From: Todd C. Miller Date: Thu, 23 Mar 2000 00:17:30 +0000 (+0000) Subject: configure does substitution on these to produce *.man X-Git-Tag: SUDO_1_6_3~27 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=7cd18cf366f6b5f1c466727ee3ec8a456833a4cb;p=sudo configure does substitution on these to produce *.man --- diff --git a/sudo.man.in b/sudo.man.in new file mode 100644 index 000000000..c45b76d3b --- /dev/null +++ b/sudo.man.in @@ -0,0 +1,501 @@ +.rn '' }` +''' $RCSfile$$Revision$$Date$ +''' +''' $Log$ +''' Revision 1.1 2000/03/23 00:17:29 millert +''' configure does substitution on these to produce *.man +''' +''' +.de Sh +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp +.if t .sp .5v +.if n .sp +.. +.de Ip +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb +.ft CW +.nf +.ne \\$1 +.. +.de Ve +.ft R + +.fi +.. +''' +''' +''' Set up \*(-- to give an unbreakable dash; +''' string Tr holds user defined translation string. +''' Bell System Logo is used as a dummy character. +''' +.tr \(*W-|\(bv\*(Tr +.ie n \{\ +.ds -- \(*W- +.ds PI pi +.if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +.if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +.ds L" "" +.ds R" "" +''' \*(M", \*(S", \*(N" and \*(T" are the equivalent of +''' \*(L" and \*(R", except that they are used on ".xx" lines, +''' such as .IP and .SH, which do another additional levels of +''' double-quote interpretation +.ds M" """ +.ds S" """ +.ds N" """"" +.ds T" """"" +.ds L' ' +.ds R' ' +.ds M' ' +.ds S' ' +.ds N' ' +.ds T' ' +'br\} +.el\{\ +.ds -- \(em\| +.tr \*(Tr +.ds L" `` +.ds R" '' +.ds M" `` +.ds S" '' +.ds N" `` +.ds T" '' +.ds L' ` +.ds R' ' +.ds M' ` +.ds S' ' +.ds N' ` +.ds T' ' +.ds PI \(*p +'br\} +.\" If the F register is turned on, we'll generate +.\" index entries out stderr for the following things: +.\" TH Title +.\" SH Header +.\" Sh Subsection +.\" Ip Item +.\" X<> Xref (embedded +.\" Of course, you have to process the output yourself +.\" in some meaninful fashion. +.if \nF \{ +.de IX +.tm Index:\\$1\t\\n%\t"\\$2" +.. +.nr % 0 +.rr F +.\} +.TH sudo.pod.in @mansectsu@ "1.6.3" "22/Mar/2000" "MAINTENANCE COMMANDS" +.UC +.if n .hy 0 +.if n .na +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.de CQ \" put $1 in typewriter font +.ft CW +'if n "\c +'if t \\&\\$1\c +'if n \\&\\$1\c +'if n \&" +\\&\\$2 \\$3 \\$4 \\$5 \\$6 \\$7 +'.ft R +.. +.\" @(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2 +. \" AM - accent mark definitions +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds ? ? +. ds ! ! +. ds / +. ds q +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds ? \s-2c\h'-\w'c'u*7/10'\u\h'\*(#H'\zi\d\s+2\h'\w'c'u*8/10' +. ds ! \s-2\(or\s+2\h'-\w'\(or'u'\v'-.8m'.\v'.8m' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +. ds q o\h'-\w'o'u*8/10'\s-4\v'.4m'\z\(*i\v'-.4m'\s+4\h'\w'o'u*8/10' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds v \\k:\h'-(\\n(.wu*9/10-\*(#H)'\v'-\*(#V'\*(#[\s-4v\s0\v'\*(#V'\h'|\\n:u'\*(#] +.ds _ \\k:\h'-(\\n(.wu*9/10-\*(#H+(\*(#F*2/3))'\v'-.4m'\z\(hy\v'.4m'\h'|\\n:u' +.ds . \\k:\h'-(\\n(.wu*8/10)'\v'\*(#V*4/10'\z.\v'-\*(#V*4/10'\h'|\\n:u' +.ds 3 \*(#[\v'.2m'\s-2\&3\s0\v'-.2m'\*(#] +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +.ds oe o\h'-(\w'o'u*4/10)'e +.ds Oe O\h'-(\w'O'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds v \h'-1'\o'\(aa\(ga' +. ds _ \h'-1'^ +. ds . \h'-1'. +. ds 3 3 +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +. ds oe oe +. ds Oe OE +.\} +.rm #[ #] #H #V #F C +.SH "NAME" +sudo \- execute a command as another user +.SH "SYNOPSIS" +\fBsudo\fR \fB\-V\fR | \fB\-h\fR | \fB\-l\fR | \fB\-L\fR | \fB\-v\fR | \fB\-k\fR | \fB\-K\fR | \fB\-s\fR | +[ \fB\-H\fR ] [\fB\-S\fR ] [ \fB\-b\fR ] | [ \fB\-p\fR prompt ] [ \fB\-c\fR class|\- ] +[ \fB\-u\fR username/#uid ] \fIcommand\fR +.SH "DESCRIPTION" +\fBsudo\fR allows a permitted user to execute a \fIcommand\fR as the +superuser or another user, as specified in the sudoers file. The +real and effective uid and gid are set to match those of the target +user as specified in the passwd file (the group vector is also +initialized when the target user is not root). By default, \fBsudo\fR +requires that users authenticate themselves with a password +(NOTE: this is the user's password, not the root password). Once +a user has been authenticated, a timestamp is updated and the +user may then use sudo without a password for a short period of time +(five minutes by default). +.PP +\fBsudo\fR determines who is an authorized user by consulting the +file \fI@sysconfdir@/sudoers\fR. By giving \fBsudo\fR the \f(CW-v\fR flag a user +can update the time stamp without running a \fIcommand.\fR +The password prompt itself will also time out if the user's password is +not entered with N minutes (again, this is defined at configure +time and defaults to 5 minutes). +.PP +If a user that is not listed in the \fIsudoers\fR file tries to run +a command via \fBsudo\fR, mail is sent to the proper authorities, +as defined at configure time (defaults to root). Note that the +mail will not be sent if an unauthorized user tries to run sudo +with the \f(CW-l\fR or \f(CW-v\fR flags. This allows users to determine +for themselves whether or not they are allowed to use \fBsudo\fR. +.PP +\fBsudo\fR can log both successful an unsuccessful attempts (as well +as errors) to \fIsyslog\fR\|(3), a log file, or both. By default \fBsudo\fR +will log via \fIsyslog\fR\|(3) but this is changeable at configure time. +.SH "OPTIONS" +\fBsudo\fR accepts the following command line options: +.Ip "-V" 4 +The \f(CW-V\fR (\fIversion\fR) option causes \fBsudo\fR to print the +version number and exit. +.Ip "-l" 4 +The \f(CW-l\fR (\fIlist\fR) option will list out the allowed (and +forbidden) commands for the user on the current host. +.Ip "-L" 4 +The \f(CW-L\fR (\fIlist\fR defaults) option will list out the parameters +that may be set in a \fIDefaults\fR line along with a short description +for each. This option is useful in conjunction with \fIgrep\fR\|(1). +.Ip "-h" 4 +The \f(CW-h\fR (\fIhelp\fR) option causes \fBsudo\fR to print a usage message and exit. +.Ip "-v" 4 +If given the \f(CW-v\fR (\fIvalidate\fR) option, \fBsudo\fR will update the +user's timestamp, prompting for the user's password if necessary. +This extends the \fBsudo\fR timeout to for another N minutes +(where N is defined at installation time and defaults to 5 +minutes) but does not run a command. +.Ip "-k" 4 +The \f(CW-k\fR (\fIkill\fR) option to \fBsudo\fR invalidates the user's timestamp +by setting the time on it to the epoch. The next time \fBsudo\fR is +run a password will be required. This option does not require a password +and was added to allow a user to revoke \fBsudo\fR permissions from a .logout +file. +.Ip "-K" 4 +The \f(CW-K\fR (sure \fIkill\fR) option to \fBsudo\fR removes the user's timestamp +entirely. This option does not require a password. +.Ip "-b" 4 +The \f(CW-b\fR (\fIbackground\fR) option tells \fBsudo\fR to run the given +command in the background. Note that if you use the \f(CW-b\fR +option you cannot use shell job control to manipulate the command. +.Ip "-p" 4 +The \f(CW-p\fR (\fIprompt\fR) option allows you to override the default +password prompt and use a custom one. If the password prompt +contains the \f(CW%u\fR escape, \f(CW%u\fR will be replaced with the user's +login name. Similarly, \f(CW%h\fR will be replaced with the local +hostname. +.Ip "-c" 4 +The \f(CW-c\fR (\fIclass\fR) option causes \fBsudo\fR to run the specified command +with resources limited by the specified login class. The \fIclass\fR +argument can be either a class name as defined in /etc/login.conf, +or a single \*(L'\-\*(R' character. Specifying the \fIclass\fR as \*(L'\-\*(R' means +that the command should be run restricted by the default login +capibilities of the user the command is run as. If the \fIclass\fR +argument specifies an existing user class, the command must be run +as root, or the \fBsudo\fR command must be run from a shell that is already +root. This option is only available on systems with \s-1BSD\s0 login classes +where \fBsudo\fR has been configured with the --with-logincap option. +.Ip "-u" 4 +The \f(CW-u\fR (\fIuser\fR) option causes \fBsudo\fR to run the specified command +as a user other than \fIroot\fR. To specify a \fIuid\fR instead of a +\fIusername\fR, use \*(L"#uid\*(R". +.Ip "-s" 4 +The \f(CW-s\fR (\fIshell\fR) option runs the shell specified by the \fI\s-1SHELL\s0\fR +environment variable if it is set or the shell as specified +in \fIpasswd\fR\|(5). +.Ip "-H" 4 +The \f(CW-H\fR (\fI\s-1HOME\s0\fR) option sets the \fI\s-1HOME\s0\fR environment variable +to the homedir of the target user (root by default) as specified +in \fIpasswd\fR\|(5). By default, \fBsudo\fR does not modify \fI\s-1HOME\s0\fR. +.Ip "-S" 4 +The \f(CW-S\fR (\fIstdin\fR) option causes \fBsudo\fR to read the password from +standard input instead of the terminal device. +.Ip "--" 4 +The \f(CW--\fR flag indicates that \fBsudo\fR should stop processing command +line arguments. It is most useful in conjunction with the \f(CW-s\fR flag. +.SH "RETURN VALUES" +\fBsudo\fR quits with an exit value of 1 if there is a +configuration/permission problem or if \fBsudo\fR cannot execute the +given command. In the latter case the error string is printed to +stderr. If \fBsudo\fR cannot \fIstat\fR\|(2) one or more entries in the user's +\f(CWPATH\fR an error is printed on stderr. (If the directory does not +exist or if it is not really a directory, the entry is ignored and +no error is printed.) This should not happen under normal +circumstances. The most common reason for \fIstat\fR\|(2) to return +\*(L"permission denied\*(R" is if you are running an automounter and one +of the directories in your \f(CWPATH\fR is on a machine that is currently +unreachable. +.SH "SECURITY NOTES" +\fBsudo\fR tries to be safe when executing external commands. Variables +that control how dynamic loading and binding is done can be used +to subvert the program that \fBsudo\fR runs. To combat this the +\f(CWLD_*\fR, \f(CW_RLD_*\fR, \f(CWSHLIB_PATH\fR (HP\-UX only), and \f(CWLIBPATH\fR (AIX +only) environment variables are removed from the environment passed +on to all commands executed. \fBsudo\fR will also remove the \f(CWIFS\fR, +\f(CWENV\fR, \f(CWBASH_ENV\fR, \f(CWKRB_CONF\fR, \f(CWKRB5_CONFIG\fR, \f(CWLOCALDOMAIN\fR, +\f(CWRES_OPTIONS\fR and \f(CWHOSTALIASES\fR variables as they too can pose a +threat. +.PP +To prevent command spoofing, \fBsudo\fR checks "." and "" (both denoting +current directory) last when searching for a command in the user's +PATH (if one or both are in the PATH). Note, however, that the +actual \f(CWPATH\fR environment variable is \fInot\fR modified and is passed +unchanged to the program that \fBsudo\fR executes. +.PP +For security reasons, if your OS supports shared libraries and does +not disable user-defined library search paths for setuid programs +(most do), you should either use a linker option that disables this +behavior or link \fBsudo\fR statically. +.PP +\fBsudo\fR will check the ownership of its timestamp directory (\fI@TIMEDIR@\fR) +and ignore the directory's contents if it is not owned by root and +only writable by root. On systems that allow non-root users to +give away files via \fIchown\fR\|(2), if the timestamp directory is located +in a directory writable by anyone (eg: \fI/tmp\fR), it is possible for +a user to create the timestamp directory before \fBsudo\fR is run. +However, because \fBsudo\fR checks the ownership and mode of the +directory and its contents, the only damage that can be done is to +\*(L"hide\*(R" files by putting them in the timestamp dir. This is unlikely +to happen since once the timestamp dir is owned by root and +inaccessible by any other user the user placing files there would +be unable to get them back out. To get around this issue you can +use a directory that is not world-writable for the timestamps +(\fI/var/adm/sudo\fR for instance) or create \fI@TIMEDIR@\fR with the +appropriate owner (root) and permissions (0700) in the system startup +files. +.PP +\fBsudo\fR will not honor timestamps set far in the future. +Timestamps with a date greater than current_time + 2 * \f(CWTIMEOUT\fR +will be ignored and sudo will log and complain. This is done to +keep a user from creating his/her own timestamp with a bogus +date on system that allow users to give away files. +.SH "EXAMPLES" +Note: the following examples assume suitable \fIsudoers\fR\|(5) entries. +.PP +To get a file listing of an unreadable directory: +.PP +.Vb 1 +\& % sudo ls /usr/local/protected +.Ve +To list the home directory of user yazza on a machine where the +filesystem holding ~yazza is not exported as root: +.PP +.Vb 1 +\& % sudo -u yazza ls ~yazza +.Ve +To edit the \fIindex.html\fR file as user www: +.PP +.Vb 1 +\& % sudo -u www vi ~www/htdocs/index.html +.Ve +To shutdown a machine: +.PP +.Vb 1 +\& % sudo shutdown -r +15 "quick reboot" +.Ve +To make a usage listing of the directories in the /home +partition. Note that this runs the commands in a sub-shell +to make the \f(CWcd\fR and file redirection work. +.PP +.Vb 1 +\& % sudo sh -c "cd /home ; du -s * | sort -rn > USAGE" +.Ve +.SH "ENVIRONMENT" +\fBsudo\fR utilizes the following environment variables: +.PP +.Vb 13 +\& PATH Set to a sane value if SECURE_PATH is set +\& SHELL Used to determine shell to run with -s option +\& USER Set to the target user (root unless the -u option +\& is specified) +\& HOME In -s or -H mode (or if sudo was configured with +\& the --enable-shell-sets-home option), set to +\& homedir of the target user. +\& SUDO_PROMPT Used as the default password prompt +\& SUDO_COMMAND Set to the command run by sudo +\& SUDO_USER Set to the login of the user who invoked sudo +\& SUDO_UID Set to the uid of the user who invoked sudo +\& SUDO_GID Set to the gid of the user who invoked sudo +\& SUDO_PS1 If set, PS1 will be set to its value +.Ve +.SH "FILES" +.PP +.Vb 2 +\& @sysconfdir@/sudoers List of who can run what +\& @TIMEDIR@ Directory containing timestamps +.Ve +.SH "AUTHORS" +Many people have worked on \fBsudo\fR over the years, this +version consists of code written primarily by: +.PP +.Vb 2 +\& Todd Miller +\& Chris Jepeway +.Ve +See the HISTORY file in the \fBsudo\fR distribution for a short history +of \fBsudo\fR. +.SH "BUGS" +If you feel you have found a bug in sudo, please submit a bug report +at http://www.courtesan.com/sudo/bugs/ +.SH "DISCLAIMER" +\fBSudo\fR is provided ``AS IS'\*(R' and any express or implied warranties, +including, but not limited to, the implied warranties of merchantability +and fitness for a particular purpose are disclaimed. +See the LICENSE file distributed with \fBsudo\fR for complete details. +.SH "CAVEATS" +There is no easy way to prevent a user from gaining a root shell if +that user has access to commands allowing shell escapes. +.PP +If users have sudo \f(CWALL\fR there is nothing to prevent them from creating +their own program that gives them a root shell regardless of any \*(L'!