.\" Agency (DARPA) and Air Force Research Laboratory, Air Force
.\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
.\"
-.TH "SUDOERS" "5" "February 17, 2015" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDOERS" "5" "February 26, 2015" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
.nh
.if n .ad l
.SH "NAME"
.fi
.PP
Without the
-\(lq\fR=()*\fR\(rq
+\(Lq\fR=()*\fR\(Rq
suffix, this would not match, as old-style
\fBbash\fR
shell functions are not preserved by default.
The complete list of environment variables that
\fBsudo\fR
allows or denies is contained in the output of
-\(lq\fRsudo -V\fR\(rq
+\(Lq\fRsudo -V\fR\(Rq
when run as root.
Please note that this list varies based on the operating system
\fBsudo\fR
operators, which many readers will recognize from regular
expressions.
Do not, however, confuse them with
-\(lqwildcard\(rq
+\(Lqwildcard\(Rq
characters, which have different meanings.
.TP 6n
\fR\&?\fR
.RE
.fi
.PP
+It is a syntax error to redefine an existing
+\fIalias\fR.
+It is possible to use the same name for
+\fIaliases\fR
+of different types, but this is not recommended.
+.PP
The definitions of what constitutes a valid
\fIalias\fR
member follow.
only inspects actual network interfaces; this means that IP address
127.0.0.1 (localhost) will never match.
Also, the host name
-\(lqlocalhost\(rq
+\(Lqlocalhost\(Rq
will only match if that is the actual host name, which is usually
only the case for non-networked systems.
.nf
\(oq=\&\(cq,
\(oq\e\(cq.
The built-in command
-\(lq\fRsudoedit\fR\(rq
+\(Lq\fRsudoedit\fR\(Rq
is used to permit a user to run
\fBsudo\fR
with the
\fBsudoedit\fR).
It may take command line arguments just as a normal command does.
Note that
-\(lq\fRsudoedit\fR\(rq
+\(Lq\fRsudoedit\fR\(Rq
is a command built into
\fBsudo\fR
itself and must be specified in
but this can be changed on a per-command basis.
.PP
The basic structure of a user specification is
-\(lqwho where = (as_whom) what\(rq.
+\(Lqwho where = (as_whom) what\(Rq.
Let's break that down into its constituent parts:
.SS "Runas_Spec"
A
.fi
.PP
In addition, there are several
-\(lqspecial\(rq
+\(Lqspecial\(Rq
privilege strings:
.TP 10n
none
\fRNOPASSWD\fR
tag is applied to any of the entries for a user on the current host,
he or she will be able to run
-\(lq\fRsudo -l\fR\(rq
+\(Lq\fRsudo -l\fR\(Rq
without a password.
Additionally, a user may only run
-\(lq\fRsudo -v\fR\(rq
+\(Lq\fRsudo -v\fR\(Rq
without a password if the
\fRNOPASSWD\fR
tag is present for all a user's entries that pertain to the current host.
and
fnmatch(3)
functions as specified by
-IEEE Std 1003.1 (\(lqPOSIX.1\(rq).
+IEEE Std 1003.1 (\(LqPOSIX.1\(Rq).
Note that these are
\fInot\fR
regular expressions.
\fR%h\fR
escape, signifying the short form of the host name.
In other words, if the machine's host name is
-\(lqxerxes\(rq,
+\(Lqxerxes\(Rq,
then
.nf
.sp
\fBvisudo\fR
with the
\fB\-f\fR
-flag to edit the files directly.
+flag to edit the files directly, but this will not catch the
+redefinition of an
+\fIalias\fR
+that is also present in a different file.
.SS "Other special characters and reserved words"
The pound sign
(\(oq#\(cq)
.PP
it would explicitly deny root but not match any other users.
This is different from a true
-\(lqnegation\(rq
+\(Lqnegation\(Rq
operator.
.PP
Note, however, that using a
in conjunction with the built-in
\fBALL\fR
alias to allow a user to run
-\(lqall but a few\(rq
+\(Lqall but a few\(Rq
commands rarely works as intended (see
\fISECURITY NOTES\fR
below).
In other words, instead of myhost you would use myhost.mydomain.edu.
You may still use the short form if you wish (and even mix the two).
This option is only effective when the
-\(lqcanonical\(rq
+\(Lqcanonical\(Rq
host name, as returned by the
\fBgetaddrinfo\fR()
or
If the system is configured to use the
\fI/etc/hosts\fR
file in preference to DNS, the
-\(lqcanonical\(rq
+\(Lqcanonical\(Rq
host name may not be fully-qualified.
The order that sources are queried for host name resolution
is usually specified in the
In the
\fI/etc/hosts\fR
file, the first host name of the entry is considered to be the
-\(lqcanonical\(rq
+\(Lqcanonical\(Rq
name; subsequent names are aliases that are not used by
\fBsudoers\fR.
