From: Todd C. Miller Date: Fri, 6 Jul 2007 13:33:47 +0000 (+0000) Subject: Move sudoers defaults parameters into their own section. X-Git-Tag: SUDO_1_7_0~508 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=95df3fa678df793f42ca89300098e0e0bd8e8a10;p=sudo Move sudoers defaults parameters into their own section. --- diff --git a/sudoers.pod b/sudoers.pod index b6ccc2e0e..8801c2f24 100644 --- a/sudoers.pod +++ b/sudoers.pod 
@@ -233,6 +233,243 @@ These operators are used to add to and delete from a list respectively. It is not an error to use the C<-=> operator to remove an element that does not exist in a list. +See L for a list of supported Defaults parameters. + +=head2 User Specification + + User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \ + (':' Host_List '=' Cmnd_Spec_List)* + + Cmnd_Spec_List ::= Cmnd_Spec | + Cmnd_Spec ',' Cmnd_Spec_List + + Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd + + Runas_Spec ::= '(' Runas_List ')' + + Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | + 'SETENV:' | 'NOSETENV:' | 'MONITOR:' | 'NOMONITOR:') + +A B determines which commands a user may run +(and as what user) on specified hosts. By default, commands are +run as B, but this can be changed on a per-command basis. + +Let's break that down into its constituent parts: + +=head2 Runas_Spec + +A C is simply a C (as defined above) +enclosed in a set of parentheses. If you do not specify a +C in the user specification, a default C +of B will be used. A C sets the default for +commands that follow it. What this means is that for the entry: + + dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm + +The user B may run F, F, and +F -- but only as B. E.g., + + $ sudo -u operator /bin/ls. + +It is also possible to override a C later on in an +entry. If we modify the entry like so: + + dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm + +Then user B is now allowed to run F as B, +but F and F as B. + +=head2 Tag_Spec + +A command may have zero or more tags associated with it. There are +eight possible tag values, C, C, C, C, +C, C, C and C. +Once a tag is set on a C, subsequent Cs in the +C, inherit the tag unless it is overridden by the +opposite tag (i.e.: C overrides C and C +overrides C). + +=head3 NOPASSWD and PASSWD + +By default, B requires that a user authenticate him or herself +before running a command. This behavior can be modified via the +C tag. 
Like a C, the C tag sets +a default for the commands that follow it in the C. +Conversely, the C tag can be used to reverse things. +For example: + + ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm + +would allow the user B to run F, F, and +F as root on the machine rushmore as B without +authenticating himself. If we only want B to be able to +run F without a password the entry would be: + + ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm + +Note, however, that the C tag has no effect on users who are +in the group specified by the I option. + +By default, if the C tag is applied to any of the entries +for a user on the current host, he or she will be able to run +C without a password. Additionally, a user may only run +C without a password if the C tag is present +for all a user's entries that pertain to the current host. +This behavior may be overridden via the verifypw and listpw options. + +=head3 NOEXEC and EXEC + +If B has been compiled with I support and the underlying +operating system supports it, the C tag can be used to prevent +a dynamically-linked executable from running further commands itself. + +In the following example, user B may run F +and F but shell escapes will be disabled. + + aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi + +See the L section below for more details +on how C works and whether or not it will work on your system. + +=head3 SETENV and NOSETENV + +These tags override the value of the I option on a per-command +basis. Note that environment variables set on the command line way +are not subject to the restrictions imposed by I, +I, or I. As such, only trusted users should +be allowed to set variables in this manner. + +=head3 MONITOR and NOMONITOR + +If B has been configured with the C<--with-systrace> option, +the C tag can be used to cause programs spawned by a command +to be checked against I and logged just like they would +be if run through B directly. 
This is useful in conjunction +with commands that allow shell escapes such as editors, shells and +paginators. + +In the following example, user B may run any command on the +machine research in monitor mode. + + chuck research = MONITOR: ALL + +See the L section below for more details +on how C works and whether or not it will work on your system. + +=head2 Wildcards + +B allows shell-style I (aka meta or glob characters) +to be used in pathnames as well as command line arguments in the +I file. Wildcard matching is done via the B +L routine. Note that these are I regular expressions. + +=over 8 + +=item C<*> + +Matches any set of zero or more characters. + +=item C + +Matches any single character. + +=item C<[...]> + +Matches any character in the specified range. + +=item C<[!...]> + +Matches any character B in the specified range. + +=item C<\x> + +For any character "x", evaluates to "x". This is used to +escape special characters such as: "*", "?", "[", and "}". + +=back + +Note that a forward slash ('/') will B be matched by +wildcards used in the pathname. When matching the command +line arguments, however, a slash B get matched by +wildcards. This is to make a path like: + + /usr/bin/* + +match F but not F. + +=head2 Exceptions to wildcard rules + +The following exceptions apply to the above rules: + +=over 8 + +=item C<""> + +If the empty string C<""> is the only command line argument in the +I entry it means that command is not allowed to be run +with B arguments. + +=back + +=head2 Including other files from within sudoers + +It is possible to include other I files from within the +I file currently being parsed using the C<#include> +directive, similar to the one used by the C preprocessor. This is +useful, for example, for keeping a site-wide I file in +addition to a per-machine local one. For the sake of this example +the site-wide I will be F and the per-machine +one will be F. 
To include F +from F we would use the following line in F: + + #include /etc/sudoers.local + +When B reaches this line it will suspend processing of the +current file (F) and switch to F. +Upon reaching the end of F, the rest of +F will be processed. Files that are included may +themselves include other files. A hard limit of 128 nested include +files is enforced to prevent include file loops. + +=head2 Other special characters and reserved words + +The pound sign ('#') is used to indicate a comment (unless it is +part of a #include directive or unless it occurs in the context of +a user name and is followed by one or more digits, in which case +it is treated as a uid). Both the comment character and any text +after it, up to the end of the line, are ignored. + +The reserved word B is a built-in I that always causes +a match to succeed. It can be used wherever one might otherwise +use a C, C, C, or C. +You should not try to define your own I called B as the +built-in alias will be used in preference to your own. Please note +that using B can be dangerous since in a command context, it +allows the user to run B command on the system. + +An exclamation point ('!') can be used as a logical I operator +both in an I and in front of a C. This allows one to +exclude certain values. Note, however, that using a C in +conjunction with the built-in C alias to allow a user to +run "all but a few" commands rarely works as intended (see SECURITY +NOTES below). + +Long lines can be continued with a backslash ('\') as the last +character on the line. + +Whitespace between elements in a list as well as special syntactic +characters in a I ('=', ':', '(', ')') is optional. + +The following characters must be escaped with a backslash ('\') when +used as part of a word (e.g.Ea username or hostname): +'@', '!', '=', ':', ',', '(', ')', '\'. + +=head1 SUDOERS OPTIONS + +Sudo's behavior can be modified by C lines, as +explained earlier. 
A list of all supported Defaults parameters, +grouped by type, are listed below. + B: =over 12 
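Review bot: the new closing sentence of this hunk, "A list of all supported Defaults parameters, grouped by type, are listed below.", has a subject-verb mismatch ("A list ... are listed") and says "list"/"listed" twice; suggest "The supported Defaults parameters, grouped by type, are listed below." Since the rest of the hunk is text moved verbatim, it also carries over two wording defects that are cheap to fix while it is being touched: under SETENV and NOSETENV, "environment variables set on the command line way are not subject to" has a stray "way"; and under NOPASSWD and PASSWD, the example explanation states the target user twice ("as root on the machine rushmore as ... root without authenticating himself"). A smaller style point: in "This behavior may be overridden via the verifypw and listpw options." the two option names are plain text, whereas other option names in the same section (e.g. the exempt_group reference just above) use the I<...> markup; making them consistent helps the rendered man page.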
@@ -833,235 +1070,6 @@ B, and B. The following syslog priorities are supported: B, B, B, B, B, B, B, and B. -=head2 User Specification - - User_Spec ::= User_List Host_List '=' Cmnd_Spec_List \ - (':' Host_List '=' Cmnd_Spec_List)* - - Cmnd_Spec_List ::= Cmnd_Spec | - Cmnd_Spec ',' Cmnd_Spec_List - - Cmnd_Spec ::= Runas_Spec? Tag_Spec* Cmnd - - Runas_Spec ::= '(' Runas_List ')' - - Tag_Spec ::= ('NOPASSWD:' | 'PASSWD:' | 'NOEXEC:' | 'EXEC:' | - 'SETENV:' | 'NOSETENV:' | 'MONITOR:' | 'NOMONITOR:') - -A B determines which commands a user may run -(and as what user) on specified hosts. By default, commands are -run as B, but this can be changed on a per-command basis. - -Let's break that down into its constituent parts: - -=head2 Runas_Spec - -A C is simply a C (as defined above) -enclosed in a set of parentheses. If you do not specify a -C in the user specification, a default C -of B will be used. A C sets the default for -commands that follow it. What this means is that for the entry: - - dgb boulder = (operator) /bin/ls, /bin/kill, /usr/bin/lprm - -The user B may run F, F, and -F -- but only as B. E.g., - - $ sudo -u operator /bin/ls. - -It is also possible to override a C later on in an -entry. If we modify the entry like so: - - dgb boulder = (operator) /bin/ls, (root) /bin/kill, /usr/bin/lprm - -Then user B is now allowed to run F as B, -but F and F as B. - -=head2 Tag_Spec - -A command may have zero or more tags associated with it. There are -eight possible tag values, C, C, C, C, -C, C, C and C. -Once a tag is set on a C, subsequent Cs in the -C, inherit the tag unless it is overridden by the -opposite tag (i.e.: C overrides C and C -overrides C). - -=head3 NOPASSWD and PASSWD - -By default, B requires that a user authenticate him or herself -before running a command. This behavior can be modified via the -C tag. Like a C, the C tag sets -a default for the commands that follow it in the C. -Conversely, the C tag can be used to reverse things. 
-For example: - - ray rushmore = NOPASSWD: /bin/kill, /bin/ls, /usr/bin/lprm - -would allow the user B to run F, F, and -F as root on the machine rushmore as B without -authenticating himself. If we only want B to be able to -run F without a password the entry would be: - - ray rushmore = NOPASSWD: /bin/kill, PASSWD: /bin/ls, /usr/bin/lprm - -Note, however, that the C tag has no effect on users who are -in the group specified by the I option. - -By default, if the C tag is applied to any of the entries -for a user on the current host, he or she will be able to run -C without a password. Additionally, a user may only run -C without a password if the C tag is present -for all a user's entries that pertain to the current host. -This behavior may be overridden via the verifypw and listpw options. - -=head3 NOEXEC and EXEC - -If B has been compiled with I support and the underlying -operating system supports it, the C tag can be used to prevent -a dynamically-linked executable from running further commands itself. - -In the following example, user B may run F -and F but shell escapes will be disabled. - - aaron shanty = NOEXEC: /usr/bin/more, /usr/bin/vi - -See the L section below for more details -on how C works and whether or not it will work on your system. - -=head3 SETENV and NOSETENV - -These tags override the value of the I option on a per-command -basis. Note that environment variables set on the command line way -are not subject to the restrictions imposed by I, -I, or I. As such, only trusted users should -be allowed to set variables in this manner. - -=head3 MONITOR and NOMONITOR - -If B has been configured with the C<--with-systrace> option, -the C tag can be used to cause programs spawned by a command -to be checked against I and logged just like they would -be if run through B directly. This is useful in conjunction -with commands that allow shell escapes such as editors, shells and -paginators. 
- -In the following example, user B may run any command on the -machine research in monitor mode. - - chuck research = MONITOR: ALL - -See the L section below for more details -on how C works and whether or not it will work on your system. - -=head2 Wildcards - -B allows shell-style I (aka meta or glob characters) -to be used in pathnames as well as command line arguments in the -I file. Wildcard matching is done via the B -L routine. Note that these are I regular expressions. - -=over 8 - -=item C<*> - -Matches any set of zero or more characters. - -=item C - -Matches any single character. - -=item C<[...]> - -Matches any character in the specified range. - -=item C<[!...]> - -Matches any character B in the specified range. - -=item C<\x> - -For any character "x", evaluates to "x". This is used to -escape special characters such as: "*", "?", "[", and "}". - -=back - -Note that a forward slash ('/') will B be matched by -wildcards used in the pathname. When matching the command -line arguments, however, a slash B get matched by -wildcards. This is to make a path like: - - /usr/bin/* - -match F but not F. - -=head2 Exceptions to wildcard rules - -The following exceptions apply to the above rules: - -=over 8 - -=item C<""> - -If the empty string C<""> is the only command line argument in the -I entry it means that command is not allowed to be run -with B arguments. - -=back - -=head2 Including other files from within sudoers - -It is possible to include other I files from within the -I file currently being parsed using the C<#include> -directive, similar to the one used by the C preprocessor. This is -useful, for example, for keeping a site-wide I file in -addition to a per-machine local one. For the sake of this example -the site-wide I will be F and the per-machine -one will be F. 
To include F -from F we would use the following line in F: - - #include /etc/sudoers.local - -When B reaches this line it will suspend processing of the -current file (F) and switch to F. -Upon reaching the end of F, the rest of -F will be processed. Files that are included may -themselves include other files. A hard limit of 128 nested include -files is enforced to prevent include file loops. - -=head2 Other special characters and reserved words - -The pound sign ('#') is used to indicate a comment (unless it is -part of a #include directive or unless it occurs in the context of -a user name and is followed by one or more digits, in which case -it is treated as a uid). Both the comment character and any text -after it, up to the end of the line, are ignored. - -The reserved word B is a built-in I that always causes -a match to succeed. It can be used wherever one might otherwise -use a C, C, C, or C. -You should not try to define your own I called B as the -built-in alias will be used in preference to your own. Please note -that using B can be dangerous since in a command context, it -allows the user to run B command on the system. - -An exclamation point ('!') can be used as a logical I operator -both in an I and in front of a C. This allows one to -exclude certain values. Note, however, that using a C in -conjunction with the built-in C alias to allow a user to -run "all but a few" commands rarely works as intended (see SECURITY -NOTES below). - -Long lines can be continued with a backslash ('\') as the last -character on the line. - -Whitespace between elements in a list as well as special syntactic -characters in a I ('=', ':', '(', ')') is optional. - -The following characters must be escaped with a backslash ('\') when -used as part of a word (e.g.Ea username or hostname): -'@', '!', '=', ':', ',', '(', ')', '\'. - =head1 FILES @sysconfdir@/sudoers List of who can run what
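Review bot: the text removed here is the same block that the first hunk re-adds, so the move looks lossless, but the context lines around the deletion deserve a check in the rendered output: the last remaining line before "=head1 FILES" is now the sentence ending "The following syslog priorities are supported: ...", and no =back appears between it and the heading in this hunk. Since the new SUDOERS OPTIONS section opens an "=over 12" list, confirm that the list is closed by a =back ahead of that syslog paragraph (or that the paragraph is meant to sit inside the list); otherwise podchecker will flag an unterminated =over once the sections above are gone. The "(see SECURITY NOTES below)" cross-reference in the moved "!" paragraph remains correct after the move, as SECURITY NOTES still follows it.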