the v\bvi\bis\bsu\bud\bdo\bo command which
+ locks the file and does grammatical checking. It is imperative that
+ _\bs_\bu_\bd_\bo_\be_\br_\bs be free of syntax errors since s\bsu\bud\bdo\bo will not run with a
+ syntactically incorrect _\bs_\bu_\bd_\bo_\be_\br_\bs file.
- When using netgroups of machines (as opposed to users), if you store
- fully qualified host name in the netgroup (as is usually the case), you
- either need to have the machine's host name be fully qualified as
- returned by the hostname command or use the _\bf_\bq_\bd_\bn option in _\bs_\bu_\bd_\bo_\be_\br_\bs.
+ When using netgroups of machines (as opposed to users), if you store
+ fully qualified host name in the netgroup (as is usually the case), you
+ either need to have the machine's host name be fully qualified as
+ returned by the hostname command or use the _\bf_\bq_\bd_\bn option in _\bs_\bu_\bd_\bo_\be_\br_\bs.
B\bBU\bUG\bGS\bS
- If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
- http://www.sudo.ws/sudo/bugs/
+ If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
+ http://www.sudo.ws/sudo/bugs/
S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Limited free support is available via the sudo-users mailing list, see
- http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
- the archives.
+ Limited free support is available via the sudo-users mailing list, see
+ http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
+ archives.
D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
- including, but not limited to, the implied warranties of
- merchantability and fitness for a particular purpose are disclaimed.
- See the LICENSE file distributed with s\bsu\bud\bdo\bo or
- http://www.sudo.ws/sudo/license.html for complete details.
-
-
+ s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
+ including, but not limited to, the implied warranties of merchantability
+ and fitness for a particular purpose are disclaimed. See the LICENSE
+ file distributed with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for
+ complete details.
-1.7.10 July 18, 2012 SUDOERS(4)
+Sudo 1.7.10 July 16, 2012 Sudo 1.7.10
-SUDOERS.LDAP(4) MAINTENANCE COMMANDS SUDOERS.LDAP(4)
-
-
+SUDOERS.LDAP(1m) System Manager's Manual SUDOERS.LDAP(1m)
N\bNA\bAM\bME\bE
- sudoers.ldap - sudo LDAP configuration
+ s\bsu\bud\bdo\boe\ber\brs\bs.\b.l\bld\bda\bap\bp - sudo LDAP configuration
D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- In addition to the standard _\bs_\bu_\bd_\bo_\be_\br_\bs file, s\bsu\bud\bdo\bo may be configured via
- LDAP. This can be especially useful for synchronizing _\bs_\bu_\bd_\bo_\be_\br_\bs in a
- large, distributed environment.
-
- Using LDAP for _\bs_\bu_\bd_\bo_\be_\br_\bs has several benefits:
-
- o s\bsu\bud\bdo\bo no longer needs to read _\bs_\bu_\bd_\bo_\be_\br_\bs in its entirety. When LDAP is
- used, there are only two or three LDAP queries per invocation.
- This makes it especially fast and particularly usable in LDAP
- environments.
-
- o s\bsu\bud\bdo\bo no longer exits if there is a typo in _\bs_\bu_\bd_\bo_\be_\br_\bs. It is not
- possible to load LDAP data into the server that does not conform to
- the sudoers schema, so proper syntax is guaranteed. It is still
- possible to have typos in a user or host name, but this will not
- prevent s\bsu\bud\bdo\bo from running.
-
- o It is possible to specify per-entry options that override the
- global default options. _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs only supports default options
- and limited options associated with user/host/commands/aliases.
- The syntax is complicated and can be difficult for users to
- understand. Placing the options directly in the entry is more
- natural.
-
- o The v\bvi\bis\bsu\bud\bdo\bo program is no longer needed. v\bvi\bis\bsu\bud\bdo\bo provides locking
- and syntax checking of the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs file. Since LDAP updates
- are atomic, locking is no longer necessary. Because syntax is
- checked when the data is inserted into LDAP, there is no need for a
- specialized tool to check syntax.
-
- Another major difference between LDAP and file-based _\bs_\bu_\bd_\bo_\be_\br_\bs is that in
- LDAP, s\bsu\bud\bdo\bo-specific Aliases are not supported.
-
- For the most part, there is really no need for s\bsu\bud\bdo\bo-specific Aliases.
- Unix groups or user netgroups can be used in place of User_Aliases and
- Runas_Aliases. Host netgroups can be used in place of Host_Aliases.
- Since Unix groups and netgroups can also be stored in LDAP there is no
- real need for s\bsu\bud\bdo\bo-specific aliases.
-
- Cmnd_Aliases are not really required either since it is possible to
- have multiple users listed in a sudoRole. Instead of defining a
- Cmnd_Alias that is referenced by multiple users, one can create a
- sudoRole that contains the commands and assign multiple users to it.
+ In addition to the standard _\bs_\bu_\bd_\bo_\be_\br_\bs file, s\bsu\bud\bdo\bo may be configured via
+ LDAP. This can be especially useful for synchronizing _\bs_\bu_\bd_\bo_\be_\br_\bs in a
+ large, distributed environment.
+
+ Using LDAP for _\bs_\bu_\bd_\bo_\be_\br_\bs has several benefits:
+
+ o\bo s\bsu\bud\bdo\bo no longer needs to read _\bs_\bu_\bd_\bo_\be_\br_\bs in its entirety. When LDAP is
+ used, there are only two or three LDAP queries per invocation. This
+ makes it especially fast and particularly usable in LDAP
+ environments.
+
+ o\bo s\bsu\bud\bdo\bo no longer exits if there is a typo in _\bs_\bu_\bd_\bo_\be_\br_\bs. It is not
+ possible to load LDAP data into the server that does not conform to
+ the sudoers schema, so proper syntax is guaranteed. It is still
+ possible to have typos in a user or host name, but this will not
+ prevent s\bsu\bud\bdo\bo from running.
+
+ o\bo It is possible to specify per-entry options that override the global
+ default options. _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs only supports default options and
+ limited options associated with user/host/commands/aliases. The
+ syntax is complicated and can be difficult for users to understand.
+ Placing the options directly in the entry is more natural.
+
+ o\bo The v\bvi\bis\bsu\bud\bdo\bo program is no longer needed. v\bvi\bis\bsu\bud\bdo\bo provides locking and
+ syntax checking of the _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs file. Since LDAP updates are
+ atomic, locking is no longer necessary. Because syntax is checked
+ when the data is inserted into LDAP, there is no need for a
+ specialized tool to check syntax.
+
+ Another major difference between LDAP and file-based _\bs_\bu_\bd_\bo_\be_\br_\bs is that in
+ LDAP, s\bsu\bud\bdo\bo-specific Aliases are not supported.
+
+ For the most part, there is really no need for s\bsu\bud\bdo\bo-specific Aliases.
+ Unix groups or user netgroups can be used in place of User_Aliases and
+ Runas_Aliases. Host netgroups can be used in place of Host_Aliases.
+ Since Unix groups and netgroups can also be stored in LDAP there is no
+ real need for s\bsu\bud\bdo\bo-specific aliases.
+
+ Cmnd_Aliases are not really required either since it is possible to have
+ multiple users listed in a sudoRole. Instead of defining a Cmnd_Alias
+ that is referenced by multiple users, one can create a sudoRole that
+ contains the commands and assign multiple users to it.
S\bSU\bUD\bDO\bOe\ber\brs\bs L\bLD\bDA\bAP\bP c\bco\bon\bnt\bta\bai\bin\bne\ber\br
- The _\bs_\bu_\bd_\bo_\be_\br_\bs configuration is contained in the ou=SUDOers LDAP
- container.
-
- Sudo first looks for the cn=default entry in the SUDOers container. If
- found, the multi-valued sudoOption attribute is parsed in the same
- manner as a global Defaults line in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. In the following
- example, the SSH_AUTH_SOCK variable will be preserved in the
- environment for all users.
-
- dn: cn=defaults,ou=SUDOers,dc=example,dc=com
- objectClass: top
- objectClass: sudoRole
- cn: defaults
- description: Default sudoOption's go here
- sudoOption: env_keep+=SSH_AUTH_SOCK
-
- The equivalent of a sudoer in LDAP is a sudoRole. It consists of the
- following attributes:
-
- s\bsu\bud\bdo\boU\bUs\bse\ber\br
- A user name, uid (prefixed with '#'), Unix group (prefixed with a
- '%') or user netgroup (prefixed with a '+').
-
- s\bsu\bud\bdo\boH\bHo\bos\bst\bt
+ The _\bs_\bu_\bd_\bo_\be_\br_\bs configuration is contained in the ou=SUDOers LDAP container.
+
+ Sudo first looks for the cn=default entry in the SUDOers container. If
+ found, the multi-valued sudoOption attribute is parsed in the same manner
+ as a global Defaults line in _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. In the following example, the
+ SSH_AUTH_SOCK variable will be preserved in the environment for all
+ users.
+
+ dn: cn=defaults,ou=SUDOers,dc=example,dc=com
+ objectClass: top
+ objectClass: sudoRole
+ cn: defaults
+ description: Default sudoOption's go here
+ sudoOption: env_keep+=SSH_AUTH_SOCK
+
+ The equivalent of a sudoer in LDAP is a sudoRole. It consists of the
+ following attributes:
+
+ s\bsu\bud\bdo\boU\bUs\bse\ber\br
+ A user name, user ID (prefixed with `#'), Unix group (prefixed with
+ `%'), Unix group ID (prefixed with `%#'), or user netgroup
+ (prefixed with `+').
+
+ s\bsu\bud\bdo\boH\bHo\bos\bst\bt
A host name, IP address, IP network, or host netgroup (prefixed
- with a '+'). The special value ALL will match any host.
+ with a `+'). The special value ALL will match any host.
- s\bsu\bud\bdo\boC\bCo\bom\bmm\bma\ban\bnd\bd
+ s\bsu\bud\bdo\boC\bCo\bom\bmm\bma\ban\bnd\bd
A Unix command with optional command line arguments, potentially
including globbing characters (aka wild cards). The special value
ALL will match any command. If a command is prefixed with an
- exclamation point '!', the user will be prohibited from running
+ exclamation point `!', the user will be prohibited from running
that command.
- s\bsu\bud\bdo\boO\bOp\bpt\bti\bio\bon\bn
+ s\bsu\bud\bdo\boO\bOp\bpt\bti\bio\bon\bn
Identical in function to the global options described above, but
specific to the sudoRole in which it resides.
- s\bsu\bud\bdo\boR\bRu\bun\bnA\bAs\bsU\bUs\bse\ber\br
- A user name or uid (prefixed with '#') that commands may be run as
- or a Unix group (prefixed with a '%') or user netgroup (prefixed
- with a '+') that contains a list of users that commands may be run
+ s\bsu\bud\bdo\boR\bRu\bun\bnA\bAs\bsU\bUs\bse\ber\br
+ A user name or uid (prefixed with `#') that commands may be run as
+ or a Unix group (prefixed with a `%') or user netgroup (prefixed
+ with a `+') that contains a list of users that commands may be run
as. The special value ALL will match any user.
The sudoRunAsUser attribute is only available in s\bsu\bud\bdo\bo versions
1.7.0 and higher. Older versions of s\bsu\bud\bdo\bo use the sudoRunAs
attribute instead.
- s\bsu\bud\bdo\boR\bRu\bun\bnA\bAs\bsG\bGr\bro\bou\bup\bp
- A Unix group or gid (prefixed with '#') that commands may be run
+ s\bsu\bud\bdo\boR\bRu\bun\bnA\bAs\bsG\bGr\bro\bou\bup\bp
+ A Unix group or gid (prefixed with `#') that commands may be run
as. The special value ALL will match any group.
The sudoRunAsGroup attribute is only available in s\bsu\bud\bdo\bo versions
1.7.0 and higher.
- s\bsu\bud\bdo\boN\bNo\bot\btB\bBe\bef\bfo\bor\bre\be
+ s\bsu\bud\bdo\boN\bNo\bot\btB\bBe\bef\bfo\bor\bre\be
A timestamp in the form yyyymmddHHMMSSZ that can be used to provide
a start date/time for when the sudoRole will be valid. If multiple
sudoNotBefore entries are present, the earliest is used. Note that
1.7.5 and higher and must be explicitly enabled via the
S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD option in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf.
- s\bsu\bud\bdo\boN\bNo\bot\btA\bAf\bft\bte\ber\br
+ s\bsu\bud\bdo\boN\bNo\bot\btA\bAf\bft\bte\ber\br
A timestamp in the form yyyymmddHHMMSSZ that indicates an
expiration date/time, after which the sudoRole will no longer be
valid. If multiple sudoNotBefore entries are present, the last one
and higher and must be explicitly enabled via the S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD
option in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf.
- s\bsu\bud\bdo\boO\bOr\brd\bde\ber\br
+ s\bsu\bud\bdo\boO\bOr\brd\bde\ber\br
The sudoRole entries retrieved from the LDAP directory have no
inherent order. The sudoOrder attribute is an integer (or floating
point value for LDAP servers that support it) that is used to sort
more closely mimic the behaviour of the sudoers file, where the of
the entries influences the result. If multiple entries match, the
entry with the highest sudoOrder attribute is chosen. This
- corresponds to the "last match" behavior of the sudoers file. If
+ corresponds to the ``last match'' behavior of the sudoers file. If
the sudoOrder attribute is not present, a value of 0 is assumed.
The sudoOrder attribute is only available in s\bsu\bud\bdo\bo versions 1.7.5
and higher.
- Each attribute listed above should contain a single value, but there
- may be multiple instances of each attribute type. A sudoRole must
- contain at least one sudoUser, sudoHost and sudoCommand.
+ Each attribute listed above should contain a single value, but there may
+ be multiple instances of each attribute type. A sudoRole must contain at
+ least one sudoUser, sudoHost and sudoCommand.
- The following example allows users in group wheel to run any command on
- any host via s\bsu\bud\bdo\bo:
+ The following example allows users in group wheel to run any command on
+ any host via s\bsu\bud\bdo\bo:
- dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
- objectClass: top
- objectClass: sudoRole
- cn: %wheel
- sudoUser: %wheel
- sudoHost: ALL
- sudoCommand: ALL
+ dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
+ objectClass: top
+ objectClass: sudoRole
+ cn: %wheel
+ sudoUser: %wheel
+ sudoHost: ALL
+ sudoCommand: ALL
A\bAn\bna\bat\bto\bom\bmy\by o\bof\bf L\bLD\bDA\bAP\bP s\bsu\bud\bdo\boe\ber\brs\bs l\blo\boo\bok\bku\bup\bp
- When looking up a sudoer using LDAP there are only two or three LDAP
- queries per invocation. The first query is to parse the global
- options. The second is to match against the user's name and the groups
- that the user belongs to. (The special ALL tag is matched in this
- query too.) If no match is returned for the user's name and groups, a
- third query returns all entries containing user netgroups and checks to
- see if the user belongs to any of them.
-
- If timed entries are enabled with the S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD configuration
- directive, the LDAP queries include a subfilter that limits retrieval
- to entries that satisfy the time constraints, if any.
+ When looking up a sudoer using LDAP there are only two or three LDAP
+ queries per invocation. The first query is to parse the global options.
+ The second is to match against the user's name and the groups that the
+ user belongs to. (The special ALL tag is matched in this query too.) If
+ no match is returned for the user's name and groups, a third query
+ returns all entries containing user netgroups and checks to see if the
+ user belongs to any of them.
+
+ If timed entries are enabled with the S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD configuration
+ directive, the LDAP queries include a subfilter that limits retrieval to
+ entries that satisfy the time constraints, if any.
D\bDi\bif\bff\bfe\ber\bre\ben\bnc\bce\bes\bs b\bbe\bet\btw\bwe\bee\ben\bn L\bLD\bDA\bAP\bP a\ban\bnd\bd n\bno\bon\bn-\b-L\bLD\bDA\bAP\bP s\bsu\bud\bdo\boe\ber\brs\bs
- There are some subtle differences in the way sudoers is handled once in
- LDAP. Probably the biggest is that according to the RFC, LDAP ordering
- is arbitrary and you cannot expect that Attributes and Entries are
- returned in any specific order.
-
- The order in which different entries are applied can be controlled
- using the sudoOrder attribute, but there is no way to guarantee the
- order of attributes within a specific entry. If there are conflicting
- command rules in an entry, the negative takes precedence. This is
- called paranoid behavior (not necessarily the most specific match).
-
- Here is an example:
-
- # /etc/sudoers:
- # Allow all commands except shell
- johnny ALL=(root) ALL,!/bin/sh
- # Always allows all commands because ALL is matched last
- puddles ALL=(root) !/bin/sh,ALL
-
- # LDAP equivalent of johnny
- # Allows all commands except shell
- dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
- objectClass: sudoRole
- objectClass: top
- cn: role1
- sudoUser: johnny
- sudoHost: ALL
- sudoCommand: ALL
- sudoCommand: !/bin/sh
-
- # LDAP equivalent of puddles
- # Notice that even though ALL comes last, it still behaves like
- # role1 since the LDAP code assumes the more paranoid configuration
- dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
- objectClass: sudoRole
- objectClass: top
- cn: role2
- sudoUser: puddles
- sudoHost: ALL
- sudoCommand: !/bin/sh
- sudoCommand: ALL
-
- Another difference is that negations on the Host, User or Runas are
- currently ignored. For example, the following attributes do not behave
- the way one might expect.
-
- # does not match all but joe
- # rather, does not match anyone
- sudoUser: !joe
-
- # does not match all but joe
- # rather, matches everyone including Joe
- sudoUser: ALL
- sudoUser: !joe
-
- # does not match all but web01
- # rather, matches all hosts including web01
- sudoHost: ALL
- sudoHost: !web01
+ There are some subtle differences in the way sudoers is handled once in
+ LDAP. Probably the biggest is that according to the RFC, LDAP ordering
+ is arbitrary and you cannot expect that Attributes and Entries are
+ returned in any specific order.
+
+ The order in which different entries are applied can be controlled using
+ the sudoOrder attribute, but there is no way to guarantee the order of
+ attributes within a specific entry. If there are conflicting command
+ rules in an entry, the negative takes precedence. This is called
+ paranoid behavior (not necessarily the most specific match).
+
+ Here is an example:
+
+ # /etc/sudoers:
+ # Allow all commands except shell
+ johnny ALL=(root) ALL,!/bin/sh
+ # Always allows all commands because ALL is matched last
+ puddles ALL=(root) !/bin/sh,ALL
+
+ # LDAP equivalent of johnny
+ # Allows all commands except shell
+ dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
+ objectClass: sudoRole
+ objectClass: top
+ cn: role1
+ sudoUser: johnny
+ sudoHost: ALL
+ sudoCommand: ALL
+ sudoCommand: !/bin/sh
+
+ # LDAP equivalent of puddles
+ # Notice that even though ALL comes last, it still behaves like
+ # role1 since the LDAP code assumes the more paranoid configuration
+ dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
+ objectClass: sudoRole
+ objectClass: top
+ cn: role2
+ sudoUser: puddles
+ sudoHost: ALL
+ sudoCommand: !/bin/sh
+ sudoCommand: ALL
+
+ Another difference is that negations on the Host, User or Runas are
+ currently ignored. For example, the following attributes do not behave
+ the way one might expect.
+
+ # does not match all but joe
+ # rather, does not match anyone
+ sudoUser: !joe
+
+ # does not match all but joe
+ # rather, matches everyone including Joe
+ sudoUser: ALL
+ sudoUser: !joe
+
+ # does not match all but web01
+ # rather, matches all hosts including web01
+ sudoHost: ALL
+ sudoHost: !web01
S\bSu\bud\bdo\boe\ber\brs\bs S\bSc\bch\bhe\bem\bma\ba
- In order to use s\bsu\bud\bdo\bo's LDAP support, the s\bsu\bud\bdo\bo schema must be installed
- on your LDAP server. In addition, be sure to index the 'sudoUser'
- attribute.
+ In order to use s\bsu\bud\bdo\bo's LDAP support, the s\bsu\bud\bdo\bo schema must be installed on
+ your LDAP server. In addition, be sure to index the sudoUser attribute.
- Three versions of the schema: one for OpenLDAP servers
- (_\bs_\bc_\bh_\be_\bm_\ba_\b._\bO_\bp_\be_\bn_\bL_\bD_\bA_\bP), one for Netscape-derived servers (_\bs_\bc_\bh_\be_\bm_\ba_\b._\bi_\bP_\bl_\ba_\bn_\be_\bt),
- and one for Microsoft Active Directory (_\bs_\bc_\bh_\be_\bm_\ba_\b._\bA_\bc_\bt_\bi_\bv_\be_\bD_\bi_\br_\be_\bc_\bt_\bo_\br_\by) may be
- found in the s\bsu\bud\bdo\bo distribution.
+ Three versions of the schema: one for OpenLDAP servers (_\bs_\bc_\bh_\be_\bm_\ba_\b._\bO_\bp_\be_\bn_\bL_\bD_\bA_\bP),
+ one for Netscape-derived servers (_\bs_\bc_\bh_\be_\bm_\ba_\b._\bi_\bP_\bl_\ba_\bn_\be_\bt), and one for Microsoft
+ Active Directory (_\bs_\bc_\bh_\be_\bm_\ba_\b._\bA_\bc_\bt_\bi_\bv_\be_\bD_\bi_\br_\be_\bc_\bt_\bo_\br_\by) may be found in the s\bsu\bud\bdo\bo
+ distribution.
- The schema for s\bsu\bud\bdo\bo in OpenLDAP form is included in the EXAMPLES
- section.
+ The schema for s\bsu\bud\bdo\bo in OpenLDAP form is also included in the _\bE_\bX_\bA_\bM_\bP_\bL_\bE_\bS
+ section.
C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg l\bld\bda\bap\bp.\b.c\bco\bon\bnf\bf
- Sudo reads the _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf file for LDAP-specific configuration.
- Typically, this file is shared amongst different LDAP-aware clients.
- As such, most of the settings are not s\bsu\bud\bdo\bo-specific. Note that s\bsu\bud\bdo\bo
- parses _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf itself and may support options that differ from
- those described in the system's _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(4) manual.
+ Sudo reads the _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf file for LDAP-specific configuration.
+ Typically, this file is shared amongst different LDAP-aware clients. As
+ such, most of the settings are not s\bsu\bud\bdo\bo-specific. Note that s\bsu\bud\bdo\bo parses
+ _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf itself and may support options that differ from those
+ described in the system's ldap.conf(1m) manual.
- Also note that on systems using the OpenLDAP libraries, default values
- specified in _\b/_\be_\bt_\bc_\b/_\bo_\bp_\be_\bn_\bl_\bd_\ba_\bp_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf or the user's _\b._\bl_\bd_\ba_\bp_\br_\bc files are
- not used.
+ Also note that on systems using the OpenLDAP libraries, default values
+ specified in _\b/_\be_\bt_\bc_\b/_\bo_\bp_\be_\bn_\bl_\bd_\ba_\bp_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf or the user's _\b._\bl_\bd_\ba_\bp_\br_\bc files are not
+ used.
- Only those options explicitly listed in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf as being
- supported by s\bsu\bud\bdo\bo are honored. Configuration options are listed below
- in upper case but are parsed in a case-independent manner.
+ Only those options explicitly listed in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf as being supported
+ by s\bsu\bud\bdo\bo are honored. Configuration options are listed below in upper
+ case but are parsed in a case-independent manner.
- U\bUR\bRI\bI ldap[s]://[hostname[:port]] ...
+ U\bUR\bRI\bI _\bl_\bd_\ba_\bp_\b[_\bs_\b]_\b:_\b/_\b/_\b[_\bh_\bo_\bs_\bt_\bn_\ba_\bm_\be_\b[_\b:_\bp_\bo_\br_\bt_\b]_\b] _\b._\b._\b.
Specifies a whitespace-delimited list of one or more URIs
describing the LDAP server(s) to connect to. The _\bp_\br_\bo_\bt_\bo_\bc_\bo_\bl may be
- either l\bld\bda\bap\bp or l\bld\bda\bap\bps\bs, the latter being for servers that support TLS
+ either _\bl_\bd_\ba_\bp _\bl_\bd_\ba_\bp_\bs, the latter being for servers that support TLS
(SSL) encryption. If no _\bp_\bo_\br_\bt is specified, the default is port 389
for ldap:// or port 636 for ldaps://. If no _\bh_\bo_\bs_\bt_\bn_\ba_\bm_\be is specified,
- s\bsu\bud\bdo\bo will connect to l\blo\boc\bca\bal\blh\bho\bos\bst\bt. Multiple U\bUR\bRI\bI lines are treated
+ s\bsu\bud\bdo\bo will connect to _\bl_\bo_\bc_\ba_\bl_\bh_\bo_\bs_\bt. Multiple U\bUR\bRI\bI lines are treated
identically to a U\bUR\bRI\bI line containing multiple entries. Only
systems using the OpenSSL libraries support the mixing of ldap://
and ldaps:// URIs. Both the Netscape-derived and Tivoli LDAP
libraries used on most commercial versions of Unix are only capable
of supporting one or the other.
- H\bHO\bOS\bST\bT name[:port] ...
+ H\bHO\bOS\bST\bT _\bn_\ba_\bm_\be_\b[_\b:_\bp_\bo_\br_\bt_\b] _\b._\b._\b.
If no U\bUR\bRI\bI is specified, the H\bHO\bOS\bST\bT parameter specifies a whitespace-
delimited list of LDAP servers to connect to. Each host may
- include an optional _\bp_\bo_\br_\bt separated by a colon (':'). The H\bHO\bOS\bST\bT
+ include an optional _\bp_\bo_\br_\bt separated by a colon (`:'). The H\bHO\bOS\bST\bT
parameter is deprecated in favor of the U\bUR\bRI\bI specification and is
included for backwards compatibility.
- P\bPO\bOR\bRT\bT port_number
+ P\bPO\bOR\bRT\bT _\bp_\bo_\br_\bt_\b__\bn_\bu_\bm_\bb_\be_\br
If no U\bUR\bRI\bI is specified, the P\bPO\bOR\bRT\bT parameter specifies the default
port to connect to on the LDAP server if a H\bHO\bOS\bST\bT parameter does not
specify the port itself. If no P\bPO\bOR\bRT\bT parameter is used, the default
P\bPO\bOR\bRT\bT parameter is deprecated in favor of the U\bUR\bRI\bI specification and
is included for backwards compatibility.
- B\bBI\bIN\bND\bD_\b_T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT seconds
+ B\bBI\bIN\bND\bD_\b_T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT _\bs_\be_\bc_\bo_\bn_\bd_\bs
The B\bBI\bIN\bND\bD_\b_T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT parameter specifies the amount of time, in
seconds, to wait while trying to connect to an LDAP server. If
multiple U\bUR\bRI\bIs or H\bHO\bOS\bST\bTs are specified, this is the amount of time to
wait before trying the next one in the list.
- N\bNE\bET\bTW\bWO\bOR\bRK\bK_\b_T\bTI\bIM\bME\bEO\bOU\bUT\bT seconds
+ N\bNE\bET\bTW\bWO\bOR\bRK\bK_\b_T\bTI\bIM\bME\bEO\bOU\bUT\bT _\bs_\be_\bc_\bo_\bn_\bd_\bs
An alias for B\bBI\bIN\bND\bD_\b_T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT for OpenLDAP compatibility.
- T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT seconds
+ T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT _\bs_\be_\bc_\bo_\bn_\bd_\bs
The T\bTI\bIM\bME\bEL\bLI\bIM\bMI\bIT\bT parameter specifies the amount of time, in seconds,
to wait for a response to an LDAP query.
- T\bTI\bIM\bME\bEO\bOU\bUT\bT seconds
+ T\bTI\bIM\bME\bEO\bOU\bUT\bT _\bs_\be_\bc_\bo_\bn_\bd_\bs
The T\bTI\bIM\bME\bEO\bOU\bUT\bT parameter specifies the amount of time, in seconds, to
wait for a response from the various LDAP APIs.
- S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_B\bBA\bAS\bSE\bE base
+ S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_B\bBA\bAS\bSE\bE _\bb_\ba_\bs_\be
The base DN to use when performing s\bsu\bud\bdo\bo LDAP queries. Typically
this is of the form ou=SUDOers,dc=example,dc=com for the domain
example.com. Multiple S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_B\bBA\bAS\bSE\bE lines may be specified, in
which case they are queried in the order specified.
- S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_S\bSE\bEA\bAR\bRC\bCH\bH_\b_F\bFI\bIL\bLT\bTE\bER\bR ldap_filter
+ S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_S\bSE\bEA\bAR\bRC\bCH\bH_\b_F\bFI\bIL\bLT\bTE\bER\bR _\bl_\bd_\ba_\bp_\b__\bf_\bi_\bl_\bt_\be_\br
An LDAP filter which is used to restrict the set of records
returned when performing a s\bsu\bud\bdo\bo LDAP query. Typically, this is of
the form attribute=value or
(&(attribute=value)(attribute2=value2)).
- S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD on/true/yes/off/false/no
+ S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_T\bTI\bIM\bME\bED\bD _\bo_\bn_\b/_\bt_\br_\bu_\be_\b/_\by_\be_\bs_\b/_\bo_\bf_\bf_\b/_\bf_\ba_\bl_\bs_\be_\b/_\bn_\bo
Whether or not to evaluate the sudoNotBefore and sudoNotAfter
attributes that implement time-dependent sudoers entries.
- S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_D\bDE\bEB\bBU\bUG\bG debug_level
+ S\bSU\bUD\bDO\bOE\bER\bRS\bS_\b_D\bDE\bEB\bBU\bUG\bG _\bd_\be_\bb_\bu_\bg_\b__\bl_\be_\bv_\be_\bl
This sets the debug level for s\bsu\bud\bdo\bo LDAP queries. Debugging
information is printed to the standard error. A value of 1 results
in a moderate amount of debugging information. A value of 2 shows
be set in a production environment as the extra information is
likely to confuse users.
- B\bBI\bIN\bND\bDD\bDN\bN DN
+ B\bBI\bIN\bND\bDD\bDN\bN _\bD_\bN
The B\bBI\bIN\bND\bDD\bDN\bN parameter specifies the identity, in the form of a
Distinguished Name (DN), to use when performing LDAP operations.
If not specified, LDAP operations are performed with an anonymous
identity. By default, most LDAP servers will allow anonymous
access.
- B\bBI\bIN\bND\bDP\bPW\bW secret
+ B\bBI\bIN\bND\bDP\bPW\bW _\bs_\be_\bc_\br_\be_\bt
The B\bBI\bIN\bND\bDP\bPW\bW parameter specifies the password to use when performing
LDAP operations. This is typically used in conjunction with the
B\bBI\bIN\bND\bDD\bDN\bN parameter.
- R\bRO\bOO\bOT\bTB\bBI\bIN\bND\bDD\bDN\bN DN
+ R\bRO\bOO\bOT\bTB\bBI\bIN\bND\bDD\bDN\bN _\bD_\bN
The R\bRO\bOO\bOT\bTB\bBI\bIN\bND\bDD\bDN\bN parameter specifies the identity, in the form of a
Distinguished Name (DN), to use when performing privileged LDAP
operations, such as _\bs_\bu_\bd_\bo_\be_\br_\bs queries. The password corresponding to
the identity should be stored in _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bs_\be_\bc_\br_\be_\bt. If not
specified, the B\bBI\bIN\bND\bDD\bDN\bN identity is used (if any).
- L\bLD\bDA\bAP\bP_\b_V\bVE\bER\bRS\bSI\bIO\bON\bN number
+ L\bLD\bDA\bAP\bP_\b_V\bVE\bER\bRS\bSI\bIO\bON\bN _\bn_\bu_\bm_\bb_\be_\br
The version of the LDAP protocol to use when connecting to the
server. The default value is protocol version 3.
- S\bSS\bSL\bL on/true/yes/off/false/no
+ S\bSS\bSL\bL _\bo_\bn_\b/_\bt_\br_\bu_\be_\b/_\by_\be_\bs_\b/_\bo_\bf_\bf_\b/_\bf_\ba_\bl_\bs_\be_\b/_\bn_\bo
If the S\bSS\bSL\bL parameter is set to on, true or yes, TLS (SSL)
encryption is always used when communicating with the LDAP server.
Typically, this involves connecting to the server on port 636
(ldaps).
- S\bSS\bSL\bL start_tls
+ S\bSS\bSL\bL _\bs_\bt_\ba_\br_\bt_\b__\bt_\bl_\bs
If the S\bSS\bSL\bL parameter is set to start_tls, the LDAP server
connection is initiated normally and TLS encryption is begun before
the bind credentials are sent. This has the advantage of not
requiring a dedicated port for encrypted communications. This
parameter is only supported by LDAP servers that honor the
- start_tls extension, such as the OpenLDAP server.
+ _\bs_\bt_\ba_\br_\bt_\b__\bt_\bl_\bs extension, such as the OpenLDAP and Tivoli Directory
+ servers.
- T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR on/true/yes/off/false/no
+ T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR _\bo_\bn_\b/_\bt_\br_\bu_\be_\b/_\by_\be_\bs_\b/_\bo_\bf_\bf_\b/_\bf_\ba_\bl_\bs_\be_\b/_\bn_\bo
If enabled, T\bTL\bLS\bS_\b_C\bCH\bHE\bEC\bCK\bKP\bPE\bEE\bER\bR will cause the LDAP server's TLS
certificated to be verified. If the server's TLS certificate
cannot be verified (usually because it is signed by an unknown
can be verified. This option is not supported by the Tivoli
Directory Server LDAP libraries.
- T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bT file name
+ T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bT _\bf_\bi_\bl_\be _\bn_\ba_\bm_\be
An alias for T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE for OpenLDAP compatibility.
- T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE file name
+ T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE _\bf_\bi_\bl_\be _\bn_\ba_\bm_\be
The path to a certificate authority bundle which contains the
certificates for all the Certificate Authorities the client knows
to be valid, e.g. _\b/_\be_\bt_\bc_\b/_\bs_\bs_\bl_\b/_\bc_\ba_\b-_\bb_\bu_\bn_\bd_\bl_\be_\b._\bp_\be_\bm. This option is only
libraries use the same certificate database for CA and client
certificates (see T\bTL\bLS\bS_\b_C\bCE\bER\bRT\bT).
- T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTD\bDI\bIR\bR directory
+ T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTD\bDI\bIR\bR _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by
Similar to T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE but instead of a file, it is a directory
containing individual Certificate Authority certificates, e.g.
_\b/_\be_\bt_\bc_\b/_\bs_\bs_\bl_\b/_\bc_\be_\br_\bt_\bs. The directory specified by T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTD\bDI\bIR\bR is
checked after T\bTL\bLS\bS_\b_C\bCA\bAC\bCE\bER\bRT\bTF\bFI\bIL\bLE\bE. This option is only supported by the
OpenLDAP libraries.
- T\bTL\bLS\bS_\b_C\bCE\bER\bRT\bT file name
+ T\bTL\bLS\bS_\b_C\bCE\bER\bRT\bT _\bf_\bi_\bl_\be _\bn_\ba_\bm_\be
The path to a file containing the client certificate which can be
used to authenticate the client to the LDAP server. The
certificate type depends on the LDAP libraries used.
OpenLDAP:
- tls_cert /etc/ssl/client_cert.pem
+ tls_cert /etc/ssl/client_cert.pem
Netscape-derived:
- tls_cert /var/ldap/cert7.db
+ tls_cert /var/ldap/cert7.db
Tivoli Directory Server:
- Unused, the key database specified by T\bTL\bLS\bS_\b_K\bKE\bEY\bY contains both
- keys and certificates.
+ Unused, the key database specified by T\bTL\bLS\bS_\b_K\bKE\bEY\bY contains both
+ keys and certificates.
- When using Netscape-derived libraries, this file may also contain
- Certificate Authority certificates.
+ When using Netscape-derived libraries, this file may also
+ contain Certificate Authority certificates.
- T\bTL\bLS\bS_\b_K\bKE\bEY\bY file name
+ T\bTL\bLS\bS_\b_K\bKE\bEY\bY _\bf_\bi_\bl_\be _\bn_\ba_\bm_\be
The path to a file containing the private key which matches the
certificate specified by T\bTL\bLS\bS_\b_C\bCE\bER\bRT\bT. The private key must not be
password-protected. The key type depends on the LDAP libraries
used.
OpenLDAP:
- tls_key /etc/ssl/client_key.pem
+ tls_key /etc/ssl/client_key.pem
Netscape-derived:
- tls_key /var/ldap/key3.db
+ tls_key /var/ldap/key3.db
Tivoli Directory Server:
- tls_cert /usr/ldap/ldapkey.kdb
-
+ tls_cert /usr/ldap/ldapkey.kdb
When using Tivoli LDAP libraries, this file may also contain
Certificate Authority and client certificates and may be encrypted.
- T\bTL\bLS\bS_\b_K\bKE\bEY\bYP\bPW\bW secret
+ T\bTL\bLS\bS_\b_K\bKE\bEY\bYP\bPW\bW _\bs_\be_\bc_\br_\be_\bt
The T\bTL\bLS\bS_\b_K\bKE\bEY\bYP\bPW\bW contains the password used to decrypt the key
database on clients using the Tivoli Directory Server LDAP library.
If no T\bTL\bLS\bS_\b_K\bKE\bEY\bYP\bPW\bW is specified, a _\bs_\bt_\ba_\bs_\bh _\bf_\bi_\bl_\be will be used if it
ssl_password. This option is only supported by the Tivoli LDAP
libraries.
- T\bTL\bLS\bS_\b_R\bRA\bAN\bND\bDF\bFI\bIL\bLE\bE file name
+ T\bTL\bLS\bS_\b_R\bRA\bAN\bND\bDF\bFI\bIL\bLE\bE _\bf_\bi_\bl_\be _\bn_\ba_\bm_\be
The T\bTL\bLS\bS_\b_R\bRA\bAN\bND\bDF\bFI\bIL\bLE\bE parameter specifies the path to an entropy source
for systems that lack a random device. It is generally used in
conjunction with _\bp_\br_\bn_\bg_\bd or _\be_\bg_\bd. This option is only supported by
the OpenLDAP libraries.
- T\bTL\bLS\bS_\b_C\bCI\bIP\bPH\bHE\bER\bRS\bS cipher list
+ T\bTL\bLS\bS_\b_C\bCI\bIP\bPH\bHE\bER\bRS\bS _\bc_\bi_\bp_\bh_\be_\br _\bl_\bi_\bs_\bt
The T\bTL\bLS\bS_\b_C\bCI\bIP\bPH\bHE\bER\bRS\bS parameter allows the administer to restrict which
encryption algorithms may be used for TLS (SSL) connections. See
the OpenLDAP or Tivoli Directory Server manual for a list of valid
ciphers. This option is not supported by Netscape-derived
libraries.
- U\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL on/true/yes/off/false/no
+ U\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL _\bo_\bn_\b/_\bt_\br_\bu_\be_\b/_\by_\be_\bs_\b/_\bo_\bf_\bf_\b/_\bf_\ba_\bl_\bs_\be_\b/_\bn_\bo
Enable U\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL for LDAP servers that support SASL authentication.
- S\bSA\bAS\bSL\bL_\b_A\bAU\bUT\bTH\bH_\b_I\bID\bD identity
+ S\bSA\bAS\bSL\bL_\b_A\bAU\bUT\bTH\bH_\b_I\bID\bD _\bi_\bd_\be_\bn_\bt_\bi_\bt_\by
The SASL user name to use when connecting to the LDAP server. By
default, s\bsu\bud\bdo\bo will use an anonymous connection.
- R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL on/true/yes/off/false/no
+ R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL _\bo_\bn_\b/_\bt_\br_\bu_\be_\b/_\by_\be_\bs_\b/_\bo_\bf_\bf_\b/_\bf_\ba_\bl_\bs_\be_\b/_\bn_\bo
Enable R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL to enable SASL authentication when connecting
to an LDAP server from a privileged process, such as s\bsu\bud\bdo\bo.
- R\bRO\bOO\bOT\bTS\bSA\bAS\bSL\bL_\b_A\bAU\bUT\bTH\bH_\b_I\bID\bD identity
+ R\bRO\bOO\bOT\bTS\bSA\bAS\bSL\bL_\b_A\bAU\bUT\bTH\bH_\b_I\bID\bD _\bi_\bd_\be_\bn_\bt_\bi_\bt_\by
The SASL user name to use when R\bRO\bOO\bOT\bTU\bUS\bSE\bE_\b_S\bSA\bAS\bSL\bL is enabled.
- S\bSA\bAS\bSL\bL_\b_S\bSE\bEC\bCP\bPR\bRO\bOP\bPS\bS none/properties
+ S\bSA\bAS\bSL\bL_\b_S\bSE\bEC\bCP\bPR\bRO\bOP\bPS\bS _\bn_\bo_\bn_\be_\b/_\bp_\br_\bo_\bp_\be_\br_\bt_\bi_\be_\bs
SASL security properties or _\bn_\bo_\bn_\be for no properties. See the SASL
programmer's manual for details.
- K\bKR\bRB\bB5\b5_\b_C\bCC\bCN\bNA\bAM\bME\bE file name
+ K\bKR\bRB\bB5\b5_\b_C\bCC\bCN\bNA\bAM\bME\bE _\bf_\bi_\bl_\be _\bn_\ba_\bm_\be
The path to the Kerberos 5 credential cache to use when
authenticating with the remote server.
- D\bDE\bER\bRE\bEF\bF never/searching/finding/always
+ D\bDE\bER\bRE\bEF\bF _\bn_\be_\bv_\be_\br_\b/_\bs_\be_\ba_\br_\bc_\bh_\bi_\bn_\bg_\b/_\bf_\bi_\bn_\bd_\bi_\bn_\bg_\b/_\ba_\bl_\bw_\ba_\by_\bs
How alias dereferencing is to be performed when searching. See the
- _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(4) manual for a full description of this option.
+ ldap.conf(1m) manual for a full description of this option.
- See the ldap.conf entry in the EXAMPLES section.
+ See the _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf entry in the _\bE_\bX_\bA_\bM_\bP_\bL_\bE_\bS section.
C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg n\bns\bss\bsw\bwi\bit\btc\bch\bh.\b.c\bco\bon\bnf\bf
- Unless it is disabled at build time, s\bsu\bud\bdo\bo consults the Name Service
- Switch file, _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf, to specify the _\bs_\bu_\bd_\bo_\be_\br_\bs search order.
- Sudo looks for a line beginning with sudoers: and uses this to
- determine the search order. Note that s\bsu\bud\bdo\bo does not stop searching
- after the first match and later matches take precedence over earlier
- ones.
+ Unless it is disabled at build time, s\bsu\bud\bdo\bo consults the Name Service
+ Switch file, _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf, to specify the _\bs_\bu_\bd_\bo_\be_\br_\bs search order.
+ Sudo looks for a line beginning with sudoers: and uses this to determine
+ the search order. Note that s\bsu\bud\bdo\bo does not stop searching after the first
+ match and later matches take precedence over earlier ones. The following
+ sources are recognized:
- The following sources are recognized:
+ files read sudoers from _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs
+ ldap read sudoers from LDAP
- files read sudoers from F</etc/sudoers>
- ldap read sudoers from LDAP
+ In addition, the entry [NOTFOUND=return] will short-circuit the search if
+ the user was not found in the preceding source.
- In addition, the entry [NOTFOUND=return] will short-circuit the search
- if the user was not found in the preceding source.
+ To consult LDAP first followed by the local sudoers file (if it exists),
+ use:
- To consult LDAP first followed by the local sudoers file (if it
- exists), use:
+ sudoers: ldap files
- sudoers: ldap files
+ The local _\bs_\bu_\bd_\bo_\be_\br_\bs file can be ignored completely by using:
- The local _\bs_\bu_\bd_\bo_\be_\br_\bs file can be ignored completely by using:
+ sudoers: ldap
- sudoers: ldap
+ If the _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf file is not present or there is no sudoers
+ line, the following default is assumed:
- If the _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf file is not present or there is no sudoers
- line, the following default is assumed:
+ sudoers: files
- sudoers: files
-
- Note that _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf is supported even when the underlying
- operating system does not use an nsswitch.conf file, except on AIX (see
- below).
+ Note that _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf is supported even when the underlying
+ operating system does not use an nsswitch.conf file, except on AIX (see
+ below).
C\bCo\bon\bnf\bfi\big\bgu\bur\bri\bin\bng\bg n\bne\bet\bts\bsv\bvc\bc.\b.c\bco\bon\bnf\bf
- On AIX systems, the _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf file is consulted instead of
- _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf. s\bsu\bud\bdo\bo simply treats _\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf as a variant of
- _\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf; information in the previous section unrelated to the
- file format itself still applies.
+ On AIX systems, the _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf file is consulted instead of
+ _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf. s\bsu\bud\bdo\bo simply treats _\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf as a variant of
+ _\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf; information in the previous section unrelated to the file
+ format itself still applies.
- To consult LDAP first followed by the local sudoers file (if it
- exists), use:
+ To consult LDAP first followed by the local sudoers file (if it exists),
+ use:
- sudoers = ldap, files
+ sudoers = ldap, files
- The local _\bs_\bu_\bd_\bo_\be_\br_\bs file can be ignored completely by using:
+ The local _\bs_\bu_\bd_\bo_\be_\br_\bs file can be ignored completely by using:
- sudoers = ldap
+ sudoers = ldap
- To treat LDAP as authoratative and only use the local sudoers file if
- the user is not present in LDAP, use:
+ To treat LDAP as authoratative and only use the local sudoers file if the
+ user is not present in LDAP, use:
- sudoers = ldap = auth, files
+ sudoers = ldap = auth, files
- Note that in the above example, the auth qualfier only affects user
- lookups; both LDAP and _\bs_\bu_\bd_\bo_\be_\br_\bs will be queried for Defaults entries.
+ Note that in the above example, the auth qualfier only affects user
+ lookups; both LDAP and _\bs_\bu_\bd_\bo_\be_\br_\bs will be queried for Defaults entries.
- If the _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf file is not present or there is no sudoers
- line, the following default is assumed:
+ If the _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf file is not present or there is no sudoers line,
+ the following default is assumed:
- sudoers = files
+ sudoers = files
F\bFI\bIL\bLE\bES\bS
- _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf LDAP configuration file
+ _\b/_\be_\bt_\bc_\b/_\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf LDAP configuration file
- _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf determines sudoers source order
+ _\b/_\be_\bt_\bc_\b/_\bn_\bs_\bs_\bw_\bi_\bt_\bc_\bh_\b._\bc_\bo_\bn_\bf determines sudoers source order
- _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf determines sudoers source order on AIX
+ _\b/_\be_\bt_\bc_\b/_\bn_\be_\bt_\bs_\bv_\bc_\b._\bc_\bo_\bn_\bf determines sudoers source order on AIX
E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
E\bEx\bxa\bam\bmp\bpl\ble\be l\bld\bda\bap\bp.\b.c\bco\bon\bnf\bf
- # Either specify one or more URIs or one or more host:port pairs.
- # If neither is specified sudo will default to localhost, port 389.
- #
- #host ldapserver
- #host ldapserver1 ldapserver2:390
- #
- # Default port if host is specified without one, defaults to 389.
- #port 389
- #
- # URI will override the host and port settings.
- uri ldap://ldapserver
- #uri ldaps://secureldapserver
- #uri ldaps://secureldapserver ldap://ldapserver
- #
- # The amount of time, in seconds, to wait while trying to connect to
- # an LDAP server.
- bind_timelimit 30
- #
- # The amount of time, in seconds, to wait while performing an LDAP query.
- timelimit 30
- #
- # Must be set or sudo will ignore LDAP; may be specified multiple times.
- sudoers_base ou=SUDOers,dc=example,dc=com
- #
- # verbose sudoers matching from ldap
- #sudoers_debug 2
- #
- # Enable support for time-based entries in sudoers.
- #sudoers_timed yes
- #
- # optional proxy credentials
- #binddn <who to search as>
- #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
- #
- # LDAP protocol version, defaults to 3
- #ldap_version 3
- #
- # Define if you want to use an encrypted LDAP connection.
- # Typically, you must also set the port to 636 (ldaps).
- #ssl on
- #
- # Define if you want to use port 389 and switch to
- # encryption before the bind credentials are sent.
- # Only supported by LDAP servers that support the start_tls
- # extension such as OpenLDAP.
- #ssl start_tls
- #
- # Additional TLS options follow that allow tweaking of the
- # SSL/TLS connection.
- #
- #tls_checkpeer yes # verify server SSL certificate
- #tls_checkpeer no # ignore server SSL certificate
- #
- # If you enable tls_checkpeer, specify either tls_cacertfile
- # or tls_cacertdir. Only supported when using OpenLDAP.
- #
- #tls_cacertfile /etc/certs/trusted_signers.pem
- #tls_cacertdir /etc/certs
- #
- # For systems that don't have /dev/random
- # use this along with PRNGD or EGD.pl to seed the
- # random number pool to generate cryptographic session keys.
- # Only supported when using OpenLDAP.
- #
- #tls_randfile /etc/egd-pool
- #
- # You may restrict which ciphers are used. Consult your SSL
- # documentation for which options go here.
- # Only supported when using OpenLDAP.
- #
- #tls_ciphers <cipher-list>
- #
- # Sudo can provide a client certificate when communicating to
- # the LDAP server.
- # Tips:
- # * Enable both lines at the same time.
- # * Do not password protect the key file.
- # * Ensure the keyfile is only readable by root.
- #
- # For OpenLDAP:
- #tls_cert /etc/certs/client_cert.pem
- #tls_key /etc/certs/client_key.pem
- #
- # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
- # a directory, in which case the files in the directory must have the
- # default names (e.g. cert8.db and key4.db), or the path to the cert
- # and key files themselves. However, a bug in version 5.0 of the LDAP
- # SDK will prevent specific file names from working. For this reason
- # it is suggested that tls_cert and tls_key be set to a directory,
- # not a file name.
- #
- # The certificate database specified by tls_cert may contain CA certs
- # and/or the client's cert. If the client's cert is included, tls_key
- # should be specified as well.
- # For backward compatibility, "sslpath" may be used in place of tls_cert.
- #tls_cert /var/ldap
- #tls_key /var/ldap
- #
- # If using SASL authentication for LDAP (OpenSSL)
- # use_sasl yes
- # sasl_auth_id <SASL user name>
- # rootuse_sasl yes
- # rootsasl_auth_id <SASL user name for root access>
- # sasl_secprops none
- # krb5_ccname /etc/.ldapcache
+ # Either specify one or more URIs or one or more host:port pairs.
+ # If neither is specified sudo will default to localhost, port 389.
+ #
+ #host ldapserver
+ #host ldapserver1 ldapserver2:390
+ #
+ # Default port if host is specified without one, defaults to 389.
+ #port 389
+ #
+ # URI will override the host and port settings.
+ uri ldap://ldapserver
+ #uri ldaps://secureldapserver
+ #uri ldaps://secureldapserver ldap://ldapserver
+ #
+ # The amount of time, in seconds, to wait while trying to connect to
+ # an LDAP server.
+ bind_timelimit 30
+ #
+ # The amount of time, in seconds, to wait while performing an LDAP query.
+ timelimit 30
+ #
+ # Must be set or sudo will ignore LDAP; may be specified multiple times.
+ sudoers_base ou=SUDOers,dc=example,dc=com
+ #
+ # verbose sudoers matching from ldap
+ #sudoers_debug 2
+ #
+ # Enable support for time-based entries in sudoers.
+ #sudoers_timed yes
+ #
+ # optional proxy credentials
+ #binddn <who to search as>
+ #bindpw <password>
+ #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
+ #
+ # LDAP protocol version, defaults to 3
+ #ldap_version 3
+ #
+ # Define if you want to use an encrypted LDAP connection.
+ # Typically, you must also set the port to 636 (ldaps).
+ #ssl on
+ #
+ # Define if you want to use port 389 and switch to
+ # encryption before the bind credentials are sent.
+ # Only supported by LDAP servers that support the start_tls
+ # extension such as OpenLDAP.
+ #ssl start_tls
+ #
+ # Additional TLS options follow that allow tweaking of the
+ # SSL/TLS connection.
+ #
+ #tls_checkpeer yes # verify server SSL certificate
+ #tls_checkpeer no # ignore server SSL certificate
+ #
+ # If you enable tls_checkpeer, specify either tls_cacertfile
+ # or tls_cacertdir. Only supported when using OpenLDAP.
+ #
+ #tls_cacertfile /etc/certs/trusted_signers.pem
+ #tls_cacertdir /etc/certs
+ #
+ # For systems that don't have /dev/random
+ # use this along with PRNGD or EGD.pl to seed the
+ # random number pool to generate cryptographic session keys.
+ # Only supported when using OpenLDAP.
+ #
+ #tls_randfile /etc/egd-pool
+ #
+ # You may restrict which ciphers are used. Consult your SSL
+ # documentation for which options go here.
+ # Only supported when using OpenLDAP.
+ #
+ #tls_ciphers <cipher-list>
+ #
+ # Sudo can provide a client certificate when communicating to
+ # the LDAP server.
+ # Tips:
+ # * Enable both lines at the same time.
+ # * Do not password protect the key file.
+ # * Ensure the keyfile is only readable by root.
+ #
+ # For OpenLDAP:
+ #tls_cert /etc/certs/client_cert.pem
+ #tls_key /etc/certs/client_key.pem
+ #
+ # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
+ # a directory, in which case the files in the directory must have the
+ # default names (e.g. cert8.db and key4.db), or the path to the cert
+ # and key files themselves. However, a bug in version 5.0 of the LDAP
+ # SDK will prevent specific file names from working. For this reason
+ # it is suggested that tls_cert and tls_key be set to a directory,
+ # not a file name.
+ #
+ # The certificate database specified by tls_cert may contain CA certs
+ # and/or the client's cert. If the client's cert is included, tls_key
+ # should be specified as well.
+ # For backward compatibility, "sslpath" may be used in place of tls_cert.
+ #tls_cert /var/ldap
+ #tls_key /var/ldap
+ #
+ # If using SASL authentication for LDAP (OpenSSL)
+ # use_sasl yes
+ # sasl_auth_id <SASL user name>
+ # rootuse_sasl yes
+ # rootsasl_auth_id <SASL user name for root access>
+ # sasl_secprops none
+ # krb5_ccname /etc/.ldapcache
S\bSu\bud\bdo\bo s\bsc\bch\bhe\bem\bma\ba f\bfo\bor\br O\bOp\bpe\ben\bnL\bLD\bDA\bAP\bP
- The following schema, in OpenLDAP format, is included with s\bsu\bud\bdo\bo source
- and binary distributions as _\bs_\bc_\bh_\be_\bm_\ba_\b._\bO_\bp_\be_\bn_\bL_\bD_\bA_\bP. Simply copy it to the
- schema directory (e.g. _\b/_\be_\bt_\bc_\b/_\bo_\bp_\be_\bn_\bl_\bd_\ba_\bp_\b/_\bs_\bc_\bh_\be_\bm_\ba), add the proper include
- line in slapd.conf and restart s\bsl\bla\bap\bpd\bd.
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.1
- NAME 'sudoUser'
- DESC 'User(s) who may run sudo'
- EQUALITY caseExactIA5Match
- SUBSTR caseExactIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.2
- NAME 'sudoHost'
- DESC 'Host(s) who may run sudo'
- EQUALITY caseExactIA5Match
- SUBSTR caseExactIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.3
- NAME 'sudoCommand'
- DESC 'Command(s) to be executed by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.4
- NAME 'sudoRunAs'
- DESC 'User(s) impersonated by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.5
- NAME 'sudoOption'
- DESC 'Options(s) followed by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.6
- NAME 'sudoRunAsUser'
- DESC 'User(s) impersonated by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.7
- NAME 'sudoRunAsGroup'
- DESC 'Group(s) impersonated by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.8
- NAME 'sudoNotBefore'
- DESC 'Start of time interval for which the entry is valid'
- EQUALITY generalizedTimeMatch
- ORDERING generalizedTimeOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.9
- NAME 'sudoNotAfter'
- DESC 'End of time interval for which the entry is valid'
- EQUALITY generalizedTimeMatch
- ORDERING generalizedTimeOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
-
- attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
- NAME 'sudoOrder'
- DESC 'an integer to order the sudoRole entries'
- EQUALITY integerMatch
- ORDERING integerOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
-
- objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
- DESC 'Sudoer Entries'
- MUST ( cn )
- MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
- sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
- sudoOrder $ description )
- )
+ The following schema, in OpenLDAP format, is included with s\bsu\bud\bdo\bo source
+ and binary distributions as _\bs_\bc_\bh_\be_\bm_\ba_\b._\bO_\bp_\be_\bn_\bL_\bD_\bA_\bP. Simply copy it to the
+ schema directory (e.g. _\b/_\be_\bt_\bc_\b/_\bo_\bp_\be_\bn_\bl_\bd_\ba_\bp_\b/_\bs_\bc_\bh_\be_\bm_\ba), add the proper include line
+ in _\bs_\bl_\ba_\bp_\bd_\b._\bc_\bo_\bn_\bf and restart s\bsl\bla\bap\bpd\bd.
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.1
+ NAME 'sudoUser'
+ DESC 'User(s) who may run sudo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.2
+ NAME 'sudoHost'
+ DESC 'Host(s) who may run sudo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.3
+ NAME 'sudoCommand'
+ DESC 'Command(s) to be executed by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.4
+ NAME 'sudoRunAs'
+ DESC 'User(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.5
+ NAME 'sudoOption'
+ DESC 'Options(s) followed by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.6
+ NAME 'sudoRunAsUser'
+ DESC 'User(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.7
+ NAME 'sudoRunAsGroup'
+ DESC 'Group(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.8
+ NAME 'sudoNotBefore'
+ DESC 'Start of time interval for which the entry is valid'
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+
+ attributetype ( 1.3.6.1.4.1.15953.9.1.9
+ NAME 'sudoNotAfter'
+ DESC 'End of time interval for which the entry is valid'
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+
+ attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
+ NAME 'sudoOrder'
+ DESC 'an integer to order the sudoRole entries'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+
+ objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
+ DESC 'Sudoer Entries'
+ MUST ( cn )
+ MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
+ sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
+ sudoOrder $ description )
+ )
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\bl_\bd_\ba_\bp_\b._\bc_\bo_\bn_\bf(4), _\bs_\bu_\bd_\bo_\be_\br_\bs(5)
+ ldap.conf(1m), sudoers(1m)
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
- Note that there are differences in the way that LDAP-based _\bs_\bu_\bd_\bo_\be_\br_\bs is
- parsed compared to file-based _\bs_\bu_\bd_\bo_\be_\br_\bs. See the "Differences between
- LDAP and non-LDAP sudoers" section for more information.
+ Note that there are differences in the way that LDAP-based _\bs_\bu_\bd_\bo_\be_\br_\bs is
+ parsed compared to file-based _\bs_\bu_\bd_\bo_\be_\br_\bs. See the _\bD_\bi_\bf_\bf_\be_\br_\be_\bn_\bc_\be_\bs _\bb_\be_\bt_\bw_\be_\be_\bn _\bL_\bD_\bA_\bP
+ _\ba_\bn_\bd _\bn_\bo_\bn_\b-_\bL_\bD_\bA_\bP _\bs_\bu_\bd_\bo_\be_\br_\bs section for more information.
B\bBU\bUG\bGS\bS
- If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
- http://www.sudo.ws/sudo/bugs/
+ If you feel you have found a bug in s\bsu\bud\bdo\bo, please submit a bug report at
+ http://www.sudo.ws/sudo/bugs/
S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Limited free support is available via the sudo-users mailing list, see
- http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
- the archives.
+ Limited free support is available via the sudo-users mailing list, see
+ http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
+ archives.
D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
- including, but not limited to, the implied warranties of
- merchantability and fitness for a particular purpose are disclaimed.
- See the LICENSE file distributed with s\bsu\bud\bdo\bo or
- http://www.sudo.ws/sudo/license.html for complete details.
-
-
+ s\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
+ including, but not limited to, the implied warranties of merchantability
+ and fitness for a particular purpose are disclaimed. See the LICENSE
+ file distributed with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for
+ complete details.
-1.7.10 July 18, 2012 SUDOERS.LDAP(4)
+Sudo 1.7.10 July 12, 2012 Sudo 1.7.10
-.\" Copyright (c) 2003-2012
-.\" Todd C. Miller <Todd.Miller@courtesan.com>
-.\"
+.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
+.\" IT IS GENERATED AUTOMATICALLY FROM sudoers.ldap.mdoc.in
+.\"
+.\" Copyright (c) 2003-2012 Todd C. Miller <Todd.Miller@courtesan.com>
+.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
-.\"
+.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
-.\"
-.\" Standard preamble:
-.\" ========================================================================
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C`
-. ds C'
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" Escape single quotes in literal strings from groff's Unicode transform.
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
-.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
-.\" entries marked with X<> in POD. Of course, you'll have to process the
-.\" output yourself in some meaningful fashion.
-.ie \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.el \{\
-. de IX
-..
-.\}
.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ========================================================================
-.\"
-.IX Title "SUDOERS.LDAP @mansectform@"
-.TH SUDOERS.LDAP @mansectform@ "July 18, 2012" "1.7.10" "MAINTENANCE COMMANDS"
-.\" For nroff, turn off justification. Always turn off hyphenation; it makes
-.\" way too many mistakes in technical documents.
-.if n .ad l
+.TH "SUDOERS.LDAP" "8" "July 12, 2012" "Sudo @PACKAGE_VERSION@" "OpenBSD System Manager's Manual"
.nh
+.if n .ad l
.SH "NAME"
-sudoers.ldap \- sudo LDAP configuration
+\fBsudoers.ldap\fR
+\- sudo LDAP configuration
.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-In addition to the standard \fIsudoers\fR file, \fBsudo\fR may be configured
-via \s-1LDAP\s0. This can be especially useful for synchronizing \fIsudoers\fR
+In addition to the standard
+\fIsudoers\fR
+file,
+\fBsudo\fR
+may be configured
+via LDAP.
+This can be especially useful for synchronizing
+\fIsudoers\fR
in a large, distributed environment.
.PP
-Using \s-1LDAP\s0 for \fIsudoers\fR has several benefits:
-.IP "\(bu" 4
-\&\fBsudo\fR no longer needs to read \fIsudoers\fR in its entirety. When
-\&\s-1LDAP\s0 is used, there are only two or three \s-1LDAP\s0 queries per invocation.
-This makes it especially fast and particularly usable in \s-1LDAP\s0
-environments.
-.IP "\(bu" 4
-\&\fBsudo\fR no longer exits if there is a typo in \fIsudoers\fR.
-It is not possible to load \s-1LDAP\s0 data into the server that does
+Using LDAP for
+\fIsudoers\fR
+has several benefits:
+.TP 4n
+\fBo\fR
+\fBsudo\fR
+no longer needs to read
+\fIsudoers\fR
+in its entirety.
+When LDAP is used, there are only two or three LDAP queries per invocation.
+This makes it especially fast and particularly usable in LDAP environments.
+.TP 4n
+\fBo\fR
+\fBsudo\fR
+no longer exits if there is a typo in
+\fIsudoers\fR.
+It is not possible to load LDAP data into the server that does
not conform to the sudoers schema, so proper syntax is guaranteed.
It is still possible to have typos in a user or host name, but
-this will not prevent \fBsudo\fR from running.
-.IP "\(bu" 4
+this will not prevent
+\fBsudo\fR
+from running.
+.TP 4n
+\fBo\fR
It is possible to specify per-entry options that override the global
-default options. \fI@sysconfdir@/sudoers\fR only supports default options and
-limited options associated with user/host/commands/aliases. The
-syntax is complicated and can be difficult for users to understand.
+default options.
+\fI@sysconfdir@/sudoers\fR
+only supports default options and limited options associated with
+user/host/commands/aliases.
+The syntax is complicated and can be difficult for users to understand.
Placing the options directly in the entry is more natural.
-.IP "\(bu" 4
-The \fBvisudo\fR program is no longer needed. \fBvisudo\fR provides
-locking and syntax checking of the \fI@sysconfdir@/sudoers\fR file.
-Since \s-1LDAP\s0 updates are atomic, locking is no longer necessary.
-Because syntax is checked when the data is inserted into \s-1LDAP\s0, there
+.TP 4n
+\fBo\fR
+The
+\fBvisudo\fR
+program is no longer needed.
+\fBvisudo\fR
+provides locking and syntax checking of the
+\fI@sysconfdir@/sudoers\fR
+file.
+Since LDAP updates are atomic, locking is no longer necessary.
+Because syntax is checked when the data is inserted into LDAP, there
is no need for a specialized tool to check syntax.
.PP
-Another major difference between \s-1LDAP\s0 and file-based \fIsudoers\fR
-is that in \s-1LDAP\s0, \fBsudo\fR\-specific Aliases are not supported.
+Another major difference between LDAP and file-based
+\fIsudoers\fR
+is that in LDAP,
+\fBsudo\fR-specific
+Aliases are not supported.
.PP
-For the most part, there is really no need for \fBsudo\fR\-specific
-Aliases. Unix groups or user netgroups can be used in place of
-User_Aliases and Runas_Aliases. Host netgroups can be used in place
-of Host_Aliases. Since Unix groups and netgroups can also be stored
-in \s-1LDAP\s0 there is no real need for \fBsudo\fR\-specific aliases.
+For the most part, there is really no need for
+\fBsudo\fR-specific
+Aliases.
+Unix groups or user netgroups can be used in place of User_Aliases and
+Runas_Aliases.
+Host netgroups can be used in place of Host_Aliases.
+Since Unix groups and netgroups can also be stored in LDAP there is no
+real need for
+\fBsudo\fR-specific
+aliases.
.PP
Cmnd_Aliases are not really required either since it is possible
-to have multiple users listed in a \f(CW\*(C`sudoRole\*(C'\fR. Instead of defining
-a Cmnd_Alias that is referenced by multiple users, one can create
-a \f(CW\*(C`sudoRole\*(C'\fR that contains the commands and assign multiple users
-to it.
-.SS "SUDOers \s-1LDAP\s0 container"
-.IX Subsection "SUDOers LDAP container"
-The \fIsudoers\fR configuration is contained in the \f(CW\*(C`ou=SUDOers\*(C'\fR \s-1LDAP\s0
-container.
-.PP
-Sudo first looks for the \f(CW\*(C`cn=default\*(C'\fR entry in the SUDOers container.
-If found, the multi-valued \f(CW\*(C`sudoOption\*(C'\fR attribute is parsed in the
-same manner as a global \f(CW\*(C`Defaults\*(C'\fR line in \fI@sysconfdir@/sudoers\fR. In
-the following example, the \f(CW\*(C`SSH_AUTH_SOCK\*(C'\fR variable will be preserved
-in the environment for all users.
+to have multiple users listed in a
+\fRsudoRole\fR.
+Instead of defining a Cmnd_Alias that is referenced by multiple users,
+one can create a
+\fRsudoRole\fR
+that contains the commands and assign multiple users to it.
+.SS "SUDOers LDAP container"
+The
+\fIsudoers\fR
+configuration is contained in the
+\fRou=SUDOers\fR
+LDAP container.
.PP
-.Vb 6
-\& dn: cn=defaults,ou=SUDOers,dc=example,dc=com
-\& objectClass: top
-\& objectClass: sudoRole
-\& cn: defaults
-\& description: Default sudoOption\*(Aqs go here
-\& sudoOption: env_keep+=SSH_AUTH_SOCK
-.Ve
+Sudo first looks for the
+\fRcn=default\fR
+entry in the SUDOers container.
+If found, the multi-valued
+\fRsudoOption\fR
+attribute is parsed in the same manner as a global
+\fRDefaults\fR
+line in
+\fI@sysconfdir@/sudoers\fR.
+In the following example, the
+\fRSSH_AUTH_SOCK\fR
+variable will be preserved in the environment for all users.
+.nf
+.sp
+.RS 4n
+dn: cn=defaults,ou=SUDOers,dc=example,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: defaults
+description: Default sudoOption's go here
+sudoOption: env_keep+=SSH_AUTH_SOCK
+.RE
+.fi
.PP
-The equivalent of a sudoer in \s-1LDAP\s0 is a \f(CW\*(C`sudoRole\*(C'\fR. It consists of
-the following attributes:
-.IP "\fBsudoUser\fR" 4
-.IX Item "sudoUser"
-A user name, uid (prefixed with \f(CW\*(Aq#\*(Aq\fR), Unix group (prefixed with
-a \f(CW\*(Aq%\*(Aq\fR) or user netgroup (prefixed with a \f(CW\*(Aq+\*(Aq\fR).
-.IP "\fBsudoHost\fR" 4
-.IX Item "sudoHost"
-A host name, \s-1IP\s0 address, \s-1IP\s0 network, or host netgroup (prefixed
-with a \f(CW\*(Aq+\*(Aq\fR).
-The special value \f(CW\*(C`ALL\*(C'\fR will match any host.
-.IP "\fBsudoCommand\fR" 4
-.IX Item "sudoCommand"
+The equivalent of a sudoer in LDAP is a
+\fRsudoRole\fR.
+It consists of the following attributes:
+.TP 6n
+\fBsudoUser\fR
+A user name, user ID (prefixed with
+`#'),
+Unix group (prefixed with
+`%'),
+Unix group ID (prefixed with
+`%#'),
+or user netgroup (prefixed with
+`+').
+.TP 6n
+\fBsudoHost\fR
+A host name, IP address, IP network, or host netgroup (prefixed with a
+`+').
+The special value
+\fRALL\fR
+will match any host.
+.TP 6n
+\fBsudoCommand\fR
A Unix command with optional command line arguments, potentially
including globbing characters (aka wild cards).
-The special value \f(CW\*(C`ALL\*(C'\fR will match any command.
-If a command is prefixed with an exclamation point \f(CW\*(Aq!\*(Aq\fR, the
-user will be prohibited from running that command.
-.IP "\fBsudoOption\fR" 4
-.IX Item "sudoOption"
+The special value
+\fRALL\fR
+will match any command.
+If a command is prefixed with an exclamation point
+`\&!',
+the user will be prohibited from running that command.
+.TP 6n
+\fBsudoOption\fR
Identical in function to the global options described above, but
-specific to the \f(CW\*(C`sudoRole\*(C'\fR in which it resides.
-.IP "\fBsudoRunAsUser\fR" 4
-.IX Item "sudoRunAsUser"
-A user name or uid (prefixed with \f(CW\*(Aq#\*(Aq\fR) that commands may be run
-as or a Unix group (prefixed with a \f(CW\*(Aq%\*(Aq\fR) or user netgroup (prefixed
-with a \f(CW\*(Aq+\*(Aq\fR) that contains a list of users that commands may be
-run as.
-The special value \f(CW\*(C`ALL\*(C'\fR will match any user.
-.Sp
-The \f(CW\*(C`sudoRunAsUser\*(C'\fR attribute is only available in \fBsudo\fR versions
-1.7.0 and higher. Older versions of \fBsudo\fR use the \f(CW\*(C`sudoRunAs\*(C'\fR
+specific to the
+\fRsudoRole\fR
+in which it resides.
+.TP 6n
+\fBsudoRunAsUser\fR
+A user name or uid (prefixed with
+`#')
+that commands may be run as or a Unix group (prefixed with a
+`%')
+or user netgroup (prefixed with a
+`+')
+that contains a list of users that commands may be run as.
+The special value
+\fRALL\fR
+will match any user.
+.sp
+The
+\fRsudoRunAsUser\fR
+attribute is only available in
+\fBsudo\fR
+versions
+1.7.0 and higher.
+Older versions of
+\fBsudo\fR
+use the
+\fRsudoRunAs\fR
attribute instead.
-.IP "\fBsudoRunAsGroup\fR" 4
-.IX Item "sudoRunAsGroup"
-A Unix group or gid (prefixed with \f(CW\*(Aq#\*(Aq\fR) that commands may be run as.
-The special value \f(CW\*(C`ALL\*(C'\fR will match any group.
-.Sp
-The \f(CW\*(C`sudoRunAsGroup\*(C'\fR attribute is only available in \fBsudo\fR versions
+.TP 6n
+\fBsudoRunAsGroup\fR
+A Unix group or gid (prefixed with
+`#')
+that commands may be run as.
+The special value
+\fRALL\fR
+will match any group.
+.sp
+The
+\fRsudoRunAsGroup\fR
+attribute is only available in
+\fBsudo\fR
+versions
1.7.0 and higher.
-.IP "\fBsudoNotBefore\fR" 4
-.IX Item "sudoNotBefore"
-A timestamp in the form \f(CW\*(C`yyyymmddHHMMSSZ\*(C'\fR that can be used to provide
-a start date/time for when the \f(CW\*(C`sudoRole\*(C'\fR will be valid. If
-multiple \f(CW\*(C`sudoNotBefore\*(C'\fR entries are present, the earliest is used.
-Note that timestamps must be in Coordinated Universal Time (\s-1UTC\s0),
-not the local timezone. The minute and seconds portions are optional,
-but some \s-1LDAP\s0 servers require that they be present (contrary to the \s-1RFC\s0).
-.Sp
-The \f(CW\*(C`sudoNotBefore\*(C'\fR attribute is only available in \fBsudo\fR versions
-1.7.5 and higher and must be explicitly enabled via the \fB\s-1SUDOERS_TIMED\s0\fR
-option in \fI@ldap_conf@\fR.
-.IP "\fBsudoNotAfter\fR" 4
-.IX Item "sudoNotAfter"
-A timestamp in the form \f(CW\*(C`yyyymmddHHMMSSZ\*(C'\fR that indicates an expiration
-date/time, after which the \f(CW\*(C`sudoRole\*(C'\fR will no longer be valid. If
-multiple \f(CW\*(C`sudoNotBefore\*(C'\fR entries are present, the last one is used.
-Note that timestamps must be in Coordinated Universal Time (\s-1UTC\s0),
-not the local timezone. The minute and seconds portions are optional,
-but some \s-1LDAP\s0 servers require that they be present (contrary to the \s-1RFC\s0).
-.Sp
-The \f(CW\*(C`sudoNotAfter\*(C'\fR attribute is only available in \fBsudo\fR versions
-1.7.5 and higher and must be explicitly enabled via the \fB\s-1SUDOERS_TIMED\s0\fR
-option in \fI@ldap_conf@\fR.
-.IP "\fBsudoOrder\fR" 4
-.IX Item "sudoOrder"
-The \f(CW\*(C`sudoRole\*(C'\fR entries retrieved from the \s-1LDAP\s0 directory have no
-inherent order. The \f(CW\*(C`sudoOrder\*(C'\fR attribute is an integer (or
-floating point value for \s-1LDAP\s0 servers that support it) that is used
-to sort the matching entries. This allows LDAP-based sudoers entries
-to more closely mimic the behaviour of the sudoers file, where the
-of the entries influences the result. If multiple entries match,
-the entry with the highest \f(CW\*(C`sudoOrder\*(C'\fR attribute is chosen. This
-corresponds to the \*(L"last match\*(R" behavior of the sudoers file. If
-the \f(CW\*(C`sudoOrder\*(C'\fR attribute is not present, a value of 0 is assumed.
-.Sp
-The \f(CW\*(C`sudoOrder\*(C'\fR attribute is only available in \fBsudo\fR versions
-1.7.5 and higher.
+.TP 6n
+\fBsudoNotBefore\fR
+A timestamp in the form
+\fRyyyymmddHHMMSSZ\fR
+that can be used to provide a start date/time for when the
+\fRsudoRole\fR
+will be valid.
+If multiple
+\fRsudoNotBefore\fR
+entries are present, the earliest is used.