\*(R' +elements in the user specification. +.PP +Running shell scripts via \fBsudo\fR can expose the same kernel bugs +that make setuid shell scripts unsafe on some operating systems +(if your OS supports the /dev/fd/ directory, setuid shell scripts +are generally safe). +.SH "SEE ALSO" +\fIlogin_cap\fR\|(3), \fIsudoers\fR\|(5), \fIvisudo\fR\|(8), \fIsu\fR\|(1). + +.rn }` '' +.IX Title "sudo.pod.in @mansectsu@" +.IX Name "sudo - execute a command as another user" + +.IX Header "NAME" + +.IX Header "SYNOPSIS" + +.IX Header "DESCRIPTION" + +.IX Header "OPTIONS" + +.IX Item "-V" + +.IX Item "-l" + +.IX Item "-L" + +.IX Item "-h" + +.IX Item "-v" + +.IX Item "-k" + +.IX Item "-K" + +.IX Item "-b" + +.IX Item "-p" + +.IX Item "-c" + +.IX Item "-u" + +.IX Item "-s" + +.IX Item "-H" + +.IX Item "-S" + +.IX Item "--" + +.IX Header "RETURN VALUES" + +.IX Header "SECURITY NOTES" + +.IX Header "EXAMPLES" + +.IX Header "ENVIRONMENT" + +.IX Header "FILES" + +.IX Header "AUTHORS" + +.IX Header "BUGS" + +.IX Header "DISCLAIMER" + +.IX Header "CAVEATS" + +.IX Header "SEE ALSO" + diff --git a/sudoers.man.in b/sudoers.man.in new file mode 100644 index 000000000..79d1279f8 --- /dev/null +++ b/sudoers.man.in @@ -0,0 +1,1115 @@ +.rn '' }` +''' $RCSfile$$Revision$$Date$ +''' +''' $Log$ +''' Revision 1.1 2000/03/23 00:17:29 millert +''' configure does substitution on these to produce *.man +''' +''' +.de Sh +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp +.if t .sp .5v +.if n .sp +.. +.de Ip +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb +.ft CW +.nf +.ne \\$1 +.. +.de Ve +.ft R + +.fi +.. +''' +''' +''' Set up \*(-- to give an unbreakable dash; +''' string Tr holds user defined translation string. +''' Bell System Logo is used as a dummy character. +''' +.tr \(*W-|\(bv\*(Tr +.ie n \{\ +.ds -- \(*W- +.ds PI pi +.if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +.if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +.ds L" "" +.ds R" "" +''' \*(M", \*(S", \*(N" and \*(T" are the equivalent of +''' \*(L" and \*(R", except that they are used on ".xx" lines, +''' such as .IP and .SH, which do another additional levels of +''' double-quote interpretation +.ds M" """ +.ds S" """ +.ds N" """"" +.ds T" """"" +.ds L' ' +.ds R' ' +.ds M' ' +.ds S' ' +.ds N' ' +.ds T' ' +'br\} +.el\{\ +.ds -- \(em\| +.tr \*(Tr +.ds L" `` +.ds R" '' +.ds M" `` +.ds S" '' +.ds N" `` +.ds T" '' +.ds L' ` +.ds R' ' +.ds M' ` +.ds S' ' +.ds N' ` +.ds T' ' +.ds PI \(*p +'br\} +.\" If the F register is turned on, we'll generate +.\" index entries out stderr for the following things: +.\" TH Title +.\" SH Header +.\" Sh Subsection +.\" Ip Item +.\" X<> Xref (embedded +.\" Of course, you have to process the output yourself +.\" in some meaninful fashion. +.if \nF \{ +.de IX +.tm Index:\\$1\t\\n%\t"\\$2" +.. +.nr % 0 +.rr F +.\} +.TH sudoers.pod.in @mansectform@ "1.6.3" "22/Mar/2000" "FILE FORMATS" +.UC +.if n .hy 0 +.if n .na +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.de CQ \" put $1 in typewriter font +.ft CW +'if n "\c +'if t \\&\\$1\c +'if n \\&\\$1\c +'if n \&" +\\&\\$2 \\$3 \\$4 \\$5 \\$6 \\$7 +'.ft R +.. +.\" @(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2 +. \" AM - accent mark definitions +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds ? ? +. ds ! ! +. ds / +. ds q +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds ? \s-2c\h'-\w'c'u*7/10'\u\h'\*(#H'\zi\d\s+2\h'\w'c'u*8/10' +. ds ! \s-2\(or\s+2\h'-\w'\(or'u'\v'-.8m'.\v'.8m' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +. ds q o\h'-\w'o'u*8/10'\s-4\v'.4m'\z\(*i\v'-.4m'\s+4\h'\w'o'u*8/10' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds v \\k:\h'-(\\n(.wu*9/10-\*(#H)'\v'-\*(#V'\*(#[\s-4v\s0\v'\*(#V'\h'|\\n:u'\*(#] +.ds _ \\k:\h'-(\\n(.wu*9/10-\*(#H+(\*(#F*2/3))'\v'-.4m'\z\(hy\v'.4m'\h'|\\n:u' +.ds . \\k:\h'-(\\n(.wu*8/10)'\v'\*(#V*4/10'\z.\v'-\*(#V*4/10'\h'|\\n:u' +.ds 3 \*(#[\v'.2m'\s-2\&3\s0\v'-.2m'\*(#] +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +.ds oe o\h'-(\w'o'u*4/10)'e +.ds Oe O\h'-(\w'O'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds v \h'-1'\o'\(aa\(ga' +. ds _ \h'-1'^ +. ds . \h'-1'. +. ds 3 3 +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +. ds oe oe +. ds Oe OE +.\} +.rm #[ #] #H #V #F C +.SH "NAME" +sudoers \- list of which users may execute what +.SH "DESCRIPTION" +The \fIsudoers\fR file is composed two types of entries: +aliases (basically variables) and user specifications +(which specify who may run what). The grammar of \fIsudoers\fR +will be described below in Extended Backus-Naur Form (EBNF). +Don't despair if you don't know what EBNF is, it is fairly +simple and the definitions below are annotated. +.Sh "Quick guide to \s-1EBNF\s0" +\s-1EBNF\s0 is a concise and exact way of describing the grammar of a language. +Each \s-1EBNF\s0 definition is made up of \fIproduction rules\fR. Eg. +.PP +.Vb 1 +\& symbol ::= definition | alternate1 | alternate2 ... +.Ve +Each \fIproduction rule\fR references others and thus makes up a +grammar for the language. \s-1EBNF\s0 also contains the following +operators, which many readers will recognize from regular +expressions. Do not, however, confuse them with \*(L"wildcard\*(R" +characters, which have different meanings. +.Ip "\f(CW?\fR" 8 +Means that the preceding symbol (or group of symbols) is optional. +That is, it may appear once or not at all. +.Ip "\f(CW*\fR" 8 +Means that the preceding symbol (or group of symbols) may appear +zero or more times. +.Ip "\f(CW+\fR" 8 +Means that the preceding symbol (or group of symbols) may appear +one or more times. +.PP +Parentheses may be used to group symbols together. For clarity, +we will use single quotes ('') to designate what is a verbatim character +string (as opposed to a symbol name). +.Sh "Aliases" +There are four kinds of aliases: the \f(CWUser_Alias\fR, \f(CWRunas_Alias\fR, +\f(CWHost_Alias\fR and \f(CWCmnd_Alias\fR. +.PP +.Vb 4 +\& Alias ::= 'User_Alias' = User_Alias (':' User_Alias)* | +\& 'Runas_Alias' = Runas_Alias (':' Runas_Alias)* | +\& 'Host_Alias' = Host_Alias (':' Host_Alias)* | +\& 'Cmnd_Alias' = Cmnd_Alias (':' Cmnd_Alias)* +.Ve +.Vb 1 +\& User_Alias ::= NAME '=' User_List +.Ve +.Vb 1 +\& Runas_Alias ::= NAME '=' Runas_User_List +.Ve +.Vb 1 +\& Host_Alias ::= NAME '=' Host_List +.Ve +.Vb 1 +\& Cmnd_Alias ::= NAME '=' Cmnd_List +.Ve +.Vb 1 +\& NAME ::= [A-Z]([A-Z][0-9]_)* +.Ve +Each \fIalias\fR definition is of the form +.PP +.Vb 1 +\& Alias_Type NAME = item1, item2, ... +.Ve +where \fIAlias_Type\fR is one of \f(CWUser_Alias\fR, \f(CWRunas_Alias\fR, \f(CWHost_Alias\fR, +or \f(CWCmnd_Alias\fR. A \f(CWNAME\fR is a string of upper case letters, numbers, +and the underscore characters ('_'). A \f(CWNAME\fR \fBmust\fR start with an +upper case letter. It is possible to put several alias definitions +of the same type on a single line, joined by a semicolon (':'). Eg. +.PP +.Vb 1 +\& Alias_Type NAME = item1, item2, item3 : NAME = item4, item5 +.Ve +The definitions of what constitutes a valid \fIalias\fR member follow. +.PP +.Vb 2 +\& User_List ::= User | +\& User ',' User_List +.Ve +.Vb 5 +\& User ::= '!'* username | +\& '!'* '#'uid | +\& '!'* '%'group | +\& '!'* '+'netgroup | +\& '!'* User_Alias +.Ve +A \f(CWUser_List\fR is made up of one or more usernames, uids +(prefixed with \*(L'#'), System groups (prefixed with \*(L'%'), +netgroups (prefixed with \*(L'+') and other aliases. Each list +item may be prefixed with one or more \*(L'!\*(R' operators. An odd number +of \*(L'!\*(R' operators negates the value of the item; an even number +just cancel each other out. +.PP +.Vb 2 +\& Runas_List ::= Runas_User | +\& Runas_User ',' Runas_List +.Ve +.Vb 5 +\& Runas_User ::= '!'* username | +\& '!'* '#'uid | +\& '!'* '%'group | +\& '!'* +netgroup | +\& '!'* Runas_Alias +.Ve +Likewise, a \f(CWRunas_List\fR has the same possible elements +as a \f(CWUser_List\fR, except that it can include a \f(CWRunas_Alias\fR, +instead of a \f(CWUser_Alias\fR. +.PP +.Vb 2 +\& Host_List ::= Host | +\& Host ',' Host_List +.Ve +.Vb 5 +\& Host ::= '!'* hostname | +\& '!'* ip_addr | +\& '!'* network(/netmask)? | +\& '!'* '+'netgroup | +\& '!'* Host_Alias +.Ve +A \f(CWHost_List\fR is made up of one or more hostnames, \s-1IP\s0 addresses, +network numbers, netgroups (prefixed with \*(L'+') and other aliases. +Again, the value of an item may be negated with the \*(L'!