From: Todd C. Miller Date: Wed, 26 Jan 2000 21:21:28 +0000 (+0000) Subject: Expanded docs on sudoers 'defaults' options based on INSTALL file info. X-Git-Tag: SUDO_1_6_3~59 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=192d3383223003751ac00ec50b2e237d3486b65f;p=sudo Expanded docs on sudoers 'defaults' options based on INSTALL file info. --- diff --git a/sudoers.cat b/sudoers.cat index 936d734e5..6fe75ea7a 100644 --- a/sudoers.cat +++ b/sudoers.cat @@ -61,7 +61,7 @@ DDDDEEEESSSSCCCCRRRRIIIIPPPPTTTTIIIIOOOONNNN -23/Jan/2000 1.6.2 1 +26/Jan/2000 1.6.2 1 @@ -127,7 +127,7 @@ sudoers(5) FILE FORMATS sudoers(5) -23/Jan/2000 1.6.2 2 +26/Jan/2000 1.6.2 2 @@ -193,7 +193,7 @@ sudoers(5) FILE FORMATS sudoers(5) -23/Jan/2000 1.6.2 3 +26/Jan/2000 1.6.2 3 
@@ -225,147 +225,284 @@ sudoers(5) FILE FORMATS sudoers(5) FFFFllllaaaaggggssss: long_otp_prompt - Put OTP prompt on its own line + When validating with a One Time Password + scheme (SSSS////KKKKeeeeyyyy or OOOOPPPPIIIIEEEE), a two-line prompt is + used to make it easier to cut and paste the + challenge to a local window. It's not as + pretty as the default but some people find it + more convenient. This flag is off by default. - ignore_dot Ignore '.' in $PATH + ignore_dot If set, ssssuuuuddddoooo will ignore '.' or '' (current + dir) in $PATH; the $PATH itself is not + modified. This flag is off by default. - mail_always Always send mail when sudo is run + mail_always Send mail to the _m_a_i_l_t_o user every time a + users runs sudo. This flag is off by default. mail_no_user - Send mail if the user is not in sudoers + If set, mail will be sent to the _m_a_i_l_t_o user + if the invoking user is not in the _s_u_d_o_e_r_s + file. This flag is on by default. mail_no_host - Send mail if the user is not in sudoers for - this host + If set, mail will be sent to the _m_a_i_l_t_o user + if the invoking user exists in the _s_u_d_o_e_r_s + file, but is not allowed to run commands on + the current host. This flag is off by + default. mail_no_perms - Send mail if the user is not allowed to run a - command + If set, mail will be sent to the _m_a_i_l_t_o user + if the invoking user allowed to use sudo but + the command they are trying is not listed in + their _s_u_d_o_e_r_s file entry. This flag is off by - tty_tickets Use a separate timestamp for each user/tty - combo - lecture Lecture user the first time they run sudo - authenticate - Require users to authenticate by default +26/Jan/2000 1.6.2 4 - root_sudo Root may run sudo - log_host Log the hostname in the (non-syslog) log file - log_year Log the year in the (non-syslog) log file +sudoers(5) FILE FORMATS sudoers(5) -23/Jan/2000 1.6.2 4 + default. + tty_tickets If set, users must authenticate on a per-tty + basis. 
Normally, ssssuuuuddddoooo uses a directory in the + ticket dir with the same name as the user + running it. With this flag enabled, ssssuuuuddddoooo will + use a file named for the tty the user is + logged in on in that directory. This flag is + off by default. + lecture If set, a user will receive a short lecture + the first time he/she runs ssssuuuuddddoooo. This flag is + on by default. + authenticate + If set, users must authenticate themselves via + a password (or other means of authentication) + before they may run commands. This default + may be overridden via the PASSWD and NOPASSWD + tags. This flag is on by default. + + root_sudo If set, root is allowed to run sudo too. + Disabling this prevents users from "chaining" + sudo commands to get a root shell by doing + something like "sudo sudo /bin/sh". This flag + is on by default. + + log_host If set, the hostname will be logged in the + (non-syslog) ssssuuuuddddoooo log file. This flag is off + by default. + + log_year If set, the four-digit year will be logged in + the (non-syslog) ssssuuuuddddoooo log file. This flag is + off by default. + shell_noargs + If set and ssssuuuuddddoooo is invoked with no arguments + it acts as if the -s flag had been given. + That is, it runs a shell as root (the shell is + determined by the SHELL environment variable + if it is set, falling back on the shell listed + in the invoking user's /etc/passwd entry if + not). This flag is off by default. -sudoers(5) FILE FORMATS sudoers(5) + set_home If set and ssssuuuuddddoooo is invoked with the -s flag + the HOME environment variable will be set to + the home directory of the target user (which + is root unless the -u option is used). This + effectively makes the -s flag imply -H. This + flag is off by default. + + path_info Normally, ssssuuuuddddoooo will tell the user when a + command could not be found in their $PATH. 
+ Some sites may wish to disable this as it - shell_noargs - If sudo is invoked with no arguments, start a - shell - set_home Set $HOME to the target user when starting a - shell with -s +26/Jan/2000 1.6.2 5 - path_info Allow some information gathering to give - useful error messages - fqdn Require fully-qualified hostnames in the - sudoers file - insults Insult the user when they enter an incorrect - password - requiretty Only allow the user to run sudo if they have a - tty + +sudoers(5) FILE FORMATS sudoers(5) + + + could be used to gather information on the + location of executables that the normal user + does not have access to. The disadvantage is + that if the executable is simply not in the + user's $PATH, ssssuuuuddddoooo will tell the user that + they are not allowed to run it, which can be + confusing. This flag is off by default. + + fqdn Set this flag if you want to put fully + qualified hostnames in the _s_u_d_o_e_r_s file. Ie: + instead of myhost you would use + myhost.mydomain.edu. You may still use the + short form if you wish (and even mix the two). + Beware that turning on _f_q_d_n requires sudo to + make DNS lookups which may make ssssuuuuddddoooo unusable + if DNS stops working (for example if the + machine is not plugged into the network). + Also note that you must use the host's + official name as DNS knows it. That is, you + may not use a host alias (CNAME entry) due to + performance issues and the fact that there is + no way to get all aliases from DNS. If your + machine's hostname (as returned by the + hostname command) is already fully qualified + you shouldn't need to set _f_q_f_n. This flag is + off by default. + + insults If set, sudo will insult users when they enter + an incorrect password. This flag is off by + default. + + requiretty If set, sudo will only run when the user is + logged in to a real tty. This will disallow + things like "rsh somehost sudo ls" since + _r_s_h(1) does not allocate a tty. 
Because it is + not possible to turn of echo when there is no + tty present, some sites may with to set this + flag to prevent a user from entering a visible + password. This flag is off by default. IIIInnnntttteeeeggggeeeerrrrssss: passwd_tries - Number of tries to enter a password + The number of tries a user gets to enter + his/her password before sudo logs the failure + and exits. The default is 3. IIIInnnntttteeeeggggeeeerrrrssss tttthhhhaaaatttt ccccaaaannnn bbbbeeee uuuusssseeeedddd iiiinnnn aaaa bbbboooooooolllleeeeaaaannnn ccccoooonnnntttteeeexxxxtttt: - loglinelen Length at which to wrap log file lines (use 0 - or negate for no wrap) + loglinelen Number of characters per line for the file + log. This value is used to decide when to + wrap lines for nicer log files. This has no + effect on the syslog log file, only the file + log. The default is 80 (use 0 or negate to + + + +26/Jan/2000 1.6.2 6 + + + + + +sudoers(5) FILE FORMATS sudoers(5) + + + disable word wrap). timestamp_timeout - Authentication timestamp timeout + Number of minutes that can elapse before ssssuuuuddddoooo + will ask for a passwd again. The default is + 5, set this to 0 to always prompt for a + password. passwd_timeout - Password prompt timeout + Number of minutes before the sudo password + prompt times out. The default is 5, set this + to 0 for no password timeout. - umask Umask to use or 0777 to use user's + umask Umask to use when running the root command. + Set this to 0777 to not override the user's + umask. The default is 0022. SSSSttttrrrriiiinnnnggggssss: - mailsub Subject line for mail messages + mailsub Subject of the mail sent to the _m_a_i_l_t_o user. + The escape %h will expand to the hostname of + the machine. Default is "*** SECURITY + information for %h ***". badpass_message - Incorrect password message + Message that is displayed if a user enters an + incorrect password. The default is "Sorry, + try again." unless insults are enabled. 
timestampdir - Path to authentication timestamp dir - - passprompt Default password prompt + The directory in which ssssuuuuddddoooo stores its + timestamp files. The default is either + /var/run/sudo or /tmp/sudo. + + passprompt The default prompt to use when asking for a + password; can be overridden via the -p option + or the SUDO_PROMPT environment variable. + Supports two escapes: "%u" expands to the + user's login name and "%h" expands to the + local hostname. The default value is + "Password:". runas_default - Default user to run commands as + The default user to run commands as if the -u + flag is not specified on the command line. + This defaults to "root". syslog_goodpri Syslog priority to use when user authenticates + successfully. Defaults to "notice". + syslog_badpri + Syslog priority to use when user authenticates + unsuccessfully. Defaults to "alert". -23/Jan/2000 1.6.2 5 - +26/Jan/2000 1.6.2 7 -sudoers(5) FILE FORMATS sudoers(5) - successfully +sudoers(5) FILE FORMATS sudoers(5) - syslog_badpri - Syslog priority to use when user authenticates - unsuccessfully SSSSttttrrrriiiinnnnggggssss tttthhhhaaaatttt ccccaaaannnn bbbbeeee uuuusssseeeedddd iiiinnnn aaaa bbbboooooooolllleeeeaaaannnn ccccoooonnnntttteeeexxxxtttt: syslog Syslog facility if syslog is being used for - logging (negate to disable syslog) + logging (negate to disable syslog logging). + Defaults to "local2". - mailerpath Path to mail program + mailerpath Path to mail program used to send warning + mail. Defaults to the path to sendmail found + at configure time. - mailerflags Flags for mail program + mailerflags Flags to use when invoking mailer. Defaults to + -t. - mailto Address to send mail to + mailto Address to send warning and erorr mail to. + Defaults to "root". exempt_group Users in this group are exempt from password - and PATH requirements + and PATH requirements. This is not set by + default. 
- secure_path Value to override user's $PATH with + secure_path Path used for every command run from ssssuuuuddddoooo. If + you don't trust the people running sudo to + have a sane PATH environment variable you may + want to use this. Another use is if you want + to have the "root path" be separate from the + "user path." This is not set by default. verifypw This option controls when a password will be required when a user runs sudo with the ----vvvv. It has the following possible values: - all All the user's sudoers entries for the + all All the user's I entries for the current host must have the C flag set to avoid entering a password. - any At least one of the user's sudoers entries + any At least one of the user's I entries for the current host must have the C flag set to avoid entering a password. @@ -382,16 +519,11 @@ sudoers(5) FILE FORMATS sudoers(5) required when a user runs sudo with the ----llll. It has the following possible values: - all All the user's sudoers entries for the - current host must have the C - flag set to avoid entering a password. - - -23/Jan/2000 1.6.2 6 +26/Jan/2000 1.6.2 8 @@ -400,7 +532,11 @@ sudoers(5) FILE FORMATS sudoers(5) sudoers(5) FILE FORMATS sudoers(5) - any At least one of the user's sudoers entries + all All the user's I entries for the + current host must have the C + flag set to avoid entering a password. + + any At least one of the user's I entries for the current host must have the C flag set to avoid entering a password. @@ -450,14 +586,10 @@ sudoers(5) FILE FORMATS sudoers(5) commands that follow it. What this means is that for the entry: - dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/who - - The user ddddggggbbbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m - -- but only as ooooppppeeeerrrraaaattttoooorrrr. Eg. -23/Jan/2000 1.6.2 7 +26/Jan/2000 1.6.2 9 
@@ -466,6 +598,11 @@ sudoers(5) FILE FORMATS sudoers(5) sudoers(5) FILE FORMATS sudoers(5) + dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/who + + The user ddddggggbbbb may run _/_b_i_n_/_l_s, _/_b_i_n_/_k_i_l_l, and _/_u_s_r_/_b_i_n_/_l_p_r_m + -- but only as ooooppppeeeerrrraaaattttoooorrrr. Eg. + sudo -u operator /bin/ls. It is also possible to override a Runas_Spec later on in @@ -515,22 +652,21 @@ sudoers(5) FILE FORMATS sudoers(5) * Matches any set of zero or more characters. - ? Matches any single character. - - [...] Matches any character in the specified range. +26/Jan/2000 1.6.2 10 -23/Jan/2000 1.6.2 8 +sudoers(5) FILE FORMATS sudoers(5) -sudoers(5) FILE FORMATS sudoers(5) + ? Matches any single character. + [...] Matches any character in the specified range. [!...] Matches any character nnnnooootttt in the specified range. @@ -583,13 +719,9 @@ sudoers(5) FILE FORMATS sudoers(5) Long lines can be continued with a backslash ('\') as the last character on the line. - Whitespace between elements in a list as well as specicial - syntactic characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n ('=', ':', - '(', ')') is optional. - -23/Jan/2000 1.6.2 9 +26/Jan/2000 1.6.2 11 @@ -598,6 +730,10 @@ sudoers(5) FILE FORMATS sudoers(5) sudoers(5) FILE FORMATS sudoers(5) + Whitespace between elements in a list as well as specicial + syntactic characters in a _U_s_e_r _S_p_e_c_i_f_i_c_a_t_i_o_n ('=', ':', + '(', ')') is optional. + The following characters must be escaped with a backslash ('\') when used as part of a word (eg. a username or hostname): '@', '!', '=', ':', ',', '(', ')', '\'. @@ -647,15 +783,11 @@ EEEEXXXXAAAAMMMMPPPPLLLLEEEESSSS sure we log the year in each log line since the log entries will be kept around for several years. - # Override builtin defaults - Defaults syslog=auth - Defaults:FULLTIMERS !lecture - Defaults:millert !authenticate - Defaults@SERVERS log_year, logfile=/var/log/sudo.log -23/Jan/2000 1.6.2 10 + +26/Jan/2000 1.6.2 12 
@@ -664,6 +796,12 @@ EEEEXXXXAAAAMMMMPPPPLLLLEEEESSSS sudoers(5) FILE FORMATS sudoers(5) + # Override builtin defaults + Defaults syslog=auth + Defaults:FULLTIMERS !lecture + Defaults:millert !authenticate + Defaults@SERVERS log_year, logfile=/var/log/sudo.log + The _U_s_e_r _s_p_e_c_i_f_i_c_a_t_i_o_n is the part that actually determines who may run what. @@ -713,15 +851,9 @@ sudoers(5) FILE FORMATS sudoers(5) pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root - The user ppppeeeetttteeee is allowed to change anyone's password - except for root on the _H_P_P_A machines. Note that this - assumes _p_a_s_s_w_d(1) does not take multiple usernames on the - command line. - - -23/Jan/2000 1.6.2 11 +26/Jan/2000 1.6.2 13 @@ -730,6 +862,11 @@ sudoers(5) FILE FORMATS sudoers(5) sudoers(5) FILE FORMATS sudoers(5) + The user ppppeeeetttteeee is allowed to change anyone's password + except for root on the _H_P_P_A machines. Note that this + assumes _p_a_s_s_w_d(1) does not take multiple usernames on the + command line. + bob SPARC = (OP) ALL : SGI = (OP) ALL The user bbbboooobbbb may run anything on the _S_P_A_R_C and _S_G_I @@ -780,14 +917,9 @@ sudoers(5) FILE FORMATS sudoers(5) On his personal workstation, valkyrie, mmmmaaaatttttttt needs to be able to kill hung processes. - WEBMASTERS www = (www) ALL, (root) /usr/bin/su www - - On the host www, any user in the _W_E_B_M_A_S_T_E_R_S User_Alias - (will, wendy, and wim), may run any command as user www - -23/Jan/2000 1.6.2 12 +26/Jan/2000 1.6.2 14 @@ -796,6 +928,10 @@ sudoers(5) FILE FORMATS sudoers(5) sudoers(5) FILE FORMATS sudoers(5) + WEBMASTERS www = (www) ALL, (root) /usr/bin/su www + + On the host www, any user in the _W_E_B_M_A_S_T_E_R_S User_Alias + (will, wendy, and wim), may run any command as user www (which owns the web pages) or simply _s_u(1) to www. ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\ @@ -849,11 +985,7 @@ SSSSEEEEEEEE AAAALLLLSSSSOOOO - - - - -23/Jan/2000 1.6.2 13 +26/Jan/2000 1.6.2 15 
@@ -919,6 +1051,6 @@ sudoers(5) FILE FORMATS sudoers(5) -23/Jan/2000 1.6.2 14 +26/Jan/2000 1.6.2 16 diff --git a/sudoers.man b/sudoers.man index 62a087d17..310c28852 100644 --- a/sudoers.man +++ b/sudoers.man @@ -2,8 +2,8 @@ ''' $RCSfile$$Revision$$Date$ ''' ''' $Log$ -''' Revision 1.22 2000/01/24 03:57:49 millert -''' Add netgroup caveat +''' Revision 1.23 2000/01/26 21:21:28 millert +''' Expanded docs on sudoers 'defaults' options based on INSTALL file info. ''' ''' .de Sh @@ -96,7 +96,7 @@ .nr % 0 .rr F .\} -.TH sudoers 5 "1.6.2" "23/Jan/2000" "FILE FORMATS" +.TH sudoers 5 "1.6.2" "26/Jan/2000" "FILE FORMATS" .UC .if n .hy 0 .if n .na 
@@ -376,96 +376,172 @@ be escaped with a backslash (\f(CW\e\fR). .PP \fBFlags\fR: .Ip "long_otp_prompt" 12 -Put \s-1OTP\s0 prompt on its own line +When validating with a One Time Password scheme (\fBS/Key\fR or \fB\s-1OPIE\s0\fR), +a two-line prompt is used to make it easier to cut and paste the +challenge to a local window. It's not as pretty as the default but +some people find it more convenient. This flag is off by default. .Ip "ignore_dot" 12 -Ignore \*(L'.\*(R' in \f(CW$PATH\fR +If set, \fBsudo\fR will ignore \*(L'.\*(R' or \*(L'\*(R' (current dir) in \f(CW$PATH\fR; +the \f(CW$PATH\fR itself is not modified. This flag is off by default. .Ip "mail_always" 12 -Always send mail when sudo is run +Send mail to the \fImailto\fR user every time a users runs sudo. +This flag is off by default. .Ip "mail_no_user" 12 -Send mail if the user is not in sudoers +If set, mail will be sent to the \fImailto\fR user if the invoking +user is not in the \fIsudoers\fR file. This flag is on by default. .Ip "mail_no_host" 12 -Send mail if the user is not in sudoers for this host +If set, mail will be sent to the \fImailto\fR user if the invoking +user exists in the \fIsudoers\fR file, but is not allowed to run +commands on the current host. This flag is off by default. .Ip "mail_no_perms" 12 -Send mail if the user is not allowed to run a command +If set, mail will be sent to the \fImailto\fR user if the invoking +user allowed to use sudo but the command they are trying is not +listed in their \fIsudoers\fR file entry. This flag is off by default. .Ip "tty_tickets" 12 -Use a separate timestamp for each user/tty combo +If set, users must authenticate on a per-tty basis. Normally, +\fBsudo\fR uses a directory in the ticket dir with the same name as +the user running it. With this flag enabled, \fBsudo\fR will use a +file named for the tty the user is logged in on in that directory. +This flag is off by default. 
.Ip "lecture" 12 -Lecture user the first time they run sudo +If set, a user will receive a short lecture the first time he/she +runs \fBsudo\fR. This flag is on by default. .Ip "authenticate" 12 -Require users to authenticate by default +If set, users must authenticate themselves via a password (or other +means of authentication) before they may run commands. This default +may be overridden via the \f(CWPASSWD\fR and \f(CWNOPASSWD\fR tags. +This flag is on by default. .Ip "root_sudo" 12 -Root may run sudo +If set, root is allowed to run sudo too. Disabling this prevents users +from \*(L"chaining\*(R" sudo commands to get a root shell by doing something +like \f(CW"sudo sudo /bin/sh"\fR. +This flag is on by default. .Ip "log_host" 12 -Log the hostname in the (non-syslog) log file +If set, the hostname will be logged in the (non-syslog) \fBsudo\fR log file. +This flag is off by default. .Ip "log_year" 12 -Log the year in the (non-syslog) log file +If set, the four-digit year will be logged in the (non-syslog) \fBsudo\fR log file. +This flag is off by default. .Ip "shell_noargs" 12 -If sudo is invoked with no arguments, start a shell +If set and \fBsudo\fR is invoked with no arguments it acts as if the +\f(CW-s\fR flag had been given. That is, it runs a shell as root (the +shell is determined by the \f(CWSHELL\fR environment variable if it is +set, falling back on the shell listed in the invoking user's +/etc/passwd entry if not). This flag is off by default. .Ip "set_home" 12 -Set \f(CW$HOME\fR to the target user when starting a shell with \f(CW-s\fR +If set and \fBsudo\fR is invoked with the \f(CW-s\fR flag the \f(CWHOME\fR +environment variable will be set to the home directory of the target +user (which is root unless the \f(CW-u\fR option is used). This effectively +makes the \f(CW-s\fR flag imply \f(CW-H\fR. This flag is off by default. 
.Ip "path_info" 12 -Allow some information gathering to give useful error messages +Normally, \fBsudo\fR will tell the user when a command could not be +found in their \f(CW$PATH\fR. Some sites may wish to disable this as +it could be used to gather information on the location of executables +that the normal user does not have access to. The disadvantage is +that if the executable is simply not in the user's \f(CW$PATH\fR, \fBsudo\fR +will tell the user that they are not allowed to run it, which can +be confusing. This flag is off by default. .Ip "fqdn" 12 -Require fully-qualified hostnames in the sudoers file +Set this flag if you want to put fully qualified hostnames in the +\fIsudoers\fR file. Ie: instead of myhost you would use myhost.mydomain.edu. +You may still use the short form if you wish (and even mix the two). +Beware that turning on \fIfqdn\fR requires sudo to make \s-1DNS\s0 lookups +which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example +if the machine is not plugged into the network). Also note that +you must use the host's official name as \s-1DNS\s0 knows it. That is, +you may not use a host alias (\f(CWCNAME\fR entry) due to performance +issues and the fact that there is no way to get all aliases from +\s-1DNS\s0. If your machine's hostname (as returned by the \f(CWhostname\fR +command) is already fully qualified you shouldn't need to set +\fIfqfn\fR. This flag is off by default. .Ip "insults" 12 -Insult the user when they enter an incorrect password +If set, sudo will insult users when they enter an incorrect +password. This flag is off by default. .Ip "requiretty" 12 -Only allow the user to run sudo if they have a tty +If set, sudo will only run when the user is logged in to a real +tty. This will disallow things like \f(CW"rsh somehost sudo ls"\fR since +\fIrsh\fR\|(1) does not allocate a tty. 
Because it is not possible to turn +of echo when there is no tty present, some sites may with to set +this flag to prevent a user from entering a visible password. This +flag is off by default. .PP \fBIntegers\fR: .Ip "passwd_tries" 12 -Number of tries to enter a password +The number of tries a user gets to enter his/her password before +sudo logs the failure and exits. The default is 3. .PP \fBIntegers that can be used in a boolean context\fR: .Ip "loglinelen" 12 -Length at which to wrap log file lines (use 0 or negate for no wrap) +Number of characters per line for the file log. This value is used +to decide when to wrap lines for nicer log files. This has no +effect on the syslog log file, only the file log. The default is +80 (use 0 or negate to disable word wrap). .Ip "timestamp_timeout" 12 -Authentication timestamp timeout +Number of minutes that can elapse before \fBsudo\fR will ask for a passwd +again. The default is 5, set this to 0 to always prompt for a password. .Ip "passwd_timeout" 12 -Password prompt timeout +Number of minutes before the sudo password prompt times out. +The default is 5, set this to 0 for no password timeout. .Ip "umask" 12 -Umask to use or 0777 to use user's +Umask to use when running the root command. Set this to 0777 to +not override the user's umask. The default is 0022. .PP \fBStrings\fR: .Ip "mailsub" 12 -Subject line for mail messages +Subject of the mail sent to the \fImailto\fR user. The escape \f(CW%h\fR +will expand to the hostname of the machine. +Default is \*(L"*** \s-1SECURITY\s0 information for \f(CW%h\fR ***\*(R". .Ip "badpass_message" 12 -Incorrect password message +Message that is displayed if a user enters an incorrect password. +The default is \*(L"Sorry, try again.\*(R" unless insults are enabled. .Ip "timestampdir" 12 -Path to authentication timestamp dir +The directory in which \fBsudo\fR stores its timestamp files. +The default is either \f(CW/var/run/sudo\fR or \f(CW/tmp/sudo\fR. 
.Ip "passprompt" 12 -Default password prompt +The default prompt to use when asking for a password; can be overridden +via the \f(CW-p\fR option or the \f(CWSUDO_PROMPT\fR environment variable. Supports +two escapes: \*(L"%u\*(R" expands to the user's login name and \*(L"%h\*(R" expands +to the local hostname. The default value is \*(L"Password:\*(R". .Ip "runas_default" 12 -Default user to run commands as +The default user to run commands as if the \f(CW-u\fR flag is not specified +on the command line. This defaults to \*(L"root\*(R". .Ip "syslog_goodpri" 12 -Syslog priority to use when user authenticates successfully +Syslog priority to use when user authenticates successfully. +Defaults to \*(L"notice\*(R". .Ip "syslog_badpri" 12 -Syslog priority to use when user authenticates unsuccessfully +Syslog priority to use when user authenticates unsuccessfully. +Defaults to \*(L"alert\*(R". .PP \fBStrings that can be used in a boolean context\fR: .Ip "syslog" 12 -Syslog facility if syslog is being used for logging (negate to disable syslog) +Syslog facility if syslog is being used for logging (negate to +disable syslog logging). Defaults to \*(L"local2\*(R". .Ip "mailerpath" 12 -Path to mail program +Path to mail program used to send warning mail. +Defaults to the path to sendmail found at configure time. .Ip "mailerflags" 12 -Flags for mail program +Flags to use when invoking mailer. Defaults to \f(CW-t\fR. .Ip "mailto" 12 -Address to send mail to +Address to send warning and erorr mail to. Defaults to \*(L"root\*(R". .Ip "exempt_group" 12 -Users in this group are exempt from password and \s-1PATH\s0 requirements +Users in this group are exempt from password and \s-1PATH\s0 requirements. +This is not set by default. .Ip "secure_path" 12 -Value to override user's \f(CW$PATH\fR with +Path used for every command run from \fBsudo\fR. If you don't trust the +people running sudo to have a sane \f(CWPATH\fR environment variable you may +want to use this. 
Another use is if you want to have the \*(L"root path\*(R" +be separate from the \*(L"user path.\*(R" This is not set by default. .Ip "verifypw" 12 This option controls when a password will be required when a user runs sudo with the \fB\-v\fR. It has the following possible values: .Sp .Vb 3 -\& all All the user's sudoers entries for the +\& all All the user's I entries for the \& current host must have the C \& flag set to avoid entering a password. .Ve .Vb 4 -\& any At least one of the user's sudoers entries +\& any At least one of the user's I entries \& for the current host must have the \& C flag set to avoid entering a \& password. @@ -484,12 +560,12 @@ This option controls when a password will be required when a user runs sudo with the \fB\-l\fR. It has the following possible values: .Sp .Vb 3 -\& all All the user's sudoers entries for the +\& all All the user's I entries for the \& current host must have the C \& flag set to avoid entering a password. .Ve .Vb 4 -\& any At least one of the user's sudoers entries +\& any At least one of the user's I entries \& for the current host must have the \& C flag set to avoid entering a \& password. diff --git a/sudoers.pod b/sudoers.pod index 23ec6a006..851dac58e 100644 --- a/sudoers.pod +++ b/sudoers.pod 
@@ -223,75 +223,128 @@ B: =item long_otp_prompt -Put OTP prompt on its own line +When validating with a One Time Password scheme (B or B), +a two-line prompt is used to make it easier to cut and paste the +challenge to a local window. It's not as pretty as the default but +some people find it more convenient. This flag is off by default. =item ignore_dot -Ignore '.' in $PATH +If set, B will ignore '.' or '' (current dir) in C<$PATH>; +the C<$PATH> itself is not modified. This flag is off by default. =item mail_always -Always send mail when sudo is run +Send mail to the I user every time a users runs sudo. +This flag is off by default. =item mail_no_user -Send mail if the user is not in sudoers +If set, mail will be sent to the I user if the invoking +user is not in the I file. This flag is on by default. =item mail_no_host -Send mail if the user is not in sudoers for this host +If set, mail will be sent to the I user if the invoking +user exists in the I file, but is not allowed to run +commands on the current host. This flag is off by default. =item mail_no_perms -Send mail if the user is not allowed to run a command +If set, mail will be sent to the I user if the invoking +user allowed to use sudo but the command they are trying is not +listed in their I file entry. This flag is off by default. =item tty_tickets -Use a separate timestamp for each user/tty combo +If set, users must authenticate on a per-tty basis. Normally, +B uses a directory in the ticket dir with the same name as +the user running it. With this flag enabled, B will use a +file named for the tty the user is logged in on in that directory. +This flag is off by default. =item lecture -Lecture user the first time they run sudo +If set, a user will receive a short lecture the first time he/she +runs B. This flag is on by default. 
=item authenticate -Require users to authenticate by default +If set, users must authenticate themselves via a password (or other +means of authentication) before they may run commands. This default +may be overridden via the C and C tags. +This flag is on by default. =item root_sudo -Root may run sudo +If set, root is allowed to run sudo too. Disabling this prevents users +from "chaining" sudo commands to get a root shell by doing something +like C<"sudo sudo /bin/sh">. +This flag is on by default. =item log_host -Log the hostname in the (non-syslog) log file +If set, the hostname will be logged in the (non-syslog) B log file. +This flag is off by default. =item log_year -Log the year in the (non-syslog) log file +If set, the four-digit year will be logged in the (non-syslog) B log file. +This flag is off by default. =item shell_noargs -If sudo is invoked with no arguments, start a shell +If set and B is invoked with no arguments it acts as if the +C<-s> flag had been given. That is, it runs a shell as root (the +shell is determined by the C environment variable if it is +set, falling back on the shell listed in the invoking user's +/etc/passwd entry if not). This flag is off by default. =item set_home -Set $HOME to the target user when starting a shell with C<-s> +If set and B is invoked with the C<-s> flag the C +environment variable will be set to the home directory of the target +user (which is root unless the C<-u> option is used). This effectively +makes the C<-s> flag imply C<-H>. This flag is off by default. =item path_info -Allow some information gathering to give useful error messages +Normally, B will tell the user when a command could not be +found in their C<$PATH>. Some sites may wish to disable this as +it could be used to gather information on the location of executables +that the normal user does not have access to. 
The disadvantage is +that if the executable is simply not in the user's C<$PATH>, B +will tell the user that they are not allowed to run it, which can +be confusing. This flag is off by default. =item fqdn -Require fully-qualified hostnames in the sudoers file +Set this flag if you want to put fully qualified hostnames in the +I file. Ie: instead of myhost you would use myhost.mydomain.edu. +You may still use the short form if you wish (and even mix the two). +Beware that turning on I requires sudo to make DNS lookups +which may make B unusable if DNS stops working (for example +if the machine is not plugged into the network). Also note that +you must use the host's official name as DNS knows it. That is, +you may not use a host alias (C entry) due to performance +issues and the fact that there is no way to get all aliases from +DNS. If your machine's hostname (as returned by the C +command) is already fully qualified you shouldn't need to set +I. This flag is off by default. =item insults -Insult the user when they enter an incorrect password +If set, sudo will insult users when they enter an incorrect +password. This flag is off by default. =item requiretty -Only allow the user to run sudo if they have a tty +If set, sudo will only run when the user is logged in to a real +tty. This will disallow things like C<"rsh somehost sudo ls"> since +rsh(1) does not allocate a tty. Because it is not possible to turn +of echo when there is no tty present, some sites may with to set +this flag to prevent a user from entering a visible password. This +flag is off by default. =back @@ -301,7 +354,8 @@ B: =item passwd_tries -Number of tries to enter a password +The number of tries a user gets to enter his/her password before +sudo logs the failure and exits. The default is 3. =back 
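Review bot: in the sudoers.pod flags hunk (@@ -223,75 +223,128 @@) the new path_info text contradicts itself: it opens with "Normally, sudo will tell the user when a command could not be found in their $PATH" and closes with "This flag is off by default", so either the described behaviour is not the default or the stated default is wrong; if sudo reports the missing command unless a site disables it, the last sentence should read "on by default". The same hunk carries typos that will be copied into the generated sudoers.man and sudoers.cat: "every time a users runs sudo" (mail_always), "if the invoking user allowed to use sudo" (mail_no_perms), "Ie:" (fqdn), the fqdn paragraph telling the reader to set "fqfn" (visible as such in the generated sudoers.cat and sudoers.man lines of this commit), and "turn of echo" / "some sites may with to set" (requiretty). Fix them here and regenerate rather than editing the .man and .cat by hand. For root_sudo, consider saying what the flag does and does not cover: turning it off only blocks the second hop of "sudo sudo /bin/sh"; a user whose own entry already grants a shell (or ALL) does not need the chain, so the flag is about privilege chaining, not about who may get a root shell.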
@@ -311,19 +365,25 @@ B: =item loglinelen -Length at which to wrap log file lines (use 0 or negate for no wrap) +Number of characters per line for the file log. This value is used +to decide when to wrap lines for nicer log files. This has no +effect on the syslog log file, only the file log. The default is +80 (use 0 or negate to disable word wrap). =item timestamp_timeout -Authentication timestamp timeout +Number of minutes that can elapse before B will ask for a passwd +again. The default is 5, set this to 0 to always prompt for a password. =item passwd_timeout -Password prompt timeout +Number of minutes before the sudo password prompt times out. +The default is 5, set this to 0 for no password timeout. =item umask -Umask to use or 0777 to use user's +Umask to use when running the root command. Set this to 0777 to +not override the user's umask. The default is 0022. =back 
@@ -333,31 +393,41 @@ B: =item mailsub -Subject line for mail messages +Subject of the mail sent to the I user. The escape C<%h> +will expand to the hostname of the machine. +Default is "*** SECURITY information for %h ***". =item badpass_message -Incorrect password message +Message that is displayed if a user enters an incorrect password. +The default is "Sorry, try again." unless insults are enabled. =item timestampdir -Path to authentication timestamp dir +The directory in which B stores its timestamp files. +The default is either C or C. =item passprompt -Default password prompt +The default prompt to use when asking for a password; can be overridden +via the C<-p> option or the C environment variable. Supports +two escapes: "%u" expands to the user's login name and "%h" expands +to the local hostname. The default value is "Password:". =item runas_default -Default user to run commands as +The default user to run commands as if the C<-u> flag is not specified +on the command line. This defaults to "root". =item syslog_goodpri -Syslog priority to use when user authenticates successfully +Syslog priority to use when user authenticates successfully. +Defaults to "notice". =item syslog_badpri -Syslog priority to use when user authenticates unsuccessfully +Syslog priority to use when user authenticates unsuccessfully. +Defaults to "alert". =back 12 
@@ -367,38 +437,44 @@ B: =item syslog -Syslog facility if syslog is being used for logging (negate to disable syslog) +Syslog facility if syslog is being used for logging (negate to +disable syslog logging). Defaults to "local2". =item mailerpath -Path to mail program +Path to mail program used to send warning mail. +Defaults to the path to sendmail found at configure time. =item mailerflags -Flags for mail program +Flags to use when invoking mailer. Defaults to C<-t>. =item mailto -Address to send mail to +Address to send warning and erorr mail to. Defaults to "root". =item exempt_group -Users in this group are exempt from password and PATH requirements +Users in this group are exempt from password and PATH requirements. +This is not set by default. =item secure_path -Value to override user's $PATH with +Path used for every command run from B. If you don't trust the +people running sudo to have a sane C environment variable you may +want to use this. Another use is if you want to have the "root path" +be separate from the "user path." This is not set by default. =item verifypw This option controls when a password will be required when a user runs sudo with the B<-v>. It has the following possible values: - all All the user's sudoers entries for the + all All the user's I entries for the current host must have the C flag set to avoid entering a password. - any At least one of the user's sudoers entries + any At least one of the user's I entries for the current host must have the C flag set to avoid entering a password. 
@@ -416,11 +492,11 @@ The default value is `all'. This option controls when a password will be required when a user runs sudo with the B<-l>. It has the following possible values: - all All the user's sudoers entries for the + all All the user's I entries for the current host must have the C flag set to avoid entering a password. - any At least one of the user's sudoers entries + any At least one of the user's I entries for the current host must have the C flag set to avoid entering a password.
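Review bot: the new path_info text in the first (flags) hunk contradicts itself: it opens with "Normally, B will tell the user when a command could not be found in their C<$PATH>" and says "Some sites may wish to disable this", which describes a flag that is on by default, yet the entry ends "This flag is off by default." One of the two statements has to change; since the surrounding sentences describe disabling it, "This flag is on by default." is the likely intended line, but confirm against the compiled-in default before committing. In the same hunk, the requiretty entry has two typos, "turn of echo" should read "turn off echo" and "some sites may with to set" should read "some sites may wish to set", and "Ie:" in the fqdn entry would read better as "For example:".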
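Review bot: in the timestamp_timeout entry of the integer-options hunk, "ask for a passwd again" should read "ask for a password again", and the default sentences there and under passwd_timeout are comma splices ("The default is 5, set this to 0 ..."); suggest "The default is 5; set this to 0 to always prompt for a password." and "The default is 5; set this to 0 for no password timeout." respectively.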
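Review bot: the badpass_message entry in the strings hunk says the default is "Sorry, try again." unless insults are enabled, but does not say what is displayed in that case; suggest a short cross-reference to the insults flag documented in the flags hunk (which says B insults users who enter an incorrect password) so the reader does not have to infer the behaviour.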
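Review bot: typo in the mailto entry of the negatable-strings hunk: "warning and erorr mail" should read "warning and error mail". In the same hunk the unchanged verifypw introduction "when a user runs sudo with the B<-v>." is missing a noun; suggest "with the B<-v> flag".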
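Review bot: the listpw introduction in the last hunk has the same dangling phrase, "when a user runs sudo with the B<-l>."; suggest "with the B<-l> flag" for consistency with the rest of the page's wording.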