+Note that timestamps must be in Coordinated Universal Time (UTC),
+not the local timezone.
+The minute and seconds portions are optional, but some LDAP servers
+require that they be present (contrary to the RFC).
+.sp
+The
+\fRsudoNotBefore\fR
+attribute is only available in
+\fBsudo\fR
+versions 1.7.5 and higher and must be explicitly enabled via the
+\fBSUDOERS_TIMED\fR
+option in
+\fI@ldap_conf@\fR.
+.TP 6n
+\fBsudoNotAfter\fR
+A timestamp in the form
+\fRyyyymmddHHMMSSZ\fR
+that indicates an expiration date/time, after which the
+\fRsudoRole\fR
+will no longer be valid.
+If multiple
+\fRsudoNotBefore\fR
+entries are present, the last one is used.
+Note that timestamps must be in Coordinated Universal Time (UTC),
+not the local timezone.
+The minute and seconds portions are optional, but some LDAP servers
+require that they be present (contrary to the RFC).
+.sp
+The
+\fRsudoNotAfter\fR
+attribute is only available in
+\fBsudo\fR
+versions
+1.7.5 and higher and must be explicitly enabled via the
+\fBSUDOERS_TIMED\fR
+option in
+\fI@ldap_conf@\fR.
+.TP 6n
+\fBsudoOrder\fR
+The
+\fRsudoRole\fR
+entries retrieved from the LDAP directory have no inherent order.
+The
+\fRsudoOrder\fR
+attribute is an integer (or floating point value for LDAP servers
+that support it) that is used to sort the matching entries.
+This allows LDAP-based sudoers entries to more closely mimic the behaviour
+of the sudoers file, where the of the entries influences the result.
+If multiple entries match, the entry with the highest
+\fRsudoOrder\fR
+attribute is chosen.
+This corresponds to the
+``last match''
+behavior of the sudoers file.
+If the
+\fRsudoOrder\fR
+attribute is not present, a value of 0 is assumed.
+.sp
+The
+\fRsudoOrder\fR
+attribute is only available in
+\fBsudo\fR
+versions 1.7.5 and higher.
.PP
Each attribute listed above should contain a single value, but there
-may be multiple instances of each attribute type. A \f(CW\*(C`sudoRole\*(C'\fR must
-contain at least one \f(CW\*(C`sudoUser\*(C'\fR, \f(CW\*(C`sudoHost\*(C'\fR and \f(CW\*(C`sudoCommand\*(C'\fR.
+may be multiple instances of each attribute type.
+A
+\fRsudoRole\fR
+must contain at least one
+\fRsudoUser\fR,
+\fRsudoHost\fR
+and
+\fRsudoCommand\fR.
.PP
The following example allows users in group wheel to run any command
-on any host via \fBsudo\fR:
-.PP
-.Vb 7
-\& dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
-\& objectClass: top
-\& objectClass: sudoRole
-\& cn: %wheel
-\& sudoUser: %wheel
-\& sudoHost: ALL
-\& sudoCommand: ALL
-.Ve
-.SS "Anatomy of \s-1LDAP\s0 sudoers lookup"
-.IX Subsection "Anatomy of LDAP sudoers lookup"
-When looking up a sudoer using \s-1LDAP\s0 there are only two or three
-\&\s-1LDAP\s0 queries per invocation. The first query is to parse the global
-options. The second is to match against the user's name and the
-groups that the user belongs to. (The special \s-1ALL\s0 tag is matched
-in this query too.) If no match is returned for the user's name
-and groups, a third query returns all entries containing user
-netgroups and checks to see if the user belongs to any of them.
+on any host via
+\fBsudo\fR:
+.nf
+.sp
+.RS 4n
+dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: %wheel
+sudoUser: %wheel
+sudoHost: ALL
+sudoCommand: ALL
+.RE
+.fi
+.SS "Anatomy of LDAP sudoers lookup"
+When looking up a sudoer using LDAP there are only two or three
+LDAP queries per invocation.
+The first query is to parse the global options.
+The second is to match against the user's name and the groups that
+the user belongs to.
+(The special
+\fRALL\fR
+tag is matched in this query too.)
+If no match is returned for the user's name and groups, a third
+query returns all entries containing user netgroups and checks
+to see if the user belongs to any of them.
.PP
-If timed entries are enabled with the \fB\s-1SUDOERS_TIMED\s0\fR configuration
-directive, the \s-1LDAP\s0 queries include a subfilter that limits retrieval
-to entries that satisfy the time constraints, if any.
-.SS "Differences between \s-1LDAP\s0 and non-LDAP sudoers"
-.IX Subsection "Differences between LDAP and non-LDAP sudoers"
+If timed entries are enabled with the
+\fBSUDOERS_TIMED\fR
+configuration directive, the LDAP queries include a subfilter that
+limits retrieval to entries that satisfy the time constraints, if any.
+.SS "Differences between LDAP and non-LDAP sudoers"
There are some subtle differences in the way sudoers is handled
-once in \s-1LDAP\s0. Probably the biggest is that according to the \s-1RFC\s0,
-\&\s-1LDAP\s0 ordering is arbitrary and you cannot expect that Attributes
-and Entries are returned in any specific order.
+once in LDAP.
+Probably the biggest is that according to the RFC, LDAP ordering
+is arbitrary and you cannot expect that Attributes and Entries are
+returned in any specific order.
.PP
The order in which different entries are applied can be controlled
-using the \f(CW\*(C`sudoOrder\*(C'\fR attribute, but there is no way to guarantee
-the order of attributes within a specific entry. If there are
-conflicting command rules in an entry, the negative takes precedence.
+using the
+\fRsudoOrder\fR
+attribute, but there is no way to guarantee the order of attributes
+within a specific entry.
+If there are conflicting command rules in an entry, the negative
+takes precedence.
This is called paranoid behavior (not necessarily the most specific
match).
.PP
Here is an example:
-.PP
-.Vb 5
-\& # /etc/sudoers:
-\& # Allow all commands except shell
-\& johnny ALL=(root) ALL,!/bin/sh
-\& # Always allows all commands because ALL is matched last
-\& puddles ALL=(root) !/bin/sh,ALL
-\&
-\& # LDAP equivalent of johnny
-\& # Allows all commands except shell
-\& dn: cn=role1,ou=Sudoers,dc=my\-domain,dc=com
-\& objectClass: sudoRole
-\& objectClass: top
-\& cn: role1
-\& sudoUser: johnny
-\& sudoHost: ALL
-\& sudoCommand: ALL
-\& sudoCommand: !/bin/sh
-\&
-\& # LDAP equivalent of puddles
-\& # Notice that even though ALL comes last, it still behaves like
-\& # role1 since the LDAP code assumes the more paranoid configuration
-\& dn: cn=role2,ou=Sudoers,dc=my\-domain,dc=com
-\& objectClass: sudoRole
-\& objectClass: top
-\& cn: role2
-\& sudoUser: puddles
-\& sudoHost: ALL
-\& sudoCommand: !/bin/sh
-\& sudoCommand: ALL
-.Ve
+.nf
+.sp
+.RS 4n
+# /etc/sudoers:
+# Allow all commands except shell
+johnny ALL=(root) ALL,!/bin/sh
+# Always allows all commands because ALL is matched last
+puddles ALL=(root) !/bin/sh,ALL
+
+# LDAP equivalent of johnny
+# Allows all commands except shell
+dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
+objectClass: sudoRole
+objectClass: top
+cn: role1
+sudoUser: johnny
+sudoHost: ALL
+sudoCommand: ALL
+sudoCommand: !/bin/sh
+
+# LDAP equivalent of puddles
+# Notice that even though ALL comes last, it still behaves like
+# role1 since the LDAP code assumes the more paranoid configuration
+dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
+objectClass: sudoRole
+objectClass: top
+cn: role2
+sudoUser: puddles
+sudoHost: ALL
+sudoCommand: !/bin/sh
+sudoCommand: ALL
+.RE
+.fi
.PP
Another difference is that negations on the Host, User or Runas are
-currently ignored. For example, the following attributes do not
-behave the way one might expect.
-.PP
-.Vb 3
-\& # does not match all but joe
-\& # rather, does not match anyone
-\& sudoUser: !joe
-\&
-\& # does not match all but joe
-\& # rather, matches everyone including Joe
-\& sudoUser: ALL
-\& sudoUser: !joe
-\&
-\& # does not match all but web01
-\& # rather, matches all hosts including web01
-\& sudoHost: ALL
-\& sudoHost: !web01
-.Ve
+currently ignored.
+For example, the following attributes do not behave the way one might expect.
+.nf
+.sp
+.RS 4n
+# does not match all but joe
+# rather, does not match anyone
+sudoUser: !joe
+
+# does not match all but joe
+# rather, matches everyone including Joe
+sudoUser: ALL
+sudoUser: !joe
+
+# does not match all but web01
+# rather, matches all hosts including web01
+sudoHost: ALL
+sudoHost: !web01
+.RE
+.fi
.SS "Sudoers Schema"
-.IX Subsection "Sudoers Schema"
-In order to use \fBsudo\fR's \s-1LDAP\s0 support, the \fBsudo\fR schema must be
-installed on your \s-1LDAP\s0 server. In addition, be sure to index the
-\&'sudoUser' attribute.
+In order to use
+\fBsudo\fR's
+LDAP support, the
+\fBsudo\fR
+schema must be
+installed on your LDAP server.
+In addition, be sure to index the
+\fRsudoUser\fR
+attribute.
.PP
-Three versions of the schema: one for OpenLDAP servers (\fIschema.OpenLDAP\fR),
-one for Netscape-derived servers (\fIschema.iPlanet\fR), and one for
-Microsoft Active Directory (\fIschema.ActiveDirectory\fR) may
-be found in the \fBsudo\fR distribution.
+Three versions of the schema: one for OpenLDAP servers
+(\fIschema.OpenLDAP\fR),
+one for Netscape-derived servers
+(\fIschema.iPlanet\fR),
+and one for Microsoft Active Directory
+(\fIschema.ActiveDirectory\fR)
+may be found in the
+\fBsudo\fR
+distribution.
.PP
-The schema for \fBsudo\fR in OpenLDAP form is included in the \s-1EXAMPLES\s0
+The schema for
+\fBsudo\fR
+in OpenLDAP form is also included in the
+\fIEXAMPLES\fR
section.
.SS "Configuring ldap.conf"
-.IX Subsection "Configuring ldap.conf"
-Sudo reads the \fI@ldap_conf@\fR file for LDAP-specific configuration.
+Sudo reads the
+\fI@ldap_conf@\fR
+file for LDAP-specific configuration.
Typically, this file is shared amongst different LDAP-aware clients.
-As such, most of the settings are not \fBsudo\fR\-specific. Note that
-\&\fBsudo\fR parses \fI@ldap_conf@\fR itself and may support options that
-differ from those described in the system's \fIldap.conf\fR\|(@mansectform@) manual.
+As such, most of the settings are not
+\fBsudo\fR-specific.
+Note that
+\fBsudo\fR
+parses
+\fI@ldap_conf@\fR
+itself and may support options that differ from those described in the
+system's
+ldap.conf(@mansectsu@)
+manual.
.PP
Also note that on systems using the OpenLDAP libraries, default
-values specified in \fI/etc/openldap/ldap.conf\fR or the user's
-\&\fI.ldaprc\fR files are not used.
+values specified in
+\fI/etc/openldap/ldap.conf\fR
+or the user's
+\fI.ldaprc\fR
+files are not used.
.PP
-Only those options explicitly listed in \fI@ldap_conf@\fR as being
-supported by \fBsudo\fR are honored. Configuration options are listed
-below in upper case but are parsed in a case-independent manner.
-.IP "\fB\s-1URI\s0\fR ldap[s]://[hostname[:port]] ..." 4
-.IX Item "URI ldap[s]://[hostname[:port]] ..."
+Only those options explicitly listed in
+\fI@ldap_conf@\fR
+as being supported by
+\fBsudo\fR
+are honored.
+Configuration options are listed below in upper case but are parsed
+in a case-independent manner.
+.TP 6n
+\fBURI\fR \fIldap[s]://[hostname[:port]] ...\fR
Specifies a whitespace-delimited list of one or more URIs describing
-the \s-1LDAP\s0 server(s) to connect to. The \fIprotocol\fR may be either
-\&\fBldap\fR or \fBldaps\fR, the latter being for servers that support \s-1TLS\s0
-(\s-1SSL\s0) encryption. If no \fIport\fR is specified, the default is port
-389 for \f(CW\*(C`ldap://\*(C'\fR or port 636 for \f(CW\*(C`ldaps://\*(C'\fR. If no \fIhostname\fR
-is specified, \fBsudo\fR will connect to \fBlocalhost\fR. Multiple \fB\s-1URI\s0\fR
-lines are treated identically to a \fB\s-1URI\s0\fR line containing multiple
-entries. Only systems using the OpenSSL libraries support the
-mixing of \f(CW\*(C`ldap://\*(C'\fR and \f(CW\*(C`ldaps://\*(C'\fR URIs. Both the Netscape-derived
-and Tivoli \s-1LDAP\s0 libraries used on most commercial versions of Unix
-are only capable of supporting one or the other.
-.IP "\fB\s-1HOST\s0\fR name[:port] ..." 4
-.IX Item "HOST name[:port] ..."
-If no \fB\s-1URI\s0\fR is specified, the \fB\s-1HOST\s0\fR parameter specifies a
-whitespace-delimited list of \s-1LDAP\s0 servers to connect to. Each host
-may include an optional \fIport\fR separated by a colon (':'). The
-\&\fB\s-1HOST\s0\fR parameter is deprecated in favor of the \fB\s-1URI\s0\fR specification
-and is included for backwards compatibility.
-.IP "\fB\s-1PORT\s0\fR port_number" 4
-.IX Item "PORT port_number"
-If no \fB\s-1URI\s0\fR is specified, the \fB\s-1PORT\s0\fR parameter specifies the
-default port to connect to on the \s-1LDAP\s0 server if a \fB\s-1HOST\s0\fR parameter
-does not specify the port itself. If no \fB\s-1PORT\s0\fR parameter is used,
-the default is port 389 for \s-1LDAP\s0 and port 636 for \s-1LDAP\s0 over \s-1TLS\s0
-(\s-1SSL\s0). The \fB\s-1PORT\s0\fR parameter is deprecated in favor of the \fB\s-1URI\s0\fR
+the LDAP server(s) to connect to.
+The
+\fIprotocol\fR
+may be either
+\fIldap\fR
+\fIldaps\fR,
+the latter being for servers that support TLS (SSL) encryption.
+If no
+\fIport\fR
+is specified, the default is port 389 for
+\fRldap://\fR
+or port 636 for
+\fRldaps://\fR.
+If no
+\fIhostname\fR
+is specified,
+\fBsudo\fR
+will connect to
+\fIlocalhost\fR.
+Multiple
+\fBURI\fR
+lines are treated identically to a
+\fBURI\fR
+line containing multiple entries.
+Only systems using the OpenSSL libraries support the mixing of
+\fRldap://\fR
+and
+\fRldaps://\fR
+URIs.
+Both the Netscape-derived and Tivoli LDAP libraries used on most commercial
+versions of Unix are only capable of supporting one or the other.
+.TP 6n
+\fBHOST\fR \fIname[:port] ...\fR
+If no
+\fBURI\fR
+is specified, the
+\fBHOST\fR
+parameter specifies a whitespace-delimited list of LDAP servers to connect to.
+Each host may include an optional
+\fIport\fR
+separated by a colon
+(`:\&').
+The
+\fBHOST\fR
+parameter is deprecated in favor of the
+\fBURI\fR
specification and is included for backwards compatibility.
-.IP "\fB\s-1BIND_TIMELIMIT\s0\fR seconds" 4
-.IX Item "BIND_TIMELIMIT seconds"
-The \fB\s-1BIND_TIMELIMIT\s0\fR parameter specifies the amount of time, in seconds,
-to wait while trying to connect to an \s-1LDAP\s0 server. If multiple \fB\s-1URI\s0\fRs or
-\&\fB\s-1HOST\s0\fRs are specified, this is the amount of time to wait before trying
+.TP 6n
+\fBPORT\fR \fIport_number\fR
+If no
+\fBURI\fR
+is specified, the
+\fBPORT\fR
+parameter specifies the default port to connect to on the LDAP server if a
+\fBHOST\fR
+parameter does not specify the port itself.
+If no
+\fBPORT\fR
+parameter is used, the default is port 389 for LDAP and port 636 for LDAP
+over TLS (SSL).
+The
+\fBPORT\fR
+parameter is deprecated in favor of the
+\fBURI\fR
+specification and is included for backwards compatibility.
+.TP 6n
+\fBBIND_TIMELIMIT\fR \fIseconds\fR
+The
+\fBBIND_TIMELIMIT\fR
+parameter specifies the amount of time, in seconds, to wait while trying
+to connect to an LDAP server.
+If multiple
+\fBURI\fRs
+or
+\fBHOST\fRs
+are specified, this is the amount of time to wait before trying
the next one in the list.
-.IP "\fB\s-1NETWORK_TIMEOUT\s0\fR seconds" 4
-.IX Item "NETWORK_TIMEOUT seconds"
-An alias for \fB\s-1BIND_TIMELIMIT\s0\fR for OpenLDAP compatibility.
-.IP "\fB\s-1TIMELIMIT\s0\fR seconds" 4
-.IX Item "TIMELIMIT seconds"
-The \fB\s-1TIMELIMIT\s0\fR parameter specifies the amount of time, in seconds,
-to wait for a response to an \s-1LDAP\s0 query.
-.IP "\fB\s-1TIMEOUT\s0\fR seconds" 4
-.IX Item "TIMEOUT seconds"
-The \fB\s-1TIMEOUT\s0\fR parameter specifies the amount of time, in seconds,
-to wait for a response from the various \s-1LDAP\s0 APIs.
-.IP "\fB\s-1SUDOERS_BASE\s0\fR base" 4
-.IX Item "SUDOERS_BASE base"
-The base \s-1DN\s0 to use when performing \fBsudo\fR \s-1LDAP\s0 queries. Typically
-this is of the form \f(CW\*(C`ou=SUDOers,dc=example,dc=com\*(C'\fR for the domain
-\&\f(CW\*(C`example.com\*(C'\fR. Multiple \fB\s-1SUDOERS_BASE\s0\fR lines may be specified,
-in which case they are queried in the order specified.
-.IP "\fB\s-1SUDOERS_SEARCH_FILTER\s0\fR ldap_filter" 4
-.IX Item "SUDOERS_SEARCH_FILTER ldap_filter"
-An \s-1LDAP\s0 filter which is used to restrict the set of records returned
-when performing a \fBsudo\fR \s-1LDAP\s0 query. Typically, this is of the
-form \f(CW\*(C`attribute=value\*(C'\fR or \f(CW\*(C`(&(attribute=value)(attribute2=value2))\*(C'\fR.
-.IP "\fB\s-1SUDOERS_TIMED\s0\fR on/true/yes/off/false/no" 4
-.IX Item "SUDOERS_TIMED on/true/yes/off/false/no"
-Whether or not to evaluate the \f(CW\*(C`sudoNotBefore\*(C'\fR and \f(CW\*(C`sudoNotAfter\*(C'\fR
+.TP 6n
+\fBNETWORK_TIMEOUT\fR \fIseconds\fR
+An alias for
+\fBBIND_TIMELIMIT\fR
+for OpenLDAP compatibility.
+.TP 6n
+\fBTIMELIMIT\fR \fIseconds\fR
+The
+\fBTIMELIMIT\fR
+parameter specifies the amount of time, in seconds, to wait for a
+response to an LDAP query.
+.TP 6n
+\fBTIMEOUT\fR \fIseconds\fR
+The
+\fBTIMEOUT\fR
+parameter specifies the amount of time, in seconds, to wait for a
+response from the various LDAP APIs.
+.TP 6n
+\fBSUDOERS_BASE\fR \fIbase\fR
+The base DN to use when performing
+\fBsudo\fR
+LDAP queries.
+Typically this is of the form
+\fRou=SUDOers,dc=example,dc=com\fR
+for the domain
+\fRexample.com\fR.
+Multiple
+\fBSUDOERS_BASE\fR
+lines may be specified, in which case they are queried in the order specified.
+.TP 6n
+\fBSUDOERS_SEARCH_FILTER\fR \fIldap_filter\fR
+An LDAP filter which is used to restrict the set of records returned
+when performing a
+\fBsudo\fR
+LDAP query.
+Typically, this is of the
+form
+\fRattribute=value\fR
+or
+\fR(&(attribute=value)(attribute2=value2))\fR.
+.TP 6n
+\fBSUDOERS_TIMED\fR \fIon/true/yes/off/false/no\fR
+Whether or not to evaluate the
+\fRsudoNotBefore\fR
+and
+\fRsudoNotAfter\fR
attributes that implement time-dependent sudoers entries.
-.IP "\fB\s-1SUDOERS_DEBUG\s0\fR debug_level" 4
-.IX Item "SUDOERS_DEBUG debug_level"
-This sets the debug level for \fBsudo\fR \s-1LDAP\s0 queries. Debugging
-information is printed to the standard error. A value of 1 results
-in a moderate amount of debugging information. A value of 2 shows
-the results of the matches themselves. This parameter should not
-be set in a production environment as the extra information is
-likely to confuse users.
-.IP "\fB\s-1BINDDN\s0\fR \s-1DN\s0" 4
-.IX Item "BINDDN DN"
-The \fB\s-1BINDDN\s0\fR parameter specifies the identity, in the form of a
-Distinguished Name (\s-1DN\s0), to use when performing \s-1LDAP\s0 operations.
-If not specified, \s-1LDAP\s0 operations are performed with an anonymous
-identity. By default, most \s-1LDAP\s0 servers will allow anonymous access.
-.IP "\fB\s-1BINDPW\s0\fR secret" 4
-.IX Item "BINDPW secret"
-The \fB\s-1BINDPW\s0\fR parameter specifies the password to use when performing
-\&\s-1LDAP\s0 operations. This is typically used in conjunction with the
-\&\fB\s-1BINDDN\s0\fR parameter.
-.IP "\fB\s-1ROOTBINDDN\s0\fR \s-1DN\s0" 4
-.IX Item "ROOTBINDDN DN"
-The \fB\s-1ROOTBINDDN\s0\fR parameter specifies the identity, in the form of
-a Distinguished Name (\s-1DN\s0), to use when performing privileged \s-1LDAP\s0
-operations, such as \fIsudoers\fR queries. The password corresponding
-to the identity should be stored in \fI@ldap_secret@\fR.
-If not specified, the \fB\s-1BINDDN\s0\fR identity is used (if any).
-.IP "\fB\s-1LDAP_VERSION\s0\fR number" 4
-.IX Item "LDAP_VERSION number"
-The version of the \s-1LDAP\s0 protocol to use when connecting to the server.
+.TP 6n
+\fBSUDOERS_DEBUG\fR \fIdebug_level\fR
+This sets the debug level for
+\fBsudo\fR
+LDAP queries.
+Debugging information is printed to the standard error.
+A value of 1 results in a moderate amount of debugging information.
+A value of 2 shows the results of the matches themselves.
+This parameter should not be set in a production environment as the
+extra information is likely to confuse users.
+.TP 6n
+\fBBINDDN\fR \fIDN\fR
+The
+\fBBINDDN\fR
+parameter specifies the identity, in the form of a Distinguished Name (DN),
+to use when performing LDAP operations.
+If not specified, LDAP operations are performed with an anonymous identity.
+By default, most LDAP servers will allow anonymous access.
+.TP 6n
+\fBBINDPW\fR \fIsecret\fR
+The
+\fBBINDPW\fR
+parameter specifies the password to use when performing LDAP operations.
+This is typically used in conjunction with the
+\fBBINDDN\fR
+parameter.
+.TP 6n
+\fBROOTBINDDN\fR \fIDN\fR
+The
+\fBROOTBINDDN\fR
+parameter specifies the identity, in the form of a Distinguished Name (DN),
+to use when performing privileged LDAP operations, such as
+\fIsudoers\fR
+queries.
+The password corresponding
+to the identity should be stored in
+\fI@ldap_secret@\fR.
+If not specified, the
+\fBBINDDN\fR
+identity is used (if any).
+.TP 6n
+\fBLDAP_VERSION\fR \fInumber\fR
+The version of the LDAP protocol to use when connecting to the server.
The default value is protocol version 3.
-.IP "\fB\s-1SSL\s0\fR on/true/yes/off/false/no" 4
-.IX Item "SSL on/true/yes/off/false/no"
-If the \fB\s-1SSL\s0\fR parameter is set to \f(CW\*(C`on\*(C'\fR, \f(CW\*(C`true\*(C'\fR or \f(CW\*(C`yes\*(C'\fR, \s-1TLS\s0
-(\s-1SSL\s0) encryption is always used when communicating with the \s-1LDAP\s0
-server. Typically, this involves connecting to the server on port
-636 (ldaps).
-.IP "\fB\s-1SSL\s0\fR start_tls" 4
-.IX Item "SSL start_tls"
-If the \fB\s-1SSL\s0\fR parameter is set to \f(CW\*(C`start_tls\*(C'\fR, the \s-1LDAP\s0 server
-connection is initiated normally and \s-1TLS\s0 encryption is begun before
-the bind credentials are sent. This has the advantage of not
-requiring a dedicated port for encrypted communications. This
-parameter is only supported by \s-1LDAP\s0 servers that honor the \f(CW\*(C`start_tls\*(C'\fR
-extension, such as the OpenLDAP server.
-.IP "\fB\s-1TLS_CHECKPEER\s0\fR on/true/yes/off/false/no" 4
-.IX Item "TLS_CHECKPEER on/true/yes/off/false/no"
-If enabled, \fB\s-1TLS_CHECKPEER\s0\fR will cause the \s-1LDAP\s0 server's \s-1TLS\s0
-certificated to be verified. If the server's \s-1TLS\s0 certificate cannot
-be verified (usually because it is signed by an unknown certificate
-authority), \fBsudo\fR will be unable to connect to it. If \fB\s-1TLS_CHECKPEER\s0\fR
-is disabled, no check is made. Note that disabling the check creates
-an opportunity for man-in-the-middle attacks since the server's
-identity will not be authenticated. If possible, the \s-1CA\s0's certificate
-should be installed locally so it can be verified. This option is
-not supported by the Tivoli Directory Server \s-1LDAP\s0 libraries.
-.IP "\fB\s-1TLS_CACERT\s0\fR file name" 4
-.IX Item "TLS_CACERT file name"
-An alias for \fB\s-1TLS_CACERTFILE\s0\fR for OpenLDAP compatibility.
-.IP "\fB\s-1TLS_CACERTFILE\s0\fR file name" 4
-.IX Item "TLS_CACERTFILE file name"
+.TP 6n
+\fBSSL\fR \fIon/true/yes/off/false/no\fR
+If the
+\fBSSL\fR
+parameter is set to
+\fRon\fR,
+\fRtrue\fR
+\fRor\fR
+\fRyes\fR,
+TLS (SSL) encryption is always used when communicating with the LDAP server.
+Typically, this involves connecting to the server on port 636 (ldaps).
+.TP 6n
+\fBSSL\fR \fIstart_tls\fR
+If the
+\fBSSL\fR
+parameter is set to
+\fRstart_tls\fR,
+the LDAP server connection is initiated normally and TLS encryption is
+begun before the bind credentials are sent.
+This has the advantage of not requiring a dedicated port for encrypted
+communications.
+This parameter is only supported by LDAP servers that honor the
+\fIstart_tls\fR
+extension, such as the OpenLDAP and Tivoli Directory servers.
+.TP 6n
+\fBTLS_CHECKPEER\fR \fIon/true/yes/off/false/no\fR
+If enabled,
+\fBTLS_CHECKPEER\fR
+will cause the LDAP server's TLS certificated to be verified.
+If the server's TLS certificate cannot be verified (usually because it
+is signed by an unknown certificate authority),
+\fBsudo\fR
+will be unable to connect to it.
+If
+\fBTLS_CHECKPEER\fR
+is disabled, no check is made.
+Note that disabling the check creates an opportunity for man-in-the-middle
+attacks since the server's identity will not be authenticated.
+If possible, the CA's certificate should be installed locally so it can
+be verified.
+This option is not supported by the Tivoli Directory Server LDAP libraries.
+.TP 6n
+\fBTLS_CACERT\fR \fIfile name\fR
+An alias for
+\fBTLS_CACERTFILE\fR
+for OpenLDAP compatibility.
+.TP 6n
+\fBTLS_CACERTFILE\fR \fIfile name\fR
The path to a certificate authority bundle which contains the certificates
-for all the Certificate Authorities the client knows to be valid,
-e.g. \fI/etc/ssl/ca\-bundle.pem\fR.
+for all the Certificate Authorities the client knows to be valid, e.g.\&
+\fI/etc/ssl/ca-bundle.pem\fR.
This option is only supported by the OpenLDAP libraries.
-Netscape-derived \s-1LDAP\s0 libraries use the same certificate
-database for \s-1CA\s0 and client certificates (see \fB\s-1TLS_CERT\s0\fR).
-.IP "\fB\s-1TLS_CACERTDIR\s0\fR directory" 4
-.IX Item "TLS_CACERTDIR directory"
-Similar to \fB\s-1TLS_CACERTFILE\s0\fR but instead of a file, it is a
-directory containing individual Certificate Authority certificates,
-e.g. \fI/etc/ssl/certs\fR.
-The directory specified by \fB\s-1TLS_CACERTDIR\s0\fR is checked after
-\&\fB\s-1TLS_CACERTFILE\s0\fR.
+Netscape-derived LDAP libraries use the same certificate
+database for CA and client certificates (see
+\fBTLS_CERT\fR).
+.TP 6n
+\fBTLS_CACERTDIR\fR \fIdirectory\fR
+Similar to
+\fBTLS_CACERTFILE\fR
+but instead of a file, it is a directory containing individual
+Certificate Authority certificates, e.g.\&
+\fI/etc/ssl/certs\fR.
+The directory specified by
+\fBTLS_CACERTDIR\fR
+is checked after
+\fBTLS_CACERTFILE\fR.
This option is only supported by the OpenLDAP libraries.
-.IP "\fB\s-1TLS_CERT\s0\fR file name" 4
-.IX Item "TLS_CERT file name"
+.TP 6n
+\fBTLS_CERT\fR \fIfile name\fR
The path to a file containing the client certificate which can
-be used to authenticate the client to the \s-1LDAP\s0 server.
-The certificate type depends on the \s-1LDAP\s0 libraries used.
-.Sp
+be used to authenticate the client to the LDAP server.
+The certificate type depends on the LDAP libraries used.
+.RS
+.TP 6n
OpenLDAP:
- \f(CW\*(C`tls_cert /etc/ssl/client_cert.pem\*(C'\fR
-.Sp
+\fRtls_cert /etc/ssl/client_cert.pem\fR
+.TP 6n
Netscape-derived:
- \f(CW\*(C`tls_cert /var/ldap/cert7.db\*(C'\fR
-.Sp
+\fRtls_cert /var/ldap/cert7.db\fR
+.TP 6n
Tivoli Directory Server:
- Unused, the key database specified by \fB\s-1TLS_KEY\s0\fR contains both
- keys and certificates.
-.Sp
+Unused, the key database specified by
+\fBTLS_KEY\fR
+contains both keys and certificates.
+.sp
When using Netscape-derived libraries, this file may also contain
Certificate Authority certificates.
-.IP "\fB\s-1TLS_KEY\s0\fR file name" 4
-.IX Item "TLS_KEY file name"
+.PP
+.RE
+.PD 0
+.TP 6n
+\fBTLS_KEY\fR \fIfile name\fR
The path to a file containing the private key which matches the
-certificate specified by \fB\s-1TLS_CERT\s0\fR. The private key must not be
-password-protected. The key type depends on the \s-1LDAP\s0 libraries
-used.
-.Sp
+certificate specified by
+\fBTLS_CERT\fR.
+The private key must not be password-protected.
+The key type depends on the LDAP libraries used.
+.RS
+.PD
+.TP 6n
OpenLDAP:
- \f(CW\*(C`tls_key /etc/ssl/client_key.pem\*(C'\fR
-.Sp
+\fRtls_key /etc/ssl/client_key.pem\fR
+.TP 6n
Netscape-derived:
- \f(CW\*(C`tls_key /var/ldap/key3.db\*(C'\fR
-.Sp
+\fRtls_key /var/ldap/key3.db\fR
+.TP 6n
Tivoli Directory Server:
- \f(CW\*(C`tls_cert /usr/ldap/ldapkey.kdb\*(C'\fR
-.Sp
-When using Tivoli \s-1LDAP\s0 libraries, this file may also contain
+\fRtls_cert /usr/ldap/ldapkey.kdb\fR
+.PD 0
+.PP
+.PD
+When using Tivoli LDAP libraries, this file may also contain
Certificate Authority and client certificates and may be encrypted.
-.IP "\fB\s-1TLS_KEYPW\s0\fR secret" 4
-.IX Item "TLS_KEYPW secret"
-The \fB\s-1TLS_KEYPW\s0\fR contains the password used to decrypt the key
-database on clients using the Tivoli Directory Server \s-1LDAP\s0 library.
-If no \fB\s-1TLS_KEYPW\s0\fR is specified, a \fIstash file\fR will be used if
-it exists. The \fIstash file\fR must have the same path as the file
-specified by \fB\s-1TLS_KEY\s0\fR, but use a \f(CW\*(C`.sth\*(C'\fR file extension instead
-of \f(CW\*(C`.kdb\*(C'\fR, e.g. \f(CW\*(C`ldapkey.sth\*(C'\fR. The default \f(CW\*(C`ldapkey.kdb\*(C'\fR that
-ships with Tivoli Directory Server is encrypted with the password
-\&\f(CW\*(C`ssl_password\*(C'\fR. This option is only supported by the Tivoli \s-1LDAP\s0
-libraries.
-.IP "\fB\s-1TLS_RANDFILE\s0\fR file name" 4
-.IX Item "TLS_RANDFILE file name"
-The \fB\s-1TLS_RANDFILE\s0\fR parameter specifies the path to an entropy
-source for systems that lack a random device. It is generally used
-in conjunction with \fIprngd\fR or \fIegd\fR.
+.PP
+.RE
+.PD 0
+.TP 6n
+\fBTLS_KEYPW\fR \fIsecret\fR
+The
+\fBTLS_KEYPW\fR
+contains the password used to decrypt the key database on clients
+using the Tivoli Directory Server LDAP library.
+If no
+\fBTLS_KEYPW\fR
+is specified, a
+\fIstash file\fR
+will be used if it exists.
+The
+\fIstash file\fR
+must have the same path as the file specified by
+\fBTLS_KEY\fR,
+but use a
+\fR.sth\fR
+file extension instead of
+\fR.kdb\fR,
+e.g.\&
+\fRldapkey.sth\fR.
+The default
+\fRldapkey.kdb\fR
+that ships with Tivoli Directory Server is encrypted with the password
+\fRssl_password\fR.
+This option is only supported by the Tivoli LDAP libraries.
+.PD
+.TP 6n
+\fBTLS_RANDFILE\fR \fIfile name\fR
+The
+\fBTLS_RANDFILE\fR
+parameter specifies the path to an entropy source for systems that lack
+a random device.
+It is generally used in conjunction with
+\fIprngd\fR
+or
+\fIegd\fR.
This option is only supported by the OpenLDAP libraries.
-.IP "\fB\s-1TLS_CIPHERS\s0\fR cipher list" 4
-.IX Item "TLS_CIPHERS cipher list"
-The \fB\s-1TLS_CIPHERS\s0\fR parameter allows the administer to restrict which
-encryption algorithms may be used for \s-1TLS\s0 (\s-1SSL\s0) connections. See
-the OpenLDAP or Tivoli Directory Server manual for a list of valid
-ciphers. This option is not supported by Netscape-derived libraries.
-.IP "\fB\s-1USE_SASL\s0\fR on/true/yes/off/false/no" 4
-.IX Item "USE_SASL on/true/yes/off/false/no"
-Enable \fB\s-1USE_SASL\s0\fR for \s-1LDAP\s0 servers that support \s-1SASL\s0 authentication.
-.IP "\fB\s-1SASL_AUTH_ID\s0\fR identity" 4
-.IX Item "SASL_AUTH_ID identity"
-The \s-1SASL\s0 user name to use when connecting to the \s-1LDAP\s0 server.
-By default, \fBsudo\fR will use an anonymous connection.
-.IP "\fB\s-1ROOTUSE_SASL\s0\fR on/true/yes/off/false/no" 4
-.IX Item "ROOTUSE_SASL on/true/yes/off/false/no"
-Enable \fB\s-1ROOTUSE_SASL\s0\fR to enable \s-1SASL\s0 authentication when connecting
-to an \s-1LDAP\s0 server from a privileged process, such as \fBsudo\fR.
-.IP "\fB\s-1ROOTSASL_AUTH_ID\s0\fR identity" 4
-.IX Item "ROOTSASL_AUTH_ID identity"
-The \s-1SASL\s0 user name to use when \fB\s-1ROOTUSE_SASL\s0\fR is enabled.
-.IP "\fB\s-1SASL_SECPROPS\s0\fR none/properties" 4
-.IX Item "SASL_SECPROPS none/properties"
-\&\s-1SASL\s0 security properties or \fInone\fR for no properties. See the
-\&\s-1SASL\s0 programmer's manual for details.
-.IP "\fB\s-1KRB5_CCNAME\s0\fR file name" 4
-.IX Item "KRB5_CCNAME file name"
+.TP 6n
+\fBTLS_CIPHERS\fR \fIcipher list\fR
+The
+\fBTLS_CIPHERS\fR
+parameter allows the administer to restrict which encryption algorithms
+may be used for TLS (SSL) connections.
+See the OpenLDAP or Tivoli Directory Server manual for a list of valid
+ciphers.
+This option is not supported by Netscape-derived libraries.
+.TP 6n
+\fBUSE_SASL\fR \fIon/true/yes/off/false/no\fR
+Enable
+\fBUSE_SASL\fR
+for LDAP servers that support SASL authentication.
+.TP 6n
+\fBSASL_AUTH_ID\fR \fIidentity\fR
+The SASL user name to use when connecting to the LDAP server.
+By default,
+\fBsudo\fR
+will use an anonymous connection.
+.TP 6n
+\fBROOTUSE_SASL\fR \fIon/true/yes/off/false/no\fR
+Enable
+\fBROOTUSE_SASL\fR
+to enable SASL authentication when connecting
+to an LDAP server from a privileged process, such as
+\fBsudo\fR.
+.TP 6n
+\fBROOTSASL_AUTH_ID\fR \fIidentity\fR
+The SASL user name to use when
+\fBROOTUSE_SASL\fR
+is enabled.
+.TP 6n
+\fBSASL_SECPROPS\fR \fInone/properties\fR
+SASL security properties or
+\fInone\fR
+for no properties.
+See the SASL programmer's manual for details.
+.TP 6n
+\fBKRB5_CCNAME\fR \fIfile name\fR
The path to the Kerberos 5 credential cache to use when authenticating
with the remote server.
-.IP "\fB\s-1DEREF\s0\fR never/searching/finding/always" 4
-.IX Item "DEREF never/searching/finding/always"
-How alias dereferencing is to be performed when searching. See the
-\&\fIldap.conf\fR\|(@mansectform@) manual for a full description of this option.
+.TP 6n
+\fBDEREF\fR \fInever/searching/finding/always\fR
+How alias dereferencing is to be performed when searching.
+See the
+ldap.conf(@mansectsu@)
+manual for a full description of this option.
.PP
-See the \f(CW\*(C`ldap.conf\*(C'\fR entry in the \s-1EXAMPLES\s0 section.
+See the
+\fIldap.conf\fR
+entry in the
+\fIEXAMPLES\fR
+section.
.SS "Configuring nsswitch.conf"
-.IX Subsection "Configuring nsswitch.conf"
-Unless it is disabled at build time, \fBsudo\fR consults the Name
-Service Switch file, \fI@nsswitch_conf@\fR, to specify the \fIsudoers\fR
-search order. Sudo looks for a line beginning with \f(CW\*(C`sudoers\*(C'\fR: and
-uses this to determine the search order. Note that \fBsudo\fR does
+Unless it is disabled at build time,
+\fBsudo\fR
+consults the Name Service Switch file,
+\fI@nsswitch_conf@\fR,
+to specify the
+\fIsudoers\fR
+search order.
+Sudo looks for a line beginning with
+\fRsudoers\fR:
+and uses this to determine the search order.
+Note that
+\fBsudo\fR
+does
not stop searching after the first match and later matches take
precedence over earlier ones.
-.PP
The following sources are recognized:
+.TP 10n
+files
+read sudoers from
+\fI@sysconfdir@/sudoers\fR
+.PD 0
+.TP 10n
+ldap
+read sudoers from LDAP
+.PD
.PP
-.Vb 2
-\& files read sudoers from F<@sysconfdir@/sudoers>
-\& ldap read sudoers from LDAP
-.Ve
-.PP
-In addition, the entry \f(CW\*(C`[NOTFOUND=return]\*(C'\fR will short-circuit the
-search if the user was not found in the preceding source.
+In addition, the entry
+\fR[NOTFOUND=return]\fR
+will short-circuit the search if the user was not found in the
+preceding source.
.PP
-To consult \s-1LDAP\s0 first followed by the local sudoers file (if it
+To consult LDAP first followed by the local sudoers file (if it
exists), use:
+.nf
+.sp
+.RS 4n
+sudoers: ldap files
+.RE
+.fi
.PP
-.Vb 1
-\& sudoers: ldap files
-.Ve
-.PP
-The local \fIsudoers\fR file can be ignored completely by using:
-.PP
-.Vb 1
-\& sudoers: ldap
-.Ve
-.PP
-If the \fI@nsswitch_conf@\fR file is not present or there is no
-sudoers line, the following default is assumed:
+The local
+\fIsudoers\fR
+file can be ignored completely by using:
+.nf
+.sp
+.RS 4n
+sudoers: ldap
+.RE
+.fi
.PP
-.Vb 1
-\& sudoers: files
-.Ve
+If the
+\fI@nsswitch_conf@\fR
+file is not present or there is no sudoers line, the following
+default is assumed:
+.nf
+.sp
+.RS 4n
+sudoers: files
+.RE
+.fi
.PP
-Note that \fI@nsswitch_conf@\fR is supported even when the underlying
-operating system does not use an nsswitch.conf file, except on \s-1AIX\s0 (see below).
+Note that
+\fI@nsswitch_conf@\fR
+is supported even when the underlying operating system does not use
+an nsswitch.conf file, except on AIX (see below).
.SS "Configuring netsvc.conf"
-.IX Subsection "Configuring netsvc.conf"
-On \s-1AIX\s0 systems, the \fI@netsvc_conf@\fR file is consulted instead of
-\&\fI@nsswitch_conf@\fR. \fBsudo\fR simply treats \fInetsvc.conf\fR as a
-variant of \fInsswitch.conf\fR; information in the previous section
-unrelated to the file format itself still applies.
+On AIX systems, the
+\fI@netsvc_conf@\fR
+file is consulted instead of
+\fI@nsswitch_conf@\fR.
+\fBsudo\fR
+simply treats
+\fInetsvc.conf\fR
+as a variant of
+\fInsswitch.conf\fR;
+information in the previous section unrelated to the file format
+itself still applies.
.PP
-To consult \s-1LDAP\s0 first followed by the local sudoers file (if it
+To consult LDAP first followed by the local sudoers file (if it
exists), use:
+.nf
+.sp
+.RS 4n
+sudoers = ldap, files
+.RE
+.fi
.PP
-.Vb 1
-\& sudoers = ldap, files
-.Ve
-.PP
-The local \fIsudoers\fR file can be ignored completely by using:
-.PP
-.Vb 1
-\& sudoers = ldap
-.Ve
-.PP
-To treat \s-1LDAP\s0 as authoratative and only use the local sudoers file
-if the user is not present in \s-1LDAP\s0, use:
+The local
+\fIsudoers\fR
+file can be ignored completely by using:
+.nf
+.sp
+.RS 4n
+sudoers = ldap
+.RE
+.fi
.PP
-.Vb 1
-\& sudoers = ldap = auth, files
-.Ve
+To treat LDAP as authoratative and only use the local sudoers file
+if the user is not present in LDAP, use:
+.nf
+.sp
+.RS 4n
+sudoers = ldap = auth, files
+.RE
+.fi
.PP
-Note that in the above example, the \f(CW\*(C`auth\*(C'\fR qualfier only affects
-user lookups; both \s-1LDAP\s0 and \fIsudoers\fR will be queried for \f(CW\*(C`Defaults\*(C'\fR
+Note that in the above example, the
+\fRauth\fR
+qualfier only affects user lookups; both LDAP and
+\fIsudoers\fR
+will be queried for
+\fRDefaults\fR
entries.
.PP
-If the \fI@netsvc_conf@\fR file is not present or there is no
-sudoers line, the following default is assumed:
-.PP
-.Vb 1
-\& sudoers = files
-.Ve
+If the
+\fI@netsvc_conf@\fR
+file is not present or there is no sudoers line, the following
+default is assumed:
+.nf
+.sp
+.RS 4n
+sudoers = files
+.RE
+.fi
.SH "FILES"
-.IX Header "FILES"
-.ie n .IP "\fI@ldap_conf@\fR" 24
-.el .IP "\fI@ldap_conf@\fR" 24
-.IX Item "@ldap_conf@"
-\&\s-1LDAP\s0 configuration file
-.ie n .IP "\fI@nsswitch_conf@\fR" 24
-.el .IP "\fI@nsswitch_conf@\fR" 24
-.IX Item "@nsswitch_conf@"
+.TP 26n
+\fI@ldap_conf@\fR
+LDAP configuration file
+.TP 26n
+\fI@nsswitch_conf@\fR
determines sudoers source order
-.ie n .IP "\fI@netsvc_conf@\fR" 24
-.el .IP "\fI@netsvc_conf@\fR" 24
-.IX Item "@netsvc_conf@"
-determines sudoers source order on \s-1AIX\s0
+.TP 26n
+\fI@netsvc_conf@\fR
+determines sudoers source order on AIX
.SH "EXAMPLES"
-.IX Header "EXAMPLES"
.SS "Example ldap.conf"
-.IX Subsection "Example ldap.conf"
-.Vb 10
-\& # Either specify one or more URIs or one or more host:port pairs.
-\& # If neither is specified sudo will default to localhost, port 389.
-\& #
-\& #host ldapserver
-\& #host ldapserver1 ldapserver2:390
-\& #
-\& # Default port if host is specified without one, defaults to 389.
-\& #port 389
-\& #
-\& # URI will override the host and port settings.
-\& uri ldap://ldapserver
-\& #uri ldaps://secureldapserver
-\& #uri ldaps://secureldapserver ldap://ldapserver
-\& #
-\& # The amount of time, in seconds, to wait while trying to connect to
-\& # an LDAP server.
-\& bind_timelimit 30
-\& #
-\& # The amount of time, in seconds, to wait while performing an LDAP query.
-\& timelimit 30
-\& #
-\& # Must be set or sudo will ignore LDAP; may be specified multiple times.
-\& sudoers_base ou=SUDOers,dc=example,dc=com
-\& #
-\& # verbose sudoers matching from ldap
-\& #sudoers_debug 2
-\& #
-\& # Enable support for time\-based entries in sudoers.
-\& #sudoers_timed yes
-\& #
-\& # optional proxy credentials
-\& #binddn <who to search as>
-\& #bindpw <password>
-\& #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
-\& #
-\& # LDAP protocol version, defaults to 3
-\& #ldap_version 3
-\& #
-\& # Define if you want to use an encrypted LDAP connection.
-\& # Typically, you must also set the port to 636 (ldaps).
-\& #ssl on
-\& #
-\& # Define if you want to use port 389 and switch to
-\& # encryption before the bind credentials are sent.
-\& # Only supported by LDAP servers that support the start_tls
-\& # extension such as OpenLDAP.
-\& #ssl start_tls
-\& #
-\& # Additional TLS options follow that allow tweaking of the
-\& # SSL/TLS connection.
-\& #
-\& #tls_checkpeer yes # verify server SSL certificate
-\& #tls_checkpeer no # ignore server SSL certificate
-\& #
-\& # If you enable tls_checkpeer, specify either tls_cacertfile
-\& # or tls_cacertdir. Only supported when using OpenLDAP.
-\& #
-\& #tls_cacertfile /etc/certs/trusted_signers.pem
-\& #tls_cacertdir /etc/certs
-\& #
-\& # For systems that don\*(Aqt have /dev/random
-\& # use this along with PRNGD or EGD.pl to seed the
-\& # random number pool to generate cryptographic session keys.
-\& # Only supported when using OpenLDAP.
-\& #
-\& #tls_randfile /etc/egd\-pool
-\& #
-\& # You may restrict which ciphers are used. Consult your SSL
-\& # documentation for which options go here.
-\& # Only supported when using OpenLDAP.
-\& #
-\& #tls_ciphers <cipher\-list>
-\& #
-\& # Sudo can provide a client certificate when communicating to
-\& # the LDAP server.
-\& # Tips:
-\& # * Enable both lines at the same time.
-\& # * Do not password protect the key file.
-\& # * Ensure the keyfile is only readable by root.
-\& #
-\& # For OpenLDAP:
-\& #tls_cert /etc/certs/client_cert.pem
-\& #tls_key /etc/certs/client_key.pem
-\& #
-\& # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
-\& # a directory, in which case the files in the directory must have the
-\& # default names (e.g. cert8.db and key4.db), or the path to the cert
-\& # and key files themselves. However, a bug in version 5.0 of the LDAP
-\& # SDK will prevent specific file names from working. For this reason
-\& # it is suggested that tls_cert and tls_key be set to a directory,
-\& # not a file name.
-\& #
-\& # The certificate database specified by tls_cert may contain CA certs
-\& # and/or the client\*(Aqs cert. If the client\*(Aqs cert is included, tls_key
-\& # should be specified as well.
-\& # For backward compatibility, "sslpath" may be used in place of tls_cert.
-\& #tls_cert /var/ldap
-\& #tls_key /var/ldap
-\& #
-\& # If using SASL authentication for LDAP (OpenSSL)
-\& # use_sasl yes
-\& # sasl_auth_id <SASL user name>
-\& # rootuse_sasl yes
-\& # rootsasl_auth_id <SASL user name for root access>
-\& # sasl_secprops none
-\& # krb5_ccname /etc/.ldapcache
-.Ve
+.nf
+.RS 2n
+# Either specify one or more URIs or one or more host:port pairs.
+# If neither is specified sudo will default to localhost, port 389.
+#
+#host ldapserver
+#host ldapserver1 ldapserver2:390
+#
+# Default port if host is specified without one, defaults to 389.
+#port 389
+#
+# URI will override the host and port settings.
+uri ldap://ldapserver
+#uri ldaps://secureldapserver
+#uri ldaps://secureldapserver ldap://ldapserver
+#
+# The amount of time, in seconds, to wait while trying to connect to
+# an LDAP server.
+bind_timelimit 30
+#
+# The amount of time, in seconds, to wait while performing an LDAP query.
+timelimit 30
+#
+# Must be set or sudo will ignore LDAP; may be specified multiple times.
+sudoers_base ou=SUDOers,dc=example,dc=com
+#
+# verbose sudoers matching from ldap
+#sudoers_debug 2
+#
+# Enable support for time-based entries in sudoers.
+#sudoers_timed yes
+#
+# optional proxy credentials
+#binddn <who to search as>
+#bindpw <password>
+#rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
+#
+# LDAP protocol version, defaults to 3
+#ldap_version 3
+#
+# Define if you want to use an encrypted LDAP connection.
+# Typically, you must also set the port to 636 (ldaps).
+#ssl on
+#
+# Define if you want to use port 389 and switch to
+# encryption before the bind credentials are sent.
+# Only supported by LDAP servers that support the start_tls
+# extension such as OpenLDAP.
+#ssl start_tls
+#
+# Additional TLS options follow that allow tweaking of the
+# SSL/TLS connection.
+#
+#tls_checkpeer yes # verify server SSL certificate
+#tls_checkpeer no # ignore server SSL certificate
+#
+# If you enable tls_checkpeer, specify either tls_cacertfile
+# or tls_cacertdir. Only supported when using OpenLDAP.
+#
+#tls_cacertfile /etc/certs/trusted_signers.pem
+#tls_cacertdir /etc/certs
+#
+# For systems that don't have /dev/random
+# use this along with PRNGD or EGD.pl to seed the
+# random number pool to generate cryptographic session keys.
+# Only supported when using OpenLDAP.
+#
+#tls_randfile /etc/egd-pool
+#
+# You may restrict which ciphers are used. Consult your SSL
+# documentation for which options go here.
+# Only supported when using OpenLDAP.
+#
+#tls_ciphers <cipher-list>
+#
+# Sudo can provide a client certificate when communicating to
+# the LDAP server.
+# Tips:
+# * Enable both lines at the same time.
+# * Do not password protect the key file.
+# * Ensure the keyfile is only readable by root.
+#
+# For OpenLDAP:
+#tls_cert /etc/certs/client_cert.pem
+#tls_key /etc/certs/client_key.pem
+#
+# For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
+# a directory, in which case the files in the directory must have the
+# default names (e.g. cert8.db and key4.db), or the path to the cert
+# and key files themselves. However, a bug in version 5.0 of the LDAP
+# SDK will prevent specific file names from working. For this reason
+# it is suggested that tls_cert and tls_key be set to a directory,
+# not a file name.
+#
+# The certificate database specified by tls_cert may contain CA certs
+# and/or the client's cert. If the client's cert is included, tls_key
+# should be specified as well.
+# For backward compatibility, "sslpath" may be used in place of tls_cert.
+#tls_cert /var/ldap
+#tls_key /var/ldap
+#
+# If using SASL authentication for LDAP (OpenSSL)
+# use_sasl yes
+# sasl_auth_id <SASL user name>
+# rootuse_sasl yes
+# rootsasl_auth_id <SASL user name for root access>
+# sasl_secprops none
+# krb5_ccname /etc/.ldapcache
+.RE
+.fi
.SS "Sudo schema for OpenLDAP"
-.IX Subsection "Sudo schema for OpenLDAP"
-The following schema, in OpenLDAP format, is included with \fBsudo\fR
-source and binary distributions as \fIschema.OpenLDAP\fR. Simply copy
-it to the schema directory (e.g. \fI/etc/openldap/schema\fR), add the
-proper \f(CW\*(C`include\*(C'\fR line in \f(CW\*(C`slapd.conf\*(C'\fR and restart \fBslapd\fR.
-.PP
-.Vb 6
-\& attributetype ( 1.3.6.1.4.1.15953.9.1.1
-\& NAME \*(AqsudoUser\*(Aq
-\& DESC \*(AqUser(s) who may run sudo\*(Aq
-\& EQUALITY caseExactIA5Match
-\& SUBSTR caseExactIA5SubstringsMatch
-\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-\&
-\& attributetype ( 1.3.6.1.4.1.15953.9.1.2
-\& NAME \*(AqsudoHost\*(Aq
-\& DESC \*(AqHost(s) who may run sudo\*(Aq
-\& EQUALITY caseExactIA5Match
-\& SUBSTR caseExactIA5SubstringsMatch
-\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-\&
-\& attributetype ( 1.3.6.1.4.1.15953.9.1.3
-\& NAME \*(AqsudoCommand\*(Aq
-\& DESC \*(AqCommand(s) to be executed by sudo\*(Aq
-\& EQUALITY caseExactIA5Match
-\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-\&
-\& attributetype ( 1.3.6.1.4.1.15953.9.1.4
-\& NAME \*(AqsudoRunAs\*(Aq
-\& DESC \*(AqUser(s) impersonated by sudo\*(Aq
-\& EQUALITY caseExactIA5Match
-\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-\&
-\& attributetype ( 1.3.6.1.4.1.15953.9.1.5
-\& NAME \*(AqsudoOption\*(Aq
-\& DESC \*(AqOptions(s) followed by sudo\*(Aq
-\& EQUALITY caseExactIA5Match
-\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-\&
-\& attributetype ( 1.3.6.1.4.1.15953.9.1.6
-\& NAME \*(AqsudoRunAsUser\*(Aq
-\& DESC \*(AqUser(s) impersonated by sudo\*(Aq
-\& EQUALITY caseExactIA5Match
-\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-\&
-\& attributetype ( 1.3.6.1.4.1.15953.9.1.7
-\& NAME \*(AqsudoRunAsGroup\*(Aq
-\& DESC \*(AqGroup(s) impersonated by sudo\*(Aq
-\& EQUALITY caseExactIA5Match
-\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-\&
-\& attributetype ( 1.3.6.1.4.1.15953.9.1.8
-\& NAME \*(AqsudoNotBefore\*(Aq
-\& DESC \*(AqStart of time interval for which the entry is valid\*(Aq
-\& EQUALITY generalizedTimeMatch
-\& ORDERING generalizedTimeOrderingMatch
-\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
-\&
-\& attributetype ( 1.3.6.1.4.1.15953.9.1.9
-\& NAME \*(AqsudoNotAfter\*(Aq
-\& DESC \*(AqEnd of time interval for which the entry is valid\*(Aq
-\& EQUALITY generalizedTimeMatch
-\& ORDERING generalizedTimeOrderingMatch
-\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
-\&
-\& attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
-\& NAME \*(AqsudoOrder\*(Aq
-\& DESC \*(Aqan integer to order the sudoRole entries\*(Aq
-\& EQUALITY integerMatch
-\& ORDERING integerOrderingMatch
-\& SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
-\&
-\& objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME \*(AqsudoRole\*(Aq SUP top STRUCTURAL
-\& DESC \*(AqSudoer Entries\*(Aq
-\& MUST ( cn )
-\& MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
-\& sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
-\& sudoOrder $ description )
-\& )
-.Ve
+The following schema, in OpenLDAP format, is included with
+\fBsudo\fR
+source and binary distributions as
+\fIschema.OpenLDAP\fR.
+Simply copy
+it to the schema directory (e.g.\&
+\fI/etc/openldap/schema\fR),
+add the proper
+\fRinclude\fR
+line in
+\fIslapd.conf\fR
+and restart
+\fBslapd\fR.
+.nf
+.sp
+.RS 2n
+attributetype ( 1.3.6.1.4.1.15953.9.1.1
+ NAME 'sudoUser'
+ DESC 'User(s) who may run sudo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.2
+ NAME 'sudoHost'
+ DESC 'Host(s) who may run sudo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.3
+ NAME 'sudoCommand'
+ DESC 'Command(s) to be executed by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.4
+ NAME 'sudoRunAs'
+ DESC 'User(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.5
+ NAME 'sudoOption'
+ DESC 'Options(s) followed by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.6
+ NAME 'sudoRunAsUser'
+ DESC 'User(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.7
+ NAME 'sudoRunAsGroup'
+ DESC 'Group(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.8
+ NAME 'sudoNotBefore'
+ DESC 'Start of time interval for which the entry is valid'
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.9
+ NAME 'sudoNotAfter'
+ DESC 'End of time interval for which the entry is valid'
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+
+attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
+ NAME 'sudoOrder'
+ DESC 'an integer to order the sudoRole entries'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+
+objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
+ DESC 'Sudoer Entries'
+ MUST ( cn )
+ MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
+ sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
+ sudoOrder $ description )
+ )
+.RE
+.fi
.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-\&\fIldap.conf\fR\|(@mansectform@), \fIsudoers\fR\|(5)
+ldap.conf(@mansectsu@),
+sudoers(@mansectsu@)
.SH "CAVEATS"
-.IX Header "CAVEATS"
-Note that there are differences in the way that LDAP-based \fIsudoers\fR
-is parsed compared to file-based \fIsudoers\fR. See the \*(L"Differences
-between \s-1LDAP\s0 and non-LDAP sudoers\*(R" section for more information.
+Note that there are differences in the way that LDAP-based
+\fIsudoers\fR
+is parsed compared to file-based
+\fIsudoers\fR.
+See the
+\fIDifferences between LDAP and non-LDAP sudoers\fR
+section for more information.
.SH "BUGS"
-.IX Header "BUGS"
-If you feel you have found a bug in \fBsudo\fR, please submit a bug report
-at http://www.sudo.ws/sudo/bugs/
+If you feel you have found a bug in
+\fBsudo\fR,
+please submit a bug report at http://www.sudo.ws/sudo/bugs/
.SH "SUPPORT"
-.IX Header "SUPPORT"
Limited free support is available via the sudo-users mailing list,
-see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
+see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.SH "DISCLAIMER"
-.IX Header "DISCLAIMER"
-\&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
-including, but not limited to, the implied warranties of merchantability
-and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
-file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
-for complete details.
+\fBsudo\fR
+is provided
+``AS IS''
+and any express or implied warranties, including, but not limited
+to, the implied warranties of merchantability and fitness for a
+particular purpose are disclaimed.
+See the LICENSE file distributed with
+\fBsudo\fR
+or http://www.sudo.ws/sudo/license.html for complete details.
--- /dev/null
+.\"
+.\" Copyright (c) 2003-2012 Todd C. Miller <Todd.Miller@courtesan.com>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd July 12, 2012
+.Dt SUDOERS.LDAP @mansectsu@
+.Os Sudo @PACKAGE_VERSION@
+.Sh NAME
+.Nm sudoers.ldap
+.Nd sudo LDAP configuration
+.Sh DESCRIPTION
+In addition to the standard
+.Em sudoers
+file,
+.Nm sudo
+may be configured
+via LDAP.
+This can be especially useful for synchronizing
+.Em sudoers
+in a large, distributed environment.
+.Pp
+Using LDAP for
+.Em sudoers
+has several benefits:
+.Bl -bullet
+.It
+.Nm sudo
+no longer needs to read
+.Em sudoers
+in its entirety.
+When LDAP is used, there are only two or three LDAP queries per invocation.
+This makes it especially fast and particularly usable in LDAP environments.
+.It
+.Nm sudo
+no longer exits if there is a typo in
+.Em sudoers .
+It is not possible to load LDAP data into the server that does
+not conform to the sudoers schema, so proper syntax is guaranteed.
+It is still possible to have typos in a user or host name, but
+this will not prevent
+.Nm sudo
+from running.
+.It
+It is possible to specify per-entry options that override the global
+default options.
+.Pa @sysconfdir@/sudoers
+only supports default options and limited options associated with
+user/host/commands/aliases.
+The syntax is complicated and can be difficult for users to understand.
+Placing the options directly in the entry is more natural.
+.It
+The
+.Nm visudo
+program is no longer needed.
+.Nm visudo
+provides locking and syntax checking of the
+.Pa @sysconfdir@/sudoers
+file.
+Since LDAP updates are atomic, locking is no longer necessary.
+Because syntax is checked when the data is inserted into LDAP, there
+is no need for a specialized tool to check syntax.
+.El
+.Pp
+Another major difference between LDAP and file-based
+.Em sudoers
+is that in LDAP,
+.Nm sudo Ns No -specific
+Aliases are not supported.
+.Pp
+For the most part, there is really no need for
+.Nm sudo Ns No -specific
+Aliases.
+Unix groups or user netgroups can be used in place of User_Aliases and
+Runas_Aliases.
+Host netgroups can be used in place of Host_Aliases.
+Since Unix groups and netgroups can also be stored in LDAP there is no
+real need for
+.Nm sudo Ns No -specific
+aliases.
+.Pp
+Cmnd_Aliases are not really required either since it is possible
+to have multiple users listed in a
+.Li sudoRole .
+Instead of defining a Cmnd_Alias that is referenced by multiple users,
+one can create a
+.Li sudoRole
+that contains the commands and assign multiple users to it.
+.Ss SUDOers LDAP container
+The
+.Em sudoers
+configuration is contained in the
+.Li ou=SUDOers
+LDAP container.
+.Pp
+Sudo first looks for the
+.Li cn=default
+entry in the SUDOers container.
+If found, the multi-valued
+.Li sudoOption
+attribute is parsed in the same manner as a global
+.Li Defaults
+line in
+.Pa @sysconfdir@/sudoers .
+In the following example, the
+.Ev SSH_AUTH_SOCK
+variable will be preserved in the environment for all users.
+.Bd -literal -offset 4n
+dn: cn=defaults,ou=SUDOers,dc=example,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: defaults
+description: Default sudoOption's go here
+sudoOption: env_keep+=SSH_AUTH_SOCK
+.Ed
+.Pp
+The equivalent of a sudoer in LDAP is a
+.Li sudoRole .
+It consists of the following attributes:
+.Bl -tag -width 4n
+.It Sy sudoUser
+A user name, user ID (prefixed with
+.Ql # ) ,
+Unix group (prefixed with
+.Ql % ) ,
+Unix group ID (prefixed with
+.Ql %# ) ,
+or user netgroup (prefixed with
+.Ql + ) .
+.It Sy sudoHost
+A host name, IP address, IP network, or host netgroup (prefixed with a
+.Ql + ) .
+The special value
+.Li ALL
+will match any host.
+.It Sy sudoCommand
+A Unix command with optional command line arguments, potentially
+including globbing characters (aka wild cards).
+The special value
+.Li ALL
+will match any command.
+If a command is prefixed with an exclamation point
+.Ql \&! ,
+the user will be prohibited from running that command.
+.It Sy sudoOption
+Identical in function to the global options described above, but
+specific to the
+.Li sudoRole
+in which it resides.
+.It Sy sudoRunAsUser
+A user name or uid (prefixed with
+.Ql # )
+that commands may be run as or a Unix group (prefixed with a
+.Ql % )
+or user netgroup (prefixed with a
+.Ql + )
+that contains a list of users that commands may be run as.
+The special value
+.Li ALL
+will match any user.
+.Pp
+The
+.Li sudoRunAsUser
+attribute is only available in
+.Nm sudo
+versions
+1.7.0 and higher.
+Older versions of
+.Nm sudo
+use the
+.Li sudoRunAs
+attribute instead.
+.It Sy sudoRunAsGroup
+A Unix group or gid (prefixed with
+.Ql # )
+that commands may be run as.
+The special value
+.Li ALL
+will match any group.
+.Pp
+The
+.Li sudoRunAsGroup
+attribute is only available in
+.Nm sudo
+versions
+1.7.0 and higher.
+.It Sy sudoNotBefore
+A timestamp in the form
+.Li yyyymmddHHMMSSZ
+that can be used to provide a start date/time for when the
+.Li sudoRole
+will be valid.
+If multiple
+.Li sudoNotBefore
+entries are present, the earliest is used.
+Note that timestamps must be in Coordinated Universal Time (UTC),
+not the local timezone.
+The minute and seconds portions are optional, but some LDAP servers
+require that they be present (contrary to the RFC).
+.Pp
+The
+.Li sudoNotBefore
+attribute is only available in
+.Nm sudo
+versions 1.7.5 and higher and must be explicitly enabled via the
+.Sy SUDOERS_TIMED
+option in
+.Pa @ldap_conf@ .
+.It Sy sudoNotAfter
+A timestamp in the form
+.Li yyyymmddHHMMSSZ
+that indicates an expiration date/time, after which the
+.Li sudoRole
+will no longer be valid.
+If multiple
+.Li sudoNotBefore
+entries are present, the last one is used.
+Note that timestamps must be in Coordinated Universal Time (UTC),
+not the local timezone.
+The minute and seconds portions are optional, but some LDAP servers
+require that they be present (contrary to the RFC).
+.Pp
+The
+.Li sudoNotAfter
+attribute is only available in
+.Nm sudo
+versions
+1.7.5 and higher and must be explicitly enabled via the
+.Sy SUDOERS_TIMED
+option in
+.Pa @ldap_conf@ .
+.It Sy sudoOrder
+The
+.Li sudoRole
+entries retrieved from the LDAP directory have no inherent order.
+The
+.Li sudoOrder
+attribute is an integer (or floating point value for LDAP servers
+that support it) that is used to sort the matching entries.
+This allows LDAP-based sudoers entries to more closely mimic the behaviour
+of the sudoers file, where the of the entries influences the result.
+If multiple entries match, the entry with the highest
+.Li sudoOrder
+attribute is chosen.
+This corresponds to the
+.Dq last match
+behavior of the sudoers file.
+If the
+.Li sudoOrder
+attribute is not present, a value of 0 is assumed.
+.Pp
+The
+.Li sudoOrder
+attribute is only available in
+.Nm sudo
+versions 1.7.5 and higher.
+.El
+.Pp
+Each attribute listed above should contain a single value, but there
+may be multiple instances of each attribute type.
+A
+.Li sudoRole
+must contain at least one
+.Li sudoUser ,
+.Li sudoHost
+and
+.Li sudoCommand .
+.Pp
+The following example allows users in group wheel to run any command
+on any host via
+.Nm sudo :
+.Bd -literal -offset 4n
+dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
+objectClass: top
+objectClass: sudoRole
+cn: %wheel
+sudoUser: %wheel
+sudoHost: ALL
+sudoCommand: ALL
+.Ed
+.Ss Anatomy of LDAP sudoers lookup
+When looking up a sudoer using LDAP there are only two or three
+LDAP queries per invocation.
+The first query is to parse the global options.
+The second is to match against the user's name and the groups that
+the user belongs to.
+(The special
+.Li ALL
+tag is matched in this query too.)
+If no match is returned for the user's name and groups, a third
+query returns all entries containing user netgroups and checks
+to see if the user belongs to any of them.
+.Pp
+If timed entries are enabled with the
+.Sy SUDOERS_TIMED
+configuration directive, the LDAP queries include a subfilter that
+limits retrieval to entries that satisfy the time constraints, if any.
+.Ss Differences between LDAP and non-LDAP sudoers
+There are some subtle differences in the way sudoers is handled
+once in LDAP.
+Probably the biggest is that according to the RFC, LDAP ordering
+is arbitrary and you cannot expect that Attributes and Entries are
+returned in any specific order.
+.Pp
+The order in which different entries are applied can be controlled
+using the
+.Li sudoOrder
+attribute, but there is no way to guarantee the order of attributes
+within a specific entry.
+If there are conflicting command rules in an entry, the negative
+takes precedence.
+This is called paranoid behavior (not necessarily the most specific
+match).
+.Pp
+Here is an example:
+.Bd -literal -offset 4n
+# /etc/sudoers:
+# Allow all commands except shell
+johnny ALL=(root) ALL,!/bin/sh
+# Always allows all commands because ALL is matched last
+puddles ALL=(root) !/bin/sh,ALL
+
+# LDAP equivalent of johnny
+# Allows all commands except shell
+dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
+objectClass: sudoRole
+objectClass: top
+cn: role1
+sudoUser: johnny
+sudoHost: ALL
+sudoCommand: ALL
+sudoCommand: !/bin/sh
+
+# LDAP equivalent of puddles
+# Notice that even though ALL comes last, it still behaves like
+# role1 since the LDAP code assumes the more paranoid configuration
+dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
+objectClass: sudoRole
+objectClass: top
+cn: role2
+sudoUser: puddles
+sudoHost: ALL
+sudoCommand: !/bin/sh
+sudoCommand: ALL
+.Ed
+.Pp
+Another difference is that negations on the Host, User or Runas are
+currently ignored.
+For example, the following attributes do not behave the way one might expect.
+.Bd -literal -offset 4n
+# does not match all but joe
+# rather, does not match anyone
+sudoUser: !joe
+
+# does not match all but joe
+# rather, matches everyone including Joe
+sudoUser: ALL
+sudoUser: !joe
+
+# does not match all but web01
+# rather, matches all hosts including web01
+sudoHost: ALL
+sudoHost: !web01
+.Ed
+.Ss Sudoers Schema
+In order to use
+.Nm sudo Ns No 's
+LDAP support, the
+.Nm sudo
+schema must be
+installed on your LDAP server.
+In addition, be sure to index the
+.Li sudoUser
+attribute.
+.Pp
+Three versions of the schema: one for OpenLDAP servers
+.Pq Pa schema.OpenLDAP ,
+one for Netscape-derived servers
+.Pq Pa schema.iPlanet ,
+and one for Microsoft Active Directory
+.Pq Pa schema.ActiveDirectory
+may be found in the
+.Nm sudo
+distribution.
+.Pp
+The schema for
+.Nm sudo
+in OpenLDAP form is also included in the
+.Sx EXAMPLES
+section.
+.Ss Configuring ldap.conf
+Sudo reads the
+.Pa @ldap_conf@
+file for LDAP-specific configuration.
+Typically, this file is shared amongst different LDAP-aware clients.
+As such, most of the settings are not
+.Nm sudo Ns No -specific.
+Note that
+.Nm sudo
+parses
+.Pa @ldap_conf@
+itself and may support options that differ from those described in the
+system's
+.Xr ldap.conf @mansectsu@
+manual.
+.Pp
+Also note that on systems using the OpenLDAP libraries, default
+values specified in
+.Pa /etc/openldap/ldap.conf
+or the user's
+.Pa .ldaprc
+files are not used.
+.Pp
+Only those options explicitly listed in
+.Pa @ldap_conf@
+as being supported by
+.Nm sudo
+are honored.
+Configuration options are listed below in upper case but are parsed
+in a case-independent manner.
+.Bl -tag -width 4n
+.It Sy URI Ar ldap[s]://[hostname[:port]] ...
+Specifies a whitespace-delimited list of one or more URIs describing
+the LDAP server(s) to connect to.
+The
+.Em protocol
+may be either
+.Em ldap
+.Em ldaps ,
+the latter being for servers that support TLS (SSL) encryption.
+If no
+.Em port
+is specified, the default is port 389 for
+.Li ldap://
+or port 636 for
+.Li ldaps:// .
+If no
+.Em hostname
+is specified,
+.Nm sudo
+will connect to
+.Em localhost .
+Multiple
+.Sy URI
+lines are treated identically to a
+.Sy URI
+line containing multiple entries.
+Only systems using the OpenSSL libraries support the mixing of
+.Li ldap://
+and
+.Li ldaps://
+URIs.
+Both the Netscape-derived and Tivoli LDAP libraries used on most commercial
+versions of Unix are only capable of supporting one or the other.
+.It Sy HOST Ar name[:port] ...
+If no
+.Sy URI
+is specified, the
+.Sy HOST
+parameter specifies a whitespace-delimited list of LDAP servers to connect to.
+Each host may include an optional
+.Em port
+separated by a colon
+.Pq Ql :\& .
+The
+.Sy HOST
+parameter is deprecated in favor of the
+.Sy URI
+specification and is included for backwards compatibility.
+.It Sy PORT Ar port_number
+If no
+.Sy URI
+is specified, the
+.Sy PORT
+parameter specifies the default port to connect to on the LDAP server if a
+.Sy HOST
+parameter does not specify the port itself.
+If no
+.Sy PORT
+parameter is used, the default is port 389 for LDAP and port 636 for LDAP
+over TLS (SSL).
+The
+.Sy PORT
+parameter is deprecated in favor of the
+.Sy URI
+specification and is included for backwards compatibility.
+.It Sy BIND_TIMELIMIT Ar seconds
+The
+.Sy BIND_TIMELIMIT
+parameter specifies the amount of time, in seconds, to wait while trying
+to connect to an LDAP server.
+If multiple
+.Sy URI Ns No s
+or
+.Sy HOST Ns No s
+are specified, this is the amount of time to wait before trying
+the next one in the list.
+.It Sy NETWORK_TIMEOUT Ar seconds
+An alias for
+.Sy BIND_TIMELIMIT
+for OpenLDAP compatibility.
+.It Sy TIMELIMIT Ar seconds
+The
+.Sy TIMELIMIT
+parameter specifies the amount of time, in seconds, to wait for a
+response to an LDAP query.