\*(R' operator. +If you do not specify a netmask with a network number, the netmask +of the host's ethernet \fIinterface\fR\|(s) will be used when matching. +The netmask may be specified either in dotted quad notation (eg. +255.255.255.0) or \s-1CIDR\s0 notation (number of bits, eg. 24). +.PP +.Vb 2 +\& Cmnd_List ::= Cmnd | +\& Cmnd ',' Cmnd_List +.Ve +.Vb 3 +\& commandname ::= filename | +\& filename args | +\& filename '""' +.Ve +.Vb 3 +\& Cmnd ::= '!'* commandname | +\& '!'* directory | +\& '!'* Cmnd_Alias +.Ve +A \f(CWCmnd_List\fR is a list of one or more commandnames, directories, and other +aliases. A commandname is a fully-qualified filename which may include +shell-style wildcards (see `Wildcards\*(R' section below). A simple +filename allows the user to run the command with any arguments he/she +wishes. However, you may also command line arguments (including wildcards). +Alternately, you can specify \f(CW""\fR to indicate that the command +may only be run \fBwithout\fR command line arguments. A directory is a +fully qualified pathname ending in a \*(L'/\*(R'. When you specify a directory +in a \f(CWCmnd_List\fR, the user will be able to run any file within that directory +(but not in any subdirectories therein). +.PP +If a \f(CWCmnd\fR has associated command line arguments, then the arguments +in the \f(CWCmnd\fR must match exactly those given by the user on the command line +(or match the wildcards if there are any). Note that the following +characters must be escaped with a \*(L'\e\*(R' if they are used in command +arguments: \*(L',\*(R', \*(L':\*(R', \*(L'=\*(R', \*(L'\e\*(R'. +.Sh "Defaults" +Certain configuration options may be changed from their default +values at runtime via one or more \f(CWDefault_Entry\fR lines. These +may affect all users on any host, all users on a specific host, +or just a specific user. When multiple entries match, they are +applied in order. Where there are conflicting values, the last +value on a matching line takes effect. +.PP +.Vb 3 +\& Default_Type ::= 'Defaults' || +\& 'Defaults' ':' User || +\& 'Defaults' '@' Host +.Ve +.Vb 1 +\& Default_Entry ::= Default_Type Parameter_List +.Ve +.Vb 2 +\& Parameter ::= Parameter '=' Value || +\& '!'* Parameter || +.Ve +Parameters may be \fBflags\fR, \fBinteger\fR values, or \fBstrings\fR. Flags +are implicitly boolean and can be turned off via the \*(L'!\*(R' operator. +Some integer and string parameters may also be used in a boolean +context to disable them. Values may be enclosed in double quotes +(\f(CW"\fR) when they contain multiple words. Special characters may +be escaped with a backslash (\f(CW\e\fR). +.PP +\fBFlags\fR: +.Ip "long_otp_prompt" 12 +When validating with a One Time Password scheme (\fBS/Key\fR or \fB\s-1OPIE\s0\fR), +a two-line prompt is used to make it easier to cut and paste the +challenge to a local window. It's not as pretty as the default but +some people find it more convenient. This flag is off by default. +.Ip "ignore_dot" 12 +If set, \fBsudo\fR will ignore \*(L'.\*(R' or \*(L'\*(R' (current dir) in \f(CW$PATH\fR; +the \f(CW$PATH\fR itself is not modified. This flag is off by default. +.Ip "mail_always" 12 +Send mail to the \fImailto\fR user every time a users runs sudo. +This flag is off by default. +.Ip "mail_no_user" 12 +If set, mail will be sent to the \fImailto\fR user if the invoking +user is not in the \fIsudoers\fR file. This flag is on by default. +.Ip "mail_no_host" 12 +If set, mail will be sent to the \fImailto\fR user if the invoking +user exists in the \fIsudoers\fR file, but is not allowed to run +commands on the current host. This flag is off by default. +.Ip "mail_no_perms" 12 +If set, mail will be sent to the \fImailto\fR user if the invoking +user allowed to use sudo but the command they are trying is not +listed in their \fIsudoers\fR file entry. This flag is off by default. +.Ip "tty_tickets" 12 +If set, users must authenticate on a per-tty basis. Normally, +\fBsudo\fR uses a directory in the ticket dir with the same name as +the user running it. With this flag enabled, \fBsudo\fR will use a +file named for the tty the user is logged in on in that directory. +This flag is off by default. +.Ip "lecture" 12 +If set, a user will receive a short lecture the first time he/she +runs \fBsudo\fR. This flag is on by default. +.Ip "authenticate" 12 +If set, users must authenticate themselves via a password (or other +means of authentication) before they may run commands. This default +may be overridden via the \f(CWPASSWD\fR and \f(CWNOPASSWD\fR tags. +This flag is on by default. +.Ip "root_sudo" 12 +If set, root is allowed to run sudo too. Disabling this prevents users +from \*(L"chaining\*(R" sudo commands to get a root shell by doing something +like \f(CW"sudo sudo /bin/sh"\fR. +This flag is on by default. +.Ip "log_host" 12 +If set, the hostname will be logged in the (non-syslog) \fBsudo\fR log file. +This flag is off by default. +.Ip "log_year" 12 +If set, the four-digit year will be logged in the (non-syslog) \fBsudo\fR log file. +This flag is off by default. +.Ip "shell_noargs" 12 +If set and \fBsudo\fR is invoked with no arguments it acts as if the +\f(CW-s\fR flag had been given. That is, it runs a shell as root (the +shell is determined by the \f(CWSHELL\fR environment variable if it is +set, falling back on the shell listed in the invoking user's +/etc/passwd entry if not). This flag is off by default. +.Ip "set_home" 12 +If set and \fBsudo\fR is invoked with the \f(CW-s\fR flag the \f(CWHOME\fR +environment variable will be set to the home directory of the target +user (which is root unless the \f(CW-u\fR option is used). This effectively +makes the \f(CW-s\fR flag imply \f(CW-H\fR. This flag is off by default. +.Ip "path_info" 12 +Normally, \fBsudo\fR will tell the user when a command could not be +found in their \f(CW$PATH\fR. Some sites may wish to disable this as +it could be used to gather information on the location of executables +that the normal user does not have access to. The disadvantage is +that if the executable is simply not in the user's \f(CW$PATH\fR, \fBsudo\fR +will tell the user that they are not allowed to run it, which can +be confusing. This flag is off by default. +.Ip "fqdn" 12 +Set this flag if you want to put fully qualified hostnames in the +\fIsudoers\fR file. Ie: instead of myhost you would use myhost.mydomain.edu. +You may still use the short form if you wish (and even mix the two). +Beware that turning on \fIfqdn\fR requires sudo to make \s-1DNS\s0 lookups +which may make \fBsudo\fR unusable if \s-1DNS\s0 stops working (for example +if the machine is not plugged into the network). Also note that +you must use the host's official name as \s-1DNS\s0 knows it. That is, +you may not use a host alias (\f(CWCNAME\fR entry) due to performance +issues and the fact that there is no way to get all aliases from +\s-1DNS\s0. If your machine's hostname (as returned by the \f(CWhostname\fR +command) is already fully qualified you shouldn't need to set +\fIfqfn\fR. This flag is off by default. +.Ip "insults" 12 +If set, sudo will insult users when they enter an incorrect +password. This flag is off by default. +.Ip "requiretty" 12 +If set, sudo will only run when the user is logged in to a real +tty. This will disallow things like \f(CW"rsh somehost sudo ls"\fR since +\fIrsh\fR\|(1) does not allocate a tty. Because it is not possible to turn +of echo when there is no tty present, some sites may with to set +this flag to prevent a user from entering a visible password. This +flag is off by default. +.Ip "env_editor" 12 +If set, visudo will use the value of the \s-1EDITOR\s0 or \s-1VISUAL\s0 environment +falling back on the default editor. Note that this may create a +security hole