N\bNA\bAM\bME\bE
- sudo - execute a command as another user
+ sudo, sudoedit - execute a command as another user
S\bSY\bYN\bNO\bOP\bPS\bSI\bIS\bS
- s\bsu\bud\bdo\bo -\b-V\bV | -\b-h\bh | -\b-l\bl | -\b-L\bL | -\b-v\bv | -\b-k\bk | -\b-K\bK | -\b-s\bs | [ -\b-H\bH ] [-\b-P\bP ]
- [-\b-S\bS ] [ -\b-b\bb ] | [ -\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt ] [ -\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b- ] [ -\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be
- ] [ -\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd ] _\bc_\bo_\bm_\bm_\ba_\bn_\bd
+ s\bsu\bud\bdo\bo -\b-K\bK | -\b-L\bL | -\b-V\bV | -\b-h\bh | -\b-k\bk | -\b-l\bl | -\b-v\bv
+
+ s\bsu\bud\bdo\bo [-\b-H\bHP\bPS\bSb\bb] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-c\bc _\bc_\bl_\ba_\bs_\bs|_\b-] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt]
+ [-\b-u\bu _\bu_\bs_\be_\br_\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] {-\b-e\be file [...] | -\b-i\bi | -\b-s\bs | _\bc_\bo_\bm_\bm_\ba_\bn_\bd}
+
+ s\bsu\bud\bdo\boe\bed\bdi\bit\bt [-\b-S\bS] [-\b-a\ba _\ba_\bu_\bt_\bh_\b__\bt_\by_\bp_\be] [-\b-p\bp _\bp_\br_\bo_\bm_\bp_\bt] [-\b-u\bu _\bu_\bs_\be_\br_\b
+ _\bn_\ba_\bm_\be|_\b#_\bu_\bi_\bd] file [...]
D\bDE\bES\bSC\bCR\bRI\bIP\bPT\bTI\bIO\bON\bN
s\bsu\bud\bdo\bo allows a permitted user to execute a _\bc_\bo_\bm_\bm_\ba_\bn_\bd as the
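Review bot: the new sudoedit SYNOPSIS line breaks in the middle of the italic "username" argument ("-u user" at the end of one line, "name|#uid]" starting the next), so the rendered page shows "-u user name|#uid", which reads as two separate arguments. Shorten the line or put the break before "[-u" so the argument renders whole, as it does on the sudo line above it.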
the user may then use sudo without a password for a short
period of time (5 minutes unless overridden in _\bs_\bu_\bd_\bo_\be_\br_\bs).
+ When invoked as s\bsu\bud\bdo\boe\bed\bdi\bit\bt, the -\b-e\be option (described below),
+ is implied.
+
s\bsu\bud\bdo\bo determines who is an authorized user by consulting
the file _\b/_\be_\bt_\bc_\b/_\bs_\bu_\bd_\bo_\be_\br_\bs. By giving s\bsu\bud\bdo\bo the -\b-v\bv flag a user
can update the time stamp without running a _\bc_\bo_\bm_\bm_\ba_\bn_\bd_\b. The
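Review bot: stray comma in the new DESCRIPTION sentence: "the -e option (described below), is implied" puts a comma between subject and verb; drop the comma after the closing parenthesis.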
-\b-v\bv flags. This allows users to determine for themselves
whether or not they are allowed to use s\bsu\bud\bdo\bo.
+ If s\bsu\bud\bdo\bo is run by root and the SUDO_USER environment vari
+ able is set, s\bsu\bud\bdo\bo will use this value to determine who the
+ actual user is. This can be used by a user to log com
+ mands through sudo even when a root shell has been
+ invoked. It also allows the -\b-e\be flag to remain useful even
+ when being run via a sudo-run script or program. Note
+ however, that the sudoers lookup is still done for root,
+ not the user specified by SUDO_USER.
+
s\bsu\bud\bdo\bo can log both successful and unsuccessful attempts (as
well as errors) to _\bs_\by_\bs_\bl_\bo_\bg(3), a log file, or both. By
+
+
+
+1.6.8 February 13, 2004 1
+
+
+
+
+
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+
+
default s\bsu\bud\bdo\bo will log via _\bs_\by_\bs_\bl_\bo_\bg(3) but this is changeable
at configure time or via the _\bs_\bu_\bd_\bo_\be_\br_\bs file.
O\bOP\bPT\bTI\bIO\bON\bNS\bS
s\bsu\bud\bdo\bo accepts the following command line options:
+ -H The -\b-H\bH (_\bH_\bO_\bM_\bE) option sets the HOME environment vari
+ able to the homedir of the target user (root by
+ default) as specified in _\bp_\ba_\bs_\bs_\bw_\bd(4). By default, s\bsu\bud\bdo\bo
+ does not modify HOME.
+
+ -K The -\b-K\bK (sure _\bk_\bi_\bl_\bl) option to s\bsu\bud\bdo\bo removes the user's
+ timestamp entirely. Likewise, this option does not
+ require a password.
+
+ -L The -\b-L\bL (_\bl_\bi_\bs_\bt defaults) option will list out the param
+ eters that may be set in a _\bD_\be_\bf_\ba_\bu_\bl_\bt_\bs line along with a
+ short description for each. This option is useful in
+ conjunction with _\bg_\br_\be_\bp(1).
+
+ -P The -\b-P\bP (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\bg_\br_\bo_\bu_\bp _\bv_\be_\bc_\bt_\bo_\br) option causes s\bsu\bud\bdo\bo to
+ preserve the user's group vector unaltered. By
+ default, s\bsu\bud\bdo\bo will initialize the group vector to the
+ list of groups the target user is in. The real and
+ effective group IDs, however, are still set to match
+ the target user.
+
+ -S The -\b-S\bS (_\bs_\bt_\bd_\bi_\bn) option causes s\bsu\bud\bdo\bo to read the password
+ from standard input instead of the terminal device.
+
-V The -\b-V\bV (_\bv_\be_\br_\bs_\bi_\bo_\bn) option causes s\bsu\bud\bdo\bo to print the ver
sion number and exit. If the invoking user is already
root the -\b-V\bV option will print out a list of the
defaults s\bsu\bud\bdo\bo was compiled with as well as the
machine's local network addresses.
- -l The -\b-l\bl (_\bl_\bi_\bs_\bt) option will list out the allowed (and
- forbidden) commands for the user on the current host.
+ -a The -\b-a\ba (_\ba_\bu_\bt_\bh_\be_\bn_\bt_\bi_\bc_\ba_\bt_\bi_\bo_\bn _\bt_\by_\bp_\be) option causes s\bsu\bud\bdo\bo to use
+ the specified authentication type when validating the
+ user, as allowed by /etc/login.conf. The system
+ administrator may specify a list of sudo-specific
+ authentication methods by adding an "auth-sudo" entry
+ in /etc/login.conf. This option is only available on
+ systems that support BSD authentication where s\bsu\bud\bdo\bo has
+ been configured with the --with-bsdauth option.
+
+ -b The -\b-b\bb (_\bb_\ba_\bc_\bk_\bg_\br_\bo_\bu_\bn_\bd) option tells s\bsu\bud\bdo\bo to run the given
+ command in the background. Note that if you use the
+ -\b-b\bb option you cannot use shell job control to manipu
+ late the process.
- -L The -\b-L\bL (_\bl_\bi_\bs_\bt defaults) option will list out the
+ -c The -\b-c\bc (_\bc_\bl_\ba_\bs_\bs) option causes s\bsu\bud\bdo\bo to run the specified
+ command with resources limited by the specified login
+ class. The _\bc_\bl_\ba_\bs_\bs argument can be either a class name
+ as defined in /etc/login.conf, or a single '-'
-1.6.7 March 13, 2003 1
+1.6.8 February 13, 2004 2
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
- parameters that may be set in a _\bD_\be_\bf_\ba_\bu_\bl_\bt_\bs line along
- with a short description for each. This option is
- useful in conjunction with _\bg_\br_\be_\bp(1).
+ character. Specifying a _\bc_\bl_\ba_\bs_\bs of - indicates that the
+ command should be run restricted by the default login
+ capabilities for the user the command is run as. If
+ the _\bc_\bl_\ba_\bs_\bs argument specifies an existing user class,
+ the command must be run as root, or the s\bsu\bud\bdo\bo command
+ must be run from a shell that is already root. This
+ option is only available on systems with BSD login
+ classes where s\bsu\bud\bdo\bo has been configured with the
+ --with-logincap option.
+
+ -e The -\b-e\be (_\be_\bd_\bi_\bt) option indicates that, instead of run
+ ning a command, the user wishes to edit one or more
+ files. In lieu of a command, the string _\b"_\bs_\bu_\bd_\bo_\be_\bd_\bi_\bt_\b" is
+ used when consulting the _\bs_\bu_\bd_\bo_\be_\br_\bs file. If the user is
+ authorized by _\bs_\bu_\bd_\bo_\be_\br_\bs the following steps are taken:
+
+ 1. Temporary copies are made of the files to be
+ edited, owned by the invoking user.
+
+ 2. The editor specified by the VISUAL or EDITOR
+ environment variables is run to edit the tem
+ porary files. If neither VISUAL nor EDITOR
+ are set, the program listed in the _\be_\bd_\bi_\bt_\bo_\br
+ _\bs_\bu_\bd_\bo_\be_\br_\bs variable is used.
+
+ 3. If they have been modified, the temporary
+ files are copied back to their original loca
+ tion and the temporary versions are removed.
+
+ If the specified file does not exist, it will be cre
+ ated. Note that unlike most commands run by s\bsu\bud\bdo\bo, the
+ editor is run with the invoking user's environment
+ unmodified. If, for some reason, s\bsu\bud\bdo\bo is unable to
+ update a file with its edited version, the user will
+ receive a warning and the edited copy will remain in a
+ temporary file.
-h The -\b-h\bh (_\bh_\be_\bl_\bp) option causes s\bsu\bud\bdo\bo to print a usage mes
sage and exit.
- -v If given the -\b-v\bv (_\bv_\ba_\bl_\bi_\bd_\ba_\bt_\be) option, s\bsu\bud\bdo\bo will update
- the user's timestamp, prompting for the user's pass
- word if necessary. This extends the s\bsu\bud\bdo\bo timeout for
- another 5 minutes (or whatever the timeout is set to
- in _\bs_\bu_\bd_\bo_\be_\br_\bs) but does not run a command.
+ -i The -i (_\bs_\bi_\bm_\bu_\bl_\ba_\bt_\be _\bi_\bn_\bi_\bt_\bi_\ba_\bl _\bl_\bo_\bg_\bi_\bn) option runs the shell
+ specified in the passwd(4) entry of the user that the
+ command is being run as. The command name argument
+ given to the shell begins with a - to tell the shell
+ to run as a login shell. s\bsu\bud\bdo\bo attempts to change to
+ that user's home directory before running the shell.
+ It also initializes the environment, leaving _\bT_\bE_\bR_\bM
+ unchanged, setting _\bH_\bO_\bM_\bE, _\bS_\bH_\bE_\bL_\bL, _\bU_\bS_\bE_\bR, _\bL_\bO_\bG_\bN_\bA_\bM_\bE, and
+ _\bP_\bA_\bT_\bH, and unsetting all other environment variables.
+ Note that because the shell to use is determined
+ before the _\bs_\bu_\bd_\bo_\be_\br_\bs file is parsed, a _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt
+ setting in _\bs_\bu_\bd_\bo_\be_\br_\bs will specify the user to run the
+ shell as but will not affect which shell is actually
+ run.
+
+
+
+1.6.8 February 13, 2004 3
+
+
+
+
+
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+
-k The -\b-k\bk (_\bk_\bi_\bl_\bl) option to s\bsu\bud\bdo\bo invalidates the user's
timestamp by setting the time on it to the epoch. The
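Review bot: the -K entry, now moved ahead of -L by the alphabetical reordering, still says "Likewise, this option does not require a password", but "Likewise" pointed at the -k entry that used to precede it and -k now comes several entries later; reword to "This option does not require a password." In the same hunk, the new SUDO_USER paragraph says sudo "will use this value to determine who the actual user is" and presents this as a way to "log commands through sudo even when a root shell has been invoked"; it should say plainly that the value is taken from the caller's environment and is not authenticated, so a log entry attributed this way records what the root process claimed rather than a verified identity. The existing "Note however" sentence about the sudoers lookup is the natural place to add that caveat.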
to allow a user to revoke s\bsu\bud\bdo\bo permissions from a
.logout file.
- -K The -\b-K\bK (sure _\bk_\bi_\bl_\bl) option to s\bsu\bud\bdo\bo removes the user's
- timestamp entirely. Likewise, this option does not
- require a password.
-
- -b The -\b-b\bb (_\bb_\ba_\bc_\bk_\bg_\br_\bo_\bu_\bn_\bd) option tells s\bsu\bud\bdo\bo to run the given
- command in the background. Note that if you use the
- -\b-b\bb option you cannot use shell job control to manipu
- late the process.
+ -l The -\b-l\bl (_\bl_\bi_\bs_\bt) option will list out the allowed (and
+ forbidden) commands for the user on the current host.
-p The -\b-p\bp (_\bp_\br_\bo_\bm_\bp_\bt) option allows you to override the
default password prompt and use a custom one. The
fully qualified or the _\bf_\bq_\bd_\bn sudoers option is
set)
- %% two consecutive % characters are collaped into
- a single % character
-
- -c The -\b-c\bc (_\bc_\bl_\ba_\bs_\bs) option causes s\bsu\bud\bdo\bo to run the specified
- command with resources limited by the specified login
- class. The _\bc_\bl_\ba_\bs_\bs argument can be either a class name
- as defined in /etc/login.conf, or a single '-' charac
- ter. Specifying a _\bc_\bl_\ba_\bs_\bs of - indicates that the
-
-
-
-1.6.7 March 13, 2003 2
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
- command should be run restricted by the default login
- capabilities for the user the command is run as. If
- the _\bc_\bl_\ba_\bs_\bs argument specifies an existing user class,
- the command must be run as root, or the s\bsu\bud\bdo\bo command
- must be run from a shell that is already root. This
- option is only available on systems with BSD login
- classes where s\bsu\bud\bdo\bo has been configured with the
- --with-logincap option.
-
- -a The -\b-a\ba (_\ba_\bu_\bt_\bh_\be_\bn_\bt_\bi_\bc_\ba_\bt_\bi_\bo_\bn _\bt_\by_\bp_\be) option causes s\bsu\bud\bdo\bo to use
- the specified authentication type when validating the
- user, as allowed by /etc/login.conf. The system
- administrator may specify a list of sudo-specific
- authentication methods by adding an "auth-sudo" entry
- in /etc/login.conf. This option is only available on
- systems that support BSD authentication where s\bsu\bud\bdo\bo has
- been configured with the --with-bsdauth option.
-
- -u The -\b-u\bu (_\bu_\bs_\be_\br) option causes s\bsu\bud\bdo\bo to run the specified
- command as a user other than _\br_\bo_\bo_\bt. To specify a _\bu_\bi_\bd
- instead of a _\bu_\bs_\be_\br_\bn_\ba_\bm_\be, use _\b#_\bu_\bi_\bd.
+ %% two consecutive % characters are collasped
+ into a single % character
-s The -\b-s\bs (_\bs_\bh_\be_\bl_\bl) option runs the shell specified by the
_\bS_\bH_\bE_\bL_\bL environment variable if it is set or the shell
as specified in _\bp_\ba_\bs_\bs_\bw_\bd(4).
- -H The -\b-H\bH (_\bH_\bO_\bM_\bE) option sets the HOME environment vari
- able to the homedir of the target user (root by
- default) as specified in _\bp_\ba_\bs_\bs_\bw_\bd(4). By default, s\bsu\bud\bdo\bo
- does not modify HOME.
-
- -P The -\b-P\bP (_\bp_\br_\be_\bs_\be_\br_\bv_\be _\bg_\br_\bo_\bu_\bp _\bv_\be_\bc_\bt_\bo_\br) option causes s\bsu\bud\bdo\bo to
- preserve the user's group vector unaltered. By
- default, s\bsu\bud\bdo\bo will initialize the group vector to the
- list of groups the target user is in. The real and
- effective group IDs, however, are still set to match
- the target user.
+ -u The -\b-u\bu (_\bu_\bs_\be_\br) option causes s\bsu\bud\bdo\bo to run the specified
+ command as a user other than _\br_\bo_\bo_\bt. To specify a _\bu_\bi_\bd
+ instead of a _\bu_\bs_\be_\br_\bn_\ba_\bm_\be, use _\b#_\bu_\bi_\bd.
- -S The -\b-S\bS (_\bs_\bt_\bd_\bi_\bn) option causes s\bsu\bud\bdo\bo to read the password
- from standard input instead of the terminal device.
+ -v If given the -\b-v\bv (_\bv_\ba_\bl_\bi_\bd_\ba_\bt_\be) option, s\bsu\bud\bdo\bo will update
+ the user's timestamp, prompting for the user's pass
+ word if necessary. This extends the s\bsu\bud\bdo\bo timeout for
+ another 5 minutes (or whatever the timeout is set to
+ in _\bs_\bu_\bd_\bo_\be_\br_\bs) but does not run a command.
-- The -\b--\b- flag indicates that s\bsu\bud\bdo\bo should stop processing
command line arguments. It is most useful in conjunc
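Review bot: typo in the rewrapped -p prompt escape text: "two consecutive % characters are collasped" should read "collapsed". The old line had "collaped", so the rewrap carried a misspelling forward instead of fixing it.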
that was executed.
Otherwise, s\bsu\bud\bdo\bo quits with an exit value of 1 if there is
- a configuration/permission problem or if s\bsu\bud\bdo\bo cannot exe
- cute the given command. In the latter case the error
- string is printed to stderr. If s\bsu\bud\bdo\bo cannot _\bs_\bt_\ba_\bt(2) one
-1.6.7 March 13, 2003 3
+1.6.8 February 13, 2004 4
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ a configuration/permission problem or if s\bsu\bud\bdo\bo cannot exe
+ cute the given command. In the latter case the error
+ string is printed to stderr. If s\bsu\bud\bdo\bo cannot _\bs_\bt_\ba_\bt(2) one
or more entries in the user's PATH an error is printed on
stderr. (If the directory does not exist or if it is not
really a directory, the entry is ignored and no error is
s\bsu\bud\bdo\bo is run. However, because s\bsu\bud\bdo\bo checks the ownership
and mode of the directory and its contents, the only dam
age that can be done is to "hide" files by putting them in
- the timestamp dir. This is unlikely to happen since once
- the timestamp dir is owned by root and inaccessible by any
- other user the user placing files there would be unable to
-1.6.7 March 13, 2003 4
+1.6.8 February 13, 2004 5
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+ the timestamp dir. This is unlikely to happen since once
+ the timestamp dir is owned by root and inaccessible by any
+ other user the user placing files there would be unable to
get them back out. To get around this issue you can use a
directory that is not world-writable for the timestamps
(_\b/_\bv_\ba_\br_\b/_\ba_\bd_\bm_\b/_\bs_\bu_\bd_\bo for instance) or create _\b/_\bv_\ba_\br_\b/_\br_\bu_\bn_\b/_\bs_\bu_\bd_\bo with
% sudo sh -c "cd /home ; du -s * | sort -rn > USAGE"
-E\bEN\bNV\bVI\bIR\bRO\bON\bNM\bME\bEN\bNT\bT
- s\bsu\bud\bdo\bo utilizes the following environment variables:
-
-1.6.7 March 13, 2003 5
+1.6.8 February 13, 2004 6
SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
- PATH Set to a sane value if SECURE_PATH is set
- SHELL Used to determine shell to run with -s option
- USER Set to the target user (root unless the -u option
- is specified)
+E\bEN\bNV\bVI\bIR\bRO\bON\bNM\bME\bEN\bNT\bT
+ s\bsu\bud\bdo\bo utilizes the following environment variables:
+
+ EDITOR Default editor to use in -e (sudoedit) mode if
+ VISUAL is not set
+
HOME In -s or -H mode (or if sudo was configured with
the --enable-shell-sets-home option), set to
- homedir of the target user.
+ homedir of the target user
+
+ PATH Set to a sane value if SECURE_PATH is set
+
+ SHELL Used to determine shell to run with -s option
+
SUDO_PROMPT Used as the default password prompt
+
SUDO_COMMAND Set to the command run by sudo
+
SUDO_USER Set to the login of the user who invoked sudo
+
SUDO_UID Set to the uid of the user who invoked sudo
+
SUDO_GID Set to the gid of the user who invoked sudo
+
SUDO_PS1 If set, PS1 will be set to its value
-F\bFI\bIL\bLE\bES\bS
+ USER Set to the target user (root unless the -u option
+ is specified)
+
+ VISUAL Default editor to use in -e (sudoedit) mode
+ =head1 FILES
+
/etc/sudoers List of who can run what
/var/run/sudo Directory containing timestamps
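Review bot: the literal POD directive "=head1 FILES" appears in the rendered text where the FILES section heading used to be, so this change drops the real heading and ships a formatting artefact. The "=head1" in the POD source has most likely lost the blank line pod2man requires before it, or is no longer at the start of a line; fix the source and re-render so FILES is a proper heading again, matching ENVIRONMENT and SEE ALSO.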
S\bSu\bud\bdo\bo is provided ``AS IS'' and any express or implied war
ranties, including, but not limited to, the implied war
ranties of merchantability and fitness for a particular
+
+
+
+1.6.8 February 13, 2004 7
+
+
+
+
+
+SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
+
+
purpose are disclaimed. See the LICENSE file distributed
with s\bsu\bud\bdo\bo for complete details.
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
There is no easy way to prevent a user from gaining a root
- shell if that user has access to commands allowing shell
- escapes.
+ shell if that user is allowed to run arbitrary commands
+ via s\bsu\bud\bdo\bo. Also, many programs (such as editors) allow the
+ user to run commands via shell escapes, thus avoiding
+ s\bsu\bud\bdo\bo's checks. However, on most systems it is possible to
+ prevent shell escapes with s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc functionality.
+ See the _\bs_\bu_\bd_\bo_\be_\br_\bs(4) manual for details.
If users have sudo ALL there is nothing to prevent them
from creating their own program that gives them a root
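Review bot: the new CAVEATS sentence "on most systems it is possible to prevent shell escapes with sudo's noexec functionality" overstates the guarantee. As the noexec_file entry in sudoers(4) explains, noexec is an LD_PRELOAD library whose execv(), execve() and fexecve() stubs return an error, so it only constrains dynamically linked programs that go through those libc wrappers; a statically linked program, or one that issues the system call directly, is not covered. Qualify the sentence or point to the PREVENTING SHELL ESCAPES section (which the noexec flag text already references) so administrators do not treat NOEXEC as a complete control.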
ing systems (if your OS supports the /dev/fd/ directory,
setuid shell scripts are generally safe).
-
-
-1.6.7 March 13, 2003 6
-
-
-
-
-
-SUDO(1m) MAINTENANCE COMMANDS SUDO(1m)
-
-
S\bSE\bEE\bE A\bAL\bLS\bSO\bO
_\bg_\br_\be_\bp(1), _\bs_\bu(1), _\bs_\bt_\ba_\bt(2), _\bl_\bo_\bg_\bi_\bn_\b__\bc_\ba_\bp(3), _\bs_\bu_\bd_\bo_\be_\br_\bs(4),
_\bp_\ba_\bs_\bs_\bw_\bd(5), _\bv_\bi_\bs_\bu_\bd_\bo(1m)
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-1.6.7 March 13, 2003 7
+1.6.8 February 13, 2004 8
-1.6.7 March 13, 2003 1
+1.6.8 May 16, 2004 1
'!'* '+'netgroup |
'!'* User_Alias
- A User_List is made up of one or more usernames, uids
- (prefixed with '#'), System groups (prefixed with '%'),
- netgroups (prefixed with '+') and other aliases. Each
- list item may be prefixed with one or more '!' operators.
- An odd number of '!' operators negate the value of the
- item; an even number just cancel each other out.
+ A User_List is made up of one or more usernames, system
+ groups (prefixed with '%'), netgroups (prefixed with '+')
+ and other aliases. Each list item may be prefixed with
+ one or more '!' operators. An odd number of '!' operators
+ negate the value of the item; an even number just cancel
+ each other out.
Runas_List ::= Runas_User |
Runas_User ',' Runas_List
A Runas_List is similar to a User_List except that it can
also contain uids (prefixed with '#') and instead of
- User_Aliases it can contain Runas_Aliases.
-
- Host_List ::= Host |
- Host ',' Host_List
-
-
+ User_Aliases it can contain Runas_Aliases. Note that
+ usernames and groups are matched as strings. In other
+ words, two users (groups) with the same uid (gid) are con
+ sidered to be distinct. If you wish to match all user
+ names with the same uid (e.g. root and toor), you can use
+ a uid instead (#0 in the example given).
-1.6.7 March 13, 2003 2
+1.6.8 May 16, 2004 2
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ Host_List ::= Host |
+ Host ',' Host_List
+
Host ::= '!'* hostname |
'!'* ip_addr |
'!'* network(/netmask)? |
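Review bot: the rewritten User_List paragraph drops "uids (prefixed with '#')" and the Runas_List paragraph now says uids are what distinguishes it, but the User production just above this hunk, of which only the "'+'netgroup" and "User_Alias" alternatives are visible, must lose its '#'uid alternative in the same change or grammar and prose will disagree; please confirm that production was updated. The added explanation that usernames and groups are matched as strings, with "#0" as the way to match root and toor together, is a helpful clarification and should stay.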
Cmnd ::= '!'* commandname |
'!'* directory |
+ '!'* "sudoedit" |
'!'* Cmnd_Alias
A Cmnd_List is a list of one or more commandnames, direc
the user on the command line (or match the wildcards if
there are any). Note that the following characters must
be escaped with a '\' if they are used in command argu
- ments: ',', ':', '=', '\'.
-
-
+ ments: ',', ':', '=', '\'. The special command "sudoedit"
-
-
-1.6.7 March 13, 2003 3
+1.6.8 May 16, 2004 3
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ is used to permit a user to run s\bsu\bud\bdo\bo with the -\b-e\be flag (or
+ as s\bsu\bud\bdo\boe\bed\bdi\bit\bt). It may take command line arguments just as
+ a normal command does.
+
D\bDe\bef\bfa\bau\bul\blt\bts\bs
Certain configuration options may be changed from their
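Review bot: the new "sudoedit" paragraph says the special command "may take command line arguments just as a normal command does" but never says what a bare sudoedit entry with no arguments authorizes. Since a command entry without arguments matches any arguments, a bare entry lets the user edit any file as the runas user; state that explicitly and show the restricted form (sudoedit followed by the permitted file paths) so administrators do not grant more than they intend.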
applied in order. Where there are conflicting values, the
last value on a matching line takes effect.
- Default_Type ::= 'Defaults' ||
- 'Defaults' '@' Host ||
- 'Defaults' ':' User ||
+ Default_Type ::= 'Defaults' |
+ 'Defaults' '@' Host |
+ 'Defaults' ':' User |
'Defaults' '>' RunasUser
Default_Entry ::= Default_Type Parameter_List
- Parameter ::= Parameter '=' Value ||
- Parameter '+=' Value ||
- Parameter '-=' Value ||
- '!'* Parameter ||
+ Parameter_List ::= Parameter |
+ Parameter ',' Parameter_List
+
+ Parameter ::= Parameter '=' Value |
+ Parameter '+=' Value |
+ Parameter '-=' Value |
+ '!'* Parameter
Parameters may be f\bfl\bla\bag\bgs\bs, i\bin\bnt\bte\beg\bge\ber\br values, s\bst\btr\bri\bin\bng\bgs\bs, or
l\bli\bis\bst\bts\bs. Flags are implicitly boolean and can be turned off
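Review bot: the rewritten grammar fixes the "||" separators and adds the Parameter_List production that Default_Entry referenced but never defined, but Parameter is still defined only in terms of itself ("Parameter '=' Value", "Parameter '+=' Value", "Parameter '-=' Value", "'!'* Parameter") with no terminal base case, so nothing can be derived from it. Introduce a name terminal, e.g. "Parameter ::= name | name '=' Value | name '+=' Value | name '-=' Value | '!'* name".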
used to make it easier to cut and paste the
challenge to a local window. It's not as
pretty as the default but some people find it
- more convenient. This flag is _\bo_\bf_\bf by default.
- ignore_dot If set, s\bsu\bud\bdo\bo will ignore '.' or '' (current
- dir) in the PATH environment variable; the
- PATH itself is not modified. This flag is _\bo_\bf_\bf
- by default.
+1.6.8 May 16, 2004 4
-1.6.7 March 13, 2003 4
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ more convenient. This flag is _\bo_\bf_\bf by default.
+ ignore_dot If set, s\bsu\bud\bdo\bo will ignore '.' or '' (current
+ dir) in the PATH environment variable; the
+ PATH itself is not modified. This flag is _\bo_\bf_\bf
+ by default. Currently, while it is possible
+ to set _\bi_\bg_\bn_\bo_\br_\be_\b__\bd_\bo_\bt in _\bs_\bu_\bd_\bo_\be_\br_\bs, its value is not
+ used. This option should be considered read-
+ only (it will be fixed in a future version of
+ s\bsu\bud\bdo\bo).
mail_always Send mail to the _\bm_\ba_\bi_\bl_\bt_\bo user every time a
users runs s\bsu\bud\bdo\bo. This flag is _\bo_\bf_\bf by default.
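Review bot: the added ignore_dot text says the option "should be considered read-only" right after saying it can be set in sudoers but "its value is not used"; "read-only" suggests the value cannot be changed, which is the opposite of what is described. Say instead that setting ignore_dot in sudoers currently has no effect, and consider having sudo warn when it is set, so an administrator relying on it for PATH hygiene is not silently unprotected.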
logged in on in that directory. This flag is
_\bo_\bf_\bf by default.
- lecture If set, a user will receive a short lecture
- the first time he/she runs s\bsu\bud\bdo\bo. This flag is
- _\bo_\bn by default.
-
authenticate
If set, users must authenticate themselves via
a password (or other means of authentication)
may be overridden via the PASSWD and NOPASSWD
tags. This flag is _\bo_\bn by default.
- root_sudo If set, root is allowed to run s\bsu\bud\bdo\bo too. Dis
- abling this prevents users from "chaining"
- s\bsu\bud\bdo\bo commands to get a root shell by doing
- something like "sudo sudo /bin/sh". This flag
- is _\bo_\bn by default.
-
- log_host If set, the hostname will be logged in the
- (non-syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf
+ root_sudo If set, root is allowed to run s\bsu\bud\bdo\bo too.
-1.6.7 March 13, 2003 5
+1.6.8 May 16, 2004 5
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ Disabling this prevents users from "chaining"
+ s\bsu\bud\bdo\bo commands to get a root shell by doing
+ something like "sudo sudo /bin/sh". Note,
+ however, that turning off _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo will also
+ prevent root and from running s\bsu\bud\bdo\boe\bed\bdi\bit\bt. Dis
+ abling _\br_\bo_\bo_\bt_\b__\bs_\bu_\bd_\bo provides no real additional
+ security; it exists purely for historical rea
+ sons. This flag is _\bo_\bn by default.
+
+ log_host If set, the hostname will be logged in the
+ (non-syslog) s\bsu\bud\bdo\bo log file. This flag is _\bo_\bf_\bf
by default.
log_year If set, the four-digit year will be logged in
be confusing. This flag is _\bo_\bf_\bf by default.
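Review bot: grammar slip in the expanded root_sudo text: "will also prevent root and from running sudoedit" has a stray "and" and should read "will also prevent root from running sudoedit". The new sentence that disabling root_sudo "provides no real additional security" is a useful clarification and should stay.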
preserve_groups
- By default s\bsu\bud\bdo\bo will initialize the group vec
- tor to the list of groups the target user is
- in. When _\bp_\br_\be_\bs_\be_\br_\bv_\be_\b__\bg_\br_\bo_\bu_\bp_\bs is set, the user's
- existing group vector is left unaltered. The
- real and effective group IDs, however, are
- still set to match the target user. This flag
- is _\bo_\bf_\bf by default.
-
- fqdn Set this flag if you want to put fully quali
- fied hostnames in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. I.e.,
- instead of myhost you would use myhost.mydo
- main.edu. You may still use the short form if
+ By default s\bsu\bud\bdo\bo will initialize the group
-1.6.7 March 13, 2003 6
+1.6.8 May 16, 2004 6
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ vector to the list of groups the target user
+ is in. When _\bp_\br_\be_\bs_\be_\br_\bv_\be_\b__\bg_\br_\bo_\bu_\bp_\bs is set, the
+ user's existing group vector is left unal
+ tered. The real and effective group IDs, how
+ ever, are still set to match the target user.
+ This flag is _\bo_\bf_\bf by default.
+
+ fqdn Set this flag if you want to put fully quali
+ fied hostnames in the _\bs_\bu_\bd_\bo_\be_\br_\bs file. I.e.,
+ instead of myhost you would use myhost.mydo
+ main.edu. You may still use the short form if
you wish (and even mix the two). Beware that
turning on _\bf_\bq_\bd_\bn requires s\bsu\bud\bdo\bo to make DNS
lookups which may make s\bsu\bud\bdo\bo unusable if DNS
instead of the password of the invoking user.
This flag is _\bo_\bf_\bf by default.
- runaspw If set, s\bsu\bud\bdo\bo will prompt for the password of
- the user defined by the _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt option
- (defaults to root) instead of the password of
- the invoking user. This flag is _\bo_\bf_\bf by
- default.
- targetpw If set, s\bsu\bud\bdo\bo will prompt for the password of
- the user specified by the -\b-u\bu flag (defaults to
- root) instead of the password of the invoking
- user. This flag is _\bo_\bf_\bf by default.
+1.6.8 May 16, 2004 7
-1.6.7 March 13, 2003 7
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ runaspw If set, s\bsu\bud\bdo\bo will prompt for the password of
+ the user defined by the _\br_\bu_\bn_\ba_\bs_\b__\bd_\be_\bf_\ba_\bu_\bl_\bt option
+ (defaults to root) instead of the password of
+ the invoking user. This flag is _\bo_\bf_\bf by
+ default.
+ targetpw If set, s\bsu\bud\bdo\bo will prompt for the password of
+ the user specified by the -\b-u\bu flag (defaults to
+ root) instead of the password of the invoking
+ user. This flag is _\bo_\bf_\bf by default.
set_logname Normally, s\bsu\bud\bdo\bo will set the LOGNAME and USER
environment variables to the name of the tar
for the target user's login class if one
exists. Only available if s\bsu\bud\bdo\bo is configured
with the --with-logincap option. This flag is
- _\bo_\bf_\bf by default.
- I\bIn\bnt\bte\beg\bge\ber\brs\bs:
- passwd_tries
- The number of tries a user gets to enter
- his/her password before s\bsu\bud\bdo\bo logs the failure
- and exits. The default is 3.
- I\bIn\bnt\bte\beg\bge\ber\brs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
+1.6.8 May 16, 2004 8
-1.6.7 March 13, 2003 8
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ _\bo_\bf_\bf by default.
+ noexec If set, all commands run via sudo will behave
+ as if the NOEXEC tag has been set, unless
+ overridden by a EXEC tag. See the description
+ of _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC below as well as the P\bPR\bRE\bE\b
+ V\bVE\bEN\bNT\bTI\bIN\bNG\bG S\bSH\bHE\bEL\bLL\bL E\bES\bSC\bCA\bAP\bPE\bES\bS section at the end of
+ this manual. This flag is _\bo_\bf_\bf by default.
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ I\bIn\bnt\bte\beg\bge\ber\brs\bs:
+
+ passwd_tries
+ The number of tries a user gets to enter
+ his/her password before s\bsu\bud\bdo\bo logs the failure
+ and exits. The default is 3.
+ I\bIn\bnt\bte\beg\bge\ber\brs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
loglinelen Number of characters per line for the file
log. This value is used to decide when to
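Review bot: article error in the new noexec flag entry: "unless overridden by a EXEC tag" should be "an EXEC tag". The cross-reference to NOEXEC and EXEC and to the PREVENTING SHELL ESCAPES section is good and should stay.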
badpass_message
Message that is displayed if a user enters an
incorrect password. The default is Sorry, try
+
+
+
+1.6.8 May 16, 2004 9
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
again. unless insults are enabled.
timestampdir
%u expanded to the invoking user's login
name
-
-
-1.6.7 March 13, 2003 9
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
%U expanded to the login name of the user
the command will be run as (defaults
to root)
allowed to be used with v\bvi\bis\bsu\bud\bdo\bo. v\bvi\bis\bsu\bud\bdo\bo will
choose the editor that matches the user's USER
environment variable if possible, or the first
- editor in the list that exists and is exe
- cutable. The default is the path to vi on
+ editor in the list that exists and is
+
+
+
+1.6.8 May 16, 2004 10
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
+ executable. The default is the path to vi on
your system.
+ noexec_file Path to a shared library containing dummy ver
+ sions of the _\be_\bx_\be_\bc_\bv_\b(_\b), _\be_\bx_\be_\bc_\bv_\be_\b(_\b) and _\bf_\be_\bx_\be_\bc_\bv_\be_\b(_\b)
+ library functions that just return an error.
+ This is used to implement the _\bn_\bo_\be_\bx_\be_\bc function
+ ality on systems that support LD_PRELOAD or
+ its equivalent. Defaults to
+ _\b/_\bu_\bs_\br_\b/_\bl_\bo_\bc_\ba_\bl_\b/_\bl_\bi_\bb_\be_\bx_\be_\bc_\b/_\bs_\bu_\bd_\bo_\b__\bn_\bo_\be_\bx_\be_\bc_\b._\bs_\bo.
+
S\bSt\btr\bri\bin\bng\bgs\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
+ lecture This option controls when a short lecture will
+ be printed along with the password prompt. It
+ has the following possible values:
+
+ never Never lecture the user.
+
+ once Only lecture the user the first time
+ they run s\bsu\bud\bdo\bo.
+
+ always Always lecture the user.
+
+ The default value is _\bo_\bn_\bc_\be.
+
+ lecture_file
+ Path to a file containing an alternate sudo
+ lecture that will be used in place of the
+ standard lecture if the named file exists.
+
logfile Path to the s\bsu\bud\bdo\bo log file (not the syslog log
file). Setting a path turns on logging to a
file; negating this option turns it off.
mailerflags Flags to use when invoking mailer. Defaults to
-\b-t\bt.
+ mailto Address to send warning and error mail to.
+ The address should be enclosed in double
+ quotes (") to protect against sudo interpret
+ ing the @ sign. Defaults to root.
+ exempt_group
+ Users in this group are exempt from password
+ and PATH requirements. This is not set by
-1.6.7 March 13, 2003 10
+1.6.8 May 16, 2004 11
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- mailto Address to send warning and error mail to.
- The address should be enclosed in double
- quotes (") to protect against sudo interpret
- ing the @ sign. Defaults to root.
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
- exempt_group
- Users in this group are exempt from password
- and PATH requirements. This is not set by
default.
verifypw This option controls when a password will be
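Review bot: lecture changes from a flag ("This flag is on by default", removed earlier in this diff) to a string with the values never, once and always, default once, but the new text does not say how existing sudoers files that use the boolean forms "Defaults lecture" and "Defaults !lecture" are interpreted now. The heading "Strings that can be used in a boolean context" implies they still parse; document which value each boolean form maps to (presumably !lecture to never and lecture to once) so an upgrade does not change behaviour unexpectedly.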
L\bLi\bis\bst\bts\bs t\bth\bha\bat\bt c\bca\ban\bn b\bbe\be u\bus\bse\bed\bd i\bin\bn a\ba b\bbo\boo\bol\ble\bea\ban\bn c\bco\bon\bnt\bte\bex\bxt\bt:
+ env_check Environment variables to be removed from the
+ user's environment if the variable's value
+ contains % or / characters. This can be used
+ to guard against printf-style format vulnera
+ bilities in poorly-written programs. The
+ argument may be a double-quoted, space-sepa
+ rated list or a single value without dou
+ ble-quotes. The list can be replaced, added
-1.6.7 March 13, 2003 11
+1.6.8 May 16, 2004 12
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- env_check Environment variables to be removed from the
- user's environment if the variable's value
- contains % or / characters. This can be used
- to guard against printf-style format vulnera
- bilities in poorly-written programs. The
- argument may be a double-quoted, space-sepa
- rated list or a single value without dou
- ble-quotes. The list can be replaced, added
to, deleted from, or disabled by using the =,
+=, -=, and ! operators respectively. The
default list of environment variables to check
U\bUs\bse\ber\br S\bSp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn
- User_Spec ::= User_list Host_List '=' Cmnd_Spec_List \
- (':' User_Spec)*
+ User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \
+ (':' Host_List '=' Cmnd_Spec_List)*
Cmnd_Spec_List ::= Cmnd_Spec |
Cmnd_Spec ',' Cmnd_Spec_List
+ Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd
+ Runas_Spec ::= '(' Runas_List ')'
-1.6.7 March 13, 2003 12
+ Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:')
+ A u\bus\bse\ber\br s\bsp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn determines which commands a user may
+1.6.8 May 16, 2004 13
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
- Cmnd_Spec ::= Runas_Spec? ('NOPASSWD:' | 'PASSWD:')? Cmnd
- Runas_Spec ::= '(' Runas_List ')'
- A u\bus\bse\ber\br s\bsp\bpe\bec\bci\bif\bfi\bic\bca\bat\bti\bio\bon\bn determines which commands a user may
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
run (and as what user) on specified hosts. By default,
commands are run as r\bro\boo\bot\bt, but this can be changed on a
per-command basis.
Then user d\bdg\bgb\bb is now allowed to run _\b/_\bb_\bi_\bn_\b/_\bl_\bs as o\bop\bpe\ber\bra\bat\bto\bor\br,
but _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as r\bro\boo\bot\bt.
- N\bNO\bOP\bPA\bAS\bSS\bSW\bWD\bD a\ban\bnd\bd P\bPA\bAS\bSS\bSW\bWD\bD
+ T\bTa\bag\bg_\b_S\bSp\bpe\bec\bc
+
+ A command may have zero or more tags associated with it.
+ There are four possible tag values, NOPASSWD, PASSWD,
+ NOEXEC, EXEC. Once a tag is set on a Cmnd, subsequent
+ Cmnds in the Cmnd_Spec_List, inherit the tag unless it is
+ overridden by the opposite tag (ie: PASSWD overrides
+ NOPASSWD and EXEC overrides NOEXEC).
+
+ _\bN_\bO_\bP_\bA_\bS_\bS_\bW_\bD _\ba_\bn_\bd _\bP_\bA_\bS_\bS_\bW_\bD
By default, s\bsu\bud\bdo\bo requires that a user authenticate him or
herself before running a command. This behavior can be
_\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bl_\bp_\br_\bm as root on the machine rushmore as r\bro\boo\bot\bt
without authenticating himself. If we only want r\bra\bay\by to be
able to run _\b/_\bb_\bi_\bn_\b/_\bk_\bi_\bl_\bl without a password the entry would
- be:
- ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
+1.6.8 May 16, 2004 14
-1.6.7 March 13, 2003 13
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ be:
+ ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm
Note, however, that the PASSWD tag has no effect on users
who are in the group specified by the exempt_group option.
tain to the current host. This behavior may be overridden
via the verifypw and listpw options.
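Review bot: the new Cmnd_Spec production uses Tag_Spec*, so the grammar accepts a tag together with its opposite on the same Cmnd (for instance NOPASSWD: PASSWD: /bin/ls); the Tag_Spec paragraph only says that later Cmnds in the Cmnd_Spec_List inherit a tag until the opposite tag overrides it, so please state which tag takes effect when both appear on one Cmnd (presumably the last one written), or tighten the grammar. The corrected User_Spec production, with (':' Host_List '=' Cmnd_Spec_List)* in place of the old (':' User_Spec)*, now matches the examples such as the ray rushmore entry, and the User_list/User_List capitalization mismatch is fixed.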
+ _\bN_\bO_\bE_\bX_\bE_\bC _\ba_\bn_\bd _\bE_\bX_\bE_\bC
+
+ If sudo has been compiled with _\bn_\bo_\be_\bx_\be_\bc support and the
+ underlying operating system support it, the NOEXEC tag can
+ be used to prevent a dynamically-linked executable from
+ running further commands itself.
+
+ In the following example, user a\baa\bar\bro\bon\bn may run _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bm_\bo_\br_\be
+ and _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bv_\bi but shell escapes will be disabled.
+
+ aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi
+
+ See the P\bPR\bRE\bEV\bVE\bEN\bNT\bTI\bIN\bNG\bG S\bSH\bHE\bEL\bLL\bL E\bES\bSC\bCA\bAP\bPE\bES\bS section below for more
+ details on how _\bn_\bo_\be_\bx_\be_\bc works and whether or not it will
+ work on your system.
+
W\bWi\bil\bld\bdc\bca\bar\brd\bds\bs (\b(a\bak\bka\ba m\bme\bet\bta\ba c\bch\bha\bar\bra\bac\bct\bte\ber\brs\bs)\b):\b:
s\bsu\bud\bdo\bo allows shell-style _\bw_\bi_\bl_\bd_\bc_\ba_\br_\bd_\bs to be used in pathnames
line arguments, however, a slash d\bdo\boe\bes\bs get matched by wild
cards. This is to make a path like:
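Review bot: grammar in the first sentence of the NOEXEC and EXEC subsection: "the underlying operating system support it" should read "supports it". The example aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi depends on tag inheritance to cover vi, which the Tag_Spec paragraph above documents, so that reads correctly.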
+
+
+1.6.8 May 16, 2004 15
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
/usr/bin/*
- match /usr/bin/who but not /usr/bin/X11/xterm.
+ match _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bw_\bh_\bo but not _\b/_\bu_\bs_\br_\b/_\bb_\bi_\bn_\b/_\bX_\b1_\b1_\b/_\bx_\bt_\be_\br_\bm.
E\bEx\bxc\bce\bep\bpt\bti\bio\bon\bns\bs t\bto\bo w\bwi\bil\bld\bdc\bca\bar\brd\bd r\bru\bul\ble\bes\bs:\b:
Both the comment character and any text after it, up to
the end of the line, are ignored.
-
-
-1.6.7 March 13, 2003 14
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
- The reserved word A\bAL\bLL\bL is a built in _\ba_\bl_\bi_\ba_\bs that always
+ The reserved word A\bAL\bLL\bL is a built-in _\ba_\bl_\bi_\ba_\bs that always
causes a match to succeed. It can be used wherever one
might otherwise use a Cmnd_Alias, User_Alias, Runas_Alias,
or Host_Alias. You should not try to define your own
- _\ba_\bl_\bi_\ba_\bs called A\bAL\bLL\bL as the built in alias will be used in
+ _\ba_\bl_\bi_\ba_\bs called A\bAL\bLL\bL as the built-in alias will be used in
preference to your own. Please note that using A\bAL\bLL\bL can be
dangerous since in a command context, it allows the user
to run a\ban\bny\by command on the system.
An exclamation point ('!') can be used as a logical _\bn_\bo_\bt
operator both in an _\ba_\bl_\bi_\ba_\bs and in front of a Cmnd. This
allows one to exclude certain values. Note, however, that
- using a ! in conjunction with the built in ALL alias to
+ using a ! in conjunction with the built-in ALL alias to
allow a user to run "all but a few" commands rarely works
as intended (see SECURITY NOTES below).
Below are example _\bs_\bu_\bd_\bo_\be_\br_\bs entries. Admittedly, some of
these are a bit contrived. First, we define our _\ba_\bl_\bi_\ba_\bs_\be_\bs:
+
+
+
+
+
+
+1.6.8 May 16, 2004 16
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
# User alias specification
User_Alias FULLTIMERS = millert, mikef, dowdy
User_Alias PARTTIMERS = bostley, jwfox, crawl
Host_Alias SERVERS = master, mail, www, ns
Host_Alias CDROM = orion, perseus, hercules
-
-
-
-
-
-
-
-1.6.7 March 13, 2003 15
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
# Cmnd alias specification
Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\
/usr/sbin/restore, /usr/sbin/rrestore
the year in each log line since the log entries will be
kept around for several years.
- # Override built in defaults
+ # Override built-in defaults
Defaults syslog=auth
Defaults>root !set_logname
Defaults:FULLTIMERS !lecture
The _\bU_\bs_\be_\br _\bs_\bp_\be_\bc_\bi_\bf_\bi_\bc_\ba_\bt_\bi_\bo_\bn is the part that actually deter
mines who may run what.
+
+
+
+
+1.6.8 May 16, 2004 17
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
root ALL = (ALL) ALL
%wheel ALL = (ALL) ALL
jack CSNETS = ALL
The user j\bja\bac\bck\bk may run any command on the machines in the
-
-
-
-1.6.7 March 13, 2003 16
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
_\bC_\bS_\bN_\bE_\bT_\bS alias (the networks 128.138.243.0, 128.138.204.0,
and 128.138.242.0). Of those networks, only 128.138.204.0
has an explicit netmask (in CIDR notation) indicating it
The user b\bbo\bob\bb may run anything on the _\bS_\bP_\bA_\bR_\bC and _\bS_\bG_\bI
machines as any user listed in the _\bO_\bP Runas_Alias (r\bro\boo\bot\bt
+
+
+
+1.6.8 May 16, 2004 18
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
and o\bop\bpe\ber\bra\bat\bto\bor\br).
jim +biglab = ALL
john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root*
-
-
-1.6.7 March 13, 2003 17
-
-
-
-
-
-SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
-
-
On the _\bA_\bL_\bP_\bH_\bA machines, user j\bjo\boh\bhn\bn may su to anyone except
root but he is not allowed to give _\bs_\bu(1) any flags.
ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\
/sbin/mount -o nosuid\,nodev /dev/cd0a /CDROM
+
+
+1.6.8 May 16, 2004 19
+
+
+
+
+
+SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+
+
Any user may mount or unmount a CD-ROM on the machines in
the CDROM Host_Alias (orion, perseus, hercules) without
entering a password. This is a bit tedious for users to
restrictions should be considered advisory at best (and
reinforced by policy).
+P\bPR\bRE\bEV\bVE\bEN\bNT\bTI\bIN\bNG\bG S\bSH\bHE\bEL\bLL\bL E\bES\bSC\bCA\bAP\bPE\bES\bS
+ Once s\bsu\bud\bdo\bo executes a program, that program is free to do
+ whatever it pleases, including run other programs. This
+ can be a security issue since it is not uncommon for a
+ program to allow shell escapes, which lets a user bypass
+ s\bsu\bud\bdo\bo's restrictions. Common programs that permit shell
+ escapes include shells (obviously), editors, paginators,
+ mail and terminal programs.
+
+ Many systems that support shared libraries have the abil
+ ity to override default library functions by pointing an
+ environment variable (usually LD_PRELOAD) to an alternate
+ shared library. On such systems, s\bsu\bud\bdo\bo's _\bn_\bo_\be_\bx_\be_\bc function
+ ality can be used to prevent a program run by sudo from
+ executing any other programs. Note, however, that this
+ applies only to native dynamically-linked executables.
+ Statically-linked executables and foreign executables run
+ ning under binary emulation are not affected.
+
+ To tell whether or not s\bsu\bud\bdo\bo supports _\bn_\bo_\be_\bx_\be_\bc, you can run
+ the following as root:
+ # sudo -V | grep "dummy exec"
-1.6.7 March 13, 2003 18
+ If the resulting output contains a line that begins with:
+
+ File containing dummy exec functions:
+
+ then s\bsu\bud\bdo\bo may be able to replace the exec family of func
+ tions in the standard library with its own that simply
+ return an error. Unfortunately, there is no foolproof way
+ to know whether or not _\bn_\bo_\be_\bx_\be_\bc will work at compile-time.
+ _\bN_\bo_\be_\bx_\be_\bc should work on SunOS, Solaris, *BSD, Linux, IRIX,
+
+
+
+1.6.8 May 16, 2004 20
SUDOERS(4) MAINTENANCE COMMANDS SUDOERS(4)
+ Tru64 UNIX, MacOS X, and HP-UX 11.x. It is known n\bno\bot\bt to
+ work on AIX and UnixWare. _\bN_\bo_\be_\bx_\be_\bc is expected to work on
+ most operating systems that support the LD_PRELOAD envi
+ ronment variable. Check your operating system's manual
+ pages for the dynamic linker (usually ld.so, ld.so.1,
+ dyld, dld.sl, rld, or loader) to see if LD_PRELOAD is sup
+ ported.
+
+ To enable _\bn_\bo_\be_\bx_\be_\bc for a command, use the NOEXEC tag as doc
+ umented in the User Specification section above. If you
+ are unsure whether or not your system is capable of sup
+ porting _\bn_\bo_\be_\bx_\be_\bc you can always just try it out and see if
+ it works.
+
+ Note that disabling shell escapes is not a panacea. Pro
+ grams running as root are still capable of many poten
+ tially hazardous operations (such as chaning or overwrit
+ ing files) that could lead to unintended privilege escala
+ tion. In the specific case of an editor, a safer approach
+ is to give the user permission to run the s\bsu\bud\bdo\boe\bed\bdi\bit\bt pro
+ gram.
+
C\bCA\bAV\bVE\bEA\bAT\bTS\bS
The _\bs_\bu_\bd_\bo_\be_\br_\bs file should a\bal\blw\bwa\bay\bys\bs be edited by the v\bvi\bis\bsu\bud\bdo\bo
command which locks the file and does grammatical check
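Review bot: typo in the last paragraph of PREVENTING SHELL ESCAPES: "chaning or overwriting files" should be "changing or overwriting files". The paragraph before it says the check via sudo -V | grep "dummy exec" only shows that the binary was built with noexec support and that there is no compile-time way to know it will work; since the section already sends the reader to the NOEXEC tag in the User Specification section, consider also stating there that the tag is silently ineffective for statically-linked executables, which this section mentions but the NOEXEC and EXEC subsection does not.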
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-1.6.7 March 13, 2003 19
+1.6.8 May 16, 2004 21