+.It Sy TIMEOUT Ar seconds
+The
+.Sy TIMEOUT
+parameter specifies the amount of time, in seconds, to wait for a
+response from the various LDAP APIs.
+.It Sy SUDOERS_BASE Ar base
+The base DN to use when performing
+.Nm sudo
+LDAP queries.
+Typically this is of the form
+.Li ou=SUDOers,dc=example,dc=com
+for the domain
+.Li example.com .
+Multiple
+.Sy SUDOERS_BASE
+lines may be specified, in which case they are queried in the order specified.
+.It Sy SUDOERS_SEARCH_FILTER Ar ldap_filter
+An LDAP filter which is used to restrict the set of records returned
+when performing a
+.Nm sudo
+LDAP query.
+Typically, this is of the
+form
+.Li attribute=value
+or
+.Li (&(attribute=value)(attribute2=value2)) .
+.It Sy SUDOERS_TIMED Ar on/true/yes/off/false/no
+Whether or not to evaluate the
+.Li sudoNotBefore
+and
+.Li sudoNotAfter
+attributes that implement time-dependent sudoers entries.
+.It Sy SUDOERS_DEBUG Ar debug_level
+This sets the debug level for
+.Nm sudo
+LDAP queries.
+Debugging information is printed to the standard error.
+A value of 1 results in a moderate amount of debugging information.
+A value of 2 shows the results of the matches themselves.
+This parameter should not be set in a production environment as the
+extra information is likely to confuse users.
+.It Sy BINDDN Ar DN
+The
+.Sy BINDDN
+parameter specifies the identity, in the form of a Distinguished Name (DN),
+to use when performing LDAP operations.
+If not specified, LDAP operations are performed with an anonymous identity.
+By default, most LDAP servers will allow anonymous access.
+.It Sy BINDPW Ar secret
+The
+.Sy BINDPW
+parameter specifies the password to use when performing LDAP operations.
+This is typically used in conjunction with the
+.Sy BINDDN
+parameter.
+.It Sy ROOTBINDDN Ar DN
+The
+.Sy ROOTBINDDN
+parameter specifies the identity, in the form of a Distinguished Name (DN),
+to use when performing privileged LDAP operations, such as
+.Em sudoers
+queries.
+The password corresponding
+to the identity should be stored in
+.Pa @ldap_secret@ .
+If not specified, the
+.Sy BINDDN
+identity is used (if any).
+.It Sy LDAP_VERSION Ar number
+The version of the LDAP protocol to use when connecting to the server.
+The default value is protocol version 3.
+.It Sy SSL Ar on/true/yes/off/false/no
+If the
+.Sy SSL
+parameter is set to
+.Li on ,
+.Li true
+.Li or
+.Li yes ,
+TLS (SSL) encryption is always used when communicating with the LDAP server.
+Typically, this involves connecting to the server on port 636 (ldaps).
+.It Sy SSL Ar start_tls
+If the
+.Sy SSL
+parameter is set to
+.Li start_tls ,
+the LDAP server connection is initiated normally and TLS encryption is
+begun before the bind credentials are sent.
+This has the advantage of not requiring a dedicated port for encrypted
+communications.
+This parameter is only supported by LDAP servers that honor the
+.Em start_tls
+extension, such as the OpenLDAP and Tivoli Directory servers.
+.It Sy TLS_CHECKPEER Ar on/true/yes/off/false/no
+If enabled,
+.Sy TLS_CHECKPEER
+will cause the LDAP server's TLS certificated to be verified.
+If the server's TLS certificate cannot be verified (usually because it
+is signed by an unknown certificate authority),
+.Nm sudo
+will be unable to connect to it.
+If
+.Sy TLS_CHECKPEER
+is disabled, no check is made.
+Note that disabling the check creates an opportunity for man-in-the-middle
+attacks since the server's identity will not be authenticated.
+If possible, the CA's certificate should be installed locally so it can
+be verified.
+This option is not supported by the Tivoli Directory Server LDAP libraries.
+.It Sy TLS_CACERT Ar file name
+An alias for
+.Sy TLS_CACERTFILE
+for OpenLDAP compatibility.
+.It Sy TLS_CACERTFILE Ar file name
+The path to a certificate authority bundle which contains the certificates
+for all the Certificate Authorities the client knows to be valid, e.g.\&
+.Pa /etc/ssl/ca-bundle.pem .
+This option is only supported by the OpenLDAP libraries.
+Netscape-derived LDAP libraries use the same certificate
+database for CA and client certificates (see
+.Sy TLS_CERT ) .
+.It Sy TLS_CACERTDIR Ar directory
+Similar to
+.Sy TLS_CACERTFILE
+but instead of a file, it is a directory containing individual
+Certificate Authority certificates, e.g.\&
+.Pa /etc/ssl/certs .
+The directory specified by
+.Sy TLS_CACERTDIR
+is checked after
+.Sy TLS_CACERTFILE .
+This option is only supported by the OpenLDAP libraries.
+.It Sy TLS_CERT Ar file name
+The path to a file containing the client certificate which can
+be used to authenticate the client to the LDAP server.
+The certificate type depends on the LDAP libraries used.
+.Bl -tag -width 4n
+.It OpenLDAP:
+.Li tls_cert /etc/ssl/client_cert.pem
+.It Netscape-derived:
+.Li tls_cert /var/ldap/cert7.db
+.It Tivoli Directory Server:
+Unused, the key database specified by
+.Sy TLS_KEY
+contains both keys and certificates.
+.Pp
+When using Netscape-derived libraries, this file may also contain
+Certificate Authority certificates.
+.El
+.It Sy TLS_KEY Ar file name
+The path to a file containing the private key which matches the
+certificate specified by
+.Sy TLS_CERT .
+The private key must not be password-protected.
+The key type depends on the LDAP libraries used.
+.Bl -tag -width 4n
+.It OpenLDAP:
+.Li tls_key /etc/ssl/client_key.pem
+.It Netscape-derived:
+.Li tls_key /var/ldap/key3.db
+.It Tivoli Directory Server:
+.Li tls_cert /usr/ldap/ldapkey.kdb
+.El
+When using Tivoli LDAP libraries, this file may also contain
+Certificate Authority and client certificates and may be encrypted.
+.It Sy TLS_KEYPW Ar secret
+The
+.Sy TLS_KEYPW
+contains the password used to decrypt the key database on clients
+using the Tivoli Directory Server LDAP library.
+If no
+.Sy TLS_KEYPW
+is specified, a
+.Em stash file
+will be used if it exists.
+The
+.Em stash file
+must have the same path as the file specified by
+.Sy TLS_KEY ,
+but use a
+.Li .sth
+file extension instead of
+.Li .kdb ,
+e.g.\&
+.Li ldapkey.sth .
+The default
+.Li ldapkey.kdb
+that ships with Tivoli Directory Server is encrypted with the password
+.Li ssl_password .
+This option is only supported by the Tivoli LDAP libraries.
+.It Sy TLS_RANDFILE Ar file name
+The
+.Sy TLS_RANDFILE
+parameter specifies the path to an entropy source for systems that lack
+a random device.
+It is generally used in conjunction with
+.Em prngd
+or
+.Em egd .
+This option is only supported by the OpenLDAP libraries.
+.It Sy TLS_CIPHERS Ar cipher list
+The
+.Sy TLS_CIPHERS
+parameter allows the administer to restrict which encryption algorithms
+may be used for TLS (SSL) connections.
+See the OpenLDAP or Tivoli Directory Server manual for a list of valid
+ciphers.
+This option is not supported by Netscape-derived libraries.
+.It Sy USE_SASL Ar on/true/yes/off/false/no
+Enable
+.Sy USE_SASL
+for LDAP servers that support SASL authentication.
+.It Sy SASL_AUTH_ID Ar identity
+The SASL user name to use when connecting to the LDAP server.
+By default,
+.Nm sudo
+will use an anonymous connection.
+.It Sy ROOTUSE_SASL Ar on/true/yes/off/false/no
+Enable
+.Sy ROOTUSE_SASL
+to enable SASL authentication when connecting
+to an LDAP server from a privileged process, such as
+.Nm sudo .
+.It Sy ROOTSASL_AUTH_ID Ar identity
+The SASL user name to use when
+.Sy ROOTUSE_SASL
+is enabled.
+.It Sy SASL_SECPROPS Ar none/properties
+SASL security properties or
+.Em none
+for no properties.
+See the SASL programmer's manual for details.
+.It Sy KRB5_CCNAME Ar file name
+The path to the Kerberos 5 credential cache to use when authenticating
+with the remote server.
+.It Sy DEREF Ar never/searching/finding/always
+How alias dereferencing is to be performed when searching.
+See the
+.Xr ldap.conf @mansectsu@
+manual for a full description of this option.
+.El
+.Pp
+See the
+.Pa ldap.conf
+entry in the
+.Sx EXAMPLES
+section.
+.Ss Configuring nsswitch.conf
+Unless it is disabled at build time,
+.Nm sudo
+consults the Name Service Switch file,
+.Pa @nsswitch_conf@ ,
+to specify the
+.Em sudoers
+search order.
+Sudo looks for a line beginning with
+.Li sudoers :
+and uses this to determine the search order.
+Note that
+.Nm sudo
+does
+not stop searching after the first match and later matches take
+precedence over earlier ones.
+The following sources are recognized:
+.Pp
+.Bl -tag -width 8n -offset 4n -compact
+.It files
+read sudoers from
+.Pa @sysconfdir@/sudoers
+.It ldap
+read sudoers from LDAP
+.El
+.Pp
+In addition, the entry
+.Li [NOTFOUND=return]
+will short-circuit the search if the user was not found in the
+preceding source.
+.Pp
+To consult LDAP first followed by the local sudoers file (if it
+exists), use:
+.Bd -literal -offset 4n
+sudoers: ldap files
+.Ed
+.Pp
+The local
+.Em sudoers
+file can be ignored completely by using:
+.Bd -literal -offset 4n
+sudoers: ldap
+.Ed
+.Pp
+If the
+.Pa @nsswitch_conf@
+file is not present or there is no sudoers line, the following
+default is assumed:
+.Bd -literal -offset 4n
+sudoers: files
+.Ed
+.Pp
+Note that
+.Pa @nsswitch_conf@
+is supported even when the underlying operating system does not use
+an nsswitch.conf file, except on AIX (see below).
+.Ss Configuring netsvc.conf
+On AIX systems, the
+.Pa @netsvc_conf@
+file is consulted instead of
+.Pa @nsswitch_conf@ .
+.Nm sudo
+simply treats
+.Pa netsvc.conf
+as a variant of
+.Pa nsswitch.conf ;
+information in the previous section unrelated to the file format
+itself still applies.
+.Pp
+To consult LDAP first followed by the local sudoers file (if it
+exists), use:
+.Bd -literal -offset 4n
+sudoers = ldap, files
+.Ed
+.Pp
+The local
+.Em sudoers
+file can be ignored completely by using:
+.Bd -literal -offset 4n
+sudoers = ldap
+.Ed
+.Pp
+To treat LDAP as authoratative and only use the local sudoers file
+if the user is not present in LDAP, use:
+.Bd -literal -offset 4n
+sudoers = ldap = auth, files
+.Ed
+.Pp
+Note that in the above example, the
+.Li auth
+qualfier only affects user lookups; both LDAP and
+.Em sudoers
+will be queried for
+.Li Defaults
+entries.
+.Pp
+If the
+.Pa @netsvc_conf@
+file is not present or there is no sudoers line, the following
+default is assumed:
+.Bd -literal -offset 4n
+sudoers = files
+.Ed
+.Sh FILES
+.Bl -tag -width 24n
+.It Pa @ldap_conf@
+LDAP configuration file
+.It Pa @nsswitch_conf@
+determines sudoers source order
+.It Pa @netsvc_conf@
+determines sudoers source order on AIX
+.El
+.Sh EXAMPLES
+.Ss Example ldap.conf
+.Bd -literal -offset 2n
+# Either specify one or more URIs or one or more host:port pairs.
+# If neither is specified sudo will default to localhost, port 389.
+#
+#host ldapserver
+#host ldapserver1 ldapserver2:390
+#
+# Default port if host is specified without one, defaults to 389.
+#port 389
+#
+# URI will override the host and port settings.
+uri ldap://ldapserver
+#uri ldaps://secureldapserver
+#uri ldaps://secureldapserver ldap://ldapserver
+#
+# The amount of time, in seconds, to wait while trying to connect to
+# an LDAP server.
+bind_timelimit 30
+#
+# The amount of time, in seconds, to wait while performing an LDAP query.
+timelimit 30
+#
+# Must be set or sudo will ignore LDAP; may be specified multiple times.
+sudoers_base ou=SUDOers,dc=example,dc=com
+#
+# verbose sudoers matching from ldap
+#sudoers_debug 2
+#
+# Enable support for time-based entries in sudoers.
+#sudoers_timed yes
+#
+# optional proxy credentials
+#binddn <who to search as>
+#bindpw <password>
+#rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
+#
+# LDAP protocol version, defaults to 3
+#ldap_version 3
+#
+# Define if you want to use an encrypted LDAP connection.
+# Typically, you must also set the port to 636 (ldaps).
+#ssl on
+#
+# Define if you want to use port 389 and switch to
+# encryption before the bind credentials are sent.
+# Only supported by LDAP servers that support the start_tls
+# extension such as OpenLDAP.
+#ssl start_tls
+#
+# Additional TLS options follow that allow tweaking of the
+# SSL/TLS connection.
+#
+#tls_checkpeer yes # verify server SSL certificate
+#tls_checkpeer no # ignore server SSL certificate
+#
+# If you enable tls_checkpeer, specify either tls_cacertfile
+# or tls_cacertdir. Only supported when using OpenLDAP.
+#
+#tls_cacertfile /etc/certs/trusted_signers.pem
+#tls_cacertdir /etc/certs
+#
+# For systems that don't have /dev/random
+# use this along with PRNGD or EGD.pl to seed the
+# random number pool to generate cryptographic session keys.
+# Only supported when using OpenLDAP.
+#
+#tls_randfile /etc/egd-pool
+#
+# You may restrict which ciphers are used. Consult your SSL
+# documentation for which options go here.
+# Only supported when using OpenLDAP.
+#
+#tls_ciphers <cipher-list>
+#
+# Sudo can provide a client certificate when communicating to
+# the LDAP server.
+# Tips:
+# * Enable both lines at the same time.
+# * Do not password protect the key file.
+# * Ensure the keyfile is only readable by root.
+#
+# For OpenLDAP:
+#tls_cert /etc/certs/client_cert.pem
+#tls_key /etc/certs/client_key.pem
+#
+# For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
+# a directory, in which case the files in the directory must have the
+# default names (e.g. cert8.db and key4.db), or the path to the cert
+# and key files themselves. However, a bug in version 5.0 of the LDAP
+# SDK will prevent specific file names from working. For this reason
+# it is suggested that tls_cert and tls_key be set to a directory,
+# not a file name.
+#
+# The certificate database specified by tls_cert may contain CA certs
+# and/or the client's cert. If the client's cert is included, tls_key
+# should be specified as well.
+# For backward compatibility, "sslpath" may be used in place of tls_cert.
+#tls_cert /var/ldap
+#tls_key /var/ldap
+#
+# If using SASL authentication for LDAP (OpenSSL)
+# use_sasl yes
+# sasl_auth_id <SASL user name>
+# rootuse_sasl yes
+# rootsasl_auth_id <SASL user name for root access>
+# sasl_secprops none
+# krb5_ccname /etc/.ldapcache
+.Ed
+.Ss Sudo schema for OpenLDAP
+The following schema, in OpenLDAP format, is included with
+.Nm sudo
+source and binary distributions as
+.Pa schema.OpenLDAP .
+Simply copy
+it to the schema directory (e.g.\&
+.Pa /etc/openldap/schema ) ,
+add the proper
+.Li include
+line in
+.Pa slapd.conf
+and restart
+.Nm slapd .
+.Bd -literal -offset 2n
+attributetype ( 1.3.6.1.4.1.15953.9.1.1
+ NAME 'sudoUser'
+ DESC 'User(s) who may run sudo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.2
+ NAME 'sudoHost'
+ DESC 'Host(s) who may run sudo'
+ EQUALITY caseExactIA5Match
+ SUBSTR caseExactIA5SubstringsMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.3
+ NAME 'sudoCommand'
+ DESC 'Command(s) to be executed by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.4
+ NAME 'sudoRunAs'
+ DESC 'User(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.5
+ NAME 'sudoOption'
+ DESC 'Options(s) followed by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.6
+ NAME 'sudoRunAsUser'
+ DESC 'User(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.7
+ NAME 'sudoRunAsGroup'
+ DESC 'Group(s) impersonated by sudo'
+ EQUALITY caseExactIA5Match
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.8
+ NAME 'sudoNotBefore'
+ DESC 'Start of time interval for which the entry is valid'
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+
+attributetype ( 1.3.6.1.4.1.15953.9.1.9
+ NAME 'sudoNotAfter'
+ DESC 'End of time interval for which the entry is valid'
+ EQUALITY generalizedTimeMatch
+ ORDERING generalizedTimeOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
+
+attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
+ NAME 'sudoOrder'
+ DESC 'an integer to order the sudoRole entries'
+ EQUALITY integerMatch
+ ORDERING integerOrderingMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
+
+objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
+ DESC 'Sudoer Entries'
+ MUST ( cn )
+ MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
+ sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
+ sudoOrder $ description )
+ )
+.Ed
+.Sh SEE ALSO
+.Xr ldap.conf @mansectsu@ ,
+.Xr sudoers @mansectsu@
+.Sh CAVEATS
+Note that there are differences in the way that LDAP-based
+.Em sudoers
+is parsed compared to file-based
+.Em sudoers .
+See the
+.Sx Differences between LDAP and non-LDAP sudoers
+section for more information.
+.Sh BUGS
+If you feel you have found a bug in
+.Nm sudo ,
+please submit a bug report at http://www.sudo.ws/sudo/bugs/
+.Sh SUPPORT
+Limited free support is available via the sudo-users mailing list,
+see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
+search the archives.
+.Sh DISCLAIMER
+.Nm sudo
+is provided
+.Dq AS IS
+and any express or implied warranties, including, but not limited
+to, the implied warranties of merchantability and fitness for a
+particular purpose are disclaimed.
+See the LICENSE file distributed with
+.Nm sudo
+or http://www.sudo.ws/sudo/license.html for complete details.
+++ /dev/null
-Copyright (c) 2003-2012
- Todd C. Miller <Todd.Miller@courtesan.com>
-
-Permission to use, copy, modify, and distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-=pod
-
-=head1 NAME
-
-sudoers.ldap - sudo LDAP configuration
-
-=head1 DESCRIPTION
-
-In addition to the standard I<sudoers> file, B<sudo> may be configured
-via LDAP. This can be especially useful for synchronizing I<sudoers>
-in a large, distributed environment.
-
-Using LDAP for I<sudoers> has several benefits:
-
-=over 4
-
-=item *
-
-B<sudo> no longer needs to read I<sudoers> in its entirety. When
-LDAP is used, there are only two or three LDAP queries per invocation.
-This makes it especially fast and particularly usable in LDAP
-environments.
-
-=item *
-
-B<sudo> no longer exits if there is a typo in I<sudoers>.
-It is not possible to load LDAP data into the server that does
-not conform to the sudoers schema, so proper syntax is guaranteed.
-It is still possible to have typos in a user or host name, but
-this will not prevent B<sudo> from running.
-
-=item *
-
-It is possible to specify per-entry options that override the global
-default options. F<@sysconfdir@/sudoers> only supports default options and
-limited options associated with user/host/commands/aliases. The
-syntax is complicated and can be difficult for users to understand.
-Placing the options directly in the entry is more natural.
-
-=item *
-
-The B<visudo> program is no longer needed. B<visudo> provides
-locking and syntax checking of the F<@sysconfdir@/sudoers> file.
-Since LDAP updates are atomic, locking is no longer necessary.
-Because syntax is checked when the data is inserted into LDAP, there
-is no need for a specialized tool to check syntax.
-
-=back
-
-Another major difference between LDAP and file-based I<sudoers>
-is that in LDAP, B<sudo>-specific Aliases are not supported.
-
-For the most part, there is really no need for B<sudo>-specific
-Aliases. Unix groups or user netgroups can be used in place of
-User_Aliases and Runas_Aliases. Host netgroups can be used in place
-of Host_Aliases. Since Unix groups and netgroups can also be stored
-in LDAP there is no real need for B<sudo>-specific aliases.
-
-Cmnd_Aliases are not really required either since it is possible
-to have multiple users listed in a C<sudoRole>. Instead of defining
-a Cmnd_Alias that is referenced by multiple users, one can create
-a C<sudoRole> that contains the commands and assign multiple users
-to it.
-
-=head2 SUDOers LDAP container
-
-The I<sudoers> configuration is contained in the C<ou=SUDOers> LDAP
-container.
-
-Sudo first looks for the C<cn=default> entry in the SUDOers container.
-If found, the multi-valued C<sudoOption> attribute is parsed in the
-same manner as a global C<Defaults> line in F<@sysconfdir@/sudoers>. In
-the following example, the C<SSH_AUTH_SOCK> variable will be preserved
-in the environment for all users.
-
- dn: cn=defaults,ou=SUDOers,dc=example,dc=com
- objectClass: top
- objectClass: sudoRole
- cn: defaults
- description: Default sudoOption's go here
- sudoOption: env_keep+=SSH_AUTH_SOCK
-
-The equivalent of a sudoer in LDAP is a C<sudoRole>. It consists of
-the following attributes:
-
-=over 4
-
-=item B<sudoUser>
-
-A user name, uid (prefixed with C<'#'>), Unix group (prefixed with
-a C<'%'>) or user netgroup (prefixed with a C<'+'>).
-
-=item B<sudoHost>
-
-A host name, IP address, IP network, or host netgroup (prefixed
-with a C<'+'>).
-The special value C<ALL> will match any host.
-
-=item B<sudoCommand>
-
-A Unix command with optional command line arguments, potentially
-including globbing characters (aka wild cards).
-The special value C<ALL> will match any command.
-If a command is prefixed with an exclamation point C<'!'>, the
-user will be prohibited from running that command.
-
-=item B<sudoOption>
-
-Identical in function to the global options described above, but
-specific to the C<sudoRole> in which it resides.
-
-=item B<sudoRunAsUser>
-
-A user name or uid (prefixed with C<'#'>) that commands may be run
-as or a Unix group (prefixed with a C<'%'>) or user netgroup (prefixed
-with a C<'+'>) that contains a list of users that commands may be
-run as.
-The special value C<ALL> will match any user.
-
-The C<sudoRunAsUser> attribute is only available in B<sudo> versions
-1.7.0 and higher. Older versions of B<sudo> use the C<sudoRunAs>
-attribute instead.
-
-=item B<sudoRunAsGroup>
-
-A Unix group or gid (prefixed with C<'#'>) that commands may be run as.
-The special value C<ALL> will match any group.
-
-The C<sudoRunAsGroup> attribute is only available in B<sudo> versions
-1.7.0 and higher.
-
-=item B<sudoNotBefore>
-
-A timestamp in the form C<yyyymmddHHMMSSZ> that can be used to provide
-a start date/time for when the C<sudoRole> will be valid. If
-multiple C<sudoNotBefore> entries are present, the earliest is used.
-Note that timestamps must be in Coordinated Universal Time (UTC),
-not the local timezone. The minute and seconds portions are optional,
-but some LDAP servers require that they be present (contrary to the RFC).
-
-The C<sudoNotBefore> attribute is only available in B<sudo> versions
-1.7.5 and higher and must be explicitly enabled via the B<SUDOERS_TIMED>
-option in F<@ldap_conf@>.
-
-=item B<sudoNotAfter>
-
-A timestamp in the form C<yyyymmddHHMMSSZ> that indicates an expiration
-date/time, after which the C<sudoRole> will no longer be valid. If
-multiple C<sudoNotBefore> entries are present, the last one is used.
-Note that timestamps must be in Coordinated Universal Time (UTC),
-not the local timezone. The minute and seconds portions are optional,
-but some LDAP servers require that they be present (contrary to the RFC).
-
-The C<sudoNotAfter> attribute is only available in B<sudo> versions
-1.7.5 and higher and must be explicitly enabled via the B<SUDOERS_TIMED>
-option in F<@ldap_conf@>.
-
-=item B<sudoOrder>
-
-The C<sudoRole> entries retrieved from the LDAP directory have no
-inherent order. The C<sudoOrder> attribute is an integer (or
-floating point value for LDAP servers that support it) that is used
-to sort the matching entries. This allows LDAP-based sudoers entries
-to more closely mimic the behaviour of the sudoers file, where the
-of the entries influences the result. If multiple entries match,
-the entry with the highest C<sudoOrder> attribute is chosen. This
-corresponds to the "last match" behavior of the sudoers file. If
-the C<sudoOrder> attribute is not present, a value of 0 is assumed.
-
-The C<sudoOrder> attribute is only available in B<sudo> versions
-1.7.5 and higher.
-
-=back
-
-Each attribute listed above should contain a single value, but there
-may be multiple instances of each attribute type. A C<sudoRole> must
-contain at least one C<sudoUser>, C<sudoHost> and C<sudoCommand>.
-
-The following example allows users in group wheel to run any command
-on any host via B<sudo>:
-
- dn: cn=%wheel,ou=SUDOers,dc=example,dc=com
- objectClass: top
- objectClass: sudoRole
- cn: %wheel
- sudoUser: %wheel
- sudoHost: ALL
- sudoCommand: ALL
-
-=head2 Anatomy of LDAP sudoers lookup
-
-When looking up a sudoer using LDAP there are only two or three
-LDAP queries per invocation. The first query is to parse the global
-options. The second is to match against the user's name and the
-groups that the user belongs to. (The special ALL tag is matched
-in this query too.) If no match is returned for the user's name
-and groups, a third query returns all entries containing user
-netgroups and checks to see if the user belongs to any of them.
-
-If timed entries are enabled with the B<SUDOERS_TIMED> configuration
-directive, the LDAP queries include a subfilter that limits retrieval
-to entries that satisfy the time constraints, if any.
-
-=head2 Differences between LDAP and non-LDAP sudoers
-
-There are some subtle differences in the way sudoers is handled
-once in LDAP. Probably the biggest is that according to the RFC,
-LDAP ordering is arbitrary and you cannot expect that Attributes
-and Entries are returned in any specific order.
-
-The order in which different entries are applied can be controlled
-using the C<sudoOrder> attribute, but there is no way to guarantee
-the order of attributes within a specific entry. If there are
-conflicting command rules in an entry, the negative takes precedence.
-This is called paranoid behavior (not necessarily the most specific
-match).
-
-Here is an example:
-
- # /etc/sudoers:
- # Allow all commands except shell
- johnny ALL=(root) ALL,!/bin/sh
- # Always allows all commands because ALL is matched last
- puddles ALL=(root) !/bin/sh,ALL
-
- # LDAP equivalent of johnny
- # Allows all commands except shell
- dn: cn=role1,ou=Sudoers,dc=my-domain,dc=com
- objectClass: sudoRole
- objectClass: top
- cn: role1
- sudoUser: johnny
- sudoHost: ALL
- sudoCommand: ALL
- sudoCommand: !/bin/sh
-
- # LDAP equivalent of puddles
- # Notice that even though ALL comes last, it still behaves like
- # role1 since the LDAP code assumes the more paranoid configuration
- dn: cn=role2,ou=Sudoers,dc=my-domain,dc=com
- objectClass: sudoRole
- objectClass: top
- cn: role2
- sudoUser: puddles
- sudoHost: ALL
- sudoCommand: !/bin/sh
- sudoCommand: ALL
-
-Another difference is that negations on the Host, User or Runas are
-currently ignored. For example, the following attributes do not
-behave the way one might expect.
-
- # does not match all but joe
- # rather, does not match anyone
- sudoUser: !joe
-
- # does not match all but joe
- # rather, matches everyone including Joe
- sudoUser: ALL
- sudoUser: !joe
-
- # does not match all but web01
- # rather, matches all hosts including web01
- sudoHost: ALL
- sudoHost: !web01
-
-=head2 Sudoers Schema
-
-In order to use B<sudo>'s LDAP support, the B<sudo> schema must be
-installed on your LDAP server. In addition, be sure to index the
-'sudoUser' attribute.
-
-Three versions of the schema: one for OpenLDAP servers (F<schema.OpenLDAP>),
-one for Netscape-derived servers (F<schema.iPlanet>), and one for
-Microsoft Active Directory (F<schema.ActiveDirectory>) may
-be found in the B<sudo> distribution.
-
-The schema for B<sudo> in OpenLDAP form is included in the L<EXAMPLES>
-section.
-
-=head2 Configuring ldap.conf
-
-Sudo reads the F<@ldap_conf@> file for LDAP-specific configuration.
-Typically, this file is shared amongst different LDAP-aware clients.
-As such, most of the settings are not B<sudo>-specific. Note that
-B<sudo> parses F<@ldap_conf@> itself and may support options that
-differ from those described in the system's L<ldap.conf(5)> manual.
-
-Also note that on systems using the OpenLDAP libraries, default
-values specified in F</etc/openldap/ldap.conf> or the user's
-F<.ldaprc> files are not used.
-
-Only those options explicitly listed in F<@ldap_conf@> as being
-supported by B<sudo> are honored. Configuration options are listed
-below in upper case but are parsed in a case-independent manner.
-
-=over 4
-
-=item B<URI> ldap[s]://[hostname[:port]] ...
-
-Specifies a whitespace-delimited list of one or more URIs describing
-the LDAP server(s) to connect to. The I<protocol> may be either
-B<ldap> or B<ldaps>, the latter being for servers that support TLS
-(SSL) encryption. If no I<port> is specified, the default is port
-389 for C<ldap://> or port 636 for C<ldaps://>. If no I<hostname>
-is specified, B<sudo> will connect to B<localhost>. Multiple B<URI>
-lines are treated identically to a B<URI> line containing multiple
-entries. Only systems using the OpenSSL libraries support the
-mixing of C<ldap://> and C<ldaps://> URIs. Both the Netscape-derived
-and Tivoli LDAP libraries used on most commercial versions of Unix
-are only capable of supporting one or the other.
-
-=item B<HOST> name[:port] ...
-
-If no B<URI> is specified, the B<HOST> parameter specifies a
-whitespace-delimited list of LDAP servers to connect to. Each host
-may include an optional I<port> separated by a colon (':'). The
-B<HOST> parameter is deprecated in favor of the B<URI> specification
-and is included for backwards compatibility.
-
-=item B<PORT> port_number
-
-If no B<URI> is specified, the B<PORT> parameter specifies the
-default port to connect to on the LDAP server if a B<HOST> parameter
-does not specify the port itself. If no B<PORT> parameter is used,
-the default is port 389 for LDAP and port 636 for LDAP over TLS
-(SSL). The B<PORT> parameter is deprecated in favor of the B<URI>
-specification and is included for backwards compatibility.
-
-=item B<BIND_TIMELIMIT> seconds
-
-The B<BIND_TIMELIMIT> parameter specifies the amount of time, in seconds,
-to wait while trying to connect to an LDAP server. If multiple B<URI>s or
-B<HOST>s are specified, this is the amount of time to wait before trying
-the next one in the list.
-
-=item B<NETWORK_TIMEOUT> seconds
-
-An alias for B<BIND_TIMELIMIT> for OpenLDAP compatibility.
-
-=item B<TIMELIMIT> seconds
-
-The B<TIMELIMIT> parameter specifies the amount of time, in seconds,
-to wait for a response to an LDAP query.
-
-=item B<TIMEOUT> seconds
-
-The B<TIMEOUT> parameter specifies the amount of time, in seconds,
-to wait for a response from the various LDAP APIs.
-
-=item B<SUDOERS_BASE> base
-
-The base DN to use when performing B<sudo> LDAP queries. Typically
-this is of the form C<ou=SUDOers,dc=example,dc=com> for the domain
-C<example.com>. Multiple B<SUDOERS_BASE> lines may be specified,
-in which case they are queried in the order specified.
-
-=item B<SUDOERS_SEARCH_FILTER> ldap_filter
-
-An LDAP filter which is used to restrict the set of records returned
-when performing a B<sudo> LDAP query. Typically, this is of the
-form C<attribute=value> or C<(&(attribute=value)(attribute2=value2))>.
-
-=item B<SUDOERS_TIMED> on/true/yes/off/false/no
-
-Whether or not to evaluate the C<sudoNotBefore> and C<sudoNotAfter>
-attributes that implement time-dependent sudoers entries.
-
-=item B<SUDOERS_DEBUG> debug_level
-
-This sets the debug level for B<sudo> LDAP queries. Debugging
-information is printed to the standard error. A value of 1 results
-in a moderate amount of debugging information. A value of 2 shows
-the results of the matches themselves. This parameter should not
-be set in a production environment as the extra information is
-likely to confuse users.
-
-=item B<BINDDN> DN
-
-The B<BINDDN> parameter specifies the identity, in the form of a
-Distinguished Name (DN), to use when performing LDAP operations.
-If not specified, LDAP operations are performed with an anonymous
-identity. By default, most LDAP servers will allow anonymous access.
-
-=item B<BINDPW> secret
-
-The B<BINDPW> parameter specifies the password to use when performing
-LDAP operations. This is typically used in conjunction with the
-B<BINDDN> parameter.
-
-=item B<ROOTBINDDN> DN
-
-The B<ROOTBINDDN> parameter specifies the identity, in the form of
-a Distinguished Name (DN), to use when performing privileged LDAP
-operations, such as I<sudoers> queries. The password corresponding
-to the identity should be stored in F<@ldap_secret@>.
-If not specified, the B<BINDDN> identity is used (if any).
-
-=item B<LDAP_VERSION> number
-
-The version of the LDAP protocol to use when connecting to the server.
-The default value is protocol version 3.
-
-=item B<SSL> on/true/yes/off/false/no
-
-If the B<SSL> parameter is set to C<on>, C<true> or C<yes>, TLS
-(SSL) encryption is always used when communicating with the LDAP
-server. Typically, this involves connecting to the server on port
-636 (ldaps).
-
-=item B<SSL> start_tls
-
-If the B<SSL> parameter is set to C<start_tls>, the LDAP server
-connection is initiated normally and TLS encryption is begun before
-the bind credentials are sent. This has the advantage of not
-requiring a dedicated port for encrypted communications. This
-parameter is only supported by LDAP servers that honor the C<start_tls>
-extension, such as the OpenLDAP server.
-
-=item B<TLS_CHECKPEER> on/true/yes/off/false/no
-
-If enabled, B<TLS_CHECKPEER> will cause the LDAP server's TLS
-certificated to be verified. If the server's TLS certificate cannot
-be verified (usually because it is signed by an unknown certificate
-authority), B<sudo> will be unable to connect to it. If B<TLS_CHECKPEER>
-is disabled, no check is made. Note that disabling the check creates
-an opportunity for man-in-the-middle attacks since the server's
-identity will not be authenticated. If possible, the CA's certificate
-should be installed locally so it can be verified. This option is
-not supported by the Tivoli Directory Server LDAP libraries.
-
-=item B<TLS_CACERT> file name
-
-An alias for B<TLS_CACERTFILE> for OpenLDAP compatibility.
-
-=item B<TLS_CACERTFILE> file name
-
-The path to a certificate authority bundle which contains the certificates
-for all the Certificate Authorities the client knows to be valid,
-e.g. F</etc/ssl/ca-bundle.pem>.
-This option is only supported by the OpenLDAP libraries.
-Netscape-derived LDAP libraries use the same certificate
-database for CA and client certificates (see B<TLS_CERT>).
-
-=item B<TLS_CACERTDIR> directory
-
-Similar to B<TLS_CACERTFILE> but instead of a file, it is a
-directory containing individual Certificate Authority certificates,
-e.g. F</etc/ssl/certs>.
-The directory specified by B<TLS_CACERTDIR> is checked after
-B<TLS_CACERTFILE>.
-This option is only supported by the OpenLDAP libraries.
-
-=item B<TLS_CERT> file name
-
-The path to a file containing the client certificate which can
-be used to authenticate the client to the LDAP server.
-The certificate type depends on the LDAP libraries used.
-
-OpenLDAP:
- C<tls_cert /etc/ssl/client_cert.pem>
-
-Netscape-derived:
- C<tls_cert /var/ldap/cert7.db>
-
-Tivoli Directory Server:
- Unused, the key database specified by B<TLS_KEY> contains both
- keys and certificates.
-
-When using Netscape-derived libraries, this file may also contain
-Certificate Authority certificates.
-
-=item B<TLS_KEY> file name
-
-The path to a file containing the private key which matches the
-certificate specified by B<TLS_CERT>. The private key must not be
-password-protected. The key type depends on the LDAP libraries
-used.
-
-OpenLDAP:
- C<tls_key /etc/ssl/client_key.pem>
-
-Netscape-derived:
- C<tls_key /var/ldap/key3.db>
-
-Tivoli Directory Server:
- C<tls_cert /usr/ldap/ldapkey.kdb>
-
-When using Tivoli LDAP libraries, this file may also contain
-Certificate Authority and client certificates and may be encrypted.
-
-=item B<TLS_KEYPW> secret
-
-The B<TLS_KEYPW> contains the password used to decrypt the key
-database on clients using the Tivoli Directory Server LDAP library.
-If no B<TLS_KEYPW> is specified, a I<stash file> will be used if
-it exists. The I<stash file> must have the same path as the file
-specified by B<TLS_KEY>, but use a C<.sth> file extension instead
-of C<.kdb>, e.g. C<ldapkey.sth>. The default C<ldapkey.kdb> that
-ships with Tivoli Directory Server is encrypted with the password
-C<ssl_password>. This option is only supported by the Tivoli LDAP
-libraries.
-
-=item B<TLS_RANDFILE> file name
-
-The B<TLS_RANDFILE> parameter specifies the path to an entropy
-source for systems that lack a random device. It is generally used
-in conjunction with I<prngd> or I<egd>.
-This option is only supported by the OpenLDAP libraries.
-
-=item B<TLS_CIPHERS> cipher list
-
-The B<TLS_CIPHERS> parameter allows the administer to restrict which
-encryption algorithms may be used for TLS (SSL) connections. See
-the OpenLDAP or Tivoli Directory Server manual for a list of valid
-ciphers. This option is not supported by Netscape-derived libraries.
-
-=item B<USE_SASL> on/true/yes/off/false/no
-
-Enable B<USE_SASL> for LDAP servers that support SASL authentication.
-
-=item B<SASL_AUTH_ID> identity
-
-The SASL user name to use when connecting to the LDAP server.
-By default, B<sudo> will use an anonymous connection.
-
-=item B<ROOTUSE_SASL> on/true/yes/off/false/no
-
-Enable B<ROOTUSE_SASL> to enable SASL authentication when connecting
-to an LDAP server from a privileged process, such as B<sudo>.
-
-=item B<ROOTSASL_AUTH_ID> identity
-
-The SASL user name to use when B<ROOTUSE_SASL> is enabled.
-
-=item B<SASL_SECPROPS> none/properties
-
-SASL security properties or I<none> for no properties. See the
-SASL programmer's manual for details.
-
-=item B<KRB5_CCNAME> file name
-
-The path to the Kerberos 5 credential cache to use when authenticating
-with the remote server.
-
-=item B<DEREF> never/searching/finding/always
-
-How alias dereferencing is to be performed when searching. See the
-L<ldap.conf(5)> manual for a full description of this option.
-
-=back
-
-See the C<ldap.conf> entry in the L<EXAMPLES> section.
-
-=head2 Configuring nsswitch.conf
-
-Unless it is disabled at build time, B<sudo> consults the Name
-Service Switch file, F<@nsswitch_conf@>, to specify the I<sudoers>
-search order. Sudo looks for a line beginning with C<sudoers>: and
-uses this to determine the search order. Note that B<sudo> does
-not stop searching after the first match and later matches take
-precedence over earlier ones.
-
-The following sources are recognized:
-
- files read sudoers from F<@sysconfdir@/sudoers>
- ldap read sudoers from LDAP
-
-In addition, the entry C<[NOTFOUND=return]> will short-circuit the
-search if the user was not found in the preceding source.
-
-To consult LDAP first followed by the local sudoers file (if it
-exists), use:
-
- sudoers: ldap files
-
-The local I<sudoers> file can be ignored completely by using:
-
- sudoers: ldap
-
-If the F<@nsswitch_conf@> file is not present or there is no
-sudoers line, the following default is assumed:
-
- sudoers: files
-
-Note that F<@nsswitch_conf@> is supported even when the underlying
-operating system does not use an nsswitch.conf file, except on AIX (see below).
-
-=head2 Configuring netsvc.conf
-
-On AIX systems, the F<@netsvc_conf@> file is consulted instead of
-F<@nsswitch_conf@>. B<sudo> simply treats I<netsvc.conf> as a
-variant of I<nsswitch.conf>; information in the previous section
-unrelated to the file format itself still applies.
-
-To consult LDAP first followed by the local sudoers file (if it
-exists), use:
-
- sudoers = ldap, files
-
-The local I<sudoers> file can be ignored completely by using:
-
- sudoers = ldap
-
-To treat LDAP as authoratative and only use the local sudoers file
-if the user is not present in LDAP, use:
-
- sudoers = ldap = auth, files
-
-Note that in the above example, the C<auth> qualfier only affects
-user lookups; both LDAP and I<sudoers> will be queried for C<Defaults>
-entries.
-
-If the F<@netsvc_conf@> file is not present or there is no
-sudoers line, the following default is assumed:
-
- sudoers = files
-
-=head1 FILES
-
-=over 24
-
-=item F<@ldap_conf@>
-
-LDAP configuration file
-
-=item F<@nsswitch_conf@>
-
-determines sudoers source order
-
-=item F<@netsvc_conf@>
-
-determines sudoers source order on AIX
-
-=back
-
-=head1 EXAMPLES
-
-=head2 Example ldap.conf
-
- # Either specify one or more URIs or one or more host:port pairs.
- # If neither is specified sudo will default to localhost, port 389.
- #
- #host ldapserver
- #host ldapserver1 ldapserver2:390
- #
- # Default port if host is specified without one, defaults to 389.
- #port 389
- #
- # URI will override the host and port settings.
- uri ldap://ldapserver
- #uri ldaps://secureldapserver
- #uri ldaps://secureldapserver ldap://ldapserver
- #
- # The amount of time, in seconds, to wait while trying to connect to
- # an LDAP server.
- bind_timelimit 30
- #
- # The amount of time, in seconds, to wait while performing an LDAP query.
- timelimit 30
- #
- # Must be set or sudo will ignore LDAP; may be specified multiple times.
- sudoers_base ou=SUDOers,dc=example,dc=com
- #
- # verbose sudoers matching from ldap
- #sudoers_debug 2
- #
- # Enable support for time-based entries in sudoers.
- #sudoers_timed yes
- #
- # optional proxy credentials
- #binddn <who to search as>
- #bindpw <password>
- #rootbinddn <who to search as, uses /etc/ldap.secret for bindpw>
- #
- # LDAP protocol version, defaults to 3
- #ldap_version 3
- #
- # Define if you want to use an encrypted LDAP connection.
- # Typically, you must also set the port to 636 (ldaps).
- #ssl on
- #
- # Define if you want to use port 389 and switch to
- # encryption before the bind credentials are sent.
- # Only supported by LDAP servers that support the start_tls
- # extension such as OpenLDAP.
- #ssl start_tls
- #
- # Additional TLS options follow that allow tweaking of the
- # SSL/TLS connection.
- #
- #tls_checkpeer yes # verify server SSL certificate
- #tls_checkpeer no # ignore server SSL certificate
- #
- # If you enable tls_checkpeer, specify either tls_cacertfile
- # or tls_cacertdir. Only supported when using OpenLDAP.
- #
- #tls_cacertfile /etc/certs/trusted_signers.pem
- #tls_cacertdir /etc/certs
- #
- # For systems that don't have /dev/random
- # use this along with PRNGD or EGD.pl to seed the
- # random number pool to generate cryptographic session keys.
- # Only supported when using OpenLDAP.
- #
- #tls_randfile /etc/egd-pool
- #
- # You may restrict which ciphers are used. Consult your SSL
- # documentation for which options go here.
- # Only supported when using OpenLDAP.
- #
- #tls_ciphers <cipher-list>
- #
- # Sudo can provide a client certificate when communicating to
- # the LDAP server.
- # Tips:
- # * Enable both lines at the same time.
- # * Do not password protect the key file.
- # * Ensure the keyfile is only readable by root.
- #
- # For OpenLDAP:
- #tls_cert /etc/certs/client_cert.pem
- #tls_key /etc/certs/client_key.pem
- #
- # For SunONE or iPlanet LDAP, tls_cert and tls_key may specify either
- # a directory, in which case the files in the directory must have the
- # default names (e.g. cert8.db and key4.db), or the path to the cert
- # and key files themselves. However, a bug in version 5.0 of the LDAP
- # SDK will prevent specific file names from working. For this reason
- # it is suggested that tls_cert and tls_key be set to a directory,
- # not a file name.
- #
- # The certificate database specified by tls_cert may contain CA certs
- # and/or the client's cert. If the client's cert is included, tls_key
- # should be specified as well.
- # For backward compatibility, "sslpath" may be used in place of tls_cert.
- #tls_cert /var/ldap
- #tls_key /var/ldap
- #
- # If using SASL authentication for LDAP (OpenSSL)
- # use_sasl yes
- # sasl_auth_id <SASL user name>
- # rootuse_sasl yes
- # rootsasl_auth_id <SASL user name for root access>
- # sasl_secprops none
- # krb5_ccname /etc/.ldapcache
-
-=head2 Sudo schema for OpenLDAP
-
-The following schema, in OpenLDAP format, is included with B<sudo>
-source and binary distributions as F<schema.OpenLDAP>. Simply copy
-it to the schema directory (e.g. F</etc/openldap/schema>), add the
-proper C<include> line in C<slapd.conf> and restart B<slapd>.
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.1
- NAME 'sudoUser'
- DESC 'User(s) who may run sudo'
- EQUALITY caseExactIA5Match
- SUBSTR caseExactIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.2
- NAME 'sudoHost'
- DESC 'Host(s) who may run sudo'
- EQUALITY caseExactIA5Match
- SUBSTR caseExactIA5SubstringsMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.3
- NAME 'sudoCommand'
- DESC 'Command(s) to be executed by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.4
- NAME 'sudoRunAs'
- DESC 'User(s) impersonated by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.5
- NAME 'sudoOption'
- DESC 'Options(s) followed by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.6
- NAME 'sudoRunAsUser'
- DESC 'User(s) impersonated by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.7
- NAME 'sudoRunAsGroup'
- DESC 'Group(s) impersonated by sudo'
- EQUALITY caseExactIA5Match
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.8
- NAME 'sudoNotBefore'
- DESC 'Start of time interval for which the entry is valid'
- EQUALITY generalizedTimeMatch
- ORDERING generalizedTimeOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
-
- attributetype ( 1.3.6.1.4.1.15953.9.1.9
- NAME 'sudoNotAfter'
- DESC 'End of time interval for which the entry is valid'
- EQUALITY generalizedTimeMatch
- ORDERING generalizedTimeOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
-
- attributeTypes ( 1.3.6.1.4.1.15953.9.1.10
- NAME 'sudoOrder'
- DESC 'an integer to order the sudoRole entries'
- EQUALITY integerMatch
- ORDERING integerOrderingMatch
- SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
-
- objectclass ( 1.3.6.1.4.1.15953.9.2.1 NAME 'sudoRole' SUP top STRUCTURAL
- DESC 'Sudoer Entries'
- MUST ( cn )
- MAY ( sudoUser $ sudoHost $ sudoCommand $ sudoRunAs $ sudoRunAsUser $
- sudoRunAsGroup $ sudoOption $ sudoNotBefore $ sudoNotAfter $
- sudoOrder $ description )
- )
-
-=head1 SEE ALSO
-
-L<ldap.conf(5)>, L<sudoers(5)>
-
-=head1 CAVEATS
-
-Note that there are differences in the way that LDAP-based I<sudoers>
-is parsed compared to file-based I<sudoers>. See the L<Differences
-between LDAP and non-LDAP sudoers> section for more information.
-
-=head1 BUGS
-
-If you feel you have found a bug in B<sudo>, please submit a bug report
-at http://www.sudo.ws/sudo/bugs/
-
-=head1 SUPPORT
-
-Limited free support is available via the sudo-users mailing list,
-see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
-search the archives.
-
-=head1 DISCLAIMER
-
-B<sudo> is provided ``AS IS'' and any express or implied warranties,
-including, but not limited to, the implied warranties of merchantability
-and fitness for a particular purpose are disclaimed. See the LICENSE
-file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
-for complete details.
-.\" Copyright (c) 1994-1996, 1998-2005, 2007-2011
-.\" Todd C. Miller <Todd.Miller@courtesan.com>
-.\"
+.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
+.\" IT IS GENERATED AUTOMATICALLY FROM sudoers.mdoc.in
+.\"
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2012
+.\" Todd C. Miller <Todd.Miller@courtesan.com>
+.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
-.\"
+.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
+.\"
.\" Sponsored in part by the Defense Advanced Research Projects
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
-.\"
-.nr SL @SEMAN@
-.nr BA @BAMAN@
-.nr LC @LCMAN@
-.\"
-.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
-.\"
-.\" Standard preamble:
-.\" ========================================================================
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C`
-. ds C'
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" Escape single quotes in literal strings from groff's Unicode transform.
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
-.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
-.\" entries marked with X<> in POD. Of course, you'll have to process the
-.\" output yourself in some meaningful fashion.
-.ie \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.el \{\
-. de IX
-..
-.\}
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ========================================================================
-.\"
-.IX Title "SUDOERS @mansectform@"
-.TH SUDOERS @mansectform@ "July 18, 2012" "1.7.10" "MAINTENANCE COMMANDS"
-.\" For nroff, turn off justification. Always turn off hyphenation; it makes
-.\" way too many mistakes in technical documents.
-.if n .ad l
+.TH "SUDOERS" "@mansectsu@" "July 16, 2012" "Sudo @PACKAGE_VERSION@" "Programmer's Manual"
.nh
+.if n .ad l
.SH "NAME"
-sudoers \- list of which users may execute what
+\fBsudoers\fR
+\- list of which users may execute what
.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-The \fIsudoers\fR file is composed of two types of entries: aliases
+The
+\fIsudoers\fR
+file is composed of two types of entries: aliases
(basically variables) and user specifications (which specify who
may run what).
.PP
Where there are multiple matches, the last match is used (which is
not necessarily the most specific match).
.PP
-The \fIsudoers\fR grammar will be described below in Extended Backus-Naur
-Form (\s-1EBNF\s0). Don't despair if you don't know what \s-1EBNF\s0 is; it is
-fairly simple, and the definitions below are annotated.
-.SS "Quick guide to \s-1EBNF\s0"
-.IX Subsection "Quick guide to EBNF"
-\&\s-1EBNF\s0 is a concise and exact way of describing the grammar of a language.
-Each \s-1EBNF\s0 definition is made up of \fIproduction rules\fR. E.g.,
-.PP
-.Vb 1
-\& symbol ::= definition | alternate1 | alternate2 ...
-.Ve
-.PP
-Each \fIproduction rule\fR references others and thus makes up a
-grammar for the language. \s-1EBNF\s0 also contains the following
+The
+\fIsudoers\fR
+grammar will be described below in Extended Backus-Naur
+Form (EBNF).
+Don't despair if you are unfamiliar with EBNF; it is fairly simple,
+and the definitions below are annotated.
+.SS "Quick guide to EBNF"
+EBNF is a concise and exact way of describing the grammar of a language.
+Each EBNF definition is made up of
+\fIproduction rules\fR.
+E.g.,
+.PP
+\fRsymbol ::= definition\fR | \fRalternate1\fR | \fRalternate2 ...\fR
+.PP
+Each
+\fIproduction rule\fR
+references others and thus makes up a
+grammar for the language.
+EBNF also contains the following
operators, which many readers will recognize from regular
-expressions. Do not, however, confuse them with \*(L"wildcard\*(R"
+expressions.
+Do not, however, confuse them with
+``wildcard''
characters, which have different meanings.
-.ie n .IP "\*(C`?\*(C'" 4
-.el .IP "\f(CW\*(C`?\*(C'\fR" 4
-.IX Item "?"
+.TP 6n
+\fR\&?\fR
Means that the preceding symbol (or group of symbols) is optional.
That is, it may appear once or not at all.
-.ie n .IP "\*(C`*\*(C'" 4
-.el .IP "\f(CW\*(C`*\*(C'\fR" 4
-.IX Item "*"
+.TP 6n
+\fR*\fR
Means that the preceding symbol (or group of symbols) may appear
zero or more times.
-.ie n .IP "\*(C`+\*(C'" 4
-.el .IP "\f(CW\*(C`+\*(C'\fR" 4
-.IX Item "+"
+.TP 6n
+\fR+\fR
Means that the preceding symbol (or group of symbols) may appear
one or more times.
.PP
-Parentheses may be used to group symbols together. For clarity,
-we will use single quotes ('') to designate what is a verbatim character
-string (as opposed to a symbol name).
+Parentheses may be used to group symbols together.
+For clarity,
+we will use single quotes
+('')
+to designate what is a verbatim character string (as opposed to a symbol name).
.SS "Aliases"
-.IX Subsection "Aliases"
-There are four kinds of aliases: \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR,
-\&\f(CW\*(C`Host_Alias\*(C'\fR and \f(CW\*(C`Cmnd_Alias\*(C'\fR.
-.PP
-.Vb 4
-\& Alias ::= \*(AqUser_Alias\*(Aq User_Alias (\*(Aq:\*(Aq User_Alias)* |
-\& \*(AqRunas_Alias\*(Aq Runas_Alias (\*(Aq:\*(Aq Runas_Alias)* |
-\& \*(AqHost_Alias\*(Aq Host_Alias (\*(Aq:\*(Aq Host_Alias)* |
-\& \*(AqCmnd_Alias\*(Aq Cmnd_Alias (\*(Aq:\*(Aq Cmnd_Alias)*
-\&
-\& User_Alias ::= NAME \*(Aq=\*(Aq User_List
-\&
-\& Runas_Alias ::= NAME \*(Aq=\*(Aq Runas_List
-\&
-\& Host_Alias ::= NAME \*(Aq=\*(Aq Host_List
-\&
-\& Cmnd_Alias ::= NAME \*(Aq=\*(Aq Cmnd_List
-\&
-\& NAME ::= [A\-Z]([A\-Z][0\-9]_)*
-.Ve
-.PP
-Each \fIalias\fR definition is of the form
-.PP
-.Vb 1
-\& Alias_Type NAME = item1, item2, ...
-.Ve
-.PP
-where \fIAlias_Type\fR is one of \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, \f(CW\*(C`Host_Alias\*(C'\fR,
-or \f(CW\*(C`Cmnd_Alias\*(C'\fR. A \f(CW\*(C`NAME\*(C'\fR is a string of uppercase letters, numbers,
-and underscore characters ('_'). A \f(CW\*(C`NAME\*(C'\fR \fBmust\fR start with an
-uppercase letter. It is possible to put several alias definitions
-of the same type on a single line, joined by a colon (':'). E.g.,
-.PP
-.Vb 1
-\& Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
-.Ve
-.PP
-The definitions of what constitutes a valid \fIalias\fR member follow.
-.PP
-.Vb 2
-\& User_List ::= User |
-\& User \*(Aq,\*(Aq User_List
-\&
-\& User ::= \*(Aq!\*(Aq* user name |
-\& \*(Aq!\*(Aq* #uid |
-\& \*(Aq!\*(Aq* %group |
-\& \*(Aq!\*(Aq* %#gid |
-\& \*(Aq!\*(Aq* +netgroup |
-\& \*(Aq!\*(Aq* %:nonunix_group |
-\& \*(Aq!\*(Aq* %:#nonunix_gid |
-\& \*(Aq!\*(Aq* User_Alias
-.Ve
-.PP
-A \f(CW\*(C`User_List\*(C'\fR is made up of one or more user names, user ids
-(prefixed with '#'), system group names and ids (prefixed with '%'
-and '%#' respectively), netgroups (prefixed with '+'), non-Unix
-group names and IDs (prefixed with '%:' and '%:#' respectively) and
-\&\f(CW\*(C`User_Alias\*(C'\fRes. Each list item may be prefixed with zero or more
-\&'!' operators. An odd number of '!' operators negate the value of
+There are four kinds of aliases:
+\fRUser_Alias\fR,
+\fRRunas_Alias\fR,
+\fRHost_Alias\fR
+and
+\fRCmnd_Alias\fR.
+.nf
+.sp
+.RS 0n
+Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
+ 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
+ 'Host_Alias' Host_Alias (':' Host_Alias)* |
+ 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
+
+User_Alias ::= NAME '=' User_List
+
+Runas_Alias ::= NAME '=' Runas_List
+
+Host_Alias ::= NAME '=' Host_List
+
+Cmnd_Alias ::= NAME '=' Cmnd_List
+
+NAME ::= [A-Z]([A-Z][0-9]_)*
+.RE
+.fi
+.PP
+Each
+\fIalias\fR
+definition is of the form
+.nf
+.sp
+.RS 0n
+Alias_Type NAME = item1, item2, ...
+.RE
+.fi
+.PP
+where
+\fIAlias_Type\fR
+is one of
+\fRUser_Alias\fR,
+\fRRunas_Alias\fR,
+\fRHost_Alias\fR,
+or
+\fRCmnd_Alias\fR.
+A
+\fRNAME\fR
+is a string of uppercase letters, numbers,
+and underscore characters
+(`_').
+A
+\fRNAME\fR
+\fBmust\fR
+start with an
+uppercase letter.
+It is possible to put several alias definitions
+of the same type on a single line, joined by a colon
+(`:\&').
+E.g.,
+.nf
+.sp
+.RS 0n
+Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
+.RE
+.fi
+.PP
+The definitions of what constitutes a valid
+\fIalias\fR
+member follow.
+.nf
+.sp
+.RS 0n
+User_List ::= User |
+ User ',' User_List
+
+User ::= '!'* user name |
+ '!'* #uid |
+ '!'* %group |
+ '!'* %#gid |
+ '!'* +netgroup |
+ '!'* %:nonunix_group |
+ '!'* %:#nonunix_gid |
+ '!'* User_Alias
+.RE
+.fi
+.PP
+A
+\fRUser_List\fR
+is made up of one or more user names, user ids
+(prefixed with
+`#'),
+system group names and ids (prefixed with
+`%'
+and
+`%#'
+respectively), netgroups (prefixed with
+`+'),
+non-Unix group names and IDs (prefixed with
+`%:'
+and
+`%:#'
+respectively) and
+\fRUser_Alias\fRes.
+Each list item may be prefixed with zero or more
+`\&!'
+operators.
+An odd number of
+`\&!'
+operators negate the value of
the item; an even number just cancel each other out.
.PP
-A \f(CW\*(C`user name\*(C'\fR, \f(CW\*(C`uid\*(C'\fR, \f(CW\*(C`group\*(C'\fR, \f(CW\*(C`gid\*(C'\fR, \f(CW\*(C`netgroup\*(C'\fR, \f(CW\*(C`nonunix_group\*(C'\fR
-or \f(CW\*(C`nonunix_gid\*(C'\fR may be enclosed in double quotes to avoid the
-need for escaping special characters. Alternately, special characters
-may be specified in escaped hex mode, e.g. \ex20 for space. When
+A
+\fRuser name\fR,
+\fRuid\fR,
+\fRgroup\fR,
+\fRgid\fR,
+\fRnetgroup\fR,
+\fRnonunix_group\fR
+or
+\fRnonunix_gid\fR
+may be enclosed in double quotes to avoid the
+need for escaping special characters.
+Alternately, special characters
+may be specified in escaped hex mode, e.g.\& \ex20 for space.
+When
using double quotes, any prefix characters must be included inside
the quotes.
.PP
-The \f(CW\*(C`nonunix_group\*(C'\fR and \f(CW\*(C`nonunix_gid\*(C'\fR syntax depends on the
-underlying implementation. For instance, the \s-1QAS\s0 \s-1AD\s0 backend supports
-the following formats:
-.IP "\(bu" 4
-Group in the same domain: \*(L"%:Group Name\*(R"
-.IP "\(bu" 4
-Group in any domain: \*(L"%:Group Name@FULLY.QUALIFIED.DOMAIN\*(R"
-.IP "\(bu" 4
-Group \s-1SID:\s0 \*(L"%:S\-1\-2\-34\-5678901234\-5678901234\-5678901234\-567\*(R"
-.PP
-Note that quotes around group names are optional. Unquoted strings
-must use a backslash (\e) to escape spaces and special characters.
-See \*(L"Other special characters and reserved words\*(R" for a list of
+The actual
+\fRnonunix_group\fR
+and
+\fRnonunix_gid\fR
+syntax depends on
+the underlying implementation.
+For instance, the QAS AD backend supports the following formats:
+.TP 6n
+\fBo\fR
+Group in the same domain: "%:Group Name"
+.TP 6n
+\fBo\fR
+Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
+.TP 6n
+\fBo\fR
+Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
+.PP
+Note that quotes around group names are optional.
+Unquoted strings must use a backslash
+(`\e')
+to escape spaces and special characters.
+See
+\fIOther special characters and reserved words\fR
+for a list of
characters that need to be escaped.
+.nf
+.sp
+.RS 0n
+Runas_List ::= Runas_Member |
+ Runas_Member ',' Runas_List
+
+Runas_Member ::= '!'* user name |
+ '!'* #uid |
+ '!'* %group |
+ '!'* %#gid |
+ '!'* %:nonunix_group |
+ '!'* %:#nonunix_gid |
+ '!'* +netgroup |
+ '!'* Runas_Alias
+.RE
+.fi
.PP
-.Vb 2
-\& Runas_List ::= Runas_Member |
-\& Runas_Member \*(Aq,\*(Aq Runas_List
-\&
-\& Runas_Member ::= \*(Aq!\*(Aq* user name |
-\& \*(Aq!\*(Aq* #uid |
-\& \*(Aq!\*(Aq* %group |
-\& \*(Aq!\*(Aq* %#gid |
-\& \*(Aq!\*(Aq* %:nonunix_group |
-\& \*(Aq!\*(Aq* %:#nonunix_gid |
-\& \*(Aq!\*(Aq* +netgroup |
-\& \*(Aq!\*(Aq* Runas_Alias
-.Ve
-.PP
-A \f(CW\*(C`Runas_List\*(C'\fR is similar to a \f(CW\*(C`User_List\*(C'\fR except that instead
-of \f(CW\*(C`User_Alias\*(C'\fRes it can contain \f(CW\*(C`Runas_Alias\*(C'\fRes. Note that
-user names and groups are matched as strings. In other words, two
+A
+\fRRunas_List\fR
+is similar to a
+\fRUser_List\fR
+except that instead
+of
+\fRUser_Alias\fRes
+it can contain
+\fRRunas_Alias\fRes.
+Note that
+user names and groups are matched as strings.
+In other words, two
users (groups) with the same uid (gid) are considered to be distinct.
-If you wish to match all user names with the same uid (e.g.\ root
-and toor), you can use a uid instead (#0 in the example given).
-.PP
-.Vb 2
-\& Host_List ::= Host |
-\& Host \*(Aq,\*(Aq Host_List
-\&
-\& Host ::= \*(Aq!\*(Aq* host name |
-\& \*(Aq!\*(Aq* ip_addr |
-\& \*(Aq!\*(Aq* network(/netmask)? |
-\& \*(Aq!\*(Aq* +netgroup |
-\& \*(Aq!\*(Aq* Host_Alias
-.Ve
-.PP
-A \f(CW\*(C`Host_List\*(C'\fR is made up of one or more host names, \s-1IP\s0 addresses,
-network numbers, netgroups (prefixed with '+') and other aliases.
-Again, the value of an item may be negated with the '!' operator.
+If you wish to match all user names with the same uid (e.g.\&
+root and toor), you can use a uid instead (#0 in the example given).
+.nf
+.sp
+.RS 0n
+Host_List ::= Host |
+ Host ',' Host_List
+
+Host ::= '!'* host name |
+ '!'* ip_addr |
+ '!'* network(/netmask)? |
+ '!'* +netgroup |
+ '!'* Host_Alias
+.RE
+.fi
+.PP
+A
+\fRHost_List\fR
+is made up of one or more host names, IP addresses,
+network numbers, netgroups (prefixed with
+`+')
+and other aliases.
+Again, the value of an item may be negated with the
+`\&!'
+operator.
If you do not specify a netmask along with the network number,
-\&\fBsudo\fR will query each of the local host's network interfaces and,
+\fBsudo\fR
+will query each of the local host's network interfaces and,
if the network number corresponds to one of the hosts's network
-interfaces, the corresponding netmask will be used. The netmask
-may be specified either in standard \s-1IP\s0 address notation
-(e.g.\ 255.255.255.0 or ffff:ffff:ffff:ffff::),
-or \s-1CIDR\s0 notation (number of bits, e.g.\ 24 or 64). A host name may
-include shell-style wildcards (see the Wildcards section below),
-but unless the \f(CW\*(C`host name\*(C'\fR command on your machine returns the fully
-qualified host name, you'll need to use the \fIfqdn\fR option for
-wildcards to be useful. Note \fBsudo\fR only inspects actual network
-interfaces; this means that \s-1IP\s0 address 127.0.0.1 (localhost) will
-never match. Also, the host name \*(L"localhost\*(R" will only match if
-that is the actual host name, which is usually only the case for
-non-networked systems.
-.PP
-.Vb 2
-\& Cmnd_List ::= Cmnd |
-\& Cmnd \*(Aq,\*(Aq Cmnd_List
-\&
-\& commandname ::= file name |
-\& file name args |
-\& file name \*(Aq""\*(Aq
-\&
-\& Cmnd ::= \*(Aq!\*(Aq* commandname |
-\& \*(Aq!\*(Aq* directory |
-\& \*(Aq!\*(Aq* "sudoedit" |
-\& \*(Aq!\*(Aq* Cmnd_Alias
-.Ve
-.PP
-A \f(CW\*(C`Cmnd_List\*(C'\fR is a list of one or more commandnames, directories, and other
-aliases. A commandname is a fully qualified file name which may include
-shell-style wildcards (see the Wildcards section below). A simple
-file name allows the user to run the command with any arguments he/she
-wishes. However, you may also specify command line arguments (including
-wildcards). Alternately, you can specify \f(CW""\fR to indicate that the command
-may only be run \fBwithout\fR command line arguments. A directory is a
-fully qualified path name ending in a '/'. When you specify a directory
-in a \f(CW\*(C`Cmnd_List\*(C'\fR, the user will be able to run any file within that directory
-(but not in any subdirectories therein).
-.PP
-If a \f(CW\*(C`Cmnd\*(C'\fR has associated command line arguments, then the arguments
-in the \f(CW\*(C`Cmnd\*(C'\fR must match exactly those given by the user on the command line
-(or match the wildcards if there are any). Note that the following
-characters must be escaped with a '\e' if they are used in command
-arguments: ',', ':', '=', '\e'. The special command \f(CW"sudoedit"\fR
-is used to permit a user to run \fBsudo\fR with the \fB\-e\fR option (or
-as \fBsudoedit\fR). It may take command line arguments just as
-a normal command does.
+interfaces, the corresponding netmask will be used.
+The netmask
+may be specified either in standard IP address notation
+(e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::),
+or CIDR notation (number of bits, e.g.\& 24 or 64).
+A host name may include shell-style wildcards (see the
+\fIWildcards\fR
+section below),
+but unless the
+\fRhost name\fR
+command on your machine returns the fully
+qualified host name, you'll need to use the
+\fIfqdn\fR
+option for wildcards to be useful.
+Note that
+\fBsudo\fR
+only inspects actual network interfaces; this means that IP address
+127.0.0.1 (localhost) will never match.
+Also, the host name
+``localhost''
+will only match if that is the actual host name, which is usually
+only the case for non-networked systems.
+.nf
+.sp
+.RS 0n
+Cmnd_List ::= Cmnd |
+ Cmnd ',' Cmnd_List
+
+command name ::= file name |
+ file name args |
+ file name '""'
+
+Cmnd ::= '!'* command name |
+ '!'* directory |
+ '!'* "sudoedit" |
+ '!'* Cmnd_Alias
+.RE
+.fi
+.PP
+A
+\fRCmnd_List\fR
+is a list of one or more command names, directories, and other aliases.
+A command name is a fully qualified file name which may include
+shell-style wildcards (see the
+\fIWildcards\fR
+section below).
+A simple file name allows the user to run the command with any
+arguments he/she wishes.
+However, you may also specify command line arguments (including
+wildcards).
+Alternately, you can specify
+\fR\&""\fR
+to indicate that the command
+may only be run
+\fBwithout\fR
+command line arguments.
+A directory is a
+fully qualified path name ending in a
+`/'.
+When you specify a directory in a
+\fRCmnd_List\fR,
+the user will be able to run any file within that directory
+(but not in any sub-directories therein).
+.PP
+If a
+\fRCmnd\fR
+has associated command line arguments, then the arguments
+in the
+\fRCmnd\fR
+must match exactly those given by the user on the command line
+(or match the wildcards if there are any).
+Note that the following characters must be escaped with a
+`\e'
+if they are used in command arguments:
+`,\&',
+`:\&',
+`=\&',
+`\e'.
+The special command
+``\fRsudoedit\fR''
+is used to permit a user to run
+\fBsudo\fR
+with the
+\fB\-e\fR
+option (or as
+\fBsudoedit\fR).
+It may take command line arguments just as a normal command does.
.SS "Defaults"
-.IX Subsection "Defaults"
Certain configuration options may be changed from their default
-values at runtime via one or more \f(CW\*(C`Default_Entry\*(C'\fR lines. These
-may affect all users on any host, all users on a specific host, a
+values at run-time via one or more
+\fRDefault_Entry\fR
+lines.
+These may affect all users on any host, all users on a specific host, a
specific user, a specific command, or commands being run as a specific user.
Note that per-command entries may not include command line arguments.
-If you need to specify arguments, define a \f(CW\*(C`Cmnd_Alias\*(C'\fR and reference
+If you need to specify arguments, define a
+\fRCmnd_Alias\fR
+and reference
that instead.
+.nf
+.sp
+.RS 0n
+Default_Type ::= 'Defaults' |
+ 'Defaults' '@' Host_List |
+ 'Defaults' ':' User_List |
+ 'Defaults' '!' Cmnd_List |
+ 'Defaults' '>' Runas_List
+
+Default_Entry ::= Default_Type Parameter_List
+
+Parameter_List ::= Parameter |
+ Parameter ',' Parameter_List
+
+Parameter ::= Parameter '=' Value |
+ Parameter '+=' Value |
+ Parameter '-=' Value |
+ '!'* Parameter
+.RE
+.fi
.PP
-.Vb 5
-\& Default_Type ::= \*(AqDefaults\*(Aq |
-\& \*(AqDefaults\*(Aq \*(Aq@\*(Aq Host_List |
-\& \*(AqDefaults\*(Aq \*(Aq:\*(Aq User_List |
-\& \*(AqDefaults\*(Aq \*(Aq!\*(Aq Cmnd_List |
-\& \*(AqDefaults\*(Aq \*(Aq>\*(Aq Runas_List
-\&
-\& Default_Entry ::= Default_Type Parameter_List
-\&
-\& Parameter_List ::= Parameter |
-\& Parameter \*(Aq,\*(Aq Parameter_List
-\&
-\& Parameter ::= Parameter \*(Aq=\*(Aq Value |
-\& Parameter \*(Aq+=\*(Aq Value |
-\& Parameter \*(Aq\-=\*(Aq Value |
-\& \*(Aq!\*(Aq* Parameter
-.Ve
-.PP
-Parameters may be \fBflags\fR, \fBinteger\fR values, \fBstrings\fR, or \fBlists\fR.
-Flags are implicitly boolean and can be turned off via the '!'
-operator. Some integer, string and list parameters may also be
-used in a boolean context to disable them. Values may be enclosed
-in double quotes (\f(CW""\fR) when they contain multiple words. Special
-characters may be escaped with a backslash (\f(CW\*(C`\e\*(C'\fR).
-.PP
-Lists have two additional assignment operators, \f(CW\*(C`+=\*(C'\fR and \f(CW\*(C`\-=\*(C'\fR.
+Parameters may be
+\fBflags\fR,
+\fBinteger\fR
+values,
+\fBstrings\fR,
+or
+\fBlists\fR.
+Flags are implicitly boolean and can be turned off via the
+`\&!'
+operator.
+Some integer, string and list parameters may also be
+used in a boolean context to disable them.
+Values may be enclosed
+in double quotes
+(\&"")
+when they contain multiple words.
+Special characters may be escaped with a backslash
+(`\e').
+.PP
+Lists have two additional assignment operators,
+\fR+=\fR
+and
+\fR-=\fR.
These operators are used to add to and delete from a list respectively.
-It is not an error to use the \f(CW\*(C`\-=\*(C'\fR operator to remove an element
+It is not an error to use the
+\fR-=\fR
+operator to remove an element
that does not exist in a list.
.PP
Defaults entries are parsed in the following order: generic, host
and user Defaults first, then runas Defaults and finally command
defaults.
.PP
-See \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" for a list of supported Defaults parameters.
+See
+\fISUDOERS OPTIONS\fR
+for a list of supported Defaults parameters.
.SS "User Specification"
-.IX Subsection "User Specification"
-.Vb 2
-\& User_Spec ::= User_List Host_List \*(Aq=\*(Aq Cmnd_Spec_List \e
-\& (\*(Aq:\*(Aq Host_List \*(Aq=\*(Aq Cmnd_Spec_List)*
-\&
-\& Cmnd_Spec_List ::= Cmnd_Spec |
-\& Cmnd_Spec \*(Aq,\*(Aq Cmnd_Spec_List
-\&
-.ie \n(SL \& Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
-.el \& Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
-\&
-\& Runas_Spec ::= \*(Aq(\*(Aq Runas_List? (\*(Aq:\*(Aq Runas_List)? \*(Aq)\*(Aq
-\&
-.if \n(SL \{\
-\& SELinux_Spec ::= (\*(AqROLE=role\*(Aq | \*(AqTYPE=type\*(Aq)
-\&
-\}
-\& Tag_Spec ::= (\*(AqNOPASSWD:\*(Aq | \*(AqPASSWD:\*(Aq | \*(AqNOEXEC:\*(Aq | \*(AqEXEC:\*(Aq |
-\& \*(AqSETENV:\*(Aq | \*(AqNOSETENV:\*(Aq | \*(AqLOG_INPUT:\*(Aq | \*(AqNOLOG_INPUT:\*(Aq |
-\& \*(AqLOG_OUTPUT:\*(Aq | \*(AqNOLOG_OUTPUT:\*(Aq)
-.Ve
-.PP
-A \fBuser specification\fR determines which commands a user may run
-(and as what user) on specified hosts. By default, commands are
-run as \fBroot\fR, but this can be changed on a per-command basis.
-.PP
-The basic structure of a user specification is `who where = (as_whom)
-what'. Let's break that down into its constituent parts:
+.nf
+.RS 0n
+User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
+ (':' Host_List '=' Cmnd_Spec_List)*
+
+Cmnd_Spec_List ::= Cmnd_Spec |
+ Cmnd_Spec ',' Cmnd_Spec_List
+
+Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Solaris_Priv_Spec? Tag_Spec* Cmnd
+
+Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
+
+SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
+
+Solaris_Priv_Spec ::= ('PRIVS=privset' | 'LIMITPRIVS=privset')
+
+Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
+ 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
+ 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
+.RE
+.fi
+.PP
+A
+\fBuser specification\fR
+determines which commands a user may run
+(and as what user) on specified hosts.