as most editors allow a user to get a shell (which +would be a root shell and not be logged). +.Ip "rootpw" 12 +If set, sudo will prompt for the root password instead of the password +of the invoking user. +.Ip "runaspw" 12 +If set, sudo will prompt for the password of the user defined by the +\fIrunas_default\fR option (defaults to root) instead of the password +of the invoking user. +.Ip "targetpw" 12 +If set, sudo will prompt for the password of the user specified by +the \f(CW-u\fR flag (defaults to root) instead of the password of the +invoking user. +.Ip "use_loginclass" 12 +If set, sudo will apply the defaults specified for the target user's +login class if one exists. Only available if sudo is configured with +the --with-logincap option. +.PP +\fBIntegers\fR: +.Ip "passwd_tries" 12 +The number of tries a user gets to enter his/her password before +sudo logs the failure and exits. The default is 3. +.PP +\fBIntegers that can be used in a boolean context\fR: +.Ip "loglinelen" 12 +Number of characters per line for the file log. This value is used +to decide when to wrap lines for nicer log files. This has no +effect on the syslog log file, only the file log. The default is +80 (use 0 or negate to disable word wrap). +.Ip "timestamp_timeout" 12 +Number of minutes that can elapse before \fBsudo\fR will ask for a passwd +again. The default is 5, set this to 0 to always prompt for a password. +.Ip "passwd_timeout" 12 +Number of minutes before the sudo password prompt times out. +The default is 5, set this to 0 for no password timeout. +.Ip "umask" 12 +Umask to use when running the root command. Set this to 0777 to +not override the user's umask. The default is 0022. +.PP +\fBStrings\fR: +.Ip "mailsub" 12 +Subject of the mail sent to the \fImailto\fR user. The escape \f(CW%h\fR +will expand to the hostname of the machine. +Default is \*(L"*** \s-1SECURITY\s0 information for \f(CW%h\fR ***\*(R". +.Ip "badpass_message" 12 +Message that is displayed if a user enters an incorrect password. +The default is \*(L"Sorry, try again.\*(R" unless insults are enabled. +.Ip "timestampdir" 12 +The directory in which \fBsudo\fR stores its timestamp files. +The default is \fI@\s-1TIMEDIR\s0@\fR. +.Ip "passprompt" 12 +The default prompt to use when asking for a password; can be overridden +via the \f(CW-p\fR option or the \f(CWSUDO_PROMPT\fR environment variable. Supports +two escapes: \*(L"%u\*(R" expands to the user's login name and \*(L"%h\*(R" expands +to the local hostname. The default value is \*(L"Password:\*(R". +.Ip "runas_default" 12 +The default user to run commands as if the \f(CW-u\fR flag is not specified +on the command line. This defaults to \*(L"root\*(R". +.Ip "syslog_goodpri" 12 +Syslog priority to use when user authenticates successfully. +Defaults to \*(L"notice\*(R". +.Ip "syslog_badpri" 12 +Syslog priority to use when user authenticates unsuccessfully. +Defaults to \*(L"alert\*(R". +.Ip "editor" 12 +Path to the editor to be used by visudo. The default is the path +to vi on your system. +.PP +\fBStrings that can be used in a boolean context\fR: +.Ip "logfile" 12 +Path to the sudo log file (not the syslog log file). Setting a path +turns on logging to a file, negating this option turns it off. +.Ip "syslog" 12 +Syslog facility if syslog is being used for logging (negate to +disable syslog logging). Defaults to \*(L"local2\*(R". +.Ip "mailerpath" 12 +Path to mail program used to send warning mail. +Defaults to the path to sendmail found at configure time. +.Ip "mailerflags" 12 +Flags to use when invoking mailer. Defaults to \f(CW-t\fR. +.Ip "mailto" 12 +Address to send warning and erorr mail to. Defaults to \*(L"root\*(R". +.Ip "exempt_group" 12 +Users in this group are exempt from password and \s-1PATH\s0 requirements. +This is not set by default. +.Ip "secure_path" 12 +Path used for every command run from \fBsudo\fR. If you don't trust the +people running sudo to have a sane \f(CWPATH\fR environment variable you may +want to use this. Another use is if you want to have the \*(L"root path\*(R" +be separate from the \*(L"user path.\*(R" This is not set by default. +.Ip "verifypw" 12 +This option controls when a password will be required when a +user runs sudo with the \fB\-v\fR. It has the following possible values: +.Sp +.Vb 3 +\& all All the user's I entries for the +\& current host must have the C +\& flag set to avoid entering a password. +.Ve +.Vb 4 +\& any At least one of the user's I entries +\& for the current host must have the +\& C flag set to avoid entering a +\& password. +.Ve +.Vb 2 +\& never The user need never enter a password to use +\& the B<-v> flag. +.Ve +.Vb 2 +\& always The user must always enter a password to use +\& the B<-v> flag. +.Ve +The default value is `all\*(R'. +.Ip "listpw" 12 +This option controls when a password will be required when a +user runs sudo with the \fB\-l\fR. It has the following possible values: +.Sp +.Vb 3 +\& all All the user's I entries for the +\& current host must have the C +\& flag set to avoid entering a password. +.Ve +.Vb 4 +\& any At least one of the user's I entries +\& for the current host must have the +\& C flag set to avoid entering a +\& password. +.Ve +.Vb 2 +\& never The user need never enter a password to use +\& the B<-l> flag. +.Ve +.Vb 2 +\& always The user must always enter a password to use +\& the B<-l> flag. +.Ve +The default value is `any\*(R'. +.PP +When logging via \fIsyslog\fR\|(3), sudo accepts the following values for the syslog +facility (the value of the \fBsyslog\fR Parameter): \fBauthpriv\fR (if your \s-1OS\s0 +supports it), \fBauth\fR, \fBdaemon\fR, \fBuser\fR, \fBlocal0\fR, \fBlocal1\fR, \fBlocal2\fR, +\fBlocal3\fR, \fBlocal4\fR, \fBlocal5\fR, \fBlocal6\fR, and \fBlocal7\fR. The following +syslog priorities are supported: \fBalert\fR, \fBcrit\fR, \fBdebug\fR, \fBemerg\fR, +\fBerr\fR, \fBinfo\fR, \fBnotice\fR, and \fBwarning\fR. +.Sh "User Specification" +.PP +.Vb 2 +\& User_Spec ::= User_list Host_List '=' User_List Cmnd_Spec_List \e +\& (':' User_Spec)* +.Ve +.Vb 2 +\& Cmnd_Spec_List ::= Cmnd_Spec | +\& Cmnd_Spec ',' Cmnd_Spec_List +.Ve +.Vb 1 +\& Cmnd_Spec ::= Runas_Spec? ('NOPASSWD:' | 'PASSWD:')? Cmnd +.Ve +.Vb 1 +\& Runas_Spec ::= '(' Runas_List ')' +.Ve +A \fBuser specification\fR determines which commands a user may run +(and as what user) on specified hosts. By default, commands are +run as \fBroot\fR but this can be changed on a per-command basis. +.PP +Let's break that down into its constituent parts: +.Sh "Runas_Spec" +A \f(CWRunas_Spec\fR is simply a \f(CWRunas_List\fR (as defined above) +enclosed in a set of parentheses. If you do not specify a +\f(CWRunas_Spec\fR in the user specification, a default \f(CWRunas_Spec\fR +of \fBroot\fR will be used. A \f(CWRunas_Spec\fR sets the default for +commands that follow it. What this means is that for the entry: +.PP +.Vb 1 +\& dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/who +.Ve +The user \fBdgb\fR may run \fI/bin/ls\fR, \fI/bin/kill\fR, and +\fI/usr/bin/lprm\fR -- but only as \fBoperator\fR. Eg. +.PP +.Vb 1 +\& sudo -u operator /bin/ls. +.Ve +It is also possible to override a \f(CWRunas_Spec\fR later on in an +entry. If we modify the entry like so: +.PP +.Vb 1 +\& dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm +.Ve +Then user \fBdgb\fR is now allowed to run \fI/bin/ls\fR as \fBoperator\fR, +but \fI/bin/kill\fR and \fI/usr/bin/lprm\fR as \fBroot\fR. +.Sh "\s-1NOPASSWD\s0 and \s-1PASSWD\s0" +By default, \fBsudo\fR requires that a user authenticate him or herself +before running a command. This behavior can be modified via the +\f(CWNOPASSWD\fR tag. Like a \f(CWRunas_Spec\fR, the \f(CWNOPASSWD\fR tag sets +a default for the commands that follow it in the \f(CWCmnd_Spec_List\fR. +Conversely, the \f(CWPASSWD\fR