From: Todd C. Miller Date: Sat, 15 Jun 1996 22:01:50 +0000 (+0000) Subject: updated wrt -u and NOPASSWD X-Git-Tag: SUDO_1_5_0~165 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=255e60f65fbd15f885e7572c68a285b0d9dbe879;p=sudo updated wrt -u and NOPASSWD --- diff --git a/sudoers.pod b/sudoers.pod index 95eb7c2fe..d9da36d55 100644 --- a/sudoers.pod +++ b/sudoers.pod @@ -19,10 +19,14 @@ will be used. user access_group [: access_group] ... - access_group ::= host_type = [op]cmnd_type [,[op]cmnd_type] ... + access_group ::= host_type = [(user_list)] [NOPASSWD:] [op]cmnd_type + [,[(user_list)] [NOPASSWD:] [op]cmnd_type] ... host_type ::= a lower-case hostname, netgroup, ip address, network number, or host alias. - cmnd_type ::= an command OR a command alias. + user_list ::= comma-separated list of users, uids, or + User_Aliases the user may run commands as + (default is root). + cmnd_type ::= a command OR a command alias. op ::= the logical "!" NOT operator. =head2 host alias section format: @@ -40,7 +44,7 @@ will be used. User_Alias ::= a keyword. USERALIAS ::= an upper-case alias name. - user-list ::= a comma separated list of users, groups and netgroups. + user-list ::= a comma separated list of users, groups, netgroups. =head2 command alias section format: @@ -68,8 +72,8 @@ backslash (\). =head2 wildcards (aka meta characters): B allows shell-style I along with command arguments -in the I file. Wildcard matching is done via Rich -$alz's C package. +in the I file. Wildcard matching is done via the B +C routine. =over 8 
@@ -96,28 +100,51 @@ escape special characters such as: "*", "?", "[", and "}". =back +=head2 exceptions to wildcard rules: + +The following exceptions apply to the above rules: + +=over 8 + +=item C<""> + +If the empty string C<""> is the only command line argument in the +I entry it means that command may take B arguments. + +=item C<*> + +A C<*> by itself (separated by whitespace) as the B argument in +the I entry will match any and all remaining arguments on +the command line. + +=back + +=head2 other special characters and reserved words: + Text after a pound sign (B<#>) is considered a comment. Words that begin with a percent sign (B<%>) are assumed to be UN*X groups (%staff refers to users in the group I). Words that begin with a plus sign (B<+>) are assumed to be netgroups (B<+cshosts> refers to the netgroup I). Long lines can be newline escaped with the backslash B<\> character. -The reserved alias I can be used for both {Host,User,Cmnd}_Alias. +The reserved word B indicates that a user need not +enter a password for the command listed in that entry. +The reserved alias I can be used for both {Host,User,Cmnd}_Alias. B define an alias of I, it will B be used. Note that I implies the entire universe of hosts/users/commands. You can subtract elements from the universe by using the syntax: user host=ALL,!ALIAS1,!/etc/halt... Note that the "!" notation only works in a user's command list. You -may not use it to subtract elements in a User_Alias, Host_Alias, or -Cmnd_Alias. +may not use it to subtract elements in a User_Alias, Host_Alias, +Cmnd_Alias or user list. Commands may have optional command line arguments. If they do, then the arguments in the I file must exactly match those on the command line. It is also possible to have a command's arguments span multiple lines as long as the line continuance character "\" is used. The following characters must be escaped -with a "\" if used in command arguments: ",", ":", "=", "\". 
+with a "\" if used in command arguments: ",", ":", "=", "\", """. =head1 EXAMPLES @@ -140,7 +167,7 @@ with a "\" if used in command arguments: ",", ":", "=", "\". SHUTDOWN=/etc/halt,/etc/shutdown # User specification - FULLTIME ALL=ALL + FULLTIME ALL=(ALL) NOPASSWD:ALL %wheel ALL=ALL PARTTIME ALL=ALL,!SHELLS,!SU +interns +openlabs=ALL,!SHELLS,!SU @@ -183,7 +210,7 @@ command line arguments. The entries above should be self-explanatory. =item FULLTIME Full-time sysadmins in the C alias may run any -command on any host. +command on any host as any user without a password. =item %wheel @@ -258,4 +285,4 @@ will not run with a syntactically incorrect I file. =head1 SEE ALSO -sudo(8), visudo(8), su(1), wildmat(3). +sudo(8), visudo(8), su(1), fnmatch(3).
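Review bot: In the hunk at @@ -19,10 +19,14 @@, the new user_list production differs by one character from the existing user-list in the user alias section, yet the two mean different things: user_list is "users, uids, or User_Aliases the user may run commands as", while user-list is a list of "users, groups, netgroups". A reader can easily carry the group and netgroup forms into the run-as position. Suggest giving the run-as production a distinct name and stating explicitly whether %group and +netgroup words are accepted inside the parentheses.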
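Review bot: In the hunk at @@ -96,28 +100,51 @@, the added sentence says NOPASSWD means the user need not enter a password "for the command listed in that entry", but the grammar permits [NOPASSWD:] before each comma-separated cmnd_type, so the text leaves open whether the tag covers only the command it precedes or every command after it in the list. That scope decides which commands run without authentication, so it should be spelled out here. The same section also never describes the (user_list) prefix or the -u option named in the commit subject; one sentence next to the NOPASSWD one would cover it.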
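Review bot: In the hunk at @@ -140,7 +167,7 @@, "FULLTIME ALL=(ALL) NOPASSWD:ALL" turns the first user specification in EXAMPLES into the broadest grant the syntax allows (any command on any host as any user without a password), and it is the only example of either new feature. Readers copy from this section, so suggest also adding a narrower entry that shows a specific run-as user and NOPASSWD on a single command. Separately, (ALL) relies on ALL being valid in the run-as list, which the user_list definition ("users, uids, or User_Aliases") does not state; the definition should mention it.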