+By default, commands are
+run as
+\fBroot\fR,
+but this can be changed on a per-command basis.
+.PP
+The basic structure of a user specification is
+``who where = (as_whom) what''.
+Let's break that down into its constituent parts:
.SS "Runas_Spec"
-.IX Subsection "Runas_Spec"
-A \f(CW\*(C`Runas_Spec\*(C'\fR determines the user and/or the group that a command
-may be run as. A fully-specified \f(CW\*(C`Runas_Spec\*(C'\fR consists of two
-\&\f(CW\*(C`Runas_List\*(C'\fRs (as defined above) separated by a colon (':') and
-enclosed in a set of parentheses. The first \f(CW\*(C`Runas_List\*(C'\fR indicates
-which users the command may be run as via \fBsudo\fR's \fB\-u\fR option.
+A
+\fRRunas_Spec\fR
+determines the user and/or the group that a command
+may be run as.
+A fully-specified
+\fRRunas_Spec\fR
+consists of two
+\fRRunas_List\fRs
+(as defined above) separated by a colon
+(`:\&')
+and enclosed in a set of parentheses.
+The first
+\fRRunas_List\fR
+indicates
+which users the command may be run as via
+\fBsudo\fR's
+\fB\-u\fR
+option.
The second defines a list of groups that can be specified via
-\&\fBsudo\fR's \fB\-g\fR option. If both \f(CW\*(C`Runas_List\*(C'\fRs are specified, the
-command may be run with any combination of users and groups listed
-in their respective \f(CW\*(C`Runas_List\*(C'\fRs. If only the first is specified,
-the command may be run as any user in the list but no \fB\-g\fR option
-may be specified. If the first \f(CW\*(C`Runas_List\*(C'\fR is empty but the
+\fBsudo\fR's
+\fB\-g\fR
+option.
+If both
+\fRRunas_List\fRs
+are specified, the command may be run with any combination of users
+and groups listed in their respective
+\fRRunas_List\fRs.
+If only the first is specified, the command may be run as any user
+in the list but no
+\fB\-g\fR
+option
+may be specified.
+If the first
+\fRRunas_List\fR
+is empty but the
second is specified, the command may be run as the invoking user
-with the group set to any listed in the \f(CW\*(C`Runas_List\*(C'\fR. If no
-\&\f(CW\*(C`Runas_Spec\*(C'\fR is specified the command may be run as \fBroot\fR and
+with the group set to any listed in the
+\fRRunas_List\fR.
+If no
+\fRRunas_Spec\fR
+is specified the command may be run as
+\fBroot\fR
+and
no group may be specified.
.PP
-A \f(CW\*(C`Runas_Spec\*(C'\fR sets the default for the commands that follow it.
+A
+\fRRunas_Spec\fR
+sets the default for the commands that follow it.
What this means is that for the entry:
+.nf
+.sp
+.RS 0n
+dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
+.RE
+.fi
.PP
-.Vb 1
-\& dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
-.Ve
-.PP
-The user \fBdgb\fR may run \fI/bin/ls\fR, \fI/bin/kill\fR, and
-\&\fI/usr/bin/lprm\fR \*(-- but only as \fBoperator\fR. E.g.,
-.PP
-.Vb 1
-\& $ sudo \-u operator /bin/ls
-.Ve
-.PP
-It is also possible to override a \f(CW\*(C`Runas_Spec\*(C'\fR later on in an
-entry. If we modify the entry like so:
-.PP
-.Vb 1
-\& dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
-.Ve
-.PP
-Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR,
-but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR.
+The user
+\fBdgb\fR
+may run
+\fI/bin/ls\fR,
+\fI/bin/kill\fR,
+and
+\fI/usr/bin/lprm\fR\(embut
+only as
+\fBoperator\fR.
+E.g.,
+.nf
+.sp
+.RS 0n
+$ sudo -u operator /bin/ls
+.RE
+.fi
.PP
-We can extend this to allow \fBdgb\fR to run \f(CW\*(C`/bin/ls\*(C'\fR with either
-the user or group set to \fBoperator\fR:
+It is also possible to override a
+\fRRunas_Spec\fR
+later on in an entry.
+If we modify the entry like so:
+.nf
+.sp
+.RS 0n
+dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
+.RE
+.fi
.PP
-.Vb 2
-\& dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\e
-\& /usr/bin/lprm
-.Ve
+Then user
+\fBdgb\fR
+is now allowed to run
+\fI/bin/ls\fR
+as
+\fBoperator\fR,
+but
+\fI/bin/kill\fR
+and
+\fI/usr/bin/lprm\fR
+as
+\fBroot\fR.
+.PP
+We can extend this to allow
+\fBdgb\fR
+to run
+\fR/bin/ls\fR
+with either
+the user or group set to
+\fBoperator\fR:
+.nf
+.sp
+.RS 0n
+dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\e
+ /usr/bin/lprm
+.RE
+.fi
.PP
-Note that while the group portion of the \f(CW\*(C`Runas_Spec\*(C'\fR permits the
+Note that while the group portion of the
+\fRRunas_Spec\fR
+permits the
user to run as command with that group, it does not force the user
-to do so. If no group is specified on the command line, the command
+to do so.
+If no group is specified on the command line, the command
will run with the group listed in the target user's password database
-entry. The following would all be permitted by the sudoers entry above:
-.PP
-.Vb 3
-\& $ sudo \-u operator /bin/ls
-\& $ sudo \-u operator \-g operator /bin/ls
-\& $ sudo \-g operator /bin/ls
-.Ve
+entry.
+The following would all be permitted by the sudoers entry above:
+.nf
+.sp
+.RS 0n
+$ sudo -u operator /bin/ls
+$ sudo -u operator -g operator /bin/ls
+$ sudo -g operator /bin/ls
+.RE
+.fi
.PP
-In the following example, user \fBtcm\fR may run commands that access
+In the following example, user
+\fBtcm\fR
+may run commands that access
a modem device file with the dialer group.
-.PP
-.Vb 2
-\& tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\e
-\& /usr/local/bin/minicom
-.Ve
+.nf
+.sp
+.RS 0n
+tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\e
+ /usr/local/bin/minicom
+.RE
+.fi
.PP
Note that in this example only the group will be set, the command
-still runs as user \fBtcm\fR. E.g.
-.PP
-.Vb 1
-\& $ sudo \-g dialer /usr/bin/cu
-.Ve
-.PP
-Multiple users and groups may be present in a \f(CW\*(C`Runas_Spec\*(C'\fR, in
-which case the user may select any combination of users and groups
-via the \fB\-u\fR and \fB\-g\fR options. In this example:
+still runs as user
+\fBtcm\fR.
+E.g.\&
+.nf
+.sp
+.RS 0n
+$ sudo -g dialer /usr/bin/cu
+.RE
+.fi
.PP
-.Vb 1
-\& alan ALL = (root, bin : operator, system) ALL
-.Ve
+Multiple users and groups may be present in a
+\fRRunas_Spec\fR,
+in which case the user may select any combination of users and groups via the
+\fB\-u\fR
+and
+\fB\-g\fR
+options.
+In this example:
+.nf
+.sp
+.RS 0n
+alan ALL = (root, bin : operator, system) ALL
+.RE
+.fi
.PP
-user \fBalan\fR may run any command as either user root or bin,
+user
+\fBalan\fR
+may run any command as either user root or bin,
optionally setting the group to operator or system.
-.if \n(SL \{\
.SS "SELinux_Spec"
-.IX Subsection "SELinux_Spec"
-On systems with SELinux support, \fIsudoers\fR entries may optionally have
-an SELinux role and/or type associated with a command. If a role or
+On systems with SELinux support,
+\fIsudoers\fR
+entries may optionally have an SELinux role and/or type associated
+with a command.
+If a role or
type is specified with the command it will override any default values
-specified in \fIsudoers\fR. A role or type specified on the command line,
-however, will supercede the values in \fIsudoers\fR.
-\}
-.SS "Tag_Spec"
-.IX Subsection "Tag_Spec"
-A command may have zero or more tags associated with it. There are
-ten possible tag values, \f(CW\*(C`NOPASSWD\*(C'\fR, \f(CW\*(C`PASSWD\*(C'\fR, \f(CW\*(C`NOEXEC\*(C'\fR,
-\&\f(CW\*(C`EXEC\*(C'\fR, \f(CW\*(C`SETENV\*(C'\fR, \f(CW\*(C`NOSETENV\*(C'\fR, \f(CW\*(C`LOG_INPUT\*(C'\fR, \f(CW\*(C`NOLOG_INPUT\*(C'\fR,
-\&\f(CW\*(C`LOG_OUTPUT\*(C'\fR and \f(CW\*(C`NOLOG_OUTPUT\*(C'\fR. Once a tag is set on a \f(CW\*(C`Cmnd\*(C'\fR,
-subsequent \f(CW\*(C`Cmnd\*(C'\fRs in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR, inherit the tag unless
-it is overridden by the opposite tag (in other words, \f(CW\*(C`PASSWD\*(C'\fR overrides
-\&\f(CW\*(C`NOPASSWD\*(C'\fR and \f(CW\*(C`NOEXEC\*(C'\fR overrides \f(CW\*(C`EXEC\*(C'\fR).
-.PP
-\fI\s-1NOPASSWD\s0 and \s-1PASSWD\s0\fR
-.IX Subsection "NOPASSWD and PASSWD"
-.PP
-By default, \fBsudo\fR requires that a user authenticate him or herself
-before running a command. This behavior can be modified via the
-\&\f(CW\*(C`NOPASSWD\*(C'\fR tag. Like a \f(CW\*(C`Runas_Spec\*(C'\fR, the \f(CW\*(C`NOPASSWD\*(C'\fR tag sets
-a default for the commands that follow it in the \f(CW\*(C`Cmnd_Spec_List\*(C'\fR.
-Conversely, the \f(CW\*(C`PASSWD\*(C'\fR tag can be used to reverse things.
+specified in
+\fIsudoers\fR.
+A role or type specified on the command line,
+however, will supersede the values in
+\fIsudoers\fR.
+.SS "Solaris_Priv_Spec"
+On Solaris systems,
+\fIsudoers\fR
+entries may optionally specify Solaris privilege set and/or limit
+privilege set associated with a command.
+If privileges or limit privileges are specified with the command
+it will override any default values specified in
+\fIsudoers\fR.
+.PP
+A privilege set is a comma-separated list of privilege names.
+The
+ppriv(1)
+command can be used to list all privileges known to the system.
For example:
+.nf
+.sp
+.RS 0n
+$ ppriv -l
+.RE
+.fi
.PP
-.Vb 1
-\& ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
-.Ve
-.PP
-would allow the user \fBray\fR to run \fI/bin/kill\fR, \fI/bin/ls\fR, and
-\&\fI/usr/bin/lprm\fR as \fBroot\fR on the machine rushmore without
-authenticating himself. If we only want \fBray\fR to be able to
-run \fI/bin/kill\fR without a password the entry would be:
-.PP
-.Vb 1
-\& ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
-.Ve
-.PP
-Note, however, that the \f(CW\*(C`PASSWD\*(C'\fR tag has no effect on users who are
-in the group specified by the \fIexempt_group\fR option.
-.PP
-By default, if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is applied to any of the entries
-for a user on the current host, he or she will be able to run
-\&\f(CW\*(C`sudo \-l\*(C'\fR without a password. Additionally, a user may only run
-\&\f(CW\*(C`sudo \-v\*(C'\fR without a password if the \f(CW\*(C`NOPASSWD\*(C'\fR tag is present
-for all a user's entries that pertain to the current host.
-This behavior may be overridden via the verifypw and listpw options.
-.PP
-\fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR
-.IX Subsection "NOEXEC and EXEC"
-.PP
-If \fBsudo\fR has been compiled with \fInoexec\fR support and the underlying
-operating system supports it, the \f(CW\*(C`NOEXEC\*(C'\fR tag can be used to prevent
-a dynamically-linked executable from running further commands itself.
-.PP
-In the following example, user \fBaaron\fR may run \fI/usr/bin/more\fR
-and \fI/usr/bin/vi\fR but shell escapes will be disabled.
-.PP
-.Vb 1
-\& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
-.Ve
-.PP
-See the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0 \s-1ESCAPES\s0\*(R" section below for more details
-on how \f(CW\*(C`NOEXEC\*(C'\fR works and whether or not it will work on your system.
-.PP
-\fI\s-1SETENV\s0 and \s-1NOSETENV\s0\fR
-.IX Subsection "SETENV and NOSETENV"
-.PP
-These tags override the value of the \fIsetenv\fR option on a per-command
-basis. Note that if \f(CW\*(C`SETENV\*(C'\fR has been set for a command, the user
-may disable the \fIenv_reset\fR option from the command line via the
-\&\fB\-E\fR option. Additionally, environment variables set on the command
-line are not subject to the restrictions imposed by \fIenv_check\fR,
-\&\fIenv_delete\fR, or \fIenv_keep\fR. As such, only trusted users should
-be allowed to set variables in this manner. If the command matched
-is \fB\s-1ALL\s0\fR, the \f(CW\*(C`SETENV\*(C'\fR tag is implied for that command; this
-default may be overridden by use of the \f(CW\*(C`NOSETENV\*(C'\fR tag.
-.PP
-\fI\s-1LOG_INPUT\s0 and \s-1NOLOG_INPUT\s0\fR
-.IX Subsection "LOG_INPUT and NOLOG_INPUT"
+In addition, there are several
+``special''
+privilege strings:
+.TP 10n
+none
+the empty set
+.TP 10n
+all
+the set of all privileges
+.TP 10n
+zone
+the set of all privileges available in the current zone
+.TP 10n
+basic
+the default set of privileges normal users are granted at login time
+.PP
+Privileges can be excluded from a set by prefixing the privilege
+name with either an
+`\&!'
+or
+`\-'
+character.
+.SS "Tag_Spec"
+A command may have zero or more tags associated with it.
+There are
+ten possible tag values:
+\fRNOPASSWD\fR,
+\fRPASSWD\fR,
+\fRNOEXEC\fR,
+\fREXEC\fR,
+\fRSETENV\fR,
+\fRNOSETENV\fR,
+\fRLOG_INPUT\fR,
+\fRNOLOG_INPUT\fR,
+\fRLOG_OUTPUT\fR
+and
+\fRNOLOG_OUTPUT\fR.
+Once a tag is set on a
+\fRCmnd\fR,
+subsequent
+\fRCmnd\fRs
+in the
+\fRCmnd_Spec_List\fR,
+inherit the tag unless it is overridden by the opposite tag (in other words,
+\fRPASSWD\fR
+overrides
+\fRNOPASSWD\fR
+and
+\fRNOEXEC\fR
+overrides
+\fREXEC\fR).
+.PP
+\fINOPASSWD and PASSWD\fR
+.PP
+By default,
+\fBsudo\fR
+requires that a user authenticate him or herself
+before running a command.
+This behavior can be modified via the
+\fRNOPASSWD\fR
+tag.
+Like a
+\fRRunas_Spec\fR,
+the
+\fRNOPASSWD\fR
+tag sets
+a default for the commands that follow it in the
+\fRCmnd_Spec_List\fR.
+Conversely, the
+\fRPASSWD\fR
+tag can be used to reverse things.
+For example:
+.nf
+.sp
+.RS 0n
+ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
+.RE
+.fi
.PP
-These tags override the value of the \fIlog_input\fR option on a
-per-command basis. For more information, see the description of
-\&\fIlog_input\fR in the \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" section below.
+would allow the user
+\fBray\fR
+to run
+\fI/bin/kill\fR,
+\fI/bin/ls\fR,
+and
+\fI/usr/bin/lprm\fR
+as
+\fBroot\fR
+on the machine rushmore without authenticating himself.
+If we only want
+\fBray\fR
+to be able to
+run
+\fI/bin/kill\fR
+without a password the entry would be:
+.nf
+.sp
+.RS 0n
+ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
+.RE
+.fi
.PP
-\fI\s-1LOG_OUTPUT\s0 and \s-1NOLOG_OUTPUT\s0\fR
-.IX Subsection "LOG_OUTPUT and NOLOG_OUTPUT"
+Note, however, that the
+\fRPASSWD\fR
+tag has no effect on users who are in the group specified by the
+\fIexempt_group\fR
+option.
+.PP
+By default, if the
+\fRNOPASSWD\fR
+tag is applied to any of the entries for a user on the current host,
+he or she will be able to run
+``\fRsudo -l\fR''
+without a password.
+Additionally, a user may only run
+``\fRsudo -v\fR''
+without a password if the
+\fRNOPASSWD\fR
+tag is present for all a user's entries that pertain to the current host.
+This behavior may be overridden via the
+\fIverifypw\fR
+and
+\fIlistpw\fR
+options.
+.PP
+\fINOEXEC and EXEC\fR
+.PP
+If
+\fBsudo\fR
+has been compiled with
+\fInoexec\fR
+support and the underlying operating system supports it, the
+\fRNOEXEC\fR
+tag can be used to prevent a dynamically-linked executable from
+running further commands itself.
+.PP
+In the following example, user
+\fBaaron\fR
+may run
+\fI/usr/bin/more\fR
+and
+\fI/usr/bin/vi\fR
+but shell escapes will be disabled.
+.nf
+.sp
+.RS 0n
+aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+.RE
+.fi
.PP
-These tags override the value of the \fIlog_output\fR option on a
-per-command basis. For more information, see the description of
-\&\fIlog_output\fR in the \*(L"\s-1SUDOERS\s0 \s-1OPTIONS\s0\*(R" section below.
+See the
+\fIPreventing Shell Escapes\fR
+section below for more details on how
+\fRNOEXEC\fR
+works and whether or not it will work on your system.
+.PP
+\fISETENV and NOSETENV\fR
+.PP
+These tags override the value of the
+\fIsetenv\fR
+option on a per-command basis.
+Note that if
+\fRSETENV\fR
+has been set for a command, the user may disable the
+\fIenv_reset\fR
+option from the command line via the
+\fB\-E\fR
+option.
+Additionally, environment variables set on the command
+line are not subject to the restrictions imposed by
+\fIenv_check\fR,
+\fIenv_delete\fR,
+or
+\fIenv_keep\fR.
+As such, only trusted users should be allowed to set variables in this manner.
+If the command matched is
+\fBALL\fR,
+the
+\fRSETENV\fR
+tag is implied for that command; this default may be overridden by use of the
+\fRNOSETENV\fR
+tag.
+.PP
+\fILOG_INPUT and NOLOG_INPUT\fR
+.PP
+These tags override the value of the
+\fIlog_input\fR
+option on a per-command basis.
+For more information, see the description of
+\fIlog_input\fR
+in the
+\fISUDOERS OPTIONS\fR
+section below.
+.PP
+\fILOG_OUTPUT and NOLOG_OUTPUT\fR
+.PP
+These tags override the value of the
+\fIlog_output\fR
+option on a per-command basis.
+For more information, see the description of
+\fIlog_output\fR
+in the
+\fISUDOERS OPTIONS\fR
+section below.
.SS "Wildcards"
-.IX Subsection "Wildcards"
-\&\fBsudo\fR allows shell-style \fIwildcards\fR (aka meta or glob characters)
-to be used in host names, path names and command line arguments in
-the \fIsudoers\fR file. Wildcard matching is done via the \fB\s-1POSIX\s0\fR
-\&\fIglob\fR\|(3) and \fIfnmatch\fR\|(3) routines. Note that these are \fInot\fR
+\fBsudo\fR
+allows shell-style
+\fIwildcards\fR
+(aka meta or glob characters)
+to be used in host names, path names and command line arguments in the
+\fIsudoers\fR
+file.
+Wildcard matching is done via the
+\fBPOSIX\fR
+glob(3)
+and
+fnmatch(3)
+routines.
+Note that these are
+\fInot\fR
regular expressions.
-.ie n .IP "\*(C`*\*(C'" 8
-.el .IP "\f(CW\*(C`*\*(C'\fR" 8
-.IX Item "*"
+.TP 10n
+\fR*\fR
Matches any set of zero or more characters.
-.ie n .IP "\*(C`?\*(C'" 8
-.el .IP "\f(CW\*(C`?\*(C'\fR" 8
-.IX Item "?"
+.TP 10n
+\fR\&?\fR
Matches any single character.
-.ie n .IP "\*(C`[...]\*(C'" 8
-.el .IP "\f(CW\*(C`[...]\*(C'\fR" 8
-.IX Item "[...]"
+.TP 10n
+\fR[...]\fR
Matches any character in the specified range.
-.ie n .IP "\*(C`[!...]\*(C'" 8
-.el .IP "\f(CW\*(C`[!...]\*(C'\fR" 8
-.IX Item "[!...]"
-Matches any character \fBnot\fR in the specified range.
-.ie n .IP "\*(C`\ex\*(C'" 8
-.el .IP "\f(CW\*(C`\ex\*(C'\fR" 8
-.IX Item "x"
-For any character \*(L"x\*(R", evaluates to \*(L"x\*(R". This is used to
-escape special characters such as: \*(L"*\*(R", \*(L"?\*(R", \*(L"[\*(R", and \*(L"]\*(R".
-.PP
-\&\s-1POSIX\s0 character classes may also be used if your system's \fIglob\fR\|(3)
-and \fIfnmatch\fR\|(3) functions support them. However, because the
-\&\f(CW\*(Aq:\*(Aq\fR character has special meaning in \fIsudoers\fR, it must be
-escaped. For example:
-.PP
-.Vb 1
-\& /bin/ls [[\e:alpha\e:]]*
-.Ve
+.TP 10n
+\fR[!...]\fR
+Matches any character
+\fBnot\fR
+in the specified range.
+.TP 10n
+\fR\ex\fR
+For any character
+`x',
+evaluates to
+`x'.
+This is used to escape special characters such as:
+`*',
+`\&?',
+`[\&',
+and
+`]\&'.
+.PP
+POSIX character classes may also be used if your system's
+glob(3)
+and
+fnmatch(3)
+functions support them.
+However, because the
+`:\&'
+character has special meaning in
+\fIsudoers\fR,
+it must be
+escaped.
+For example:
+.nf
+.sp
+.RS 4n
+/bin/ls [[\:alpha\:]]*
+.RE
+.fi
.PP
Would match any file name beginning with a letter.
.PP
-Note that a forward slash ('/') will \fBnot\fR be matched by
-wildcards used in the path name. When matching the command
-line arguments, however, a slash \fBdoes\fR get matched by
-wildcards. This is to make a path like:
+Note that a forward slash
+(`/')
+will
+\fBnot\fR
+be matched by
+wildcards used in the path name.
+This is to make a path like:
+.nf
+.sp
+.RS 4n
+/usr/bin/*
+.RE
+.fi
+.PP
+match
+\fI/usr/bin/who\fR
+but not
+\fI/usr/bin/X11/xterm\fR.
+.PP
+When matching the command line arguments, however, a slash
+\fBdoes\fR
+get matched by wildcards since command line arguments may contain
+arbitrary strings and not just path names.
+.PP
+Wildcards in command line arguments should be used with care.
+Because command line arguments are matched as a single, concatenated
+string, a wildcard such as
+`\&?'
+or
+`*'
+can match multiple words.
+For example, while a sudoers entry like:
+.nf
+.sp
+.RS 4n
+%operator ALL = /bin/cat /var/log/messages*
+.RE
+.fi
.PP
-.Vb 1
-\& /usr/bin/*
-.Ve
+will allow command like:
+.nf
+.sp
+.RS 4n
+$ sudo cat /var/log/messages.1
+.RE
+.fi
.PP
-match \fI/usr/bin/who\fR but not \fI/usr/bin/X11/xterm\fR.
+It will also allow:
+.nf
+.sp
+.RS 4n
+$ sudo cat /var/log/messages /etc/shadow
+.RE
+.fi
+.PP
+which is probably not what was intended.
.SS "Exceptions to wildcard rules"
-.IX Subsection "Exceptions to wildcard rules"
The following exceptions apply to the above rules:
-.ie n .IP """""" 8
-.el .IP "\f(CW``''\fR" 8
-.IX Item """"""
-If the empty string \f(CW""\fR is the only command line argument in the
-\&\fIsudoers\fR entry it means that command is not allowed to be run
-with \fBany\fR arguments.
+.TP 10n
+\fR\&""\fR
+If the empty string
+\fR\&""\fR
+is the only command line argument in the
+\fIsudoers\fR
+entry it means that command is not allowed to be run with
+\fBany\fR
+arguments.
+.TP 10n
+sudoedit
+Command line arguments to the
+\fIsudoedit\fR
+built-in command should always be path names, so a forward slash
+(`/')
+will not be matched by a wildcard.
.SS "Including other files from within sudoers"
-.IX Subsection "Including other files from within sudoers"
-It is possible to include other \fIsudoers\fR files from within the
-\&\fIsudoers\fR file currently being parsed using the \f(CW\*(C`#include\*(C'\fR and
-\&\f(CW\*(C`#includedir\*(C'\fR directives.
-.PP
-This can be used, for example, to keep a site-wide \fIsudoers\fR file
-in addition to a local, per-machine file. For the sake of this
-example the site-wide \fIsudoers\fR will be \fI/etc/sudoers\fR and the
-per-machine one will be \fI/etc/sudoers.local\fR. To include
-\&\fI/etc/sudoers.local\fR from within \fI/etc/sudoers\fR we would use the
-following line in \fI/etc/sudoers\fR:
-.Sp
-.RS 4
-\&\f(CW\*(C`#include /etc/sudoers.local\*(C'\fR
+It is possible to include other
+\fIsudoers\fR
+files from within the
+\fIsudoers\fR
+file currently being parsed using the
+\fR#include\fR
+and
+\fR#includedir\fR
+directives.
+.PP
+This can be used, for example, to keep a site-wide
+\fIsudoers\fR
+file in addition to a local, per-machine file.
+For the sake of this example the site-wide
+\fIsudoers\fR
+will be
+\fI/etc/sudoers\fR
+and the per-machine one will be
+\fI/etc/sudoers.local\fR.
+To include
+\fI/etc/sudoers.local\fR
+from within
+\fI/etc/sudoers\fR
+we would use the
+following line in
+\fI/etc/sudoers\fR:
+.nf
+.sp
+.RS 4n
+#include /etc/sudoers.local
.RE
+.fi
.PP
-When \fBsudo\fR reaches this line it will suspend processing of the
-current file (\fI/etc/sudoers\fR) and switch to \fI/etc/sudoers.local\fR.
-Upon reaching the end of \fI/etc/sudoers.local\fR, the rest of
-\&\fI/etc/sudoers\fR will be processed. Files that are included may
-themselves include other files. A hard limit of 128 nested include
-files is enforced to prevent include file loops.
+When
+\fBsudo\fR
+reaches this line it will suspend processing of the current file
+(\fI/etc/sudoers\fR)
+and switch to
+\fI/etc/sudoers.local\fR.
+Upon reaching the end of
+\fI/etc/sudoers.local\fR,
+the rest of
+\fI/etc/sudoers\fR
+will be processed.
+Files that are included may themselves include other files.
+A hard limit of 128 nested include files is enforced to prevent include
+file loops.
.PP
If the path to the include file is not fully-qualified (does not
-begin with a \f(CW\*(C`/\*(C'\fR), it must be located in the same directory as the
-sudoers file it was included from. For example, if \fI/etc/sudoers\fR
+begin with a
+`/',
+it must be located in the same directory as the sudoers file it was
+included from.
+For example, if
+\fI/etc/sudoers\fR
contains the line:
-.Sp
-.RS 4
-\&\f(CW\*(C`#include sudoers.local\*(C'\fR
+.nf
+.sp
+.RS 4n
+\fR#include sudoers.local\fR
.RE
+.fi
.PP
-the file that will be included is \fI/etc/sudoers.local\fR.
-.PP
-The file name may also include the \f(CW%h\fR escape, signifying the short form
-of the host name. In other words, if the machine's host name is \*(L"xerxes\*(R", then
-.PP
-\&\f(CW\*(C`#include /etc/sudoers.%h\*(C'\fR
-.PP
-will cause \fBsudo\fR to include the file \fI/etc/sudoers.xerxes\fR.
-.PP
-The \f(CW\*(C`#includedir\*(C'\fR directive can be used to create a \fIsudo.d\fR
-directory that the system package manager can drop \fIsudoers\fR rules
-into as part of package installation. For example, given:
+the file that will be included is
+\fI/etc/sudoers.local\fR.
.PP
-\&\f(CW\*(C`#includedir /etc/sudoers.d\*(C'\fR
+The file name may also include the
+\fR%h\fR
+escape, signifying the short form of the host name.
+In other words, if the machine's host name is
+``xerxes'',
+then
+.nf
+.sp
+.RS 4n
+#include /etc/sudoers.%h
+.RE
+.fi
.PP
-\&\fBsudo\fR will read each file in \fI/etc/sudoers.d\fR, skipping file
-names that end in \f(CW\*(C`~\*(C'\fR or contain a \f(CW\*(C`.\*(C'\fR character to avoid causing
-problems with package manager or editor temporary/backup files.
-Files are parsed in sorted lexical order. That is,
-\&\fI/etc/sudoers.d/01_first\fR will be parsed before
-\&\fI/etc/sudoers.d/10_second\fR. Be aware that because the sorting is
-lexical, not numeric, \fI/etc/sudoers.d/1_whoops\fR would be loaded
-\&\fBafter\fR \fI/etc/sudoers.d/10_second\fR. Using a consistent number
-of leading zeroes in the file names can be used to avoid such
-problems.
+will cause
+\fBsudo\fR
+to include the file
+\fI/etc/sudoers.xerxes\fR.
+.PP
+The
+\fR#includedir\fR
+directive can be used to create a
+\fIsudo.d\fR
+directory that the system package manager can drop
+\fIsudoers\fR
+rules
+into as part of package installation.
+For example, given:
+.nf
+.sp
+.RS 4n
+#includedir /etc/sudoers.d
+.RE
+.fi
.PP
-Note that unlike files included via \f(CW\*(C`#include\*(C'\fR, \fBvisudo\fR will not
-edit the files in a \f(CW\*(C`#includedir\*(C'\fR directory unless one of them
-contains a syntax error. It is still possible to run \fBvisudo\fR
-with the \fB\-f\fR flag to edit the files directly.
+\fBsudo\fR
+will read each file in
+\fI/etc/sudoers.d\fR,
+skipping file names that end in
+`~'
+or contain a
+`.\&'
+character to avoid causing problems with package manager or editor
+temporary/backup files.
+Files are parsed in sorted lexical order.
+That is,
+\fI/etc/sudoers.d/01_first\fR
+will be parsed before
+\fI/etc/sudoers.d/10_second\fR.
+Be aware that because the sorting is lexical, not numeric,
+\fI/etc/sudoers.d/1_whoops\fR
+would be loaded
+\fBafter\fR
+\fI/etc/sudoers.d/10_second\fR.
+Using a consistent number of leading zeroes in the file names can be used
+to avoid such problems.
+.PP
+Note that unlike files included via
+\fR#include\fR,
+\fBvisudo\fR
+will not edit the files in a
+\fR#includedir\fR
+directory unless one of them contains a syntax error.
+It is still possible to run
+\fBvisudo\fR
+with the
+\fB\-f\fR
+flag to edit the files directly.
.SS "Other special characters and reserved words"
-.IX Subsection "Other special characters and reserved words"
-The pound sign ('#') is used to indicate a comment (unless it is
-part of a #include directive or unless it occurs in the context of
-a user name and is followed by one or more digits, in which case
-it is treated as a uid). Both the comment character and any text
-after it, up to the end of the line, are ignored.
-.PP
-The reserved word \fB\s-1ALL\s0\fR is a built-in \fIalias\fR that always causes
-a match to succeed. It can be used wherever one might otherwise
-use a \f(CW\*(C`Cmnd_Alias\*(C'\fR, \f(CW\*(C`User_Alias\*(C'\fR, \f(CW\*(C`Runas_Alias\*(C'\fR, or \f(CW\*(C`Host_Alias\*(C'\fR.
-You should not try to define your own \fIalias\fR called \fB\s-1ALL\s0\fR as the
-built-in alias will be used in preference to your own. Please note
-that using \fB\s-1ALL\s0\fR can be dangerous since in a command context, it
-allows the user to run \fBany\fR command on the system.
-.PP
-An exclamation point ('!') can be used as a logical \fInot\fR operator
-both in an \fIalias\fR and in front of a \f(CW\*(C`Cmnd\*(C'\fR. This allows one to
-exclude certain values. Note, however, that using a \f(CW\*(C`!\*(C'\fR in
-conjunction with the built-in \f(CW\*(C`ALL\*(C'\fR alias to allow a user to
-run \*(L"all but a few\*(R" commands rarely works as intended (see \s-1SECURITY\s0
-\&\s-1NOTES\s0 below).
-.PP
-Long lines can be continued with a backslash ('\e') as the last
-character on the line.
-.PP
-Whitespace between elements in a list as well as special syntactic
-characters in a \fIUser Specification\fR ('=', ':', '(', ')') is optional.
-.PP
-The following characters must be escaped with a backslash ('\e') when
-used as part of a word (e.g.\ a user name or host name):
-\&'!', '=', ':', ',', '(', ')', '\e'.
+The pound sign
+(`#')
+is used to indicate a comment (unless it is part of a #include
+directive or unless it occurs in the context of a user name and is
+followed by one or more digits, in which case it is treated as a
+uid).
+Both the comment character and any text after it, up to the end of
+the line, are ignored.
+.PP
+The reserved word
+\fBALL\fR
+is a built-in
+\fIalias\fR
+that always causes a match to succeed.
+It can be used wherever one might otherwise use a
+\fRCmnd_Alias\fR,
+\fRUser_Alias\fR,
+\fRRunas_Alias\fR,
+or
+\fRHost_Alias\fR.
+You should not try to define your own
+\fIalias\fR
+called
+\fBALL\fR
+as the built-in alias will be used in preference to your own.
+Please note that using
+\fBALL\fR
+can be dangerous since in a command context, it allows the user to run
+\fBany\fR
+command on the system.
+.PP
+An exclamation point
+(`\&!')
+can be used as a logical
+\fInot\fR
+operator both in an
+\fIalias\fR
+and in front of a
+\fRCmnd\fR.
+This allows one to exclude certain values.
+Note, however, that using a
+`\&!'
+in conjunction with the built-in
+\fBALL\fR
+alias to allow a user to run
+``all but a few''
+commands rarely works as intended (see
+\fISECURITY NOTES\fR
+below).
+.PP
+Long lines can be continued with a backslash
+(`\e')
+as the last character on the line.
+.PP
+White space between elements in a list as well as special syntactic
+characters in a
+\fIUser Specification\fR
+(`=\&',
+`:\&',
+`(\&',
+`)\&')
+is optional.
+.PP
+The following characters must be escaped with a backslash
+(`\e')
+when used as part of a word (e.g.\& a user name or host name):
+`\&!',
+`=\&',
+`:\&',
+`,\&',
+`(\&',
+`)\&',
+`\e'.
.SH "SUDOERS OPTIONS"
-.IX Header "SUDOERS OPTIONS"
-\&\fBsudo\fR's behavior can be modified by \f(CW\*(C`Default_Entry\*(C'\fR lines, as
-explained earlier. A list of all supported Defaults parameters,
-grouped by type, are listed below.
-.PP
-\&\fBBoolean Flags\fR:
-.IP "always_set_home" 16
-.IX Item "always_set_home"
-If enabled, \fBsudo\fR will set the \f(CW\*(C`HOME\*(C'\fR environment variable to the
-home directory of the target user (which is root unless the \fB\-u\fR
-option is used). This effectively means that the \fB\-H\fR option is
-always implied. Note that \f(CW\*(C`HOME\*(C'\fR is already set when the the
-\&\fIenv_reset\fR option is enabled, so \fIalways_set_home\fR is only
-effective for configurations where either \fIenv_reset\fR is disabled
-or \f(CW\*(C`HOME\*(C'\fR is present in the \fIenv_keep\fR list.
-This flag is \fIoff\fR by default.
-.IP "authenticate" 16
-.IX Item "authenticate"
+\fBsudo\fR's
+behavior can be modified by
+\fRDefault_Entry\fR
+lines, as explained earlier.
+A list of all supported Defaults parameters, grouped by type, are listed below.
+.PP
+\fBBoolean Flags\fR:
+.TP 18n
+always_set_home
+If enabled,
+\fBsudo\fR
+will set the
+\fRHOME\fR
+environment variable to the home directory of the target user
+(which is root unless the
+\fB\-u\fR
+option is used).
+This effectively means that the
+\fB\-H\fR
+option is always implied.
+Note that
+\fRHOME\fR
+is already set when the the
+\fIenv_reset\fR
+option is enabled, so
+\fIalways_set_home\fR
+is only effective for configurations where either
+\fIenv_reset\fR
+is disabled or
+\fRHOME\fR
+is present in the
+\fIenv_keep\fR
+list.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+authenticate
If set, users must authenticate themselves via a password (or other
-means of authentication) before they may run commands. This default
-may be overridden via the \f(CW\*(C`PASSWD\*(C'\fR and \f(CW\*(C`NOPASSWD\*(C'\fR tags.
-This flag is \fIon\fR by default.
-.IP "closefrom_override" 16
-.IX Item "closefrom_override"
-If set, the user may use \fBsudo\fR's \fB\-C\fR option which
-overrides the default starting point at which \fBsudo\fR begins
-closing open file descriptors. This flag is \fIoff\fR by default.
-.IP "compress_io" 16
-.IX Item "compress_io"
-If set, and \fBsudo\fR is configured to log a command's input or output,
-the I/O logs will be compressed using \fBzlib\fR. This flag is \fIon\fR
-by default when \fBsudo\fR is compiled with \fBzlib\fR support.
-.IP "env_editor" 16
-.IX Item "env_editor"
-If set, \fBvisudo\fR will use the value of the \s-1EDITOR\s0 or \s-1VISUAL\s0
+means of authentication) before they may run commands.
+This default may be overridden via the
+\fRPASSWD\fR
+and
+\fRNOPASSWD\fR
+tags.
+This flag is
+\fIon\fR
+by default.
+.TP 18n
+closefrom_override
+If set, the user may use
+\fBsudo\fR's
+\fB\-C\fR
+option which overrides the default starting point at which
+\fBsudo\fR
+begins closing open file descriptors.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+compress_io
+If set, and
+\fBsudo\fR
+is configured to log a command's input or output,
+the I/O logs will be compressed using
+\fBzlib\fR.
+This flag is
+\fIon\fR
+by default when
+\fBsudo\fR
+is compiled with
+\fBzlib\fR
+support.
+.TP 18n
+env_editor
+If set,
+\fBvisudo\fR
+will use the value of the
+\fREDITOR\fR
+or
+\fRVISUAL\fR
environment variables before falling back on the default editor list.
Note that this may create a security hole as it allows the user to
-run any arbitrary command as root without logging. A safer alternative
-is to place a colon-separated list of editors in the \f(CW\*(C`editor\*(C'\fR
-variable. \fBvisudo\fR will then only use the \s-1EDITOR\s0 or \s-1VISUAL\s0 if
-they match a value specified in \f(CW\*(C`editor\*(C'\fR. This flag is \fI@env_editor@\fR by
-default.
-.IP "env_reset" 16
-.IX Item "env_reset"
-If set, \fBsudo\fR will run the command in a minimal environment
-containing the \f(CW\*(C`TERM\*(C'\fR, \f(CW\*(C`PATH\*(C'\fR, \f(CW\*(C`HOME\*(C'\fR, \f(CW\*(C`MAIL\*(C'\fR, \f(CW\*(C`SHELL\*(C'\fR,
-\&\f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR, \f(CW\*(C`USERNAME\*(C'\fR and \f(CW\*(C`SUDO_*\*(C'\fR variables. Any
-variables in the caller's environment that match the \f(CW\*(C`env_keep\*(C'\fR
-and \f(CW\*(C`env_check\*(C'\fR lists are then added, followed by any variables
-present in the file specified by the \fIenv_file\fR option (if any).
-The default contents of the \f(CW\*(C`env_keep\*(C'\fR and \f(CW\*(C`env_check\*(C'\fR lists are
-displayed when \fBsudo\fR is run by root with the \fB\-V\fR option. If
-the \fIsecure_path\fR option is set, its value will be used for the
-\&\f(CW\*(C`PATH\*(C'\fR environment variable. This flag is \fI@env_reset@\fR by
+run any arbitrary command as root without logging.
+A safer alternative is to place a colon-separated list of editors
+in the
+\fReditor\fR
+variable.
+\fBvisudo\fR
+will then only use the
+\fREDITOR\fR
+or
+\fRVISUAL\fR
+if they match a value specified in
+\fReditor\fR.
+This flag is
+\fI@env_editor@\fR
+by
default.
-.IP "fast_glob" 16
-.IX Item "fast_glob"
-Normally, \fBsudo\fR uses the \fIglob\fR\|(3) function to do shell-style
-globbing when matching path names. However, since it accesses the
-file system, \fIglob\fR\|(3) can take a long time to complete for some
-patterns, especially when the pattern references a network file
-system that is mounted on demand (automounted). The \fIfast_glob\fR
-option causes \fBsudo\fR to use the \fIfnmatch\fR\|(3) function, which does
-not access the file system to do its matching. The disadvantage
-of \fIfast_glob\fR is that it is unable to match relative path names
-such as \fI./ls\fR or \fI../bin/ls\fR. This has security implications
-when path names that include globbing characters are used with the
-negation operator, \f(CW\*(Aq!\*(Aq\fR, as such rules can be trivially bypassed.
-As such, this option should not be used when \fIsudoers\fR contains rules
-that contain negated path names which include globbing characters.
-This flag is \fIoff\fR by default.
-.IP "fqdn" 16
-.IX Item "fqdn"
+.TP 18n
+env_reset
+If set,
+\fBsudo\fR
+will run the command in a minimal environment containing the
+\fRTERM\fR,
+\fRPATH\fR,
+\fRHOME\fR,
+\fRMAIL\fR,
+\fRSHELL\fR,
+\fRLOGNAME\fR,
+\fRUSER\fR,
+\fRUSERNAME\fR
+and
+\fRSUDO_*\fR
+variables.
+Any
+variables in the caller's environment that match the
+\fRenv_keep\fR
+and
+\fRenv_check\fR
+lists are then added, followed by any variables present in the file
+specified by the
+\fIenv_file\fR
+option (if any).
+The default contents of the
+\fRenv_keep\fR
+and
+\fRenv_check\fR
+lists are displayed when
+\fBsudo\fR
+is run by root with the
+\fB\-V\fR
+option.
+If the
+\fIsecure_path\fR
+option is set, its value will be used for the
+\fRPATH\fR
+environment variable.
+This flag is
+\fI@env_reset@\fR
+by default.
+.TP 18n
+fast_glob
+Normally,
+\fBsudo\fR
+uses the
+glob(3)
+function to do shell-style globbing when matching path names.
+However, since it accesses the file system,
+glob(3)
+can take a long time to complete for some patterns, especially
+when the pattern references a network file system that is mounted
+on demand (auto mounted).
+The
+\fIfast_glob\fR
+option causes
+\fBsudo\fR
+to use the
+fnmatch(3)
+function, which does not access the file system to do its matching.
+The disadvantage of
+\fIfast_glob\fR
+is that it is unable to match relative path names such as
+\fI./ls\fR
+or
+\fI../bin/ls\fR.
+This has security implications when path names that include globbing
+characters are used with the negation operator,
+`!\&',
+as such rules can be trivially bypassed.
+As such, this option should not be used when
+\fIsudoers\fR
+contains rules that contain negated path names which include globbing
+characters.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+fqdn
Set this flag if you want to put fully qualified host names in the
-\&\fIsudoers\fR file.
+\fIsudoers\fR
+file when the local host name (as returned by the
+\fRhostname\fR
+command) does not contain the domain name.
In other words, instead of myhost you would use myhost.mydomain.edu.
You may still use the short form if you wish (and even mix the two).
-Beware that turning on \fIfqdn\fR requires \fBsudo\fR to make \s-1DNS\s0 lookups
-which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example
-if the machine is not plugged into the network). Also note that
-you must use the host's official name as \s-1DNS\s0 knows it. That is,
-you may not use a host alias (\f(CW\*(C`CNAME\*(C'\fR entry) due to performance
-issues and the fact that there is no way to get all aliases from
-\&\s-1DNS\s0. If your machine's host name (as returned by the \f(CW\*(C`hostname\*(C'\fR
-command) is already fully qualified you shouldn't need to set
-\&\fIfqdn\fR. This flag is \fI@fqdn@\fR by default.
-.IP "ignore_dot" 16
-.IX Item "ignore_dot"
-If set, \fBsudo\fR will ignore \*(L".\*(R" or "" (current dir) in the \f(CW\*(C`PATH\*(C'\fR
-environment variable; the \f(CW\*(C`PATH\*(C'\fR itself is not modified. This
-flag is \fI@ignore_dot@\fR by default.
-.IP "ignore_local_sudoers" 16
-.IX Item "ignore_local_sudoers"
-If set via \s-1LDAP\s0, parsing of \fI@sysconfdir@/sudoers\fR will be skipped.
+This option is only effective when the
+``canonical''
+host name, as returned by the
+\fBgetaddrinfo\fR()
+or
+\fBgethostbyname\fR()
+function, is a fully-qualified domain name.
+This is usually the case when the system is configured to use DNS
+for host name resolution.
+.sp
+If the system is configured to use the
+\fI/etc/hosts\fR
+file in preference to DNS, the
+``canonical''
+host name may not be fully-qualified.
+The order that sources are queried for hosts name resolution
+is usually specified in the
+\fI@nsswitch_conf@\fR,
+\fI@netsvc_conf@\fR,
+\fI/etc/host.conf\fR,
+or, in some cases,
+\fI/etc/resolv.conf\fR
+file.
+In the
+\fI/etc/hosts\fR
+file, the first host name of the entry is considered to be the
+``canonical''
+name; subsequent names are aliases that are not used by
+\fBsudoers\fR.
+For example, the following hosts file line for the machine
+``xyzzy''
+has the fully-qualified domain name as the
+``canonical''
+host name, and the short version as an alias.
+.sp
+.RS 6n
+192.168.1.1 xyzzy.sudo.ws xyzzy
+.RE
+.sp
+If the machine's hosts file entry is not formatted properly, the
+\fIfqdn\fR
+option will not be effective if it is queried before DNS.
+.sp
+Beware that when using DNS for host name resolution, turning on
+\fIfqdn\fR
+requires
+\fBsudoers\fR
+to make DNS lookups which renders
+\fBsudo\fR
+unusable if DNS stops working (for example if the machine is disconnected
+from the network).
+Also note that just like with the hosts file, you must use the
+``canonical''
+name as DNS knows it.
+That is, you may not use a host alias
+(\fRCNAME\fR
+entry)
+due to performance issues and the fact that there is no way to get all
+aliases from DNS.
+.sp
+This flag is
+\fI@fqdn@\fR
+by default.
+.TP 18n
+ignore_dot
+If set,
+\fBsudo\fR
+will ignore "." or "" (both denoting current directory) in the
+\fRPATH\fR
+environment variable; the
+\fRPATH\fR
+itself is not modified.
+This flag is
+\fI@ignore_dot@\fR
+by default.
+.TP 18n
+ignore_local_sudoers
+If set via LDAP, parsing of
+\fI@sysconfdir@/sudoers\fR
+will be skipped.
This is intended for Enterprises that wish to prevent the usage of local
-sudoers files so that only \s-1LDAP\s0 is used. This thwarts the efforts of
-rogue operators who would attempt to add roles to \fI@sysconfdir@/sudoers\fR.
-When this option is present, \fI@sysconfdir@/sudoers\fR does not even need to
-exist. Since this option tells \fBsudo\fR how to behave when no specific \s-1LDAP\s0
-entries have been matched, this sudoOption is only meaningful for the
-\&\f(CW\*(C`cn=defaults\*(C'\fR section. This flag is \fIoff\fR by default.
-.IP "insults" 16
-.IX Item "insults"
-If set, \fBsudo\fR will insult users when they enter an incorrect
-password. This flag is \fI@insults@\fR by default.
-.IP "log_host" 16
-.IX Item "log_host"
-If set, the host name will be logged in the (non-syslog) \fBsudo\fR log file.
-This flag is \fIoff\fR by default.
-.IP "log_input" 16
-.IX Item "log_input"
-If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
-user input.
+sudoers files so that only LDAP is used.
+This thwarts the efforts of rogue operators who would attempt to add roles to
+\fI@sysconfdir@/sudoers\fR.
+When this option is present,
+\fI@sysconfdir@/sudoers\fR
+does not even need to exist.
+Since this option tells
+\fBsudo\fR
+how to behave when no specific LDAP entries have been matched, this
+sudoOption is only meaningful for the
+\fRcn=defaults\fR
+section.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+insults
+If set,
+\fBsudo\fR
+will insult users when they enter an incorrect password.
+This flag is
+\fI@insults@\fR
+by default.
+.TP 18n
+log_host
+If set, the host name will be logged in the (non-syslog)
+\fBsudo\fR
+log file.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+log_input
+If set,
+\fBsudo\fR
+will run the command in a
+\fIpseudo tty\fR
+and log all user input.
If the standard input is not connected to the user's tty, due to
I/O redirection or because the command is part of a pipeline, that
input is also captured and stored in a separate log file.
-.Sp
-Input is logged to the directory specified by the \fIiolog_dir\fR
-option (\fI@iolog_dir@\fR by default) using a unique session \s-1ID\s0 that
-is included in the normal \fBsudo\fR log line, prefixed with "\f(CW\*(C`TSID=\*(C'\fR".
-.Sp
+.sp
+Input is logged to the directory specified by the
+\fIiolog_dir\fR
+option
+(\fI@iolog_dir@\fR
+by default)
+using a unique session ID that is included in the normal
+\fBsudo\fR
+log line, prefixed with
+``\fRTSID=\fR''.
+.sp
Note that user input may contain sensitive information such as
passwords (even if they are not echoed to the screen), which will
-be stored in the log file unencrypted. In most cases, logging the
-command output via \fIlog_output\fR is all that is required.
-.IP "log_output" 16
-.IX Item "log_output"
-If set, \fBsudo\fR will run the command in a \fIpseudo tty\fR and log all
-output that is sent to the screen, similar to the \fIscript\fR\|(1) command.
+be stored in the log file unencrypted.
+In most cases, logging the command output via
+\fIlog_output\fR
+is all that is required.
+.TP 18n
+log_output
+If set,
+\fBsudo\fR
+will run the command in a
+\fIpseudo tty\fR
+and log all output that is sent to the screen, similar to the
+script(1)
+command.
If the standard output or standard error is not connected to the
user's tty, due to I/O redirection or because the command is part
of a pipeline, that output is also captured and stored in separate
log files.
-.Sp
-Output is logged to the directory specified by the \fIiolog_dir\fR
-option (\fI@iolog_dir@\fR by default) using a unique session \s-1ID\s0 that
-is included in the normal \fBsudo\fR log line, prefixed with "\f(CW\*(C`TSID=\*(C'\fR".
-.Sp
-Output logs may be viewed with the \fIsudoreplay\fR\|(@mansectsu@) utility, which
-can also be used to list or search the available logs.
-.IP "log_year" 16
-.IX Item "log_year"
-If set, the four-digit year will be logged in the (non-syslog) \fBsudo\fR log file.
-This flag is \fIoff\fR by default.
-.IP "long_otp_prompt" 16
-.IX Item "long_otp_prompt"
-When validating with a One Time Password (\s-1OTP\s0) scheme such as
-\&\fBS/Key\fR or \fB\s-1OPIE\s0\fR, a two-line prompt is used to make it easier
-to cut and paste the challenge to a local window. It's not as
-pretty as the default but some people find it more convenient. This
-flag is \fI@long_otp_prompt@\fR by default.
-.IP "mail_always" 16
-.IX Item "mail_always"
-Send mail to the \fImailto\fR user every time a users runs \fBsudo\fR.
-This flag is \fIoff\fR by default.
-.IP "mail_badpass" 16
-.IX Item "mail_badpass"
-Send mail to the \fImailto\fR user if the user running \fBsudo\fR does not
-enter the correct password. This flag is \fIoff\fR by default.
-.IP "mail_no_host" 16
-.IX Item "mail_no_host"
-If set, mail will be sent to the \fImailto\fR user if the invoking
-user exists in the \fIsudoers\fR file, but is not allowed to run
-commands on the current host. This flag is \fI@mail_no_host@\fR by default.
-.IP "mail_no_perms" 16
-.IX Item "mail_no_perms"
-If set, mail will be sent to the \fImailto\fR user if the invoking
-user is allowed to use \fBsudo\fR but the command they are trying is not
-listed in their \fIsudoers\fR file entry or is explicitly denied.
-This flag is \fI@mail_no_perms@\fR by default.
-.IP "mail_no_user" 16
-.IX Item "mail_no_user"
-If set, mail will be sent to the \fImailto\fR user if the invoking
-user is not in the \fIsudoers\fR file. This flag is \fI@mail_no_user@\fR
+.sp
+Output is logged to the directory specified by the
+\fIiolog_dir\fR
+option
+(\fI@iolog_dir@\fR
+by default)
+using a unique session ID that is included in the normal
+\fBsudo\fR
+log line, prefixed with
+``\fRTSID=\fR''.
+.sp
+Output logs may be viewed with the
+sudoreplay(@mansectsu@)
+utility, which can also be used to list or search the available logs.
+.TP 18n
+log_year
+If set, the four-digit year will be logged in the (non-syslog)
+\fBsudo\fR
+log file.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+long_otp_prompt
+When validating with a One Time Password (OTP) scheme such as
+\fBS/Key\fR
+or
+\fBOPIE\fR,
+a two-line prompt is used to make it easier
+to cut and paste the challenge to a local window.
+It's not as pretty as the default but some people find it more convenient.
+This flag is
+\fI@long_otp_prompt@\fR
+by default.
+.TP 18n
+mail_always
+Send mail to the
+\fImailto\fR
+user every time a users runs
+\fBsudo\fR.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+mail_badpass
+Send mail to the
+\fImailto\fR
+user if the user running
+\fBsudo\fR
+does not enter the correct password.
+If the command the user is attempting to run is not permitted by
+\fIsudoers\fR
+and one of the
+\fImail_always\fR,
+\fImail_no_host\fR,
+\fImail_no_perms\fR
+or
+\fImail_no_user\fR
+flags are set, this flag will have no effect.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+mail_no_host
+If set, mail will be sent to the
+\fImailto\fR
+user if the invoking user exists in the
+\fIsudoers\fR
+file, but is not allowed to run commands on the current host.
+This flag is
+\fI@mail_no_host@\fR
+by default.
+.TP 18n
+mail_no_perms
+If set, mail will be sent to the
+\fImailto\fR
+user if the invoking user is allowed to use
+\fBsudo\fR
+but the command they are trying is not listed in their
+\fIsudoers\fR
+file entry or is explicitly denied.
+This flag is
+\fI@mail_no_perms@\fR
+by default.
+.TP 18n
+mail_no_user
+If set, mail will be sent to the
+\fImailto\fR
+user if the invoking user is not in the
+\fIsudoers\fR
+file.
+This flag is
+\fI@mail_no_user@\fR
by default.
-.IP "noexec" 16
-.IX Item "noexec"
-If set, all commands run via \fBsudo\fR will behave as if the \f(CW\*(C`NOEXEC\*(C'\fR
-tag has been set, unless overridden by a \f(CW\*(C`EXEC\*(C'\fR tag. See the
-description of \fI\s-1NOEXEC\s0 and \s-1EXEC\s0\fR below as well as the \*(L"\s-1PREVENTING\s0 \s-1SHELL\s0
-\&\s-1ESCAPES\s0\*(R" section at the end of this manual. This flag is \fIoff\fR by default.
-.IP "path_info" 16
-.IX Item "path_info"
-Normally, \fBsudo\fR will tell the user when a command could not be
-found in their \f(CW\*(C`PATH\*(C'\fR environment variable. Some sites may wish
-to disable this as it could be used to gather information on the
-location of executables that the normal user does not have access
-to. The disadvantage is that if the executable is simply not in
-the user's \f(CW\*(C`PATH\*(C'\fR, \fBsudo\fR will tell the user that they are not
-allowed to run it, which can be confusing. This flag is \fI@path_info@\fR
+.TP 18n
+noexec
+If set, all commands run via
+\fBsudo\fR
+will behave as if the
+\fRNOEXEC\fR
+tag has been set, unless overridden by a
+\fREXEC\fR
+tag.
+See the description of
+\fINOEXEC and EXEC\fR
+below as well as the
+\fIPreventing Shell Escapes\fR
+section at the end of this manual.
+This flag is
+\fIoff\fR
by default.
-.IP "passprompt_override" 16
-.IX Item "passprompt_override"
-The password prompt specified by \fIpassprompt\fR will normally only
-be used if the password prompt provided by systems such as \s-1PAM\s0 matches
-the string \*(L"Password:\*(R". If \fIpassprompt_override\fR is set, \fIpassprompt\fR
-will always be used. This flag is \fIoff\fR by default.
-.IP "preserve_groups" 16
-.IX Item "preserve_groups"
-By default, \fBsudo\fR will initialize the group vector to the list of
-groups the target user is in. When \fIpreserve_groups\fR is set, the
-user's existing group vector is left unaltered. The real and
-effective group IDs, however, are still set to match the target
-user. This flag is \fIoff\fR by default.
-.IP "pwfeedback" 16
-.IX Item "pwfeedback"
-By default, \fBsudo\fR reads the password like most other Unix programs,
+.TP 18n
+path_info
+Normally,
+\fBsudo\fR
+will tell the user when a command could not be
+found in their
+\fRPATH\fR
+environment variable.
+Some sites may wish to disable this as it could be used to gather
+information on the location of executables that the normal user does
+not have access to.
+The disadvantage is that if the executable is simply not in the user's
+\fRPATH\fR,
+\fBsudo\fR
+will tell the user that they are not allowed to run it, which can be confusing.
+This flag is
+\fI@path_info@\fR
+by default.
+.TP 18n
+passprompt_override
+The password prompt specified by
+\fIpassprompt\fR
+will normally only be used if the password prompt provided by systems
+such as PAM matches the string
+``Password:''.
+If
+\fIpassprompt_override\fR
+is set,
+\fIpassprompt\fR
+will always be used.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+preserve_groups
+By default,
+\fBsudo\fR
+will initialize the group vector to the list of groups the target user is in.
+When
+\fIpreserve_groups\fR
+is set, the user's existing group vector is left unaltered.
+The real and effective group IDs, however, are still set to match the
+target user.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+pwfeedback
+By default,
+\fBsudo\fR
+reads the password like most other Unix programs,
by turning off echo until the user hits the return (or enter) key.
-Some users become confused by this as it appears to them that \fBsudo\fR
-has hung at this point. When \fIpwfeedback\fR is set, \fBsudo\fR will
-provide visual feedback when the user presses a key. Note that
-this does have a security impact as an onlooker may be able to
+Some users become confused by this as it appears to them that
+\fBsudo\fR
+has hung at this point.
+When
+\fIpwfeedback\fR
+is set,
+\fBsudo\fR
+will provide visual feedback when the user presses a key.
+Note that this does have a security impact as an onlooker may be able to
determine the length of the password being entered.
-This flag is \fIoff\fR by default.
-.IP "requiretty" 16
-.IX Item "requiretty"
-If set, \fBsudo\fR will only run when the user is logged in to a real
-tty. When this flag is set, \fBsudo\fR can only be run from a login
-session and not via other means such as \fIcron\fR\|(@mansectsu@) or cgi-bin scripts.
-This flag is \fIoff\fR by default.
-.IP "root_sudo" 16
-.IX Item "root_sudo"
-If set, root is allowed to run \fBsudo\fR too. Disabling this prevents users
-from \*(L"chaining\*(R" \fBsudo\fR commands to get a root shell by doing something
-like \f(CW"sudo sudo /bin/sh"\fR. Note, however, that turning off \fIroot_sudo\fR
-will also prevent root from running \fBsudoedit\fR.
-Disabling \fIroot_sudo\fR provides no real additional security; it
-exists purely for historical reasons.
-This flag is \fI@root_sudo@\fR by default.
-.IP "rootpw" 16
-.IX Item "rootpw"
-If set, \fBsudo\fR will prompt for the root password instead of the password
-of the invoking user. This flag is \fIoff\fR by default.
-.IP "runaspw" 16
-.IX Item "runaspw"
-If set, \fBsudo\fR will prompt for the password of the user defined by the
-\&\fIrunas_default\fR option (defaults to \f(CW\*(C`@runas_default@\*(C'\fR) instead of the
-password of the invoking user. This flag is \fIoff\fR by default.
-.IP "set_home" 16
-.IX Item "set_home"
-If enabled and \fBsudo\fR is invoked with the \fB\-s\fR option the \f(CW\*(C`HOME\*(C'\fR
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+requiretty
+If set,
+\fBsudo\fR
+will only run when the user is logged in to a real tty.
+When this flag is set,
+\fBsudo\fR
+can only be run from a login session and not via other means such as
+cron(@mansectsu@)
+or cgi-bin scripts.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+root_sudo
+If set, root is allowed to run
+\fBsudo\fR
+too.
+Disabling this prevents users from
+``chaining''
+\fBsudo\fR
+commands to get a root shell by doing something like
+``\fRsudo sudo /bin/sh\fR''.
+Note, however, that turning off
+\fIroot_sudo\fR
+will also prevent root from running
+\fBsudoedit\fR.
+Disabling
+\fIroot_sudo\fR
+provides no real additional security; it exists purely for historical reasons.
+This flag is
+\fI@root_sudo@\fR
+by default.
+.TP 18n
+rootpw
+If set,
+\fBsudo\fR
+will prompt for the root password instead of the password of the invoking user.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+runaspw
+If set,
+\fBsudo\fR
+will prompt for the password of the user defined by the
+\fIrunas_default\fR
+option (defaults to
+\fR@runas_default@\fR)
+instead of the password of the invoking user.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+set_home
+If enabled and
+\fBsudo\fR
+is invoked with the
+\fB\-s\fR
+option the
+\fRHOME\fR
environment variable will be set to the home directory of the target
-user (which is root unless the \fB\-u\fR option is used). This effectively
-makes the \fB\-s\fR option imply \fB\-H\fR. Note that \f(CW\*(C`HOME\*(C'\fR is already
-set when the the \fIenv_reset\fR option is enabled, so \fIset_home\fR is
-only effective for configurations where either \fIenv_reset\fR is disabled
-or \f(CW\*(C`HOME\*(C'\fR is present in the \fIenv_keep\fR list.
-This flag is \fIoff\fR by default.
-.IP "set_logname" 16
-.IX Item "set_logname"
-Normally, \fBsudo\fR will set the \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR and \f(CW\*(C`USERNAME\*(C'\fR
-environment variables to the name of the target user (usually root
-unless the \fB\-u\fR option is given). However, since some programs
-(including the \s-1RCS\s0 revision control system) use \f(CW\*(C`LOGNAME\*(C'\fR to
-determine the real identity of the user, it may be desirable to
-change this behavior. This can be done by negating the set_logname
-option. Note that if the \fIenv_reset\fR option has not been disabled,
-entries in the \fIenv_keep\fR list will override the value of
-\&\fIset_logname\fR. This flag is \fIon\fR by default.
-.IP "setenv" 16
-.IX Item "setenv"
-Allow the user to disable the \fIenv_reset\fR option from the command
-line. Additionally, environment variables set via the command line
-are not subject to the restrictions imposed by \fIenv_check\fR,
-\&\fIenv_delete\fR, or \fIenv_keep\fR. As such, only trusted users should
-be allowed to set variables in this manner. This flag is \fIoff\fR
+user (which is root unless the
+\fB\-u\fR
+option is used).
+This effectively makes the
+\fB\-s\fR
+option imply
+\fB\-H\fR.
+Note that
+\fRHOME\fR
+is already set when the the
+\fIenv_reset\fR
+option is enabled, so
+\fIset_home\fR
+is only effective for configurations where either
+\fIenv_reset\fR
+is disabled
+or
+\fRHOME\fR
+is present in the
+\fIenv_keep\fR
+list.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+set_logname
+Normally,
+\fBsudo\fR
+will set the
+\fRLOGNAME\fR,
+\fRUSER\fR
+and
+\fRUSERNAME\fR
+environment variables to the name of the target user (usually root unless the
+\fB\-u\fR
+option is given).
+However, since some programs (including the RCS revision control system) use
+\fRLOGNAME\fR
+to determine the real identity of the user, it may be desirable to
+change this behavior.
+This can be done by negating the set_logname option.
+Note that if the
+\fIenv_reset\fR
+option has not been disabled, entries in the
+\fIenv_keep\fR
+list will override the value of
+\fIset_logname\fR.
+This flag is
+\fIon\fR
+by default.
+.TP 18n
+setenv
+Allow the user to disable the
+\fIenv_reset\fR
+option from the command line via the
+\fB\-E\fR
+option.
+Additionally, environment variables set via the command line are
+not subject to the restrictions imposed by
+\fIenv_check\fR,
+\fIenv_delete\fR,
+or
+\fIenv_keep\fR.
+As such, only trusted users should be allowed to set variables in this manner.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+shell_noargs
+If set and
+\fBsudo\fR
+is invoked with no arguments it acts as if the
+\fB\-s\fR
+option had been given.
+That is, it runs a shell as root (the shell is determined by the
+\fRSHELL\fR
+environment variable if it is set, falling back on the shell listed
+in the invoking user's /etc/passwd entry if not).
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+stay_setuid
+Normally, when
+\fBsudo\fR
+executes a command the real and effective UIDs are set to the target
+user (root by default).
+This option changes that behavior such that the real UID is left
+as the invoking user's UID.
+In other words, this makes
+\fBsudo\fR
+act as a setuid wrapper.
+This can be useful on systems that disable some potentially
+dangerous functionality when a program is run setuid.
+This option is only effective on systems that support either the
+setreuid(2)
+or
+setresuid(2)
+system call.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+targetpw
+If set,
+\fBsudo\fR
+will prompt for the password of the user specified
+by the
+\fB\-u\fR
+option (defaults to
+\fRroot\fR)
+instead of the password of the invoking user.
+In addition, the time stamp file name will include the target user's name.
+Note that this flag precludes the use of a uid not listed in the passwd
+database as an argument to the
+\fB\-u\fR
+option.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+tty_tickets
+If set, users must authenticate on a per-tty basis.
+With this flag enabled,
+\fBsudo\fR
+will use a file named for the tty the user is
+logged in on in the user's time stamp directory.
+If disabled, the time stamp of the directory is used instead.
+This flag is
+\fI@tty_tickets@\fR
+by default.
+.TP 18n
+umask_override
+If set,
+\fBsudo\fR
+will set the umask as specified by
+\fIsudoers\fR
+without modification.
+This makes it possible to specify a more permissive umask in
+\fIsudoers\fR
+than the user's own umask and matches historical behavior.
+If
+\fIumask_override\fR
+is not set,
+\fBsudo\fR
+will set the umask to be the union of the user's umask and what is specified in
+\fIsudoers\fR.
+This flag is
+\fI@umask_override@\fR
+by default.
+.TP 18n
+use_loginclass
+If set,
+\fBsudo\fR
+will apply the defaults specified for the target user's login class
+if one exists.
+Only available if
+\fBsudo\fR
+is configured with the
+\fR--with-logincap\fR
+option.
+This flag is
+\fIoff\fR
+by default.
+.TP 18n
+use_pty
+If set,
+\fBsudo\fR
+will run the command in a pseudo-pty even if no I/O logging is being gone.
+A malicious program run under
+\fBsudo\fR
+could conceivably fork a background process that retains to the user's
+terminal device after the main program has finished executing.
+Use of this option will make that impossible.
+This flag is
+\fIoff\fR
by default.
-.IP "shell_noargs" 16
-.IX Item "shell_noargs"
-If set and \fBsudo\fR is invoked with no arguments it acts as if the
-\&\fB\-s\fR option had been given. That is, it runs a shell as root (the
-shell is determined by the \f(CW\*(C`SHELL\*(C'\fR environment variable if it is
-set, falling back on the shell listed in the invoking user's
-/etc/passwd entry if not). This flag is \fIoff\fR by default.
-.IP "stay_setuid" 16
-.IX Item "stay_setuid"
-Normally, when \fBsudo\fR executes a command the real and effective
-UIDs are set to the target user (root by default). This option
-changes that behavior such that the real \s-1UID\s0 is left as the invoking
-user's \s-1UID\s0. In other words, this makes \fBsudo\fR act as a setuid
-wrapper. This can be useful on systems that disable some potentially
-dangerous functionality when a program is run setuid. This option
-is only effective on systems with either the \fIsetreuid()\fR or \fIsetresuid()\fR
-function. This flag is \fIoff\fR by default.
-.IP "targetpw" 16
-.IX Item "targetpw"
-If set, \fBsudo\fR will prompt for the password of the user specified
-by the \fB\-u\fR option (defaults to \f(CW\*(C`root\*(C'\fR) instead of the password
-of the invoking user. In addition, the timestamp file name will
-include the target user's name. Note that this flag precludes the
-use of a uid not listed in the passwd database as an argument to
-the \fB\-u\fR option. This flag is \fIoff\fR by default.
-.IP "tty_tickets" 16
-.IX Item "tty_tickets"
-If set, users must authenticate on a per-tty basis. With this flag
-enabled, \fBsudo\fR will use a file named for the tty the user is
-logged in on in the user's time stamp directory. If disabled, the
-time stamp of the directory is used instead. This flag is
-\&\fI@tty_tickets@\fR by default.
-.IP "umask_override" 16
-.IX Item "umask_override"
-If set, \fBsudo\fR will set the umask as specified by \fIsudoers\fR without
-modification. This makes it possible to specify a more permissive
-umask in \fIsudoers\fR than the user's own umask and matches historical
-behavior. If \fIumask_override\fR is not set, \fBsudo\fR will set the
-umask to be the union of the user's umask and what is specified in
-\&\fIsudoers\fR. This flag is \fI@umask_override@\fR by default.
-.if \n(LC \{\
-.IP "use_loginclass" 16
-.IX Item "use_loginclass"
-If set, \fBsudo\fR will apply the defaults specified for the target user's
-login class if one exists. Only available if \fBsudo\fR is configured with
-the \-\-with\-logincap option. This flag is \fIoff\fR by default.
-\}
-.IP "use_pty" 16
-.IX Item "use_pty"
-If set, \fBsudo\fR will run the command in a pseudo-pty even if no I/O
-logging is being gone. A malicious program run under \fBsudo\fR could
-conceivably fork a background process that retains to the user's
-terminal device after the main program has finished executing. Use
-of this option will make that impossible.
-.IP "visiblepw" 16
-.IX Item "visiblepw"
-By default, \fBsudo\fR will refuse to run if the user must enter a
-password but it is not possible to disable echo on the terminal.
-If the \fIvisiblepw\fR flag is set, \fBsudo\fR will prompt for a password
-even when it would be visible on the screen. This makes it possible
-to run things like \f(CW"ssh somehost sudo ls"\fR since by default, \fIssh\fR\|(1) does
-not allocate a tty when running a command. This flag is \fIoff\fR by default.
-.PP
-\&\fBIntegers\fR:
-.IP "closefrom" 16
-.IX Item "closefrom"
-Before it executes a command, \fBsudo\fR will close all open file
-descriptors other than standard input, standard output and standard
-error (ie: file descriptors 0\-2). The \fIclosefrom\fR option can be used
-to specify a different file descriptor at which to start closing.
-The default is \f(CW3\fR.
-.IP "passwd_tries" 16
-.IX Item "passwd_tries"
+.TP 18n
+visiblepw
+By default,
+\fBsudo\fR
+will refuse to run if the user must enter a password but it is not
+possible to disable echo on the terminal.
+If the
+\fIvisiblepw\fR
+flag is set,
+\fBsudo\fR
+will prompt for a password even when it would be visible on the screen.
+This makes it possible to run things like
+``\fRssh somehost sudo ls\fR''
+since by default,
+ssh(1)
+does
+not allocate a tty when running a command.
+This flag is
+\fIoff\fR
+by default.
+.PP
+\fBIntegers\fR:
+.TP 18n
+closefrom
+Before it executes a command,
+\fBsudo\fR
+will close all open file descriptors other than standard input,
+standard output and standard error (ie: file descriptors 0-2).
+The
+\fIclosefrom\fR
+option can be used to specify a different file descriptor at which
+to start closing.
+The default is
+\fR3\fR.
+.TP 18n
+passwd_tries
The number of tries a user gets to enter his/her password before
-\&\fBsudo\fR logs the failure and exits. The default is \f(CW\*(C`@passwd_tries@\*(C'\fR.
-.PP
-\&\fBIntegers that can be used in a boolean context\fR:
-.IP "loglinelen" 16
-.IX Item "loglinelen"
-Number of characters per line for the file log. This value is used
-to decide when to wrap lines for nicer log files. This has no
-effect on the syslog log file, only the file log. The default is
-\&\f(CW\*(C`@loglen@\*(C'\fR (use 0 or negate the option to disable word wrap).
-.IP "passwd_timeout" 16
-.IX Item "passwd_timeout"
-Number of minutes before the \fBsudo\fR password prompt times out, or
-\&\f(CW0\fR for no timeout. The timeout may include a fractional component
-if minute granularity is insufficient, for example \f(CW2.5\fR. The
-default is \f(CW\*(C`@password_timeout@\*(C'\fR.
-.IP "timestamp_timeout" 16
-.IX Item "timestamp_timeout"
-Number of minutes that can elapse before \fBsudo\fR will ask for a
-passwd again. The timeout may include a fractional component if
-minute granularity is insufficient, for example \f(CW2.5\fR. The default
-is \f(CW\*(C`@timeout@\*(C'\fR. Set this to \f(CW0\fR to always prompt for a password.
-If set to a value less than \f(CW0\fR the user's timestamp will never
-expire. This can be used to allow users to create or delete their
-own timestamps via \f(CW\*(C`sudo \-v\*(C'\fR and \f(CW\*(C`sudo \-k\*(C'\fR respectively.
-.IP "umask" 16
-.IX Item "umask"
-Umask to use when running the command. Negate this option or set
-it to 0777 to preserve the user's umask. The actual umask that is
-used will be the union of the user's umask and the value of the
-\&\fIumask\fR option, which defaults to \f(CW\*(C`@sudo_umask@\*(C'\fR. This guarantees
-that \fBsudo\fR never lowers the umask when running a command. Note
-on systems that use \s-1PAM\s0, the default \s-1PAM\s0 configuration may specify
-its own umask which will override the value set in \fIsudoers\fR.
-.PP
-\&\fBStrings\fR:
-.IP "badpass_message" 16
-.IX Item "badpass_message"
+\fBsudo\fR
+logs the failure and exits.
+The default is
+\fR@passwd_tries@\fR.
+.PP
+\fBIntegers that can be used in a boolean context\fR:
+.TP 18n
+loglinelen
+Number of characters per line for the file log.
+This value is used to decide when to wrap lines for nicer log files.
+This has no effect on the syslog log file, only the file log.
+The default is
+\fR@loglen@\fR
+(use 0 or negate the option to disable word wrap).
+.TP 18n
+passwd_timeout
+Number of minutes before the
+\fBsudo\fR
+password prompt times out, or
+\fR0\fR
+for no timeout.
+The timeout may include a fractional component
+if minute granularity is insufficient, for example
+\fR2.5\fR.