tag can be used to reverse things. +For example: +.PP +.Vb 1 +\& ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm +.Ve +would allow the user \fBray\fR to run \fI/bin/kill\fR, \fI/bin/ls\fR, and +\fI/usr/bin/lprm\fR as root on the machine rushmore as \fBroot\fR without +authenticating himself. If we only want \fBray\fR to be able to +run \fI/bin/kill\fR without a password the entry would be: +.PP +.Vb 1 +\& ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm +.Ve +Note however, that the \f(CWPASSWD\fR tag has no effect on users who are +in the group specified by the exempt_group option. +.PP +By default, if the \f(CWNOPASSWD\fR tag is applied to any of the entries +for a user on the current host, he or she will be able to run +\f(CWsudo -l\fR without a password. Additionally, a user may only run +\f(CWsudo -v\fR without a password if the \f(CWNOPASSWD\fR tag is present +for all a user's entries that pertain to the current host. +This behavior may be overridden via the verifypw and listpw options. +.Sh "Wildcards (aka meta characters):" +\fBsudo\fR allows shell-style \fIwildcards\fR to be used in pathnames +as well as command line arguments in the \fIsudoers\fR file. Wildcard +matching is done via the \fB\s-1POSIX\s0\fR \f(CWfnmatch(3)\fR routine. Note that +these are \fInot\fR regular expressions. +.Ip "\f(CW*\fR" 8 +Matches any set of zero or more characters. +.Ip "\f(CW?\fR" 8 +Matches any single character. +.Ip "\f(CW[...]\fR" 8 +Matches any character in the specified range. +.Ip "\f(CW[!...]\fR" 8 +Matches any character \fBnot\fR in the specified range. +.Ip "\f(CW\ex\fR" 8 +For any character \*(L"x\*(R", evaluates to \*(L"x\*(R". This is used to +escape special characters such as: \*(L"*\*(R", \*(L"?\*(R", \*(L"[\*(R", and \*(L"}\*(R". +.PP +Note that a forward slash ('/') will \fBnot\fR be matched by +wildcards used in the pathname. When matching the command +line arguments, however, as slash \fBdoes\fR get matched by +wildcards. This is to make a path like: +.PP +.Vb 1 +\& /usr/bin/* +.Ve +match \f(CW/usr/bin/who\fR but not \f(CW/usr/bin/X11/xterm\fR. +.Sh "Exceptions to wildcard rules:" +The following exceptions apply to the above rules: +.Ip \f(CW""\fR 8 +If the empty string \f(CW""\fR is the only command line argument in the +\fIsudoers\fR entry it means that command is not allowed to be run +with \fBany\fR arguments. +.Sh "Other special characters and reserved words:" +The pound sign ('#') is used to indicate a comment (unless it +occurs in the context of a user name and is followed by one or +more digits, in which case it is treated as a uid). Both the +comment character and any text after it, up to the end of the line, +are ignored. +.PP +The reserved word \fB\s-1ALL\s0\fR is a built in \fIalias\fR that always causes +a match to succeed. It can be used wherever one might otherwise +use a \f(CWCmnd_Alias\fR, \f(CWUser_Alias\fR, \f(CWRunas_Alias\fR, or \f(CWHost_Alias\fR. +You should not try to define your own \fIalias\fR called \fB\s-1ALL\s0\fR as the +built in alias will be used in preference to your own. Please note +that using \fB\s-1ALL\s0\fR can be dangerous since in a command context, it +allows the user to run \fBany\fR command on the system. +.PP +An exclamation point (\*(R'!') can be used as a logical \fInot\fR operator +both in an \fIalias\fR and in front of a \f(CWCmnd\fR. This allows one to +exclude certain values. Note, however, that using a \f(CW!\fR in +conjunction with the built in \f(CWALL\fR alias to allow a user to +run \*(L"all but a few\*(R" commands rarely works as intended (see \s-1SECURITY\s0 +\s-1NOTES\s0 below). +.PP +Long lines can be continued with a backslash (\*(R'\e') as the last +character on the line. +.PP +Whitespace between elements in a list as well as specicial syntactic +characters in a \fIUser Specification\fR ('=\*(R', \*(L':\*(R', \*(L'(\*(R', \*(L')') is optional. +.PP +The following characters must be escaped with a backslash (\*(R'\e') when +used as part of a word (eg. a username or hostname): +\&'@\*(R', \*(L'!\*(R', \*(L'=\*(R', \*(L':\*(R', \*(L',\*(R', \*(L'(\*(R', \*(L')\*(R', \*(L'\e\*(R'. +.SH "EXAMPLES" +Below are example \fIsudoers\fR entries. Admittedly, some of +these are a bit contrived. First, we define our \fIaliases\fR: +.PP +.Vb 4 +\& # User alias specification +\& User_Alias FULLTIMERS = millert, mikef, dowdy +\& User_Alias PARTTIMERS = bostley, jwfox, crawl +\& User_Alias WEBMASTERS = will, wendy, wim +.Ve +.Vb 3 +\& # Runas alias specification +\& Runas_Alias OP = root, operator +\& Runas_Alias DB = oracle, sybase +.Ve +.Vb 9 +\& # Host alias specification +\& Host_Alias SPARC = bigtime, eclipse, moet, anchor :\e +\& SGI = grolsch, dandelion, black :\e +\& ALPHA = widget, thalamus, foobar :\e +\& HPPA = boa, nag, python +\& Host_Alias CUNETS = 128.138.0.0/255.255.0.0 +\& Host_Alias CSNETS = 128.138.243.0, 128.138.204.0/24, 128.138.242.0 +\& Host_Alias SERVERS = master, mail, www, ns +\& Host_Alias CDROM = orion, perseus, hercules +.Ve +.Vb 12 +\& # Cmnd alias specification +\& Cmnd_Alias DUMPS = /usr/bin/mt, /usr/sbin/dump, /usr/sbin/rdump,\e +\& /usr/sbin/restore, /usr/sbin/rrestore +\& Cmnd_Alias KILL = /usr/bin/kill +\& Cmnd_Alias PRINTING = /usr/sbin/lpc, /usr/bin/lprm +\& Cmnd_Alias SHUTDOWN = /usr/sbin/shutdown +\& Cmnd_Alias HALT = /usr/sbin/halt, /usr/sbin/fasthalt +\& Cmnd_Alias REBOOT = /usr/sbin/reboot, /usr/sbin/fastboot +\& Cmnd_Alias SHELLS = /usr/bin/sh, /usr/bin/csh, /usr/bin/ksh, \e +\& /usr/local/bin/tcsh, /usr/bin/rsh, \e +\& /usr/local/bin/zsh +\& Cmnd_Alias SU = /usr/bin/su +.Ve +Here we override some of the compiled in default values. We want +sudo to log via \fIsyslog\fR\|(3) using the \fIauth\fR facility in all cases. +We don't want to subject the full time staff to the \fBsudo\fR lecture, +and user \fBmillert\fR need not give a password. In addition, on the +machines in the \fISERVERS\fR \f(CWHost_Alias\fR, we keep an additional +local log file and make sure we log the year in each log line since +the log entries will be kept around for several years. +.PP +.Vb 5 +\& # Override builtin defaults +\& Defaults syslog=auth +\& Defaults:FULLTIMERS !lecture +\& Defaults:millert !authenticate +\& Defaults@SERVERS log_year, logfile=/var/log/sudo.log +.Ve +The \fIUser specification\fR is the part that actually determines who may +run what. +.PP +.Vb 2 +\& root ALL = (ALL) ALL +\& %wheel ALL = (ALL) ALL +.Ve +We let \fBroot\fR and any user in group \fBwheel\fR run any command on any +host as any user. +.PP +.Vb 1 +\& FULLTIMERS ALL = NOPASSWD: ALL +.Ve +Full time sysadmins (\fBmillert\fR, \fBmikef\fR, and \fBdowdy\fR) may run any +command on any host without authenticating themselves. +.PP +.Vb 1 +\& PARTTIMERS ALL = ALL +.Ve +Part time sysadmins (\fBbostley\fR, \fBjwfox\fR, and \fBcrawl\fR) may run any +command on any host but they must authenticate themselves first +(since the entry lacks the \f(CWNOPASSWD\fR tag). +.PP +.Vb 1 +\& jack CSNETS = ALL +.Ve +The user \fBjack\fR may run any command on the machines in the \fICSNETS\fR alias +(the networks \f(CW128.138.243.0\fR, \f(CW128.138.204.0\fR, and \f(CW128.138.242.0\fR). +Of those networks, only <128.138.204.0> has an explicit netmask (in +CIDR notation) indicating it is a class C network. For the other +networks in \fICSNETS\fR, the local machine's netmask will be used +during matching. +.PP +.Vb 1 +\& lisa CUNETS = ALL +.Ve +The user \fBlisa\fR may run any command on any host in the \fICUNETS\fR alias +(the class B network \f(CW128.138.0.0\fR). +.PP +.Vb 2 +\& operator ALL = DUMPS, KILL, PRINTING, SHUTDOWN, HALT, REBOOT,\e +\& /usr/oper/bin/ +.Ve +The \fBoperator\fR user may run commands limited to simple maintenance. +Here, those are commands related to backups, killing processes, the +printing system, shutting down the system, and any commands in the +directory \fI/usr/oper/bin/\fR. +.PP +.Vb 1 +\& joe ALL = /usr/bin/su operator +.Ve +The user \fBjoe\fR may only \fIsu\fR\|(1) to operator. +.PP +.Vb 1 +\& pete HPPA = /usr/bin/passwd [A-z]*, !