For example, the following hosts file line for the machine
-\(lqxyzzy\(rq
+\(Lqxyzzy\(Rq
has the fully-qualified domain name as the
-\(lqcanonical\(rq
+\(Lqcanonical\(Rq
host name, and the short version as an alias.
.sp
.RS 24n
unusable if DNS stops working (for example if the machine is disconnected
from the network).
Also note that just like with the hosts file, you must use the
-\(lqcanonical\(rq
+\(Lqcanonical\(Rq
name as DNS knows it.
That is, you may not use a host alias
(\fRCNAME\fR
using a unique session ID that is included in the normal
\fBsudo\fR
log line, prefixed with
-\(lq\fRTSID=\fR\(rq.
+\(Lq\fRTSID=\fR\(Rq.
The
\fIiolog_file\fR
option may be used to control the format of the session ID.
using a unique session ID that is included in the normal
\fBsudo\fR
log line, prefixed with
-\(lq\fRTSID=\fR\(rq.
+\(Lq\fRTSID=\fR\(Rq.
The
\fIiolog_file\fR
option may be used to control the format of the session ID.
\fIpassprompt\fR
will normally only be used if the password prompt provided by systems
such as PAM matches the string
-\(lqPassword:\(rq.
+\(LqPassword:\(Rq.
If
\fIpassprompt_override\fR
is set,
\fBsudo\fR
too.
Disabling this prevents users from
-\(lqchaining\(rq
+\(Lqchaining\(Rq
\fBsudo\fR
commands to get a root shell by doing something like
-\(lq\fRsudo sudo /bin/sh\fR\(rq.
+\(Lq\fRsudo sudo /bin/sh\fR\(Rq.
Note, however, that turning off
\fIroot_sudo\fR
will also prevent root from running
\fBsudo\fR
will prompt for a password even when it would be visible on the screen.
This makes it possible to run things like
-\(lq\fRssh somehost sudo ls\fR\(rq
+\(Lq\fRssh somehost sudo ls\fR\(Rq
since by default,
ssh(1)
does
\fR0\fR
the user's time stamp will never expire.
This can be used to allow users to create or delete their own time stamps via
-\(lq\fRsudo -v\fR\(rq
+\(Lq\fRsudo -v\fR\(Rq
and
-\(lq\fRsudo -k\fR\(rq
+\(Lq\fRsudo -k\fR\(Rq
respectively.
.TP 18n
umask
\fIiolog_file\fR
may contain directory components.
The default is
-\(lq\fR%{seq}\fR\(rq.
+\(Lq\fR%{seq}\fR\(Rq.
.sp
See the
\fIiolog_dir\fR
\fR%h\fR
will expand to the host name of the machine.
Default is
-\(lq\fR@mailsub@\fR\(rq.
+\(Lq\fR@mailsub@\fR\(Rq.
.TP 18n
maxseq
The maximum sequence number that will be substituted for the
-\(lq\fR%{seq}\fR\(rq
+\(Lq\fR%{seq}\fR\(Rq
escape in the I/O log file (see the
\fIiolog_dir\fR
description above for more information).
While the value substituted for
-\(lq\fR%{seq}\fR\(rq
+\(Lq\fR%{seq}\fR\(Rq
is in base 36,
\fImaxseq\fR
itself should be expressed in decimal.
Values larger than 2176782336 (which corresponds to the
base 36 sequence number
-\(lqZZZZZZ\(rq)
+\(LqZZZZZZ\(Rq)
will be silently truncated to 2176782336.
The default value is 2176782336.
.sp
Once the local sequence number reaches the value of
\fImaxseq\fR,
it will
-\(lqroll over\(rq
+\(Lqroll over\(Rq
to zero, after which
\fBsudoers\fR
will truncate and re-use any existing I/O log path names.
\fB\-i\fR
option is specified.
The default value is
-\(lq\fR@pam_login_service@\fR\(rq.
+\(Lq\fR@pam_login_service@\fR\(Rq.
See the description of
\fIpam_service\fR
for more information.
\fI/etc/pam.d\fR
directory.
The default value is
-\(lq\fRsudo\fR\(rq.
+\(Lq\fRsudo\fR\(Rq.
.sp
This setting is only supported by version 1.8.8 or higher.
.TP 18n
character
.PP
The default value is
-\(lq\fR@passprompt@\fR\(rq.
+\(Lq\fR@passprompt@\fR\(Rq.
.RE
.TP 18n
privs
sending email.
Note that changing the locale may affect how sudoers is interpreted.
Defaults to
-\(lq\fRC\fR\(rq.