+The
+default is
+\fR@password_timeout@\fR.
+.TP 18n
+timestamp_timeout
+.br
+Number of minutes that can elapse before
+\fBsudo\fR
+will ask for a passwd again.
+The timeout may include a fractional component if
+minute granularity is insufficient, for example
+\fR2.5\fR.
+The default is
+\fR@timeout@\fR.
+Set this to
+\fR0\fR
+to always prompt for a password.
+If set to a value less than
+\fR0\fR
+the user's time stamp will never expire.
+This can be used to allow users to create or delete their own time stamps via
+``\fRsudo -v\fR''
+and
+``\fRsudo -k\fR''
+respectively.
+.TP 18n
+umask
+Umask to use when running the command.
+Negate this option or set it to 0777 to preserve the user's umask.
+The actual umask that is used will be the union of the user's umask
+and the value of the
+\fIumask\fR
+option, which defaults to
+\fR@sudo_umask@\fR.
+This guarantees
+that
+\fBsudo\fR
+never lowers the umask when running a command.
+Note: on systems that use PAM, the default PAM configuration may specify
+its own umask which will override the value set in
+\fIsudoers\fR.
+.PP
+\fBStrings\fR:
+.TP 18n
+badpass_message
Message that is displayed if a user enters an incorrect password.
-The default is \f(CW\*(C`@badpass_message@\*(C'\fR unless insults are enabled.
-.IP "editor" 16
-.IX Item "editor"
-A colon (':') separated list of editors allowed to be used with
-\&\fBvisudo\fR. \fBvisudo\fR will choose the editor that matches the user's
-\&\s-1EDITOR\s0 environment variable if possible, or the first editor in the
-list that exists and is executable. The default is \f(CW"@editor@"\fR.
-.IP "iolog_dir" 16
-.IX Item "iolog_dir"
-The directory in which to store input/output logs when the \fIlog_input\fR
-or \fIlog_output\fR options are enabled or when the \f(CW\*(C`LOG_INPUT\*(C'\fR or
-\&\f(CW\*(C`LOG_OUTPUT\*(C'\fR tags are present for a command.
-The default is \f(CW"@iolog_dir@"\fR.
-.IP "mailsub" 16
-.IX Item "mailsub"
-Subject of the mail sent to the \fImailto\fR user. The escape \f(CW%h\fR
+The default is
+\fR@badpass_message@\fR
+unless insults are enabled.
+.TP 18n
+editor
+A colon
+(`:\&')
+separated list of editors allowed to be used with
+\fBvisudo\fR.
+\fBvisudo\fR
+will choose the editor that matches the user's
+\fREDITOR\fR
+environment variable if possible, or the first editor in the
+list that exists and is executable.
+The default is
+\fI@editor@\fR.
+.TP 18n
+iolog_dir
+The directory in which to store input/output logs when the
+\fIlog_input\fR
+or
+\fIlog_output\fR
+options are enabled or when the
+\fRLOG_INPUT\fR
+or
+\fRLOG_OUTPUT\fR
+tags are present for a command.
+The default is
+\fI@iolog_dir@\fR.
+.TP 18n
+mailsub
+Subject of the mail sent to the
+\fImailto\fR
+user.
+The escape
+\fR%h\fR
will expand to the host name of the machine.
-Default is "\f(CW\*(C`@mailsub@\*(C'\fR".
-.IP "noexec_file" 16
-.IX Item "noexec_file"
-Path to a shared library containing dummy versions of the \fIexecv()\fR,
-\&\fIexecve()\fR and \fIfexecve()\fR library functions that just return an error.
-This is used to implement the \fInoexec\fR functionality on systems that
-support \f(CW\*(C`LD_PRELOAD\*(C'\fR or its equivalent. Defaults to \fI@noexec_file@\fR.
-.IP "passprompt" 16
-.IX Item "passprompt"
-The default prompt to use when asking for a password; can be overridden
-via the \fB\-p\fR option or the \f(CW\*(C`SUDO_PROMPT\*(C'\fR environment variable.
-The following percent (`\f(CW\*(C`%\*(C'\fR') escapes are supported:
-.RS 16
-.ie n .IP "%H" 4
-.el .IP "\f(CW%H\fR" 4
-.IX Item "%H"
+Default is
+``\fR@mailsub@\fR''.
+.TP 18n
+noexec_file
+The
+\fInoexec\fR
+option specifies the the fully-qualified path to a shared library
+containing dummy versions of the
+\fBexecv\fR(),
+\fBexecve\fR()
+and
+\fBfexecve\fR()
+library functions that just return an error.
+This is used to implement the
+\fInoexec\fR
+functionality on systems that support
+\fRLD_PRELOAD\fR
+or its equivalent.
+Defaults to
+\fI@noexec_file@\fR.
+.TP 18n
+passprompt
+The default prompt to use when asking for a password; can be overridden via the
+\fB\-p\fR
+option or the
+\fRSUDO_PROMPT\fR
+environment variable.
+The following percent
+(`%')
+escape sequences are supported:
+.RS
+.TP 6n
+\fR%H\fR
expanded to the local host name including the domain name
-(on if the machine's host name is fully qualified or the \fIfqdn\fR
+(only if the machine's host name is fully qualified or the
+\fIfqdn\fR
option is set)
-.ie n .IP "%h" 4
-.el .IP "\f(CW%h\fR" 4
-.IX Item "%h"
+.TP 6n
+\fR%h\fR
expanded to the local host name without the domain name
-.ie n .IP "%p" 4
-.el .IP "\f(CW%p\fR" 4
-.IX Item "%p"
-expanded to the user whose password is being asked for (respects the
-\&\fIrootpw\fR, \fItargetpw\fR and \fIrunaspw\fR flags in \fIsudoers\fR)
-.ie n .IP "%U" 4
-.el .IP "\f(CW%U\fR" 4
-.IX Item "%U"
+.TP 6n
+\fR%p\fR
+expanded to the user whose password is being asked for (respects the
+\fIrootpw\fR,
+\fItargetpw\fR
+and
+\fIrunaspw\fR
+flags in
+\fIsudoers\fR)
+.TP 6n
+\fR\&%U\fR
expanded to the login name of the user the command will
be run as (defaults to root)
-.ie n .IP "%u" 4
-.el .IP "\f(CW%u\fR" 4
-.IX Item "%u"
+.TP 6n
+\fR%u\fR
expanded to the invoking user's login name
-.ie n .IP "\*(C`%%\*(C'" 4
-.el .IP "\f(CW\*(C`%%\*(C'\fR" 4
-.IX Item "%%"
-two consecutive \f(CW\*(C`%\*(C'\fR characters are collapsed into a single \f(CW\*(C`%\*(C'\fR character
-.RE
-.RS 16
-.Sp
-The default value is "\f(CW\*(C`@passprompt@\*(C'\fR".
+.TP 6n
+\fR%%\fR
+two consecutive
+\fR%\fR
+characters are collapsed into a single
+\fR%\fR
+character
+.PP
+The default value is
+``\fR@passprompt@\fR''.
+.PP
.RE
-.if \n(SL \{\
-.IP "role" 16
-.IX Item "role"
+.PD 0
+.TP 18n
+privs
+The default Solaris privileges to use when constructing a new
+privilege set for a command.
+This is passed to the executing process via the inherited privilege set,
+but is bounded by the limit privileges.
+If the
+\fIprivs\fR
+option is specified but the
+\fIlimitprivs\fR
+option is not, the limit privileges of the executing process is set to
+\fIprivs\fR.
+The default privileges may be overridden on a per-command basis in
+\fIsudoers\fR.
+This option is only available if
+\fBsudoers\fR
+is built on Solaris 10 or higher.
+.PD
+.TP 18n
+role
The default SELinux role to use when constructing a new security
-context to run the command. The default role may be overridden on
-a per-command basis in \fIsudoers\fR or via command line options.
-This option is only available whe \fBsudo\fR is built with SELinux support.
-\}
-.IP "runas_default" 16
-.IX Item "runas_default"
-The default user to run commands as if the \fB\-u\fR option is not specified
-on the command line. This defaults to \f(CW\*(C`@runas_default@\*(C'\fR.
-.IP "syslog_badpri" 16
-.IX Item "syslog_badpri"
+context to run the command.
+The default role may be overridden on a per-command basis in
+\fIsudoers\fR
+or via command line options.
+This option is only available when
+\fBsudo\fR
+is built with SELinux support.
+.TP 18n
+runas_default
+The default user to run commands as if the
+\fB\-u\fR
+option is not specified on the command line.
+This defaults to
+\fR@runas_default@\fR.
+.TP 18n
+syslog_badpri
Syslog priority to use when user authenticates unsuccessfully.
-Defaults to \f(CW\*(C`@badpri@\*(C'\fR.
-.Sp
-The following syslog priorities are supported: \fBalert\fR, \fBcrit\fR,
-\&\fBdebug\fR, \fBemerg\fR, \fBerr\fR, \fBinfo\fR, \fBnotice\fR, and \fBwarning\fR.
-.IP "syslog_goodpri" 16
-.IX Item "syslog_goodpri"
+Defaults to
+\fR@badpri@\fR.
+.sp
+The following syslog priorities are supported:
+\fBalert\fR,
+\fBcrit\fR,
+\fBdebug\fR,
+\fBemerg\fR,
+\fBerr\fR,
+\fBinfo\fR,
+\fBnotice\fR,
+and
+\fBwarning\fR.
+.TP 18n
+syslog_goodpri
Syslog priority to use when user authenticates successfully.
-Defaults to \f(CW\*(C`@goodpri@\*(C'\fR.
-.Sp
-See syslog_badpri for the list of supported syslog priorities.
-.IP "sudoers_locale" 16
-.IX Item "sudoers_locale"
+Defaults to
+\fR@goodpri@\fR.
+.sp
+See
+\fIsyslog_badpri\fR
+for the list of supported syslog priorities.
+.TP 18n
+sudoers_locale
Locale to use when parsing the sudoers file, logging commands, and
-sending email. Note that changing the locale may affect how sudoers
-is interpreted. Defaults to \f(CW"C"\fR.
-.IP "timestampdir" 16
-.IX Item "timestampdir"
-The directory in which \fBsudo\fR stores its timestamp files.
-The default is \fI@timedir@\fR.
-.IP "timestampowner" 16
-.IX Item "timestampowner"
-The owner of the timestamp directory and the timestamps stored therein.
-The default is \f(CW\*(C`root\*(C'\fR.
-.if \n(SL \{\
-.IP "type" 16
-.IX Item "type"
+sending email.
+Note that changing the locale may affect how sudoers is interpreted.
+Defaults to
+``\fRC\fR''.
+.TP 18n
+timestampdir
+The directory in which
+\fBsudo\fR
+stores its time stamp files.
+The default is
+\fI@timedir@\fR.
+.TP 18n
+timestampowner
+The owner of the time stamp directory and the time stamps stored therein.
+The default is
+\fRroot\fR.
+.TP 18n
+type
The default SELinux type to use when constructing a new security
-context to run the command. The default type may be overridden on
-a per-command basis in \fIsudoers\fR or via command line options.
-This option is only available whe \fBsudo\fR is built with SELinux support.
-\}
-.PP
-\&\fBStrings that can be used in a boolean context\fR:
-.IP "askpass" 12
-.IX Item "askpass"
-The \fIaskpass\fR option specifies the fully qualified path to a helper
-program used to read the user's password when no terminal is
-available. This may be the case when \fBsudo\fR is executed from a
-graphical (as opposed to text-based) application. The program
-specified by \fIaskpass\fR should display the argument passed to it
-as the prompt and write the user's password to the standard output.
-The value of \fIaskpass\fR may be overridden by the \f(CW\*(C`SUDO_ASKPASS\*(C'\fR
+context to run the command.
+The default type may be overridden on a per-command basis in
+\fIsudoers\fR
+or via command line options.
+This option is only available when
+\fBsudo\fR
+is built with SELinux support.
+.PP
+\fBStrings that can be used in a boolean context\fR:
+.TP 14n
+askpass
+The
+\fIaskpass\fR
+option specifies the fully qualified path to a helper program used
+to read the user's password when no terminal is available.
+This may be the case when
+\fBsudo\fR
+is executed from a graphical (as opposed to text-based) application.
+The program specified by
+\fIaskpass\fR
+should display the argument passed to it as the prompt and write
+the user's password to the standard output.
+The value of
+\fIaskpass\fR
+may be overridden by the
+\fRSUDO_ASKPASS\fR
environment variable.
-.IP "env_file" 12
-.IX Item "env_file"
-The \fIenv_file\fR option specifies the fully qualified path to a
-file containing variables to be set in the environment of the program
-being run. Entries in this file should either be of the form
-\&\f(CW\*(C`VARIABLE=value\*(C'\fR or \f(CW\*(C`export VARIABLE=value\*(C'\fR. The value may
-optionally be surrounded by single or double quotes. Variables in
-this file are subject to other \fBsudo\fR environment settings such
-as \fIenv_keep\fR and \fIenv_check\fR.
-.IP "exempt_group" 12
-.IX Item "exempt_group"
-Users in this group are exempt from password and \s-1PATH\s0 requirements.
-The group name specified should not include a \f(CW\*(C`%\*(C'\fR prefix.
+.TP 14n
+env_file
+The
+\fIenv_file\fR
+option specifies the fully qualified path to a file containing variables
+to be set in the environment of the program being run.
+Entries in this file should either be of the form
+``\fRVARIABLE=value\fR''
+or
+``\fRexport VARIABLE=value\fR''.
+The value may optionally be surrounded by single or double quotes.
+Variables in this file are subject to other
+\fBsudo\fR
+environment settings such as
+\fIenv_keep\fR
+and
+\fIenv_check\fR.
+.TP 14n
+exempt_group
+Users in this group are exempt from password and PATH requirements.
+The group name specified should not include a
+\fR%\fR
+prefix.
This is not set by default.
-.IP "lecture" 12
-.IX Item "lecture"
+.TP 14n
+lecture
This option controls when a short lecture will be printed along with
-the password prompt. It has the following possible values:
-.RS 12
-.IP "always" 8
-.IX Item "always"
+the password prompt.
+It has the following possible values:
+.RS
+.TP 8n
+always
Always lecture the user.
-.IP "never" 8
-.IX Item "never"
+.TP 8n
+never
Never lecture the user.
-.IP "once" 8
-.IX Item "once"
-Only lecture the user the first time they run \fBsudo\fR.
-.RE
-.RS 12
-.Sp
-If no value is specified, a value of \fIonce\fR is implied.
-Negating the option results in a value of \fInever\fR being used.
-The default value is \fI@lecture@\fR.
-.RE
-.IP "lecture_file" 12
-.IX Item "lecture_file"
-Path to a file containing an alternate \fBsudo\fR lecture that will
-be used in place of the standard lecture if the named file exists.
-By default, \fBsudo\fR uses a built-in lecture.
-.IP "listpw" 12
-.IX Item "listpw"
-This option controls when a password will be required when a
-user runs \fBsudo\fR with the \fB\-l\fR option. It has the following possible values:
-.RS 12
-.IP "all" 8
-.IX Item "all"
-All the user's \fIsudoers\fR entries for the current host must have
-the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
-.IP "always" 8
-.IX Item "always"
-The user must always enter a password to use the \fB\-l\fR option.
-.IP "any" 8
-.IX Item "any"
-At least one of the user's \fIsudoers\fR entries for the current host
-must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
-.IP "never" 8
-.IX Item "never"
-The user need never enter a password to use the \fB\-l\fR option.
+.TP 8n
+once
+Only lecture the user the first time they run
+\fBsudo\fR.
+.PP
+If no value is specified, a value of
+\fIonce\fR
+is implied.
+Negating the option results in a value of
+\fInever\fR
+being used.
+The default value is
+\fI@lecture@\fR.
+.PP
.RE
-.RS 12
-.Sp
-If no value is specified, a value of \fIany\fR is implied.
-Negating the option results in a value of \fInever\fR being used.
-The default value is \fIany\fR.
+.PD 0
+.TP 14n
+lecture_file
+Path to a file containing an alternate
+\fBsudo\fR
+lecture that will be used in place of the standard lecture if the named
+file exists.
+By default,
+\fBsudo\fR
+uses a built-in lecture.
+.PD
+.TP 14n
+listpw
+This option controls when a password will be required when a user runs
+\fBsudo\fR
+with the
+\fB\-l\fR
+option.
+It has the following possible values:
+.RS
+.TP 10n
+all
+All the user's
+\fIsudoers\fR
+entries for the current host must have
+the
+\fRNOPASSWD\fR
+flag set to avoid entering a password.
+.TP 10n
+always
+The user must always enter a password to use the
+\fB\-l\fR
+option.
+.TP 10n
+any
+At least one of the user's
+\fIsudoers\fR
+entries for the current host
+must have the
+\fRNOPASSWD\fR
+flag set to avoid entering a password.
+.TP 10n
+never
+The user need never enter a password to use the
+\fB\-l\fR
+option.
+.PP
+If no value is specified, a value of
+\fIany\fR
+is implied.
+Negating the option results in a value of
+\fInever\fR
+being used.
+The default value is
+\fIany\fR.
+.PP
.RE
-.IP "logfile" 12
-.IX Item "logfile"
-Path to the \fBsudo\fR log file (not the syslog log file). Setting a path
-turns on logging to a file; negating this option turns it off.
-By default, \fBsudo\fR logs via syslog.
-.IP "mailerflags" 12
-.IX Item "mailerflags"
-Flags to use when invoking mailer. Defaults to \fB\-t\fR.
-.IP "mailerpath" 12
-.IX Item "mailerpath"
+.PD 0
+.TP 14n
+logfile
+Path to the
+\fBsudo\fR
+log file (not the syslog log file).
+Setting a path turns on logging to a file;
+negating this option turns it off.
+By default,
+\fBsudo\fR
+logs via syslog.
+.PD
+.TP 14n
+mailerflags
+Flags to use when invoking mailer. Defaults to
+\fB\-t\fR.
+.TP 14n
+mailerpath
Path to mail program used to send warning mail.
Defaults to the path to sendmail found at configure time.
-.IP "mailfrom" 12
-.IX Item "mailfrom"
-Address to use for the \*(L"from\*(R" address when sending warning and error
-mail. The address should be enclosed in double quotes (\f(CW""\fR) to
-protect against \fBsudo\fR interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to
-the name of the user running \fBsudo\fR.
-.IP "mailto" 12
-.IX Item "mailto"
-Address to send warning and error mail to. The address should
-be enclosed in double quotes (\f(CW""\fR) to protect against \fBsudo\fR
-interpreting the \f(CW\*(C`@\*(C'\fR sign. Defaults to \f(CW\*(C`@mailto@\*(C'\fR.
-.IP "secure_path" 12
-.IX Item "secure_path"
-Path used for every command run from \fBsudo\fR. If you don't trust the
-people running \fBsudo\fR to have a sane \f(CW\*(C`PATH\*(C'\fR environment variable you may
-want to use this. Another use is if you want to have the \*(L"root path\*(R"
-be separate from the \*(L"user path.\*(R" Users in the group specified by the
-\&\fIexempt_group\fR option are not affected by \fIsecure_path\fR.
+.TP 14n
+mailfrom
+Address to use for the
+``from''
+address when sending warning and error mail.
+The address should be enclosed in double quotes
+(\&"")
+to protect against
+\fBsudo\fR
+interpreting the
+\fR@\fR
+sign.
+Defaults to the name of the user running
+\fBsudo\fR.
+.TP 14n
+mailto
+Address to send warning and error mail to.
+The address should be enclosed in double quotes
+(\&"")
+to protect against
+\fBsudo\fR
+interpreting the
+\fR@\fR
+sign.
+Defaults to
+\fR@mailto@\fR.
+.TP 14n
+secure_path
+Path used for every command run from
+\fBsudo\fR.
+If you don't trust the
+people running
+\fBsudo\fR
+to have a sane
+\fRPATH\fR
+environment variable you may want to use this.
+Another use is if you want to have the
+``root path''
+be separate from the
+``user path''.
+Users in the group specified by the
+\fIexempt_group\fR
+option are not affected by
+\fIsecure_path\fR.
This option is @secure_path@ by default.
-.IP "syslog" 12
-.IX Item "syslog"
+.TP 14n
+syslog
Syslog facility if syslog is being used for logging (negate to
-disable syslog logging). Defaults to \f(CW\*(C`@logfac@\*(C'\fR.
-.Sp
-The following syslog facilities are supported: \fBauthpriv\fR (if your
-\&\s-1OS\s0 supports it), \fBauth\fR, \fBdaemon\fR, \fBuser\fR, \fBlocal0\fR, \fBlocal1\fR,
-\&\fBlocal2\fR, \fBlocal3\fR, \fBlocal4\fR, \fBlocal5\fR, \fBlocal6\fR, and \fBlocal7\fR.
-.IP "verifypw" 12
-.IX Item "verifypw"
+disable syslog logging).
+Defaults to
+\fR@logfac@\fR.
+.sp
+The following syslog facilities are supported:
+\fBauthpriv\fR
+(if your
+OS supports it),
+\fBauth\fR,
+\fBdaemon\fR,
+\fBuser\fR,
+\fBlocal0\fR,
+\fBlocal1\fR,
+\fBlocal2\fR,
+\fBlocal3\fR,
+\fBlocal4\fR,
+\fBlocal5\fR,
+\fBlocal6\fR,
+and
+\fBlocal7\fR.
+.TP 14n
+verifypw
This option controls when a password will be required when a user runs
-\&\fBsudo\fR with the \fB\-v\fR option. It has the following possible values:
-.RS 12
-.IP "all" 8
-.IX Item "all"
-All the user's \fIsudoers\fR entries for the current host must have
-the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
-.IP "always" 8
-.IX Item "always"
-The user must always enter a password to use the \fB\-v\fR option.
-.IP "any" 8
-.IX Item "any"
-At least one of the user's \fIsudoers\fR entries for the current host
-must have the \f(CW\*(C`NOPASSWD\*(C'\fR flag set to avoid entering a password.
-.IP "never" 8
-.IX Item "never"
-The user need never enter a password to use the \fB\-v\fR option.
-.RE
-.RS 12
-.Sp
-If no value is specified, a value of \fIall\fR is implied.
-Negating the option results in a value of \fInever\fR being used.
-The default value is \fIall\fR.
+\fBsudo\fR
+with the
+\fB\-v\fR
+option.
+It has the following possible values:
+.RS
+.TP 8n
+all
+All the user's
+\fIsudoers\fR
+entries for the current host must have the
+\fRNOPASSWD\fR
+flag set to avoid entering a password.
+.TP 8n
+always
+The user must always enter a password to use the
+\fB\-v\fR
+option.
+.TP 8n
+any
+At least one of the user's
+\fIsudoers\fR
+entries for the current host must have the
+\fRNOPASSWD\fR
+flag set to avoid entering a password.
+.TP 8n
+never
+The user need never enter a password to use the
+\fB\-v\fR
+option.
+.PP
+If no value is specified, a value of
+\fIall\fR
+is implied.
+Negating the option results in a value of
+\fInever\fR
+being used.
+The default value is
+\fIall\fR.
.RE
.PP
-\&\fBLists that can be used in a boolean context\fR:
-.IP "env_check" 16
-.IX Item "env_check"
+\fBLists that can be used in a boolean context\fR:
+.TP 18n
+env_check
Environment variables to be removed from the user's environment if
-the variable's value contains \f(CW\*(C`%\*(C'\fR or \f(CW\*(C`/\*(C'\fR characters. This can
-be used to guard against printf-style format vulnerabilities in
-poorly-written programs. The argument may be a double-quoted,
-space-separated list or a single value without double-quotes. The
-list can be replaced, added to, deleted from, or disabled by using
-the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators respectively. Regardless
-of whether the \f(CW\*(C`env_reset\*(C'\fR option is enabled or disabled, variables
-specified by \f(CW\*(C`env_check\*(C'\fR will be preserved in the environment if
-they pass the aforementioned check. The default list of environment
-variables to check is displayed when \fBsudo\fR is run by root with
-the \fB\-V\fR option.
-.IP "env_delete" 16
-.IX Item "env_delete"
-Environment variables to be removed from the user's environment
-when the \fIenv_reset\fR option is not in effect. The argument may
-be a double-quoted, space-separated list or a single value without
-double-quotes. The list can be replaced, added to, deleted from,
-or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and \f(CW\*(C`!\*(C'\fR operators
-respectively. The default list of environment variables to remove
-is displayed when \fBsudo\fR is run by root with the \fB\-V\fR option.
+the variable's value contains
+`%'
+or
+`/'
+characters.
+This can be used to guard against printf-style format vulnerabilities
+in poorly-written programs.
+The argument may be a double-quoted, space-separated list or a
+single value without double-quotes.
+The list can be replaced, added to, deleted from, or disabled by using
+the
+\fR=\fR,
+\fR+=\fR,
+\fR-=\fR,
+and
+\fR\&!\fR
+operators respectively.
+Regardless of whether the
+\fRenv_reset\fR
+option is enabled or disabled, variables specified by
+\fRenv_check\fR
+will be preserved in the environment if they pass the aforementioned check.
+The default list of environment variables to check is displayed when
+\fBsudo\fR
+is run by root with
+the
+\fB\-V\fR
+option.
+.TP 18n
+env_delete
+Environment variables to be removed from the user's environment when the
+\fIenv_reset\fR
+option is not in effect.
+The argument may be a double-quoted, space-separated list or a
+single value without double-quotes.
+The list can be replaced, added to, deleted from, or disabled by using the
+\fR=\fR,
+\fR+=\fR,
+\fR-=\fR,
+and
+\fR\&!\fR
+operators respectively.
+The default list of environment variables to remove is displayed when
+\fBsudo\fR
+is run by root with the
+\fB\-V\fR
+option.
Note that many operating systems will remove potentially dangerous
variables from the environment of any setuid process (such as
-\&\fBsudo\fR).
-.IP "env_keep" 16
-.IX Item "env_keep"
-Environment variables to be preserved in the user's environment
-when the \fIenv_reset\fR option is in effect. This allows fine-grained
-control over the environment \fBsudo\fR\-spawned processes will receive.
+\fBsudo\fR).
+.TP 18n
+env_keep
+Environment variables to be preserved in the user's environment when the
+\fIenv_reset\fR
+option is in effect.
+This allows fine-grained control over the environment
+\fBsudo\fR-spawned
+processes will receive.
The argument may be a double-quoted, space-separated list or a
-single value without double-quotes. The list can be replaced, added
-to, deleted from, or disabled by using the \f(CW\*(C`=\*(C'\fR, \f(CW\*(C`+=\*(C'\fR, \f(CW\*(C`\-=\*(C'\fR, and
-\&\f(CW\*(C`!\*(C'\fR operators respectively. The default list of variables to keep
-is displayed when \fBsudo\fR is run by root with the \fB\-V\fR option.
+single value without double-quotes.
+The list can be replaced, added to, deleted from, or disabled by using the
+\fR=\fR,
+\fR+=\fR,
+\fR-=\fR,
+and
+\fR\&!\fR
+operators respectively.
+The default list of variables to keep
+is displayed when
+\fBsudo\fR
+is run by root with the
+\fB\-V\fR
+option.
.SH "FILES"
-.IX Header "FILES"
-.ie n .IP "\fI@sysconfdir@/sudoers\fR" 24
-.el .IP "\fI@sysconfdir@/sudoers\fR" 24
-.IX Item "@sysconfdir@/sudoers"
+.TP 26n
+\fI@sysconfdir@/sudoers\fR
List of who can run what
-.IP "\fI/etc/group\fR" 24
-.IX Item "/etc/group"
+.TP 26n
+\fI/etc/group\fR
Local groups file
-.IP "\fI/etc/netgroup\fR" 24
-.IX Item "/etc/netgroup"
+.TP 26n
+\fI/etc/netgroup\fR
List of network groups
-.ie n .IP "\fI@iolog_dir@\fR" 24
-.el .IP "\fI@iolog_dir@\fR" 24
-.IX Item "@iolog_dir@"
+.TP 26n
+\fI@iolog_dir@\fR
I/O log files
.SH "EXAMPLES"
-.IX Header "EXAMPLES"
-Below are example \fIsudoers\fR entries. Admittedly, some of
-these are a bit contrived. First, we allow a few environment
-variables to pass and then define our \fIaliases\fR:
-.PP
-.Vb 4
-\& # Run X applications through sudo; HOME is used to find the
-\& # .Xauthority file. Note that other programs use HOME to find
-\& # configuration files and this may lead to privilege escalation!
-\& Defaults env_keep += "DISPLAY HOME"
-\&
-\& # User alias specification
-\& User_Alias FULLTIMERS = millert, mikef, dowdy
-\& User_Alias PARTTIMERS = bostley, jwfox, crawl
-\& User_Alias WEBMASTERS = will, wendy, wim
-\&
-\& # Runas alias specification
-\& Runas_Alias OP = root, operator
-\& Runas_Alias DB = oracle, sybase
-\& Runas_Alias ADMINGRP = adm, oper
-\&
-\& # Host alias specification
-\& Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
-\& SGI = grolsch, dandelion, black :\e
-\& ALPHA = widget, thalamus, foobar :\e
-\& HPPA = boa, nag, python
-\& Host_Alias CUNETS = 128.138.0.0/255.255.0.0
-\& Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
-\& Host_Alias SERVERS = master, mail, www, ns
-\& Host_Alias CDROM = orion, perseus, hercules
-\&
-\& # Cmnd alias specification
-\& Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
-\& /usr/sbin/restore, /usr/sbin/rrestore
-\& Cmnd_Alias KILL = /usr/bin/kill
-\& Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
-\& Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
-\& Cmnd_Alias HALT = /usr/sbin/halt
-\& Cmnd_Alias REBOOT = /usr/sbin/reboot
-\& Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\e
-\& /usr/local/bin/tcsh, /usr/bin/rsh,\e
-\& /usr/local/bin/zsh
-\& Cmnd_Alias SU = /usr/bin/su
-\& Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
-.Ve
-.PP
-Here we override some of the compiled in default values. We want
-\&\fBsudo\fR to log via \fIsyslog\fR\|(3) using the \fIauth\fR facility in all
-cases. We don't want to subject the full time staff to the \fBsudo\fR
-lecture, user \fBmillert\fR need not give a password, and we don't
-want to reset the \f(CW\*(C`LOGNAME\*(C'\fR, \f(CW\*(C`USER\*(C'\fR or \f(CW\*(C`USERNAME\*(C'\fR environment
-variables when running commands as root. Additionally, on the
-machines in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, we keep an additional
-local log file and make sure we log the year in each log line since
-the log entries will be kept around for several years. Lastly, we
-disable shell escapes for the commands in the \s-1PAGERS\s0 \f(CW\*(C`Cmnd_Alias\*(C'\fR
-(\fI/usr/bin/more\fR, \fI/usr/bin/pg\fR and \fI/usr/bin/less\fR).
-.PP
-.Vb 7
-\& # Override built\-in defaults
-\& Defaults syslog=auth
-\& Defaults>root !set_logname
-\& Defaults:FULLTIMERS !lecture
-\& Defaults:millert !authenticate
-\& Defaults@SERVERS log_year, logfile=/var/log/sudo.log
-\& Defaults!PAGERS noexec
-.Ve
-.PP
-The \fIUser specification\fR is the part that actually determines who may
-run what.
-.PP
-.Vb 2
-\& root ALL = (ALL) ALL
-\& %wheel ALL = (ALL) ALL
-.Ve
-.PP
-We let \fBroot\fR and any user in group \fBwheel\fR run any command on any
-host as any user.
-.PP
-.Vb 1
-\& FULLTIMERS ALL = NOPASSWD: ALL
-.Ve
-.PP
-Full time sysadmins (\fBmillert\fR, \fBmikef\fR, and \fBdowdy\fR) may run any
-command on any host without authenticating themselves.
-.PP
-.Vb 1
-\& PARTTIMERS ALL = ALL
-.Ve
-.PP
-Part time sysadmins (\fBbostley\fR, \fBjwfox\fR, and \fBcrawl\fR) may run any
-command on any host but they must authenticate themselves first
-(since the entry lacks the \f(CW\*(C`NOPASSWD\*(C'\fR tag).
-.PP
-.Vb 1
-\& jack CSNETS = ALL
-.Ve
-.PP
-The user \fBjack\fR may run any command on the machines in the \fI\s-1CSNETS\s0\fR alias
-(the networks \f(CW128.138.243.0\fR, \f(CW128.138.204.0\fR, and \f(CW128.138.242.0\fR).
-Of those networks, only \f(CW128.138.204.0\fR has an explicit netmask (in
-\&\s-1CIDR\s0 notation) indicating it is a class C network. For the other
-networks in \fI\s-1CSNETS\s0\fR, the local machine's netmask will be used
-during matching.
-.PP
-.Vb 1
-\& lisa CUNETS = ALL
-.Ve
-.PP
-The user \fBlisa\fR may run any command on any host in the \fI\s-1CUNETS\s0\fR alias
-(the class B network \f(CW128.138.0.0\fR).
-.PP
-.Vb 2
-\& operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e
-\& sudoedit /etc/printcap, /usr/oper/bin/
-.Ve
-.PP
-The \fBoperator\fR user may run commands limited to simple maintenance.
-Here, those are commands related to backups, killing processes, the
-printing system, shutting down the system, and any commands in the
-directory \fI/usr/oper/bin/\fR.
-.PP
-.Vb 1
-\& joe ALL = /usr/bin/su operator
-.Ve
-.PP
-The user \fBjoe\fR may only \fIsu\fR\|(1) to operator.
+Below are example
+\fIsudoers\fR
+entries.
+Admittedly, some of these are a bit contrived.
+First, we allow a few environment variables to pass and then define our
+\fIaliases\fR:
+.nf
+.sp
+.RS 0n
+# Run X applications through sudo; HOME is used to find the
+# .Xauthority file. Note that other programs use HOME to find
+# configuration files and this may lead to privilege escalation!
+Defaults env_keep += "DISPLAY HOME"
+
+# User alias specification
+User_Alias FULLTIMERS = millert, mikef, dowdy
+User_Alias PARTTIMERS = bostley, jwfox, crawl
+User_Alias WEBMASTERS = will, wendy, wim
+
+# Runas alias specification
+Runas_Alias OP = root, operator
+Runas_Alias DB = oracle, sybase
+Runas_Alias ADMINGRP = adm, oper
+
+# Host alias specification
+Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
+ SGI = grolsch, dandelion, black :\e
+ ALPHA = widget, thalamus, foobar :\e
+ HPPA = boa, nag, python
+Host_Alias CUNETS = 128.138.0.0/255.255.0.0
+Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
+Host_Alias SERVERS = master, mail, www, ns
+Host_Alias CDROM = orion, perseus, hercules
+
+# Cmnd alias specification
+Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
+ /usr/sbin/restore, /usr/sbin/rrestore
+Cmnd_Alias KILL = /usr/bin/kill
+Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
+Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
+Cmnd_Alias HALT = /usr/sbin/halt
+Cmnd_Alias REBOOT = /usr/sbin/reboot
+Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\e
+ /usr/local/bin/tcsh, /usr/bin/rsh,\e
+ /usr/local/bin/zsh
+Cmnd_Alias SU = /usr/bin/su
+Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
+.RE
+.fi
.PP
-.Vb 1
-\& pete HPPA = /usr/bin/passwd [A\-Za\-z]*, !/usr/bin/passwd root
-\&
-\& %opers ALL = (: ADMINGRP) /usr/sbin/
-.Ve
+Here we override some of the compiled in default values.
+We want
+\fBsudo\fR
+to log via
+syslog(3)
+using the
+\fIauth\fR
+facility in all cases.
+We don't want to subject the full time staff to the
+\fBsudo\fR
+lecture, user
+\fBmillert\fR
+need not give a password, and we don't want to reset the
+\fRLOGNAME\fR,
+\fRUSER\fR
+or
+\fRUSERNAME\fR
+environment variables when running commands as root.
+Additionally, on the machines in the
+\fISERVERS\fR
+\fRHost_Alias\fR,
+we keep an additional local log file and make sure we log the year
+in each log line since the log entries will be kept around for several years.
+Lastly, we disable shell escapes for the commands in the PAGERS
+\fRCmnd_Alias\fR
+(\fI/usr/bin/more\fR,
+\fI/usr/bin/pg\fR
+and
+\fI/usr/bin/less\fR)
+\&.
+.nf
+.sp
+.RS 0n
+# Override built-in defaults
+Defaults syslog=auth
+Defaults>root !set_logname
+Defaults:FULLTIMERS !lecture
+Defaults:millert !authenticate
+Defaults@SERVERS log_year, logfile=/var/log/sudo.log
+Defaults!PAGERS noexec
+.RE
+.fi
.PP
-Users in the \fBopers\fR group may run commands in \fI/usr/sbin/\fR as themselves
-with any group in the \fI\s-1ADMINGRP\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR (the \fBadm\fR and \fBoper\fR
-groups).
+The
+\fIUser specification\fR
+is the part that actually determines who may run what.
+.nf
+.sp
+.RS 0n
+root ALL = (ALL) ALL
+%wheel ALL = (ALL) ALL
+.RE
+.fi
.PP
-The user \fBpete\fR is allowed to change anyone's password except for
-root on the \fI\s-1HPPA\s0\fR machines. Note that this assumes \fIpasswd\fR\|(1)
-does not take multiple user names on the command line.
+We let
+\fBroot\fR
+and any user in group
+\fBwheel\fR
+run any command on any host as any user.
+.nf
+.sp
+.RS 0n
+FULLTIMERS ALL = NOPASSWD: ALL
+.RE
+.fi
.PP
-.Vb 1
-\& bob SPARC = (OP) ALL : SGI = (OP) ALL
-.Ve
+Full time sysadmins
+(\fBmillert\fR,
+\fBmikef\fR,
+and
+\fBdowdy\fR)
+may run any command on any host without authenticating themselves.
+.nf
+.sp
+.RS 0n
+PARTTIMERS ALL = ALL
+.RE
+.fi
.PP
-The user \fBbob\fR may run anything on the \fI\s-1SPARC\s0\fR and \fI\s-1SGI\s0\fR machines
-as any user listed in the \fI\s-1OP\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR (\fBroot\fR and \fBoperator\fR).
+Part time sysadmins
+\fBbostley\fR,
+\fBjwfox\fR,
+and
+\fBcrawl\fR)
+may run any command on any host but they must authenticate themselves
+first (since the entry lacks the
+\fRNOPASSWD\fR
+tag).
+.nf
+.sp
+.RS 0n
+jack CSNETS = ALL
+.RE
+.fi
.PP
-.Vb 1
-\& jim +biglab = ALL
-.Ve
+The user
+\fBjack\fR
+may run any command on the machines in the
+\fICSNETS\fR
+alias (the networks
+\fR128.138.243.0\fR,
+\fR128.138.204.0\fR,
+and
+\fR128.138.242.0\fR).
+Of those networks, only
+\fR128.138.204.0\fR
+has an explicit netmask (in CIDR notation) indicating it is a class C network.
+For the other networks in
+\fICSNETS\fR,
+the local machine's netmask will be used during matching.
+.nf
+.sp
+.RS 0n
+lisa CUNETS = ALL
+.RE
+.fi
.PP
-The user \fBjim\fR may run any command on machines in the \fIbiglab\fR netgroup.
-\&\fBsudo\fR knows that \*(L"biglab\*(R" is a netgroup due to the '+' prefix.
+The user
+\fBlisa\fR
+may run any command on any host in the
+\fICUNETS\fR
+alias (the class B network
+\fR128.138.0.0\fR).
+.nf
+.sp
+.RS 0n
+operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e
+ sudoedit /etc/printcap, /usr/oper/bin/
+.RE
+.fi
.PP
-.Vb 1
-\& +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
-.Ve
+The
+\fBoperator\fR
+user may run commands limited to simple maintenance.
+Here, those are commands related to backups, killing processes, the
+printing system, shutting down the system, and any commands in the
+directory
+\fI/usr/oper/bin/\fR.
+.nf
+.sp
+.RS 0n
+joe ALL = /usr/bin/su operator
+.RE
+.fi
.PP
-Users in the \fBsecretaries\fR netgroup need to help manage the printers
-as well as add and remove users, so they are allowed to run those
-commands on all machines.
+The user
+\fBjoe\fR
+may only
+su(1)
+to operator.
+.nf
+.sp
+.RS 0n
+pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
+
+%opers ALL = (: ADMINGRP) /usr/sbin/
+.RE
+.fi
.PP
-.Vb 1
-\& fred ALL = (DB) NOPASSWD: ALL
-.Ve
+Users in the
+\fBopers\fR
+group may run commands in
+\fI/usr/sbin/\fR
+as themselves
+with any group in the
+\fIADMINGRP\fR
+\fRRunas_Alias\fR
+(the
+\fBadm\fR
+and
+\fBoper\fR
+groups).
.PP
-The user \fBfred\fR can run commands as any user in the \fI\s-1DB\s0\fR \f(CW\*(C`Runas_Alias\*(C'\fR
-(\fBoracle\fR or \fBsybase\fR) without giving a password.
+The user
+\fBpete\fR
+is allowed to change anyone's password except for
+root on the
+\fIHPPA\fR
+machines.
+Note that this assumes
+passwd(1)
+does not take multiple user names on the command line.
+.nf
+.sp
+.RS 0n
+bob SPARC = (OP) ALL : SGI = (OP) ALL
+.RE
+.fi
.PP
-.Vb 1
-\& john ALPHA = /usr/bin/su [!\-]*, !/usr/bin/su *root*
-.Ve
+The user
+\fBbob\fR
+may run anything on the
+\fISPARC\fR
+and
+\fISGI\fR
+machines as any user listed in the
+\fIOP\fR
+\fRRunas_Alias\fR
+(\fBroot\fR
+and
+\fBoperator\fR.)
+.nf
+.sp
+.RS 0n
+jim +biglab = ALL
+.RE
+.fi
.PP
-On the \fI\s-1ALPHA\s0\fR machines, user \fBjohn\fR may su to anyone except root
-but he is not allowed to specify any options to the \fIsu\fR\|(1) command.
+The user
+\fBjim\fR
+may run any command on machines in the
+\fIbiglab\fR
+netgroup.
+\fBsudo\fR
+knows that
+``biglab''
+is a netgroup due to the
+`+'
+prefix.
+.nf
+.sp
+.RS 0n
++secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
+.RE
+.fi
.PP
-.Vb 1
-\& jen ALL, !SERVERS = ALL
-.Ve
+Users in the
+\fBsecretaries\fR
+netgroup need to help manage the printers as well as add and remove users,
+so they are allowed to run those commands on all machines.
+.nf
+.sp
+.RS 0n
+fred ALL = (DB) NOPASSWD: ALL
+.RE
+.fi
.PP
-The user \fBjen\fR may run any command on any machine except for those
-in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR (master, mail, www and ns).
+The user
+\fBfred\fR
+can run commands as any user in the
+\fIDB\fR
+\fRRunas_Alias\fR
+(\fBoracle\fR
+or
+\fBsybase\fR)
+without giving a password.
+.nf
+.sp
+.RS 0n
+john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
+.RE
+.fi
.PP
-.Vb 1
-\& jill SERVERS = /usr/bin/, !SU, !SHELLS
-.Ve
+On the
+\fIALPHA\fR
+machines, user
+\fBjohn\fR
+may su to anyone except root but he is not allowed to specify any options
+to the
+su(1)
+command.
+.nf
+.sp
+.RS 0n
+jen ALL, !SERVERS = ALL
+.RE
+.fi
.PP
-For any machine in the \fI\s-1SERVERS\s0\fR \f(CW\*(C`Host_Alias\*(C'\fR, \fBjill\fR may run
-any commands in the directory \fI/usr/bin/\fR except for those commands
-belonging to the \fI\s-1SU\s0\fR and \fI\s-1SHELLS\s0\fR \f(CW\*(C`Cmnd_Aliases\*(C'\fR.
+The user
+\fBjen\fR
+may run any command on any machine except for those in the
+\fISERVERS\fR
+\fRHost_Alias\fR
+(master, mail, www and ns).
+.nf
+.sp
+.RS 0n
+jill SERVERS = /usr/bin/, !SU, !SHELLS
+.RE
+.fi
.PP
-.Vb 1
-\& steve CSNETS = (operator) /usr/local/op_commands/
-.Ve
+For any machine in the
+\fISERVERS\fR
+\fRHost_Alias\fR,
+\fBjill\fR
+may run
+any commands in the directory
+\fI/usr/bin/\fR
+except for those commands
+belonging to the
+\fISU\fR
+and
+\fISHELLS\fR
+\fRCmnd_Aliases\fR.
+.nf
+.sp
+.RS 0n
+steve CSNETS = (operator) /usr/local/op_commands/
+.RE
+.fi
.PP
-The user \fBsteve\fR may run any command in the directory /usr/local/op_commands/
+The user
+\fBsteve\fR
+may run any command in the directory /usr/local/op_commands/
but only as user operator.
+.nf
+.sp
+.RS 0n
+matt valkyrie = KILL
+.RE
+.fi
.PP
-.Vb 1
-\& matt valkyrie = KILL
-.Ve
-.PP
-On his personal workstation, valkyrie, \fBmatt\fR needs to be able to
-kill hung processes.
-.PP
-.Vb 1
-\& WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
-.Ve
-.PP
-On the host www, any user in the \fI\s-1WEBMASTERS\s0\fR \f(CW\*(C`User_Alias\*(C'\fR (will,
-wendy, and wim), may run any command as user www (which owns the
-web pages) or simply \fIsu\fR\|(1) to www.
+On his personal workstation, valkyrie,
+\fBmatt\fR
+needs to be able to kill hung processes.
+.nf
+.sp
+.RS 0n
+WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
+.RE
+.fi
.PP
-.Vb 2
-\& ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
-\& /sbin/mount \-o nosuid\e,nodev /dev/cd0a /CDROM
-.Ve
+On the host www, any user in the
+\fIWEBMASTERS\fR
+\fRUser_Alias\fR
+(will, wendy, and wim), may run any command as user www (which owns the
+web pages) or simply
+su(1)
+to www.
+.nf
+.sp
+.RS 0n
+ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
+ /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
+.RE
+.fi
.PP
-Any user may mount or unmount a CD-ROM on the machines in the \s-1CDROM\s0
-\&\f(CW\*(C`Host_Alias\*(C'\fR (orion, perseus, hercules) without entering a password.
+Any user may mount or unmount a CD-ROM on the machines in the CDROM
+\fRHost_Alias\fR
+(orion, perseus, hercules) without entering a password.
This is a bit tedious for users to type, so it is a prime candidate
for encapsulating in a shell script.
.SH "SECURITY NOTES"
-.IX Header "SECURITY NOTES"
-It is generally not effective to \*(L"subtract\*(R" commands from \f(CW\*(C`ALL\*(C'\fR
-using the '!' operator. A user can trivially circumvent this
-by copying the desired command to a different name and then
-executing that. For example:
-.PP
-.Vb 1
-\& bill ALL = ALL, !SU, !SHELLS
-.Ve
-.PP
-Doesn't really prevent \fBbill\fR from running the commands listed in
-\&\fI\s-1SU\s0\fR or \fI\s-1SHELLS\s0\fR since he can simply copy those commands to a
-different name, or use a shell escape from an editor or other
-program. Therefore, these kind of restrictions should be considered
+.SS "Limitations of the `!\&' operator"
+It is generally not effective to
+``subtract''
+commands from
+\fBALL\fR
+using the
+`!\&'
+operator.
+A user can trivially circumvent this by copying the desired command
+to a different name and then executing that.
+For example:
+.nf
+.sp
+.RS 0n
+bill ALL = ALL, !SU, !SHELLS
+.RE
+.fi
+.PP
+Doesn't really prevent
+\fBbill\fR
+from running the commands listed in
+\fISU\fR
+or
+\fISHELLS\fR
+since he can simply copy those commands to a different name, or use
+a shell escape from an editor or other program.
+Therefore, these kind of restrictions should be considered
advisory at best (and reinforced by policy).
.PP
-Furthermore, if the \fIfast_glob\fR option is in use, it is not possible
-to reliably negate commands where the path name includes globbing
-(aka wildcard) characters. This is because the C library's
-\&\fIfnmatch\fR\|(3) function cannot resolve relative paths. While this
-is typically only an inconvenience for rules that grant privileges,
-it can result in a security issue for rules that subtract or revoke
-privileges.
-.PP
-For example, given the following \fIsudoers\fR entry:
-.PP
-.Vb 2
-\& john ALL = /usr/bin/passwd [a\-zA\-Z0\-9]*, /usr/bin/chsh [a\-zA\-Z0\-9]*,\e
-\& /usr/bin/chfn [a\-zA\-Z0\-9]*, !/usr/bin/* root
-.Ve
-.PP
-User \fBjohn\fR can still run \f(CW\*(C`/usr/bin/passwd root\*(C'\fR if \fIfast_glob\fR is
-enabled by changing to \fI/usr/bin\fR and running \f(CW\*(C`./passwd root\*(C'\fR instead.
-.SH "PREVENTING SHELL ESCAPES"
-.IX Header "PREVENTING SHELL ESCAPES"
-Once \fBsudo\fR executes a program, that program is free to do whatever
-it pleases, including run other programs. This can be a security
-issue since it is not uncommon for a program to allow shell escapes,
-which lets a user bypass \fBsudo\fR's access control and logging.
+In general, if a user has sudo
+\fBALL\fR
+there is nothing to prevent them from creating their own program that gives
+them a root shell (or making their own copy of a shell) regardless of any
+`!\&'
+elements in the user specification.
+.SS "Security implications of \fIfast_glob\fR"
+If the
+\fIfast_glob\fR
+option is in use, it is not possible to reliably negate commands where the
+path name includes globbing (aka wildcard) characters.
+This is because the C library's
+fnmatch(3)
+function cannot resolve relative paths.
+While this is typically only an inconvenience for rules that grant privileges,
+it can result in a security issue for rules that subtract or revoke privileges.
+.PP
+For example, given the following
+\fIsudoers\fR
+entry:
+.nf
+.sp
+.RS 0n
+john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\e
+ /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
+.RE
+.fi
+.PP
+User
+\fBjohn\fR
+can still run
+\fR/usr/bin/passwd root\fR
+if
+\fIfast_glob\fR
+is enabled by changing to
+\fI/usr/bin\fR
+and running
+\fR./passwd root\fR
+instead.
+.SS "Preventing Shell Escapes"
+Once
+\fBsudo\fR
+executes a program, that program is free to do whatever
+it pleases, including run other programs.
+This can be a security issue since it is not uncommon for a program to
+allow shell escapes, which lets a user bypass
+\fBsudo\fR's
+access control and logging.
Common programs that permit shell escapes include shells (obviously),
editors, paginators, mail and terminal programs.
.PP
There are two basic approaches to this problem:
-.IP "restrict" 10
-.IX Item "restrict"
+.TP 10n
+restrict
Avoid giving users access to commands that allow the user to run
-arbitrary commands. Many editors have a restricted mode where shell
-escapes are disabled, though \fBsudoedit\fR is a better solution to
-running editors via \fBsudo\fR. Due to the large number of programs that
+arbitrary commands.
+Many editors have a restricted mode where shell
+escapes are disabled, though
+\fBsudoedit\fR
+is a better solution to
+running editors via
+\fBsudo\fR.
+Due to the large number of programs that
offer shell escapes, restricting users to the set of programs that
do not is often unworkable.
-.IP "noexec" 10
-.IX Item "noexec"
+.TP 10n
+noexec
Many systems that support shared libraries have the ability to
override default library functions by pointing an environment
-variable (usually \f(CW\*(C`LD_PRELOAD\*(C'\fR) to an alternate shared library.
-On such systems, \fBsudo\fR's \fInoexec\fR functionality can be used to
-prevent a program run by \fBsudo\fR from executing any other programs.
+variable (usually
+\fRLD_PRELOAD\fR)
+to an alternate shared library.
+On such systems,
+\fBsudo\fR's
+\fInoexec\fR
+functionality can be used to prevent a program run by
+\fBsudo\fR
+from executing any other programs.
Note, however, that this applies only to native dynamically-linked
-executables. Statically-linked executables and foreign executables
+executables.
+Statically-linked executables and foreign executables
running under binary emulation are not affected.
-.Sp
-To tell whether or not \fBsudo\fR supports \fInoexec\fR, you can run
-the following as root:
-.Sp
-.Vb 1
-\& sudo \-V | grep "dummy exec"
-.Ve
-.Sp
-If the resulting output contains a line that begins with:
-.Sp
-.Vb 1
-\& File containing dummy exec functions:
-.Ve
-.Sp
-then \fBsudo\fR may be able to replace the exec family of functions
-in the standard library with its own that simply return an error.
-Unfortunately, there is no foolproof way to know whether or not
-\&\fInoexec\fR will work at compile-time. \fInoexec\fR should work on
-SunOS, Solaris, *BSD, Linux, \s-1IRIX\s0, Tru64 \s-1UNIX\s0, MacOS X, and HP-UX
-11.x. It is known \fBnot\fR to work on \s-1AIX\s0 and UnixWare. \fInoexec\fR
-is expected to work on most operating systems that support the
-\&\f(CW\*(C`LD_PRELOAD\*(C'\fR environment variable. Check your operating system's
-manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld,
-dld.sl, rld, or loader) to see if \f(CW\*(C`LD_PRELOAD\*(C'\fR is supported.
-.Sp
-To enable \fInoexec\fR for a command, use the \f(CW\*(C`NOEXEC\*(C'\fR tag as documented
-in the User Specification section above. Here is that example again:
-.Sp
-.Vb 1
-\& aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
-.Ve
-.Sp
-This allows user \fBaaron\fR to run \fI/usr/bin/more\fR and \fI/usr/bin/vi\fR
-with \fInoexec\fR enabled. This will prevent those two commands from
-executing other commands (such as a shell). If you are unsure
-whether or not your system is capable of supporting \fInoexec\fR you
-can always just try it out and see if it works.
-.PP
-Note that restricting shell escapes is not a panacea. Programs
-running as root are still capable of many potentially hazardous
+.sp
+The
+\fInoexec\fR
+feature is known to work on SunOS, Solaris, *BSD,
+Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and above.
+It should be supported on most operating systems that support the
+\fRLD_PRELOAD\fR
+environment variable.
+Check your operating system's manual pages for the dynamic linker
+(usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
+\fRLD_PRELOAD\fR
+is supported.
+.sp
+On Solaris 10 and higher,
+\fInoexec\fR
+uses Solaris privileges instead of the
+\fRLD_PRELOAD\fR
+environment variable.
+.sp
+To enable
+\fInoexec\fR
+for a command, use the
+\fRNOEXEC\fR
+tag as documented
+in the User Specification section above.
+Here is that example again:
+.RS
+.nf
+.sp
+.RS 0n
+aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+.RE
+.fi
+.sp
+This allows user
+\fBaaron\fR
+to run
+\fI/usr/bin/more\fR
+and
+\fI/usr/bin/vi\fR
+with
+\fInoexec\fR
+enabled.
+This will prevent those two commands from
+executing other commands (such as a shell).
+If you are unsure whether or not your system is capable of supporting
+\fInoexec\fR
+you can always just try it out and check whether shell escapes work when
+\fInoexec\fR
+is enabled.
+.RE
+.PP
+Note that restricting shell escapes is not a panacea.
+Programs running as root are still capable of many potentially hazardous
operations (such as changing or overwriting files) that could lead
-to unintended privilege escalation. In the specific case of an
-editor, a safer approach is to give the user permission to run
-\&\fBsudoedit\fR.
+to unintended privilege escalation.
+In the specific case of an editor, a safer approach is to give the
+user permission to run
+\fBsudoedit\fR.
.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-\&\fIrsh\fR\|(1), \fIsu\fR\|(1), \fIfnmatch\fR\|(3), \fIglob\fR\|(3), \fIsudo\fR\|(@mansectsu@), \fIvisudo\fR\|(8)
+ssh(1),
+su(1),
+fnmatch(3),
+glob(3),
+mktemp(3),
+strftime(3),
+sudoers.ldap(@mansectform@),
+sudo(@mansectsu@),
+visudo(@mansectsu@)
.SH "CAVEATS"
-.IX Header "CAVEATS"
-The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR
-command which locks the file and does grammatical checking. It is
-imperative that \fIsudoers\fR be free of syntax errors since \fBsudo\fR
-will not run with a syntactically incorrect \fIsudoers\fR file.
+The
+\fIsudoers\fR
+file should
+\fBalways\fR
+be edited by the
+\fBvisudo\fR
+command which locks the file and does grammatical checking.
+It is
+imperative that
+\fIsudoers\fR
+be free of syntax errors since
+\fBsudo\fR
+will not run with a syntactically incorrect
+\fIsudoers\fR
+file.
.PP
When using netgroups of machines (as opposed to users), if you
store fully qualified host name in the netgroup (as is usually the
case), you either need to have the machine's host name be fully qualified
-as returned by the \f(CW\*(C`hostname\*(C'\fR command or use the \fIfqdn\fR option in
-\&\fIsudoers\fR.
+as returned by the
+\fRhostname\fR
+command or use the
+\fIfqdn\fR
+option in
+\fIsudoers\fR.
.SH "BUGS"
-.IX Header "BUGS"
-If you feel you have found a bug in \fBsudo\fR, please submit a bug report
-at http://www.sudo.ws/sudo/bugs/
+If you feel you have found a bug in
+\fBsudo\fR,
+please submit a bug report at http://www.sudo.ws/sudo/bugs/
.SH "SUPPORT"
-.IX Header "SUPPORT"
Limited free support is available via the sudo-users mailing list,
-see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
+see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.SH "DISCLAIMER"
-.IX Header "DISCLAIMER"
-\&\fBsudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
-including, but not limited to, the implied warranties of merchantability
-and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
-file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
-for complete details.
+\fBsudo\fR
+is provided
+``AS IS''
+and any express or implied warranties, including, but not limited
+to, the implied warranties of merchantability and fitness for a
+particular purpose are disclaimed.
+See the LICENSE file distributed with
+\fBsudo\fR
+or http://www.sudo.ws/sudo/license.html for complete details.
--- /dev/null
+.\"
+.\" Copyright (c) 1994-1996, 1998-2005, 2007-2012
+.\" Todd C. Miller <Todd.Miller@courtesan.com>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" Sponsored in part by the Defense Advanced Research Projects
+.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
+.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
+.\"
+.Dd July 16, 2012
+.Dt SUDOERS @mansectform@
+.Os Sudo @PACKAGE_VERSION@
+.Sh NAME
+.Nm sudoers
+.Nd list of which users may execute what
+.Sh DESCRIPTION
+The
+.Em sudoers
+file is composed of two types of entries: aliases
+(basically variables) and user specifications (which specify who
+may run what).
+.Pp
+When multiple entries match for a user, they are applied in order.
+Where there are multiple matches, the last match is used (which is
+not necessarily the most specific match).
+.Pp
+The
+.Em sudoers
+grammar will be described below in Extended Backus-Naur
+Form (EBNF).
+Don't despair if you are unfamiliar with EBNF; it is fairly simple,
+and the definitions below are annotated.
+.Ss Quick guide to EBNF
+EBNF is a concise and exact way of describing the grammar of a language.
+Each EBNF definition is made up of
+.Em production rules .
+E.g.,
+.Pp
+.Li symbol ::= definition | alternate1 | alternate2 ...
+.Pp
+Each
+.Em production rule
+references others and thus makes up a
+grammar for the language.
+EBNF also contains the following
+operators, which many readers will recognize from regular
+expressions.
+Do not, however, confuse them with
+.Dq wildcard
+characters, which have different meanings.
+.Bl -tag -width 4n
+.It Li \&?
+Means that the preceding symbol (or group of symbols) is optional.
+That is, it may appear once or not at all.
+.It Li *
+Means that the preceding symbol (or group of symbols) may appear
+zero or more times.
+.It Li +
+Means that the preceding symbol (or group of symbols) may appear
+one or more times.
+.El
+.Pp
+Parentheses may be used to group symbols together.
+For clarity,
+we will use single quotes
+.Pq ''
+to designate what is a verbatim character string (as opposed to a symbol name).
+.Ss Aliases
+There are four kinds of aliases:
+.Li User_Alias ,
+.Li Runas_Alias ,
+.Li Host_Alias
+and
+.Li Cmnd_Alias .
+.Bd -literal
+Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
+ 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
+ 'Host_Alias' Host_Alias (':' Host_Alias)* |
+ 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
+
+User_Alias ::= NAME '=' User_List
+
+Runas_Alias ::= NAME '=' Runas_List
+
+Host_Alias ::= NAME '=' Host_List
+
+Cmnd_Alias ::= NAME '=' Cmnd_List
+
+NAME ::= [A-Z]([A-Z][0-9]_)*
+.Ed
+.Pp
+Each
+.Em alias
+definition is of the form
+.Bd -literal
+Alias_Type NAME = item1, item2, ...
+.Ed
+.Pp
+where
+.Em Alias_Type
+is one of
+.Li User_Alias ,
+.Li Runas_Alias ,
+.Li Host_Alias ,
+or
+.Li Cmnd_Alias .
+A
+.Li NAME
+is a string of uppercase letters, numbers,
+and underscore characters
+.Pq Ql _ .
+A
+.Li NAME
+.Sy must
+start with an
+uppercase letter.
+It is possible to put several alias definitions
+of the same type on a single line, joined by a colon
+.Pq Ql :\& .
+E.g.,
+.Bd -literal
+Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
+.Ed
+.Pp
+The definitions of what constitutes a valid
+.Em alias
+member follow.
+.Bd -literal
+User_List ::= User |
+ User ',' User_List
+
+User ::= '!'* user name |
+ '!'* #uid |
+ '!'* %group |
+ '!'* %#gid |
+ '!'* +netgroup |
+ '!'* %:nonunix_group |
+ '!'* %:#nonunix_gid |
+ '!'* User_Alias
+.Ed
+.Pp
+A
+.Li User_List
+is made up of one or more user names, user ids
+(prefixed with
+.Ql # ) ,
+system group names and ids (prefixed with
+.Ql %
+and
+.Ql %#
+respectively), netgroups (prefixed with
+.Ql + ) ,
+non-Unix group names and IDs (prefixed with
+.Ql %:
+and
+.Ql %:#
+respectively) and
+.Li User_Alias Ns No es.
+Each list item may be prefixed with zero or more
+.Ql \&!
+operators.
+An odd number of
+.Ql \&!
+operators negate the value of
+the item; an even number just cancel each other out.
+.Pp
+A
+.Li user name ,
+.Li uid ,
+.Li group ,
+.Li gid ,
+.Li netgroup ,
+.Li nonunix_group
+or
+.Li nonunix_gid
+may be enclosed in double quotes to avoid the
+need for escaping special characters.
+Alternately, special characters
+may be specified in escaped hex mode, e.g.\& \ex20 for space.
+When
+using double quotes, any prefix characters must be included inside
+the quotes.
+.Pp
+The actual
+.Li nonunix_group
+and
+.Li nonunix_gid
+syntax depends on
+the underlying implementation.
+For instance, the QAS AD backend supports the following formats:
+.Bl -bullet -width 4n
+.It
+Group in the same domain: "%:Group Name"
+.It
+Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
+.It
+Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
+.El
+.Pp
+Note that quotes around group names are optional.
+Unquoted strings must use a backslash
+.Pq Ql \e
+to escape spaces and special characters.
+See
+.Sx Other special characters and reserved words
+for a list of
+characters that need to be escaped.
+.Bd -literal
+Runas_List ::= Runas_Member |
+ Runas_Member ',' Runas_List
+
+Runas_Member ::= '!'* user name |
+ '!'* #uid |
+ '!'* %group |
+ '!'* %#gid |
+ '!'* %:nonunix_group |
+ '!'* %:#nonunix_gid |
+ '!'* +netgroup |
+ '!'* Runas_Alias
+.Ed
+.Pp
+A
+.Li Runas_List
+is similar to a
+.Li User_List
+except that instead
+of
+.Li User_Alias Ns No es
+it can contain
+.Li Runas_Alias Ns No es .
+Note that
+user names and groups are matched as strings.
+In other words, two
+users (groups) with the same uid (gid) are considered to be distinct.
+If you wish to match all user names with the same uid (e.g.\&
+root and toor), you can use a uid instead (#0 in the example given).
+.Bd -literal
+Host_List ::= Host |
+ Host ',' Host_List
+
+Host ::= '!'* host name |
+ '!'* ip_addr |
+ '!'* network(/netmask)? |
+ '!'* +netgroup |
+ '!'* Host_Alias
+.Ed
+.Pp
+A
+.Li Host_List
+is made up of one or more host names, IP addresses,
+network numbers, netgroups (prefixed with
+.Ql + )
+and other aliases.
+Again, the value of an item may be negated with the
+.Ql \&!
+operator.
+If you do not specify a netmask along with the network number,
+.Nm sudo
+will query each of the local host's network interfaces and,
+if the network number corresponds to one of the hosts's network
+interfaces, the corresponding netmask will be used.
+The netmask
+may be specified either in standard IP address notation
+(e.g.\& 255.255.255.0 or ffff:ffff:ffff:ffff::),
+or CIDR notation (number of bits, e.g.\& 24 or 64).
+A host name may include shell-style wildcards (see the
+.Sx Wildcards
+section below),
+but unless the
+.Li host name
+command on your machine returns the fully
+qualified host name, you'll need to use the
+.Em fqdn
+option for wildcards to be useful.
+Note that
+.Nm sudo
+only inspects actual network interfaces; this means that IP address
+127.0.0.1 (localhost) will never match.
+Also, the host name
+.Dq localhost
+will only match if that is the actual host name, which is usually
+only the case for non-networked systems.
+.Bd -literal
+Cmnd_List ::= Cmnd |
+ Cmnd ',' Cmnd_List
+
+command name ::= file name |
+ file name args |
+ file name '""'
+
+Cmnd ::= '!'* command name |
+ '!'* directory |
+ '!'* "sudoedit" |
+ '!'* Cmnd_Alias
+.Ed
+.Pp
+A
+.Li Cmnd_List
+is a list of one or more command names, directories, and other aliases.
+A command name is a fully qualified file name which may include
+shell-style wildcards (see the
+.Sx Wildcards
+section below).
+A simple file name allows the user to run the command with any
+arguments he/she wishes.
+However, you may also specify command line arguments (including
+wildcards).
+Alternately, you can specify
+.Li \&""
+to indicate that the command
+may only be run
+.Sy without
+command line arguments.
+A directory is a
+fully qualified path name ending in a
+.Ql / .
+When you specify a directory in a
+.Li Cmnd_List ,
+the user will be able to run any file within that directory
+(but not in any sub-directories therein).
+.Pp
+If a
+.Li Cmnd
+has associated command line arguments, then the arguments
+in the
+.Li Cmnd
+must match exactly those given by the user on the command line
+(or match the wildcards if there are any).
+Note that the following characters must be escaped with a
+.Ql \e
+if they are used in command arguments:
+.Ql ,\& ,
+.Ql :\& ,
+.Ql =\& ,
+.Ql \e .
+The special command
+.Dq Li sudoedit
+is used to permit a user to run
+.Nm sudo
+with the
+.Fl e
+option (or as
+.Nm sudoedit ) .
+It may take command line arguments just as a normal command does.
+.Ss Defaults
+Certain configuration options may be changed from their default
+values at run-time via one or more
+.Li Default_Entry
+lines.
+These may affect all users on any host, all users on a specific host, a
+specific user, a specific command, or commands being run as a specific user.
+Note that per-command entries may not include command line arguments.
+If you need to specify arguments, define a
+.Li Cmnd_Alias
+and reference
+that instead.
+.Bd -literal
+Default_Type ::= 'Defaults' |
+ 'Defaults' '@' Host_List |
+ 'Defaults' ':' User_List |
+ 'Defaults' '!' Cmnd_List |
+ 'Defaults' '>' Runas_List
+
+Default_Entry ::= Default_Type Parameter_List
+
+Parameter_List ::= Parameter |
+ Parameter ',' Parameter_List
+
+Parameter ::= Parameter '=' Value |
+ Parameter '+=' Value |
+ Parameter '-=' Value |
+ '!'* Parameter
+.Ed
+.Pp
+Parameters may be
+.Sy flags ,
+.Sy integer
+values,
+.Sy strings ,
+or
+.Sy lists .
+Flags are implicitly boolean and can be turned off via the
+.Ql \&!
+operator.
+Some integer, string and list parameters may also be
+used in a boolean context to disable them.
+Values may be enclosed
+in double quotes
+.Pq \&""
+when they contain multiple words.
+Special characters may be escaped with a backslash
+.Pq Ql \e .
+.Pp
+Lists have two additional assignment operators,
+.Li +=
+and
+.Li -= .
+These operators are used to add to and delete from a list respectively.
+It is not an error to use the
+.Li -=
+operator to remove an element
+that does not exist in a list.
+.Pp
+Defaults entries are parsed in the following order: generic, host
+and user Defaults first, then runas Defaults and finally command
+defaults.
+.Pp
+See
+.Sx SUDOERS OPTIONS
+for a list of supported Defaults parameters.
+.Ss User Specification
+.Bd -literal
+User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \e
+ (':' Host_List '=' Cmnd_Spec_List)*
+
+Cmnd_Spec_List ::= Cmnd_Spec |
+ Cmnd_Spec ',' Cmnd_Spec_List
+
+Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
+
+Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
+
+SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
+
+Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
+ 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
+ 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
+.Ed
+.Pp
+A
+.Sy user specification
+determines which commands a user may run
+(and as what user) on specified hosts.
+By default, commands are
+run as
+.Sy root ,
+but this can be changed on a per-command basis.
+.Pp
+The basic structure of a user specification is
+.Dq who where = (as_whom) what .
+Let's break that down into its constituent parts:
+.Ss Runas_Spec
+A
+.Li Runas_Spec
+determines the user and/or the group that a command
+may be run as.
+A fully-specified
+.Li Runas_Spec
+consists of two
+.Li Runas_List Ns No s
+(as defined above) separated by a colon
+.Pq Ql :\&
+and enclosed in a set of parentheses.
+The first
+.Li Runas_List
+indicates
+which users the command may be run as via
+.Nm sudo Ns No 's
+.Fl u
+option.
+The second defines a list of groups that can be specified via
+.Nm sudo Ns No 's
+.Fl g
+option.
+If both
+.Li Runas_List Ns No s
+are specified, the command may be run with any combination of users
+and groups listed in their respective
+.Li Runas_List Ns No s.
+If only the first is specified, the command may be run as any user
+in the list but no
+.Fl g
+option
+may be specified.
+If the first
+.Li Runas_List
+is empty but the
+second is specified, the command may be run as the invoking user
+with the group set to any listed in the
+.Li Runas_List .
+If no
+.Li Runas_Spec
+is specified the command may be run as
+.Sy root
+and
+no group may be specified.
+.Pp
+A
+.Li Runas_Spec
+sets the default for the commands that follow it.
+What this means is that for the entry:
+.Bd -literal
+dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
+.Ed
+.Pp
+The user
+.Sy dgb
+may run
+.Pa /bin/ls ,
+.Pa /bin/kill ,
+and
+.Pa /usr/bin/lprm Ns No \(em Ns but
+only as
+.Sy operator .
+E.g.,
+.Bd -literal
+$ sudo -u operator /bin/ls
+.Ed
+.Pp
+It is also possible to override a
+.Li Runas_Spec
+later on in an entry.
+If we modify the entry like so:
+.Bd -literal
+dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
+.Ed
+.Pp
+Then user
+.Sy dgb
+is now allowed to run
+.Pa /bin/ls
+as
+.Sy operator ,
+but
+.Pa /bin/kill
+and
+.Pa /usr/bin/lprm
+as
+.Sy root .
+.Pp
+We can extend this to allow
+.Sy dgb
+to run
+.Li /bin/ls
+with either
+the user or group set to
+.Sy operator :
+.Bd -literal
+dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\e
+ /usr/bin/lprm
+.Ed
+.Pp
+Note that while the group portion of the
+.Li Runas_Spec
+permits the
+user to run as command with that group, it does not force the user
+to do so.
+If no group is specified on the command line, the command
+will run with the group listed in the target user's password database
+entry.
+The following would all be permitted by the sudoers entry above:
+.Bd -literal
+$ sudo -u operator /bin/ls
+$ sudo -u operator -g operator /bin/ls
+$ sudo -g operator /bin/ls
+.Ed
+.Pp
+In the following example, user
+.Sy tcm
+may run commands that access
+a modem device file with the dialer group.
+.Bd -literal
+tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\e
+ /usr/local/bin/minicom
+.Ed
+.Pp
+Note that in this example only the group will be set, the command
+still runs as user
+.Sy tcm .
+E.g.\&
+.Bd -literal
+$ sudo -g dialer /usr/bin/cu
+.Ed
+.Pp
+Multiple users and groups may be present in a
+.Li Runas_Spec ,
+in which case the user may select any combination of users and groups via the
+.Fl u
+and
+.Fl g
+options.
+In this example:
+.Bd -literal
+alan ALL = (root, bin : operator, system) ALL
+.Ed
+.Pp
+user
+.Sy alan
+may run any command as either user root or bin,
+optionally setting the group to operator or system.
+.Ss SELinux_Spec
+On systems with SELinux support,
+.Em sudoers
+entries may optionally have an SELinux role and/or type associated
+with a command.
+If a role or
+type is specified with the command it will override any default values
+specified in
+.Em sudoers .
+A role or type specified on the command line,
+however, will supersede the values in
+.Em sudoers .
+.Ss Tag_Spec
+A command may have zero or more tags associated with it.
+There are
+ten possible tag values:
+.Li NOPASSWD ,
+.Li PASSWD ,
+.Li NOEXEC ,
+.Li EXEC ,
+.Li SETENV ,
+.Li NOSETENV ,
+.Li LOG_INPUT ,
+.Li NOLOG_INPUT ,
+.Li LOG_OUTPUT
+and
+.Li NOLOG_OUTPUT .
+Once a tag is set on a
+.Li Cmnd ,
+subsequent
+.Li Cmnd Ns No s
+in the
+.Li Cmnd_Spec_List ,
+inherit the tag unless it is overridden by the opposite tag (in other words,
+.Li PASSWD
+overrides
+.Li NOPASSWD
+and
+.Li NOEXEC
+overrides
+.Li EXEC ) .
+.Pp
+.Em NOPASSWD and PASSWD
+.Pp
+By default,
+.Nm sudo
+requires that a user authenticate him or herself
+before running a command.
+This behavior can be modified via the
+.Li NOPASSWD
+tag.
+Like a
+.Li Runas_Spec ,
+the
+.Li NOPASSWD
+tag sets
+a default for the commands that follow it in the
+.Li Cmnd_Spec_List .
+Conversely, the
+.Li PASSWD
+tag can be used to reverse things.
+For example:
+.Bd -literal
+ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
+.Ed
+.Pp
+would allow the user
+.Sy ray
+to run
+.Pa /bin/kill ,
+.Pa /bin/ls ,
+and
+.Pa /usr/bin/lprm
+as
+.Sy root
+on the machine rushmore without authenticating himself.
+If we only want
+.Sy ray
+to be able to
+run
+.Pa /bin/kill
+without a password the entry would be:
+.Bd -literal
+ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
+.Ed
+.Pp
+Note, however, that the
+.Li PASSWD
+tag has no effect on users who are in the group specified by the
+.Em exempt_group
+option.
+.Pp
+By default, if the
+.Li NOPASSWD
+tag is applied to any of the entries for a user on the current host,
+he or she will be able to run
+.Dq Li sudo -l
+without a password.
+Additionally, a user may only run
+.Dq Li sudo -v
+without a password if the
+.Li NOPASSWD
+tag is present for all a user's entries that pertain to the current host.