/usr/bin/passwd root +.Ve +The user \fBpete\fR is allowed to change anyone's password except for +root on the \fIHPPA\fR machines. Note that this assumes \fIpasswd\fR\|(1) +does not take multiple usernames on the command line. +.PP +.Vb 1 +\& bob SPARC = (OP) ALL : SGI = (OP) ALL +.Ve +The user \fBbob\fR may run anything on the \fISPARC\fR and \fISGI\fR machines +as any user listed in the \fIOP\fR \f(CWRunas_Alias\fR (\fBroot\fR and \fBoperator\fR). +.PP +.Vb 1 +\& jim +biglab = ALL +.Ve +The user \fBjim\fR may run any command on machines in the \fIbiglab\fR netgroup. +\fBSudo\fR knows that \*(L"biglab\*(R" is a netgroup due to the \*(L'+\*(R' prefix. +.PP +.Vb 1 +\& +secretaries ALL = PRINTING, /usr/bin/adduser, /usr/bin/rmuser +.Ve +Users in the \fBsecretaries\fR netgroup need to help manage the printers +as well as add and remove users, so they are allowed to run those +commands on all machines. +.PP +.Vb 1 +\& fred ALL = (DB) NOPASSWD: ALL +.Ve +The user \fBfred\fR can run commands as any user in the \fIDB\fR \f(CWRunas_Alias\fR +(\fBoracle\fR or \fBsybase\fR) without giving a password. +.PP +.Vb 1 +\& john ALPHA = /usr/bin/su [!-]*, !/usr/bin/su *root* +.Ve +On the \fIALPHA\fR machines, user \fBjohn\fR may su to anyone except root +but he is not allowed to give \fIsu\fR\|(1) any flags. +.PP +.Vb 1 +\& jen ALL, !SERVERS = ALL +.Ve +The user \fBjen\fR may run any command on any machine except for those +in the \fISERVERS\fR \f(CWHost_Alias\fR (master, mail, www and ns). +.PP +.Vb 1 +\& jill SERVERS = /usr/bin/, !SU, !SHELLS +.Ve +For any machine in the \fISERVERS\fR \f(CWHost_Alias\fR, \fBjill\fR may run +any commands in the directory /usr/bin/ except for those commands +belonging to the \fISU\fR and \fISHELLS\fR \f(CWCmnd_Aliases\fR. +.PP +.Vb 1 +\& steve CSNETS = (operator) /usr/local/op_commands/ +.Ve +The user \fBsteve\fR may run any command in the directory /usr/local/op_commands/ +but only as user operator. +.PP +.Vb 1 +\& matt valkyrie = KILL +.Ve +On his personal workstation, valkyrie, \fBmatt\fR needs to be able to +kill hung processes. +.PP +.Vb 1 +\& WEBMASTERS www = (www) ALL, (root) /usr/bin/su www +.Ve +On the host www, any user in the \fIWEBMASTERS\fR \f(CWUser_Alias\fR (will, +wendy, and wim), may run any command as user www (which owns the +web pages) or simply \fIsu\fR\|(1) to www. +.PP +.Vb 2 +\& ALL CDROM = NOPASSWD: /sbin/umount /CDROM,\e +\& /sbin/mount -o nosuid\e,nodev /dev/cd0a /CDROM +.Ve +Any user may mount or unmount a CD\-ROM on the machines in the CDROM +\f(CWHost_Alias\fR (orion, perseus, hercules) without entering a password. +This is a bit tedious for users to type, so it is a prime candiate +for encapsulating in a shell script. +.SH "SECURITY NOTES" +It is generally not effective to \*(L"subtract\*(R" commands from \f(CWALL\fR +using the \*(L'!\*(R' operator. A user can trivially circumvent this +by copying the desired command to a different name and then +executing that. For example: +.PP +.Vb 1 +\& bill ALL = ALL, !SU, !SHELLS +.Ve +Doesn't really prevent \fBbill\fR from running the commands listed in +\fISU\fR or \fISHELLS\fR since he can simply copy those commands to a +different name, or use a shell escape from an editor or other +program. Therefore, these kind of restrictions should be considered +advisory at best (and reinforced by policy). +.SH "CAVEATS" +The \fIsudoers\fR file should \fBalways\fR be edited by the \fBvisudo\fR +command which locks the file and does grammatical checking. It is +imperative that \fIsudoers\fR be free of syntax errors since \fBsudo\fR +will not run with a syntactically incorrect \fIsudoers\fR file. +.PP +When using netgroups of machines (as opposed to users), if you +store fully-qualified hostnames in the netgroup (as is usually the +case), you either need to have the machine's hostname be fully-qualified +as returned by the \f(CWhostname\fR command or use the \fIfqdn\fR option in +\fIsudoers\fR. +.SH "FILES" +.PP +.Vb 3 +\& @sysconfdir@/sudoers List of who can run what +\& /etc/group Local groups file +\& /etc/netgroup List of network groups +.Ve +.SH "SEE ALSO" +\fIsudo\fR\|(8), \fIvisudo\fR\|(8), \fIsu\fR\|(1), \fIfnmatch\fR\|(3). + +.rn }` '' +.IX Title "sudoers.pod.in @mansectform@" +.IX Name "sudoers - list of which users may execute what" + +.IX Header "NAME" + +.IX Header "DESCRIPTION" + +.IX Subsection "Quick guide to \s-1EBNF\s0" + +.IX Item "\f(CW?\fR" + +.IX Item "\f(CW*\fR" + +.IX Item "\f(CW+\fR" + +.IX Subsection "Aliases" + +.IX Subsection "Defaults" + +.IX Item "long_otp_prompt" + +.IX Item "ignore_dot" + +.IX Item "mail_always" + +.IX Item "mail_no_user" + +.IX Item "mail_no_host" + +.IX Item "mail_no_perms" + +.IX Item "tty_tickets" + +.IX Item "lecture" + +.IX Item "authenticate" + +.IX Item "root_sudo" + +.IX Item "log_host" + +.IX Item "log_year" + +.IX Item "shell_noargs" + +.IX Item "set_home" + +.IX Item "path_info" + +.IX Item "fqdn" + +.IX Item "insults" + +.IX Item "requiretty" + +.IX Item "env_editor" + +.IX Item "rootpw" + +.IX Item "runaspw" + +.IX Item "targetpw" + +.IX Item "use_loginclass" + +.IX Item "passwd_tries" + +.IX Item "loglinelen" + +.IX Item "timestamp_timeout" + +.IX Item "passwd_timeout" + +.IX Item "umask" + +.IX Item "mailsub" + +.IX Item "badpass_message" + +.IX Item "timestampdir" + +.IX Item "passprompt" + +.IX Item "runas_default" + +.IX Item "syslog_goodpri" + +.IX Item "syslog_badpri" + +.IX Item "editor" + +.IX Item "logfile" + +.IX Item "syslog" + +.IX Item "mailerpath" + +.IX Item "mailerflags" + +.IX Item "mailto" + +.IX Item "exempt_group" + +.IX Item "secure_path" + +.IX Item "verifypw" + +.IX Item "listpw" + +.IX Subsection "User Specification" + +.IX Subsection "Runas_Spec" + +.IX Subsection "\s-1NOPASSWD\s0 and \s-1PASSWD\s0" + +.IX Subsection "Wildcards (aka meta characters):" + +.IX Item "\f(CW*\fR" + +.IX Item "\f(CW?\fR" + +.IX Item "\f(CW[...]\fR" + +.IX Item "\f(CW[!...]\fR" + +.IX Item "\f(CW\ex\fR" + +.IX Subsection "Exceptions to wildcard rules:" + +.IX Item \f(CW""\fR + +.IX Subsection "Other special characters and reserved words:" + +.IX Header "EXAMPLES" + +.IX Header "SECURITY NOTES" + +.IX Header "CAVEATS" + +.IX Header "FILES" + +.IX Header "SEE ALSO" + diff --git a/visudo.man.in b/visudo.man.in new file mode 100644 index 000000000..0edd2adad --- /dev/null +++ b/visudo.man.in @@ -0,0 +1,321 @@ +.rn '' }` +''' $RCSfile$$Revision$$Date$ +''' +''' $Log$ +''' Revision 1.1 2000/03/23 00:17:30 millert +''' configure does substitution on these to produce *.man +''' +''' +.de Sh +.br +.if t .Sp +.ne 5 +.PP +\fB\\$1\fR +.PP +.. +.de Sp +.if t .sp .5v +.if n .sp +.. +.de Ip +.br +.ie \\n(.$>=3 .ne \\$3 +.el .ne 3 +.IP "\\$1" \\$2 +.. +.de Vb +.ft CW +.nf +.ne \\$1 +.. +.de Ve +.ft R + +.fi +.. +''' +''' +''' Set up \*(-- to give an unbreakable dash; +''' string Tr holds user defined translation string. +''' Bell System Logo is used as a dummy character. +''' +.tr \(*W-|\(bv\*(Tr +.ie n \{\ +.ds -- \(*W- +.ds PI pi +.if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch +.if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch +.ds L" "" +.ds R" "" +''' \*(M", \*(S", \*(N" and \*(T" are the equivalent of +''' \*(L" and \*(R", except that they are used on ".xx" lines, +''' such as .IP and .SH, which do another additional levels of +''' double-quote interpretation +.ds M" """ +.ds S" """ +.ds N" """"" +.ds T" """"" +.ds L' ' +.ds R' ' +.ds M' ' +.ds S' ' +.ds N' ' +.ds T' ' +'br\} +.el\{\ +.ds -- \(em\| +.tr \*(Tr +.ds L" `` +.ds R" '' +.ds M" `` +.ds S" '' +.ds N" `` +.ds T" '' +.ds L' ` +.ds R' ' +.ds M' ` +.ds S' ' +.ds N' ` +.ds T' ' +.ds PI \(*p +'br\} +.