+\(Lq\fRC\fR\(Rq.
.TP 18n
timestampdir
The directory in which
option specifies the fully qualified path to a file containing variables
to be set in the environment of the program being run.
Entries in this file should either be of the form
-\(lq\fRVARIABLE=value\fR\(rq
+\(Lq\fRVARIABLE=value\fR\(Rq
or
-\(lq\fRexport VARIABLE=value\fR\(rq.
+\(Lq\fRexport VARIABLE=value\fR\(Rq.
The value may optionally be surrounded by single or double quotes.
Variables in this file are subject to other
\fBsudo\fR
.TP 14n
mailfrom
Address to use for the
-\(lqfrom\(rq
+\(Lqfrom\(Rq
address when sending warning and error mail.
The address should be enclosed in double quotes
(\&"")
\fRPATH\fR
environment variable you may want to use this.
Another use is if you want to have the
-\(lqroot path\(rq
+\(Lqroot path\(Rq
be separate from the
-\(lquser path\(rq.
+\(Lquser path\(Rq.
Users in the group specified by the
\fIexempt_group\fR
option are not affected by
env_check
Environment variables to be removed from the user's environment
unless they are considered
-\(lqsafe\(rq.
+\(Lqsafe\(Rq.
For all variables except
\fRTZ\fR,
-\(lqsafe\(rq
+\(Lqsafe\(Rq
means that the variable's value does not contain any
\(oq%\(cq
or
date
The date the command was run.
Typically, this is in the format
-\(lqMMM, DD, HH:MM:SS\(rq.
+\(LqMMM, DD, HH:MM:SS\(Rq.
If logging via
syslog(3),
the actual date format is controlled by the syslog daemon.
.TP 14n
ttyname
The short name of the terminal (e.g.\&
-\(lqconsole\(rq,
-\(lqtty01\(rq,
+\(Lqconsole\(Rq,
+\(Lqtty01\(Rq,
or
-\(lqpts/0\(rq)
+\(Lqpts/0\(Rq)
\fBsudo\fR
was run on, or
-\(lqunknown\(rq
+\(Lqunknown\(Rq
if there was no terminal present.
.TP 14n
cwd
Messages are logged using the locale specified by
\fIsudoers_locale\fR,
which defaults to the
-\(lq\fRC\fR\(rq
+\(Lq\fRC\fR\(Rq
locale.
.SS "Denied command log entries"
If the user is not allowed to run the command, the reason for the denial
Consider either changing the ownership of
\fI@sysconfdir@/sudoers\fR
or adding an argument like
-\(lqsudoers_uid=N\(rq
+\(Lqsudoers_uid=N\(Rq
(where
\(oqN\(cq
is the user ID that owns the
If you wish to change the
\fIsudoers\fR
file owner, please add
-\(lqsudoers_uid=N\(rq
+\(Lqsudoers_uid=N\(Rq
(where
\(oqN\(cq
is the user ID that owns the
file must not be world-writable, the default file mode
is 0440 (readable by owner and group, writable by none).
The default mode may be changed via the
-\(lqsudoers_mode\(rq
+\(Lqsudoers_mode\(Rq
option to the
\fBsudoers\fR
\fRPlugin\fR
If you wish to change the
\fIsudoers\fR
file group ownership, please add
-\(lqsudoers_gid=N\(rq
+\(Lqsudoers_gid=N\(Rq
(where
\(oqN\(cq
is the group ID that owns the
\fBsudoers\fR
will split up log messages that are larger than 960 characters
(not including the date, hostname, and the string
-\(lqsudo\(rq).
+\(Lqsudo\(Rq).
When a message is split, additional parts will include the string
-\(lq(command continued)\(rq
+\(Lq(command continued)\(Rq
after the user name and before the continued command line arguments.
.SS "Notes on logging to a file"
If the
netgroup.
\fBsudo\fR
knows that
-\(lqbiglab\(rq
+\(Lqbiglab\(Rq
is a netgroup due to the
\(oq+\(cq
prefix.
.SH "SECURITY NOTES"
.SS "Limitations of the \(oq!\&\(cq operator"
It is generally not effective to
-\(lqsubtract\(rq
+\(Lqsubtract\(Rq
commands from
\fBALL\fR
using the
without a leading path.
However, it may take command line arguments just as a normal command does.
For example, to allow user operator to edit the
-\(lqmessage of the day\(rq
+\(Lqmessage of the day\(Rq
file:
.nf
.sp
.SH "DISCLAIMER"
\fBsudo\fR
is provided
-\(lqAS IS\(rq
+\(LqAS IS\(Rq
and any express or implied warranties, including, but not limited
to, the implied warranties of merchantability and fitness for a
particular purpose are disclaimed.
projects / sudo / commitdiff