+This behavior may be overridden via the
+.Em verifypw
+and
+.Em listpw
+options.
+.Pp
+.Em NOEXEC and EXEC
+.Pp
+If
+.Nm sudo
+has been compiled with
+.Em noexec
+support and the underlying operating system supports it, the
+.Li NOEXEC
+tag can be used to prevent a dynamically-linked executable from
+running further commands itself.
+.Pp
+In the following example, user
+.Sy aaron
+may run
+.Pa /usr/bin/more
+and
+.Pa /usr/bin/vi
+but shell escapes will be disabled.
+.Bd -literal
+aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+.Ed
+.Pp
+See the
+.Sx Preventing Shell Escapes
+section below for more details on how
+.Li NOEXEC
+works and whether or not it will work on your system.
+.Pp
+.Em SETENV and NOSETENV
+.Pp
+These tags override the value of the
+.Em setenv
+option on a per-command basis.
+Note that if
+.Li SETENV
+has been set for a command, the user may disable the
+.Em env_reset
+option from the command line via the
+.Fl E
+option.
+Additionally, environment variables set on the command
+line are not subject to the restrictions imposed by
+.Em env_check ,
+.Em env_delete ,
+or
+.Em env_keep .
+As such, only trusted users should be allowed to set variables in this manner.
+If the command matched is
+.Sy ALL ,
+the
+.Li SETENV
+tag is implied for that command; this default may be overridden by use of the
+.Li NOSETENV
+tag.
+.Pp
+.Em LOG_INPUT and NOLOG_INPUT
+.Pp
+These tags override the value of the
+.Em log_input
+option on a per-command basis.
+For more information, see the description of
+.Em log_input
+in the
+.Sx SUDOERS OPTIONS
+section below.
+.Pp
+.Em LOG_OUTPUT and NOLOG_OUTPUT
+.Pp
+These tags override the value of the
+.Em log_output
+option on a per-command basis.
+For more information, see the description of
+.Em log_output
+in the
+.Sx SUDOERS OPTIONS
+section below.
+.Ss Wildcards
+.Nm sudo
+allows shell-style
+.Em wildcards
+(aka meta or glob characters)
+to be used in host names, path names and command line arguments in the
+.Em sudoers
+file.
+Wildcard matching is done via the
+.Sy POSIX
+.Xr glob 3
+and
+.Xr fnmatch 3
+routines.
+Note that these are
+.Em not
+regular expressions.
+.Bl -tag -width 8n
+.It Li *
+Matches any set of zero or more characters.
+.It Li \&?
+Matches any single character.
+.It Li [...]
+Matches any character in the specified range.
+.It Li [!...]
+Matches any character
+.Sy not
+in the specified range.
+.It Li \ex
+For any character
+.Sq x ,
+evaluates to
+.Sq x .
+This is used to escape special characters such as:
+.Ql * ,
+.Ql \&? ,
+.Ql [\& ,
+and
+.Ql ]\& .
+.El
+.Pp
+POSIX character classes may also be used if your system's
+.Xr glob 3
+and
+.Xr fnmatch 3
+functions support them.
+However, because the
+.Ql :\&
+character has special meaning in
+.Em sudoers ,
+it must be
+escaped.
+For example:
+.Bd -literal -offset 4n
+/bin/ls [[\:alpha\:]]*
+.Ed
+.Pp
+Would match any file name beginning with a letter.
+.Pp
+Note that a forward slash
+.Pq Ql /
+will
+.Sy not
+be matched by
+wildcards used in the path name.
+This is to make a path like:
+.Bd -literal -offset 4n
+/usr/bin/*
+.Ed
+.Pp
+match
+.Pa /usr/bin/who
+but not
+.Pa /usr/bin/X11/xterm .
+.Pp
+When matching the command line arguments, however, a slash
+.Sy does
+get matched by wildcards since command line arguments may contain
+arbitrary strings and not just path names.
+.Pp
+Wildcards in command line arguments should be used with care.
+Because command line arguments are matched as a single, concatenated
+string, a wildcard such as
+.Ql \&?
+or
+.Ql *
+can match multiple words.
+For example, while a sudoers entry like:
+.Bd -literal -offset 4n
+%operator ALL = /bin/cat /var/log/messages*
+.Ed
+.Pp
+will allow command like:
+.Bd -literal -offset 4n
+$ sudo cat /var/log/messages.1
+.Ed
+.Pp
+It will also allow:
+.Bd -literal -offset 4n
+$ sudo cat /var/log/messages /etc/shadow
+.Ed
+.Pp
+which is probably not what was intended.
+.Ss Exceptions to wildcard rules
+The following exceptions apply to the above rules:
+.Bl -tag -width 8n
+.It Li \&""
+If the empty string
+.Li \&""
+is the only command line argument in the
+.Em sudoers
+entry it means that command is not allowed to be run with
+.Sy any
+arguments.
+.It sudoedit
+Command line arguments to the
+.Em sudoedit
+built-in command should always be path names, so a forward slash
+.Pq Ql /
+will not be matched by a wildcard.
+.El
+.Ss Including other files from within sudoers
+It is possible to include other
+.Em sudoers
+files from within the
+.Em sudoers
+file currently being parsed using the
+.Li #include
+and
+.Li #includedir
+directives.
+.Pp
+This can be used, for example, to keep a site-wide
+.Em sudoers
+file in addition to a local, per-machine file.
+For the sake of this example the site-wide
+.Em sudoers
+will be
+.Pa /etc/sudoers
+and the per-machine one will be
+.Pa /etc/sudoers.local .
+To include
+.Pa /etc/sudoers.local
+from within
+.Pa /etc/sudoers
+we would use the
+following line in
+.Pa /etc/sudoers :
+.Bd -literal -offset 4n
+#include /etc/sudoers.local
+.Ed
+.Pp
+When
+.Nm sudo
+reaches this line it will suspend processing of the current file
+.Pq Pa /etc/sudoers
+and switch to
+.Pa /etc/sudoers.local .
+Upon reaching the end of
+.Pa /etc/sudoers.local ,
+the rest of
+.Pa /etc/sudoers
+will be processed.
+Files that are included may themselves include other files.
+A hard limit of 128 nested include files is enforced to prevent include
+file loops.
+.Pp
+If the path to the include file is not fully-qualified (does not
+begin with a
+.Ql / ,
+it must be located in the same directory as the sudoers file it was
+included from.
+For example, if
+.Pa /etc/sudoers
+contains the line:
+.Bd -literal -offset 4n
+.Li #include sudoers.local
+.Ed
+.Pp
+the file that will be included is
+.Pa /etc/sudoers.local .
+.Pp
+The file name may also include the
+.Li %h
+escape, signifying the short form of the host name.
+In other words, if the machine's host name is
+.Dq xerxes ,
+then
+.Bd -literal -offset 4n
+#include /etc/sudoers.%h
+.Ed
+.Pp
+will cause
+.Nm sudo
+to include the file
+.Pa /etc/sudoers.xerxes .
+.Pp
+The
+.Li #includedir
+directive can be used to create a
+.Pa sudo.d
+directory that the system package manager can drop
+.Em sudoers
+rules
+into as part of package installation.
+For example, given:
+.Bd -literal -offset 4n
+#includedir /etc/sudoers.d
+.Ed
+.Pp
+.Nm sudo
+will read each file in
+.Pa /etc/sudoers.d ,
+skipping file names that end in
+.Ql ~
+or contain a
+.Ql .\&
+character to avoid causing problems with package manager or editor
+temporary/backup files.
+Files are parsed in sorted lexical order.
+That is,
+.Pa /etc/sudoers.d/01_first
+will be parsed before
+.Pa /etc/sudoers.d/10_second .
+Be aware that because the sorting is lexical, not numeric,
+.Pa /etc/sudoers.d/1_whoops
+would be loaded
+.Sy after
+.Pa /etc/sudoers.d/10_second .
+Using a consistent number of leading zeroes in the file names can be used
+to avoid such problems.
+.Pp
+Note that unlike files included via
+.Li #include ,
+.Nm visudo
+will not edit the files in a
+.Li #includedir
+directory unless one of them contains a syntax error.
+It is still possible to run
+.Nm visudo
+with the
+.Fl f
+flag to edit the files directly.
+.Ss Other special characters and reserved words
+The pound sign
+.Pq Ql #
+is used to indicate a comment (unless it is part of a #include
+directive or unless it occurs in the context of a user name and is
+followed by one or more digits, in which case it is treated as a
+uid).
+Both the comment character and any text after it, up to the end of
+the line, are ignored.
+.Pp
+The reserved word
+.Sy ALL
+is a built-in
+.Em alias
+that always causes a match to succeed.
+It can be used wherever one might otherwise use a
+.Li Cmnd_Alias ,
+.Li User_Alias ,
+.Li Runas_Alias ,
+or
+.Li Host_Alias .
+You should not try to define your own
+.Em alias
+called
+.Sy ALL
+as the built-in alias will be used in preference to your own.
+Please note that using
+.Sy ALL
+can be dangerous since in a command context, it allows the user to run
+.Sy any
+command on the system.
+.Pp
+An exclamation point
+.Pq Ql \&!
+can be used as a logical
+.Em not
+operator both in an
+.Em alias
+and in front of a
+.Li Cmnd .
+This allows one to exclude certain values.
+Note, however, that using a
+.Ql \&!
+in conjunction with the built-in
+.Sy ALL
+alias to allow a user to run
+.Dq all but a few
+commands rarely works as intended (see
+.Sx SECURITY NOTES
+below).
+.Pp
+Long lines can be continued with a backslash
+.Pq Ql \e
+as the last character on the line.
+.Pp
+White space between elements in a list as well as special syntactic
+characters in a
+.Em User Specification
+.Po
+.Ql =\& ,
+.Ql :\& ,
+.Ql (\& ,
+.Ql )\&
+.Pc
+is optional.
+.Pp
+The following characters must be escaped with a backslash
+.Pq Ql \e
+when used as part of a word (e.g.\& a user name or host name):
+.Ql \&! ,
+.Ql =\& ,
+.Ql :\& ,
+.Ql ,\& ,
+.Ql (\& ,
+.Ql )\& ,
+.Ql \e .
+.Sh SUDOERS OPTIONS
+.Nm sudo Ns No 's
+behavior can be modified by
+.Li Default_Entry
+lines, as explained earlier.
+A list of all supported Defaults parameters, grouped by type, are listed below.
+.Pp
+.Sy Boolean Flags :
+.Bl -tag -width 16n
+.It always_set_home
+If enabled,
+.Nm sudo
+will set the
+.Ev HOME
+environment variable to the home directory of the target user
+(which is root unless the
+.Fl u
+option is used).
+This effectively means that the
+.Fl H
+option is always implied.
+Note that
+.Ev HOME
+is already set when the the
+.Em env_reset
+option is enabled, so
+.Em always_set_home
+is only effective for configurations where either
+.Em env_reset
+is disabled or
+.Ev HOME
+is present in the
+.Em env_keep
+list.
+This flag is
+.Em off
+by default.
+.It authenticate
+If set, users must authenticate themselves via a password (or other
+means of authentication) before they may run commands.
+This default may be overridden via the
+.Li PASSWD
+and
+.Li NOPASSWD
+tags.
+This flag is
+.Em on
+by default.
+.It closefrom_override
+If set, the user may use
+.Nm sudo Ns No 's
+.Fl C
+option which overrides the default starting point at which
+.Nm sudo
+begins closing open file descriptors.
+This flag is
+.Em off
+by default.
+.It compress_io
+If set, and
+.Nm sudo
+is configured to log a command's input or output,
+the I/O logs will be compressed using
+.Sy zlib .
+This flag is
+.Em on
+by default when
+.Nm sudo
+is compiled with
+.Sy zlib
+support.
+.It env_editor
+If set,
+.Nm visudo
+will use the value of the
+.Ev EDITOR
+or
+.Ev VISUAL
+environment variables before falling back on the default editor list.
+Note that this may create a security hole as it allows the user to
+run any arbitrary command as root without logging.
+A safer alternative is to place a colon-separated list of editors
+in the
+.Li editor
+variable.
+.Nm visudo
+will then only use the
+.Ev EDITOR
+or
+.Ev VISUAL
+if they match a value specified in
+.Li editor .
+This flag is
+.Em @env_editor@
+by
+default.
+.It env_reset
+If set,
+.Nm sudo
+will run the command in a minimal environment containing the
+.Ev TERM ,
+.Ev PATH ,
+.Ev HOME ,
+.Ev MAIL ,
+.Ev SHELL ,
+.Ev LOGNAME ,
+.Ev USER ,
+.Ev USERNAME
+and
+.Ev SUDO_*
+variables.
+Any
+variables in the caller's environment that match the
+.Li env_keep
+and
+.Li env_check
+lists are then added, followed by any variables present in the file
+specified by the
+.Em env_file
+option (if any).
+The default contents of the
+.Li env_keep
+and
+.Li env_check
+lists are displayed when
+.Nm sudo
+is run by root with the
+.Fl V
+option.
+If the
+.Em secure_path
+option is set, its value will be used for the
+.Ev PATH
+environment variable.
+This flag is
+.Em @env_reset@
+by default.
+.It fast_glob
+Normally,
+.Nm sudo
+uses the
+.Xr glob 3
+function to do shell-style globbing when matching path names.
+However, since it accesses the file system,
+.Xr glob 3
+can take a long time to complete for some patterns, especially
+when the pattern references a network file system that is mounted
+on demand (auto mounted).
+The
+.Em fast_glob
+option causes
+.Nm sudo
+to use the
+.Xr fnmatch 3
+function, which does not access the file system to do its matching.
+The disadvantage of
+.Em fast_glob
+is that it is unable to match relative path names such as
+.Pa ./ls
+or
+.Pa ../bin/ls .
+This has security implications when path names that include globbing
+characters are used with the negation operator,
+.Ql !\& ,
+as such rules can be trivially bypassed.
+As such, this option should not be used when
+.Em sudoers
+contains rules that contain negated path names which include globbing
+characters.
+This flag is
+.Em off
+by default.
+.It fqdn
+Set this flag if you want to put fully qualified host names in the
+.Em sudoers
+file when the local host name (as returned by the
+.Li hostname
+command) does not contain the domain name.
+In other words, instead of myhost you would use myhost.mydomain.edu.
+You may still use the short form if you wish (and even mix the two).
+This option is only effective when the
+.Dq canonical
+host name, as returned by the
+.Fn getaddrinfo
+or
+.Fn gethostbyname
+function, is a fully-qualified domain name.
+This is usually the case when the system is configured to use DNS
+for host name resolution.
+.Pp
+If the system is configured to use the
+.Pa /etc/hosts
+file in preference to DNS, the
+.Dq canonical
+host name may not be fully-qualified.
+The order that sources are queried for hosts name resolution
+is usually specified in the
+.Pa @nsswitch_conf@ ,
+.Pa @netsvc_conf@ ,
+.Pa /etc/host.conf ,
+or, in some cases,
+.Pa /etc/resolv.conf
+file.
+In the
+.Pa /etc/hosts
+file, the first host name of the entry is considered to be the
+.Dq canonical
+name; subsequent names are aliases that are not used by
+.Nm sudoers .
+For example, the following hosts file line for the machine
+.Dq xyzzy
+has the fully-qualified domain name as the
+.Dq canonical
+host name, and the short version as an alias.
+.sp
+.Dl 192.168.1.1 xyzzy.sudo.ws xyzzy
+.sp
+If the machine's hosts file entry is not formatted properly, the
+.Em fqdn
+option will not be effective if it is queried before DNS.
+.Pp
+Beware that when using DNS for host name resolution, turning on
+.Em fqdn
+requires
+.Nm sudoers
+to make DNS lookups which renders
+.Nm sudo
+unusable if DNS stops working (for example if the machine is disconnected
+from the network).
+Also note that just like with the hosts file, you must use the
+.Dq canonical
+name as DNS knows it.
+That is, you may not use a host alias
+.Po
+.Li CNAME
+entry
+.Pc
+due to performance issues and the fact that there is no way to get all
+aliases from DNS.
+.Pp
+This flag is
+.Em @fqdn@
+by default.
+.It ignore_dot
+If set,
+.Nm sudo
+will ignore "." or "" (both denoting current directory) in the
+.Ev PATH
+environment variable; the
+.Ev PATH
+itself is not modified.
+This flag is
+.Em @ignore_dot@
+by default.
+.It ignore_local_sudoers
+If set via LDAP, parsing of
+.Pa @sysconfdir@/sudoers
+will be skipped.
+This is intended for Enterprises that wish to prevent the usage of local
+sudoers files so that only LDAP is used.
+This thwarts the efforts of rogue operators who would attempt to add roles to
+.Pa @sysconfdir@/sudoers .
+When this option is present,
+.Pa @sysconfdir@/sudoers
+does not even need to exist.
+Since this option tells
+.Nm sudo
+how to behave when no specific LDAP entries have been matched, this
+sudoOption is only meaningful for the
+.Li cn=defaults
+section.
+This flag is
+.Em off
+by default.
+.It insults
+If set,
+.Nm sudo
+will insult users when they enter an incorrect password.
+This flag is
+.Em @insults@
+by default.
+.It log_host
+If set, the host name will be logged in the (non-syslog)
+.Nm sudo
+log file.
+This flag is
+.Em off
+by default.
+.It log_input
+If set,
+.Nm sudo
+will run the command in a
+.Em pseudo tty
+and log all user input.
+If the standard input is not connected to the user's tty, due to
+I/O redirection or because the command is part of a pipeline, that
+input is also captured and stored in a separate log file.
+.Pp
+Input is logged to the directory specified by the
+.Em iolog_dir
+option
+.Po
+.Pa @iolog_dir@
+by default
+.Pc
+using a unique session ID that is included in the normal
+.Nm sudo
+log line, prefixed with
+.Dq Li TSID= .
+.Pp
+Note that user input may contain sensitive information such as
+passwords (even if they are not echoed to the screen), which will
+be stored in the log file unencrypted.
+In most cases, logging the command output via
+.Em log_output
+is all that is required.
+.It log_output
+If set,
+.Nm sudo
+will run the command in a
+.Em pseudo tty
+and log all output that is sent to the screen, similar to the
+.Xr script 1
+command.
+If the standard output or standard error is not connected to the
+user's tty, due to I/O redirection or because the command is part
+of a pipeline, that output is also captured and stored in separate
+log files.
+.Pp
+Output is logged to the directory specified by the
+.Em iolog_dir
+option
+.Po
+.Pa @iolog_dir@
+by default
+.Pc
+using a unique session ID that is included in the normal
+.Nm sudo
+log line, prefixed with
+.Dq Li TSID= .
+.Pp
+Output logs may be viewed with the
+.Xr sudoreplay @mansectsu@
+utility, which can also be used to list or search the available logs.
+.It log_year
+If set, the four-digit year will be logged in the (non-syslog)
+.Nm sudo
+log file.
+This flag is
+.Em off
+by default.
+.It long_otp_prompt
+When validating with a One Time Password (OTP) scheme such as
+.Sy S/Key
+or
+.Sy OPIE ,
+a two-line prompt is used to make it easier
+to cut and paste the challenge to a local window.
+It's not as pretty as the default but some people find it more convenient.
+This flag is
+.Em @long_otp_prompt@
+by default.
+.It mail_always
+Send mail to the
+.Em mailto
+user every time a users runs
+.Nm sudo .
+This flag is
+.Em off
+by default.
+.It mail_badpass
+Send mail to the
+.Em mailto
+user if the user running
+.Nm sudo
+does not enter the correct password.
+If the command the user is attempting to run is not permitted by
+.Em sudoers
+and one of the
+.Em mail_always ,
+.Em mail_no_host ,
+.Em mail_no_perms
+or
+.Em mail_no_user
+flags are set, this flag will have no effect.
+This flag is
+.Em off
+by default.
+.It mail_no_host
+If set, mail will be sent to the
+.Em mailto
+user if the invoking user exists in the
+.Em sudoers
+file, but is not allowed to run commands on the current host.
+This flag is
+.Em @mail_no_host@
+by default.
+.It mail_no_perms
+If set, mail will be sent to the
+.Em mailto
+user if the invoking user is allowed to use
+.Nm sudo
+but the command they are trying is not listed in their
+.Em sudoers
+file entry or is explicitly denied.
+This flag is
+.Em @mail_no_perms@
+by default.
+.It mail_no_user
+If set, mail will be sent to the
+.Em mailto
+user if the invoking user is not in the
+.Em sudoers
+file.
+This flag is
+.Em @mail_no_user@
+by default.
+.It noexec
+If set, all commands run via
+.Nm sudo
+will behave as if the
+.Li NOEXEC
+tag has been set, unless overridden by a
+.Li EXEC
+tag.
+See the description of
+.Em NOEXEC and EXEC
+below as well as the
+.Sx Preventing Shell Escapes
+section at the end of this manual.
+This flag is
+.Em off
+by default.
+.It path_info
+Normally,
+.Nm sudo
+will tell the user when a command could not be
+found in their
+.Ev PATH
+environment variable.
+Some sites may wish to disable this as it could be used to gather
+information on the location of executables that the normal user does
+not have access to.
+The disadvantage is that if the executable is simply not in the user's
+.Ev PATH ,
+.Nm sudo
+will tell the user that they are not allowed to run it, which can be confusing.
+This flag is
+.Em @path_info@
+by default.
+.It passprompt_override
+The password prompt specified by
+.Em passprompt
+will normally only be used if the password prompt provided by systems
+such as PAM matches the string
+.Dq Password: .
+If
+.Em passprompt_override
+is set,
+.Em passprompt
+will always be used.
+This flag is
+.Em off
+by default.
+.It preserve_groups
+By default,
+.Nm sudo
+will initialize the group vector to the list of groups the target user is in.
+When
+.Em preserve_groups
+is set, the user's existing group vector is left unaltered.
+The real and effective group IDs, however, are still set to match the
+target user.
+This flag is
+.Em off
+by default.
+.It pwfeedback
+By default,
+.Nm sudo
+reads the password like most other Unix programs,
+by turning off echo until the user hits the return (or enter) key.
+Some users become confused by this as it appears to them that
+.Nm sudo
+has hung at this point.
+When
+.Em pwfeedback
+is set,
+.Nm sudo
+will provide visual feedback when the user presses a key.
+Note that this does have a security impact as an onlooker may be able to
+determine the length of the password being entered.
+This flag is
+.Em off
+by default.
+.It requiretty
+If set,
+.Nm sudo
+will only run when the user is logged in to a real tty.
+When this flag is set,
+.Nm sudo
+can only be run from a login session and not via other means such as
+.Xr cron @mansectsu@
+or cgi-bin scripts.
+This flag is
+.Em off
+by default.
+.It root_sudo
+If set, root is allowed to run
+.Nm sudo
+too.
+Disabling this prevents users from
+.Dq chaining
+.Nm sudo
+commands to get a root shell by doing something like
+.Dq Li sudo sudo /bin/sh .
+Note, however, that turning off
+.Em root_sudo
+will also prevent root from running
+.Nm sudoedit .
+Disabling
+.Em root_sudo
+provides no real additional security; it exists purely for historical reasons.
+This flag is
+.Em @root_sudo@
+by default.
+.It rootpw
+If set,
+.Nm sudo
+will prompt for the root password instead of the password of the invoking user.
+This flag is
+.Em off
+by default.
+.It runaspw
+If set,
+.Nm sudo
+will prompt for the password of the user defined by the
+.Em runas_default
+option (defaults to
+.Li @runas_default@ )
+instead of the password of the invoking user.
+This flag is
+.Em off
+by default.
+.It set_home
+If enabled and
+.Nm sudo
+is invoked with the
+.Fl s
+option the
+.Ev HOME
+environment variable will be set to the home directory of the target
+user (which is root unless the
+.Fl u
+option is used).
+This effectively makes the
+.Fl s
+option imply
+.Fl H .
+Note that
+.Ev HOME
+is already set when the the
+.Em env_reset
+option is enabled, so
+.Em set_home
+is only effective for configurations where either
+.Em env_reset
+is disabled
+or
+.Ev HOME
+is present in the
+.Em env_keep
+list.
+This flag is
+.Em off
+by default.
+.It set_logname
+Normally,
+.Nm sudo
+will set the
+.Ev LOGNAME ,
+.Ev USER
+and
+.Ev USERNAME
+environment variables to the name of the target user (usually root unless the
+.Fl u
+option is given).
+However, since some programs (including the RCS revision control system) use
+.Ev LOGNAME
+to determine the real identity of the user, it may be desirable to
+change this behavior.
+This can be done by negating the set_logname option.
+Note that if the
+.Em env_reset
+option has not been disabled, entries in the
+.Em env_keep
+list will override the value of
+.Em set_logname .
+This flag is
+.Em on
+by default.
+.It setenv
+Allow the user to disable the
+.Em env_reset
+option from the command line via the
+.Fl E
+option.
+Additionally, environment variables set via the command line are
+not subject to the restrictions imposed by
+.Em env_check ,
+.Em env_delete ,
+or
+.Em env_keep .
+As such, only trusted users should be allowed to set variables in this manner.
+This flag is
+.Em off
+by default.
+.It shell_noargs
+If set and
+.Nm sudo
+is invoked with no arguments it acts as if the
+.Fl s
+option had been given.
+That is, it runs a shell as root (the shell is determined by the
+.Ev SHELL
+environment variable if it is set, falling back on the shell listed
+in the invoking user's /etc/passwd entry if not).
+This flag is
+.Em off
+by default.
+.It stay_setuid
+Normally, when
+.Nm sudo
+executes a command the real and effective UIDs are set to the target
+user (root by default).
+This option changes that behavior such that the real UID is left
+as the invoking user's UID.
+In other words, this makes
+.Nm sudo
+act as a setuid wrapper.
+This can be useful on systems that disable some potentially
+dangerous functionality when a program is run setuid.
+This option is only effective on systems that support either the
+.Xr setreuid 2
+or
+.Xr setresuid 2
+system call.
+This flag is
+.Em off
+by default.
+.It targetpw
+If set,
+.Nm sudo
+will prompt for the password of the user specified
+by the
+.Fl u
+option (defaults to
+.Li root )
+instead of the password of the invoking user.
+In addition, the time stamp file name will include the target user's name.
+Note that this flag precludes the use of a uid not listed in the passwd
+database as an argument to the
+.Fl u
+option.
+This flag is
+.Em off
+by default.
+.It tty_tickets
+If set, users must authenticate on a per-tty basis.
+With this flag enabled,
+.Nm sudo
+will use a file named for the tty the user is
+logged in on in the user's time stamp directory.
+If disabled, the time stamp of the directory is used instead.
+This flag is
+.Em @tty_tickets@
+by default.
+.It umask_override
+If set,
+.Nm sudo
+will set the umask as specified by
+.Em sudoers
+without modification.
+This makes it possible to specify a more permissive umask in
+.Em sudoers
+than the user's own umask and matches historical behavior.
+If
+.Em umask_override
+is not set,
+.Nm sudo
+will set the umask to be the union of the user's umask and what is specified in
+.Em sudoers .
+This flag is
+.Em @umask_override@
+by default.
+.It use_loginclass
+If set,
+.Nm sudo
+will apply the defaults specified for the target user's login class
+if one exists.
+Only available if
+.Nm sudo
+is configured with the
+.Li --with-logincap
+option.
+This flag is
+.Em off
+by default.
+.It use_pty
+If set,
+.Nm sudo
+will run the command in a pseudo-pty even if no I/O logging is being gone.
+A malicious program run under
+.Nm sudo
+could conceivably fork a background process that retains to the user's
+terminal device after the main program has finished executing.
+Use of this option will make that impossible.
+This flag is
+.Em off
+by default.
+.It visiblepw
+By default,
+.Nm sudo
+will refuse to run if the user must enter a password but it is not
+possible to disable echo on the terminal.
+If the
+.Em visiblepw
+flag is set,
+.Nm sudo
+will prompt for a password even when it would be visible on the screen.
+This makes it possible to run things like
+.Dq Li ssh somehost sudo ls
+since by default,
+.Xr ssh 1
+does
+not allocate a tty when running a command.
+This flag is
+.Em off
+by default.
+.El
+.Pp
+.Sy Integers :
+.Bl -tag -width 16n
+.It closefrom
+Before it executes a command,
+.Nm sudo
+will close all open file descriptors other than standard input,
+standard output and standard error (ie: file descriptors 0-2).
+The
+.Em closefrom
+option can be used to specify a different file descriptor at which
+to start closing.
+The default is
+.Li 3 .
+.It passwd_tries
+The number of tries a user gets to enter his/her password before
+.Nm sudo
+logs the failure and exits.
+The default is
+.Li @passwd_tries@ .
+.El
+.Pp
+.Sy Integers that can be used in a boolean context :
+.Bl -tag -width 16n
+.It loglinelen
+Number of characters per line for the file log.
+This value is used to decide when to wrap lines for nicer log files.
+This has no effect on the syslog log file, only the file log.
+The default is
+.Li @loglen@
+(use 0 or negate the option to disable word wrap).
+.It passwd_timeout
+Number of minutes before the
+.Nm sudo
+password prompt times out, or
+.Li 0
+for no timeout.
+The timeout may include a fractional component
+if minute granularity is insufficient, for example
+.Li 2.5 .
+The
+default is
+.Li @password_timeout@ .
+.It timestamp_timeout
+Number of minutes that can elapse before
+.Nm sudo
+will ask for a passwd again.
+The timeout may include a fractional component if
+minute granularity is insufficient, for example
+.Li 2.5 .
+The default is
+.Li @timeout@ .
+Set this to
+.Li 0
+to always prompt for a password.
+If set to a value less than
+.Li 0
+the user's time stamp will never expire.
+This can be used to allow users to create or delete their own time stamps via
+.Dq Li sudo -v
+and
+.Dq Li sudo -k
+respectively.
+.It umask
+Umask to use when running the command.
+Negate this option or set it to 0777 to preserve the user's umask.
+The actual umask that is used will be the union of the user's umask
+and the value of the
+.Em umask
+option, which defaults to
+.Li @sudo_umask@ .
+This guarantees
+that
+.Nm sudo
+never lowers the umask when running a command.
+Note: on systems that use PAM, the default PAM configuration may specify
+its own umask which will override the value set in
+.Em sudoers .
+.El
+.Pp
+.Sy Strings :
+.Bl -tag -width 16n
+.It badpass_message
+Message that is displayed if a user enters an incorrect password.
+The default is
+.Li @badpass_message@
+unless insults are enabled.
+.It editor
+A colon
+.Pq Ql :\&
+separated list of editors allowed to be used with
+.Nm visudo .
+.Nm visudo
+will choose the editor that matches the user's
+.Ev EDITOR
+environment variable if possible, or the first editor in the
+list that exists and is executable.
+The default is
+.Pa @editor@ .
+.It iolog_dir
+The directory in which to store input/output logs when the
+.Em log_input
+or
+.Em log_output
+options are enabled or when the
+.Li LOG_INPUT
+or
+.Li LOG_OUTPUT
+tags are present for a command.
+The default is
+.Pa @iolog_dir@ .
+.It mailsub
+Subject of the mail sent to the
+.Em mailto
+user.
+The escape
+.Li %h
+will expand to the host name of the machine.
+Default is
+.Dq Li @mailsub@ .
+.It noexec_file
+The
+.Em noexec
+option specifies the the fully-qualified path to a shared library
+containing dummy versions of the
+.Fn execv ,
+.Fn execve
+and
+.Fn fexecve
+library functions that just return an error.
+This is used to implement the
+.Em noexec
+functionality on systems that support
+.Ev LD_PRELOAD
+or its equivalent.
+Defaults to
+.Pa @noexec_file@ .
+.It passprompt
+The default prompt to use when asking for a password; can be overridden via the
+.Fl p
+option or the
+.Ev SUDO_PROMPT
+environment variable.
+The following percent
+.Pq Ql %
+escape sequences are supported:
+.Bl -tag -width 4n
+.It Li %H
+expanded to the local host name including the domain name
+(only if the machine's host name is fully qualified or the
+.Em fqdn
+option is set)
+.It Li %h
+expanded to the local host name without the domain name
+.It Li %p
+expanded to the user whose password is being asked for (respects the
+.Em rootpw ,
+.Em targetpw
+and
+.Em runaspw
+flags in
+.Em sudoers )
+.It Li \&%U
+expanded to the login name of the user the command will
+be run as (defaults to root)
+.It Li %u
+expanded to the invoking user's login name
+.It Li %%
+two consecutive
+.Li %
+characters are collapsed into a single
+.Li %
+character
+.El
+.Pp
+The default value is
+.Dq Li @passprompt@ .
+.It role
+The default SELinux role to use when constructing a new security
+context to run the command.
+The default role may be overridden on a per-command basis in
+.Em sudoers
+or via command line options.
+This option is only available when
+.Nm sudo
+is built with SELinux support.
+.It runas_default
+The default user to run commands as if the
+.Fl u
+option is not specified on the command line.
+This defaults to
+.Li @runas_default@ .
+.It syslog_badpri
+Syslog priority to use when user authenticates unsuccessfully.
+Defaults to
+.Li @badpri@ .
+.Pp
+The following syslog priorities are supported:
+.Sy alert ,
+.Sy crit ,
+.Sy debug ,
+.Sy emerg ,
+.Sy err ,
+.Sy info ,
+.Sy notice ,
+and
+.Sy warning .
+.It syslog_goodpri
+Syslog priority to use when user authenticates successfully.
+Defaults to
+.Li @goodpri@ .
+.Pp
+See
+.Sx syslog_badpri
+for the list of supported syslog priorities.
+.It sudoers_locale
+Locale to use when parsing the sudoers file, logging commands, and
+sending email.
+Note that changing the locale may affect how sudoers is interpreted.
+Defaults to
+.Dq Li C .
+.It timestampdir
+The directory in which
+.Nm sudo
+stores its time stamp files.
+The default is
+.Pa @timedir@ .
+.It timestampowner
+The owner of the time stamp directory and the time stamps stored therein.
+The default is
+.Li root .
+.It type
+The default SELinux type to use when constructing a new security
+context to run the command.
+The default type may be overridden on a per-command basis in
+.Em sudoers
+or via command line options.
+This option is only available when
+.Nm sudo
+is built with SELinux support.
+.El
+.Pp
+.Sy Strings that can be used in a boolean context :
+.Bl -tag -width 12n
+.It askpass
+The
+.Em askpass
+option specifies the fully qualified path to a helper program used
+to read the user's password when no terminal is available.
+This may be the case when
+.Nm sudo
+is executed from a graphical (as opposed to text-based) application.
+The program specified by
+.Em askpass
+should display the argument passed to it as the prompt and write
+the user's password to the standard output.
+The value of
+.Em askpass
+may be overridden by the
+.Ev SUDO_ASKPASS
+environment variable.
+.It env_file
+The
+.Em env_file
+option specifies the fully qualified path to a file containing variables
+to be set in the environment of the program being run.
+Entries in this file should either be of the form
+.Dq Li VARIABLE=value
+or
+.Dq Li export VARIABLE=value .
+The value may optionally be surrounded by single or double quotes.
+Variables in this file are subject to other
+.Nm sudo
+environment settings such as
+.Em env_keep
+and
+.Em env_check .
+.It exempt_group
+Users in this group are exempt from password and PATH requirements.
+The group name specified should not include a
+.Li %
+prefix.
+This is not set by default.
+.It lecture
+This option controls when a short lecture will be printed along with
+the password prompt.
+It has the following possible values:
+.Bl -tag -width 6n
+.It always
+Always lecture the user.
+.It never
+Never lecture the user.
+.It once
+Only lecture the user the first time they run
+.Nm sudo .
+.El
+.Pp
+If no value is specified, a value of
+.Em once
+is implied.
+Negating the option results in a value of
+.Em never
+being used.
+The default value is
+.Em @lecture@ .
+.It lecture_file
+Path to a file containing an alternate
+.Nm sudo
+lecture that will be used in place of the standard lecture if the named
+file exists.
+By default,
+.Nm sudo
+uses a built-in lecture.
+.It listpw
+This option controls when a password will be required when a user runs
+.Nm sudo
+with the
+.Fl l
+option.
+It has the following possible values:
+.Bl -tag -width 8n
+.It all
+All the user's
+.Em sudoers
+entries for the current host must have
+the
+.Li NOPASSWD
+flag set to avoid entering a password.
+.It always
+The user must always enter a password to use the
+.Fl l
+option.
+.It any
+At least one of the user's
+.Em sudoers
+entries for the current host
+must have the
+.Li NOPASSWD
+flag set to avoid entering a password.
+.It never
+The user need never enter a password to use the
+.Fl l
+option.
+.El
+.Pp
+If no value is specified, a value of
+.Em any
+is implied.
+Negating the option results in a value of
+.Em never
+being used.
+The default value is
+.Em any .
+.It logfile
+Path to the
+.Nm sudo
+log file (not the syslog log file).
+Setting a path turns on logging to a file;
+negating this option turns it off.
+By default,
+.Nm sudo
+logs via syslog.
+.It mailerflags
+Flags to use when invoking mailer. Defaults to
+.Fl t .
+.It mailerpath
+Path to mail program used to send warning mail.
+Defaults to the path to sendmail found at configure time.
+.It mailfrom
+Address to use for the
+.Dq from
+address when sending warning and error mail.
+The address should be enclosed in double quotes
+.Pq \&""
+to protect against
+.Nm sudo
+interpreting the
+.Li @
+sign.
+Defaults to the name of the user running
+.Nm sudo .
+.It mailto
+Address to send warning and error mail to.
+The address should be enclosed in double quotes
+.Pq \&""
+to protect against
+.Nm sudo
+interpreting the
+.Li @
+sign.
+Defaults to
+.Li @mailto@ .
+.It secure_path
+Path used for every command run from
+.Nm sudo .
+If you don't trust the
+people running
+.Nm sudo
+to have a sane
+.Ev PATH
+environment variable you may want to use this.
+Another use is if you want to have the
+.Dq root path
+be separate from the
+.Dq user path .
+Users in the group specified by the
+.Em exempt_group
+option are not affected by
+.Em secure_path .
+This option is @secure_path@ by default.
+.It syslog
+Syslog facility if syslog is being used for logging (negate to
+disable syslog logging).
+Defaults to
+.Li @logfac@ .
+.Pp
+The following syslog facilities are supported:
+.Sy authpriv
+(if your
+OS supports it),
+.Sy auth ,
+.Sy daemon ,
+.Sy user ,
+.Sy local0 ,
+.Sy local1 ,
+.Sy local2 ,
+.Sy local3 ,
+.Sy local4 ,
+.Sy local5 ,
+.Sy local6 ,
+and
+.Sy local7 .
+.It verifypw
+This option controls when a password will be required when a user runs
+.Nm sudo
+with the
+.Fl v
+option.
+It has the following possible values:
+.Bl -tag -width 6n
+.It all
+All the user's
+.Em sudoers
+entries for the current host must have the
+.Li NOPASSWD
+flag set to avoid entering a password.
+.It always
+The user must always enter a password to use the
+.Fl v
+option.
+.It any
+At least one of the user's
+.Em sudoers
+entries for the current host must have the
+.Li NOPASSWD
+flag set to avoid entering a password.
+.It never
+The user need never enter a password to use the
+.Fl v
+option.
+.El
+.Pp
+If no value is specified, a value of
+.Em all
+is implied.
+Negating the option results in a value of
+.Em never
+being used.
+The default value is
+.Em all .
+.El
+.Pp
+.Sy Lists that can be used in a boolean context :
+.Bl -tag -width 16n
+.It env_check
+Environment variables to be removed from the user's environment if
+the variable's value contains
+.Ql %
+or
+.Ql /
+characters.
+This can be used to guard against printf-style format vulnerabilities
+in poorly-written programs.
+The argument may be a double-quoted, space-separated list or a
+single value without double-quotes.
+The list can be replaced, added to, deleted from, or disabled by using
+the
+.Li = ,
+.Li += ,
+.Li -= ,
+and
+.Li \&!
+operators respectively.
+Regardless of whether the
+.Li env_reset
+option is enabled or disabled, variables specified by
+.Li env_check
+will be preserved in the environment if they pass the aforementioned check.
+The default list of environment variables to check is displayed when
+.Nm sudo
+is run by root with
+the
+.Fl V
+option.
+.It env_delete
+Environment variables to be removed from the user's environment when the
+.Em env_reset
+option is not in effect.
+The argument may be a double-quoted, space-separated list or a
+single value without double-quotes.
+The list can be replaced, added to, deleted from, or disabled by using the
+.Li = ,
+.Li += ,
+.Li -= ,
+and
+.Li \&!
+operators respectively.
+The default list of environment variables to remove is displayed when
+.Nm sudo
+is run by root with the
+.Fl V
+option.
+Note that many operating systems will remove potentially dangerous
+variables from the environment of any setuid process (such as
+.Nm sudo ) .
+.It env_keep
+Environment variables to be preserved in the user's environment when the
+.Em env_reset
+option is in effect.
+This allows fine-grained control over the environment
+.Nm sudo Ns No -spawned
+processes will receive.
+The argument may be a double-quoted, space-separated list or a
+single value without double-quotes.
+The list can be replaced, added to, deleted from, or disabled by using the
+.Li = ,
+.Li += ,
+.Li -= ,
+and
+.Li \&!
+operators respectively.
+The default list of variables to keep
+is displayed when
+.Nm sudo
+is run by root with the
+.Fl V
+option.
+.El
+.Sh FILES
+.Bl -tag -width 24n
+.It Pa @sysconfdir@/sudoers
+List of who can run what
+.It Pa /etc/group
+Local groups file
+.It Pa /etc/netgroup
+List of network groups
+.It Pa @iolog_dir@
+I/O log files
+.El
+.Sh EXAMPLES
+Below are example
+.Em sudoers
+entries.
+Admittedly, some of these are a bit contrived.
+First, we allow a few environment variables to pass and then define our
+.Em aliases :
+.Bd -literal
+# Run X applications through sudo; HOME is used to find the
+# .Xauthority file. Note that other programs use HOME to find
+# configuration files and this may lead to privilege escalation!
+Defaults env_keep += "DISPLAY HOME"
+
+# User alias specification
+User_Alias FULLTIMERS = millert, mikef, dowdy
+User_Alias PARTTIMERS = bostley, jwfox, crawl
+User_Alias WEBMASTERS = will, wendy, wim
+
+# Runas alias specification
+Runas_Alias OP = root, operator
+Runas_Alias DB = oracle, sybase
+Runas_Alias ADMINGRP = adm, oper
+
+# Host alias specification
+Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e
+ SGI = grolsch, dandelion, black :\e
+ ALPHA = widget, thalamus, foobar :\e
+ HPPA = boa, nag, python
+Host_Alias CUNETS = 128.138.0.0/255.255.0.0
+Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
+Host_Alias SERVERS = master, mail, www, ns
+Host_Alias CDROM = orion, perseus, hercules
+
+# Cmnd alias specification
+Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e
+ /usr/sbin/restore, /usr/sbin/rrestore
+Cmnd_Alias KILL = /usr/bin/kill
+Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
+Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
+Cmnd_Alias HALT = /usr/sbin/halt
+Cmnd_Alias REBOOT = /usr/sbin/reboot
+Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\e
+ /usr/local/bin/tcsh, /usr/bin/rsh,\e
+ /usr/local/bin/zsh
+Cmnd_Alias SU = /usr/bin/su
+Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
+.Ed
+.Pp
+Here we override some of the compiled in default values.
+We want
+.Nm sudo
+to log via
+.Xr syslog 3
+using the
+.Em auth
+facility in all cases.
+We don't want to subject the full time staff to the
+.Nm sudo
+lecture, user
+.Sy millert
+need not give a password, and we don't want to reset the
+.Ev LOGNAME ,
+.Ev USER
+or
+.Ev USERNAME
+environment variables when running commands as root.
+Additionally, on the machines in the
+.Em SERVERS
+.Li Host_Alias ,
+we keep an additional local log file and make sure we log the year
+in each log line since the log entries will be kept around for several years.
+Lastly, we disable shell escapes for the commands in the PAGERS
+.Li Cmnd_Alias
+.Po
+.Pa /usr/bin/more ,
+.Pa /usr/bin/pg
+and
+.Pa /usr/bin/less
+.Pc .
+.Bd -literal
+# Override built-in defaults
+Defaults syslog=auth
+Defaults>root !set_logname
+Defaults:FULLTIMERS !lecture
+Defaults:millert !authenticate
+Defaults@SERVERS log_year, logfile=/var/log/sudo.log
+Defaults!PAGERS noexec
+.Ed
+.Pp
+The
+.Em User specification
+is the part that actually determines who may run what.
+.Bd -literal
+root ALL = (ALL) ALL
+%wheel ALL = (ALL) ALL
+.Ed
+.Pp
+We let
+.Sy root
+and any user in group
+.Sy wheel
+run any command on any host as any user.
+.Bd -literal
+FULLTIMERS ALL = NOPASSWD: ALL
+.Ed
+.Pp
+Full time sysadmins
+.Po
+.Sy millert ,
+.Sy mikef ,
+and
+.Sy dowdy
+.Pc
+may run any command on any host without authenticating themselves.
+.Bd -literal
+PARTTIMERS ALL = ALL
+.Ed
+.Pp
+Part time sysadmins
+.Sy bostley ,
+.Sy jwfox ,
+and
+.Sy crawl )
+may run any command on any host but they must authenticate themselves
+first (since the entry lacks the
+.Li NOPASSWD
+tag).
+.Bd -literal
+jack CSNETS = ALL
+.Ed
+.Pp
+The user
+.Sy jack
+may run any command on the machines in the
+.Em CSNETS
+alias (the networks
+.Li 128.138.243.0 ,
+.Li 128.138.204.0 ,
+and
+.Li 128.138.242.0 ) .
+Of those networks, only
+.Li 128.138.204.0
+has an explicit netmask (in CIDR notation) indicating it is a class C network.
+For the other networks in
+.Em CSNETS ,
+the local machine's netmask will be used during matching.
+.Bd -literal
+lisa CUNETS = ALL
+.Ed
+.Pp
+The user
+.Sy lisa
+may run any command on any host in the
+.Em CUNETS
+alias (the class B network
+.Li 128.138.0.0 ) .
+.Bd -literal
+operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\e
+ sudoedit /etc/printcap, /usr/oper/bin/
+.Ed
+.Pp
+The
+.Sy operator
+user may run commands limited to simple maintenance.
+Here, those are commands related to backups, killing processes, the
+printing system, shutting down the system, and any commands in the
+directory
+.Pa /usr/oper/bin/ .
+.Bd -literal
+joe ALL = /usr/bin/su operator
+.Ed
+.Pp
+The user
+.Sy joe
+may only
+.Xr su 1
+to operator.
+.Bd -literal
+pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
+
+%opers ALL = (: ADMINGRP) /usr/sbin/
+.Ed
+.Pp
+Users in the
+.Sy opers
+group may run commands in
+.Pa /usr/sbin/
+as themselves
+with any group in the
+.Em ADMINGRP
+.Li Runas_Alias
+(the
+.Sy adm
+and
+.Sy oper
+groups).
+.Pp
+The user
+.Sy pete
+is allowed to change anyone's password except for
+root on the
+.Em HPPA
+machines.
+Note that this assumes
+.Xr passwd 1
+does not take multiple user names on the command line.
+.Bd -literal
+bob SPARC = (OP) ALL : SGI = (OP) ALL
+.Ed
+.Pp
+The user
+.Sy bob
+may run anything on the
+.Em SPARC
+and
+.Em SGI
+machines as any user listed in the
+.Em OP
+.Li Runas_Alias
+.Po
+.Sy root
+and
+.Sy operator .
+.Pc
+.Bd -literal
+jim +biglab = ALL
+.Ed
+.Pp
+The user
+.Sy jim
+may run any command on machines in the
+.Em biglab
+netgroup.
+.Nm sudo
+knows that
+.Dq biglab
+is a netgroup due to the
+.Ql +
+prefix.
+.Bd -literal
++secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
+.Ed
+.Pp
+Users in the
+.Sy secretaries
+netgroup need to help manage the printers as well as add and remove users,
+so they are allowed to run those commands on all machines.
+.Bd -literal
+fred ALL = (DB) NOPASSWD: ALL
+.Ed
+.Pp
+The user
+.Sy fred
+can run commands as any user in the
+.Em DB
+.Li Runas_Alias
+.Po
+.Sy oracle
+or
+.Sy sybase
+.Pc
+without giving a password.
+.Bd -literal
+john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
+.Ed
+.Pp
+On the
+.Em ALPHA
+machines, user
+.Sy john
+may su to anyone except root but he is not allowed to specify any options
+to the
+.Xr su 1
+command.
+.Bd -literal
+jen ALL, !SERVERS = ALL
+.Ed
+.Pp
+The user
+.Sy jen
+may run any command on any machine except for those in the
+.Em SERVERS
+.Li Host_Alias
+(master, mail, www and ns).
+.Bd -literal
+jill SERVERS = /usr/bin/, !SU, !SHELLS
+.Ed
+.Pp
+For any machine in the
+.Em SERVERS
+.Li Host_Alias ,
+.Sy jill
+may run
+any commands in the directory
+.Pa /usr/bin/
+except for those commands
+belonging to the
+.Em SU
+and
+.Em SHELLS
+.Li Cmnd_Aliases .
+.Bd -literal
+steve CSNETS = (operator) /usr/local/op_commands/
+.Ed
+.Pp
+The user
+.Sy steve
+may run any command in the directory /usr/local/op_commands/
+but only as user operator.
+.Bd -literal
+matt valkyrie = KILL
+.Ed
+.Pp
+On his personal workstation, valkyrie,
+.Sy matt
+needs to be able to kill hung processes.
+.Bd -literal
+WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
+.Ed
+.Pp
+On the host www, any user in the
+.Em WEBMASTERS
+.Li User_Alias
+(will, wendy, and wim), may run any command as user www (which owns the
+web pages) or simply
+.Xr su 1
+to www.
+.Bd -literal
+ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e
+ /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
+.Ed
+.Pp
+Any user may mount or unmount a CD-ROM on the machines in the CDROM
+.Li Host_Alias
+(orion, perseus, hercules) without entering a password.
+This is a bit tedious for users to type, so it is a prime candidate
+for encapsulating in a shell script.
+.Sh SECURITY NOTES
+.Ss Limitations of the So !\& Sc operator
+It is generally not effective to
+.Dq subtract
+commands from
+.Sy ALL
+using the
+.Ql !\&
+operator.
+A user can trivially circumvent this by copying the desired command
+to a different name and then executing that.
+For example:
+.Bd -literal
+bill ALL = ALL, !SU, !SHELLS
+.Ed
+.Pp
+Doesn't really prevent
+.Sy bill
+from running the commands listed in
+.Em SU
+or
+.Em SHELLS
+since he can simply copy those commands to a different name, or use
+a shell escape from an editor or other program.
+Therefore, these kind of restrictions should be considered
+advisory at best (and reinforced by policy).
+.Pp
+In general, if a user has sudo
+.Sy ALL
+there is nothing to prevent them from creating their own program that gives
+them a root shell (or making their own copy of a shell) regardless of any
+.Ql !\&
+elements in the user specification.
+.Ss Security implications of Em fast_glob
+If the
+.Em fast_glob
+option is in use, it is not possible to reliably negate commands where the
+path name includes globbing (aka wildcard) characters.
+This is because the C library's
+.Xr fnmatch 3
+function cannot resolve relative paths.
+While this is typically only an inconvenience for rules that grant privileges,
+it can result in a security issue for rules that subtract or revoke privileges.
+.Pp
+For example, given the following
+.Em sudoers
+entry:
+.Bd -literal
+john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\e
+ /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
+.Ed
+.Pp
+User
+.Sy john
+can still run
+.Li /usr/bin/passwd root
+if
+.Em fast_glob
+is enabled by changing to
+.Pa /usr/bin
+and running
+.Li ./passwd root
+instead.
+.Ss Preventing Shell Escapes
+Once
+.Nm sudo
+executes a program, that program is free to do whatever
+it pleases, including run other programs.
+This can be a security issue since it is not uncommon for a program to
+allow shell escapes, which lets a user bypass
+.Nm sudo Ns No 's
+access control and logging.
+Common programs that permit shell escapes include shells (obviously),
+editors, paginators, mail and terminal programs.
+.Pp
+There are two basic approaches to this problem:
+.Bl -tag -width 8n
+.It restrict
+Avoid giving users access to commands that allow the user to run
+arbitrary commands.
+Many editors have a restricted mode where shell
+escapes are disabled, though
+.Nm sudoedit
+is a better solution to
+running editors via
+.Nm sudo .
+Due to the large number of programs that
+offer shell escapes, restricting users to the set of programs that
+do not is often unworkable.
+.It noexec
+Many systems that support shared libraries have the ability to
+override default library functions by pointing an environment
+variable (usually
+.Ev LD_PRELOAD )
+to an alternate shared library.
+On such systems,
+.Nm sudo Ns No 's
+.Em noexec
+functionality can be used to prevent a program run by
+.Nm sudo
+from executing any other programs.
+Note, however, that this applies only to native dynamically-linked
+executables.
+Statically-linked executables and foreign executables
+running under binary emulation are not affected.
+.Pp
+The
+.Em noexec
+feature is known to work on SunOS, Solaris, *BSD,
+Linux, IRIX, Tru64 UNIX, MacOS X, HP-UX 11.x and AIX 5.3 and above.
+It should be supported on most operating systems that support the
+.Ev LD_PRELOAD
+environment variable.
+Check your operating system's manual pages for the dynamic linker
+(usually ld.so, ld.so.1, dyld, dld.sl, rld, or loader) to see if
+.Ev LD_PRELOAD
+is supported.
+.Pp
+On Solaris 10 and higher,
+.Em noexec
+uses Solaris privileges instead of the
+.Ev LD_PRELOAD
+environment variable.
+.Pp
+To enable
+.Em noexec
+for a command, use the
+.Li NOEXEC
+tag as documented
+in the User Specification section above.
+Here is that example again:
+.Bd -literal
+aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+.Ed
+.Pp
+This allows user
+.Sy aaron
+to run
+.Pa /usr/bin/more
+and
+.Pa /usr/bin/vi
+with
+.Em noexec
+enabled.
+This will prevent those two commands from
+executing other commands (such as a shell).
+If you are unsure whether or not your system is capable of supporting
+.Em noexec
+you can always just try it out and check whether shell escapes work when
+.Em noexec
+is enabled.
+.El
+.Pp
+Note that restricting shell escapes is not a panacea.
+Programs running as root are still capable of many potentially hazardous
+operations (such as changing or overwriting files) that could lead
+to unintended privilege escalation.
+In the specific case of an editor, a safer approach is to give the
+user permission to run
+.Nm sudoedit .
+.Sh SEE ALSO
+.Xr ssh 1 ,
+.Xr su 1 ,
+.Xr fnmatch 3 ,
+.Xr glob 3 ,
+.Xr mktemp 3 ,
+.Xr strftime 3 ,
+.Xr sudoers.ldap @mansectform@ ,
+.Xr sudo @mansectsu@ ,
+.Xr visudo @mansectsu@
+.Sh CAVEATS
+The
+.Em sudoers
+file should
+.Sy always
+be edited by the
+.Nm visudo
+command which locks the file and does grammatical checking.
+It is
+imperative that
+.Em sudoers
+be free of syntax errors since
+.Nm sudo
+will not run with a syntactically incorrect
+.Em sudoers
+file.
+.Pp
+When using netgroups of machines (as opposed to users), if you
+store fully qualified host name in the netgroup (as is usually the
+case), you either need to have the machine's host name be fully qualified
+as returned by the
+.Li hostname
+command or use the
+.Em fqdn
+option in
+.Em sudoers .
+.Sh BUGS
+If you feel you have found a bug in
+.Nm sudo ,
+please submit a bug report at http://www.sudo.ws/sudo/bugs/
+.Sh SUPPORT
+Limited free support is available via the sudo-users mailing list,
+see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
+search the archives.
+.Sh DISCLAIMER
+.Nm sudo
+is provided
+.Dq AS IS
+and any express or implied warranties, including, but not limited
+to, the implied warranties of merchantability and fitness for a
+particular purpose are disclaimed.
+See the LICENSE file distributed with
+.Nm sudo
+or http://www.sudo.ws/sudo/license.html for complete details.
+++ /dev/null
-Copyright (c) 1994-1996, 1998-2005, 2007-2011
- Todd C. Miller <Todd.Miller@courtesan.com>
-
-Permission to use, copy, modify, and distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-Sponsored in part by the Defense Advanced Research Projects
-Agency (DARPA) and Air Force Research Laboratory, Air Force
-Materiel Command, USAF, under agreement number F39502-99-1-0512.
-
-=pod
-
-=head1 NAME
-
-sudoers - list of which users may execute what
-
-=head1 DESCRIPTION
-
-The I<sudoers> file is composed of two types of entries: aliases
-(basically variables) and user specifications (which specify who
-may run what).
-
-When multiple entries match for a user, they are applied in order.
-Where there are multiple matches, the last match is used (which is
-not necessarily the most specific match).
-
-The I<sudoers> grammar will be described below in Extended Backus-Naur
-Form (EBNF). Don't despair if you don't know what EBNF is; it is
-fairly simple, and the definitions below are annotated.
-
-=head2 Quick guide to EBNF
-
-EBNF is a concise and exact way of describing the grammar of a language.
-Each EBNF definition is made up of I<production rules>. E.g.,
-
- symbol ::= definition | alternate1 | alternate2 ...
-
-Each I<production rule> references others and thus makes up a
-grammar for the language. EBNF also contains the following
-operators, which many readers will recognize from regular
-expressions. Do not, however, confuse them with "wildcard"
-characters, which have different meanings.
-
-=over 4
-
-=item C<?>
-
-Means that the preceding symbol (or group of symbols) is optional.
-That is, it may appear once or not at all.
-
-=item C<*>
-
-Means that the preceding symbol (or group of symbols) may appear
-zero or more times.
-
-=item C<+>
-
-Means that the preceding symbol (or group of symbols) may appear
-one or more times.
-
-=back
-
-Parentheses may be used to group symbols together. For clarity,
-we will use single quotes ('') to designate what is a verbatim character
-string (as opposed to a symbol name).
-
-=head2 Aliases
-
-There are four kinds of aliases: C<User_Alias>, C<Runas_Alias>,
-C<Host_Alias> and C<Cmnd_Alias>.
-
- Alias ::= 'User_Alias' User_Alias (':' User_Alias)* |
- 'Runas_Alias' Runas_Alias (':' Runas_Alias)* |
- 'Host_Alias' Host_Alias (':' Host_Alias)* |
- 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
-
- User_Alias ::= NAME '=' User_List
-
- Runas_Alias ::= NAME '=' Runas_List
-
- Host_Alias ::= NAME '=' Host_List
-
- Cmnd_Alias ::= NAME '=' Cmnd_List
-
- NAME ::= [A-Z]([A-Z][0-9]_)*
-
-Each I<alias> definition is of the form
-
- Alias_Type NAME = item1, item2, ...
-
-where I<Alias_Type> is one of C<User_Alias>, C<Runas_Alias>, C<Host_Alias>,
-or C<Cmnd_Alias>. A C<NAME> is a string of uppercase letters, numbers,
-and underscore characters ('_'). A C<NAME> B<must> start with an
-uppercase letter. It is possible to put several alias definitions
-of the same type on a single line, joined by a colon (':'). E.g.,
-
- Alias_Type NAME = item1, item2, item3 : NAME = item4, item5
-
-The definitions of what constitutes a valid I<alias> member follow.
-
- User_List ::= User |
- User ',' User_List
-
- User ::= '!'* user name |
- '!'* #uid |
- '!'* %group |
- '!'* %#gid |
- '!'* +netgroup |
- '!'* %:nonunix_group |
- '!'* %:#nonunix_gid |
- '!'* User_Alias
-
-A C<User_List> is made up of one or more user names, user ids
-(prefixed with '#'), system group names and ids (prefixed with '%'
-and '%#' respectively), netgroups (prefixed with '+'), non-Unix
-group names and IDs (prefixed with '%:' and '%:#' respectively) and
-C<User_Alias>es. Each list item may be prefixed with zero or more
-'!' operators. An odd number of '!' operators negate the value of
-the item; an even number just cancel each other out.
-
-A C<user name>, C<uid>, C<group>, C<gid>, C<netgroup>, C<nonunix_group>
-or C<nonunix_gid> may be enclosed in double quotes to avoid the
-need for escaping special characters. Alternately, special characters
-may be specified in escaped hex mode, e.g. \x20 for space. When
-using double quotes, any prefix characters must be included inside
-the quotes.
-
-The C<nonunix_group> and C<nonunix_gid> syntax depends on the
-underlying implementation. For instance, the QAS AD backend supports
-the following formats:
-
-=over 4
-
-=item *
-
-Group in the same domain: "%:Group Name"
-
-=item *
-
-Group in any domain: "%:Group Name@FULLY.QUALIFIED.DOMAIN"
-
-=item *
-
-Group SID: "%:S-1-2-34-5678901234-5678901234-5678901234-567"
-
-=back
-
-Note that quotes around group names are optional. Unquoted strings
-must use a backslash (\) to escape spaces and special characters.
-See L<"Other special characters and reserved words"> for a list of
-characters that need to be escaped.
-
- Runas_List ::= Runas_Member |
- Runas_Member ',' Runas_List
-
- Runas_Member ::= '!'* user name |
- '!'* #uid |
- '!'* %group |
- '!'* %#gid |
- '!'* %:nonunix_group |
- '!'* %:#nonunix_gid |
- '!'* +netgroup |
- '!'* Runas_Alias
-
-A C<Runas_List> is similar to a C<User_List> except that instead
-of C<User_Alias>es it can contain C<Runas_Alias>es. Note that
-user names and groups are matched as strings. In other words, two
-users (groups) with the same uid (gid) are considered to be distinct.
-If you wish to match all user names with the same uid (e.g.E<nbsp>root
-and toor), you can use a uid instead (#0 in the example given).
-
- Host_List ::= Host |
- Host ',' Host_List
-
- Host ::= '!'* host name |
- '!'* ip_addr |
- '!'* network(/netmask)? |
- '!'* +netgroup |
- '!'* Host_Alias
-
-A C<Host_List> is made up of one or more host names, IP addresses,
-network numbers, netgroups (prefixed with '+') and other aliases.
-Again, the value of an item may be negated with the '!' operator.
-If you do not specify a netmask along with the network number,
-B<sudo> will query each of the local host's network interfaces and,
-if the network number corresponds to one of the hosts's network
-interfaces, the corresponding netmask will be used. The netmask
-may be specified either in standard IP address notation
-(e.g.E<nbsp>255.255.255.0 or ffff:ffff:ffff:ffff::),
-or CIDR notation (number of bits, e.g.E<nbsp>24 or 64). A host name may
-include shell-style wildcards (see the L<Wildcards> section below),
-but unless the C<host name> command on your machine returns the fully
-qualified host name, you'll need to use the I<fqdn> option for
-wildcards to be useful. Note B<sudo> only inspects actual network
-interfaces; this means that IP address 127.0.0.1 (localhost) will
-never match. Also, the host name "localhost" will only match if
-that is the actual host name, which is usually only the case for
-non-networked systems.
-
- Cmnd_List ::= Cmnd |
- Cmnd ',' Cmnd_List
-
- commandname ::= file name |
- file name args |
- file name '""'
-
- Cmnd ::= '!'* commandname |
- '!'* directory |
- '!'* "sudoedit" |
- '!'* Cmnd_Alias
-
-A C<Cmnd_List> is a list of one or more commandnames, directories, and other
-aliases. A commandname is a fully qualified file name which may include
-shell-style wildcards (see the L<Wildcards> section below). A simple
-file name allows the user to run the command with any arguments he/she
-wishes. However, you may also specify command line arguments (including
-wildcards). Alternately, you can specify C<""> to indicate that the command
-may only be run B<without> command line arguments. A directory is a
-fully qualified path name ending in a '/'. When you specify a directory
-in a C<Cmnd_List>, the user will be able to run any file within that directory
-(but not in any subdirectories therein).
-
-If a C<Cmnd> has associated command line arguments, then the arguments
-in the C<Cmnd> must match exactly those given by the user on the command line
-(or match the wildcards if there are any). Note that the following
-characters must be escaped with a '\' if they are used in command
-arguments: ',', ':', '=', '\'. The special command C<"sudoedit">
-is used to permit a user to run B<sudo> with the B<-e> option (or
-as B<sudoedit>). It may take command line arguments just as
-a normal command does.
-
-=head2 Defaults
-
-Certain configuration options may be changed from their default
-values at runtime via one or more C<Default_Entry> lines. These
-may affect all users on any host, all users on a specific host, a
-specific user, a specific command, or commands being run as a specific user.
-Note that per-command entries may not include command line arguments.
-If you need to specify arguments, define a C<Cmnd_Alias> and reference
-that instead.
-
- Default_Type ::= 'Defaults' |
- 'Defaults' '@' Host_List |
- 'Defaults' ':' User_List |
- 'Defaults' '!' Cmnd_List |
- 'Defaults' '>' Runas_List
-
- Default_Entry ::= Default_Type Parameter_List
-
- Parameter_List ::= Parameter |
- Parameter ',' Parameter_List
-
- Parameter ::= Parameter '=' Value |
- Parameter '+=' Value |
- Parameter '-=' Value |
- '!'* Parameter
-
-Parameters may be B<flags>, B<integer> values, B<strings>, or B<lists>.
-Flags are implicitly boolean and can be turned off via the '!'
-operator. Some integer, string and list parameters may also be
-used in a boolean context to disable them. Values may be enclosed
-in double quotes (C<"">) when they contain multiple words. Special
-characters may be escaped with a backslash (C<\>).
-
-Lists have two additional assignment operators, C<+=> and C<-=>.
-These operators are used to add to and delete from a list respectively.
-It is not an error to use the C<-=> operator to remove an element
-that does not exist in a list.
-
-Defaults entries are parsed in the following order: generic, host
-and user Defaults first, then runas Defaults and finally command
-defaults.
-
-See L<"SUDOERS OPTIONS"> for a list of supported Defaults parameters.
-
-=head2 User Specification
-
- User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
- (':' Host_List '=' Cmnd_Spec_List)*
-
- Cmnd_Spec_List ::= Cmnd_Spec |
- Cmnd_Spec ',' Cmnd_Spec_List
-
- Cmnd_Spec ::= Runas_Spec? SELinux_Spec? Tag_Spec* Cmnd
-
- Runas_Spec ::= '(' Runas_List? (':' Runas_List)? ')'
-
- SELinux_Spec ::= ('ROLE=role' | 'TYPE=type')
-
- Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' |
- 'SETENV:' | 'NOSETENV:' | 'LOG_INPUT:' | 'NOLOG_INPUT:' |
- 'LOG_OUTPUT:' | 'NOLOG_OUTPUT:')
-
-A B<user specification> determines which commands a user may run
-(and as what user) on specified hosts. By default, commands are
-run as B<root>, but this can be changed on a per-command basis.
-
-The basic structure of a user specification is `who where = (as_whom)
-what'. Let's break that down into its constituent parts:
-
-=head2 Runas_Spec
-
-A C<Runas_Spec> determines the user and/or the group that a command
-may be run as. A fully-specified C<Runas_Spec> consists of two
-C<Runas_List>s (as defined above) separated by a colon (':') and
-enclosed in a set of parentheses. The first C<Runas_List> indicates
-which users the command may be run as via B<sudo>'s B<-u> option.
-The second defines a list of groups that can be specified via
-B<sudo>'s B<-g> option. If both C<Runas_List>s are specified, the
-command may be run with any combination of users and groups listed
-in their respective C<Runas_List>s. If only the first is specified,
-the command may be run as any user in the list but no B<-g> option
-may be specified. If the first C<Runas_List> is empty but the
-second is specified, the command may be run as the invoking user
-with the group set to any listed in the C<Runas_List>. If no
-C<Runas_Spec> is specified the command may be run as B<root> and
-no group may be specified.
-
-A C<Runas_Spec> sets the default for the commands that follow it.
-What this means is that for the entry:
-
- dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm
-
-The user B<dgb> may run F</bin/ls>, F</bin/kill>, and
-F</usr/bin/lprm> -- but only as B<operator>. E.g.,
-
- $ sudo -u operator /bin/ls
-
-It is also possible to override a C<Runas_Spec> later on in an
-entry. If we modify the entry like so:
-
- dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm
-
-Then user B<dgb> is now allowed to run F</bin/ls> as B<operator>,
-but F</bin/kill> and F</usr/bin/lprm> as B<root>.
-
-We can extend this to allow B<dgb> to run C</bin/ls> with either
-the user or group set to B<operator>:
-
- dgb boulder = (operator : operator) /bin/ls, (root) /bin/kill,\
- /usr/bin/lprm
-
-Note that while the group portion of the C<Runas_Spec> permits the
-user to run as command with that group, it does not force the user
-to do so. If no group is specified on the command line, the command
-will run with the group listed in the target user's password database
-entry. The following would all be permitted by the sudoers entry above:
-
- $ sudo -u operator /bin/ls
- $ sudo -u operator -g operator /bin/ls
- $ sudo -g operator /bin/ls
-
-In the following example, user B<tcm> may run commands that access
-a modem device file with the dialer group.
-
- tcm boulder = (:dialer) /usr/bin/tip, /usr/bin/cu,\
- /usr/local/bin/minicom
-
-Note that in this example only the group will be set, the command
-still runs as user B<tcm>. E.g.
-
- $ sudo -g dialer /usr/bin/cu
-
-Multiple users and groups may be present in a C<Runas_Spec>, in
-which case the user may select any combination of users and groups
-via the B<-u> and B<-g> options. In this example:
-
- alan ALL = (root, bin : operator, system) ALL
-
-user B<alan> may run any command as either user root or bin,
-optionally setting the group to operator or system.
-
-=head2 SELinux_Spec
-
-On systems with SELinux support, I<sudoers> entries may optionally have
-an SELinux role and/or type associated with a command. If a role or
-type is specified with the command it will override any default values
-specified in I<sudoers>. A role or type specified on the command line,
-however, will supercede the values in I<sudoers>.
-
-=head2 Tag_Spec
-
-A command may have zero or more tags associated with it. There are
-ten possible tag values, C<NOPASSWD>, C<PASSWD>, C<NOEXEC>,
-C<EXEC>, C<SETENV>, C<NOSETENV>, C<LOG_INPUT>, C<NOLOG_INPUT>,
-C<LOG_OUTPUT> and C<NOLOG_OUTPUT>. Once a tag is set on a C<Cmnd>,
-subsequent C<Cmnd>s in the C<Cmnd_Spec_List>, inherit the tag unless
-it is overridden by the opposite tag (in other words, C<PASSWD> overrides
-C<NOPASSWD> and C<NOEXEC> overrides C<EXEC>).
-
-=head3 NOPASSWD and PASSWD
-
-By default, B<sudo> requires that a user authenticate him or herself
-before running a command. This behavior can be modified via the
-C<NOPASSWD> tag. Like a C<Runas_Spec>, the C<NOPASSWD> tag sets
-a default for the commands that follow it in the C<Cmnd_Spec_List>.
-Conversely, the C<PASSWD> tag can be used to reverse things.
-For example:
-
- ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm
-
-would allow the user B<ray> to run F</bin/kill>, F</bin/ls>, and
-F</usr/bin/lprm> as B<root> on the machine rushmore without
-authenticating himself. If we only want B<ray> to be able to
-run F</bin/kill> without a password the entry would be:
-
- ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
-
-Note, however, that the C<PASSWD> tag has no effect on users who are
-in the group specified by the I<exempt_group> option.
-
-By default, if the C<NOPASSWD> tag is applied to any of the entries
-for a user on the current host, he or she will be able to run
-C<sudo -l> without a password. Additionally, a user may only run
-C<sudo -v> without a password if the C<NOPASSWD> tag is present
-for all a user's entries that pertain to the current host.
-This behavior may be overridden via the verifypw and listpw options.
-
-=head3 NOEXEC and EXEC
-
-If B<sudo> has been compiled with I<noexec> support and the underlying
-operating system supports it, the C<NOEXEC> tag can be used to prevent
-a dynamically-linked executable from running further commands itself.
-
-In the following example, user B<aaron> may run F</usr/bin/more>
-and F</usr/bin/vi> but shell escapes will be disabled.
-
- aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
-
-See the L<PREVENTING SHELL ESCAPES> section below for more details
-on how C<NOEXEC> works and whether or not it will work on your system.
-
-=head3 SETENV and NOSETENV
-
-These tags override the value of the I<setenv> option on a per-command
-basis. Note that if C<SETENV> has been set for a command, the user
-may disable the I<env_reset> option from the command line via the
-B<-E> option. Additionally, environment variables set on the command
-line are not subject to the restrictions imposed by I<env_check>,
-I<env_delete>, or I<env_keep>. As such, only trusted users should
-be allowed to set variables in this manner. If the command matched
-is B<ALL>, the C<SETENV> tag is implied for that command; this
-default may be overridden by use of the C<NOSETENV> tag.
-
-=head3 LOG_INPUT and NOLOG_INPUT
-
-These tags override the value of the I<log_input> option on a
-per-command basis. For more information, see the description of
-I<log_input> in the L<"SUDOERS OPTIONS"> section below.
-
-=head3 LOG_OUTPUT and NOLOG_OUTPUT
-
-These tags override the value of the I<log_output> option on a
-per-command basis. For more information, see the description of
-I<log_output> in the L<"SUDOERS OPTIONS"> section below.
-
-=head2 Wildcards
-
-B<sudo> allows shell-style I<wildcards> (aka meta or glob characters)
-to be used in host names, path names and command line arguments in
-the I<sudoers> file. Wildcard matching is done via the B<POSIX>
-L<glob(3)> and L<fnmatch(3)> routines. Note that these are I<not>
-regular expressions.
-
-=over 8
-
-=item C<*>
-
-Matches any set of zero or more characters.
-
-=item C<?>
-
-Matches any single character.
-
-=item C<[...]>
-
-Matches any character in the specified range.
-
-=item C<[!...]>
-
-Matches any character B<not> in the specified range.
-
-=item C<\x>
-
-For any character "x", evaluates to "x". This is used to
-escape special characters such as: "*", "?", "[", and "]".
-
-=back
-
-POSIX character classes may also be used if your system's L<glob(3)>
-and L<fnmatch(3)> functions support them. However, because the
-C<':'> character has special meaning in I<sudoers>, it must be
-escaped. For example:
-
- /bin/ls [[\:alpha\:]]*
-
-Would match any file name beginning with a letter.
-
-Note that a forward slash ('/') will B<not> be matched by
-wildcards used in the path name. When matching the command
-line arguments, however, a slash B<does> get matched by
-wildcards. This is to make a path like:
-
- /usr/bin/*
-
-match F</usr/bin/who> but not F</usr/bin/X11/xterm>.
-
-=head2 Exceptions to wildcard rules
-
-The following exceptions apply to the above rules:
-
-=over 8
-
-=item C<"">
-
-If the empty string C<""> is the only command line argument in the
-I<sudoers> entry it means that command is not allowed to be run
-with B<any> arguments.
-
-=back
-
-=head2 Including other files from within sudoers
-
-It is possible to include other I<sudoers> files from within the
-I<sudoers> file currently being parsed using the C<#include> and
-C<#includedir> directives.