\" If the F register is turned on, we'll generate +.\" index entries out stderr for the following things: +.\" TH Title +.\" SH Header +.\" Sh Subsection +.\" Ip Item +.\" X<> Xref (embedded +.\" Of course, you have to process the output yourself +.\" in some meaninful fashion. +.if \nF \{ +.de IX +.tm Index:\\$1\t\\n%\t"\\$2" +.. +.nr % 0 +.rr F +.\} +.TH visudo.pod.in @mansectsu@ "1.6.3" "18/Mar/2000" "MAINTENANCE COMMANDS" +.UC +.if n .hy 0 +.if n .na +.ds C+ C\v'-.1v'\h'-1p'\s-2+\h'-1p'+\s0\v'.1v'\h'-1p' +.de CQ \" put $1 in typewriter font +.ft CW +'if n "\c +'if t \\&\\$1\c +'if n \\&\\$1\c +'if n \&" +\\&\\$2 \\$3 \\$4 \\$5 \\$6 \\$7 +'.ft R +.. +.\" @(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2 +. \" AM - accent mark definitions +.bd B 3 +. \" fudge factors for nroff and troff +.if n \{\ +. ds #H 0 +. ds #V .8m +. ds #F .3m +. ds #[ \f1 +. ds #] \fP +.\} +.if t \{\ +. ds #H ((1u-(\\\\n(.fu%2u))*.13m) +. ds #V .6m +. ds #F 0 +. ds #[ \& +. ds #] \& +.\} +. \" simple accents for nroff and troff +.if n \{\ +. ds ' \& +. ds ` \& +. ds ^ \& +. ds , \& +. ds ~ ~ +. ds ? ? +. ds ! ! +. ds / +. ds q +.\} +.if t \{\ +. ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" +. ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' +. ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' +. ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' +. ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' +. ds ? \s-2c\h'-\w'c'u*7/10'\u\h'\*(#H'\zi\d\s+2\h'\w'c'u*8/10' +. ds ! \s-2\(or\s+2\h'-\w'\(or'u'\v'-.8m'.\v'.8m' +. ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' +. ds q o\h'-\w'o'u*8/10'\s-4\v'.4m'\z\(*i\v'-.4m'\s+4\h'\w'o'u*8/10' +.\} +. \" troff and (daisy-wheel) nroff accents +.ds : \\k:\h'-(\\n(.wu*8/10-\*(#H+.1m+\*(#F)'\v'-\*(#V'\z.\h'.2m+\*(#F'.\h'|\\n:u'\v'\*(#V' +.ds 8 \h'\*(#H'\(*b\h'-\*(#H' +.ds v \\k:\h'-(\\n(.wu*9/10-\*(#H)'\v'-\*(#V'\*(#[\s-4v\s0\v'\*(#V'\h'|\\n:u'\*(#] +.ds _ \\k:\h'-(\\n(.wu*9/10-\*(#H+(\*(#F*2/3))'\v'-.4m'\z\(hy\v'.4m'\h'|\\n:u' +.ds . \\k:\h'-(\\n(.wu*8/10)'\v'\*(#V*4/10'\z.\v'-\*(#V*4/10'\h'|\\n:u' +.ds 3 \*(#[\v'.2m'\s-2\&3\s0\v'-.2m'\*(#] +.ds o \\k:\h'-(\\n(.wu+\w'\(de'u-\*(#H)/2u'\v'-.3n'\*(#[\z\(de\v'.3n'\h'|\\n:u'\*(#] +.ds d- \h'\*(#H'\(pd\h'-\w'~'u'\v'-.25m'\f2\(hy\fP\v'.25m'\h'-\*(#H' +.ds D- D\\k:\h'-\w'D'u'\v'-.11m'\z\(hy\v'.11m'\h'|\\n:u' +.ds th \*(#[\v'.3m'\s+1I\s-1\v'-.3m'\h'-(\w'I'u*2/3)'\s-1o\s+1\*(#] +.ds Th \*(#[\s+2I\s-2\h'-\w'I'u*3/5'\v'-.3m'o\v'.3m'\*(#] +.ds ae a\h'-(\w'a'u*4/10)'e +.ds Ae A\h'-(\w'A'u*4/10)'E +.ds oe o\h'-(\w'o'u*4/10)'e +.ds Oe O\h'-(\w'O'u*4/10)'E +. \" corrections for vroff +.if v .ds ~ \\k:\h'-(\\n(.wu*9/10-\*(#H)'\s-2\u~\d\s+2\h'|\\n:u' +.if v .ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'\v'-.4m'^\v'.4m'\h'|\\n:u' +. \" for low resolution devices (crt and lpr) +.if \n(.H>23 .if \n(.V>19 \ +\{\ +. ds : e +. ds 8 ss +. ds v \h'-1'\o'\(aa\(ga' +. ds _ \h'-1'^ +. ds . \h'-1'. +. ds 3 3 +. ds o a +. ds d- d\h'-1'\(ga +. ds D- D\h'-1'\(hy +. ds th \o'bp' +. ds Th \o'LP' +. ds ae ae +. ds Ae AE +. ds oe oe +. ds Oe OE +.\} +.rm #[ #] #H #V #F C +.SH "NAME" +visudo \- edit the sudoers file +.SH "SYNOPSIS" +\fBvisudo\fR [ \fB\-s\fR ] [ \fB\-V\fR ] +.SH "DESCRIPTION" +\fBvisudo\fR edits the \fIsudoers\fR file in a safe fashion, analogous to +\fIvipw\fR\|(8). \fBvisudo\fR locks the \fIsudoers\fR file against multiple +simultaneous edits, provides basic sanity checks, and checks +for parse errors. If the \fIsudoers\fR file is currently being +edited you will receive a message to try again later. In the +default configuration, the \fIvi\fR\|(1) editor is used, but there is +a compile time option to allow use of whatever editor the +environment variables \f(CWEDITOR\fR or \f(CWVISUAL\fR are set to. +.PP +\fBvisudo\fR parses the \fIsudoers\fR file after the edit and will +not save the changes if there is a syntax error. Upon finding +an error, a message will be printed stating the line \fInumber\fR\|(s) +that the error occurred on and the user will receive the +\*(L"What now?\*(R" prompt. At this point the user may enter \*(L"e\*(R" +to re-edit the \fIsudoers\fR file, enter \*(L"x\*(R" to exit without +saving the changes, or \*(L"Q\*(R" to quit and save changes. The +\*(L"Q\*(R" option should be used with extreme care because if \fBvisudo\fR +believes there to be a parse error, so will \fBsudo\fR and no one +will be able to execute \fBsudo\fR again until the error is fixed. +Any other command at this prompt will print a short help message. +When editing the \fIsudoers\fR file after a parse error has been +detected the cursor will be placed on the line where the error +occurred (if the editor supports this feature). +.SH "OPTIONS" +\fBvisudo\fR accepts the following command line option: +.Ip "-s" 4 +Enable \fBstrict\fR checking of the \fIsudoers\fR file. If an alias is +used before it is defined, \fBvisudo\fR will consider this a parse +error. Note that it is not possible to differentiate between an +alias and a hostname or username that consists solely of upper case +letters, digits, and the underscore ('_') character. +.Ip "-V" 4 +The \f(CW-V\fR (version) option causes \fBvisudo\fR to print the version number +and exit. +.SH "ERRORS" +.Ip "sudoers file busy, try again later." 4 +Someone else is currently editing the \fIsudoers\fR file. +.Ip "@sysconf@/sudoers.tmp: Permission denied" 4 +You didn't run \fBvisudo\fR as root. +.Ip "Can't find you in the passwd database" 4 +Your userid does not appear in the system passwd file. +.Ip "Warning: undeclared Alias referenced near ..." 4 +Either you are using a {User,Runas,Host,Cmnd}_Alias before +defining it or you have a user or hostname listed that +consists solely of upper case letters, digits, and the +underscore ('_') character. If the latter, you can ignore +the warnings (\fBsudo\fR will not complain). In \fB\-s\fR (strict) +mode these are errors not warnings. +.SH "ENVIRONMENT" +The following environment variables are used only if \fBvisudo\fR +was configured with the \fI--with-env-editor\fR option: +.PP +.Vb 2 +\& EDITOR Used by visudo as the editor to use +\& VISUAL Used by visudo if EDITOR is not set +.Ve +.SH "FILES" +.PP +.Vb 2 +\& @sysconf@/sudoers List of who can run what +\& @sysconf@/sudoers.tmp Lock file for visudo +.Ve +.SH "AUTHOR" +Many people have worked on \fIsudo\fR over the years, this version of +\fBvisudo\fR was written by: +.PP +.Vb 1 +\& Todd Miller +.Ve +See the HISTORY file in the sudo distribution for more details. +.SH "BUGS" +If you feel you have found a bug in sudo, please submit a bug report +at http://www.courtesan.com/sudo/bugs/ +.SH "DISCLAIMER" +\fBVisudo\fR is provided ``AS IS'\*(R' and any express or implied warranties, +including, but not limited to, the implied warranties of merchantability +and fitness for a particular purpose are disclaimed. +See the LICENSE file distributed with \fBsudo\fR for complete details. +.SH "CAVEATS" +There is no easy way to prevent a user from gaining a root shell if +the editor used by \fBvisudo\fR allows shell escapes. +.SH "SEE ALSO" +\fIsudo\fR\|(8), \fIvipw\fR\|(8). + +.rn }` '' +.IX Title "visudo.pod.in @mansectsu@" +.IX Name "visudo - edit the sudoers file" + +.IX Header "NAME" + +.IX Header "SYNOPSIS" + +.IX Header "DESCRIPTION" + +.IX Header "OPTIONS" + +.IX Item "-s" + +.IX Item "-V" + +.IX Header "ERRORS" + +.IX Item "sudoers file busy, try again later." + +.IX Item "@sysconf@/sudoers.tmp: Permission denied" + +.IX Item "Can't find you in the passwd database" + +.IX Item "Warning: undeclared Alias referenced near ..." + +.IX Header "ENVIRONMENT" + +.IX Header "FILES" + +.IX Header "AUTHOR" + +.IX Header "BUGS" + +.IX Header "DISCLAIMER" + +.IX Header "CAVEATS" + +.IX Header "SEE ALSO" +