-
-This can be used, for example, to keep a site-wide I<sudoers> file
-in addition to a local, per-machine file. For the sake of this
-example the site-wide I<sudoers> will be F</etc/sudoers> and the
-per-machine one will be F</etc/sudoers.local>. To include
-F</etc/sudoers.local> from within F</etc/sudoers> we would use the
-following line in F</etc/sudoers>:
-
-=over 4
-
-C<#include /etc/sudoers.local>
-
-=back
-
-When B<sudo> reaches this line it will suspend processing of the
-current file (F</etc/sudoers>) and switch to F</etc/sudoers.local>.
-Upon reaching the end of F</etc/sudoers.local>, the rest of
-F</etc/sudoers> will be processed. Files that are included may
-themselves include other files. A hard limit of 128 nested include
-files is enforced to prevent include file loops.
-
-If the path to the include file is not fully-qualified (does not
-begin with a C</>), it must be located in the same directory as the
-sudoers file it was included from. For example, if F</etc/sudoers>
-contains the line:
-
-=over 4
-
-C<#include sudoers.local>
-
-=back
-
-the file that will be included is F</etc/sudoers.local>.
-
-The file name may also include the C<%h> escape, signifying the short form
-of the host name. In other words, if the machine's host name is "xerxes", then
-
-C<#include /etc/sudoers.%h>
-
-will cause B<sudo> to include the file F</etc/sudoers.xerxes>.
-
-The C<#includedir> directive can be used to create a F<sudo.d>
-directory that the system package manager can drop I<sudoers> rules
-into as part of package installation. For example, given:
-
-C<#includedir /etc/sudoers.d>
-
-B<sudo> will read each file in F</etc/sudoers.d>, skipping file
-names that end in C<~> or contain a C<.> character to avoid causing
-problems with package manager or editor temporary/backup files.
-Files are parsed in sorted lexical order. That is,
-F</etc/sudoers.d/01_first> will be parsed before
-F</etc/sudoers.d/10_second>. Be aware that because the sorting is
-lexical, not numeric, F</etc/sudoers.d/1_whoops> would be loaded
-B<after> F</etc/sudoers.d/10_second>. Using a consistent number
-of leading zeroes in the file names can be used to avoid such
-problems.
-
-Note that unlike files included via C<#include>, B<visudo> will not
-edit the files in a C<#includedir> directory unless one of them
-contains a syntax error. It is still possible to run B<visudo>
-with the B<-f> flag to edit the files directly.
-
-=head2 Other special characters and reserved words
-
-The pound sign ('#') is used to indicate a comment (unless it is
-part of a #include directive or unless it occurs in the context of
-a user name and is followed by one or more digits, in which case
-it is treated as a uid). Both the comment character and any text
-after it, up to the end of the line, are ignored.
-
-The reserved word B<ALL> is a built-in I<alias> that always causes
-a match to succeed. It can be used wherever one might otherwise
-use a C<Cmnd_Alias>, C<User_Alias>, C<Runas_Alias>, or C<Host_Alias>.
-You should not try to define your own I<alias> called B<ALL> as the
-built-in alias will be used in preference to your own. Please note
-that using B<ALL> can be dangerous since in a command context, it
-allows the user to run B<any> command on the system.
-
-An exclamation point ('!') can be used as a logical I<not> operator
-both in an I<alias> and in front of a C<Cmnd>. This allows one to
-exclude certain values. Note, however, that using a C<!> in
-conjunction with the built-in C<ALL> alias to allow a user to
-run "all but a few" commands rarely works as intended (see SECURITY
-NOTES below).
-
-Long lines can be continued with a backslash ('\') as the last
-character on the line.
-
-Whitespace between elements in a list as well as special syntactic
-characters in a I<User Specification> ('=', ':', '(', ')') is optional.
-
-The following characters must be escaped with a backslash ('\') when
-used as part of a word (e.g.E<nbsp>a user name or host name):
-'!', '=', ':', ',', '(', ')', '\'.
-
-=head1 SUDOERS OPTIONS
-
-B<sudo>'s behavior can be modified by C<Default_Entry> lines, as
-explained earlier. A list of all supported Defaults parameters,
-grouped by type, are listed below.
-
-B<Boolean Flags>:
-
-=over 16
-
-=item always_set_home
-
-If enabled, B<sudo> will set the C<HOME> environment variable to the
-home directory of the target user (which is root unless the B<-u>
-option is used). This effectively means that the B<-H> option is
-always implied. Note that C<HOME> is already set when the the
-I<env_reset> option is enabled, so I<always_set_home> is only
-effective for configurations where either I<env_reset> is disabled
-or C<HOME> is present in the I<env_keep> list.
-This flag is I<off> by default.
-
-=item authenticate
-
-If set, users must authenticate themselves via a password (or other
-means of authentication) before they may run commands. This default
-may be overridden via the C<PASSWD> and C<NOPASSWD> tags.
-This flag is I<on> by default.
-
-=item closefrom_override
-
-If set, the user may use B<sudo>'s B<-C> option which
-overrides the default starting point at which B<sudo> begins
-closing open file descriptors. This flag is I<off> by default.
-
-=item compress_io
-
-If set, and B<sudo> is configured to log a command's input or output,
-the I/O logs will be compressed using B<zlib>. This flag is I<on>
-by default when B<sudo> is compiled with B<zlib> support.
-
-=item env_editor
-
-If set, B<visudo> will use the value of the EDITOR or VISUAL
-environment variables before falling back on the default editor list.
-Note that this may create a security hole as it allows the user to
-run any arbitrary command as root without logging. A safer alternative
-is to place a colon-separated list of editors in the C<editor>
-variable. B<visudo> will then only use the EDITOR or VISUAL if
-they match a value specified in C<editor>. This flag is I<@env_editor@> by
-default.
-
-=item env_reset
-
-If set, B<sudo> will run the command in a minimal environment
-containing the C<TERM>, C<PATH>, C<HOME>, C<MAIL>, C<SHELL>,
-C<LOGNAME>, C<USER>, C<USERNAME> and C<SUDO_*> variables. Any
-variables in the caller's environment that match the C<env_keep>
-and C<env_check> lists are then added, followed by any variables
-present in the file specified by the I<env_file> option (if any).
-The default contents of the C<env_keep> and C<env_check> lists are
-displayed when B<sudo> is run by root with the B<-V> option. If
-the I<secure_path> option is set, its value will be used for the
-C<PATH> environment variable. This flag is I<@env_reset@> by
-default.
-
-=item fast_glob
-
-Normally, B<sudo> uses the L<glob(3)> function to do shell-style
-globbing when matching path names. However, since it accesses the
-file system, L<glob(3)> can take a long time to complete for some
-patterns, especially when the pattern references a network file
-system that is mounted on demand (automounted). The I<fast_glob>
-option causes B<sudo> to use the L<fnmatch(3)> function, which does
-not access the file system to do its matching. The disadvantage
-of I<fast_glob> is that it is unable to match relative path names
-such as F<./ls> or F<../bin/ls>. This has security implications
-when path names that include globbing characters are used with the
-negation operator, C<'!'>, as such rules can be trivially bypassed.
-As such, this option should not be used when I<sudoers> contains rules
-that contain negated path names which include globbing characters.
-This flag is I<off> by default.
-
-=item fqdn
-
-Set this flag if you want to put fully qualified host names in the
-I<sudoers> file.
-In other words, instead of myhost you would use myhost.mydomain.edu.
-You may still use the short form if you wish (and even mix the two).
-Beware that turning on I<fqdn> requires B<sudo> to make DNS lookups
-which may make B<sudo> unusable if DNS stops working (for example
-if the machine is not plugged into the network). Also note that
-you must use the host's official name as DNS knows it. That is,
-you may not use a host alias (C<CNAME> entry) due to performance
-issues and the fact that there is no way to get all aliases from
-DNS. If your machine's host name (as returned by the C<hostname>
-command) is already fully qualified you shouldn't need to set
-I<fqdn>. This flag is I<@fqdn@> by default.
-
-=item ignore_dot
-
-If set, B<sudo> will ignore "." or "" (current dir) in the C<PATH>
-environment variable; the C<PATH> itself is not modified. This
-flag is I<@ignore_dot@> by default.
-
-=item ignore_local_sudoers
-
-If set via LDAP, parsing of F<@sysconfdir@/sudoers> will be skipped.
-This is intended for Enterprises that wish to prevent the usage of local
-sudoers files so that only LDAP is used. This thwarts the efforts of
-rogue operators who would attempt to add roles to F<@sysconfdir@/sudoers>.
-When this option is present, F<@sysconfdir@/sudoers> does not even need to
-exist. Since this option tells B<sudo> how to behave when no specific LDAP
-entries have been matched, this sudoOption is only meaningful for the
-C<cn=defaults> section. This flag is I<off> by default.
-
-=item insults
-
-If set, B<sudo> will insult users when they enter an incorrect
-password. This flag is I<@insults@> by default.
-
-=item log_host
-
-If set, the host name will be logged in the (non-syslog) B<sudo> log file.
-This flag is I<off> by default.
-
-=item log_input
-
-If set, B<sudo> will run the command in a I<pseudo tty> and log all
-user input.
-If the standard input is not connected to the user's tty, due to
-I/O redirection or because the command is part of a pipeline, that
-input is also captured and stored in a separate log file.
-
-Input is logged to the directory specified by the I<iolog_dir>
-option (F<@iolog_dir@> by default) using a unique session ID that
-is included in the normal B<sudo> log line, prefixed with "C<TSID=>".
-
-Note that user input may contain sensitive information such as
-passwords (even if they are not echoed to the screen), which will
-be stored in the log file unencrypted. In most cases, logging the
-command output via I<log_output> is all that is required.
-
-=item log_output
-
-If set, B<sudo> will run the command in a I<pseudo tty> and log all
-output that is sent to the screen, similar to the script(1) command.
-If the standard output or standard error is not connected to the
-user's tty, due to I/O redirection or because the command is part
-of a pipeline, that output is also captured and stored in separate
-log files.
-
-Output is logged to the directory specified by the I<iolog_dir>
-option (F<@iolog_dir@> by default) using a unique session ID that
-is included in the normal B<sudo> log line, prefixed with "C<TSID=>".
-
-Output logs may be viewed with the L<sudoreplay(8)> utility, which
-can also be used to list or search the available logs.
-
-=item log_year
-
-If set, the four-digit year will be logged in the (non-syslog) B<sudo> log file.
-This flag is I<off> by default.
-
-=item long_otp_prompt
-
-When validating with a One Time Password (OTP) scheme such as
-B<S/Key> or B<OPIE>, a two-line prompt is used to make it easier
-to cut and paste the challenge to a local window. It's not as
-pretty as the default but some people find it more convenient. This
-flag is I<@long_otp_prompt@> by default.
-
-=item mail_always
-
-Send mail to the I<mailto> user every time a users runs B<sudo>.
-This flag is I<off> by default.
-
-=item mail_badpass
-
-Send mail to the I<mailto> user if the user running B<sudo> does not
-enter the correct password. This flag is I<off> by default.
-
-=item mail_no_host
-
-If set, mail will be sent to the I<mailto> user if the invoking
-user exists in the I<sudoers> file, but is not allowed to run
-commands on the current host. This flag is I<@mail_no_host@> by default.
-
-=item mail_no_perms
-
-If set, mail will be sent to the I<mailto> user if the invoking
-user is allowed to use B<sudo> but the command they are trying is not
-listed in their I<sudoers> file entry or is explicitly denied.
-This flag is I<@mail_no_perms@> by default.
-
-=item mail_no_user
-
-If set, mail will be sent to the I<mailto> user if the invoking
-user is not in the I<sudoers> file. This flag is I<@mail_no_user@>
-by default.
-
-=item noexec
-
-If set, all commands run via B<sudo> will behave as if the C<NOEXEC>
-tag has been set, unless overridden by a C<EXEC> tag. See the
-description of I<NOEXEC and EXEC> below as well as the L<PREVENTING SHELL
-ESCAPES> section at the end of this manual. This flag is I<off> by default.
-
-=item path_info
-
-Normally, B<sudo> will tell the user when a command could not be
-found in their C<PATH> environment variable. Some sites may wish
-to disable this as it could be used to gather information on the
-location of executables that the normal user does not have access
-to. The disadvantage is that if the executable is simply not in
-the user's C<PATH>, B<sudo> will tell the user that they are not
-allowed to run it, which can be confusing. This flag is I<@path_info@>
-by default.
-
-=item passprompt_override
-
-The password prompt specified by I<passprompt> will normally only
-be used if the password prompt provided by systems such as PAM matches
-the string "Password:". If I<passprompt_override> is set, I<passprompt>
-will always be used. This flag is I<off> by default.
-
-=item preserve_groups
-
-By default, B<sudo> will initialize the group vector to the list of
-groups the target user is in. When I<preserve_groups> is set, the
-user's existing group vector is left unaltered. The real and
-effective group IDs, however, are still set to match the target
-user. This flag is I<off> by default.
-
-=item pwfeedback
-
-By default, B<sudo> reads the password like most other Unix programs,
-by turning off echo until the user hits the return (or enter) key.
-Some users become confused by this as it appears to them that B<sudo>
-has hung at this point. When I<pwfeedback> is set, B<sudo> will
-provide visual feedback when the user presses a key. Note that
-this does have a security impact as an onlooker may be able to
-determine the length of the password being entered.
-This flag is I<off> by default.
-
-=item requiretty
-
-If set, B<sudo> will only run when the user is logged in to a real
-tty. When this flag is set, B<sudo> can only be run from a login
-session and not via other means such as L<cron(8)> or cgi-bin scripts.
-This flag is I<off> by default.
-
-=item root_sudo
-
-If set, root is allowed to run B<sudo> too. Disabling this prevents users
-from "chaining" B<sudo> commands to get a root shell by doing something
-like C<"sudo sudo /bin/sh">. Note, however, that turning off I<root_sudo>
-will also prevent root from running B<sudoedit>.
-Disabling I<root_sudo> provides no real additional security; it
-exists purely for historical reasons.
-This flag is I<@root_sudo@> by default.
-
-=item rootpw
-
-If set, B<sudo> will prompt for the root password instead of the password
-of the invoking user. This flag is I<off> by default.
-
-=item runaspw
-
-If set, B<sudo> will prompt for the password of the user defined by the
-I<runas_default> option (defaults to C<@runas_default@>) instead of the
-password of the invoking user. This flag is I<off> by default.
-
-=item set_home
-
-If enabled and B<sudo> is invoked with the B<-s> option the C<HOME>
-environment variable will be set to the home directory of the target
-user (which is root unless the B<-u> option is used). This effectively
-makes the B<-s> option imply B<-H>. Note that C<HOME> is already
-set when the the I<env_reset> option is enabled, so I<set_home> is
-only effective for configurations where either I<env_reset> is disabled
-or C<HOME> is present in the I<env_keep> list.
-This flag is I<off> by default.
-
-=item set_logname
-
-Normally, B<sudo> will set the C<LOGNAME>, C<USER> and C<USERNAME>
-environment variables to the name of the target user (usually root
-unless the B<-u> option is given). However, since some programs
-(including the RCS revision control system) use C<LOGNAME> to
-determine the real identity of the user, it may be desirable to
-change this behavior. This can be done by negating the set_logname
-option. Note that if the I<env_reset> option has not been disabled,
-entries in the I<env_keep> list will override the value of
-I<set_logname>. This flag is I<on> by default.
-
-=item setenv
-
-Allow the user to disable the I<env_reset> option from the command
-line. Additionally, environment variables set via the command line
-are not subject to the restrictions imposed by I<env_check>,
-I<env_delete>, or I<env_keep>. As such, only trusted users should
-be allowed to set variables in this manner. This flag is I<off>
-by default.
-
-=item shell_noargs
-
-If set and B<sudo> is invoked with no arguments it acts as if the
-B<-s> option had been given. That is, it runs a shell as root (the
-shell is determined by the C<SHELL> environment variable if it is
-set, falling back on the shell listed in the invoking user's
-/etc/passwd entry if not). This flag is I<off> by default.
-
-=item stay_setuid
-
-Normally, when B<sudo> executes a command the real and effective
-UIDs are set to the target user (root by default). This option
-changes that behavior such that the real UID is left as the invoking
-user's UID. In other words, this makes B<sudo> act as a setuid
-wrapper. This can be useful on systems that disable some potentially
-dangerous functionality when a program is run setuid. This option
-is only effective on systems with either the setreuid() or setresuid()
-function. This flag is I<off> by default.
-
-=item targetpw
-
-If set, B<sudo> will prompt for the password of the user specified
-by the B<-u> option (defaults to C<root>) instead of the password
-of the invoking user. In addition, the timestamp file name will
-include the target user's name. Note that this flag precludes the
-use of a uid not listed in the passwd database as an argument to
-the B<-u> option. This flag is I<off> by default.
-
-=item tty_tickets
-
-If set, users must authenticate on a per-tty basis. With this flag
-enabled, B<sudo> will use a file named for the tty the user is
-logged in on in the user's time stamp directory. If disabled, the
-time stamp of the directory is used instead. This flag is
-I<@tty_tickets@> by default.
-
-=item umask_override
-
-If set, B<sudo> will set the umask as specified by I<sudoers> without
-modification. This makes it possible to specify a more permissive
-umask in I<sudoers> than the user's own umask and matches historical
-behavior. If I<umask_override> is not set, B<sudo> will set the
-umask to be the union of the user's umask and what is specified in
-I<sudoers>. This flag is I<@umask_override@> by default.
-
-=item use_loginclass
-
-If set, B<sudo> will apply the defaults specified for the target user's
-login class if one exists. Only available if B<sudo> is configured with
-the --with-logincap option. This flag is I<off> by default.
-
-=item use_pty
-
-If set, B<sudo> will run the command in a pseudo-pty even if no I/O
-logging is being gone. A malicious program run under B<sudo> could
-conceivably fork a background process that retains to the user's
-terminal device after the main program has finished executing. Use
-of this option will make that impossible.
-
-=item visiblepw
-
-By default, B<sudo> will refuse to run if the user must enter a
-password but it is not possible to disable echo on the terminal.
-If the I<visiblepw> flag is set, B<sudo> will prompt for a password
-even when it would be visible on the screen. This makes it possible
-to run things like C<"ssh somehost sudo ls"> since by default, L<ssh(1)> does
-not allocate a tty when running a command. This flag is I<off> by default.
-
-=back
-
-B<Integers>:
-
-=over 16
-
-=item closefrom
-
-Before it executes a command, B<sudo> will close all open file
-descriptors other than standard input, standard output and standard
-error (ie: file descriptors 0-2). The I<closefrom> option can be used
-to specify a different file descriptor at which to start closing.
-The default is C<3>.
-
-=item passwd_tries
-
-The number of tries a user gets to enter his/her password before
-B<sudo> logs the failure and exits. The default is C<@passwd_tries@>.
-
-=back
-
-B<Integers that can be used in a boolean context>:
-
-=over 16
-
-=item loglinelen
-
-Number of characters per line for the file log. This value is used
-to decide when to wrap lines for nicer log files. This has no
-effect on the syslog log file, only the file log. The default is
-C<@loglen@> (use 0 or negate the option to disable word wrap).
-
-=item passwd_timeout
-
-Number of minutes before the B<sudo> password prompt times out, or
-C<0> for no timeout. The timeout may include a fractional component
-if minute granularity is insufficient, for example C<2.5>. The
-default is C<@password_timeout@>.
-
-=item timestamp_timeout
-
-Number of minutes that can elapse before B<sudo> will ask for a
-passwd again. The timeout may include a fractional component if
-minute granularity is insufficient, for example C<2.5>. The default
-is C<@timeout@>. Set this to C<0> to always prompt for a password.
-If set to a value less than C<0> the user's timestamp will never
-expire. This can be used to allow users to create or delete their
-own timestamps via C<sudo -v> and C<sudo -k> respectively.
-
-=item umask
-
-Umask to use when running the command. Negate this option or set
-it to 0777 to preserve the user's umask. The actual umask that is
-used will be the union of the user's umask and the value of the
-I<umask> option, which defaults to C<@sudo_umask@>. This guarantees
-that B<sudo> never lowers the umask when running a command. Note
-on systems that use PAM, the default PAM configuration may specify
-its own umask which will override the value set in I<sudoers>.
-
-=back
-
-B<Strings>:
-
-=over 16
-
-=item badpass_message
-
-Message that is displayed if a user enters an incorrect password.
-The default is C<@badpass_message@> unless insults are enabled.
-
-=item editor
-
-A colon (':') separated list of editors allowed to be used with
-B<visudo>. B<visudo> will choose the editor that matches the user's
-EDITOR environment variable if possible, or the first editor in the
-list that exists and is executable. The default is C<"@editor@">.
-
-=item iolog_dir
-
-The directory in which to store input/output logs when the I<log_input>
-or I<log_output> options are enabled or when the C<LOG_INPUT> or
-C<LOG_OUTPUT> tags are present for a command.
-The default is C<"@iolog_dir@">.
-
-=item mailsub
-
-Subject of the mail sent to the I<mailto> user. The escape C<%h>
-will expand to the host name of the machine.
-Default is "C<@mailsub@>".
-
-=item noexec_file
-
-Path to a shared library containing dummy versions of the execv(),
-execve() and fexecve() library functions that just return an error.
-This is used to implement the I<noexec> functionality on systems that
-support C<LD_PRELOAD> or its equivalent. Defaults to F<@noexec_file@>.
-
-=item passprompt
-
-The default prompt to use when asking for a password; can be overridden
-via the B<-p> option or the C<SUDO_PROMPT> environment variable.
-The following percent (`C<%>') escapes are supported:
-
-=over 4
-
-=item C<%H>
-
-expanded to the local host name including the domain name
-(on if the machine's host name is fully qualified or the I<fqdn>
-option is set)
-
-=item C<%h>
-
-expanded to the local host name without the domain name
-
-=item C<%p>
-
-expanded to the user whose password is being asked for (respects the
-I<rootpw>, I<targetpw> and I<runaspw> flags in I<sudoers>)
-
-=item C<%U>
-
-expanded to the login name of the user the command will
-be run as (defaults to root)
-
-=item C<%u>
-
-expanded to the invoking user's login name
-
-=item C<%%>
-
-two consecutive C<%> characters are collapsed into a single C<%> character
-
-=back
-
-The default value is "C<@passprompt@>".
-
-=item role
-
-The default SELinux role to use when constructing a new security
-context to run the command. The default role may be overridden on
-a per-command basis in I<sudoers> or via command line options.
-This option is only available whe B<sudo> is built with SELinux support.
-
-=item runas_default
-
-The default user to run commands as if the B<-u> option is not specified
-on the command line. This defaults to C<@runas_default@>.
-
-=item syslog_badpri
-
-Syslog priority to use when user authenticates unsuccessfully.
-Defaults to C<@badpri@>.
-
-The following syslog priorities are supported: B<alert>, B<crit>,
-B<debug>, B<emerg>, B<err>, B<info>, B<notice>, and B<warning>.
-
-=item syslog_goodpri
-
-Syslog priority to use when user authenticates successfully.
-Defaults to C<@goodpri@>.
-
-See L<syslog_badpri> for the list of supported syslog priorities.
-
-=item sudoers_locale
-
-Locale to use when parsing the sudoers file, logging commands, and
-sending email. Note that changing the locale may affect how sudoers
-is interpreted. Defaults to C<"C">.
-
-=item timestampdir
-
-The directory in which B<sudo> stores its timestamp files.
-The default is F<@timedir@>.
-
-=item timestampowner
-
-The owner of the timestamp directory and the timestamps stored therein.
-The default is C<root>.
-
-=item type
-
-The default SELinux type to use when constructing a new security
-context to run the command. The default type may be overridden on
-a per-command basis in I<sudoers> or via command line options.
-This option is only available whe B<sudo> is built with SELinux support.
-
-=back
-
-B<Strings that can be used in a boolean context>:
-
-=over 12
-
-=item askpass
-
-The I<askpass> option specifies the fully qualified path to a helper
-program used to read the user's password when no terminal is
-available. This may be the case when B<sudo> is executed from a
-graphical (as opposed to text-based) application. The program
-specified by I<askpass> should display the argument passed to it
-as the prompt and write the user's password to the standard output.
-The value of I<askpass> may be overridden by the C<SUDO_ASKPASS>
-environment variable.
-
-=item env_file
-
-The I<env_file> option specifies the fully qualified path to a
-file containing variables to be set in the environment of the program
-being run. Entries in this file should either be of the form
-C<VARIABLE=value> or C<export VARIABLE=value>. The value may
-optionally be surrounded by single or double quotes. Variables in
-this file are subject to other B<sudo> environment settings such
-as I<env_keep> and I<env_check>.
-
-=item exempt_group
-
-Users in this group are exempt from password and PATH requirements.
-The group name specified should not include a C<%> prefix.
-This is not set by default.
-
-=item lecture
-
-This option controls when a short lecture will be printed along with
-the password prompt. It has the following possible values:
-
-=over 8
-
-=item always
-
-Always lecture the user.
-
-=item never
-
-Never lecture the user.
-
-=item once
-
-Only lecture the user the first time they run B<sudo>.
-
-=back
-
-If no value is specified, a value of I<once> is implied.
-Negating the option results in a value of I<never> being used.
-The default value is I<@lecture@>.
-
-=item lecture_file
-
-Path to a file containing an alternate B<sudo> lecture that will
-be used in place of the standard lecture if the named file exists.
-By default, B<sudo> uses a built-in lecture.
-
-=item listpw
-
-This option controls when a password will be required when a
-user runs B<sudo> with the B<-l> option. It has the following possible values:
-
-=over 8
-
-=item all
-
-All the user's I<sudoers> entries for the current host must have
-the C<NOPASSWD> flag set to avoid entering a password.
-
-=item always
-
-The user must always enter a password to use the B<-l> option.
-
-=item any
-
-At least one of the user's I<sudoers> entries for the current host
-must have the C<NOPASSWD> flag set to avoid entering a password.
-
-=item never
-
-The user need never enter a password to use the B<-l> option.
-
-=back
-
-If no value is specified, a value of I<any> is implied.
-Negating the option results in a value of I<never> being used.
-The default value is I<any>.
-
-=item logfile
-
-Path to the B<sudo> log file (not the syslog log file). Setting a path
-turns on logging to a file; negating this option turns it off.
-By default, B<sudo> logs via syslog.
-
-=item mailerflags
-
-Flags to use when invoking mailer. Defaults to B<-t>.
-
-=item mailerpath
-
-Path to mail program used to send warning mail.
-Defaults to the path to sendmail found at configure time.
-
-=item mailfrom
-
-Address to use for the "from" address when sending warning and error
-mail. The address should be enclosed in double quotes (C<"">) to
-protect against B<sudo> interpreting the C<@> sign. Defaults to
-the name of the user running B<sudo>.
-
-=item mailto
-
-Address to send warning and error mail to. The address should
-be enclosed in double quotes (C<"">) to protect against B<sudo>
-interpreting the C<@> sign. Defaults to C<@mailto@>.
-
-=item secure_path
-
-Path used for every command run from B<sudo>. If you don't trust the
-people running B<sudo> to have a sane C<PATH> environment variable you may
-want to use this. Another use is if you want to have the "root path"
-be separate from the "user path." Users in the group specified by the
-I<exempt_group> option are not affected by I<secure_path>.
-This option is @secure_path@ by default.
-
-=item syslog
-
-Syslog facility if syslog is being used for logging (negate to
-disable syslog logging). Defaults to C<@logfac@>.
-
-The following syslog facilities are supported: B<authpriv> (if your
-OS supports it), B<auth>, B<daemon>, B<user>, B<local0>, B<local1>,
-B<local2>, B<local3>, B<local4>, B<local5>, B<local6>, and B<local7>.
-
-=item verifypw
-
-This option controls when a password will be required when a user runs
-B<sudo> with the B<-v> option. It has the following possible values:
-
-=over 8
-
-=item all
-
-All the user's I<sudoers> entries for the current host must have
-the C<NOPASSWD> flag set to avoid entering a password.
-
-=item always
-
-The user must always enter a password to use the B<-v> option.
-
-=item any
-
-At least one of the user's I<sudoers> entries for the current host
-must have the C<NOPASSWD> flag set to avoid entering a password.
-
-=item never
-
-The user need never enter a password to use the B<-v> option.
-
-=back
-
-If no value is specified, a value of I<all> is implied.
-Negating the option results in a value of I<never> being used.
-The default value is I<all>.
-
-=back
-
-B<Lists that can be used in a boolean context>:
-
-=over 16
-
-=item env_check
-
-Environment variables to be removed from the user's environment if
-the variable's value contains C<%> or C</> characters. This can
-be used to guard against printf-style format vulnerabilities in
-poorly-written programs. The argument may be a double-quoted,
-space-separated list or a single value without double-quotes. The
-list can be replaced, added to, deleted from, or disabled by using
-the C<=>, C<+=>, C<-=>, and C<!> operators respectively. Regardless
-of whether the C<env_reset> option is enabled or disabled, variables
-specified by C<env_check> will be preserved in the environment if
-they pass the aforementioned check. The default list of environment
-variables to check is displayed when B<sudo> is run by root with
-the B<-V> option.
-
-=item env_delete
-
-Environment variables to be removed from the user's environment
-when the I<env_reset> option is not in effect. The argument may
-be a double-quoted, space-separated list or a single value without
-double-quotes. The list can be replaced, added to, deleted from,
-or disabled by using the C<=>, C<+=>, C<-=>, and C<!> operators
-respectively. The default list of environment variables to remove
-is displayed when B<sudo> is run by root with the B<-V> option.
-Note that many operating systems will remove potentially dangerous
-variables from the environment of any setuid process (such as
-B<sudo>).
-
-=item env_keep
-
-Environment variables to be preserved in the user's environment
-when the I<env_reset> option is in effect. This allows fine-grained
-control over the environment B<sudo>-spawned processes will receive.
-The argument may be a double-quoted, space-separated list or a
-single value without double-quotes. The list can be replaced, added
-to, deleted from, or disabled by using the C<=>, C<+=>, C<-=>, and
-C<!> operators respectively. The default list of variables to keep
-is displayed when B<sudo> is run by root with the B<-V> option.
-
-=back
-
-=head1 FILES
-
-=over 24
-
-=item F<@sysconfdir@/sudoers>
-
-List of who can run what
-
-=item F</etc/group>
-
-Local groups file
-
-=item F</etc/netgroup>
-
-List of network groups
-
-=item F<@iolog_dir@>
-
-I/O log files
-
-=back
-
-=head1 EXAMPLES
-
-Below are example I<sudoers> entries. Admittedly, some of
-these are a bit contrived. First, we allow a few environment
-variables to pass and then define our I<aliases>:
-
- # Run X applications through sudo; HOME is used to find the
- # .Xauthority file. Note that other programs use HOME to find
- # configuration files and this may lead to privilege escalation!
- Defaults env_keep += "DISPLAY HOME"
-
- # User alias specification
- User_Alias FULLTIMERS = millert, mikef, dowdy
- User_Alias PARTTIMERS = bostley, jwfox, crawl
- User_Alias WEBMASTERS = will, wendy, wim
-
- # Runas alias specification
- Runas_Alias OP = root, operator
- Runas_Alias DB = oracle, sybase
- Runas_Alias ADMINGRP = adm, oper
-
- # Host alias specification
- Host_Alias SPARC = bigtime, eclipse, moet, anchor :\
- SGI = grolsch, dandelion, black :\
- ALPHA = widget, thalamus, foobar :\
- HPPA = boa, nag, python
- Host_Alias CUNETS = 128.138.0.0/255.255.0.0
- Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0
- Host_Alias SERVERS = master, mail, www, ns
- Host_Alias CDROM = orion, perseus, hercules
-
- # Cmnd alias specification
- Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
- /usr/sbin/restore, /usr/sbin/rrestore
- Cmnd_Alias KILL = /usr/bin/kill
- Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm
- Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown
- Cmnd_Alias HALT = /usr/sbin/halt
- Cmnd_Alias REBOOT = /usr/sbin/reboot
- Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh,\
- /usr/local/bin/tcsh, /usr/bin/rsh,\
- /usr/local/bin/zsh
- Cmnd_Alias SU = /usr/bin/su
- Cmnd_Alias PAGERS = /usr/bin/more, /usr/bin/pg, /usr/bin/less
-
-Here we override some of the compiled in default values. We want
-B<sudo> to log via L<syslog(3)> using the I<auth> facility in all
-cases. We don't want to subject the full time staff to the B<sudo>
-lecture, user B<millert> need not give a password, and we don't
-want to reset the C<LOGNAME>, C<USER> or C<USERNAME> environment
-variables when running commands as root. Additionally, on the
-machines in the I<SERVERS> C<Host_Alias>, we keep an additional
-local log file and make sure we log the year in each log line since
-the log entries will be kept around for several years. Lastly, we
-disable shell escapes for the commands in the PAGERS C<Cmnd_Alias>
-(F</usr/bin/more>, F</usr/bin/pg> and F</usr/bin/less>).
-
- # Override built-in defaults
- Defaults syslog=auth
- Defaults>root !set_logname
- Defaults:FULLTIMERS !lecture
- Defaults:millert !authenticate
- Defaults@SERVERS log_year, logfile=/var/log/sudo.log
- Defaults!PAGERS noexec
-
-The I<User specification> is the part that actually determines who may
-run what.
-
- root ALL = (ALL) ALL
- %wheel ALL = (ALL) ALL
-
-We let B<root> and any user in group B<wheel> run any command on any
-host as any user.
-
- FULLTIMERS ALL = NOPASSWD: ALL
-
-Full time sysadmins (B<millert>, B<mikef>, and B<dowdy>) may run any
-command on any host without authenticating themselves.
-
- PARTTIMERS ALL = ALL
-
-Part time sysadmins (B<bostley>, B<jwfox>, and B<crawl>) may run any
-command on any host but they must authenticate themselves first
-(since the entry lacks the C<NOPASSWD> tag).
-
- jack CSNETS = ALL
-
-The user B<jack> may run any command on the machines in the I<CSNETS> alias
-(the networks C<128.138.243.0>, C<128.138.204.0>, and C<128.138.242.0>).
-Of those networks, only C<128.138.204.0> has an explicit netmask (in
-CIDR notation) indicating it is a class C network. For the other
-networks in I<CSNETS>, the local machine's netmask will be used
-during matching.
-
- lisa CUNETS = ALL
-
-The user B<lisa> may run any command on any host in the I<CUNETS> alias
-(the class B network C<128.138.0.0>).
-
- operator ALL = DUMPS, KILL, SHUTDOWN, HALT, REBOOT, PRINTING,\
- sudoedit /etc/printcap, /usr/oper/bin/
-
-The B<operator> user may run commands limited to simple maintenance.
-Here, those are commands related to backups, killing processes, the
-printing system, shutting down the system, and any commands in the
-directory F</usr/oper/bin/>.
-
- joe ALL = /usr/bin/su operator
-
-The user B<joe> may only L<su(1)> to operator.
-
- pete HPPA = /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
-
- %opers ALL = (: ADMINGRP) /usr/sbin/
-
-Users in the B<opers> group may run commands in F</usr/sbin/> as themselves
-with any group in the I<ADMINGRP> C<Runas_Alias> (the B<adm> and B<oper>
-groups).
-
-The user B<pete> is allowed to change anyone's password except for
-root on the I<HPPA> machines. Note that this assumes L<passwd(1)>
-does not take multiple user names on the command line.
-
- bob SPARC = (OP) ALL : SGI = (OP) ALL
-
-The user B<bob> may run anything on the I<SPARC> and I<SGI> machines
-as any user listed in the I<OP> C<Runas_Alias> (B<root> and B<operator>).
-
- jim +biglab = ALL
-
-The user B<jim> may run any command on machines in the I<biglab> netgroup.
-B<sudo> knows that "biglab" is a netgroup due to the '+' prefix.
-
- +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser
-
-Users in the B<secretaries> netgroup need to help manage the printers
-as well as add and remove users, so they are allowed to run those
-commands on all machines.
-
- fred ALL = (DB) NOPASSWD: ALL
-
-The user B<fred> can run commands as any user in the I<DB> C<Runas_Alias>
-(B<oracle> or B<sybase>) without giving a password.
-
- john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
-
-On the I<ALPHA> machines, user B<john> may su to anyone except root
-but he is not allowed to specify any options to the L<su(1)> command.
-
- jen ALL, !SERVERS = ALL
-
-The user B<jen> may run any command on any machine except for those
-in the I<SERVERS> C<Host_Alias> (master, mail, www and ns).
-
- jill SERVERS = /usr/bin/, !SU, !SHELLS
-
-For any machine in the I<SERVERS> C<Host_Alias>, B<jill> may run
-any commands in the directory F</usr/bin/> except for those commands
-belonging to the I<SU> and I<SHELLS> C<Cmnd_Aliases>.
-
- steve CSNETS = (operator) /usr/local/op_commands/
-
-The user B<steve> may run any command in the directory /usr/local/op_commands/
-but only as user operator.
-
- matt valkyrie = KILL
-
-On his personal workstation, valkyrie, B<matt> needs to be able to
-kill hung processes.
-
- WEBMASTERS www = (www) ALL, (root) /usr/bin/su www
-
-On the host www, any user in the I<WEBMASTERS> C<User_Alias> (will,
-wendy, and wim), may run any command as user www (which owns the
-web pages) or simply L<su(1)> to www.
-
- ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
- /sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
-
-Any user may mount or unmount a CD-ROM on the machines in the CDROM
-C<Host_Alias> (orion, perseus, hercules) without entering a password.
-This is a bit tedious for users to type, so it is a prime candidate
-for encapsulating in a shell script.
-
-=head1 SECURITY NOTES
-
-It is generally not effective to "subtract" commands from C<ALL>
-using the '!' operator. A user can trivially circumvent this
-by copying the desired command to a different name and then
-executing that. For example:
-
- bill ALL = ALL, !SU, !SHELLS
-
-Doesn't really prevent B<bill> from running the commands listed in
-I<SU> or I<SHELLS> since he can simply copy those commands to a
-different name, or use a shell escape from an editor or other
-program. Therefore, these kind of restrictions should be considered
-advisory at best (and reinforced by policy).
-
-Furthermore, if the I<fast_glob> option is in use, it is not possible
-to reliably negate commands where the path name includes globbing
-(aka wildcard) characters. This is because the C library's
-L<fnmatch(3)> function cannot resolve relative paths. While this
-is typically only an inconvenience for rules that grant privileges,
-it can result in a security issue for rules that subtract or revoke
-privileges.
-
-For example, given the following I<sudoers> entry:
-
- john ALL = /usr/bin/passwd [a-zA-Z0-9]*, /usr/bin/chsh [a-zA-Z0-9]*,\
- /usr/bin/chfn [a-zA-Z0-9]*, !/usr/bin/* root
-
-User B<john> can still run C</usr/bin/passwd root> if I<fast_glob> is
-enabled by changing to F</usr/bin> and running C<./passwd root> instead.
-
-=head1 PREVENTING SHELL ESCAPES
-
-Once B<sudo> executes a program, that program is free to do whatever
-it pleases, including run other programs. This can be a security
-issue since it is not uncommon for a program to allow shell escapes,
-which lets a user bypass B<sudo>'s access control and logging.
-Common programs that permit shell escapes include shells (obviously),
-editors, paginators, mail and terminal programs.
-
-There are two basic approaches to this problem:
-
-=over 10
-
-=item restrict
-
-Avoid giving users access to commands that allow the user to run
-arbitrary commands. Many editors have a restricted mode where shell
-escapes are disabled, though B<sudoedit> is a better solution to
-running editors via B<sudo>. Due to the large number of programs that
-offer shell escapes, restricting users to the set of programs that
-do not is often unworkable.
-
-=item noexec
-
-Many systems that support shared libraries have the ability to
-override default library functions by pointing an environment
-variable (usually C<LD_PRELOAD>) to an alternate shared library.
-On such systems, B<sudo>'s I<noexec> functionality can be used to
-prevent a program run by B<sudo> from executing any other programs.
-Note, however, that this applies only to native dynamically-linked
-executables. Statically-linked executables and foreign executables
-running under binary emulation are not affected.
-
-To tell whether or not B<sudo> supports I<noexec>, you can run
-the following as root:
-
- sudo -V | grep "dummy exec"
-
-If the resulting output contains a line that begins with:
-
- File containing dummy exec functions:
-
-then B<sudo> may be able to replace the exec family of functions
-in the standard library with its own that simply return an error.
-Unfortunately, there is no foolproof way to know whether or not
-I<noexec> will work at compile-time. I<noexec> should work on
-SunOS, Solaris, *BSD, Linux, IRIX, Tru64 UNIX, MacOS X, and HP-UX
-11.x. It is known B<not> to work on AIX and UnixWare. I<noexec>
-is expected to work on most operating systems that support the
-C<LD_PRELOAD> environment variable. Check your operating system's
-manual pages for the dynamic linker (usually ld.so, ld.so.1, dyld,
-dld.sl, rld, or loader) to see if C<LD_PRELOAD> is supported.
-
-To enable I<noexec> for a command, use the C<NOEXEC> tag as documented
-in the User Specification section above. Here is that example again:
-
- aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
-
-This allows user B<aaron> to run F</usr/bin/more> and F</usr/bin/vi>
-with I<noexec> enabled. This will prevent those two commands from
-executing other commands (such as a shell). If you are unsure
-whether or not your system is capable of supporting I<noexec> you
-can always just try it out and see if it works.
-
-=back
-
-Note that restricting shell escapes is not a panacea. Programs
-running as root are still capable of many potentially hazardous
-operations (such as changing or overwriting files) that could lead
-to unintended privilege escalation. In the specific case of an
-editor, a safer approach is to give the user permission to run
-B<sudoedit>.
-
-=head1 SEE ALSO
-
-L<rsh(1)>, L<su(1)>, L<fnmatch(3)>, L<glob(3)>, L<sudo(8)>, L<visudo(8)>
-
-=head1 CAVEATS
-
-The I<sudoers> file should B<always> be edited by the B<visudo>
-command which locks the file and does grammatical checking. It is
-imperative that I<sudoers> be free of syntax errors since B<sudo>
-will not run with a syntactically incorrect I<sudoers> file.
-
-When using netgroups of machines (as opposed to users), if you
-store fully qualified host name in the netgroup (as is usually the
-case), you either need to have the machine's host name be fully qualified
-as returned by the C<hostname> command or use the I<fqdn> option in
-I<sudoers>.
-
-=head1 BUGS
-
-If you feel you have found a bug in B<sudo>, please submit a bug report
-at http://www.sudo.ws/sudo/bugs/
-
-=head1 SUPPORT
-
-Limited free support is available via the sudo-users mailing list,
-see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
-search the archives.
-
-=head1 DISCLAIMER
-
-B<sudo> is provided ``AS IS'' and any express or implied warranties,
-including, but not limited to, the implied warranties of merchantability
-and fitness for a particular purpose are disclaimed. See the LICENSE
-file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
-for complete details.
-SUDOREPLAY(1m) MAINTENANCE COMMANDS SUDOREPLAY(1m)
-
-
+SUDOREPLAY(1m) System Manager's Manual SUDOREPLAY(1m)
N\bNA\bAM\bME\bE
- sudoreplay - replay sudo session logs
+ s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by - replay sudo session logs
S\bSY\bYN\bNO\bOP\bPS\bSI\bIS\bS
- s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by [-\b-h\bh] [-\b-d\bd _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by] [-\b-f\bf _\bf_\bi_\bl_\bt_\be_\br] [-\b-m\bm _\bm_\ba_\bx_\b__\bw_\ba_\bi_\bt]
- [-\b-s\bs _\bs_\bp_\be_\be_\bd_\b__\bf_\ba_\bc_\bt_\bo_\br] ID
+ s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by [-\b-h\bh] [-\b-d\bd _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by] [-\b-f\bf _\bf_\bi_\bl_\bt_\be_\br] [-\b-m\bm _\bm_\ba_\bx_\b__\bw_\ba_\bi_\bt]
+ [-\b-s\bs _\bs_\bp_\be_\be_\bd_\b__\bf_\ba_\bc_\bt_\bo_\br] ID
- s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by [-\b-h\bh] [-\b-d\bd _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by] -l [search expression]
+ s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by [-\b-h\bh] [-\b-d\bd _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by] -\b-l\bl [search expression]
D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by plays back or lists the session logs created by s\bsu\bud\bdo\bo. When
- replaying, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by can play the session back in real-time, or the
- playback speed may be adjusted (faster or slower) based on the command
- line options. The _\bI_\bD should be a six character sequence of digits and
- upper case letters, e.g. 0100A5, which is logged by s\bsu\bud\bdo\bo when a
- command is run with session logging enabled.
+ s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by plays back or lists the output logs created by s\bsu\bud\bdo\bo. When
+ replaying, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by can play the session back in real-time, or the
+ playback speed may be adjusted (faster or slower) based on the command
+ line options.
+
+ The _\bI_\bD should be a six character sequence of digits and upper case
+ letters, e.g. 0100A5. When a command is run via s\bsu\bud\bdo\bo with _\bl_\bo_\bg_\b__\bo_\bu_\bt_\bp_\bu_\bt
+ enabled in the _\bs_\bu_\bd_\bo_\be_\br_\bs file, a TSID=ID string is logged via syslog or to
+ the s\bsu\bud\bdo\bo log file. The _\bI_\bD may also be determined using s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by's list
+ mode.
- In list mode, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by can be used to find the ID of a session based
- on a number of criteria such as the user, tty or command run.
+ In list mode, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by can be used to find the ID of a session based on
+ a number of criteria such as the user, tty or command run.
- In replay mode, if the standard output has not been redirected,
- s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by will act on the following keys:
+ In replay mode, if the standard output has not been redirected,
+ s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by will act on the following keys:
- ' ' (space)
- Pause output; press any key to resume.
+ ` ' (space) Pause output; press any key to resume.
- '<' Reduce the playback speed by one half.
+ `<' Reduce the playback speed by one half.
- '>' Double the playback speed.
+ `>' Double the playback speed.
-O\bOP\bPT\bTI\bIO\bON\bNS\bS
- s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by accepts the following command line options:
+ The options are as follows:
- -d _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by
- Use _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by to for the session logs instead of the
+ -\b-d\bd _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by Use _\bd_\bi_\br_\be_\bc_\bt_\bo_\br_\by to for the session logs instead of the
default, _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo.
- -f _\bf_\bi_\bl_\bt_\be_\br By default, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by will play back the command's
- standard output, standard error and tty output. The _\b-_\bf
+ -\b-f\bf _\bf_\bi_\bl_\bt_\be_\br By default, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by will play back the command's
+ standard output, standard error and tty output. The -\b-f\bf
option can be used to select which of these to output. The
_\bf_\bi_\bl_\bt_\be_\br argument is a comma-separated list, consisting of
one or more of following: _\bs_\bt_\bd_\bo_\bu_\bt, _\bs_\bt_\bd_\be_\br_\br, and _\bt_\bt_\by_\bo_\bu_\bt.
- -h The -\b-h\bh (_\bh_\be_\bl_\bp) option causes s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by to print a short
+ -\b-h\bh The -\b-h\bh (_\bh_\be_\bl_\bp) option causes s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by to print a short
help message to the standard output and exit.
- -l [_\bs_\be_\ba_\br_\bc_\bh _\be_\bx_\bp_\br_\be_\bs_\bs_\bi_\bo_\bn]
- Enable "list mode". In this mode, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by will list
+ -\b-l\bl [_\bs_\be_\ba_\br_\bc_\bh _\be_\bx_\bp_\br_\be_\bs_\bs_\bi_\bo_\bn]
+ Enable ``list mode''. In this mode, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by will list
available sessions in a format similar to the s\bsu\bud\bdo\bo log file
format, sorted by file name (or sequence number). If a
_\bs_\be_\ba_\br_\bc_\bh _\be_\bx_\bp_\br_\be_\bs_\bs_\bi_\bo_\bn is specified, it will be used to restrict
fromdate _\bd_\ba_\bt_\be
Evaluates to true if the command was run on or
- after _\bd_\ba_\bt_\be. See "Date and time format" for a
+ after _\bd_\ba_\bt_\be. See _\bD_\ba_\bt_\be _\ba_\bn_\bd _\bt_\bi_\bm_\be _\bf_\bo_\br_\bm_\ba_\bt for a
description of supported date and time formats.
group _\br_\bu_\bn_\ba_\bs_\b__\bg_\br_\bo_\bu_\bp
todate _\bd_\ba_\bt_\be
Evaluates to true if the command was run on or
- prior to _\bd_\ba_\bt_\be. See "Date and time format" for a
+ prior to _\bd_\ba_\bt_\be. See _\bD_\ba_\bt_\be _\ba_\bn_\bd _\bt_\bi_\bm_\be _\bf_\bo_\br_\bm_\ba_\bt for a
description of supported date and time formats.
tty _\bt_\bt_\by _\bn_\ba_\bm_\be
Evaluates to true if the command was run on the
specified terminal device. The _\bt_\bt_\by _\bn_\ba_\bm_\be should be
- specified without the _\b/_\bd_\be_\bv_\b/ prefix, e.g. _\bt_\bt_\by_\b0_\b1
+ specified without the _\b/_\bd_\be_\bv_\b/ prefix, e.g. _\bt_\bt_\by_\b0_\b1
instead of _\b/_\bd_\be_\bv_\b/_\bt_\bt_\by_\b0_\b1.
user _\bu_\bs_\be_\br _\bn_\ba_\bm_\be
character).
Predicates may be combined using _\ba_\bn_\bd, _\bo_\br and _\b! operators as
- well as '(' and ')' for grouping (note that parentheses
- must generally be escaped from the shell). The _\ba_\bn_\bd
- operator is optional, adjacent predicates have an implied
- _\ba_\bn_\bd unless separated by an _\bo_\br.
+ well as `(' and `)' grouping (note that parentheses must
+ generally be escaped from the shell). The _\ba_\bn_\bd operator is
+ optional, adjacent predicates have an implied _\ba_\bn_\bd unless
+ separated by an _\bo_\br.
- -m _\bm_\ba_\bx_\b__\bw_\ba_\bi_\bt Specify an upper bound on how long to wait between key
+ -\b-m\bm _\bm_\ba_\bx_\b__\bw_\ba_\bi_\bt Specify an upper bound on how long to wait between key
presses or output data. By default, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by will
accurately reproduce the delays between key presses or
program output. However, this can be tedious when the
- session includes long pauses. When the _\b-_\bm option is
+ session includes long pauses. When the -\b-m\bm option is
specified, s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by will limit these pauses to at most
_\bm_\ba_\bx_\b__\bw_\ba_\bi_\bt seconds. The value may be specified as a floating
point number, e.g. _\b2_\b._\b5.
- -s _\bs_\bp_\be_\be_\bd_\b__\bf_\ba_\bc_\bt_\bo_\br
+ -\b-s\bs _\bs_\bp_\be_\be_\bd_\b__\bf_\ba_\bc_\bt_\bo_\br
This option causes s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by to adjust the number of
seconds it will wait between key presses or program output.
This can be used to slow down or speed up the display. For
fast whereas a _\bs_\bp_\be_\be_\bd_\b__\bf_\ba_\bc_\bt_\bo_\br of _\b._\b5 would make the output
twice as slow.
- -V The -\b-V\bV (version) option causes s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by to print its
+ -\b-V\bV The -\b-V\bV (_\bv_\be_\br_\bs_\bi_\bo_\bn) option causes s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by to print its
version number and exit.
D\bDa\bat\bte\be a\ban\bnd\bd t\bti\bim\bme\be f\bfo\bor\brm\bma\bat\bt
- The time and date may be specified multiple ways, common formats
- include:
+ The time and date may be specified multiple ways, common formats include:
- HH:MM:SS am MM/DD/CCYY timezone
- 24 hour time may be used in place of am/pm.
+ HH:MM:SS am MM/DD/CCYY timezone
+ 24 hour time may be used in place of am/pm.
- HH:MM:SS am Month, Day Year timezone
- 24 hour time may be used in place of am/pm, and month and day
- names may be abbreviated. Note that month and day of the week
- names must be specified in English.
+ HH:MM:SS am Month, Day Year timezone
+ 24 hour time may be used in place of am/pm, and month and day
+ names may be abbreviated. Note that month and day of the week
+ names must be specified in English.
- CCYY-MM-DD HH:MM:SS
- ISO time format
+ CCYY-MM-DD HH:MM:SS
+ ISO time format
- DD Month CCYY HH:MM:SS
- The month name may be abbreviated.
+ DD Month CCYY HH:MM:SS
+ The month name may be abbreviated.
- Either time or date may be omitted, the am/pm and timezone are
- optional. If no date is specified, the current day is assumed; if no
- time is specified, the first second of the specified date is used. The
- less significant parts of both time and date may also be omitted, in
- which case zero is assumed.
+ Either time or date may be omitted, the am/pm and timezone are optional.
+ If no date is specified, the current day is assumed; if no time is
+ specified, the first second of the specified date is used. The less
+ significant parts of both time and date may also be omitted, in which
+ case zero is assumed.
- The following are all valid time and date specifications:
+ The following are all valid time and date specifications:
- now The current time and date.
+ now The current time and date.
- tomorrow
- Exactly one day from now.
+ tomorrow
+ Exactly one day from now.
- yesterday
- 24 hours ago.
+ yesterday
+ 24 hours ago.
- 2 hours ago
- 2 hours ago.
+ 2 hours ago
+ 2 hours ago.
- next Friday
- The first second of the next Friday.
+ next Friday
+ The first second of the next Friday.
- this week
- The current time but the first day of the coming week.
+ this week
+ The current time but the first day of the coming week.
- a fortnight ago
- The current time but 14 days ago.
+ a fortnight ago
+ The current time but 14 days ago.
- 10:01 am 9/17/2009
- 10:01 am, September 17, 2009.
+ 10:01 am 9/17/2009
+ 10:01 am, September 17, 2009.
- 10:01 am
- 10:01 am on the current day.
+ 10:01 am
+ 10:01 am on the current day.
- 10 10:00 am on the current day.
+ 10 10:00 am on the current day.
- 9/17/2009
- 00:00 am, September 17, 2009.
+ 9/17/2009
+ 00:00 am, September 17, 2009.
- 10:01 am Sep 17, 2009
- 10:01 am, September 17, 2009.
+ 10:01 am Sep 17, 2009
+ 10:01 am, September 17, 2009.
F\bFI\bIL\bLE\bES\bS
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo The default I/O log directory.
+ _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo The default I/O log directory.
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bl_\bo_\bg
+ _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bl_\bo_\bg
Example session log info.
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bs_\bt_\bd_\bi_\bn
+ _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bs_\bt_\bd_\bi_\bn
Example session standard input log.
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bs_\bt_\bd_\bo_\bu_\bt
+ _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bs_\bt_\bd_\bo_\bu_\bt
Example session standard output log.
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bs_\bt_\bd_\be_\br_\br
+ _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bs_\bt_\bd_\be_\br_\br
Example session standard error log.
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bt_\bt_\by_\bi_\bn
+ _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bt_\bt_\by_\bi_\bn
Example session tty input file.
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bt_\bt_\by_\bo_\bu_\bt
+ _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bt_\bt_\by_\bo_\bu_\bt
Example session tty output file.
- _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bt_\bi_\bm_\bi_\bn_\bg
+ _\b/_\bv_\ba_\br_\b/_\bl_\bo_\bg_\b/_\bs_\bu_\bd_\bo_\b-_\bi_\bo_\b/_\b0_\b0_\b/_\b0_\b0_\b/_\b0_\b1_\b/_\bt_\bi_\bm_\bi_\bn_\bg
Example session timing file.
- Note that the _\bs_\bt_\bd_\bi_\bn, _\bs_\bt_\bd_\bo_\bu_\bt and _\bs_\bt_\bd_\be_\br_\br files will be empty unless s\bsu\bud\bdo\bo
- was used as part of a pipeline for a particular command.
+ Note that the _\bs_\bt_\bd_\bi_\bn, _\bs_\bt_\bd_\bo_\bu_\bt and _\bs_\bt_\bd_\be_\br_\br files will be empty unless s\bsu\bud\bdo\bo
+ was used as part of a pipeline for a particular command.
E\bEX\bXA\bAM\bMP\bPL\bLE\bES\bS
- List sessions run by user _\bm_\bi_\bl_\bl_\be_\br_\bt:
+ List sessions run by user _\bm_\bi_\bl_\bl_\be_\br_\bt:
- # sudoreplay -l user millert
+ # sudoreplay -l user millert
- List sessions run by user _\bb_\bo_\bb with a command containing the string vi:
+ List sessions run by user _\bb_\bo_\bb with a command containing the string vi:
- # sudoreplay -l user bob command vi
+ # sudoreplay -l user bob command vi
- List sessions run by user _\bj_\be_\bf_\bf that match a regular expression:
+ List sessions run by user _\bj_\be_\bf_\bf that match a regular expression:
- # sudoreplay -l user jeff command '/bin/[a-z]*sh'
+ # sudoreplay -l user jeff command '/bin/[a-z]*sh'
- List sessions run by jeff or bob on the console:
+ List sessions run by jeff or bob on the console:
- # sudoreplay -l ( user jeff or user bob ) tty console
+ # sudoreplay -l ( user jeff or user bob ) tty console
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\bs_\bu_\bd_\bo(1m), _\bs_\bc_\br_\bi_\bp_\bt(1)
+ sudo(1m), script(1)
A\bAU\bUT\bTH\bHO\bOR\bRS\bS
- Todd C. Miller
+ Todd C. Miller
B\bBU\bUG\bGS\bS
- If you feel you have found a bug in s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by, please submit a bug
- report at http://www.sudo.ws/sudo/bugs/
+ If you feel you have found a bug in s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by, please submit a bug
+ report at http://www.sudo.ws/sudo/bugs/
S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Limited free support is available via the sudo-users mailing list, see
- http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
- the archives.
+ Limited free support is available via the sudo-users mailing list, see
+ http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
+ archives.
D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by is provided ``AS IS'' and any express or implied warranties,
- including, but not limited to, the implied warranties of
- merchantability and fitness for a particular purpose are disclaimed.
- See the LICENSE file distributed with s\bsu\bud\bdo\bo or
- http://www.sudo.ws/sudo/license.html for complete details.
-
-
+ s\bsu\bud\bdo\bor\bre\bep\bpl\bla\bay\by is provided ``AS IS'' and any express or implied warranties,
+ including, but not limited to, the implied warranties of merchantability
+ and fitness for a particular purpose are disclaimed. See the LICENSE
+ file distributed with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for
+ complete details.
-1.7.10 July 18, 2012 SUDOREPLAY(1m)
+Sudo 1.7.10 July 12, 2012 Sudo 1.7.10
-.\" Copyright (c) 2009-2010 Todd C. Miller <Todd.Miller@courtesan.com>
-.\"
+.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
+.\" IT IS GENERATED AUTOMATICALLY FROM sudoreplay.mdoc.in
+.\"
+.\" Copyright (c) 2009-2012 Todd C. Miller <Todd.Miller@courtesan.com>
+.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
-.\"
+.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
-.\"
-.\" Standard preamble:
-.\" ========================================================================
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C`
-. ds C'
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" Escape single quotes in literal strings from groff's Unicode transform.
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
-.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
-.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
-.\" entries marked with X<> in POD. Of course, you'll have to process the
-.\" output yourself in some meaningful fashion.
-.ie \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.el \{\
-. de IX
-..
-.\}
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ========================================================================
.\"
-.IX Title "SUDOREPLAY @mansectsu@"
-.TH SUDOREPLAY @mansectsu@ "July 18, 2012" "1.7.10" "MAINTENANCE COMMANDS"
-.\" For nroff, turn off justification. Always turn off hyphenation; it makes
-.\" way too many mistakes in technical documents.
-.if n .ad l
+.TH "SUDOREPLAY" "@mansectsu@" "July 12, 2012" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh
+.if n .ad l
.SH "NAME"
-sudoreplay \- replay sudo session logs
+\fBsudoreplay\fR
+\- replay sudo session logs
.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBsudoreplay\fR [\fB\-h\fR] [\fB\-d\fR\ \fIdirectory\fR] [\fB\-f\fR\ \fIfilter\fR] [\fB\-m\fR\ \fImax_wait\fR] [\fB\-s\fR\ \fIspeed_factor\fR] \s-1ID\s0
-.PP
-\&\fBsudoreplay\fR [\fB\-h\fR] [\fB\-d\fR\ \fIdirectory\fR] \-l [search\ expression]
+.HP 11n
+\fBsudoreplay\fR
+[\fB\-h\fR]
+[\fB\-d\fR\ \fIdirectory\fR]
+[\fB\-f\fR\ \fIfilter\fR]
+[\fB\-m\fR\ \fImax_wait\fR]
+[\fB\-s\fR\ \fIspeed_factor\fR]
+ID
+.HP 11n
+\fBsudoreplay\fR
+[\fB\-h\fR]
+[\fB\-d\fR\ \fIdirectory\fR]
+\fB\-l\fR
+[search expression]
.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-\&\fBsudoreplay\fR plays back or lists the session logs created by
-\&\fBsudo\fR. When replaying, \fBsudoreplay\fR can play the session back
-in real-time, or the playback speed may be adjusted (faster or
-slower) based on the command line options. The \fI\s-1ID\s0\fR should be
-a six character sequence of digits and upper case letters, e.g.
-0100A5, which is logged by \fBsudo\fR when a command is run with
-session logging enabled.
+\fBsudoreplay\fR
+plays back or lists the output logs created by
+\fBsudo\fR.
+When replaying,
+\fBsudoreplay\fR
+can play the session back in real-time, or the playback speed may be
+adjusted (faster or slower) based on the command line options.
+.PP
+The
+\fIID\fR
+should be a six character sequence of digits and
+upper case letters, e.g.\&
+\fR0100A5\fR.
+When a command is run via
+\fBsudo\fR
+with
+\fIlog_output\fR
+enabled in the
+\fIsudoers\fR
+file, a
+\fRTSID=ID\fR
+string is logged via syslog or to the
+\fBsudo\fR
+log file.
+The
+\fIID\fR
+may also be determined using
+\fBsudoreplay\fR's
+list mode.
.PP
-In list mode, \fBsudoreplay\fR can be used to find the \s-1ID\s0 of a session
-based on a number of criteria such as the user, tty or command run.
+In list mode,
+\fBsudoreplay\fR
+can be used to find the ID of a session based on a number of criteria
+such as the user, tty or command run.
.PP
In replay mode, if the standard output has not been redirected,
-\&\fBsudoreplay\fR will act on the following keys:
-.IP "' ' (space)" 8
-.IX Item "' ' (space)"
+\fBsudoreplay\fR
+will act on the following keys:
+.TP 14n
+`\fR\ \fR' (space)
Pause output; press any key to resume.
-.IP "'<'" 8
+.TP 14n
+`<'
Reduce the playback speed by one half.
-.IP "'>'" 8
+.TP 14n
+`>'
Double the playback speed.
-.SH "OPTIONS"
-.IX Header "OPTIONS"
-\&\fBsudoreplay\fR accepts the following command line options:
-.IP "\-d \fIdirectory\fR" 12
-.IX Item "-d directory"
-Use \fIdirectory\fR to for the session logs instead of the default,
-\&\fI@iolog_dir@\fR.
-.IP "\-f \fIfilter\fR" 12
-.IX Item "-f filter"
-By default, \fBsudoreplay\fR will play back the command's standard
-output, standard error and tty output. The \fI\-f\fR option can be
-used to select which of these to output. The \fIfilter\fR argument
-is a comma-separated list, consisting of one or more of following:
-\&\fIstdout\fR, \fIstderr\fR, and \fIttyout\fR.
-.IP "\-h" 12
-.IX Item "-h"
-The \fB\-h\fR (\fIhelp\fR) option causes \fBsudoreplay\fR to print a short
-help message to the standard output and exit.
-.IP "\-l [\fIsearch expression\fR]" 12
-.IX Item "-l [search expression]"
-Enable \*(L"list mode\*(R". In this mode, \fBsudoreplay\fR will list available
-sessions in a format similar to the \fBsudo\fR log file format, sorted
-by file name (or sequence number). If a \fIsearch expression\fR is
-specified, it will be used to restrict the IDs that are displayed.
+.PP
+The options are as follows:
+.TP 14n
+\fB\-d\fR \fIdirectory\fR
+.br
+Use
+\fIdirectory\fR
+to for the session logs instead of the default,
+\fI@iolog_dir@\fR.
+.TP 14n
+\fB\-f\fR \fIfilter\fR
+By default,
+\fBsudoreplay\fR
+will play back the command's standard output, standard error and tty output.
+The
+\fB\-f\fR
+option can be used to select which of these to output.
+The
+\fIfilter\fR
+argument is a comma-separated list, consisting of one or more of following:
+\fIstdout\fR,
+\fIstderr\fR,
+and
+\fIttyout\fR.
+.TP 14n
+\fB\-h\fR
+The
+\fB\-h\fR (\fIhelp\fR)
+option causes
+\fBsudoreplay\fR
+to print a short help message to the standard output and exit.
+.TP 14n
+\fB\-l\fR [\fIsearch expression\fR]
+Enable
+``list mode''.
+In this mode,
+\fBsudoreplay\fR
+will list available sessions in a format similar to the
+\fBsudo\fR
+log file format, sorted by file name (or sequence number).
+If a
+\fIsearch expression\fR
+is specified, it will be used to restrict the IDs that are displayed.
An expression is composed of the following predicates:
-.RS 12
-.IP "command \fIpattern\fR" 8
-.IX Item "command pattern"
-Evaluates to true if the command run matches \fIpattern\fR.
-On systems with \s-1POSIX\s0 regular expression support, the pattern may
-be an extended regular expression. On systems without \s-1POSIX\s0 regular
-expression support, a simple substring match is performed instead.
-.IP "cwd \fIdirectory\fR" 8
-.IX Item "cwd directory"
+.RS
+.TP 8n
+command \fIpattern\fR
+Evaluates to true if the command run matches
+\fIpattern\fR.
+On systems with POSIX regular expression support, the pattern may
+be an extended regular expression.
+On systems without POSIX regular expression support, a simple substring
+match is performed instead.
+.TP 8n
+cwd \fIdirectory\fR
Evaluates to true if the command was run with the specified current
working directory.
-.IP "fromdate \fIdate\fR" 8
-.IX Item "fromdate date"
-Evaluates to true if the command was run on or after \fIdate\fR.
-See \*(L"Date and time format\*(R" for a description of supported
-date and time formats.
-.IP "group \fIrunas_group\fR" 8
-.IX Item "group runas_group"
+.TP 8n
+fromdate \fIdate\fR
+Evaluates to true if the command was run on or after
+\fIdate\fR.
+See
+\fIDate and time format\fR
+for a description of supported date and time formats.
+.TP 8n
+group \fIrunas_group\fR
Evaluates to true if the command was run with the specified
-\&\fIrunas_group\fR. Note that unless a \fIrunas_group\fR was explicitly
-specified when \fBsudo\fR was run this field will be empty in the log.
-.IP "runas \fIrunas_user\fR" 8
-.IX Item "runas runas_user"
-Evaluates to true if the command was run as the specified \fIrunas_user\fR.
-Note that \fBsudo\fR runs commands as user \fIroot\fR by default.
-.IP "todate \fIdate\fR" 8
-.IX Item "todate date"
-Evaluates to true if the command was run on or prior to \fIdate\fR.
-See \*(L"Date and time format\*(R" for a description of supported
-date and time formats.
-.IP "tty \fItty name\fR" 8
-.IX Item "tty tty name"
-Evaluates to true if the command was run on the specified terminal
-device. The \fItty name\fR should be specified without the \fI/dev/\fR prefix,
-e.g. \fItty01\fR instead of \fI/dev/tty01\fR.
-.IP "user \fIuser name\fR" 8
-.IX Item "user user name"
-Evaluates to true if the \s-1ID\s0 matches a command run by \fIuser name\fR.
-.RE
-.RS 12
-.Sp
+\fIrunas_group\fR.
+Note that unless a
+\fIrunas_group\fR
+was explicitly specified when
+\fBsudo\fR
+was run this field will be empty in the log.
+.TP 8n
+runas \fIrunas_user\fR
+Evaluates to true if the command was run as the specified
+\fIrunas_user\fR.
+Note that
+\fBsudo\fR
+runs commands as user
+\fIroot\fR
+by default.
+.TP 8n
+todate \fIdate\fR
+Evaluates to true if the command was run on or prior to
+\fIdate\fR.
+See
+\fIDate and time format\fR
+for a description of supported date and time formats.
+.TP 8n
+tty \fItty name\fR
+Evaluates to true if the command was run on the specified terminal device.
+The
+\fItty name\fR
+should be specified without the
+\fI/dev/\fR
+prefix, e.g.\&
+\fItty01\fR
+instead of
+\fI/dev/tty01\fR.
+.TP 8n
+user \fIuser name\fR
+Evaluates to true if the ID matches a command run by
+\fIuser name\fR.
+.PP
Predicates may be abbreviated to the shortest unique string (currently
all predicates may be shortened to a single character).
-.Sp
-Predicates may be combined using \fIand\fR, \fIor\fR and \fI!\fR operators
-as well as \f(CW\*(Aq(\*(Aq\fR and \f(CW\*(Aq)\*(Aq\fR for grouping (note that parentheses
-must generally be escaped from the shell). The \fIand\fR operator is
-optional, adjacent predicates have an implied \fIand\fR unless separated
-by an \fIor\fR.
+.sp
+Predicates may be combined using
+\fIand\fR,
+\fIor\fR
+and
+\fI\&!\fR
+operators as well as
+`\&('
+and
+`\&)'
+grouping (note that parentheses must generally be escaped from the shell).
+The
+\fIand\fR
+operator is optional, adjacent predicates have an implied
+\fIand\fR
+unless separated by an
+\fIor\fR.
+.PP
.RE
-.IP "\-m \fImax_wait\fR" 12
-.IX Item "-m max_wait"
-Specify an upper bound on how long to wait between key presses or
-output data. By default, \fBsudoreplay\fR will accurately reproduce
-the delays between key presses or program output. However, this
-can be tedious when the session includes long pauses. When the
-\&\fI\-m\fR option is specified, \fBsudoreplay\fR will limit these pauses
-to at most \fImax_wait\fR seconds. The value may be specified as a
-floating point number, e.g. \fI2.5\fR.
-.IP "\-s \fIspeed_factor\fR" 12
-.IX Item "-s speed_factor"
-This option causes \fBsudoreplay\fR to adjust the number of seconds
-it will wait between key presses or program output. This can be
-used to slow down or speed up the display. For example, a
-\&\fIspeed_factor\fR of \fI2\fR would make the output twice as fast whereas
-a \fIspeed_factor\fR of \fI.5\fR would make the output twice as slow.
-.IP "\-V" 12
-.IX Item "-V"
-The \fB\-V\fR (version) option causes \fBsudoreplay\fR to print its version number
+.PD 0
+.TP 14n
+\fB\-m\fR \fImax_wait\fR
+Specify an upper bound on how long to wait between key presses or output data.
+By default,
+\fBsudoreplay\fR
+will accurately reproduce the delays between key presses or program output.
+However, this can be tedious when the session includes long pauses.
+When the
+\fB\-m\fR
+option is specified,
+\fBsudoreplay\fR
+will limit these pauses to at most
+\fImax_wait\fR
+seconds.
+The value may be specified as a floating point number, e.g.\&
+\fI2.5\fR.
+.PD
+.TP 14n
+\fB\-s\fR \fIspeed_factor\fR
+This option causes
+\fBsudoreplay\fR
+to adjust the number of seconds it will wait between key presses or
+program output.
+This can be used to slow down or speed up the display.
+For example, a
+\fIspeed_factor\fR
+of
+\fI2\fR
+would make the output twice as fast whereas a
+\fIspeed_factor\fR
+of
+\fI.5\fR
+would make the output twice as slow.
+.TP 14n
+\fB\-V\fR
+The
+\fB\-V\fR (\fIversion\fR)
+option causes
+\fBsudoreplay\fR
+to print its version number
and exit.
.SS "Date and time format"
-.IX Subsection "Date and time format"
The time and date may be specified multiple ways, common formats include:
-.IP "\s-1HH:MM:SS\s0 am \s-1MM/DD/CCYY\s0 timezone" 8
-.IX Item "HH:MM:SS am MM/DD/CCYY timezone"
+.TP 8n
+HH:MM:SS am MM/DD/CCYY timezone
24 hour time may be used in place of am/pm.
-.IP "\s-1HH:MM:SS\s0 am Month, Day Year timezone" 8
-.IX Item "HH:MM:SS am Month, Day Year timezone"
+.TP 8n
+HH:MM:SS am Month, Day Year timezone
24 hour time may be used in place of am/pm, and month and day names
-may be abbreviated. Note that month and day of the week names must
-be specified in English.
-.IP "CCYY-MM-DD \s-1HH:MM:SS\s0" 8
-.IX Item "CCYY-MM-DD HH:MM:SS"
-\&\s-1ISO\s0 time format
-.IP "\s-1DD\s0 Month \s-1CCYY\s0 \s-1HH:MM:SS\s0" 8
-.IX Item "DD Month CCYY HH:MM:SS"
+may be abbreviated.
+Note that month and day of the week names must be specified in English.
+.TP 8n
+CCYY-MM-DD HH:MM:SS
+ISO time format
+.TP 8n
+DD Month CCYY HH:MM:SS
The month name may be abbreviated.
.PP
-Either time or date may be omitted, the am/pm and timezone are
-optional. If no date is specified, the current day is assumed; if
-no time is specified, the first second of the specified date is
-used. The less significant parts of both time and date may also
-be omitted, in which case zero is assumed.
+Either time or date may be omitted, the am/pm and timezone are optional.
+If no date is specified, the current day is assumed; if no time is
+specified, the first second of the specified date is used.
+The less significant parts of both time and date may also be omitted,
+in which case zero is assumed.
.PP
The following are all valid time and date specifications:
-.IP "now" 8
-.IX Item "now"
+.TP 8n
+now
The current time and date.
-.IP "tomorrow" 8
-.IX Item "tomorrow"
+.TP 8n
+tomorrow
Exactly one day from now.
-.IP "yesterday" 8
-.IX Item "yesterday"
+.TP 8n
+yesterday
24 hours ago.
-.IP "2 hours ago" 8
-.IX Item "2 hours ago"
+.TP 8n
+2 hours ago
2 hours ago.
-.IP "next Friday" 8
-.IX Item "next Friday"
+.TP 8n
+next Friday
The first second of the next Friday.
-.IP "this week" 8
-.IX Item "this week"
+.TP 8n
+this week
The current time but the first day of the coming week.
-.IP "a fortnight ago" 8
-.IX Item "a fortnight ago"
+.TP 8n
+a fortnight ago
The current time but 14 days ago.
-.IP "10:01 am 9/17/2009" 8
-.IX Item "10:01 am 9/17/2009"
+.TP 8n
+10:01 am 9/17/2009
10:01 am, September 17, 2009.
-.IP "10:01 am" 8
-.IX Item "10:01 am"
+.TP 8n
+10:01 am
10:01 am on the current day.
-.IP "10" 8
-.IX Item "10"
+.TP 8n
+10
10:00 am on the current day.
-.IP "9/17/2009" 8
-.IX Item "9/17/2009"
+.TP 8n
+9/17/2009
00:00 am, September 17, 2009.
-.IP "10:01 am Sep 17, 2009" 8
-.IX Item "10:01 am Sep 17, 2009"
+.TP 8n
+10:01 am Sep 17, 2009
10:01 am, September 17, 2009.
.SH "FILES"
-.IX Header "FILES"
-.ie n .IP "\fI@iolog_dir@\fR" 24
-.el .IP "\fI@iolog_dir@\fR" 24
-.IX Item "@iolog_dir@"
+.TP 26n
+\fI@iolog_dir@\fR
The default I/O log directory.
-.ie n .IP "\fI@iolog_dir@/00/00/01/log\fR" 24
-.el .IP "\fI@iolog_dir@/00/00/01/log\fR" 24
-.IX Item "@iolog_dir@/00/00/01/log"
+.TP 26n
+\fI@iolog_dir@/00/00/01/log\fR
Example session log info.
-.ie n .IP "\fI@iolog_dir@/00/00/01/stdin\fR" 24
-.el .IP "\fI@iolog_dir@/00/00/01/stdin\fR" 24
-.IX Item "@iolog_dir@/00/00/01/stdin"
+.TP 26n
+\fI@iolog_dir@/00/00/01/stdin\fR
Example session standard input log.
-.ie n .IP "\fI@iolog_dir@/00/00/01/stdout\fR" 24
-.el .IP "\fI@iolog_dir@/00/00/01/stdout\fR" 24
-.IX Item "@iolog_dir@/00/00/01/stdout"
+.TP 26n
+\fI@iolog_dir@/00/00/01/stdout\fR
Example session standard output log.
-.ie n .IP "\fI@iolog_dir@/00/00/01/stderr\fR" 24
-.el .IP "\fI@iolog_dir@/00/00/01/stderr\fR" 24
-.IX Item "@iolog_dir@/00/00/01/stderr"
+.TP 26n
+\fI@iolog_dir@/00/00/01/stderr\fR
Example session standard error log.
-.ie n .IP "\fI@iolog_dir@/00/00/01/ttyin\fR" 24
-.el .IP "\fI@iolog_dir@/00/00/01/ttyin\fR" 24
-.IX Item "@iolog_dir@/00/00/01/ttyin"
+.TP 26n
+\fI@iolog_dir@/00/00/01/ttyin\fR
Example session tty input file.
-.ie n .IP "\fI@iolog_dir@/00/00/01/ttyout\fR" 24
-.el .IP "\fI@iolog_dir@/00/00/01/ttyout\fR" 24
-.IX Item "@iolog_dir@/00/00/01/ttyout"
+.TP 26n
+\fI@iolog_dir@/00/00/01/ttyout\fR
Example session tty output file.
-.ie n .IP "\fI@iolog_dir@/00/00/01/timing\fR" 24
-.el .IP "\fI@iolog_dir@/00/00/01/timing\fR" 24
-.IX Item "@iolog_dir@/00/00/01/timing"
+.TP 26n
+\fI@iolog_dir@/00/00/01/timing\fR
Example session timing file.
.PP
-Note that the \fIstdin\fR, \fIstdout\fR and \fIstderr\fR files will be empty
-unless \fBsudo\fR was used as part of a pipeline for a particular
-command.
+Note that the
+\fIstdin\fR,
+\fIstdout\fR
+and
+\fIstderr\fR
+files will be empty unless
+\fBsudo\fR
+was used as part of a pipeline for a particular command.
.SH "EXAMPLES"
-.IX Header "EXAMPLES"
-List sessions run by user \fImillert\fR:
-.PP
-.Vb 1
-\& # sudoreplay \-l user millert
-.Ve
-.PP
-List sessions run by user \fIbob\fR with a command containing the string vi:
-.PP
-.Vb 1
-\& # sudoreplay \-l user bob command vi
-.Ve
+List sessions run by user
+\fImillert\fR:
+.nf
+.sp
+.RS 6n
+# sudoreplay -l user millert
+.RE
+.fi
.PP
-List sessions run by user \fIjeff\fR that match a regular expression:
+List sessions run by user
+\fIbob\fR
+with a command containing the string vi:
+.nf
+.sp
+.RS 6n
+# sudoreplay -l user bob command vi
+.RE
+.fi
.PP
-.Vb 1
-\& # sudoreplay \-l user jeff command \*(Aq/bin/[a\-z]*sh\*(Aq
-.Ve
+List sessions run by user
+\fIjeff\fR
+that match a regular expression:
+.nf
+.sp
+.RS 6n
+# sudoreplay -l user jeff command '/bin/[a-z]*sh'
+.RE
+.fi
.PP
List sessions run by jeff or bob on the console:
-.PP
-.Vb 1
-\& # sudoreplay \-l ( user jeff or user bob ) tty console
-.Ve
+.nf
+.sp
+.RS 6n
+# sudoreplay -l ( user jeff or user bob ) tty console
+.RE
+.fi
.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-\&\fIsudo\fR\|(@mansectsu@), \fIscript\fR\|(1)
+sudo(@mansectsu@),
+script(1)
.SH "AUTHORS"
-.IX Header "AUTHORS"
Todd C. Miller
.SH "BUGS"
-.IX Header "BUGS"
-If you feel you have found a bug in \fBsudoreplay\fR, please submit a bug report
-at http://www.sudo.ws/sudo/bugs/
+If you feel you have found a bug in
+\fBsudoreplay\fR,
+please submit a bug report at http://www.sudo.ws/sudo/bugs/
.SH "SUPPORT"
-.IX Header "SUPPORT"
Limited free support is available via the sudo-users mailing list,
-see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
+see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.SH "DISCLAIMER"
-.IX Header "DISCLAIMER"
-\&\fBsudoreplay\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
-including, but not limited to, the implied warranties of merchantability
-and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
-file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
-for complete details.
+\fBsudoreplay\fR
+is provided
+``AS IS''
+and any express or implied warranties, including, but not limited
+to, the implied warranties of merchantability and fitness for a
+particular purpose are disclaimed.
+See the LICENSE file distributed with
+\fBsudo\fR
+or http://www.sudo.ws/sudo/license.html for complete details.
--- /dev/null
+.\"
+.\" Copyright (c) 2009-2012 Todd C. Miller <Todd.Miller@courtesan.com>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.Dd July 12, 2012
+.Dt SUDOREPLAY @mansectsu@
+.Os Sudo @PACKAGE_VERSION@
+.Sh NAME
+.Nm sudoreplay
+.Nd replay sudo session logs
+.Sh SYNOPSIS
+.Nm sudoreplay
+.Op Fl h
+.Bk -words
+.Op Fl d Ar directory
+.Ek
+.Bk -words
+.Op Fl f Ar filter
+.Ek
+.Bk -words
+.Op Fl m Ar max_wait
+.Ek
+.Bk -words
+.Op Fl s Ar speed_factor
+.Ek
+ID
+.Pp
+.Nm sudoreplay
+.Op Fl h
+.Bk -words
+.Op Fl d Ar directory
+.Ek
+.Fl l
+.Op search expression
+.Sh DESCRIPTION
+.Nm sudoreplay
+plays back or lists the output logs created by
+.Nm sudo .
+When replaying,
+.Nm sudoreplay
+can play the session back in real-time, or the playback speed may be
+adjusted (faster or slower) based on the command line options.
+.Pp
+The
+.Em ID
+should be a six character sequence of digits and
+upper case letters, e.g.\&
+.Li 0100A5 .
+When a command is run via
+.Nm sudo
+with
+.Em log_output
+enabled in the
+.Em sudoers
+file, a
+.Li TSID=ID
+string is logged via syslog or to the
+.Nm sudo
+log file.
+The
+.Em ID
+may also be determined using
+.Nm sudoreplay Ns No 's
+list mode.
+.Pp
+In list mode,
+.Nm sudoreplay
+can be used to find the ID of a session based on a number of criteria
+such as the user, tty or command run.
+.Pp
+In replay mode, if the standard output has not been redirected,
+.Nm sudoreplay
+will act on the following keys:
+.Bl -tag -width 12n
+.It So Li \ Sc No (space)
+Pause output; press any key to resume.
+.It Ql <
+Reduce the playback speed by one half.
+.It Ql >
+Double the playback speed.
+.El
+.Pp
+The options are as follows:
+.Bl -tag -width 12n
+.It Fl d Ar directory
+Use
+.Ar directory
+to for the session logs instead of the default,
+.Pa @iolog_dir@ .
+.It Fl f Ar filter
+By default,
+.Nm sudoreplay
+will play back the command's standard output, standard error and tty output.
+The
+.Fl f
+option can be used to select which of these to output.
+The
+.Ar filter
+argument is a comma-separated list, consisting of one or more of following:
+.Em stdout ,
+.Em stderr ,
+and
+.Em ttyout .
+.It Fl h
+The
+.Fl h No ( Em help Ns No )
+option causes
+.Nm sudoreplay
+to print a short help message to the standard output and exit.
+.It Fl l Op Ar search expression
+Enable
+.Dq list mode .
+In this mode,
+.Nm sudoreplay
+will list available sessions in a format similar to the
+.Nm sudo
+log file format, sorted by file name (or sequence number).
+If a
+.Ar search expression
+is specified, it will be used to restrict the IDs that are displayed.
+An expression is composed of the following predicates:
+.Bl -tag -width 6n
+.It command Ar pattern
+Evaluates to true if the command run matches
+.Ar pattern .
+On systems with POSIX regular expression support, the pattern may
+be an extended regular expression.
+On systems without POSIX regular expression support, a simple substring
+match is performed instead.
+.It cwd Ar directory
+Evaluates to true if the command was run with the specified current
+working directory.
+.It fromdate Ar date
+Evaluates to true if the command was run on or after
+.Ar date .
+See
+.Sx Date and time format
+for a description of supported date and time formats.
+.It group Ar runas_group
+Evaluates to true if the command was run with the specified
+.Ar runas_group .
+Note that unless a
+.Ar runas_group
+was explicitly specified when
+.Nm sudo
+was run this field will be empty in the log.
+.It runas Ar runas_user
+Evaluates to true if the command was run as the specified
+.Ar runas_user .
+Note that
+.Nm sudo
+runs commands as user
+.Em root
+by default.
+.It todate Ar date
+Evaluates to true if the command was run on or prior to
+.Ar date .
+See
+.Sx Date and time format
+for a description of supported date and time formats.
+.It tty Ar tty name
+Evaluates to true if the command was run on the specified terminal device.
+The
+.Ar tty name
+should be specified without the
+.Pa /dev/
+prefix, e.g.\&
+.Pa tty01
+instead of
+.Pa /dev/tty01 .
+.It user Ar user name
+Evaluates to true if the ID matches a command run by
+.Ar user name .
+.El
+.Pp
+Predicates may be abbreviated to the shortest unique string (currently
+all predicates may be shortened to a single character).
+.Pp
+Predicates may be combined using
+.Em and ,
+.Em or
+and
+.Em \&!
+operators as well as
+.Ql \&(
+and
+.Ql \&)
+grouping (note that parentheses must generally be escaped from the shell).
+The
+.Em and
+operator is optional, adjacent predicates have an implied
+.Em and
+unless separated by an
+.Em or .
+.It Fl m Ar max_wait
+Specify an upper bound on how long to wait between key presses or output data.
+By default,
+.Nm sudoreplay
+will accurately reproduce the delays between key presses or program output.
+However, this can be tedious when the session includes long pauses.
+When the
+.Fl m
+option is specified,
+.Nm sudoreplay
+will limit these pauses to at most
+.Em max_wait
+seconds.
+The value may be specified as a floating point number, e.g.\&
+.Em 2.5 .
+.It Fl s Ar speed_factor
+This option causes
+.Nm sudoreplay
+to adjust the number of seconds it will wait between key presses or
+program output.
+This can be used to slow down or speed up the display.
+For example, a
+.Ar speed_factor
+of
+.Em 2
+would make the output twice as fast whereas a
+.Ar speed_factor
+of
+.Em .5
+would make the output twice as slow.
+.It Fl V
+The
+.Fl V No ( Em version Ns No )
+option causes
+.Nm sudoreplay
+to print its version number
+and exit.
+.El
+.Ss Date and time format
+The time and date may be specified multiple ways, common formats include:
+.Bl -tag -width 6n
+.It HH:MM:SS am MM/DD/CCYY timezone
+24 hour time may be used in place of am/pm.
+.It HH:MM:SS am Month, Day Year timezone
+24 hour time may be used in place of am/pm, and month and day names
+may be abbreviated.
+Note that month and day of the week names must be specified in English.
+.It CCYY-MM-DD HH:MM:SS
+ISO time format
+.It DD Month CCYY HH:MM:SS
+The month name may be abbreviated.
+.El
+.Pp
+Either time or date may be omitted, the am/pm and timezone are optional.
+If no date is specified, the current day is assumed; if no time is
+specified, the first second of the specified date is used.
+The less significant parts of both time and date may also be omitted,
+in which case zero is assumed.
+.Pp
+The following are all valid time and date specifications:
+.Bl -tag -width 6n
+.It now
+The current time and date.
+.It tomorrow
+Exactly one day from now.
+.It yesterday
+24 hours ago.
+.It 2 hours ago
+2 hours ago.
+.It next Friday
+The first second of the next Friday.
+.It this week
+The current time but the first day of the coming week.
+.It a fortnight ago
+The current time but 14 days ago.
+.It 10:01 am 9/17/2009
+10:01 am, September 17, 2009.
+.It 10:01 am
+10:01 am on the current day.
+.It 10
+10:00 am on the current day.
+.It 9/17/2009
+00:00 am, September 17, 2009.
+.It 10:01 am Sep 17, 2009
+10:01 am, September 17, 2009.
+.El
+.Sh FILES
+.Bl -tag -width 24n
+.It Pa @iolog_dir@
+The default I/O log directory.
+.It Pa @iolog_dir@/00/00/01/log
+Example session log info.
+.It Pa @iolog_dir@/00/00/01/stdin
+Example session standard input log.
+.It Pa @iolog_dir@/00/00/01/stdout
+Example session standard output log.
+.It Pa @iolog_dir@/00/00/01/stderr
+Example session standard error log.
+.It Pa @iolog_dir@/00/00/01/ttyin
+Example session tty input file.
+.It Pa @iolog_dir@/00/00/01/ttyout
+Example session tty output file.
+.It Pa @iolog_dir@/00/00/01/timing
+Example session timing file.
+.El
+.Pp
+Note that the
+.Em stdin ,
+.Em stdout
+and
+.Em stderr
+files will be empty unless
+.Nm sudo
+was used as part of a pipeline for a particular command.
+.Sh EXAMPLES
+List sessions run by user
+.Em millert :
+.Bd -literal -offset indent
+# sudoreplay -l user millert
+.Ed
+.Pp
+List sessions run by user
+.Em bob
+with a command containing the string vi:
+.Bd -literal -offset indent
+# sudoreplay -l user bob command vi
+.Ed
+.Pp
+List sessions run by user
+.Em jeff
+that match a regular expression:
+.Bd -literal -offset indent
+# sudoreplay -l user jeff command '/bin/[a-z]*sh'
+.Ed
+.Pp
+List sessions run by jeff or bob on the console:
+.Bd -literal -offset indent
+# sudoreplay -l ( user jeff or user bob ) tty console
+.Ed
+.Sh SEE ALSO
+.Xr sudo @mansectsu@ ,
+.Xr script 1
+.Sh AUTHORS
+Todd C. Miller
+.Sh BUGS
+If you feel you have found a bug in
+.Nm sudoreplay ,
+please submit a bug report at http://www.sudo.ws/sudo/bugs/
+.Sh SUPPORT
+Limited free support is available via the sudo-users mailing list,
+see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
+search the archives.
+.Sh DISCLAIMER
+.Nm sudoreplay
+is provided
+.Dq AS IS
+and any express or implied warranties, including, but not limited
+to, the implied warranties of merchantability and fitness for a
+particular purpose are disclaimed.
+See the LICENSE file distributed with
+.Nm sudo
+or http://www.sudo.ws/sudo/license.html for complete details.
+++ /dev/null
-Copyright (c) 2009-2010 Todd C. Miller <Todd.Miller@courtesan.com>
-
-Permission to use, copy, modify, and distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-=pod
-
-=head1 NAME
-
-sudoreplay - replay sudo session logs
-
-=head1 SYNOPSIS
-
-B<sudoreplay> [B<-h>] S<[B<-d> I<directory>]> S<[B<-f> I<filter>]> S<[B<-m> I<max_wait>]> S<[B<-s> I<speed_factor>]> ID
-
-B<sudoreplay> [B<-h>] S<[B<-d> I<directory>]> -l S<[search expression]>
-
-=head1 DESCRIPTION
-
-B<sudoreplay> plays back or lists the session logs created by
-B<sudo>. When replaying, B<sudoreplay> can play the session back
-in real-time, or the playback speed may be adjusted (faster or
-slower) based on the command line options. The I<ID> should be
-a six character sequence of digits and upper case letters, e.g.
-0100A5, which is logged by B<sudo> when a command is run with
-session logging enabled.
-
-In list mode, B<sudoreplay> can be used to find the ID of a session
-based on a number of criteria such as the user, tty or command run.
-
-In replay mode, if the standard output has not been redirected,
-B<sudoreplay> will act on the following keys:
-
-=over 8
-
-=item ' ' (space)
-
-Pause output; press any key to resume.
-
-=item '<'
-
-Reduce the playback speed by one half.
-
-=item '>'
-
-Double the playback speed.
-
-=back
-
-=head1 OPTIONS
-
-B<sudoreplay> accepts the following command line options:
-
-=over 12
-
-=item -d I<directory>
-
-Use I<directory> to for the session logs instead of the default,
-F<@iolog_dir@>.
-
-=item -f I<filter>
-
-By default, B<sudoreplay> will play back the command's standard
-output, standard error and tty output. The I<-f> option can be
-used to select which of these to output. The I<filter> argument
-is a comma-separated list, consisting of one or more of following:
-I<stdout>, I<stderr>, and I<ttyout>.
-
-=item -h
-
-The B<-h> (I<help>) option causes B<sudoreplay> to print a short
-help message to the standard output and exit.
-
-=item -l [I<search expression>]
-
-Enable "list mode". In this mode, B<sudoreplay> will list available
-sessions in a format similar to the B<sudo> log file format, sorted
-by file name (or sequence number). If a I<search expression> is
-specified, it will be used to restrict the IDs that are displayed.
-An expression is composed of the following predicates:
-
-=over 8
-
-=item command I<pattern>
-
-Evaluates to true if the command run matches I<pattern>.
-On systems with POSIX regular expression support, the pattern may
-be an extended regular expression. On systems without POSIX regular
-expression support, a simple substring match is performed instead.
-
-=item cwd I<directory>
-
-Evaluates to true if the command was run with the specified current
-working directory.
-
-=item fromdate I<date>
-
-Evaluates to true if the command was run on or after I<date>.
-See L<"Date and time format"> for a description of supported
-date and time formats.
-
-=item group I<runas_group>
-
-Evaluates to true if the command was run with the specified
-I<runas_group>. Note that unless a I<runas_group> was explicitly
-specified when B<sudo> was run this field will be empty in the log.
-
-=item runas I<runas_user>
-
-Evaluates to true if the command was run as the specified I<runas_user>.
-Note that B<sudo> runs commands as user I<root> by default.
-
-=item todate I<date>
-
-Evaluates to true if the command was run on or prior to I<date>.
-See L<"Date and time format"> for a description of supported
-date and time formats.
-
-=item tty I<tty name>
-
-Evaluates to true if the command was run on the specified terminal
-device. The I<tty name> should be specified without the F</dev/> prefix,
-e.g. F<tty01> instead of F</dev/tty01>.
-
-=item user I<user name>
-
-Evaluates to true if the ID matches a command run by I<user name>.
-
-=back
-
-Predicates may be abbreviated to the shortest unique string (currently
-all predicates may be shortened to a single character).
-
-Predicates may be combined using I<and>, I<or> and I<!> operators
-as well as C<'('> and C<')'> for grouping (note that parentheses
-must generally be escaped from the shell). The I<and> operator is
-optional, adjacent predicates have an implied I<and> unless separated
-by an I<or>.
-
-=item -m I<max_wait>
-
-Specify an upper bound on how long to wait between key presses or
-output data. By default, B<sudoreplay> will accurately reproduce
-the delays between key presses or program output. However, this
-can be tedious when the session includes long pauses. When the
-I<-m> option is specified, B<sudoreplay> will limit these pauses
-to at most I<max_wait> seconds. The value may be specified as a
-floating point number, e.g. I<2.5>.
-
-=item -s I<speed_factor>
-
-This option causes B<sudoreplay> to adjust the number of seconds
-it will wait between key presses or program output. This can be
-used to slow down or speed up the display. For example, a
-I<speed_factor> of I<2> would make the output twice as fast whereas
-a I<speed_factor> of I<.5> would make the output twice as slow.
-
-=item -V
-
-The B<-V> (version) option causes B<sudoreplay> to print its version number
-and exit.
-
-=back
-
-=head2 Date and time format
-
-The time and date may be specified multiple ways, common formats include:
-
-=over 8
-
-=item HH:MM:SS am MM/DD/CCYY timezone
-
-24 hour time may be used in place of am/pm.
-
-=item HH:MM:SS am Month, Day Year timezone
-
-24 hour time may be used in place of am/pm, and month and day names
-may be abbreviated. Note that month and day of the week names must
-be specified in English.
-
-=item CCYY-MM-DD HH:MM:SS
-
-ISO time format
-
-=item DD Month CCYY HH:MM:SS
-
-The month name may be abbreviated.
-
-=back
-
-Either time or date may be omitted, the am/pm and timezone are
-optional. If no date is specified, the current day is assumed; if
-no time is specified, the first second of the specified date is
-used. The less significant parts of both time and date may also
-be omitted, in which case zero is assumed.
-
-The following are all valid time and date specifications:
-
-=over 8
-
-=item now
-
-The current time and date.
-
-=item tomorrow
-
-Exactly one day from now.
-
-=item yesterday
-
-24 hours ago.
-
-=item 2 hours ago
-
-2 hours ago.
-
-=item next Friday
-
-The first second of the next Friday.
-
-=item this week
-
-The current time but the first day of the coming week.
-
-=item a fortnight ago
-
-The current time but 14 days ago.
-
-=item 10:01 am 9/17/2009
-
-10:01 am, September 17, 2009.
-
-=item 10:01 am
-
-10:01 am on the current day.
-
-=item 10
-
-10:00 am on the current day.
-
-=item 9/17/2009
-
-00:00 am, September 17, 2009.
-
-=item 10:01 am Sep 17, 2009
-
-10:01 am, September 17, 2009.
-
-=back
-
-=head1 FILES
-
-=over 24
-
-=item F<@iolog_dir@>
-
-The default I/O log directory.
-
-=item F<@iolog_dir@/00/00/01/log>
-
-Example session log info.
-
-=item F<@iolog_dir@/00/00/01/stdin>
-
-Example session standard input log.
-
-=item F<@iolog_dir@/00/00/01/stdout>
-
-Example session standard output log.
-
-=item F<@iolog_dir@/00/00/01/stderr>
-
-Example session standard error log.
-
-=item F<@iolog_dir@/00/00/01/ttyin>
-
-Example session tty input file.
-
-=item F<@iolog_dir@/00/00/01/ttyout>
-
-Example session tty output file.
-
-=item F<@iolog_dir@/00/00/01/timing>
-
-Example session timing file.
-
-=back
-
-Note that the I<stdin>, I<stdout> and I<stderr> files will be empty
-unless B<sudo> was used as part of a pipeline for a particular
-command.
-
-=head1 EXAMPLES
-
-List sessions run by user I<millert>:
-
- # sudoreplay -l user millert
-
-List sessions run by user I<bob> with a command containing the string vi:
-
- # sudoreplay -l user bob command vi
-
-List sessions run by user I<jeff> that match a regular expression:
-
- # sudoreplay -l user jeff command '/bin/[a-z]*sh'
-
-List sessions run by jeff or bob on the console:
-
- # sudoreplay -l ( user jeff or user bob ) tty console
-
-=head1 SEE ALSO
-
-L<sudo(8)>, L<script(1)>
-
-=head1 AUTHORS
-
-Todd C. Miller
-
-=head1 BUGS
-
-If you feel you have found a bug in B<sudoreplay>, please submit a bug report
-at http://www.sudo.ws/sudo/bugs/
-
-=head1 SUPPORT
-
-Limited free support is available via the sudo-users mailing list,
-see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
-search the archives.
-
-=head1 DISCLAIMER
-
-B<sudoreplay> is provided ``AS IS'' and any express or implied warranties,
-including, but not limited to, the implied warranties of merchantability
-and fitness for a particular purpose are disclaimed. See the LICENSE
-file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
-for complete details.
-VISUDO(1m) MAINTENANCE COMMANDS VISUDO(1m)
-
-
+VISUDO(1m) System Manager's Manual VISUDO(1m)
N\bNA\bAM\bME\bE
- visudo - edit the sudoers file
+ v\bvi\bis\bsu\bud\bdo\bo - edit the sudoers file
S\bSY\bYN\bNO\bOP\bPS\bSI\bIS\bS
- v\bvi\bis\bsu\bud\bdo\bo [-\b-c\bch\bhq\bqs\bsV\bV] [-\b-f\bf _\bs_\bu_\bd_\bo_\be_\br_\bs]
+ v\bvi\bis\bsu\bud\bdo\bo [-\b-c\bch\bhq\bqs\bsV\bV] [-\b-f\bf _\bs_\bu_\bd_\bo_\be_\br_\bs]
D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
- v\bvi\bis\bsu\bud\bdo\bo edits the _\bs_\bu_\bd_\bo_\be_\br_\bs file in a safe fashion, analogous to _\bv_\bi_\bp_\bw(1m).
- v\bvi\bis\bsu\bud\bdo\bo locks the _\bs_\bu_\bd_\bo_\be_\br_\bs file against multiple simultaneous edits,
- provides basic sanity checks, and checks for parse errors. If the
- _\bs_\bu_\bd_\bo_\be_\br_\bs file is currently being edited you will receive a message to
- try again later.
-
- There is a hard-coded list of one or more editors that v\bvi\bis\bsu\bud\bdo\bo will use
- set at compile-time that may be overridden via the _\be_\bd_\bi_\bt_\bo_\br _\bs_\bu_\bd_\bo_\be_\br_\bs
- Default variable. This list defaults to "vi". Normally, v\bvi\bis\bsu\bud\bdo\bo does
- not honor the VISUAL or EDITOR environment variables unless they
- contain an editor in the aforementioned editors list. However, if
- v\bvi\bis\bsu\bud\bdo\bo is configured with the _\b-_\b-_\bw_\bi_\bt_\bh_\b-_\be_\bn_\bv_\b-_\be_\bd_\bi_\bt_\bo_\br option or the
- _\be_\bn_\bv_\b__\be_\bd_\bi_\bt_\bo_\br Default variable is set in _\bs_\bu_\bd_\bo_\be_\br_\bs, v\bvi\bis\bsu\bud\bdo\bo will use any the
- editor defines by VISUAL or EDITOR. Note that this can be a security
- hole since it allows the user to execute any program they wish simply
- by setting VISUAL or EDITOR.
-
- v\bvi\bis\bsu\bud\bdo\bo parses the _\bs_\bu_\bd_\bo_\be_\br_\bs file after the edit and will not save the
- changes if there is a syntax error. Upon finding an error, v\bvi\bis\bsu\bud\bdo\bo will
- print a message stating the line number(s) where the error occurred and
- the user will receive the "What now?" prompt. At this point the user
- may enter "e" to re-edit the _\bs_\bu_\bd_\bo_\be_\br_\bs file, "x" to exit without saving
- the changes, or "Q" to quit and save changes. The "Q" option should be
- used with extreme care because if v\bvi\bis\bsu\bud\bdo\bo believes there to be a parse
- error, so will s\bsu\bud\bdo\bo and no one will be able to s\bsu\bud\bdo\bo again until the
- error is fixed. If "e" is typed to edit the _\bs_\bu_\bd_\bo_\be_\br_\bs file after a
- parse error has been detected, the cursor will be placed on the line
- where the error occurred (if the editor supports this feature).
-
-O\bOP\bPT\bTI\bIO\bON\bNS\bS
- v\bvi\bis\bsu\bud\bdo\bo accepts the following command line options:
-
- -c Enable c\bch\bhe\bec\bck\bk-\b-o\bon\bnl\bly\by mode. The existing _\bs_\bu_\bd_\bo_\be_\br_\bs file will be
- checked for syntax and a message will be printed to the
- standard output detailing the status of _\bs_\bu_\bd_\bo_\be_\br_\bs. If the
- syntax check completes successfully, v\bvi\bis\bsu\bud\bdo\bo will exit with
- a value of 0. If a syntax error is encountered, v\bvi\bis\bsu\bud\bdo\bo
- will exit with a value of 1.
-
- -f _\bs_\bu_\bd_\bo_\be_\br_\bs Specify and alternate _\bs_\bu_\bd_\bo_\be_\br_\bs file location. With this
- option v\bvi\bis\bsu\bud\bdo\bo will edit (or check) the _\bs_\bu_\bd_\bo_\be_\br_\bs file of your
- choice, instead of the default, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. The lock
- file used is the specified _\bs_\bu_\bd_\bo_\be_\br_\bs file with ".tmp"
- appended to it. In c\bch\bhe\bec\bck\bk-\b-o\bon\bnl\bly\by mode only, the argument to
- -\b-f\bf may be "-", indicating that _\bs_\bu_\bd_\bo_\be_\br_\bs will be read from
- the standard input.
-
- -h The -\b-h\bh (_\bh_\be_\bl_\bp) option causes v\bvi\bis\bsu\bud\bdo\bo to print a short help
- message to the standard output and exit.
-
- -q Enable q\bqu\bui\bie\bet\bt mode. In this mode details about syntax
- errors are not printed. This option is only useful when
- combined with the -\b-c\bc option.
-
- -s Enable s\bst\btr\bri\bic\bct\bt checking of the _\bs_\bu_\bd_\bo_\be_\br_\bs file. If an alias is
- used before it is defined, v\bvi\bis\bsu\bud\bdo\bo will consider this a
- parse error. Note that it is not possible to differentiate
- between an alias and a host name or user name that consists
- solely of uppercase letters, digits, and the underscore
- ('_') character.
-
- -V The -\b-V\bV (version) option causes v\bvi\bis\bsu\bud\bdo\bo to print its version
- number and exit.
+ v\bvi\bis\bsu\bud\bdo\bo edits the _\bs_\bu_\bd_\bo_\be_\br_\bs file in a safe fashion, analogous to vipw(1m).
+ v\bvi\bis\bsu\bud\bdo\bo locks the _\bs_\bu_\bd_\bo_\be_\br_\bs file against multiple simultaneous edits,
+ provides basic sanity checks, and checks for parse errors. If the
+ _\bs_\bu_\bd_\bo_\be_\br_\bs file is currently being edited you will receive a message to try
+ again later.
+
+ There is a hard-coded list of one or more editors that v\bvi\bis\bsu\bud\bdo\bo will use
+ set at compile-time that may be overridden via the _\be_\bd_\bi_\bt_\bo_\br _\bs_\bu_\bd_\bo_\be_\br_\bs Default
+ variable. This list defaults to vi. Normally, v\bvi\bis\bsu\bud\bdo\bo does not honor the
+ VISUAL or EDITOR environment variables unless they contain an editor in
+ the aforementioned editors list. However, if v\bvi\bis\bsu\bud\bdo\bo is configured with
+ the --with-env-editor option or the _\be_\bn_\bv_\b__\be_\bd_\bi_\bt_\bo_\br Default variable is set in
+ _\bs_\bu_\bd_\bo_\be_\br_\bs, v\bvi\bis\bsu\bud\bdo\bo will use any the editor defines by VISUAL or EDITOR.
+ Note that this can be a security hole since it allows the user to execute
+ any program they wish simply by setting VISUAL or EDITOR.
+
+ v\bvi\bis\bsu\bud\bdo\bo parses the _\bs_\bu_\bd_\bo_\be_\br_\bs file after the edit and will not save the
+ changes if there is a syntax error. Upon finding an error, v\bvi\bis\bsu\bud\bdo\bo will
+ print a message stating the line number(s) where the error occurred and
+ the user will receive the ``What now?'' prompt. At this point the user
+ may enter `e' to re-edit the _\bs_\bu_\bd_\bo_\be_\br_\bs file, `x' to exit without saving the
+ changes, or `Q' to quit and save changes. The `Q' option should be used
+ with extreme care because if v\bvi\bis\bsu\bud\bdo\bo believes there to be a parse error,
+ so will s\bsu\bud\bdo\bo and no one will be able to s\bsu\bud\bdo\bo again until the error is
+ fixed. If `e' is typed to edit the _\bs_\bu_\bd_\bo_\be_\br_\bs file after a parse error has
+ been detected, the cursor will be placed on the line where the error
+ occurred (if the editor supports this feature).
+
+ The options are as follows:
+
+ -\b-c\bc Enable _\bc_\bh_\be_\bc_\bk_\b-_\bo_\bn_\bl_\by mode. The existing _\bs_\bu_\bd_\bo_\be_\br_\bs file will be
+ checked for syntax errors, owner and mode. A message will be
+ printed to the standard output describing the status of
+ _\bs_\bu_\bd_\bo_\be_\br_\bs unless the -\b-q\bq option was specified. If the check
+ completes successfully, v\bvi\bis\bsu\bud\bdo\bo will exit with a value of 0.
+ If an error is encountered, v\bvi\bis\bsu\bud\bdo\bo will exit with a value of
+ 1.
+
+ -\b-f\bf _\bs_\bu_\bd_\bo_\be_\br_\bs Specify and alternate _\bs_\bu_\bd_\bo_\be_\br_\bs file location. With this
+ option v\bvi\bis\bsu\bud\bdo\bo will edit (or check) the _\bs_\bu_\bd_\bo_\be_\br_\bs file of your
+ choice, instead of the default, _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. The lock file
+ used is the specified _\bs_\bu_\bd_\bo_\be_\br_\bs file with ``.tmp'' appended to
+ it. In _\bc_\bh_\be_\bc_\bk_\b-_\bo_\bn_\bl_\by mode only, the argument to -\b-f\bf may be `-',
+ indicating that _\bs_\bu_\bd_\bo_\be_\br_\bs will be read from the standard input.
+
+ -\b-h\bh The -\b-h\bh (_\bh_\be_\bl_\bp) option causes v\bvi\bis\bsu\bud\bdo\bo to print a short help
+ message to the standard output and exit.
+
+ -\b-q\bq Enable _\bq_\bu_\bi_\be_\bt mode. In this mode details about syntax errors
+ are not printed. This option is only useful when combined
+ with the -\b-c\bc option.
+
+ -\b-s\bs Enable _\bs_\bt_\br_\bi_\bc_\bt checking of the _\bs_\bu_\bd_\bo_\be_\br_\bs file. If an alias is
+ used before it is defined, v\bvi\bis\bsu\bud\bdo\bo will consider this a parse
+ error. Note that it is not possible to differentiate between
+ an alias and a host name or user name that consists solely of
+ uppercase letters, digits, and the underscore (`_')
+ character.
+
+ -\b-V\bV The -\b-V\bV (_\bv_\be_\br_\bs_\bi_\bo_\bn) option causes v\bvi\bis\bsu\bud\bdo\bo to print its version
+ number and exit.
E\bEN\bNV\bVI\bIR\bRO\bON\bNM\bME\bEN\bNT\bT
- The following environment variables may be consulted depending on the
- value of the _\be_\bd_\bi_\bt_\bo_\br and _\be_\bn_\bv_\b__\be_\bd_\bi_\bt_\bo_\br _\bs_\bu_\bd_\bo_\be_\br_\bs variables:
+ The following environment variables may be consulted depending on the
+ value of the _\be_\bd_\bi_\bt_\bo_\br and _\be_\bn_\bv_\b__\be_\bd_\bi_\bt_\bo_\br _\bs_\bu_\bd_\bo_\be_\br_\bs settings:
- VISUAL Invoked by visudo as the editor to use
+ VISUAL Invoked by v\bvi\bis\bsu\bud\bdo\bo as the editor to use
- EDITOR Used by visudo if VISUAL is not set
+ EDITOR Used by v\bvi\bis\bsu\bud\bdo\bo if VISUAL is not set
F\bFI\bIL\bLE\bES\bS
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs List of who can run what
- _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bt_\bm_\bp Lock file for visudo
+ _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs_\b._\bt_\bm_\bp Lock file for visudo
D\bDI\bIA\bAG\bGN\bNO\bOS\bST\bTI\bIC\bCS\bS
- sudoers file busy, try again later.
+ sudoers file busy, try again later.
Someone else is currently editing the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
- /etc/sudoers.tmp: Permission denied
+ /etc/sudoers.tmp: Permission denied
You didn't run v\bvi\bis\bsu\bud\bdo\bo as root.
- Can't find you in the passwd database
+ Can't find you in the passwd database
Your user ID does not appear in the system passwd file.
- Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined
+ Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined
Either you are trying to use an undeclared
{User,Runas,Host,Cmnd}_Alias or you have a user or host name listed
that consists solely of uppercase letters, digits, and the
- underscore ('_') character. In the latter case, you can ignore the
+ underscore (`_') character. In the latter case, you can ignore the
warnings (s\bsu\bud\bdo\bo will not complain). In -\b-s\bs (strict) mode these are
errors, not warnings.
- Warning: unused {User,Runas,Host,Cmnd}_Alias
+ Warning: unused {User,Runas,Host,Cmnd}_Alias
The specified {User,Runas,Host,Cmnd}_Alias was defined but never
used. You may wish to comment out or remove the unused alias. In
-\b-s\bs (strict) mode this is an error, not a warning.
+ Warning: cycle in {User,Runas,Host,Cmnd}_Alias
+ The specified {User,Runas,Host,Cmnd}_Alias includes a reference to
+ itself, either directly or through an alias it includes. This is
+ only a warning by default as s\bsu\bud\bdo\bo will ignore cycles when parsing
+ the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
+
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
- _\bv_\bi(1), _\bs_\bu_\bd_\bo_\be_\br_\bs(4), _\bs_\bu_\bd_\bo(1m), _\bv_\bi_\bp_\bw(8)
+ vi(1), sudoers(4), sudo(1m), vipw(1m)
A\bAU\bUT\bTH\bHO\bOR\bRS\bS
- Many people have worked on _\bs_\bu_\bd_\bo over the years; this version of v\bvi\bis\bsu\bud\bdo\bo
- was written by:
+ Many people have worked on s\bsu\bud\bdo\bo over the years; this version consists of
+ code written primarily by:
- Todd C. Miller
+ Todd C. Miller
- See the HISTORY file in the sudo distribution or visit
- http://www.sudo.ws/sudo/history.html for more details.
+ See the CONTRIBUTORS file in the s\bsu\bud\bdo\bo distribution
+ (http://www.sudo.ws/sudo/contributors.html) for an exhaustive list of
+ people who have contributed to s\bsu\bud\bdo\bo.
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
- There is no easy way to prevent a user from gaining a root shell if the
- editor used by v\bvi\bis\bsu\bud\bdo\bo allows shell escapes.
+ There is no easy way to prevent a user from gaining a root shell if the
+ editor used by v\bvi\bis\bsu\bud\bdo\bo allows shell escapes.
B\bBU\bUG\bGS\bS
- If you feel you have found a bug in v\bvi\bis\bsu\bud\bdo\bo, please submit a bug report
- at http://www.sudo.ws/sudo/bugs/
+ If you feel you have found a bug in v\bvi\bis\bsu\bud\bdo\bo, please submit a bug report at
+ http://www.sudo.ws/sudo/bugs/
S\bSU\bUP\bPP\bPO\bOR\bRT\bT
- Limited free support is available via the sudo-users mailing list, see
- http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search
- the archives.
+ Limited free support is available via the sudo-users mailing list, see
+ http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or search the
+ archives.
D\bDI\bIS\bSC\bCL\bLA\bAI\bIM\bME\bER\bR
- v\bvi\bis\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
- including, but not limited to, the implied warranties of
- merchantability and fitness for a particular purpose are disclaimed.
- See the LICENSE file distributed with s\bsu\bud\bdo\bo or
- http://www.sudo.ws/sudo/license.html for complete details.
-
-
+ v\bvi\bis\bsu\bud\bdo\bo is provided ``AS IS'' and any express or implied warranties,
+ including, but not limited to, the implied warranties of merchantability
+ and fitness for a particular purpose are disclaimed. See the LICENSE
+ file distributed with s\bsu\bud\bdo\bo or http://www.sudo.ws/sudo/license.html for
+ complete details.
-1.7.10 July 18, 2012 VISUDO(1m)
+Sudo 1.7.10 July 12, 2012 Sudo 1.7.10
-.\" Copyright (c) 1996,1998-2005, 2007-2010
-.\" Todd C. Miller <Todd.Miller@courtesan.com>
-.\"
+.\" DO NOT EDIT THIS FILE, IT IS NOT THE MASTER!
+.\" IT IS GENERATED AUTOMATICALLY FROM visudo.mdoc.in
+.\"
+.\" Copyright (c) 1996,1998-2005, 2007-2012
+.\" Todd C. Miller <Todd.Miller@courtesan.com>
+.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
-.\"
+.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
+.\"
.\" Sponsored in part by the Defense Advanced Research Projects
.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
-.\"
-.\" Automatically generated by Pod::Man 2.23 (Pod::Simple 3.14)
-.\"
-.\" Standard preamble:
-.\" ========================================================================
-.de Sp \" Vertical space (when we can't use .PP)
-.if t .sp .5v
-.if n .sp
-..
-.de Vb \" Begin verbatim text
-.ft CW
-.nf
-.ne \\$1
-..
-.de Ve \" End verbatim text
-.ft R
-.fi
-..
-.\" Set up some character translations and predefined strings. \*(-- will
-.\" give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
-.\" double quote, and \*(R" will give a right double quote. \*(C+ will
-.\" give a nicer C++. Capital omega is used to do unbreakable dashes and
-.\" therefore won't be available. \*(C` and \*(C' expand to `' in nroff,
-.\" nothing in troff, for use with C<>.
-.tr \(*W-
-.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p'
-.ie n \{\
-. ds -- \(*W-
-. ds PI pi
-. if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch
-. if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch
-. ds L" ""
-. ds R" ""
-. ds C`
-. ds C'
-'br\}
-.el\{\
-. ds -- \|\(em\|
-. ds PI \(*p
-. ds L" ``
-. ds R" ''
-'br\}
-.\"
-.\" Escape single quotes in literal strings from groff's Unicode transform.
-.ie \n(.g .ds Aq \(aq
-.el .ds Aq '
.\"
-.\" If the F register is turned on, we'll generate index entries on stderr for
-.\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
-.\" entries marked with X<> in POD. Of course, you'll have to process the
-.\" output yourself in some meaningful fashion.
-.ie \nF \{\
-. de IX
-. tm Index:\\$1\t\\n%\t"\\$2"
-..
-. nr % 0
-. rr F
-.\}
-.el \{\
-. de IX
-..
-.\}
-.\"
-.\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
-.\" Fear. Run. Save yourself. No user-serviceable parts.
-. \" fudge factors for nroff and troff
-.if n \{\
-. ds #H 0
-. ds #V .8m
-. ds #F .3m
-. ds #[ \f1
-. ds #] \fP
-.\}
-.if t \{\
-. ds #H ((1u-(\\\\n(.fu%2u))*.13m)
-. ds #V .6m
-. ds #F 0
-. ds #[ \&
-. ds #] \&
-.\}
-. \" simple accents for nroff and troff
-.if n \{\
-. ds ' \&
-. ds ` \&
-. ds ^ \&
-. ds , \&
-. ds ~ ~
-. ds /
-.\}
-.if t \{\
-. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u"
-. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u'
-. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u'
-. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u'
-. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u'
-. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u'
-.\}
-. \" troff and (daisy-wheel) nroff accents
-.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V'
-.ds 8 \h'\*(#H'\(*b\h'-\*(#H'
-.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#]
-.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H'
-.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u'
-.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#]
-.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#]
-.ds ae a\h'-(\w'a'u*4/10)'e
-.ds Ae A\h'-(\w'A'u*4/10)'E
-. \" corrections for vroff
-.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u'
-.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u'
-. \" for low resolution devices (crt and lpr)
-.if \n(.H>23 .if \n(.V>19 \
-\{\
-. ds : e
-. ds 8 ss
-. ds o a
-. ds d- d\h'-1'\(ga
-. ds D- D\h'-1'\(hy
-. ds th \o'bp'
-. ds Th \o'LP'
-. ds ae ae
-. ds Ae AE
-.\}
-.rm #[ #] #H #V #F C
-.\" ========================================================================
-.\"
-.IX Title "VISUDO @mansectsu@"
-.TH VISUDO @mansectsu@ "July 18, 2012" "1.7.10" "MAINTENANCE COMMANDS"
-.\" For nroff, turn off justification. Always turn off hyphenation; it makes
-.\" way too many mistakes in technical documents.
-.if n .ad l
+.TH "VISUDO" "@mansectsu@" "July 12, 2012" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
.nh
+.if n .ad l
.SH "NAME"
-visudo \- edit the sudoers file
+\fBvisudo\fR
+\- edit the sudoers file
.SH "SYNOPSIS"
-.IX Header "SYNOPSIS"
-\&\fBvisudo\fR [\fB\-chqsV\fR] [\fB\-f\fR \fIsudoers\fR]
+.HP 7n
+\fBvisudo\fR
+[\fB\-chqsV\fR]
+[\fB\-f\fR\ \fIsudoers\fR]
.SH "DESCRIPTION"
-.IX Header "DESCRIPTION"
-\&\fBvisudo\fR edits the \fIsudoers\fR file in a safe fashion, analogous to
-\&\fIvipw\fR\|(@mansectsu@). \fBvisudo\fR locks the \fIsudoers\fR file against multiple
-simultaneous edits, provides basic sanity checks, and checks
-for parse errors. If the \fIsudoers\fR file is currently being
-edited you will receive a message to try again later.
+\fBvisudo\fR
+edits the
+\fIsudoers\fR
+file in a safe fashion, analogous to
+vipw(@mansectsu@).
+\fBvisudo\fR
+locks the
+\fIsudoers\fR
+file against multiple simultaneous edits, provides basic sanity checks,
+and checks for parse errors.
+If the
+\fIsudoers\fR
+file is currently being edited you will receive a message to try again later.
.PP
-There is a hard-coded list of one or more editors that \fBvisudo\fR will
-use set at compile-time that may be overridden via the \fIeditor\fR \fIsudoers\fR
-\&\f(CW\*(C`Default\*(C'\fR variable. This list defaults to \f(CW"@editor@"\fR. Normally,
-\&\fBvisudo\fR does not honor the \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR environment
-variables unless they contain an editor in the aforementioned editors
-list. However, if \fBvisudo\fR is configured with the \fI\-\-with\-env\-editor\fR
-option or the \fIenv_editor\fR \f(CW\*(C`Default\*(C'\fR variable is set in \fIsudoers\fR,
-\&\fBvisudo\fR will use any the editor defines by \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR.
+There is a hard-coded list of one or more editors that
+\fBvisudo\fR
+will use set at compile-time that may be overridden via the
+\fIeditor\fR
+\fIsudoers\fR
+\fRDefault\fR
+variable.
+This list defaults to
+\fR@editor@\fR.
+Normally,
+\fBvisudo\fR
+does not honor the
+\fRVISUAL\fR
+or
+\fREDITOR\fR
+environment variables unless they contain an editor in the aforementioned
+editors list.
+However, if
+\fBvisudo\fR
+is configured with the
+\fR--with-env-editor\fR
+option or the
+\fIenv_editor\fR
+\fRDefault\fR
+variable is set in
+\fIsudoers\fR,
+\fBvisudo\fR
+will use any the editor defines by
+\fRVISUAL\fR
+or
+\fREDITOR\fR.
Note that this can be a security hole since it allows the user to
-execute any program they wish simply by setting \f(CW\*(C`VISUAL\*(C'\fR or \f(CW\*(C`EDITOR\*(C'\fR.
+execute any program they wish simply by setting
+\fRVISUAL\fR
+or
+\fREDITOR\fR.
.PP
-\&\fBvisudo\fR parses the \fIsudoers\fR file after the edit and will
-not save the changes if there is a syntax error. Upon finding
-an error, \fBvisudo\fR will print a message stating the line number(s)
+\fBvisudo\fR
+parses the
+\fIsudoers\fR
+file after the edit and will
+not save the changes if there is a syntax error.
+Upon finding an error,
+\fBvisudo\fR
+will print a message stating the line number(s)
where the error occurred and the user will receive the
-\&\*(L"What now?\*(R" prompt. At this point the user may enter \*(L"e\*(R"
-to re-edit the \fIsudoers\fR file, \*(L"x\*(R" to exit without
-saving the changes, or \*(L"Q\*(R" to quit and save changes. The
-\&\*(L"Q\*(R" option should be used with extreme care because if \fBvisudo\fR
-believes there to be a parse error, so will \fBsudo\fR and no one
-will be able to \fBsudo\fR again until the error is fixed.
-If \*(L"e\*(R" is typed to edit the \fIsudoers\fR file after a parse error
-has been detected, the cursor will be placed on the line where the
-error occurred (if the editor supports this feature).
-.SH "OPTIONS"
-.IX Header "OPTIONS"
-\&\fBvisudo\fR accepts the following command line options:
-.IP "\-c" 12
-.IX Item "-c"
-Enable \fBcheck-only\fR mode. The existing \fIsudoers\fR file will be
-checked for syntax and a message will be printed to the
-standard output detailing the status of \fIsudoers\fR.
-If the syntax check completes successfully, \fBvisudo\fR will
-exit with a value of 0. If a syntax error is encountered,
-\&\fBvisudo\fR will exit with a value of 1.
-.IP "\-f \fIsudoers\fR" 12
-.IX Item "-f sudoers"
-Specify and alternate \fIsudoers\fR file location. With this option
-\&\fBvisudo\fR will edit (or check) the \fIsudoers\fR file of your choice,
-instead of the default, \fI@sysconfdir@/sudoers\fR. The lock file used
-is the specified \fIsudoers\fR file with \*(L".tmp\*(R" appended to it.
-In \fBcheck-only\fR mode only, the argument to \fB\-f\fR may be \*(L"\-\*(R",
-indicating that \fIsudoers\fR will be read from the standard input.
-.IP "\-h" 12
-.IX Item "-h"
-The \fB\-h\fR (\fIhelp\fR) option causes \fBvisudo\fR to print a short help message
+``What now?''
+prompt.
+At this point the user may enter
+`e'
+to re-edit the
+\fIsudoers\fR
+file,
+`x'
+to exit without saving the changes, or
+`Q'
+to quit and save changes.
+The
+`Q'
+option should be used with extreme care because if
+\fBvisudo\fR
+believes there to be a parse error, so will
+\fBsudo\fR
+and no one
+will be able to
+\fBsudo\fR
+again until the error is fixed.
+If
+`e'
+is typed to edit the
+\fIsudoers\fR
+file after a parse error has been detected, the cursor will be placed on
+the line where the error occurred (if the editor supports this feature).
+.PP
+The options are as follows:
+.TP 12n
+\fB\-c\fR
+Enable
+\fIcheck-only\fR
+mode.
+The existing
+\fIsudoers\fR
+file will be
+checked for syntax errors, owner and mode.
+A message will be printed to the standard output describing the status of
+\fIsudoers\fR
+unless the
+\fB\-q\fR
+option was specified.
+If the check completes successfully,
+\fBvisudo\fR
+will exit with a value of 0.
+If an error is encountered,
+\fBvisudo\fR
+will exit with a value of 1.
+.TP 12n
+\fB\-f\fR \fIsudoers\fR
+.br
+Specify and alternate
+\fIsudoers\fR
+file location.
+With this option
+\fBvisudo\fR
+will edit (or check) the
+\fIsudoers\fR
+file of your choice,
+instead of the default,
+\fI@sysconfdir@/sudoers\fR.
+The lock file used is the specified
+\fIsudoers\fR
+file with
+``\.tmp''
+appended to it.
+In
+\fIcheck-only\fR
+mode only, the argument to
+\fB\-f\fR
+may be
+`-',
+indicating that
+\fIsudoers\fR
+will be read from the standard input.
+.TP 12n
+\fB\-h\fR
+The
+\fB\-h\fR (\fIhelp\fR)
+option causes
+\fBvisudo\fR
+to print a short help message
to the standard output and exit.
-.IP "\-q" 12
-.IX Item "-q"
-Enable \fBquiet\fR mode. In this mode details about syntax errors
-are not printed. This option is only useful when combined with
-the \fB\-c\fR option.
-.IP "\-s" 12
-.IX Item "-s"
-Enable \fBstrict\fR checking of the \fIsudoers\fR file. If an alias is
-used before it is defined, \fBvisudo\fR will consider this a parse
-error. Note that it is not possible to differentiate between an
+.TP 12n
+\fB\-q\fR
+Enable
+\fIquiet\fR
+mode.
+In this mode details about syntax errors are not printed.
+This option is only useful when combined with
+the
+\fB\-c\fR
+option.
+.TP 12n
+\fB\-s\fR
+Enable
+\fIstrict\fR
+checking of the
+\fIsudoers\fR
+file.
+If an alias is used before it is defined,
+\fBvisudo\fR
+will consider this a parse error.
+Note that it is not possible to differentiate between an
alias and a host name or user name that consists solely of uppercase
-letters, digits, and the underscore ('_') character.
-.IP "\-V" 12
-.IX Item "-V"
-The \fB\-V\fR (version) option causes \fBvisudo\fR to print its version number
+letters, digits, and the underscore
+(`_')
+character.
+.TP 12n
+\fB\-V\fR
+The
+\fB\-V\fR (\fIversion\fR)
+option causes
+\fBvisudo\fR
+to print its version number
and exit.
.SH "ENVIRONMENT"
-.IX Header "ENVIRONMENT"
The following environment variables may be consulted depending on
-the value of the \fIeditor\fR and \fIenv_editor\fR \fIsudoers\fR variables:
-.ie n .IP "\*(C`VISUAL\*(C'" 16
-.el .IP "\f(CW\*(C`VISUAL\*(C'\fR" 16
-.IX Item "VISUAL"
-Invoked by visudo as the editor to use
-.ie n .IP "\*(C`EDITOR\*(C'" 16
-.el .IP "\f(CW\*(C`EDITOR\*(C'\fR" 16
-.IX Item "EDITOR"
-Used by visudo if \s-1VISUAL\s0 is not set
+the value of the
+\fIeditor\fR
+and
+\fIenv_editor\fR
+\fIsudoers\fR
+settings:
+.TP 17n
+\fRVISUAL\fR
+Invoked by
+\fBvisudo\fR
+as the editor to use
+.TP 17n
+\fREDITOR\fR
+Used by
+\fBvisudo\fR
+if
+\fRVISUAL\fR
+is not set
.SH "FILES"
-.IX Header "FILES"
-.ie n .IP "\fI@sysconfdir@/sudoers\fR" 24
-.el .IP "\fI@sysconfdir@/sudoers\fR" 24
-.IX Item "@sysconfdir@/sudoers"
+.TP 26n
+\fI@sysconfdir@/sudoers\fR
List of who can run what
-.ie n .IP "\fI@sysconfdir@/sudoers.tmp\fR" 24
-.el .IP "\fI@sysconfdir@/sudoers.tmp\fR" 24
-.IX Item "@sysconfdir@/sudoers.tmp"
+.TP 26n
+\fI@sysconfdir@/sudoers.tmp\fR
Lock file for visudo
.SH "DIAGNOSTICS"
-.IX Header "DIAGNOSTICS"
-.IP "sudoers file busy, try again later." 4
-.IX Item "sudoers file busy, try again later."
-Someone else is currently editing the \fIsudoers\fR file.
-.ie n .IP "@sysconfdir@/sudoers.tmp: Permission denied" 4
-.el .IP "\f(CW@sysconfdir\fR@/sudoers.tmp: Permission denied" 4
-.IX Item "@sysconfdir@/sudoers.tmp: Permission denied"
-You didn't run \fBvisudo\fR as root.
-.IP "Can't find you in the passwd database" 4
-.IX Item "Can't find you in the passwd database"
-Your user \s-1ID\s0 does not appear in the system passwd file.
-.IP "Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined" 4
-.IX Item "Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined"
+.TP 6n
+\fRsudoers file busy, try again later.\fR
+Someone else is currently editing the
+\fIsudoers\fR
+file.
+.TP 6n
+\fR@sysconfdir@/sudoers.tmp: Permission denied\fR
+You didn't run
+\fBvisudo\fR
+as root.
+.TP 6n
+\fRCan't find you in the passwd database\fR
+Your user ID does not appear in the system passwd file.
+.TP 6n
+\fRWarning: {User,Runas,Host,Cmnd}_Alias referenced but not defined\fR
Either you are trying to use an undeclared {User,Runas,Host,Cmnd}_Alias
or you have a user or host name listed that consists solely of
-uppercase letters, digits, and the underscore ('_') character. In
-the latter case, you can ignore the warnings (\fBsudo\fR will not
-complain). In \fB\-s\fR (strict) mode these are errors, not warnings.
-.IP "Warning: unused {User,Runas,Host,Cmnd}_Alias" 4
-.IX Item "Warning: unused {User,Runas,Host,Cmnd}_Alias"
+uppercase letters, digits, and the underscore
+(`_')
+character.
+In the latter case, you can ignore the warnings
+(\fBsudo\fR
+will not complain)
+\&.
+In
+\fB\-s\fR
+(strict) mode these are errors, not warnings.
+.TP 6n
+\fRWarning: unused {User,Runas,Host,Cmnd}_Alias\fR
The specified {User,Runas,Host,Cmnd}_Alias was defined but never
-used. You may wish to comment out or remove the unused alias. In
-\&\fB\-s\fR (strict) mode this is an error, not a warning.
+used.
+You may wish to comment out or remove the unused alias.
+In
+\fB\-s\fR
+(strict) mode this is an error, not a warning.
+.TP 6n
+\fRWarning: cycle in {User,Runas,Host,Cmnd}_Alias\fR
+The specified {User,Runas,Host,Cmnd}_Alias includes a reference to
+itself, either directly or through an alias it includes.
+This is only a warning by default as
+\fBsudo\fR
+will ignore cycles when parsing
+the
+\fIsudoers\fR
+file.
.SH "SEE ALSO"
-.IX Header "SEE ALSO"
-\&\fIvi\fR\|(1), \fIsudoers\fR\|(@mansectform@), \fIsudo\fR\|(@mansectsu@), \fIvipw\fR\|(8)
+vi(1),
+sudoers(@mansectform@),
+sudo(@mansectsu@),
+vipw(@mansectsu@)
.SH "AUTHORS"
-.IX Header "AUTHORS"
-Many people have worked on \fIsudo\fR over the years; this version of
-\&\fBvisudo\fR was written by:
-.PP
-.Vb 1
-\& Todd C. Miller
-.Ve
+Many people have worked on
+\fBsudo\fR
+over the years; this version consists of code written primarily by:
+.sp
+.RS 6n
+Todd C. Miller
+.RE
.PP
-See the \s-1HISTORY\s0 file in the sudo distribution or visit
-http://www.sudo.ws/sudo/history.html for more details.
+See the CONTRIBUTORS file in the
+\fBsudo\fR
+distribution (http://www.sudo.ws/sudo/contributors.html) for an
+exhaustive list of people who have contributed to
+\fBsudo\fR.
.SH "CAVEATS"
-.IX Header "CAVEATS"
-There is no easy way to prevent a user from gaining a root shell if
-the editor used by \fBvisudo\fR allows shell escapes.
+There is no easy way to prevent a user from gaining a root shell if
+the editor used by
+\fBvisudo\fR
+allows shell escapes.
.SH "BUGS"
-.IX Header "BUGS"
-If you feel you have found a bug in \fBvisudo\fR, please submit a bug report
-at http://www.sudo.ws/sudo/bugs/
+If you feel you have found a bug in
+\fBvisudo\fR,
+please submit a bug report at http://www.sudo.ws/sudo/bugs/
.SH "SUPPORT"
-.IX Header "SUPPORT"
Limited free support is available via the sudo-users mailing list,
-see http://www.sudo.ws/mailman/listinfo/sudo\-users to subscribe or
+see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
search the archives.
.SH "DISCLAIMER"
-.IX Header "DISCLAIMER"
-\&\fBvisudo\fR is provided ``\s-1AS\s0 \s-1IS\s0'' and any express or implied warranties,
-including, but not limited to, the implied warranties of merchantability
-and fitness for a particular purpose are disclaimed. See the \s-1LICENSE\s0
-file distributed with \fBsudo\fR or http://www.sudo.ws/sudo/license.html
-for complete details.
+\fBvisudo\fR
+is provided
+``AS IS''
+and any express or implied warranties, including, but not limited
+to, the implied warranties of merchantability and fitness for a
+particular purpose are disclaimed.
+See the LICENSE file distributed with
+\fBsudo\fR
+or http://www.sudo.ws/sudo/license.html for complete details.
--- /dev/null
+.\"
+.\" Copyright (c) 1996,1998-2005, 2007-2012
+.\" Todd C. Miller <Todd.Miller@courtesan.com>
+.\"
+.\" Permission to use, copy, modify, and distribute this software for any
+.\" purpose with or without fee is hereby granted, provided that the above
+.\" copyright notice and this permission notice appear in all copies.
+.\"
+.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.\" ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+.\"
+.\" Sponsored in part by the Defense Advanced Research Projects
+.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
+.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
+.\"
+.Dd July 12, 2012
+.Dt VISUDO @mansectsu@
+.Os Sudo @PACKAGE_VERSION@
+.Sh NAME
+.Nm visudo
+.Nd edit the sudoers file
+.Sh SYNOPSIS
+.Nm visudo
+.Op Fl chqsV
+.Bk -words
+.Op Fl f Ar sudoers
+.Ek
+.Sh DESCRIPTION
+.Nm visudo
+edits the
+.Em sudoers
+file in a safe fashion, analogous to
+.Xr vipw @mansectsu@ .
+.Nm visudo
+locks the
+.Em sudoers
+file against multiple simultaneous edits, provides basic sanity checks,
+and checks for parse errors.
+If the
+.Em sudoers
+file is currently being edited you will receive a message to try again later.
+.Pp
+There is a hard-coded list of one or more editors that
+.Nm visudo
+will use set at compile-time that may be overridden via the
+.Em editor
+.Em sudoers
+.Li Default
+variable.
+This list defaults to
+.Li "@editor@" .
+Normally,
+.Nm visudo
+does not honor the
+.Ev VISUAL
+or
+.Ev EDITOR
+environment variables unless they contain an editor in the aforementioned
+editors list.
+However, if
+.Nm visudo
+is configured with the
+.Li --with-env-editor
+option or the
+.Em env_editor
+.Li Default
+variable is set in
+.Em sudoers ,
+.Nm visudo
+will use any the editor defines by
+.Ev VISUAL
+or
+.Ev EDITOR .
+Note that this can be a security hole since it allows the user to
+execute any program they wish simply by setting
+.Ev VISUAL
+or
+.Ev EDITOR .
+.Pp
+.Nm visudo
+parses the
+.Em sudoers
+file after the edit and will
+not save the changes if there is a syntax error.
+Upon finding an error,
+.Nm visudo
+will print a message stating the line number(s)
+where the error occurred and the user will receive the
+.Dq What now?
+prompt.
+At this point the user may enter
+.Ql e
+to re-edit the
+.Em sudoers
+file,
+.Ql x
+to exit without saving the changes, or
+.Ql Q
+to quit and save changes.
+The
+.Ql Q
+option should be used with extreme care because if
+.Nm visudo
+believes there to be a parse error, so will
+.Nm sudo
+and no one
+will be able to
+.Nm sudo
+again until the error is fixed.
+If
+.Ql e
+is typed to edit the
+.Em sudoers
+file after a parse error has been detected, the cursor will be placed on
+the line where the error occurred (if the editor supports this feature).
+.Pp
+The options are as follows:
+.Bl -tag -width Fl
+.It Fl c
+Enable
+.Em check-only
+mode.
+The existing
+.Em sudoers
+file will be
+checked for syntax errors, owner and mode.
+A message will be printed to the standard output describing the status of
+.Em sudoers
+unless the
+.Fl q
+option was specified.
+If the check completes successfully,
+.Nm visudo
+will exit with a value of 0.
+If an error is encountered,
+.Nm visudo
+will exit with a value of 1.
+.It Fl f Ar sudoers
+Specify and alternate
+.Em sudoers
+file location.
+With this option
+.Nm visudo
+will edit (or check) the
+.Em sudoers
+file of your choice,
+instead of the default,
+.Pa @sysconfdir@/sudoers .
+The lock file used is the specified
+.Em sudoers
+file with
+.Dq \.tmp
+appended to it.
+In
+.Em check-only
+mode only, the argument to
+.Fl f
+may be
+.Ql - ,
+indicating that
+.Em sudoers
+will be read from the standard input.
+.It Fl h
+The
+.Fl h No ( Em help Ns No )
+option causes
+.Nm visudo
+to print a short help message
+to the standard output and exit.
+.It Fl q
+Enable
+.Em quiet
+mode.
+In this mode details about syntax errors are not printed.
+This option is only useful when combined with
+the
+.Fl c
+option.
+.It Fl s
+Enable
+.Em strict
+checking of the
+.Em sudoers
+file.
+If an alias is used before it is defined,
+.Nm visudo
+will consider this a parse error.
+Note that it is not possible to differentiate between an
+alias and a host name or user name that consists solely of uppercase
+letters, digits, and the underscore
+.Pq Ql _
+character.
+.It Fl V
+The
+.Fl V ( Em version Ns No )
+option causes
+.Nm visudo
+to print its version number
+and exit.
+.El
+.Sh ENVIRONMENT
+The following environment variables may be consulted depending on
+the value of the
+.Em editor
+and
+.Em env_editor
+.Em sudoers
+settings:
+.Bl -tag -width 15n
+.It Ev VISUAL
+Invoked by
+.Nm visudo
+as the editor to use
+.It Ev EDITOR
+Used by
+.Nm visudo
+if
+.Ev VISUAL
+is not set
+.El
+.Sh FILES
+.Bl -tag -width 24n
+.It Pa @sysconfdir@/sudoers
+List of who can run what
+.It Pa @sysconfdir@/sudoers.tmp
+Lock file for visudo
+.El
+.Sh DIAGNOSTICS
+.Bl -tag -width 4n
+.It Li sudoers file busy, try again later.
+Someone else is currently editing the
+.Em sudoers
+file.
+.It Li @sysconfdir@/sudoers.tmp: Permission denied
+You didn't run
+.Nm visudo
+as root.
+.It Li Can't find you in the passwd database
+Your user ID does not appear in the system passwd file.
+.It Li Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined
+Either you are trying to use an undeclared {User,Runas,Host,Cmnd}_Alias
+or you have a user or host name listed that consists solely of
+uppercase letters, digits, and the underscore
+.Pq Ql _
+character.
+In the latter case, you can ignore the warnings
+.Po
+.Nm sudo
+will not complain
+.Pc .
+In
+.Fl s
+(strict) mode these are errors, not warnings.
+.It Li Warning: unused {User,Runas,Host,Cmnd}_Alias
+The specified {User,Runas,Host,Cmnd}_Alias was defined but never
+used.
+You may wish to comment out or remove the unused alias.
+In
+.Fl s
+(strict) mode this is an error, not a warning.
+.It Li Warning: cycle in {User,Runas,Host,Cmnd}_Alias
+The specified {User,Runas,Host,Cmnd}_Alias includes a reference to
+itself, either directly or through an alias it includes.
+This is only a warning by default as
+.Nm sudo
+will ignore cycles when parsing
+the
+.Em sudoers
+file.
+.El
+.Sh SEE ALSO
+.Xr vi 1 ,
+.Xr sudoers @mansectform@ ,
+.Xr sudo @mansectsu@ ,
+.Xr vipw @mansectsu@
+.Sh AUTHORS
+Many people have worked on
+.Nm sudo
+over the years; this version consists of code written primarily by:
+.Bd -ragged -offset indent
+Todd C. Miller
+.Ed
+.Pp
+See the CONTRIBUTORS file in the
+.Nm sudo
+distribution (http://www.sudo.ws/sudo/contributors.html) for an
+exhaustive list of people who have contributed to
+.Nm sudo .
+.Sh CAVEATS
+There is no easy way to prevent a user from gaining a root shell if
+the editor used by
+.Nm visudo
+allows shell escapes.
+.Sh BUGS
+If you feel you have found a bug in
+.Nm visudo ,
+please submit a bug report at http://www.sudo.ws/sudo/bugs/
+.Sh SUPPORT
+Limited free support is available via the sudo-users mailing list,
+see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
+search the archives.
+.Sh DISCLAIMER
+.Nm visudo
+is provided
+.Dq AS IS
+and any express or implied warranties, including, but not limited
+to, the implied warranties of merchantability and fitness for a
+particular purpose are disclaimed.
+See the LICENSE file distributed with
+.Nm sudo
+or http://www.sudo.ws/sudo/license.html for complete details.
+++ /dev/null
-Copyright (c) 1996,1998-2005, 2007-2010
- Todd C. Miller <Todd.Miller@courtesan.com>
-
-Permission to use, copy, modify, and distribute this software for any
-purpose with or without fee is hereby granted, provided that the above
-copyright notice and this permission notice appear in all copies.
-
-THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
-WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
-MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
-ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
-ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
-OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-Sponsored in part by the Defense Advanced Research Projects
-Agency (DARPA) and Air Force Research Laboratory, Air Force
-Materiel Command, USAF, under agreement number F39502-99-1-0512.
-
-=pod
-
-=head1 NAME
-
-visudo - edit the sudoers file
-
-=head1 SYNOPSIS
-
-B<visudo> [B<-chqsV>] [B<-f> I<sudoers>]
-
-=head1 DESCRIPTION
-
-B<visudo> edits the I<sudoers> file in a safe fashion, analogous to
-L<vipw(8)>. B<visudo> locks the I<sudoers> file against multiple
-simultaneous edits, provides basic sanity checks, and checks
-for parse errors. If the I<sudoers> file is currently being
-edited you will receive a message to try again later.
-
-There is a hard-coded list of one or more editors that B<visudo> will
-use set at compile-time that may be overridden via the I<editor> I<sudoers>
-C<Default> variable. This list defaults to C<"@editor@">. Normally,
-B<visudo> does not honor the C<VISUAL> or C<EDITOR> environment
-variables unless they contain an editor in the aforementioned editors
-list. However, if B<visudo> is configured with the I<--with-env-editor>
-option or the I<env_editor> C<Default> variable is set in I<sudoers>,
-B<visudo> will use any the editor defines by C<VISUAL> or C<EDITOR>.
-Note that this can be a security hole since it allows the user to
-execute any program they wish simply by setting C<VISUAL> or C<EDITOR>.
-
-B<visudo> parses the I<sudoers> file after the edit and will
-not save the changes if there is a syntax error. Upon finding
-an error, B<visudo> will print a message stating the line number(s)
-where the error occurred and the user will receive the
-"What now?" prompt. At this point the user may enter "e"
-to re-edit the I<sudoers> file, "x" to exit without
-saving the changes, or "Q" to quit and save changes. The
-"Q" option should be used with extreme care because if B<visudo>
-believes there to be a parse error, so will B<sudo> and no one
-will be able to B<sudo> again until the error is fixed.
-If "e" is typed to edit the I<sudoers> file after a parse error
-has been detected, the cursor will be placed on the line where the
-error occurred (if the editor supports this feature).
-
-=head1 OPTIONS
-
-B<visudo> accepts the following command line options:
-
-=over 12
-
-=item -c
-
-Enable B<check-only> mode. The existing I<sudoers> file will be
-checked for syntax and a message will be printed to the
-standard output detailing the status of I<sudoers>.
-If the syntax check completes successfully, B<visudo> will
-exit with a value of 0. If a syntax error is encountered,
-B<visudo> will exit with a value of 1.
-
-=item -f I<sudoers>
-
-Specify and alternate I<sudoers> file location. With this option
-B<visudo> will edit (or check) the I<sudoers> file of your choice,
-instead of the default, F<@sysconfdir@/sudoers>. The lock file used
-is the specified I<sudoers> file with ".tmp" appended to it.
-In B<check-only> mode only, the argument to B<-f> may be "-",
-indicating that I<sudoers> will be read from the standard input.
-
-=item -h
-
-The B<-h> (I<help>) option causes B<visudo> to print a short help message
-to the standard output and exit.
-
-=item -q
-
-Enable B<quiet> mode. In this mode details about syntax errors
-are not printed. This option is only useful when combined with
-the B<-c> option.
-
-=item -s
-
-Enable B<strict> checking of the I<sudoers> file. If an alias is
-used before it is defined, B<visudo> will consider this a parse
-error. Note that it is not possible to differentiate between an
-alias and a host name or user name that consists solely of uppercase
-letters, digits, and the underscore ('_') character.
-
-=item -V
-
-The B<-V> (version) option causes B<visudo> to print its version number
-and exit.
-
-=back
-
-=head1 ENVIRONMENT
-
-The following environment variables may be consulted depending on
-the value of the I<editor> and I<env_editor> I<sudoers> variables:
-
-=over 16
-
-=item C<VISUAL>
-
-Invoked by visudo as the editor to use
-
-=item C<EDITOR>
-
-Used by visudo if VISUAL is not set
-
-=back
-
-=head1 FILES
-
-=over 24
-
-=item F<@sysconfdir@/sudoers>
-
-List of who can run what
-
-=item F<@sysconfdir@/sudoers.tmp>
-
-Lock file for visudo
-
-=back
-
-=head1 DIAGNOSTICS
-
-=over 4
-
-=item sudoers file busy, try again later.
-
-Someone else is currently editing the I<sudoers> file.
-
-=item @sysconfdir@/sudoers.tmp: Permission denied
-
-You didn't run B<visudo> as root.
-
-=item Can't find you in the passwd database
-
-Your user ID does not appear in the system passwd file.
-
-=item Warning: {User,Runas,Host,Cmnd}_Alias referenced but not defined
-
-Either you are trying to use an undeclared {User,Runas,Host,Cmnd}_Alias
-or you have a user or host name listed that consists solely of
-uppercase letters, digits, and the underscore ('_') character. In
-the latter case, you can ignore the warnings (B<sudo> will not
-complain). In B<-s> (strict) mode these are errors, not warnings.
-
-=item Warning: unused {User,Runas,Host,Cmnd}_Alias
-
-The specified {User,Runas,Host,Cmnd}_Alias was defined but never
-used. You may wish to comment out or remove the unused alias. In
-B<-s> (strict) mode this is an error, not a warning.
-
-=back
-
-=head1 SEE ALSO
-
-L<vi(1)>, L<sudoers(5)>, L<sudo(8)>, L<vipw(8)>
-
-=head1 AUTHORS
-
-Many people have worked on I<sudo> over the years; this version of
-B<visudo> was written by:
-
- Todd C. Miller
-
-See the HISTORY file in the sudo distribution or visit
-http://www.sudo.ws/sudo/history.html for more details.
-
-=head1 CAVEATS
-
-There is no easy way to prevent a user from gaining a root shell if
-the editor used by B<visudo> allows shell escapes.
-
-=head1 BUGS
-
-If you feel you have found a bug in B<visudo>, please submit a bug report
-at http://www.sudo.ws/sudo/bugs/
-
-=head1 SUPPORT
-
-Limited free support is available via the sudo-users mailing list,
-see http://www.sudo.ws/mailman/listinfo/sudo-users to subscribe or
-search the archives.
-
-=head1 DISCLAIMER
-
-B<visudo> is provided ``AS IS'' and any express or implied warranties,
-including, but not limited to, the implied warranties of merchantability
-and fitness for a particular purpose are disclaimed. See the LICENSE
-file distributed with B<sudo> or http://www.sudo.ws/sudo/license.html
-for complete details.
projects / sudo / commitdiff